Azure Security Best Practices

Centralized identity and access management

Azure RBAC works in conjunction with Microsoft Entra ID, a cloud-based service, for centralized identity and access management in Azure. It enables administrators to assign roles to users, groups, and service principals based on their responsibilities, ensuring that access is granted in a granular manner. You can either use built-in roles or create custom roles, assigning permissions only as necessary per the principle of least privilege.

Risk-based access policies

Azure RBAC also works in conjunction with multi-factor authentication (MFA) to identify and prevent risky behavior. Enabled by the identity protection feature of Microsoft Entra ID, you can configure your access control policies based on either sign-in risk or user risk.

If a threat is detected during a sign-in, the relevant policy will be applied. For example, organizations could insist on MFA above a specific risk level, say, medium or high. This feature also enables auto-remediation, so if the steps enforced by the policy are executed, the user session will be allowed without admin intervention.

Privileged access control

Privileged identity management in Microsoft Entra ID allows for time-bound and approval-based roles for Azure resources. You can use this feature to configure additional approvals for admin roles with excess privileges or to restrict access to defined time periods.

This lets you enforce user policies to provide justification for activating roles, generate alerts when privileged roles are activated, and ensure that access is reviewed periodically.

All of the above features fortify Azure security and ensure that only authorized users can access your resources at any given time.

Management hierarchy

Azure provides four levels of management hierarchy to achieve this:

• Management groups
• Subscriptions
• Resource groups
• Resources

The first three all offer different levels of logical groupings of Azure resources.
Resources with the same lifecycle and access control requirements can be grouped together into resource groups.

There can, in turn, be many such resource groups in a subscription, which is again another
logical segregation of resources with a defined set of quotas, limits, RBAC, and cost and
billing configurations.

These subscriptions are then grouped into management groups, allowing you to configure security policies and RBAC controls that are applicable to multiple subscriptions.

Built-in policies

Once you have organized your resources into management groups, subscriptions, and resource groups, you can configure Azure policies to enforce your organizational standards and evaluate your compliance status.

It is recommended to use Azure Policy for implementing consistent resource configuration, cost management, and security. This service includes a policy definition, i.e., a set of enforcement conditions and effects if those conditions are met. Policy definitions can be applied to any of the four levels of management hierarchy.

Custom Policies

Azure features several built-in policies. However, if you have a niche security requirement that cannot be met by these, you can create a custom policy. For example, you may need to enable HTTPS access for storage accounts.

Network segmentation & groups

Azure Virtual Network provides logical segmentation of various resources in Azure. Unless explicitly connected through options such as VPN or peering, resources in different VNets cannot talk to each other. So, segregating resources in different VNets will help prevent lateral movements in the
event of a security breach.

Network security groups (NSGs) control ingress and egress traffic to resources connected
to a VNet.

Zero trust security

You can implement a zero trust security strategy by explicitly denying all traffic and allowing only required traffic using rules that have higher priority.

When there is a multi-tiered architecture deployed in the same VNet, you can bring in additional security by permitting only required traffic between tiers even if the traffic is internal. This helps prevent the proliferation of threats if one of the tiers is compromised.

NSG flow logs

For visibility into network traffic that flows in and out of your VNet, enable NSG flow logs that capture this information. These provide valuable insights into network traffic, flag any unauthorized access attempts, and help troubleshoot security issues.

Key management

The native key management service in Azure is called Key Vault. You can use this for managing cryptographic keys, secrets, and certificates, as it centralizes the key management requirement for encryption data, SSL/TLS certificates, and application secrets.

If your data is highly sensitive, you can opt for Azure Dedicated Hardware Security Module (HSM), which supports the management of keys in a FIPS 140-2 Level 3 compliant environment.

Encryption of data at rest

For visibility into network traffic that flows in and out of your VNet, enable NSG flow logs that capture this information. These provide valuable insights into network traffic, flag any unauthorized access attempts, and help troubleshoot security issues.

For services where encryption keys are managed via Azure Key Vault, make sure that you implement a key rotation policy for all the keys. Microsoft recommends that keys be rotated at least every two years.

Encryption of data in transit

For encryption of data in transit, TLS is supported for services like Azure App Service, Azure SQL
Database, and Azure Storage. You can also use Azure Application Gateway, which supports end-to-end SSL encryption and can be used to terminate SSL connections from the internet.

Multi-factor authentication

It is recommended to enable multi-factor authentication for all users including administrators. Microsoft Entra ID security defaults help you to quickly enable and enforce this. When used in conjunction with a conditional access policy, MFA is enforced when specific conditions are met, such as untrusted devices, risky applications, or different locations.

Password management

Allow user to reset passwords, you can use the self-service password reset feature from Microsoft Entra ID.

Make sure to review usage through the built-in reporting features of Microsoft Entra Password Protection. These reports give you a view of the number of people registering for password resets, the frequency of password resets, and any associated suspicious activities.

You can enable Just-in-Time (JIT) access for your VMs as well, especially for admin accounts. This will allow traffic to selected ports and from allowed source IP addresses for a specific timeframe only to further reduce the attack surface.

IaC adoption

To eliminate manual operational errors, you should always opt for automated builds, deployments, and configurations wherever possible. Infrastructure as code (IaC) can help you achieve this by ensuring consistency across environments and eliminating the problem of drifts, as the configuration is versioned and saved as code just like your application.

This makes the configuration repeatable and auditable, and eliminates human error. It also aligns with the concept of “idempotence,” i.e., the same result every time the same operation is executed.

Look to implement:

• Azure Resource Manager (ARM) templates: These are written in a declarative format to deploy multiple resources and their dependencies.
• Azure DevOps: IaC in Azure DevOps lets you streamline the build and deploy process; it also helps to avoid misconfigurations and eliminate security gaps.
• Terraform: Hashicorp Terraform is a popular open-source IAC tool you can use across multiple hybrid and multi-cloud environments. Azure supports the configuration of Azure resources, Azure AD, and APIs, plus the integration with Azure DevOps through Terraform

Endpoint application security

Securing endpoints in Azure entails safeguarding the apps and services that run in your Azure environment from potential attacks and vulnerabilities. This should start in the application design phase with threat modeling.

You can leverage the SDL Threat Modeling tool to identify threats and receive possible mitigation steps. In addition to options such as encryption and identity protection that we have seen so far, the mitigation plan should also include services that protect the application layer.

WAF

The Web Application Firewall (WAF) feature in Azure Application Gateway can be leveraged to protect your applications against common threats such as cross-site scripting, SQL injection, HTTP protocol violation, remote file inclusion, etc. This is aligned with the Core Rule Set (CRS) defined in the Open Worldwide Application Security Project (OWASP). In addition to the pre-configured rule set, you can build custom rules to best suit your application requirements.

Azure Firewall

Application layer security can be augmented by the L7 protection capabilities offered by Azure Firewall, such as HTTPS traffic filtering in hybrid deployments.

You can also leverage Azure Firewall premium features to inspect HTTP headers and perform deeper packet analysis using TLS inspection. It is a recommended design pattern to use Web Application Firewall along with Azure Firewall. Note: It is a recommended design pattern to use Web Application Firewall along with Azure Firewall.

Microsoft Defender for Cloud

This serves as the cloud-native application protection platform (CNAPP) that helps protect your application from a wide range of vulnerabilities, threats, and misconfigurations. It includes the capabilities of DevSecOps, cloud security posture management (CSPM), and a cloud workload protection platform (CWPP).

Microsoft Defender lets you shift security left by integrating best practices early on in the code pipeline insights, which detect loopholes such as exposed secrets and misconfigurations.

The CSPM capability of Microsoft Defender analyzes the security configuration of your resources and provides recommendations to fix any misconfigurations.

Secure Score

Microsoft Defender for Cloud helps quantify your security posture using Secure Score. This service continuously assesses your cloud resources against the Microsoft cloud security benchmark (MCSB) and assigns a secure score for your environments. A lower secure score means the environment is at risk and needs remedial measures to be implemented to improve the score. This can be accomplished by implementing the actionable recommendations offered by Microsoft Defender, thereby minimizing the attack surface.

Built-in benchmark assessment & dashboards

Microsoft Defender for Cloud has built-in Azure benchmark assessments and dashboards for all leading regulatory and compliance standards. You can also leverage this service to perform foundational compliance assessments for AWS and GCP.

The dashboards provide a bird’s-eye view of your organization’s compliance posture against leading regulations such as CIS, SOC 2, PCI DSS, FedRamp, and HIPAA. Assessments against compliance standards are automatically run every 12 hours.

The dashboards also provide details of the actions, manual and automated, that need to be implemented to mitigate any problems detected. These capabilities provide a good starting point for you to meet your compliance requirements.