When it comes to Azure security best practices, where do you start? In many different ways, Azure has a lot in common with all other data centers. However, Azure can also be quite different. The process of securing Azure is not easy and can present a number of specific issues. The security of resources hosted on Azure is of paramount importance, but is sometimes ignored by startups unfamiliar with Azure.
During the initial stages of a company’s journey to cloud adoption, it is commonly believed that Microsoft protects the cloud services it hosts. While Azure helps protect your business assets, a lot of the onus falls on users to take responsibility for ensuring the security of their Azure cloud.
In this post, I’ll share my 9 Azure security best practices. If you’re interested in going deeper into Azure security, you might be interested in a Microsoft Azure course learning path. Even if there is no interest in becoming an Azure Certified Security Professional, these classes, as well as hands-on labs, will help you begin your journey toward managing and implementing Microsoft Azure security technologies.
1. Be aware of the shared responsibility model.
Although I could provide a lot of detail about Azure Shared Responsibility Azure’s Shared Responsibility system, I will briefly summarize the fundamental concepts. It is essential that cloud security professionals are aware of the roles and responsibilities that the Azure customer (you) share with Microsoft. The responsibility assignment is different depending on the Azure service; however, at a fundamental level, you are responsible for the security of your data and access to it. In the case of the service you are using, you may have additional responsibilities, as shown below.
2. Alerts and changes suggested by Azure Security Center.
Let me start by saying that this is not a new article. The tips you’ll see below can be found within Azure via the Azure Security Center, which is why I’m starting there.
Azure Security Center is the ideal place to start. Azure Security Center offers suggested settings and alerts to keep your Azure resources safe. Azure’s first security recommendation is that you get the most out of Azure Security Center by visiting the portal frequently for new alerts and taking action to immediately remediate any alerts that are detected. The third recommendation for Azure Security is to use Azure Security Center as a standard feature for all subscriptions, or at a minimum, for each subscription that has production resources.
The base version of Azure Security Center included in Microsoft Azure provides limited information. Azure Security Center Standard helps identify security weaknesses and provides a suggested solution. Microsoft offers a 60-day trial period for Security Center Standard at no cost.
3. Secure identity with Azure Active Directory
The days of the main security barrier within the network was the Firewall. Identity is fast becoming the number one security boundary. For Microsoft Azure, this is more than ever. That’s why Microsoft has issued a series of recommendations on Identity security through Azure Active Directory. Since Microsoft Azure relies on Azure Active Directory for user authentication and security, these Azure security recommendations are essential for protecting the Azure cloud.
Microsoft strongly recommends that identity be centralized with an authoritative source. For a hybrid identity model, an Azure security best practice is to connect your cloud and on-premises directories using Azure Active Directory Connect. The integration will allow identities to be managed at the same time in a single location. The “single point of reference” will improve transparency and decrease the chance of making mistakes that could create security risks and create a lot of configuration complexity.
4. Holders of limited subscriptions
These Azure Security Best Practices for Security are simple. You don’t need to have at least one Azure account owner; however, there should be no more than three permit holders. Ideally, you’ll want to have two trusted Azure administrators, or “product owners,” to hold the subscriptions, and if possible, one “breakable” account in case of emergency.
5. Access to the control network
As with all data centers, network access within Azure must be managed carefully. My suggestion is to use a “rings of protection” method that allows you to create multiple rings of security inside (and between) the protected resource. Applying this method to Azure, the first ring (often known as the edge ring) is typically made up of a firewall such as Azure Firewall or an external virtual network device.
The second ring can be a network security group (or NSG) that is enforced on the subnet. Network security groups allow you to limit network traffic as well as traffic to Azure resources in the Azure virtual network.
6. Remote connection removal (RDP/SSH)
I suggest you block RDP and SSH access to Azure VMs on the internet. In fact, using both RDP and SSH access must be available through a secure private network (such as VPN or ExpressRoute, as described above), making use of Just-in-Time (JIT) virtual machine access.
After you’ve enabled Azure Security Center Standard in the first place, I recommend that you enable just-in-time access to virtual machines. Just-in-time access to the virtual machine is used to manage incoming traffic going to Azure Virtual Machines, reducing the risk of being a victim of brute force attacks while allowing easy access to connect to virtual machines ( VM) via Remote Desktop and Secure Cover.
7. Update and protect your virtual machine
It is essential to protect your server operating systems just as you would protect on-premises data centers. It is essential to have anti-malware and antivirus. I would recommend Windows Defender Advanced Threat Protection (ATP), as well as Microsoft’s anti-malware. Both are integrated together with Azure Security Center to provide one place to manage your VM security.
Microsoft still requires system updates for virtual machines hosted on Azure, and Azure offers an update management system that provides an automated method to apply the latest updates for Windows virtual machines. Azure Security Center will find the missing security updates and apply them on your behalf.
8. Protect sensitive data
They are securely protecting sensitive data, including keys, certificates, and secrets, essential to protecting your data stored in cloud computing with the Microsoft Azure cloud. Azure Key Vault is a good choice for protecting cryptographic keys as well as secrets used by cloud-based applications and services. Each store is a separate access control list, which is based on role-based access controls (RBAC).
9. Enable encryption
With Microsoft Azure, protect all your information, both in transit and at rest, with Encryption. In some cases, encryption is turned on by default. In other situations, encryption must be enabled by hand.
Encryption at rest is achieved by default on Managed Disks (created after June 10, 2017) by Storage Service Encryption for Azure Managed Disks using Microsoft-controlled encryption keys. I also suggest using Azure Disk Encryption, which can be enabled manually, to protect any drives that contain sensitive data.
Also, when using Azure SQL, Azure SQL encryption of the data in the transparent database must be used to protect the database files on disk.
Closure
Secure Azure is not without its different problems. If done correctly, it will be as secure as the top data center. This list of Azure security best practices will get you up and running; however, understanding Azure Security will require technical expertise and hands-on training.
Subscribe to our latest newsletter
To read our exclusive content, sign up now. $5/month, $50/year
Categories: Technology
Source: vtt.edu.vn