This post summarizes some collected best practice resources relating to Microsoft Azure Security.
Microsoft Azure Security Best Practices Document
WWWH Methodology (What Why Who How)
- How security roles and responsibilities are evolving in the security organization.
- Evolution of threat environment, roles, and digital strategies.
- Transformation of security, strategies, tools, and threats.
- Learnings from Microsoft’s experience in securing hyperscale cloud environment.
People: Educate teams on cloud security technology
- Azure security
- Azure compliance
- Identity protocols and security
Process: Assign accountability for cloud security decisions
|Network security||Configure and maintain Azure Firewall, network virtual appliances and associated routing, Web Application Firewalls (WAFs), NSGs, ASGs, and so on.||Infrastructure and endpoint security team focused on network security|
|Network management||Manage enterprise-wide virtual network and subnet allocation.||Existing network operations team in central IT operations|
|Server endpoint security||Monitor and remediate server security, including patching, configuration, endpoint security, and so on.||Central IT operations and infrastructure and endpoint security teams jointly|
|Incident monitoring and response||Investigate and remediate security incidents in SIEM or source console, including Microsoft Defender for Cloud, Azure AD identity protection, and so on.||Security operations team|
|Policy management||Set direction for use of Azure role-based access control (Azure RBAC), Defender for Cloud, administrator protection strategy, and Azure Policy to govern Azure resources.||Policy and standards and security architecture teams jointly|
|Identity security and standards||Set direction for Azure AD directories, PIM/pam usage, multi-factor authentication, password/synchronization configuration, application identity standards.||Identity and key management, policy and standards, and security architecture teams jointly|
Process: Update incident response processes for cloud
- Incident response reference guide
- Guidance on building your own security incident response process
- Azure logging and alerting
- Microsoft security best practices
- Microsoft learnings from Cyber Defense Operations Center (CDOC)
Process: Establish security posture management
Update processes and prepare your team so they know what to do when they find an active attacker.
- Processes and playbooks: Adapt existing investigations, remediation, and threat hunting processes to the differences of how cloud platforms work. The differences include new or different tools, data sources, identity protocols, and so on.
- Education: Educate analysts on the overall cloud transformation, technical details of how the platform works, and new or updated processes. This information lets them know what might change and where to go for what they need.
- Key focus areas: While there are many details described in the resource links, these areas are where to focus your education and planning efforts:
- Shared responsibility model and cloud architectures: To a security analyst, Azure is a software-defined datacenter that provides many services. These services include VMs and others that are different from on-premises, such as Azure SQL Database Azure Functions. The best data is in the service logs or the specialized threat detection services. It’s not in logs for the underlying OS/VMs, which are operated by Microsoft and service multiple customers. Analysts need to understand and integrate this context into their daily workflows. That way they know what data to expect, where to get it, and what format it’s in.
- Endpoint data sources: Getting insights and data for attacks and malware on cloud-hosted servers is often faster, easier, and more precise with native cloud-detection tools. Tools like Microsoft Defender for Cloud and endpoint detection and response (EDR) solutions provide more precise data than traditional approaches of direct disk access. Direct disk forensics are available for scenarios where it’s possible and required for legal proceedings. For more information, see computer forensics in Azure. Often, though, this approach is the most inefficient way to detect and investigate attacks.
- Network and identity data sources: Many functions of cloud platforms primarily use identity for access control. This access control includes access to the Azure portal, though network access controls are used extensively as well. This access control requires analysts to develop an understanding of cloud identity protocols to get a full, rich picture of attacker activity and legitimate user activity to support incident investigation and remediation. Identity directories and protocols are different from on-premises ones. They’re typically based on SAML, OAuth, and OpenID Connect and cloud directories rather than LDAP, Kerberos, NTLM, and Active Directory.
- Practice exercises: Simulated attack and response can help build organizational muscle memory and technical readiness. They provide preparation for your security analysts, threat hunters, incident managers, and other stakeholders in your organization. Learning on the job and adapting is a natural part of incident response, but you can work to minimize how much you have to learn in a crisis.
- Passwordless Windows Hello
- Passwordless authenticator app
- Azure AD multi-factor authentication
- Third-party multifactor authentication solution
Technology: Integrate native firewall and network security
- Extend existing capabilities and architectures: Many organizations often choose to extend the use of existing firewall capabilities so they can capitalize on existing investments into skills and process integration, particularly as they first adopt the cloud.
- Embrace native security controls: More organizations are starting to prefer using native controls to avoid the complexity of integrating third-party capabilities. These organizations typically seek to avoid the risk of a misconfiguration in load balancing, user-defined routes, the firewall or WAF itself, and delays in handoffs between different technical teams. This option is compelling to organizations embracing infrastructure as code approaches as they can automate and instrument the built-in capabilities more easily than third-party capabilities.
Technology: Integrate native threat detection
Enable threat detection in Microsoft Defender for Cloud for all the resources you’re using and have each team integrate these resources into their processes as described above.
Architecture: Standardize on a single directory and identity
Adopt a pragmatic approach that starts with new greenfield capabilities. Then, clean up challenges with the brownfield of existing applications and services as a follow-up exercise:
Greenfield: Establish and implement a clear policy that all enterprise identity can use a single Azure AD directory with a single account for each user.
Brownfield: Many organizations often have multiple legacy directories and identity systems. Address these legacy items when the cost of ongoing management friction exceeds the investment to clean it up. While identity management and synchronization solutions can mitigate some of these issues, they lack deep integration of security and productivity features. These features enable a seamless experience for users, admins, and developers.
The ideal time to combine your use of identity is during application development cycles as you:
- Modernize applications for the cloud.
- Update cloud applications with DevOps processes.
While there are valid reasons for a separate directory for independent business units or regulatory requirements, avoid multiple directories in all other circumstances.
Architecture: Use identity-based access control instead of keys
Setting an organizational preference and habit for using identity-based authentication requires following a process and enabling technology.
- Establish policy and standards that clearly outline the default identity-based authentication, and acceptable exceptions.
- Educate developers and infrastructure teams on why to use the new approach, what they need to do, and how to do it.
- Implement changes in a pragmatic way by starting with new greenfield capabilities being adopted now and in the future, such as new Azure services and new applications, and then following up with a clean-up of existing brownfield configurations.
- Monitor for compliance and follow up with developer and infrastructure teams to remediate.
For non-human accounts such as services or automation, use managed identities. Azure managed identities can authenticate to Azure services and resources that support Azure AD authentication. Authentication is enabled through predefined access grant rules, avoiding hard-coded credentials in source code or configuration files.
For services that don’t support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level instead. You should configure service principals with certificate credentials and fallback to client secrets. In both cases, Azure Key Vault can be used with Azure managed identities, so that the runtime environment, such as an Azure function, can retrieve the credential from the key vault.
Architecture: Establish a single unified security strategy
Build and implement a security strategy for cloud that includes the input and active participation of all teams. While the process documentation format can vary, it always includes:
- Active input from teams: Strategies typically fail if people in the organization don’t buy into them. Ideally, get all teams in the same room to collaboratively build the strategy. In the workshops we conduct with customers, we often find organizations have been operating in de facto silos and these meetings often result in people meeting each other for the first time. We find that inclusiveness is a requirement. If some teams aren’t invited, this meeting typically has to be repeated until all participants join it. If they don’t join, then the project doesn’t move forward.
- Documented and communicated clearly: All teams must have awareness of the security strategy. Ideally, the security strategy is a security component of the overall technology strategy. This strategy includes why to integrate security, what is important in security, and what security success looks like. This strategy includes specific guidance for application and development teams so they can get clear, organized guidance without having to read through non-relevant information.
- Stable, but flexible: Keep strategies relatively consistent and stable, but the architectures and the documentation might need to add clarity and accommodate the dynamic nature of cloud. For example, filtering out malicious external traffic would stay consistent as a strategic imperative even if you shift from the use of a third-party next generation firewall to Azure Firewall and adjust diagrams and guidance on how to do it.
- Start with segmentation: There are strategy issues both large and small to address, but you need to start somewhere. Start the security strategy with enterprise asset segmentation. This segmentation is a foundational decision that would be challenging to change later and requires both business input and many technical teams.
The Cloud Adoption Framework includes guidance to help your teams with:
Azure Security Technologies
If you do not wish to make the step to Microsoft 365 E5 but want the security capabilities, then there is a security addon (‘Microsoft 365 E5 Security’ addon) that you can purchase on top of Microsoft 365 E3 that comes with the E5 security features across Office 365, EMS and Windows 10.
Another feature comparing between EMS E3 vs E5
- Exchange Online Protection
- Office 365 Advanced Threat Protection (Protection for email, Office clients, Sharepoint Online, OneDrive for Business, Microsoft Teams)
- Office 365 Threat Intelligence (from user accounts, Attacks, Phishing, Enterprise security, System updates, Denial of service, Spam, User log-ins, Malware, Device Log-ins, Data Encryption, Unauthorized data access, MFA)
- Data Loss Prevention
- Office Message Encryption
- Security & Compliance Center
- Microsoft Cloud App Security
- Secure Score
- Advanced Data Governance (enables customers to achieve organizational compliance by intelligently leveraging machine assisted insights to find, import, classify, set policy and take actions on the data that is most important to them)
- Advanced eDiscovery
- Compliance Manager – GDPR-Compliance Manager Tool
- Customer Lockbox
- Secure Assurance
Other Security Tools
1. Microsoft Azure, https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
2. Amazon Web Services, https://aws.amazon.com/compliance/shared-responsibility-model/
Azure Security Reference Model
Reference Design – Azure Administration Model
Best practices and tips to secure your hybrid cloud environment
Best practices – Identity & Access Management
- Centralize Identity management. Designate a single Azure AD directory as the authoritative source.
- Enforce SSO and Multi Factor Authentication.
- Leverage Azure RBAC with Privileged Identity Management.
- Actively monitor for suspicious activities using AAD anomaly reports.
- Use Azure AD for storage authentication.
Best Practice – for Azure Storage
Advanced Threat Protection for Azure Storage
Alerts on anomalous access & potential data exfiltration
Best practices — Apps and Data security
Leverage Key Vault to store cryptographic keys and secrets. Control access through RBAC
Manage Azure Key Vault access at Management plane and Data plane
Encrypt data and rest and dbta in transit. Use client-side encryption for high value data
Leverage Advance Data Security (ADS) for Azure SQL
Leverage Azure Security Center to identify assets that do not have encryption at rest enabled
Best practices — Network Security
Adopt a Zero Trust approach
Control routing behavior and avoid implications of default routes
Disable RDP/SSH Access to virtual machines over internet
Choose whether to use Native Azure Controls or 3rd party Network Virtual Appliances (NVAs) for
internet edge security (North-South)
Simplify NSG rule management by defining application security groups (ASGs)
Protect Linux and Windows Servers from Threats
- Reduce open network ports
- Use Just-in-Time VM to control access to commonly attacked management ports
- Limit open ports with adaptive network hardening
- Block malware with adaptive application controls
- Protect Windows servers and clients with the integration of Microsoft Defender ATP and Linux servers
Protect your workloads from Threats – Use industry’s most extensive threat intelligence to gain deep insights
- Detect & block advanced malware and threats for Linux and Windows Servers on any cloud
- Protect cloud-native services from threats
- Protect data services against malicious attacks
- Protect your Azure IOT solutions with near real time monitoring
- Service layer detections: Azure network layer and Azure management layer (ARM)
Modern security operations and threat protection
Security Posture management with Secure Score
- Gain instant insight into the security state of your cloud workloads
- Address security vulnerabilities with prioritized recommendations
- Improve your Secure Score and overall security posture in minutes
- Speed up regulatory compliance