Keeping data secure is not an easy task. With data breaches happening daily, platform security is something that keeps every CISO or CIO awake at night. The recent case at Uber and incidents like open Amazon S3 buckets full of data (it may happen on any other cloud as well) are just examples of a new area to cover – our developers and deployment teams. Will the cloud give us another headache?
Staying secure has become a complex task. It covers multiple areas – security policies and procedures, keeping our clients' credentials safe, keeping our environment safe. The adoption of DevOps and continuous integration / deployment tools has brought new challenges. Surprisingly, where the cloud is often seen as a problem, it might also be a solution, or at least part of one. The basics are still the most important, but there are tools and practices you can apply to improve information security at your organisation. We want to be clear here – some things cost extra! Wherever you see a P2 warning in this article, it means we are talking about premium or paid versions of services. Hey, it is the cloud – there are entry-level and premium-level services. They have a cost, but typically it's worth it. Let's begin!
Maintain your account security
We have covered this subject on the blog many times, so let's keep it short – it is important. Most of the attacks and data breaches start with compromised accounts. Keep them safe! Educate your users. With Azure services it comes down to Azure Active Directory as your identity platform:
- Make sure your users understand the threat. Educate them
- Implement reasonable password policies and be up-to-date with the latest recommendations. Changing the passwords every month is not in fashion nowadays
- Implement multi-factor authentication. It doesn't have to be painful for users and right now it works with most of the tools and services. The days of app passwords are gone.
A practical tip – MFA is free for your Azure AD admins!
Level up the account security game
These are the basics of account protection. There are tools provided as part of a platform, and these take this game to the next level:
Conditional access
Make your users' lives easier and at the same time improve the safety of your applications and access – conditional access in Azure AD to the rescue! Control access and protection based on location, time and the state of the device. Worried about your code repository or your team's content? No problem, apply conditional access and allow only managed devices to access it. And with recent updates, it works on Mac OS as well!
Identity Protection (P2 warning)
Want to provide better protection with a better user experience? Identity Protection evaluates your accounts against Microsoft security intelligence and applies extra protection only when it is needed. You can trigger additional protection measures based on the risk threshold for a given account and the policies you configured.
Access control
Right after account protection comes access control. I can't stress enough how important this is. Your access management is the barrier someone has to cross once they are in your network. Leave it open – and your data is open to anyone who can access your solutions. There is no justification for people having access to all of your resources. There is no need for someone to have admin-level access to all of your services on a daily basis. Azure AD provides you with control over accounts. But what about access control? The Azure platform gives you the RBAC model, which you can use to granularly control access to your subscriptions, resource groups and the resources within those groups. There is a pretty good set of built-in roles, but if you need custom ones – you can build them. And remember – no Microsoft Accounts (aka LiveIDs) in your tenant. If you need external guests – use Azure AD B2B.
Beef it up – next-level access management (P2 warning)
The most common reason for security breaches is excessive privileges held by normal accounts, or even admin accounts, on a daily basis. If you are not doing the admin work, why do you have admin privileges? Why!? There is no reason for it! There are plenty of Privileged Account Management (PAM) solutions for enterprises. Believe me – privileges in the cloud are often missing from the security radar. Azure AD provides the Privileged Identity Management (PIM) service, which allows you to grant administrative roles on request and only for a specific time. This creates a Just-in-Time (JIT, remember this acronym, we will use it shortly) admin account. The same mechanism is in preview for Azure RBAC roles. There is no need for someone to be granted permanent access to resources in an Azure subscription. Make them eligible for the role and use PIM to activate it only when it is needed. The platform itself will revoke it after the time you specify. And there are logs and audits for all activities! A bonus from the compliance point of view.
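To make the two rules above concrete (scope roles narrowly; no standing admin access for human accounts), here is an added example, not code from the original post, that audits an exported role-assignment list. The input is a constructed sample whose field names are modelled on `az role assignment list` output; the subscription id is a placeholder, and the example assumes everything in such an export is a standing assignment.

```python
# Constructed sample shaped like an exported role-assignment list (field names
# modelled on `az role assignment list`); the subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
]

# Built-in roles that grant admin-level control over whatever they are scoped to.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def scope_level(scope):
    """Classify an ARM scope string as subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) <= 2:                                   # /subscriptions/<id>
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"                                     # .../providers/...

def audit_assignments(assignments):
    """Return (principal, rule, advice) for each assignment that breaks least privilege.

    Assumption for this example: every entry in the export is a standing (permanent)
    assignment; PIM-eligible roles are expected not to appear until activated.
    """
    findings = []
    for a in assignments:
        role, who = a["roleDefinitionName"], a["principalName"]
        if role not in PRIVILEGED_ROLES:
            continue
        if scope_level(a["scope"]) == "subscription":
            findings.append((who, "BROAD_SCOPE",
                             f"{role} on the whole subscription; scope it to a resource group or resource"))
        if a["principalType"] == "User":
            findings.append((who, "STANDING_ADMIN",
                             f"permanent {role} for a human account; make it PIM-eligible instead"))
    return findings

if __name__ == "__main__":
    for who, rule, advice in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{rule:15} {who}: {advice}")
```

The service principal with Contributor on a single resource group is deliberately not flagged: a deployment identity needs that scope, and it is exactly the granularity the article recommends.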
Azure Security Center
Concerned about your VMs' configuration? Are they up to date and configured according to your requirements? Azure Security Center comes to the rescue. This important but often overlooked service will take your security to the next level. It is the Swiss Army knife when it comes to monitoring the security of your resources. Checking VMs for missing updates is easy. Security Center will do much more. It will monitor your resources for misconfiguration, automatically apply patches, and detect attacks on your VMs and other cloud services. Do you think you are not attacked in the cloud? Make a test – establish an isolated VM with RDP open on the standard port to the internet and monitor Security Center for this machine. You will be surprised. One thing you might not know – it works for on-premises hosts as well. Only in the paid version of the service, but it is available there.
Just-in-Time access to virtual machines
Remember what I wrote a bit earlier about JIT (Just-in-Time) access to admin roles, which the system automatically revokes? What if you could apply the same JIT principle to network port access? Security Center in its standard (paid) version delivers Just-in-Time port access. No ports are open at all times. When a user needs RDP access, they go through the process of requesting it, and just like that the port is open for them. After the specified time, Azure will close it. You do not need to take any manual actions or intervene. It costs in terms of Security Center licenses, but in a highly secure or managed services environment it might really come in handy and improve overall platform security.
Applications need credentials… and rights! (P2 warning)
What is one of the frequent reasons for compromised network security? You are right – service and application accounts. If an application or script needs access to your organisation's Azure AD or Azure resources, it also needs a security principal and credentials! Remember! You should treat them like any other privileged account. A typical scenario is that an application has its Application ID (the equivalent of a username) and a client secret (the equivalent of a password). Many Azure users, especially developers, do not consider these as credential equivalents and store them in version control systems like GitHub or VSTS. Guess what happened in the case of the Uber data leak? Yes, AWS management keys were in the source code repository, waiting for someone to grab them. If you have an application or script which requires access to your Azure, instead of using a client secret (password) it is much safer to use a certificate for authentication. Yes, you can do this. And BTW – there is a new kid on the block. Managed Service Identities for Azure AD is a way for Azure AD to automate your credentials management. It is not supported in all scenarios. However, in cases where you can use it, it is for sure a nice option! Tip – do yourself a favor and read this excellent blog on how to use Service Principals from one of the Polish MVPs.
Credentials all over the code – use KeyVault!
Credentials and passwords stored in application code are a nightmare. They are a nightmare from the security point of view. People store code in many places. Of course, it should be in your organisation's repository, protected by your whole identity stack. But it often isn't. They are also a nightmare from the DevOps perspective. How do you deploy it all in an efficient and effective way? Where do you source all the credentials and certificates? How do you retrieve them? Again – cloud to the rescue. Azure KeyVault is a service that allows you to store sensitive material like credentials and certificates in a dedicated service. And it is easy to use and very cheap! Of course not free, but compared to the risk of confidential data being stored in code and exposed, and the cost of managing this in your DevOps process – a no-brainer!
- You can use it from your web app.
- Another option is to protect your BitLocker keys for your VMs with it.
- Plus, you can also manage your SSL certificates, including for IIS running in a Virtual Machine.
- And there's more – just check service documentation.
Azure KeyVault is one of those hidden gems of the cloud platform when it comes to improving application security.
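The detection side of the last two sections (application credentials committed to source control, which belong in KeyVault), as an added example that is not part of the original post: a small pre-commit style scanner run over a constructed source snippet. The AWS values are the well-known example keys from AWS documentation and the other values are fake placeholders; the regular expressions are this example's own heuristics, not an official tool.

```python
import re

# Constructed sample "source file" containing the credential shapes the article
# warns about. The AWS values are the documented AWS example keys; the rest are fake.
SAMPLE_SOURCE = '''\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client_id = "11111111-2222-3333-4444-555555555555"   # Application ID: an identifier, not a secret
client_secret = "placeholder-secret-that-belongs-in-key-vault"
storage = "DefaultEndpointsProtocol=https;AccountName=st1;AccountKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=;"
client_secret = os.environ["AZURE_CLIENT_SECRET"]    # read at runtime, not a literal: not flagged
'''

# (rule name, pattern matching a credential literal, what to do instead)
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
     "rotate the key and load credentials at runtime, never from the repository"),
    ("aws-secret-key", re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*[\"'][A-Za-z0-9/+]{40}[\"']"),
     "rotate the key and load credentials at runtime, never from the repository"),
    ("azure-client-secret", re.compile(r"(?i)client[_-]?secret\s*[:=]\s*[\"'][^\"']{8,}[\"']"),
     "rotate it; prefer certificate auth or a Managed Service Identity, else fetch it from KeyVault"),
    ("azure-storage-key", re.compile(r"AccountKey=[A-Za-z0-9+/]{20,}={0,2}"),
     "regenerate the key and keep the connection string in KeyVault"),
]

def scan_source(text):
    """Return (line_number, rule_name, advice) for every credential literal found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, advice in RULES:
            if pattern.search(line):
                findings.append((lineno, name, advice))
    return findings

if __name__ == "__main__":
    for lineno, name, advice in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} -> {advice}")
```

The Application ID on line 3 is intentionally not reported: it is an identifier, and only the client secret next to it is credential material.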
Encryption, encryption everywhere!
For many customers, data confidentiality is a must. Azure provides plenty of options for data encryption and protection. It is good to know these options and apply them. This article gives you a one-stop place to start exploring and applying encryption on the Azure platform. Before implementing your services make sure you've read it!
Summary
There are many more elements of the Azure platform security of which you should be aware!
- Azure Monitor is your tool to get to know when something is happening on your platform and to gather and channel all auditing information from your resources
- Azure Policy is still in preview but it gives you a way to govern your cloud resources and if implemented right, it might be an important aspect of your overall Azure platform security!
Every service on a platform has its security aspects – encryption, access control, threat model and mechanisms to prevent and mitigate threats. We will be surely getting back to this topic with practical use cases from our projects. Stay tuned! And if you wish to discuss any solutions in more detail – get in touch!