How to secure your Azure cloud

In our previous post we recalled and emphasized a number of important cloud security challenges reported by the Cloud Security Alliance (CSA) in 2019. The reported threats relate to, for example, identity and access management, data identification and classification, and threat and vulnerability management.

When adopting a cloud solution, you should understand and leverage the numerous tools that are available to secure your cloud services. 

For example, the Microsoft Azure cloud platform offers multiple capabilities to manage cloud security risks and to secure your Azure cloud environment.

In this article we will discuss a number of solutions provided by Microsoft Azure that can help administrators to perform their security tasks in an effective and efficient way.

Azure Cloud Solutions

Most importantly, the Azure cloud solutions enable you to apply a more streamlined approach in which security tasks are managed automatically and centrally.

Below, we will discuss the following solutions in more detail:

  • Azure Active Directory (AD), SSO and MFA
  • Azure Role-Based Access Control (RBAC)
  • Azure Conditional Access
  • Azure Information Protection (AIP)
    • Azure Data Discovery and Classification
    • AIP policy
  • Azure Key Vault
  • Azure Privileged Identity Management (PIM)
  • Azure Security Center

Microsoft Azure provides several licensing options, each with different features, so the Azure solutions discussed below might not be included in your specific license. Details can be verified at https://azure.microsoft.com/nl-nl/pricing/#product-pricing

1. Identity, Credentials and Access Management 

1.1. Azure Active Directory and SSO

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. Note that Azure AD is not the same as Active Directory Domain Services; Microsoft has published an article explaining the differences, see Compare Active Directory to Azure Active Directory.

Azure AD enables users to sign in and access both external resources (e.g. Office 365, The Azure portal, and numerous SaaS applications) and internal resources (e.g. self-developed cloud apps or apps on your corporate network).

When using Azure AD with single sign-on (SSO), a user no longer has to remember an application-specific password for each application. SSO lets users sign in once with their account to access SaaS applications, web applications, company resources, etc. Moreover, IT staff can centralize user account management and automatically add or remove user access based on group membership. Beware that with SSO your applications are only as safe as your weakest protected device: an unprotected laptop readily gives access to all your resources.

1.2. Multi Factor Authentication (MFA)

Applying MFA is critical to mitigate the risk of user accounts becoming compromised. MFA is an authentication method that relies on the user’s normal credentials plus at least one additional factor, for example something the user knows (a password) combined with something the user has (a mobile phone). If the username and password are stolen, an attacker cannot use the credentials without also obtaining the second factor.

By combining MFA and SSO, perimeter security increases while the authentication process is simplified, since a single, centrally managed IAM solution handles it.

2. Azure Role-Based Access Control (RBAC)

Basically, role-based access control (RBAC) restricts access based on a person's role within an organization. The roles refer to the levels of access that employees have. “Much as with a traditional Active Directory, user account permissions should be configured using such a role-based approach in order to provide users the least amount of privileges required to perform their job tasks” [2].

Azure RBAC helps you to manage who has access to your Azure cloud resources, what they can do with those resources, and what areas they have access to. This is done by creating role assignments. A role assignment consists of three elements: security principal, role definition, and scope.

  • Security Principal: “A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources” [1]
  • Role definition: “A role definition is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete. Roles can be high-level, like owner, or specific, like virtual machine reader” [1]
  • Scope: “Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. In Azure, you can specify a scope at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship” [1]
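To make the three elements and the parent-child scope inheritance concrete, the following added Python model evaluates whether a principal may perform an operation at a given scope. It is an illustration written for this article, not Azure's own implementation: the subscription id, resource names, principals and the simplified role definitions are all constructed, and Azure's separate deny assignments are not modelled.

```python
"""Toy model of Azure RBAC role assignments (added illustration, not Azure code).

Scopes form a parent/child chain (management group > subscription > resource
group > resource) and an assignment at a parent scope is inherited by every
child scope. Role, principal and scope values below are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Role definitions: name -> set of permitted operations. The operation strings
# follow the shape of Azure's "provider/resourceType/action" names but are
# simplified examples, not a copy of Azure's built-in roles.
ROLE_DEFINITIONS = {
    "Reader": {"*/read"},
    "Virtual Machine Contributor": {"Microsoft.Compute/virtualMachines/*"},
    "Owner": {"*"},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: str       # key into ROLE_DEFINITIONS
    scope: str      # resource path at which the role is granted


def is_within_scope(assignment_scope: str, target_scope: str) -> bool:
    """True if target_scope is assignment_scope itself or nested under it.

    A trailing slash is added before comparing so that an assignment on
    '/resourceGroups/rg-prod' does not accidentally cover
    '/resourceGroups/rg-production'.
    """
    parent = assignment_scope.rstrip("/").lower() + "/"
    child = target_scope.rstrip("/").lower() + "/"
    return child.startswith(parent)


def role_permits(role: str, operation: str) -> bool:
    """Wildcard match of one operation against a role's permitted operations."""
    return any(fnmatchcase(operation.lower(), pattern.lower())
               for pattern in ROLE_DEFINITIONS[role])


def is_allowed(assignments, principal, operation, scope, group_memberships=None) -> bool:
    """Effective-permission check.

    Access is granted when any assignment for the principal, or for a group the
    principal belongs to, sits at a scope containing the target scope and its
    role permits the operation. RBAC is additive: no assignment means no access.
    """
    identities = {principal} | set((group_memberships or {}).get(principal, ()))
    return any(
        a.principal in identities
        and is_within_scope(a.scope, scope)
        and role_permits(a.role, operation)
        for a in assignments
    )


# Constructed sample environment: a placeholder subscription id, two resource
# groups and one VM. Bob only gets access through the "auditors" group.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUBSCRIPTION + "/resourceGroups/rg-prod"
RG_DEV = SUBSCRIPTION + "/resourceGroups/rg-dev"
VM_WEB = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"

ASSIGNMENTS = [
    # group principal, wide scope, read-only role
    RoleAssignment("auditors", "Reader", SUBSCRIPTION),
    # user principal, narrow scope, role limited to one resource type
    RoleAssignment("alice@example.com", "Virtual Machine Contributor", RG_PROD),
]
GROUP_MEMBERSHIPS = {"bob@example.com": {"auditors"}}

START_VM = "Microsoft.Compute/virtualMachines/start/action"
READ_VM = "Microsoft.Compute/virtualMachines/read"


def check(principal: str, operation: str, scope: str) -> bool:
    """Convenience wrapper over the constructed sample environment."""
    return is_allowed(ASSIGNMENTS, principal, operation, scope, GROUP_MEMBERSHIPS)


if __name__ == "__main__":
    for who, op, where in [
        ("alice@example.com", START_VM, VM_WEB),   # allow: RG_PROD assignment covers the VM
        ("alice@example.com", START_VM, RG_DEV),   # deny: other resource group
        ("bob@example.com", READ_VM, VM_WEB),      # allow: inherited Reader via group
        ("bob@example.com", START_VM, VM_WEB),     # deny: Reader cannot start VMs
    ]:
        print(f"{who:18} {op:48} -> {'allow' if check(who, op, where) else 'deny'}")
```

The least-privilege point of the section shows up directly: Alice's assignment at the resource-group scope gives her nothing in rg-dev, and the auditors group inherits read access to every resource under the subscription without ever being able to start a VM.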

More details can be consulted via: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview.

In addition, Microsoft has published several blueprints that can help you configure user account permissions: https://docs.microsoft.com/en-us/azure/governance/blueprints/samples/

3. Azure Conditional Access

The shift to a more cloud-centric model results in a security perimeter that extends beyond the organization's network to include user and device identity. As a consequence, controlling access to your corporate resources becomes more challenging.

Conditional Access policies follow an if-then pattern: IF a user wants to access a resource, THEN a certain condition must be met first. When making a policy decision, Conditional Access can take into account a number of signals, such as:

  • The user’s roles and the groups he or she belongs to
  • The IP address of the user or the geographic location of the user attempting to log in
  • The application
    • Users attempting to access specific applications can trigger different Conditional Access policies

Using these attributes, administrators can use Conditional Access to adjust security by [2]:

  • Restricting users from logging in from foreign countries or restricting access to specific sensitive information when logging in from locations other than their offices
  • Forcing users to use MFA when logging in on IP addresses external to the organization
  • Requiring users to use compliant devices when attempting to access organizational resources
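The three policies listed above, plus a group-based one for administrators, can be expressed as small if-then rules over the sign-in signals from the previous list. The following Python engine is an added illustration for this article, not Azure's Conditional Access implementation; the office IP range (TEST-NET-3), allowed countries, group names, application names and user names are all constructed.

```python
"""Toy Conditional Access policy engine (added illustration, not Azure code).

Each policy has a scope (which users/groups and which apps it applies to),
an IF part (a condition over the sign-in signals) and a THEN part (the
controls required). Named locations, groups, apps and users are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, Optional


@dataclass(frozen=True)
class SignIn:
    """Signals available at sign-in time."""
    user: str
    groups: FrozenSet[str]
    ip: str
    country: str          # ISO country code derived from the IP (constructed)
    app: str
    device_compliant: bool


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[SignIn], bool]      # the IF part
    controls: FrozenSet[str]                 # the THEN part: "block", "mfa", "compliant_device"
    groups: Optional[FrozenSet[str]] = None  # None = applies to all users
    apps: Optional[FrozenSet[str]] = None    # None = applies to all apps


@dataclass(frozen=True)
class Decision:
    outcome: str              # "grant" or "block"
    controls: FrozenSet[str]  # controls the user must satisfy when granted
    reason: str


# Constructed named locations: TEST-NET-3 stands in for the office range.
OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]
ALLOWED_COUNTRIES = {"BE", "NL"}
SENSITIVE_APPS = frozenset({"HR Portal", "Finance"})


def from_office(s: SignIn) -> bool:
    return any(ip_address(s.ip) in net for net in OFFICE_NETWORKS)


POLICIES = [
    Policy("Block sign-ins from outside allowed countries",
           condition=lambda s: s.country not in ALLOWED_COUNTRIES,
           controls=frozenset({"block"})),
    Policy("Require MFA outside the office network",
           condition=lambda s: not from_office(s),
           controls=frozenset({"mfa"})),
    Policy("Require MFA for administrators everywhere",
           condition=lambda s: True,
           controls=frozenset({"mfa"}),
           groups=frozenset({"admins"})),
    Policy("Require a compliant device for sensitive apps",
           condition=lambda s: True,
           controls=frozenset({"compliant_device"}),
           apps=SENSITIVE_APPS),
]


def evaluate(signin: SignIn, policies=POLICIES) -> Decision:
    """Apply every in-scope policy. A block wins over any grant, and a required
    control that the signals already show cannot be met (a non-compliant
    device) is also a denial; MFA is left as a control to be satisfied."""
    required = set()
    for p in policies:
        if p.groups is not None and not (signin.groups & p.groups):
            continue
        if p.apps is not None and signin.app not in p.apps:
            continue
        if not p.condition(signin):
            continue
        if "block" in p.controls:
            return Decision("block", frozenset(), p.name)
        required |= p.controls
    if "compliant_device" in required and not signin.device_compliant:
        return Decision("block", frozenset(required), "device is not compliant")
    return Decision("grant", frozenset(required), "all in-scope conditions satisfied")


def decide(user, groups, ip, country, app, device_compliant) -> Decision:
    """Build the signal set and evaluate it against the constructed policies."""
    return evaluate(SignIn(user, frozenset(groups), ip, country, app, device_compliant))


if __name__ == "__main__":
    print(decide("bob", [], "203.0.113.10", "BE", "Mail", False))       # grant, no controls
    print(decide("bob", [], "198.51.100.7", "BE", "Mail", False))       # grant, MFA required
    print(decide("bob", [], "198.51.100.7", "US", "Mail", True))        # block: country
    print(decide("alice", ["admins"], "203.0.113.10", "BE", "Mail", True))  # grant, MFA (admin)
    print(decide("bob", [], "203.0.113.10", "BE", "HR Portal", False))  # block: device
```

Note the ordering choice: a block policy is returned as soon as it matches, which mirrors the fact that a deny cannot be outweighed by satisfying other controls, whereas grant controls accumulate across all matching policies.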

4. Azure Information Protection (AIP)

Organizations may struggle to discover their data and to classify it according to their policies and procedures. Some useful tools to implement data classification are [2]:

4.1. Azure Data Discovery and Classification

“This tool can help you to discover, classify, label and report sensitive data stored within Azure’s SQL databases” [2]. Moreover, Azure SQL auditing makes it possible to generate dashboards and reports showing what data is stored within the databases and who is accessing this data.

4.2. AIP policy

Azure Information Protection policies can be developed to help your organization protect documents and emails based on specific conditions. Documents and emails can be labeled (a label applies a certain classification value) based on triggers, for example words or phrases used when writing the document or email.
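The trigger-based labeling described above can be illustrated with a small classifier: each rule pairs a trigger (a phrase or a pattern) with a label, and a document receives the most sensitive label of the rules it triggers. The Python below is an added example for this article and is not AIP's own matching logic; the label taxonomy, the trigger phrases and the sample texts are constructed. It goes one step beyond a plain phrase match by validating card-number candidates with the Luhn checksum, which is how pattern-based triggers avoid labeling every 16-digit number.

```python
"""Toy trigger-based document labeler (added illustration, not AIP code).

Rules map a phrase or pattern to a label; the document gets the highest
label among the triggered rules. Taxonomy and triggers are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Label ranking, lowest to highest sensitivity (constructed taxonomy).
LABELS = ["General", "Internal", "Confidential", "Highly Confidential"]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern"
    label: str
    # Optional extra check on each match, used to cut false positives.
    validator: Optional[Callable[[str], bool]] = None


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


RULES = [
    Rule("internal-marker", re.compile(r"\binternal only\b", re.I), "Internal"),
    Rule("confidential-marker", re.compile(r"\bconfidential\b", re.I), "Confidential"),
    # 13 to 16 digits, optionally separated by spaces or dashes, that pass Luhn.
    Rule("credit-card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "Highly Confidential",
         validator=lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
]


def classify(text: str, rules=RULES) -> Tuple[str, List[str]]:
    """Return (label, names of triggered rules) for a document or email body."""
    hits = []
    for rule in rules:
        for m in rule.pattern.finditer(text):
            if rule.validator is None or rule.validator(m.group(0)):
                hits.append(rule.name)
                break  # one valid hit is enough to trigger a rule
    triggered_labels = [r.label for r in rules if r.name in hits]
    label = max(triggered_labels, key=LABELS.index, default="General")
    return label, hits


if __name__ == "__main__":
    # Constructed sample texts; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    for sample in [
        "Please find the agenda for Monday attached.",
        "Draft budget, INTERNAL ONLY, do not forward.",
        "Confidential: card 1234 5678 9012 3456 on file (not a valid number).",
        "Refund to card 4111 1111 1111 1111, expires 12/26.",
    ]:
        print(classify(sample), "<-", sample)
```

The third sample shows the validator at work: the digit pattern matches, but the checksum fails, so only the "Confidential" phrase trigger fires and the document is not over-classified.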

5. Azure Key Vault

Azure Key Vault is a service for securely storing and managing your cryptographic keys, secrets such as passwords, and certificates. Access to a key vault is granted only to authorized applications and users, which protects the data those keys and secrets guard.

In summary, Azure Key Vault helps solve the following problems [1]:

  • Secrets Management – “Securely store and control access to tokens, passwords, certificates, API keys, and other secrets”
  • Key Management – “Azure Key Vault facilitates the creation and controlling of the encryption keys used to encrypt your data”.
  • Certificate Management – “Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources”.
  • Store secrets backed by Hardware Security Modules – “The secrets and keys can be protected either by software or FIPS 140-2 Level 2 validated HSMs”

6. Azure Privileged Identity Management (PIM)

Privileged Identity Management enables you to manage the privileged roles assigned throughout your organization and to gain insight into the activities of these privileged roles. “Users assigned to a PIM-protected role must elevate to use the granted privileged access rights, for example perform MFA, obtain approval or provide a reason for activation. In addition, the tool enables you to track these elevations via notifications and the audit event logs” [1].

7. Azure Security Center

Azure Security Center unifies security management and enables advanced threat protection for workloads in the cloud and on-premises. “Not only does the Security Center offer recommendations throughout the Azure portal in order to further secure the cloud, but individual resources can be integrated with the Security Center to allow for health checks, patch management, and security alerts” [2].

Security Center provides you with the tools to [1]:

  • Strengthen your security posture: “Security Center will assess your environment and enables you to understand the status of your resources, and whether they are secure”.
  • Protect against threats: “Security Center assesses your workloads and raises threat prevention recommendations and security alerts”.
  • Get secure faster: “Deployment of Security Center is easy, providing you with auto-provisioning and protection with Azure services”.

When security policies are violated, Security Center notifies administrators and provides recommended solutions to resolve the incident. Moreover, administrators can streamline the incident response process by defining rules that automatically remediate known or common issues.

Security Center also provides a dashboard of the organization's databases; identified critical vulnerabilities are reported together with recommendations to resolve them.

Moving forward

Many more Microsoft security tools are available to cloud administrators, and more will become available. Organizations are moving ever more of their activities and data to a cloud environment, so it is important to get to know the tools that are available to mitigate the security risks and secure your cloud services.

While these tools can improve an organization’s security posture, it remains critical that management continue to perform traditional responsibilities, such as user access reviews and periodic reviews of role matrices, to verify that excessive access is not provisioned to users.

References:

[1] Microsoft Azure, https://docs.microsoft.com/en-us/azure/?product=featured

[2] Crowe LLP, Zak Thoreson, 2020; https://www.crowe.com/cybersecurity-watch/securing-the-azure-cloud-dgs?utm_source=linkedin&utm_medium=social&utm_campaign=mo2114-002a


For more information about securing your cloud environment, please contact:

Gorik.vandenbergh@callens.be


Microsoft, Windows, and Azure are either registered trademarks or trademarks of Microsoft Corp.