Infrastructure-as-a-Service (IaaS) adoption continues its upward trend as the fastest growing public cloud segment (forecasted to grow 27.6% in 2019 to reach $39.5 billion, up from $31 billion in 2018). Not surprisingly, in Microsoft’s latest Security Intelligence Report from 2017, cloud service users saw a 300% year-over-year increase in attacks against them, with over a third of attacks against Azure services in particular originating from China.
With the rapid adoption of IaaS providers like Azure, the threat environment has evolved, but with the right preparation, any company can implement cloud security practices for services that significantly reduce the potential impact of an attempted breach.
While Microsoft provides security capabilities to protect enterprise Azure subscriptions, cloud security’s shared responsibility model requires Azure customers to deliver security “in” Azure. Below are Azure best practices, derived from customers and Center for Internet Security (CIS) recommendations for 7 critical areas of security in Azure that everyone must follow to ensure their Azure subscriptions are secure.
Azure IaaS Best Practices
1. Security Policy
Ensure the following are set to on for virtual machines:
- ‘OS vulnerabilities’ is set to on.
Enable OS vulnerabilities recommendations for virtual machines. When this setting is enabled, it analyzes operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack. The policy also recommends configuration changes to correct these vulnerabilities.
- ‘Endpoint protection’ is set to on.
Enable endpoint protection recommendations for virtual machines. When this setting is enabled, Azure Security Center recommends endpoint protection be provisioned for all Windows virtual machines to help identify and remove viruses, spyware, and other malicious software.
- ‘JIT network access’ is set to on.
Enable JIT network access for virtual machines. When this setting is enabled, the Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic should be locked down. Just-in-time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
2. Identity and Access Management
- Ensure that for all users, multi-factor authentication is enabled.
Enable multi-factor authentication for all users who have write access to Azure resources. Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
- Ensure that ‘users can consent to apps accessing company data on their behalf’ is set to no.
Require administrators to provide consent for apps before use. Until you are running Azure Active Directory as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. A user’s profile information contains private data such as phone number and email address, which could then be sold off to other third parties without requiring any further consent from the user.
- Ensure that ‘restrict access to Azure AD administration portal’ is set to yes.
Restrict access to the Azure AD administration portal to administrators only. The Azure AD administration portal exposes sensitive directory data. You should restrict all non-administrators from accessing any Azure AD data in the administration portal to avoid exposure.
3. Storage Accounts
Ensure the following are set to enabled:
- ‘Secure transfer required’ is set to enabled.
Enable data encryption in transit. The secure transfer option enhances the security of your storage account by only allowing requests to the storage account over a secure connection. For example, when calling REST APIs to access your storage accounts, you must connect using HTTPS. Any requests using HTTP will be rejected when ‘secure transfer required’ is enabled. When you are using the Azure Files service, connections without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client.
- ‘Storage service encryption’ is set to enabled.
Enable data encryption at rest for blobs. Storage service encryption protects your data at rest. Azure storage encrypts your data as it’s written in its data centers, and automatically decrypts it for you as you access it.
4. SQL Services
On SQL database or servers, ensure the following are set to on:
- ‘Auditing’ is set to on.
Enable auditing on SQL Servers. Auditing tracks database events and writes them to an audit log in your Azure storage account. It also helps you to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
- ‘Threat detection’ is set to on.
Enable threat detection on SQL Servers. SQL Threat Detection provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat.
- ‘Transparent data encryption’ is set to on.
Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
5. Networking
Ensure the following are not allowed from the Internet on network security groups:
- Disable RDP.
The potential security problem with using RDP over the Internet is that attackers can use various brute-force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use your virtual machine as a launch point for compromising other machines on your Azure Virtual Network or even attack networked devices outside of Azure.
- Disable SSH.
The potential security problem with using SSH over the Internet is that attackers can use various brute-force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use your virtual machine as a launch point for compromising other machines on your Azure Virtual Network or even attack networked devices outside of Azure.
- Disable Telnet (port 23).
Disable unrestricted access on Network Security Groups (i.e. 0.0.0.0/0) on TCP port 23 and restrict access to only those IP addresses that require it in order to implement the principle of least privilege and reduce the possibility of a breach. TCP port 23 is used by the Telnet server application (Telnetd). Telnet is usually used to check whether a client is able to make TCP/IP connections to a particular service.
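The three items above all come down to whether an NSG's effective inbound verdict for a port is Allow when the source is the Internet. The check below is an added example, not code from the original post or from Microsoft; it takes rules in the `securityRules` shape returned by `az network nsg show` (the `SAMPLE_NSG` record is constructed), merges in Azure's built-in default rules, and evaluates them in priority order so that an explicit Deny correctly shields a port that a later wildcard rule would open.

```python
# Added example (not from the original post): compute an NSG's effective inbound verdict
# for the management ports the section says to close. Input mirrors the "securityRules"
# shape returned by `az network nsg show`; SAMPLE_NSG below is constructed.
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}

# Azure's built-in defaults: Internet traffic is denied inbound unless a custom rule allows it.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def _port_ranges(rule):
    """Yield (low, high) for each range a rule covers: '*', 'a-b', 'n', or the plural list form."""
    for r in rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]:
        lo, _, hi = ("0-65535" if r == "*" else str(r)).partition("-")
        yield int(lo), int(hi or lo)

def _matches_internet(rule, port):
    """True if the rule governs inbound traffic from the Internet to the given port."""
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return (rule["direction"] == "Inbound"
            and any(s.lower() in INTERNET_SOURCES for s in sources)
            and any(lo <= port <= hi for lo, hi in _port_ranges(rule)))

def exposed_ports(nsg):
    """Return {port: description} for sensitive ports the Internet can reach. Rules apply in
    priority order (lowest number first) and the first match wins, so a Deny at priority 100
    shields port 22 even when priority 200 allows '*'."""
    rules = sorted(nsg.get("securityRules", []) + DEFAULT_RULES, key=lambda r: r["priority"])
    findings = {}
    for port, service in SENSITIVE_PORTS.items():
        winner = next(r for r in rules if _matches_internet(r, port))
        if winner["access"] == "Allow":
            findings[port] = f"{service} allowed by rule '{winner['name']}'"
    return findings

# Constructed NSG: SSH explicitly denied, RDP open to everyone, Telnet only from one office range.
SAMPLE_NSG = {"name": "web-nsg", "securityRules": [
    {"name": "deny-ssh-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "allow-mgmt", "priority": 200, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3000-4000", "3389"]},
    {"name": "allow-office-telnet", "priority": 300, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "23"},
]}
```

Running `exposed_ports(SAMPLE_NSG)` flags only RDP: SSH is shielded by the earlier Deny, and Telnet is restricted to one office range, so the default DenyAllInBound wins for it.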
6. Virtual Machines
- Install endpoint protection for virtual machines.
Installing endpoint protection systems (antivirus/anti-malware) provides real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems.
- Enable latest OS patch updates for virtual machines.
Ensure the latest OS patches are applied to virtual machines. Windows and Linux virtual machines should be kept updated to:
- Address a specific bug or flaw
- Improve an OS or application’s general stability
- Fix a security vulnerability
- Enforce disk encryption on virtual machines.
Ensure that data disks (non-boot volumes) are encrypted, where possible. Encrypting your IaaS VM’s data disks (non-boot volume) ensures that its entire content is fully unrecoverable without a key and protects the volume from unwarranted reads.
- Secure the subscription.
A secure Azure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline.
- Minimize the number of admins/owners.
Each additional person in the Owner/Contributor role increases the attack surface for the entire subscription. The number of members in this role must be kept as low as possible.
- Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription).
Non-AD accounts (e.g. email@example.com) subject your cloud assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities.
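The last two items can be reviewed together from a role-assignment export. The check below is an added example, not code from the original post or from Microsoft; it expects records with the fields that `az role assignment list` returns (the records, the placeholder subscription id and the verified-domain list are constructed), counts every Owner/Contributor assignment, and flags those held by accounts outside the tenant, treating B2B guests (whose user principal name carries `#EXT#`) and users whose domain is not a verified tenant domain as external.

```python
# Added example (not from the original post): review role assignments for the two points
# above, namely how many Owner/Contributor principals a subscription has and whether any
# belong to accounts outside the tenant. Records mirror the fields returned by
# `az role assignment list`; the records and the verified-domain list are constructed.
PRIVILEGED_ROLES = {"Owner", "Contributor"}

def is_external(assignment, verified_domains):
    """A user principal is external when it is a B2B guest (its UPN carries '#EXT#') or
    when its UPN domain is not one of the tenant's verified domains."""
    if assignment.get("principalType") != "User":
        return False
    upn = assignment.get("principalName", "").lower()
    if "#ext#" in upn:
        return True
    return upn.rsplit("@", 1)[-1] not in {d.lower() for d in verified_domains}

def review_assignments(assignments, verified_domains):
    """Return (privileged, external): every Owner/Contributor assignment as
    (principal, role, scope), and the subset of those granted to outside accounts."""
    privileged, external = [], []
    for a in assignments:
        if a.get("roleDefinitionName") not in PRIVILEGED_ROLES:
            continue
        entry = (a["principalName"], a["roleDefinitionName"], a["scope"])
        privileged.append(entry)
        if is_external(a, verified_domains):
            external.append(entry)
    return privileged, external

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
VERIFIED_DOMAINS = ["contoso.com", "contoso.onmicrosoft.com"]  # constructed tenant domains
SAMPLE_ASSIGNMENTS = [  # constructed records
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob_example.com#EXT#@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "carol@partner.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "deploy-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/app-rg"},
]
```

On the sample, `review_assignments` reports three privileged assignments (including the pipeline's resource-group Contributor) and one external holder, the guest `bob`; `carol` is external but only a Reader, so she is not listed.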
Learn More about Azure Best Practices from our Definitive Guide to Azure Security blog post