A common misconception about consuming Azure public cloud services is that Microsoft is taking care of all security aspects. Although this is partially true, as a consumer of Azure public cloud services, you are responsible for some of the security controls. The number and areas of security controls you are responsible for depends on which type of public cloud services you are consuming– Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-service (IaaS).
Microsoft will manage most of the security controls within SaaS, a significant portion within of PaaS, and a small portion within IaaS. Conversely, you will need to manage most of the controls within IaaS, some within PaaS and a small portion within SaaS.
Azure PaaS services can be consumed under two models:
- Multi-tenant, public IP accessible.
- Dedicated virtual network (v-net) integrated.
Multi-tenant PaaS is hosted on virtual infrastructure shared with other customers, whereas PaaS dedicated is provisioned on virtual infrastructure dedicated for your use. With the dedicated v-net integrated model, you are responsible for implementing more security controls; however, as the solution is not publicly accessible over the internet, with appropriate monitoring and governance provides an improved security model.
When securing Azure datacenters, one challenge is to ensure you find the correct balance between enterprise IT governance, security and line-of-business developer agility. One approach to this is to have different standards between production and non-production environments, this way developers can have the freedom to innovate within an environment with fewer controls whilst still having the required governance and controls within the production environment.
The following security pillars in Azure are areas to focus on when implementing your security controls.
Encrypting data at rest and in-transit ensures that if the network or if data is ever compromised, it will not be possible for an attacker to access the content. Encryption keys should be stored in an Azure Key Vault with lifecycle management.
Ensuring your target operating model matches your Role Based Access Control (RBAC) design, and that a process for segregating duties exists will reduce risk.
- Software Defined Networking
Making sure workloads of different trust levels are segregated and that traffic visibility is provided to security operation centers are some critical controls.
IaaS workloads should be hardened to a defined standard with agreed core applications and any deviations should be reported and remediated.
- Monitoring and Reporting
Proactive monitoring of security controls is important and ideally, auto-remediation of any issues should be the desired outcome.
Availability design is critical in order to meet the recovery time objectives for a wide range of events and ensure applications continue to operate.
The following is a more comprehensive list of security controls and the tools/solutions available within Azure to meet the controls:
Azure Security Controls Azure Tools and Solutions
|Network||Subscription and Network Segregation. Subnet and NSG Design, WAF & NGF Firewalls|
|Monitoring||Log Analytics, Azure Monitor, Azure AD, Azure Security Centre, Azure Network Watcher|
|Virtual Machine Build Compliance||Hardening Standards, ARM Templates, DSC Core Application Installation Process, Certification|
|Cryptography and Secret Management||OS Disk Encryption, Key Vault|
|Vulnerability Scanning||Qualys Scanning Appliance and Security Centre agent|
|System and Software Vulnerability Management||SCCM, OMS Patching|
|Cloud Security||Azure Platform and OS Logs sent to SIEM and SOC. OMS, ATA|
|Identity & Access Management||Identity for Portal and Host Access, MFA, Jump Box Design|
|Malware Protection||Deploy chosen Anti-Malware agent as part of build process|
|User Access Rights||Design RBAC model, Azure policy design, reduced elevated privilege use|
|Backup||Encrypted Backups, data restore process|
|Availability||Design, availability sets and zones and backup data centre locations|
Contact New Signature to ensure your Azure environment is being designed in a secure manner and that you are meeting the required controls.