A few years ago, security was a weak point in cloud software. Today, the best cloud services offer stronger security than many businesses can achieve in an on-premises data center. Its benefits don’t come automatically, though. The customer has to understand how the security features work and actively take advantage of them.
Microsoft Azure’s cloud services offer a vast range of protections for the SaaS user. The Introduction to Azure Security offers a good overview of them, though it presents quite a lot of information for an introductory piece. So, here is a slightly shorter look at those features, with the focus on how managers can use them to maximize the security of cloud applications.
Important considerations for administrators include user management, operations, applications, and data storage. In addition, administrative accounts themselves need to be treated with care.
A good starting point is user management. It includes making sure only authorized people to have access, that they have only the amount of access they need, and that strong authentication mechanisms are in place.
Users are inclined toward weak passwords since they’re easier to remember. Azure provides several ways to keep password choices from becoming a risk. Administrators should become familiar with Azure Active Directory and everything it offers.
Password policy enforcement keeps users from choosing short or easily guessed passwords. It requires passwords of 8 to 16 characters. A password must use at least three out of four of uppercase letters, lowercase letters, numbers, and symbols. The administrator can choose whether or not to allow password expiration. Many security experts believe expiration doesn’t convey any significant benefit and only encourages people to choose simple passwords. However, if company policy requires expiration, it’s available.
Multi-factor authentication prevents anyone from breaking into an account just by knowing a username and password. Azure lets users choose confirmation by text message, application, or voice call. Suspicious login attempts can trigger an alert.
Implement Role-Based Access Control
RBAC, Role-based access control, allows a fine-grained definition of what any user can access. A “user” for this purpose can be either a person or an account which an application uses. When accounts don’t have unnecessary access to resources, a compromised one can’t do as much harm. Administrators have more time to locate the hijacked account and lock the attacker out of it. Roles under Azure Security include specialized ones such as Key Vault Contributor, Monitoring Reader, and Site Recovery Operator.
Role assignment aids in sharing information safely with partners. The partner can get read-only access or be restricted to certain parts of the data.
IT managers and administrators have access to many tools for spotting issues, monitoring applications, and automating responses. Azure Security Center supports unified security management. Its dashboard gives a quick overview and insights into current issues. From there, the administrator can use the policy management interface to view compliance levels. One Security Center account can manage multiple subscriptions, each with its own policies.
Azure Security Center is available under the Operations Management Suite, which also includes monitoring and log analytics. These tools help administrators to catch unusual behavior in applications, such as large numbers of errors or failures. Administrators can create custom queries to streamline checks which they make regularly. They can also view the overall state of the services which they monitor. Searching voluminous logs with tools like grep doesn’t get very far. Azure’s tools make it easier to extract significant information from them.
Azure Advisor provides recommendations on availability, performance, and security. It identifies vulnerabilities and suggests specific actions for mitigating them. It’s configurable so that it generates recommendations only for subscriptions and resources where they’re wanted.
Application-level security is important in today’s world. Attackers try to smuggle in packets which look legitimate at the network level but target weaknesses in software. Azure Application Gateway lets administrators set up multiple levels of protection.
Set Up Web Application Firewalls
It can set up a Web application firewall (WAF) to keep hostile traffic out. A WAF applies OWASP rules to stop requests that target common vulnerabilities such as cross-site scripting and SQL injection. It’s always possible for an application to have undiscovered vulnerabilities; packets designed to exploit them just shouldn’t reach the application in the first place.
A WAF can be set up either just to detect threats or to block them. Detection mode may be useful when testing a configuration, to make sure it doesn’t block legitimate traffic. In normal operation, after any necessary rules tweaking, it should keep hostile traffic out. Administrators can modify WAF rules to reduce false positives. If a legitimate request within an application’s context looks like cross-site scripting to the WAF, you can modify the rules to avoid interference with normal use.
A WAF logs information about potentially hostile packets, making it available to log analytics and monitoring. Administrators can identify the source and nature of attacks before they do any harm and take any necessary steps.
Bots and crawlers are fine when they come from legitimate sources, but they can be a sign of probing for weaknesses. WAF identifies crawlers so that the service can block them off if necessary.
Some configuration errors in IIS, Apache, and other application servers turn up frequently. IIS reports file access issues and other possible configuration weaknesses in them.
Some attacks, unfortunately, may get through. Azure’s storage protection minimizes the chances that they’ll acquire or damage valuable data.
Encrypt Sensitive Information
Sensitive information needs to be encrypted in transit. Administrators can use HTTPS protocols wherever they’re necessary by enabling the “secure transfer required” setting for a storage account. If it is enabled, the account refuses unencrypted HTTP requests. This guards against poorly designed applications accessing important data. The secure transfer requirement can also be set programmatically, through a REST API or language-specific libraries.
Azure Files supports encryption for SMB 3.0 transfers. SMB 2.1 doesn’t support encryption, so older systems could expose data in transit. Azure requires SMB 3.0 for file shares outside the hosted region, to prevent this from happening inadvertently.
Also, critical information needs to be encrypted even when it’s in storage and theoretically safe. This is part of the “defense in depth” approach. With Azure storage accounts, encryption is the default. The feature is Storage Service Encryption or SSE. Applications don’t have to do anything to use it. Customers can either use Microsoft-generated keys or their own keys.
Protect Your Encryptions
Additionally, you need to protect the encryption keys themselves. A compromised key can leave an entire file system unprotected. Azure Key Vault lets customers store their keys in hardware security modules (HSMs), along with non-Azure keys. Azure Active Directory manages permissions to access the keys.
An additional layer of protection is possible with client-side encryption. Microsoft’s .NET and Java libraries support encryption based on the Azure Key Vault APIs. The keys can use the Azure Key Vault, or the customer can manage them independently. With this approach, the information is encrypted twice over if sent by HTTPS, and it’s never exposed on the server side, even in transient memory.
SQL databases can use transparent data encryption and column-level encryption. Transparent encryption protects against direct access to the data storage but not against unauthorized SQL requests. Column-level encryption requires separate decryption or hash checking after retrieving data, and it is appropriate for especially sensitive information such as passwords.
Administrators need to understand when each type of encryption is applicable, so they can provide the necessary protection for all their data.
Securing Azure Administration
Azure provides an excellent set of tools for running cloud software securely. However, they don’t do much good if the administration itself isn’t well protected. A compromised administrator account can result in all kinds of damage. Administrators should always use multi-factor authentication and strong passwords.
Minimize Administrative Access
Administrator accounts are for administrative purposes only. Cloud-hosted applications should run on a different account. The less the admin account is used, the less likely it will be compromised. A single sign-on shouldn’t get access to both the user and administrator accounts. If the same person manages multiple subscriptions, each one should have its own admin account.
Delegating some administrative tasks doesn’t require giving full rights. Role-based access control lets people with limited responsibilities get only the rights their tasks require. Creating full admins may seem quick and easy, but it broadens the chances for serious harm. One compromised account is all it takes.
Defining resource groups helps to manage delegation. You can assign a user the rights to manage everything defined in the resource group. If its scope changes later, modifying the group’s definition updates the rights of all accounts based on it.
Protect Login Information
Information for accessing those accounts should be as limited as possible. It’s necessary to have a backup for the administrator, but if the login information is too widely available, that’s an unnecessary risk.
Therefore, protecting Key Vault access is especially important. Stolen keys can make encryption useless and allow theft of information in transit. Access should be as limited as possible.
To summarize: Azure cloud software provides top-quality security, but that doesn’t relieve the administrators of the need to understand its features and manage them carefully. A thorough understanding of the available tools within Azure security and careful attention to managing them are necessary in order to have truly secure services. Agile IT has the skills and experience to make this happen. Contact us to find out how we can help.