Five Best Practices to Set up a Secure Azure Platform

Cloud Services are Growing, but are They Secure?

The trends are clear. Microsoft reported a 98 percent year-over-year revenue growth for the second fiscal quarter in 2018 and credited cloud growth as the major catalyst. Across all industries, companies are looking to cloud services. By the end of this year, Gartner predicts spending on public cloud services will increase another 18 percent to $306 billion. At least 70 percent of U.S. organizations are now using some type of cloud computing. However, even the best platform can be sabotaged by a poor set-up, and poor set-up can result in an insecure network. In fact, Forbes recently wrote about “13 Biggest Challenges When Moving Your Business to the Cloud.” Their first point was “Getting it right.” The article compared Infrastructure-as-a-service (Iaas), including Azure, to Legos. “There are many different pieces and tons of ways to assemble something.” How can you assemble your Azure network to optimize security? Here are five best practices to implement to make sure you have a secure Azure platform.

Mitigate Risk Through Forced Tunneling

Security is a top priority for Azure developers. Azure adheres to the rigorous guidelines laid out by the International Organization for Standardization (ISO), which includes hundreds of specifications aimed at keeping infrastructure secure. However, there are default settings in Azure that should be changed to make it more secure. One involves tunneling. The default routes for an Azure Virtual Network allow virtual machines to initiate traffic on the Internet. However, these outbound connections are a playground for attackers.

To amp up security, enable forced tunneling on your virtual machines. What does this accomplish? To explain, let’s compare forced and split tunneling. Split tunneling is often seen with VPN connections. Imagine an employee connecting to the corporate network from his home through a VPN connection. He accesses all the corporate resources through the VPN. However, when he accesses the Internet, these connections do not go through the VPN if split tunneling is enabled. Many experts recommend disabling split tunneling and forcing all connections, including Internet connections, to go through the corporate network security infrastructure. Enabling forced tunneling will ensure that all cross-premises connections are secure.

Enable SSO with Azure AD

Managing multiple directories is not only cumbersome for IT managers, but end users must struggle to remember multiple log-ins. In addition, when users have multiple passwords to remember, they often reuse passwords or choose weak ones. Simplify log-ins for users and improve security by enabling Single Sign-On (SSO). SSO allows users to sign in just once to gain access to all the applications and resources they need, and employees can use the same credentials whether they are on-premises or accessing resources on the cloud.

Configure applications to use Azure Active Directory (AD) as the SAML-based identity provider. AD monitors who can gain access to certain applications and files. The user will not be granted access unless they have been approved in the Azure AD. Access can be granted on an individual basis or as a group. Azure AD supports three different ways to use SSO.

• Federated SSO redirects applications to Azure AD for authentication instead of prompting for its own application password.
• Password-based SSO actually securely stores the application password and enables reply using a web browser or mobile app. This method uses an existing process built into the application but allows the administrator to manage the passwords.
• Existing SSO allows Azure AD to use existing SSO that has already been set up for the application, allowing the application to be linked to Office 365 or Azure Ad access panel portals.

In addition to SSO, take advantage of the following features of Azure AD to create a secure Azure platform.

• User provisioning. Azure AD allows administrators to easily authorize and de-authorize users. A provisioned account is the means by which a user is able to use SSO to access their applications.
• Centralized application access management. Azure allows administrators to delegate application access decision-making and approvals to anyone in the organization.
• Reporting. Azure AD has extensive reporting and monitoring functions so user activity can be tracked across applications.

Use RBAC for DevOps Authorization

Azure is a popular platform in development environments. The DevOps software development method has aligned application development and IT operations. Azure enables organizations to increase productivity using the DevOps method by eliminating delays due to material, equipment, and hardware supply. However, this method has also required a new security approach. NetworkWorld  explained it this way, saying, “This means many smaller projects can go from concept to development to deployment much faster than traditional applications. It also means more de-centralized control, as many different teams can run these smaller projects simultaneously.” As a result, companies are more exposed to attacks, both internal and external.

Either due to a lack of knowledge about building a secure Azure platform or in an effort to accelerate development, DevOps teams are often too permissive with granting authorization. Often times, users have significantly more access than they should. Give DevOps room to innovate while keeping the organization safe by utilizing Azure Role-Based Access Control (RBAC). RBAC allows authorization within a team to be divided up so that only the level of access needed is granted to each user. Predefined roles, including owner lab user and collaborator, help assign rights. The same tool can be used for external partners that may need certain access.

Think of RBAC as the means by which you enforce permissions. Role assignment is made up of three elements:

• Security principal
• Role definition
• Scope

Here’s just a sampling of how you can configure RBAC:

• Give one user permission to manage virtual machines in a subscription, while another user manages virtual networks.
• Assign a DBA group to manage SQL databases in a subscription.
• Permit a user to maintain all resources within a group, including virtual machines, websites, and subnets.
• Set parameters to allow an application to access all resources in a resource group.

Create Security Zoning with DMZ’s

In the world of security, DMZ stands for demilitarized zone. Microsoft recommends deploying a DMZ to enhance network security on your Azure platform. DMZ is a physical or logical subnetwork or perimeter network that provides an additional layer of security between the Internet and the company’s data. The established subnetwork is outside the firewall. The DMZ network works by positioning network access control devices around the perimeter of the DMZ network, allowing only desired traffic to pass the network security device. In turn, only that desired traffic makes it into your Azure Virtual Network. Incoming requests are intercepted by the DMZ before they even reach the firewall. A true DMZ also restricts computers behind the firewall from directly communicating with the DMZ devices. Large corporations often have multi-level DMZs with several layers of firewall support to protect their networks.

When using the Azure Virtual Network, you would set up your network security devices to sit between the Internet and the Azure network, interacting with both. The devices within the DMZ can handle all your management, monitoring, logging and reporting. Examples of what you might include in your DMZ are:

• DDoS prevention
• Intrusion Detection/Intrusion Prevention systems (IDS/IPS)
• Firewall rules and policies
• Web filtering
• Network anti-malware

Read more about Microsoft’s recommendations for DMZ architecture with the Azure Virtual network here.

Use Load Balancing Techniques to Improve Availability of Your Secure Azure Platform

The CIA security model includes the three pillars of confidentiality, integrity, and availability. Although availability is not always the biggest security priority, ensuring optimal uptime and performance is a key part of securing the network. If performance is poor, data will be unstable and sometimes inaccessible. If service is down, critical data simply can’t be accessed. To improve availability, load balancing is a common technique used with the Azure Virtual Network. Load balancing is basically a method that distributes traffic across backend servers, sometimes called a server pool or server farm. The benefit is that if one server becomes unavailable, the load balancer stops sending traffic to that server and redirects to another. Performance is also enhanced because the processor and network requests are distributed across all servers.

The Azure Virtual Network has three load balancing options available.

• HTTP-based load balancing: Azure has an HTTP load balancer called Application Gateway. This method makes balancing decisions using the characteristics of the HTTP protocol. While there are many applications, shopping cart apps and web mail servers often use this balancing method.
• External load balancing: Azure’s External Load balancer uses information at the network and transport layers of the OSI network model to take incoming connections from the Internet and balance them among your servers on the Azure network. This method is recommended when you have stateless applications, that is applications that do not save client data from one session to another.
• Internal load balancing: Azure’s internal load balancing capability works similarly to external load balancing. However, instead of accepting connections from external sources, however, it’s accepting connections from virtual machines initiated by devices already on the Azure network.

Learn More Best Practices From Agile IT

Azure Virtual Network is a powerful tool. Getting the most out of your investment is largely dependent on how it’s deployed.  Contact the experts at Agile IT to learn more best practices when deploying the Azure Virtual Network.