Azure Security Architecture & Best Practices Tips and Tricks - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Tuesday, November 1, 2022

Azure Security Architecture & Best Practices Tips and Tricks

This post summarizes some collected best practice resources relating to Microsoft Azure Security and architecture. 

Reference Enterprise Design - Azure Network Security

Browse Azure Architectures - Security

Azure Network Defense in Depth

Six different layers protection :
  • DDos Protection
  • Load Balancer /WAF
  • Virtual Appliances / Azure FW
  • Subnet NSG
  • VM / Services Firewall

Azure Defender

Defender :
  • Endpoints
  • Apps
  • IoT
  • Clouds
  • Identity
  • Office 365

Azure Security Best Practices - Tips and Tricks

Top 10
  1. Encrypt data at rest and in-flight (in-motion, in-transit)
    • Transparent data encryption - enabled by default for Azure SQL, Synapse, DB for PostgresSQL and MySQL
    • Secure transfer required : Enabled by default
  2. Restrict Access to your data
    • Database firewalls for development and test environment
    • Azure Private Link to connect for production 
  3. Restrict Access to VMs
    • Close RDP or SSH access. Use Bastion to access. No public ip.
  4. Protect application secrets
    • Don't store secrets like api keys and connection strings in application code
    • Store keys and certifications into Azure Key vault
    • Using Azure Access Policy to define the access from Azure Services to Azure key vault without using secrets.
  5. Used a separate Azure Subscription for Production
    • RBAC + policies
  6. Implement a WAF (Web Application Firewall)
    • Application gateway or Front Door. - Enable WAF
  7. Use Azure Security Center
  8. People - Education: threats, security culture, shared responsibility, architecture, services, security controls, etc
  9. Process - Assign accountability, rapid incident response, posture management
  10. Technology - Passwordless / MFA, Native network security & firewall, natvie threat detection

  • Architecture
    • Single directory / idenity: simplifies monitoring & user experience - Azure AD / DS
    • Identity access: avoide using key based access control
    • Single stragety: align and integrate teams, processes

For a video presentation, see best practices for Azure security

WWWH Methodology (What Why Who How)

1  People: Educate teams about the cloud security journey
2  People: Educate teams on cloud security technology

3  Process: Assign accountability for cloud security decisions

DecisionDescriptionTypical team
Network securityConfigure and maintain Azure Firewall, network virtual appliances and associated routing, Web Application Firewalls (WAFs), NSGs, ASGs, and so on.Infrastructure and endpoint security team focused on network security
Network managementManage enterprise-wide virtual network and subnet allocation.Existing network operations team in central IT operations
Server endpoint securityMonitor and remediate server security, including patching, configuration, endpoint security, and so on.Central IT operations and infrastructure and endpoint security teams jointly
Incident monitoring and responseInvestigate and remediate security incidents in SIEM or source console, including Microsoft Defender for Cloud, Azure AD identity protection, and so on.Security operations team
Policy managementSet direction for use of Azure role-based access control (Azure RBAC), Defender for Cloud, administrator protection strategy, and Azure Policy to govern Azure resources.Policy and standards and security architecture teams jointly
Identity security and standardsSet direction for Azure AD directories, PIM/pam usage, multi-factor authentication, password/synchronization configuration, application identity standards.Identity and key managementpolicy and standards, and security architecture teams jointly

4  Process: Update incident response processes for cloud5  Process: Establish security posture management

Update processes and prepare your team so they know what to do when they find an active attacker.

  • Processes and playbooks: Adapt existing investigations, remediation, and threat hunting processes to the differences of how cloud platforms work. The differences include new or different tools, data sources, identity protocols, and so on.
  • Education: Educate analysts on the overall cloud transformation, technical details of how the platform works, and new or updated processes. This information lets them know what might change and where to go for what they need.
  • Key focus areas: While there are many details described in the resource links, these areas are where to focus your education and planning efforts:
    • Shared responsibility model and cloud architectures: To a security analyst, Azure is a software-defined datacenter that provides many services. These services include VMs and others that are different from on-premises, such as Azure SQL Database Azure Functions. The best data is in the service logs or the specialized threat detection services. It's not in logs for the underlying OS/VMs, which are operated by Microsoft and service multiple customers. Analysts need to understand and integrate this context into their daily workflows. That way they know what data to expect, where to get it, and what format it's in.
    • Endpoint data sources: Getting insights and data for attacks and malware on cloud-hosted servers is often faster, easier, and more precise with native cloud-detection tools. Tools like Microsoft Defender for Cloud and endpoint detection and response (EDR) solutions provide more precise data than traditional approaches of direct disk access. Direct disk forensics are available for scenarios where it's possible and required for legal proceedings. For more information, see computer forensics in Azure. Often, though, this approach is the most inefficient way to detect and investigate attacks.
    • Network and identity data sources: Many functions of cloud platforms primarily use identity for access control. This access control includes access to the Azure portal, though network access controls are used extensively as well. This access control requires analysts to develop an understanding of cloud identity protocols to get a full, rich picture of attacker activity and legitimate user activity to support incident investigation and remediation. Identity directories and protocols are different from on-premises ones. They're typically based on SAML, OAuth, and OpenID Connect and cloud directories rather than LDAP, Kerberos, NTLM, and Active Directory.
    • Practice exercises: Simulated attack and response can help build organizational muscle memory and technical readiness. They provide preparation for your security analysts, threat hunters, incident managers, and other stakeholders in your organization. Learning on the job and adapting is a natural part of incident response, but you can work to minimize how much you have to learn in a crisis.

6  Technology: Require passwordless or multifactor authentication

7  Technology: Integrate native firewall and network security
  • Extend existing capabilities and architectures: Many organizations often choose to extend the use of existing firewall capabilities so they can capitalize on existing investments into skills and process integration, particularly as they first adopt the cloud.
  • Embrace native security controls: More organizations are starting to prefer using native controls to avoid the complexity of integrating third-party capabilities. These organizations typically seek to avoid the risk of a misconfiguration in load balancing, user-defined routes, the firewall or WAF itself, and delays in handoffs between different technical teams. This option is compelling to organizations embracing infrastructure as code approaches as they can automate and instrument the built-in capabilities more easily than third-party capabilities.

8  Technology: Integrate native threat detection
Enable threat detection in Microsoft Defender for Cloud for all the resources you're using and have each team integrate these resources into their processes as described above.

9  Architecture: Standardize on a single directory and identity

Adopt a pragmatic approach that starts with new greenfield capabilities. Then, clean up challenges with the brownfield of existing applications and services as a follow-up exercise:

  • Greenfield: Establish and implement a clear policy that all enterprise identity can use a single Azure AD directory with a single account for each user.

  • Brownfield: Many organizations often have multiple legacy directories and identity systems. Address these legacy items when the cost of ongoing management friction exceeds the investment to clean it up. While identity management and synchronization solutions can mitigate some of these issues, they lack deep integration of security and productivity features. These features enable a seamless experience for users, admins, and developers.

The ideal time to combine your use of identity is during application development cycles as you:

  • Modernize applications for the cloud.
  • Update cloud applications with DevOps processes.

While there are valid reasons for a separate directory for independent business units or regulatory requirements, avoid multiple directories in all other circumstances.

11  Architecture: Use identity-based access control instead of keys

Setting an organizational preference and habit for using identity-based authentication requires following a process and enabling technology.

The process

  1. Establish policy and standards that clearly outline the default identity-based authentication, and acceptable exceptions.
  2. Educate developers and infrastructure teams on why to use the new approach, what they need to do, and how to do it.
  3. Implement changes in a pragmatic way by starting with new greenfield capabilities being adopted now and in the future, such as new Azure services and new applications, and then following up with a clean-up of existing brownfield configurations.
  4. Monitor for compliance and follow up with developer and infrastructure teams to remediate.

The technologies

For non-human accounts such as services or automation, use managed identities. Azure managed identities can authenticate to Azure services and resources that support Azure AD authentication. Authentication is enabled through predefined access grant rules, avoiding hard-coded credentials in source code or configuration files.

For services that don't support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level instead. You should configure service principals with certificate credentials and fallback to client secrets. In both cases, Azure Key Vault can be used with Azure managed identities, so that the runtime environment, such as an Azure function, can retrieve the credential from the key vault.

12  Architecture: Establish a single unified security strategy

Build and implement a security strategy for cloud that includes the input and active participation of all teams. While the process documentation format can vary, it always includes:

  • Active input from teams: Strategies typically fail if people in the organization don't buy into them. Ideally, get all teams in the same room to collaboratively build the strategy. In the workshops we conduct with customers, we often find organizations have been operating in de facto silos and these meetings often result in people meeting each other for the first time. We find that inclusiveness is a requirement. If some teams aren't invited, this meeting typically has to be repeated until all participants join it. If they don't join, then the project doesn't move forward.
  • Documented and communicated clearly: All teams must have awareness of the security strategy. Ideally, the security strategy is a security component of the overall technology strategy. This strategy includes why to integrate security, what is important in security, and what security success looks like. This strategy includes specific guidance for application and development teams so they can get clear, organized guidance without having to read through non-relevant information.
  • Stable, but flexible: Keep strategies relatively consistent and stable, but the architectures and the documentation might need to add clarity and accommodate the dynamic nature of cloud. For example, filtering out malicious external traffic would stay consistent as a strategic imperative even if you shift from the use of a third-party next generation firewall to Azure Firewall and adjust diagrams and guidance on how to do it.
  • Start with segmentation: There are strategy issues both large and small to address, but you need to start somewhere. Start the security strategy with enterprise asset segmentation. This segmentation is a foundational decision that would be challenging to change later and requires both business input and many technical teams.

Microsoft has published video guidance for applying a segmentation strategy to Azure. There are documents published about enterprise segmentation and aligning network security to it.

The Cloud Adoption Framework includes guidance to help your teams with:

Shared Responsibility model for cloud security

1  AWS - Shared Responsibility Model

2  Azure: - Shared Responsibilities for Cloud Computing

3  CIS: Shared Responsibility for Cloud Security: What You Need to Know

1. Microsoft Azure,
2. Amazon Web Services,

Azure Security Reference Model

1  Reference Design - Azure Administration Model

2  Best practices and tips to secure your hybrid cloud environment

2  Best practices - Identity & Access Management

  • Centralize Identity management. Designate a single Azure AD directory as the authoritative source.
  • Enforce SSO and Multi Factor Authentication.
  • Leverage Azure RBAC with Privileged Identity Management.
  • Actively monitor for suspicious activities using AAD anomaly reports.
  • Use Azure AD for storage authentication.

3  Best Practice - for Azure Storage

Advanced Threat Protection for Azure Storage
Alerts on anomalous access & potential data exfiltration
Investigation & remediation guidance
Alerts in Azure Security Centor

Note: Advanced Threat Protection for Storage Alerts

4  Best practices — Apps and Data security
Leverage Key Vault to store cryptographic keys and secrets. Control access through RBAC
Manage Azure Key Vault access at Management plane and Data plane
Encrypt data and rest and dbta in transit. Use client-side encryption for high value data
Leverage Advance Data Security (ADS) for Azure SQL
Leverage Azure Security Center to identify assets that do not have encryption at rest enabled

5  Best practices — Network Security
Adopt a Zero Trust approach
Control routing behavior and avoid implications of default routes
Disable RDP/SSH Access to virtual machines over internet
Choose whether to use Native Azure Controls or 3rd party Network Virtual Appliances (NVAs) for
internet edge security (North-South)
Simplify NSG rule management by defining application security groups (ASGs)

6  Protect Linux and Windows Servers from Threats

Best practices:
  • Reduce open network ports
    • Use Just-in-Time VM to control access to commonly attacked management ports
    • Limit open ports with adaptive network hardening
  • Block malware with adaptive application controls
  • Protect Windows servers and clients with the integration of Microsoft  Defender ATP and Linux servers

7  Protect your workloads from Threats - Use industry's most extensive threat intelligence to gain deep insights
Best Practices:
  • Detect & block advanced malware and threats for Linux and Windows Servers on any cloud
  • Protect cloud-native services from threats 
  • Protect data services against malicious attacks
  • Protect your Azure IOT solutions with near real time monitoring
  • Service layer detections: Azure network layer and Azure management layer (ARM)

Modern security operations and threat protection

Modern security operations and threat protection with Azure security center and Azure sentinel

Security Posture management with Secure Score

  • Gain instant insight into the security state of your cloud workloads
  • Address security vulnerabilities with prioritized recommendations
  • Improve your Secure Score and overall security posture in minutes
  • Speed up regulatory compliance


No comments:

Post a Comment