The cloud has redefined how enterprises manage security, demanding more vigilance and multi-layer security implementations, whether you’re dealing with born-in-the-cloud applications or migrating workloads from on-premises.
As one of the leading cloud service providers, Microsoft Azure has a plethora of services and tools to help you handle these new challenges. Still, security in the cloud is a shared responsibility. Although some factors like the physical security of assets, OS (in the case of PaaS services), or application stack (in the case of SaaS) are taken off your plate by the cloud service provider, the security of data, endpoints, and account and access management remain the customer’s responsibility.
Azure platform offers a number of services that can be broadly categorized under Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-service(SaaS) delivery models. It supports multiple operating systems, application stacks, the most popular DB platforms, and container-hosting solutions. Irrespective of whether your application is built using .NET, PHP, Python, Node.JS, Java, MySQL, SQL, MariaDB, Docker, Kubernetes—it can find a home in Azure.
As you migrate applications from data centers completely managed by you to Azure, you will greatly depend on the platform to protect these workloads. The shared responsibility model for security thus becomes very relevant here for the demarcation of roles and responsibilities.
Microsoft owns the physical infrastructure of the Azure platform and handles its security, covering several aspects like the physical data center, access control, mandatory security training for staff, background checks, etc. But as you deploy workloads on the Azure platform, a division of responsibilities—between you and your provider—should be taken into consideration, as summarized below:
As depicted in the image above, some security responsibilities, including for the physical data center, network, and host, are taken care of by cloud providers. But, depending on whether you are using an IaaS, PaaS, or SaaS model, you need to address the OS application stack and additional network-layer security requirements.
The security requirements of every organization are unique and would need extensive customizations to ensure the security of each specific workload. Advanced threat vectors in the cloud demand a zero-trust security approach, where nothing is trusted by default and everything is verified. This proactive approach to cloud security helps reduce the attack surface and limit damage in the event of an attack.
Security has to be implemented at each layer of your application stack, starting from compute, storage, and networking all the way up to application-specific controls and identity and access management. Visibility into the status of your environment’s security is also important, as any malicious activity has to be detected in real time for optimal protection.
Azure enables workload security through multiple configurable tools and services you can leverage to meet varying security demands and enhance your cloud security posture. You can also use partner security solutions wherever applicable to further augment this stance.
Security Center is Azure’s centralized security management solution that helps you adapt your security controls to a changing threat landscape and proactively protect your organization against multiple kinds of attacks. Azure services are automatically onboarded to Security Center and monitored against defined security baselines. Default as well as tailored policies can be used to monitor the status of your Azure subscription and included resources. Based on the continuous assessment of your Azure environments, Security Center provides actionable recommendations that can be used to proactively address security gaps.
Azure Security Center also offers comprehensive threat protection and uses cyber kill chain analysis to give you end-to-end visibility into the attack vector. You can additionally use Microsoft Defender for Endpoint to protect your Azure servers. It provides advanced breach-detection sensors that quickly adapt to evolving threats through the power of big data and analytics and provides superior threat intelligence to protect your workloads.
Plus, thezautomated onboarding capability for Windows servers and single-pane visibility make life easy for cloud security teams by reducing operational overhead. Azure Security Center integrates with solutions like Azure Policy, Azure Monitor Logs, and Azure Cloud App Security as well for in-depth security.
Threats in the cloud are not the same as on-premises. The cloud needs born-in-the-cloud solutions to ensure security hygiene and that the best security practices are being implemented. Azure’s Cloud Security Posture Management helps you with this, letting you proactively manage your security workloads in Azure.
The ”secure score” option in Security Center helps to quantify the security posture of your environments using multiple pre-built security controls against which the environments are assessed. If any of these controls are not implemented or if there are any misconfigurations, Security Center offers prescriptive recommendations to improve your score. Meanwhile, the regulatory compliance score assesses workloads against standards like PCI DSS, HIPAA, Azure’s own CIS, and NIST, helping you take stock of your official compliance status.
Security Center enables CSPM by providing a bird’s-eye view of vulnerabilities and generating alerts on potential attacks. Each alert is tagged with a level of severity so you can prioritize mitigation activities. Along with cloud-native workloads, IoT services, and data services, Security Center can protect Windows and Linux machines across environments from threats, thereby reducing the attack surface.
With cloud application sprawl, it has become increasingly difficult to monitor all your apps and ensure secure data transactions. Azure helps to address this concern through a cloud security broker solution called Microsoft Cloud App Security.
This tool protects against shadow IT by helping you detect cloud services being used by your organization and identify any risks associated with them. The service’s built-in policies let you automate the implementation of security controls for cloud applications, plus, you can sanction or unsanction apps through the cloud app catalog functionality, which covers more than 16,000 applications and scores them based on 80+ risk factors so you can make an informed decision on the kind of apps you want to allow in your organization.
Cloud App Security additionally provides visibility into your applications and their security status and controls how data travels between them. It can also detect unusual behavior to identify compromised applications and trigger auto-remediation to reduce risk. You can further evaluate your applications for regulatory compliance and restrict the movement of data to non-compliant apps, and it protects any regulated data in your apps from unauthorized access as well.
Native integration with other Microsoft security solutions provides unparalleled threat intelligence and in-depth analytics to defend your applications from different types of attacks in the cloud.
Azure Security Center offers security baselining and assessment of container hosting environments such as AKS as well as VMs running Docker to identify potential misconfigurations and security loopholes. The hardening of Docker environments is enabled by monitoring against CIS Benchmarks with recommendations consolidated in Security Center. Similarly, monitoring and advanced threat detection are available for AKS nodes and clusters. You can also enable the Azure policy add-on for Kubernetes clusters to monitor requests for Kubernetes API servers against defined best practices before servicing them.
Meanwhile, Azure Defender protects AKS nodes and clusters from run-time vulnerabilities and infiltration by detecting suspicious activities like web shell detection, connection requests from suspicious IPs, privileged container provisioning, etc. Azure Defender also includes a Qualys integration to scan images pulled or pushed to Azure Container Registry. Any findings are classified and displayed in Security Center, allowing you to differentiate between healthy and unhealthy images.
NSGs act as the first line of network defense for workloads connected to Azure VNets. It filters inbound and outbound traffic via five tuple rules using source, source port, destination, destination port, and protocol. These groups can be associated with subnets or the NIC cards of virtual machines and come with a few default rules to allow inter-network communication and internet access. Network Security Groups additionally let you achieve fine-grained control over east-west and north-south traffic and help segregate your application component communication.
Azure VNet is the basic building block of networking in Azure and helps with the micro-segmentation of workloads, enabling the secure communication of connected workloads with other Azure resources, on-premises resources, and the internet. Resources in one Azure VNet cannot communicate with resources in a different VNet by default, unless explicitly connected through options like Peering, VPN, Private Link, etc. Another layer of security can be added by enabling NSGs in subnets inside the VNet. Additionally, you can use traffic shaping within the VNet by creating custom route tables, for example, if you want all traffic to be routed through a network virtual appliance for packet inspection.
Azure VPN lets you securely connect to Azure resources from on-premises data-center networks through site-to-site connection or from individual machines using point-to-site connection. The traffic to Azure goes over the internet but through a secure, encrypted tunnel using SSTP, OpenVPN, or IPSec. While VPN connection works well in branch office scenarios, for assured connectivity backed by Azure SLAs, customers can opt for ExpressRoute, which is a dedicated connection from your on-premises data center to Azure Cloud.
Azure Application Gateway is a load balancer that operates at the application layer (OSI Layer 7) and redirects traffic to resources in the backend pool based on HTTP attributes. It features a web application firewall (WAF) that helps protect your application from common attacks, such as SQL injection attacks, cross-site scripting, HTTP request splitting, remote file inclusion, etc. It comes with a predefined set of security rules but also provides the flexibility to define your own rules. The service is based on OWASP ModSecurity Core Rule Set and is capable of automatically updating itself to protect your applications from new and evolving vulnerabilities.
In a cloud-driven world, Identity has emerged as the new security perimeter. Azure provides role-based access control (RBAC) enabled by Azure Active Directory (AD) to control access to hosted applications. It is recommended to follow the principle of least privilege (PoLP) so that users are given only the minimum access required for their work. This authorization is decided by the role assigned to the user, which can either be one of the built-in roles or a custom role defined by the administrator.
You can further tighten IAM through options like Just-in-time (JIT) access for VMs, shared access signature for storage, multi-factor authentication, etc. It is also important to log and track user activity through Azure AD audit logs and Azure activity logs to identify compromised identities and rogue users.
While native tools and services often provide a good starting point, you also need tools with advanced capabilities to guardrail your applications from evolving threat actors in the cloud. The following additional capabilities are essential to ensure comprehensive cloud security:
CloudGuard can help you with all of the above, as it comes prebuilt with these features. It seamlessly integrates with your Azure-native tools and augments the security of your data and workloads hosted in Azure.
Read more about how CloudGuard can help you achieve your cloud security goals today.