Last Updated on 28th January 2022
Azure Security Best Practice
Making the transition to the cloud can be a great way to enhance your business. However, many organisations are hesitant about making this move due to concerns about data safety and security. If these kinds of worries are holding you back from moving to the cloud, it’s important to know that following best-practice suggestions can go a long way towards keeping your cloud data safe.
Restrict Access Levels
From the perspective of internal security, one of the most important ways to protect data is simply to restrict who can access it—and also restrict who decides who can access it. This means restricting both user access, and administrator access. Any security measures you take are meaningless if the accounts that manage your Azure subscription aren’t administrators themselves. In terms of best-practices, this includes:
1) Limit who has admin access to the fewest number of people and accounts possible.
2) Use Privileged Identity Management to stay in control of admin access. Azure allows accounts to have temporary admin access in order to perform specific tasks. So, you can grant temporary admin access as needed, when people need it to perform those tasks. Since admin accounts have higher fees, granting access on a temporary basis can both improve security and save money.
Note: A similar feature is available to restrict data access. This is called Shared Access Signatures. This feature allows you to grant a user temporary access to selected stored data. This means you can give an individual short-term access to sensitive information, then revoke that access when it’s no longer required.
3) For general accounts, make sure to only grant individual users the access rights and permissions they need to perform their specific tasks.
Restrict Network Access
Another important best-practice is to protect any systems that connect to the internet, to reduce the risk of unauthorised access. Some options include:
- Use network security groups to restrict network access to specific designated points on Windows or Linux virtual machines.
- Configure a site-to-site VPN to enhance network security groups. This means they restrict access from any points outside the local network, protecting against remote attacks.
- Use Azure virtual networks to manage systems that don’t need local access.
Use Privileged Access Workstations
There’s been a trend in recent years towards allowing employees to use their own devices for work purposes. This can work well for some organisations, and can certainly save money. But in terms of security, it’s definitely not a best-practice situation. It’s much safer to provide dedicated workstations, for instance by taking advantage of Microsoft Azure’s Privileged Access Workstations feature. This provides additional security for work-only machines, with a high-level of protection against phishing attacks and other issues that leave the system vulnerable.
Use Multi-factor Authentication
For a variety of reasons, securing online accounts with just a password is no longer an ideal situation, no matter how strong the password might be. Now, it’s much better to use multi-factor authentication to provide extra security. Azure’s multi-factor authentication keeps data more secure by requiring not just a password, but an additional security check in the form of a code sent via a text or phone call.
Note that all accounts—including admin as well as general user accounts—should be set up to require multi-factor authentication. Never assume that any account is 100% safe, not even your own.
Activate Azure Key Vault
This key management solution helps you protect cloud data by providing a place to digitally store encrypted and secret keys, including passwords. The encrypted keys are stored in hardware security modules. Usage of those keys can then be monitored via log analysis.
Activate Azure Encryption
Encrypting virtual disks and disk storage helps reduce the risk of data theft, and the risk of unauthorised data access. There are a couple of ways that Azure does this.
1) Azure Disk Encryption uses BitLocker and other encryption methods to encrypt an operating system and attached data drives. It also integrates with Azure Key Vault for easier management of encryption keys.
2) Azure Storage Services protects stored data with account-level encryption. Data is encrypted as it’s written, and then decrypted when it’s accessed.
Use Azure Security Centre to Monitor the Server Centrally
Azure Security Centre offers a centralized security management solution that allows you to monitor for a wide range of security issues.
The security centre is an integral part of Azure. It’s available for free at a basic level, and it activates as soon as you set up your Azure environment. Once deployed, it provides advanced threat protection for cloud, on-site, and hybrid data centres. Azure Security Centre monitors your systems for threats, and also provides recommendations for improving security, as well as:
- Configuring network security to block brute force attacks and other threats
- Providing web application firewalls to protect against targeted attacks
- Providing anti-malware software that identifies and removes malware
- Deploy system updates as needed
- Identifying and resolving issues caused by vulnerable operating system configurations
Log All Activity
Microsoft Azure has a number of different ways to log activity, and it’s important to use these correctly. They provide you with a means of auditing security, and can help prove compliance with data regulations.
Note that each different logging method has its own log storage account. The default setting for these is that log data is stored for a limited amount of time. Ideally, these settings should be changed so that logging data is stored indefinitely.
For assistance making your Azure environment more secure, get in touch with us today.