Azure Cloud Security: An Introduction
Learn about Azure cloud security options, the shared responsibility model, Azure Security Center, and key best practices for securing Azure workloads.
What is Azure Cloud Security?
Microsoft’s Azure cloud service supports both Windows and Linux operating systems. It is used to build, test, deploy and manage applications residing in data centers managed by Microsoft. It offers SaaS, PaaS, and IaaS services, and supports a broad selection of programming languages, frameworks, tools, databases, and devices.
Azure offers a wide array of cloud security options that can be configured to an organization’s unique requirements, implementation and service model. These include monitoring, encryption for data at rest and in transit, access management, and data recovery.
Azure Shared Responsibility Model
Azure’s security model divides responsibility for the infrastructure between the customer organization and Azure, according to the deployment model:
- On-premises—the responsibility lies solely with the customer.
- Infrastructure as a Service (IaaS)—Azure is responsible for the security of hosts, networks, and the data center.
- Platform as a Service (PaaS)—Azure extends its responsibility to the operating system (OS). Responsibility for identity, directories, network controls, and applications will be shared between Azure and the customer.
- Software as a Service (SaaS)—Azure’s responsibility covers network controls and applications, as well as the physical infrastructure and operating system. Azure shares responsibility for identity and directory infrastructure with the customer.
In all cases, whether on-premises or in the cloud, the customer is always responsible for data governance, endpoint protection, and the management of rights, accounts, and access.
What is Azure Security Center?
Azure Security Center provides protection against threats across hybrid workloads, whether on-premises or in the cloud.
Manage Security Policies and Compliance
Azure’s policy controls can be tailored and applied to management groups, across subscriptions, and to entire tenants. Newly created subscriptions are easy to identify, inherit those policies, and are protected by Security Center.
Continuous Assessments
Security Center identifies newly deployed resources, assesses if configuration is correct, and flags them if not. The center then generates a list of recommendations supported by Azure’s security benchmark, based on best practices and common compliance frameworks. Recommendations are grouped into security controls and prioritized using a severity score.
Azure’s security benchmark aligns with the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) cloud security controls.
Network Map
Security Center provides a network map that illustrates the topology of a workload, so you can verify the configuration of each node. This helps identify and close access points through which an attacker could enter the network.
Azure Security Best Practices
Here are a few best practices that will help you improve security of your workloads on Azure.
Use Azure Monitor
Azure Monitor collates notifications, logs, and resource diagnostics. It analyzes network data flow, evaluates VPN diagnostics and packet captures, and helps troubleshoot connectivity issues. It also generates flow logs, providing security teams with attack details, such as IP address, country of origin, and attack type.
Azure Monitor integrates with Security Information and Event Management (SIEM) solutions, enabling automated analysis of logs and alerts across the Azure deployment.
Encrypt Data
Data encryption is critical whether data is at rest or in transit. Encryption keys should be rotated periodically, disks should be encrypted, and blob encryption, file encryption, and secure transfer should be used together. Secure communication channels with a Virtual Private Network (VPN), and store encryption keys in Azure Key Vault or a privately managed vault.
Limit Data Access
Share only data that needs to be shared. Restrict access to Secure Shell (SSH) and Remote Desktop Protocol (RDP) only to authorized Security Groups, and limit open ports to the minimum.
When sharing data, Azure Information Protection helps classify file priority and apply permissions filters, marking file security classification in headers, footers, and metadata. Azure’s Rights Management service makes it possible to coordinate authorization policies for files, whether they are owned by the organization or belong to third parties.
Use Identity Management and RBAC
Using Azure’s Role-Based Access Control (RBAC), you can restrict permissions to specific Azure subscriptions, resource groups, storage accounts, or individual resources. This minimizes the access and privileges issued, and prevents users from inviting additional users or gaining excessive administrative privileges.
Have a Recovery Plan
Azure Backup applies automated backup policies set by the user and enables central backup management from a single location. It is important to use a 3-2-1 backup model (3 copies, 2 locations, 1 of them off-site).
Azure Cloud Security Posture Management (CSPM) with Aqua
Misconfiguration of cloud services is a primary cause of data breaches. Misconfigurations will happen — the problem is, any lack of visibility or controls to remediate can lead to exploitation. CSPM solutions help by continuously checking for misconfigurations that can have a security impact. This creates visibility by informing staff about misconfigurations, and helping them make the necessary changes.
For example, it is common for organizations to define Network Security Groups (NSGs) with broader permissions than necessary. The fix is to block remote access, or restrict it to specific IPs. CSPM can detect this issue and allow teams to manually restrict access, or specify an auto-remediation policy every time the issue occurs.
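As an added example (not the article's or Aqua's own code), here is a Python check in the spirit of a CSPM plugin for the NSG problem above and the SSH/RDP restriction recommended earlier: it reads an NSG definition, flags inbound Allow rules that expose SSH (22) or RDP (3389) to any Internet source, and produces the remediated form of a rule. The NSG JSON is a constructed sample, and 203.0.113.0/24 is a placeholder for an approved management range.

```python
# Constructed sample shaped like the JSON "az network nsg show" returns (not real output).
SAMPLE_NSG = {"name": "web-nsg", "securityRules": [
    {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-ssh-office", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "allow-wide-tcp", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefixes": ["Internet"], "destinationPortRanges": ["80", "20-5000"]},
    {"name": "deny-ssh", "priority": 130, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
]}
MGMT_PORTS = {22: "SSH", 3389: "RDP"}          # remote-access ports the article singles out
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}   # source values meaning "anyone on the Internet"

def _port_covered(spec, port):
    """True if an NSG port spec ("*", "22" or "20-5000") includes the given port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _values(rule, single, plural):
    """Rules carry either a scalar field or its plural list form; return a list either way."""
    return [rule[single]] if rule.get(single) else list(rule.get(plural, []))

def find_exposed_mgmt_rules(nsg):
    """(rule, service, port, priority) for each Allow rule exposing SSH/RDP to the Internet.
    Caveat: rule precedence is not modelled; a lower-numbered Deny could shadow a flagged Allow."""
    findings = []
    for rule in nsg.get("securityRules", []):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if rule.get("protocol") not in ("Tcp", "*"):      # a UDP-only rule cannot expose SSH/RDP
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(str(s).lower() in OPEN_SOURCES for s in sources):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        for port, service in MGMT_PORTS.items():
            if any(_port_covered(p, port) for p in ports):
                findings.append((rule["name"], service, port, rule["priority"]))
    return findings

def restrict_rule(rule, allowed_cidr):
    """Remediated copy of a rule: same ports and protocol, but sourced only from allowed_cidr
    (a placeholder for your own bastion or office range)."""
    fixed = {k: v for k, v in rule.items() if k != "sourceAddressPrefixes"}
    fixed["sourceAddressPrefix"] = allowed_cidr
    return fixed

EXPOSED = find_exposed_mgmt_rules(SAMPLE_NSG)   # three findings: one RDP rule, one wide rule twice
```

The compliant office-only SSH rule and the Deny rule are not flagged, which is the distinction a CSPM check has to get right before it is trusted for auto-remediation.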
Aqua CSPM is a cloud security auditing, monitoring, and remediation solution that scans your entire public cloud infrastructure for potential security risks, including misconfigurations, malicious API calls, and insider threats. With each scan, it securely connects to your cloud account through the APIs of the underlying cloud provider, collects the necessary data, and then checks it for potential risks and misconfigurations.
For each configuration Aqua CSPM has a plugin – a piece of software that checks this specific setting and compares it to the corresponding best practice and, in case of misconfiguration, offers remediation steps.
Visibility across your entire multi-cloud infrastructure
Aqua CSPM continually audits your cloud accounts for security risks and misconfigurations across hundreds of configuration settings and compliance best practices, enabling consistent, unified multi-cloud security for AWS, Azure, Google Cloud, and Oracle.
Transparency
Aqua CSPM maintains a central and open repository of best practices for cloud security and sends alerts when they are not being adhered to. The repository is continuously updated, based on new security configuration best practices developed by Aqua’s experts.
Automated and semi-automated remediation
Aqua CSPM not only detects configuration issues but also allows organizations to efficiently remediate them on an ongoing basis, offering several levels of control (assisted/manual/automated). You can get detailed, actionable remediation advice and alerts, or choose automatic remediation of misconfigured services with granular control over chosen fixes. Thus, Aqua provides self-securing capabilities to ensure your cloud accounts don’t drift out of compliance.
Extensive compliance reporting
Aqua CSPM supports a broad list of industry standards and frameworks, such as PCI-DSS, HIPAA, AWS Well-Architected Framework, CIS Benchmark, GDPR, SOC 2 Type 2, ISO27001, and NIST, and also lets you implement custom compliance requirements for specific types of checks and conditions.
Real-time control plane events monitoring
Sometimes scanning isn’t enough, and real-time notifications for things like disabled MFA or other high-level security operations may be necessary. With the power of Amazon CloudTrail, Aqua analyzes in real-time each supported API call for violations of security best practices, potential compromises, or malicious activity. By providing visibility into all your cloud control-plane API calls, it enables teams to get alerts on certain API activity when seconds and minutes matter.
Built for enterprise scale
Supporting multiple users and teams across hundreds of cloud accounts, Aqua CSPM integrates with many SIEM and collaboration tools, including Splunk, Slack, OpsGenie, PagerDuty, Microsoft Teams, and more. Fully documented RESTful APIs make it easy for you to create additional integrations and automate workflows.
Infrastructure-as-Code template scanning
Aqua CSPM helps secure your infrastructure-as-code templates with its built-in IaC scanning engine. You can check Terraform and AWS CloudFormation templates for security issues before the deployment of the infrastructure itself. Applying this “shift left” approach in CSPM reduces risk and security incidents in production.
Extensible open source architecture
Based on the CloudSploit open source project, Aqua CSPM has an open core architecture, whereby the entire scanning engine is open source. It provides full transparency into why, what, and how your cloud accounts are tested (you can check all the plugins on the respective GitHub page), and enables users to easily develop new plugins to address specific issues in any cloud service and share them with the community.
Aqua CSPM is the perfect companion to Azure Cloud Security for filling any security gaps in your cloud infrastructure.