Reading Time: 16 minutes

Azure Fundamentals

Part 3/4 – Azure Security and Monitoring

Material source:

Microsoft documentation

Defence in depth: a series of mechanisms to slow the advance of an attack. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. It can be visualised as a set of concentric rings, with the data to be secured at the centre. Each ring adds an additional layer of security around the data.

What type of security is required at each layer?

Data: It’s the responsibility of those storing and controlling access to data to ensure that it’s properly secured. Often, there are regulatory requirements that dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data

Application: Make security a design requirement for all application development. Ensure applications are secure and free of vulnerabilities.

Compute: Secure access to virtual machines. Implement endpoint protection and keep systems patched and current.

Azure shared responsibility

Azure shared responsibility model

Network: Limit communication between resources. Deny by default. Restrict inbound internet access and limit outbound, where appropriate. Implement secure connectivity to on-premises networks

Perimeter: Use DDoS protection to filter large-scale attacks. Use perimeter firewalls to identify and alert on malicious attacks.

Identity and access: Control access to infrastructure and change control. Use single sign-on and multi-factor authentication. Audit events and changes

Physical security: Physical building security and controlling access to computing hardware within the data centre

Azure Security Center

Azure Security Center: a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. It can;

  • Provide security recommendations based on your configurations, resources, and networks.
  • Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online.
  • Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
  • Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute.
  • Analyse and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred.
  • Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.

Azure Security Centre is available in two tiers;

  1. Free. Available as part of your Azure subscription and limited to assessments and recommendations of Azure resources only.
  2. Standard. Provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more ($15 per node per month)

Example use cases of Azure Security Centre include;

  • Incident response: You can use Security Center during the detect, assess, and diagnose stagesDetect: Use the dashboard to review the initial verification that a high-priority security alert was raisedAssess: Perform the initial assessment to obtain more information about the suspicious activityDiagnose: Conduct a technical investigation and identify containment, mitigation, and workaround strategies. You can do so by following the remediation steps described in Azure Security Center
  • Enhance Security: You can configuring a security policy, and then implementing the recommendations provided by Azure Security Center. When Security Center identifies potential security vulnerabilities, it creates recommendations based on the controls set in the security policy. The recommendations guide you through the process of configuring the needed security controls.

Identity and Access

Azure provides services to manage both authentication and authorisation through Azure Active Directory (Azure AD). It has built in support for synchronising with your existing on-premises Active Directory or can be used stand-alone.

Azure AD provides services such as:

  • Authentication: This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
  • Multi-factor authentication: provided free of charge to any user who has the Global Administrator role in Azure AD, because these are highly sensitive accounts. All other accounts can have MFA enabled by purchasing licenses
  • Single-Sign-On (SSO): Enables users to remember only one ID and one password to access multiple applications.
  • Application management: You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.
  • Business to business (B2B) identity services: Manage your guest users and external partners while maintaining control over your own corporate data Business-to-Customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
  • Device Management: Manage how your cloud or on-premises devices access your corporate data.

Providing identities to services: It’s usually valuable for services to have identities. Often, and against best practices, credential information is embedded in configuration files. With no security around these configuration files, anyone with access to the systems or repositories can access these credentials and risk exposure. Azure AD addresses this problem through two methods;

  • Service principals: An identity is just a thing that can be authenticated. A principal is an identity acting with certain roles or claims. A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.
  • Managed identities for Azure Services: A managed identity can be instantly created for any Azure service that supports it. When you create one for a service, you are creating an account on the Azure AD tenant. The Azure infrastructure will automatically take care of authenticating the service and managing the account. You can then use that account like any other Azure AD account, including securely letting the authenticated service access other Azure resources

Role-based access control: Roles are sets of permissions, like “Read-only” or “Contributor”, that users can be granted to access an Azure service instance. Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy (below diagram). Identities are mapped to roles directly or through group membership. Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances.

Azure Privileged Identity Management: an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews.

Azure Encryption

Note: Symmetric encryption uses the same key to encrypt and decrypt the data. Asymmetric encryption uses a public key and private key pair. Either key can encrypt but a single key can’t decrypt its own encrypted data. To decrypt, you need the paired key. Asymmetric encryption is used for TLS (used in HTTPS) and data signing.

Azure Storage Service Encryption: It is for data at rest. the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval. The entire process and the key management in Storage Service Encryption is transparent to applications using the services.

Azure Disk Encryption: a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks using the BitLocker feature of Windows and the dm-crypt feature of Linux. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

Transparent data encryption (TDE): performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, TDE is enabled for all newly deployed Azure SQL Database instances. TDE encrypts the storage of an entire database by using a symmetric key called the database encryption key. Bring your own key (BYOK) is also supported with keys stored in Azure Key Vault.

Azure Key Vault: helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities. It is useful for;

  • Secrets management: securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
  • Key management: create and control the encryption keys used to encrypt your data.
  • Certificate management: provision, manage, and deploy your public and private SSL/ TLS certificates for your Azure, and internally connected, resources.
  • Store secrets backed by hardware security modules (HSMs): The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.

The benefits of using Azure Key Vault include; centralised application secrets, secure storage of secrets and keys, monitoring of access and use, simplified administration, integration with other Azure services including Azure AD

Network Security

To provide inbound protection at the perimeter, you have several choices;

  • Azure Firewall: protects your Azure virtual network resources. Stateful firewall with built-in HA and scalability. Provides inbound protection for non-HTTP/S protocols and outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S
  • Azure Application Gateway: a load balancer that includes a Web Application Firewall (WAF)
  • Network Virtual Appliances (NVAs):  ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances

Azure DDoS Protection: leverages the scale and elasticity of Microsoft’s global network to bring DDoS mitigation capacity to every Azure region. Protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics.

Azure DDoS Protection provides the following tiers:

  • Basic: automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defences that Microsoft’s online services use
  • Standard: provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. It can be used to mitigate volumetric, protocol and resource based attacks.

Network Security Groups: allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules based on source and destination IP address, port, and protocol.

Azure VPN: Used for connecting Azure VNets to an on-premise VPN device

Azure ExpressRoute: a dedicated, private connection between your network and Azure

Microsoft Azure Information Protection (MSIP or sometimes referred to as AIP): helps organizations classify and optionally protect documents and emails by applying labels. Labels can be applied automatically based on rules and conditions, manually, or a combination of both where users are guided by recommendations. You can purchase MSIP either as a standalone solution, or through one of the following Microsoft licensing suites: Enterprise Mobility + Security, or Microsoft 365 Enterprise

Azure Advanced Threat Protection (Azure ATP): identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure ATP is available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and as a standalone license. It is not available to purchase via the Azure portal (and has its own portal –  https://portal.atp.azure.com ). ATP has the following components;

  • ATP Portal: to view data received from ATP sensors and used to monitor and respond to suspicious activity.
  • ATP Sensor: installed directly on your domain controllers. They monitor domain controller traffic without requiring a dedicated server or configuring port mirroring.
  • ATP Cloud service: connected to Microsoft’s intelligent security graph

Apply and monitor infrastructure standards with Azure Policy

Azure Policy: used to define, assign, and, manage standards for resources in your environment. It can prevent the creation of disallowed resources, ensure new resources have specific settings applied, and run evaluations of your existing resources to scan for non-compliance. Azure Policy can integrate with Azure DevOps, by applying any continuous integration and delivery pipeline policies that affect the pre-deployment and post-deployment of your applications. To create an Azure Policy you will need to;

  1. Create a policy definition: what to evaluate and what action to take. Represented as JSON file.
  2. Assign definition to a scope of resources: policy definition is assigned to take place within a specific scope. This scope could range from a full subscription down to a resource group. Policy assignments are inherited by all child resource, but you can exclude a subscope from the policy assignment.
  3. View policy evaluation results:

Initiative Definition: simplify the process of managing and assigning policy definitions by grouping a set of policies into a single item. Microsoft recommends using initiatives if you anticipate increasing the number of policies over time.

Azure Management Groups: containers for managing access, policies, and compliance across multiple Azure subscriptions. They allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions. Another scenario where you would use management groups is to provide user access to multi subscriptions. By moving many subscriptions under that management group, you can create one role-based access control (RBAC) assignment on the management group, which will inherit that access to all the subscriptions.

Azure Blueprint: Azure Blueprint is a declarative way to orchestrate the deployment of various resource templates and other artefacts, such as: Role assignments, Policy assignments, Azure Resource Manager templates, and Resource groups. The process of implementing Azure Blueprint consists of the following high-level steps:

  • Create an Azure Blueprint
  • Assign the blueprint
  • Track the blueprint assignments

Azure Blueprints are different from Azure Resource Manager Templates. When Azure Resource Manager Templates deploy resources, they have no active relationship with the deployed resources (they exist in a local environment or source control). By contrast, with Azure Blueprint, each deployment is tied to an Azure Blueprint package. This means that the relationship with resources will be maintained, even after deployment. Managing relationships, in this way, improves auditing and tracking capabilities. Azure Blueprints are also useful in Azure DevOps scenarios, where blueprints are associated with specific build artefacts and release pipelines and can be tracked more rigorously.

Compliance

Microsoft provides four sources regarding its compliance and infrastructure management;

  1. Microsoft Privacy Statement
  2. Microsoft Trust Center
  3. Service Trust Portal
  4. Compliance Manager

Microsoft privacy statement: explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.

Trust Center: a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency

Service Trust Portal (STP): hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services. Service Trust Portal is a companion feature to the Trust Center.

Compliance Manager: a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organisation’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services. Compliance Manager provides ongoing risk assessments with a risk-based scores reference. It combines the following three items; information provided by Microsoft to auditors and regulators, information that Microsoft compiles internally for its compliance with regulations, and an organisation’s self-assessment of their own compliance with these standards and regulations.

Monitor your service health

Azure provides two primary services to monitor the health of your apps and resources.

  1. Azure Monitor: collects, analyses, and acts on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. Activity Logs record when resources are created or modified and Metrics tell you how the resource is performing and the resources that it’s consuming. Optionally, you can add an agent to your compute resources. Azure monitor can also send Alerts or use Autoscale.
  2. Azure Service Health: a suite of experiences that provide personalised guidance and support when issues with Azure services affect you.  It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources.