As a natural extension of Microsoft’s on-premises offerings, Azure cloud is enabling hybrid environments. In fact, 95% of the Fortune 500 is using Azure. But there are some common misconceptions when it comes to security.
Oftentimes, organizations jump into Azure with the false belief that the same security controls that apply to AWS or GCP also apply to Azure. This is simply not the case. Outlined below are some common challenges, along with security best practices, to help you mitigate risks and keep your Azure environment secure.
According to our research, the average lifespan of a cloud resource is two hours and seven minutes. Many companies have environments that involve multiple cloud accounts and regions. This leads to decentralized visibility and makes it difficult to keep track of assets. Since you can’t secure what you can’t see, detecting risks becomes a challenge.
Best Practice: Use a cloud security approach that provides visibility into the volume and types of resources (virtual machines, load balancers, security groups, gateways, etc.) across multiple cloud accounts and regions through a single pane of glass. Having visibility and an understanding of your environment enables you to implement more granular and contextual policies, investigate incidents, and reduce risk.
While Microsoft’s cloud native security products, such as Azure Security Center, work well within Azure, monitoring at scale or across clouds requires third-party visibility from platforms such as RedLock from Palo Alto Networks.
2. Privileges for Active Directory global admin accounts
Your Azure Active Directory user accounts with admin privilege have the ability to do the most harm when unauthorized parties acquire access to them. Administrators often forget to limit the scope of what Azure AD users can do.
Best Practice: Not even your top admins should have access to the global admin role the vast majority of the time. Make sure you’re creating limited scope roles in RBAC and applying them to resources only when needed. AD users must be protected by multifactor authentication (MFA).
3. Privilege and scope for all users
As with #2 above, it is way too easy to allow your users to have too much privilege. Often, it’s done out of expediency or because you just want to solve that production issue at 3:00 a.m.
Best Practice: Make use of RBAC, ensuring that you limit the permissions needed by entities for a specified role and to a specific scope (subscription, resource group or individual resources). Permissions are only part of the story, however. Make sure you’re coupling RBAC with Azure Resource Manager to assign policies for controlling creation and access to resources and resource groups.
Lost or stolen credentials are a leading cause of cloud security incidents. It is not uncommon to find access credentials to public cloud environments exposed on the internet. Organizations need a way to detect account compromises.
Best Practice: Strong password policies and multifactor authentication should be enforced always. Azure provides several ways to implement MFA protection on your user accounts, but the simplest of these is to turn on Azure MFA by changing the user state.
5. Access keys
As mentioned above, lost or stolen credentials are a leading cause of security incidents. Unfortunately, admins often assign overly permissive access to Azure resources, and the keys used to manage those resources are often given overly permissive privileges. At all times, you should protect those keys from accidental or malicious leaking.
Best Practice: Storing credentials in application source code or configuration files will create the conditions for compromise. Instead, store your API keys, application credentials, password and other sensitive credentials in Azure Key Vault.
6. Broad IP ranges for security groups and unrestricted outbound traffic
Network Security Groups (NSGs) are like firewalling mechanisms that control traffic to Azure VMs and other compute resources. Unfortunately, admins often assign NSGs IP ranges that are broader than necessary. Adding to the concern, 85% of resources associated with security groups don’t restrict outbound traffic at all.
Research from Unit 42’s cloud intelligence team also found an increasing number of organizations were not following network security best practices and had misconfigurations or risky configurations. Industry best practices mandate that outbound access should be restricted to prevent accidental data loss or data exfiltration in the event of a breach.
Best Practice: Limit the IP ranges you assign to each security group in such a way that everything networks properly, but you aren’t leaving more open than you’ll need. Additionally, make sure you segment your virtual networks into subnets to control routing to VMs. Finally, ensure that you are restricting or disabling SSH and RDP access to VMs.
7. Reviewing audit logs
Organizations need visibility into user activities to reveal indicators of account compromises, insider threats and other risks. The virtualization that’s the backbone of cloud networks and the ability to use the infrastructure of a very large and experienced third-party vendor afford agility as privileged users can make changes to the environment as needed. The downside is the potential for insufficient security oversight. To avoid this risk, user activities must be tracked to identify account compromises and insider threats as well as to assure that a malicious outsider hasn’t hijacked their accounts. Fortunately, businesses can effectively monitor users when the right technologies are deployed.
Best Practice: Monitoring activity logs is key to understanding what’s going on with your Azure resources. You can use anomaly detection – such as RedLock’s ML-based UEBA, which can be used to detect unusual user activity, excessive login failures, or account hijacking attempts – all of which could be indicators of account compromise.
8. Patch VMs
It is your responsibility to ensure the latest security patches have been applied to hosts within your environment. The latest research from Unit 42 provides insight into a related problem. Traditional network vulnerability scanners are most effective for on-premises networks but miss crucial vulnerabilities when they’re used to test cloud networks.
Best Practice: Make sure hosts are frequently patched and apply any necessary hotfixes that are released by your OEM vendors. Also, ensure that new VM images are created with the latest patches and updates for that OS.
Azure recently released Azure CIS 1.1 benchmarks, so if Azure is a part of your strategy, I highly encourage you to implement the new benchmarks. RedLock supports Azure CIS 1.0, and we look forward to supporting 1.1 in the near future. If you’re interested to learn how RedLock can help your organization stay secure in the cloud, you can learn more here.
Note: While this post may seem similar to our previous AWS Security Best Practices post, it is important to note that there are significant differences in the way the various cloud platforms operate. For Azure, I highly recommend you read and understand Microsoft’s “Security best practices for Azure solutions” white paper.