Azure security: Tips, tricks, best practices and things you should be thinking about
The cloud is an amazing place and is by no means getting smaller.
The key players—Azure, AWS, and Google Cloud—are making big strides very quickly to bring new and exciting things to customers the world over. Then there are the not-so-big players, trying to keep up with the major cloud providers all the while finding some way to remain innovative. All in all, it’s a very interesting time to work in IT.
With all of these players and all of this technology, we the consumer must spend time considering what security might look like today, and what we want it to look like in the next few months.
This post will focus on Azure security as it exists at the time of writing and what some of the best practices are. I’ll also call out some tips, tricks, and things I’ve noticed in working with Azure.
Please Note: This is by no means an exhaustive list of all things security and some of the features and things discussed may be in preview. They are included for exposure and to get you thinking about what might be coming and how you can leverage it in your Azure environment.
Azure Security Center
Microsoft has done a lot of work in the security space to help make all of its products more secure, but one of the favorite security features I’ve seen recently (since its preview release over the past year or so) is Security Center.
This service is baked into the Azure platform—the basic tier of the service is free and begins collecting data about your Azure environment as soon as you start it up (all Azure subscriptions can collect information in the free tier).
The power of Security Center in my mind comes from two areas: the Security Advisor, which will provide recommendations for correcting things found in your Azure environment; and an upgrade to the standard tier of Security Center, which allows you to configure agents on any virtual machines you have running, both in Azure and elsewhere, and collect data about the security posture of your environment as a whole.
When you access Recommendations from Security Center, a list based on mitigation priority will be displayed to help you understand what’s needed and in many cases offer a fix at the click of a button.
Pricing for the standard tier:
Virtual Machines: $14.60/Server/Month (includes 500Mb data collection)*
App Services: $14.60/App Service/Month*
*Preview pricing for these resources; subject to change when the service goes GA.
There are additional charges for data storage over the included 500Mb daily limits as well, and more info can be found on the Azure Security Center Pricing page.
Enforcing Multi-Factor Authentication for Administrator Accounts
This is more a policy or practice than a feature of Azure—sure it supports the use of Multi-Factor Authentication, but there may be users who have read-only privileges to a subset of resources that may not require MFA to be enabled all the time.
For any admin accounts, requiring MFA is definitely a security practice worth implementing. Consider for a moment the following:
You are the administrator at AwesomeStuff, a company that makes awesome stuff and uses Azure for the majority of its IT services. As the administrator you can configure settings in Office 365, create and destroy virtual machines, and use pretty much any service you need to (within reason and budget). While you’re on vacation with your family, your administrator account for Azure has been used to log in and create three or four huge virtual machines, and costs are spiraling out of control.
When you return to the office you see these new machines and their costs. Asking around, no one knows what they are used for, and everyone assumes that since they were created using your account, they must be needed for something. Further investigation into the logs shows that when these machines were created, the sign-in came from an IP address that traced back to a European country: not your office in the US, not your home office, and not anywhere near the lake house you rented for vacation.
Without enabling MFA on your admin accounts, they can be used from anywhere. In the event that they are compromised, the person who has gained access to your account is able to create resources for any purpose they choose, and even steal both money and intellectual property from your organization.
Had MFA been enabled on the account in the above example, the owner of the account would have been prompted to respond when the login occurred. Since you were on vacation (and definitely not creating virtual machines or other resources in Azure), you could have immediately recognized the login as suspicious, denied the second-factor prompt, and taken five minutes to change your password. This simple configuration might have prevented the account compromise.
You can find more information on Azure MFA here.
Security in Azure Storage
We’ve looked at general and login security, but what about data storage? You need somewhere to keep the data you’ll be working with, and that data might be the next big thing, so security isn’t something that only applies to processing resources.
Shared Access Signatures help keep information safe and accessible, without having to use the Administrative credentials. Using Shared Access Signatures, it’s possible to control access to data stored in Azure storage accounts, and easily ensure access expires when it’s no longer needed.
Here’s another example. I’m an admin storing documents in Azure Storage, and I need to share a document with a vendor, but only for a limited period of time. Using a Shared Access Signature allows delegation of access to the data with expiration built in. When I create an access signature, a URL is created and can be shared with whoever needs access. Each storage type—blob, table, and files—is configured for the shared access signature independently, but more than one type can be assigned to each URL.
With this configuration, I can create an access endpoint that allows me to share both blob and files for as much time as necessary, allowing a few days for the data to be collected. Then, the URL expires and the data becomes inaccessible.
While this may not seem like a security feature, it can certainly help keep your stored data both secure and available to others when needed. In addition, there is no requirement for a third party service to share files, so any data storage and sharing is only being done within your Azure environment.
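Because every grant lives in the URL's query string, a SAS URL that leaks or that was issued with a long expiry and broad permissions is the thing to watch for. The following is an added example (not code from the original post or from Microsoft) that parses the documented account-SAS query keys (sv, ss, srt, sp, st, se, sip, spr, sig) and reports the grants a defender would want flagged: past or distant expiry, write/delete rights, plain HTTP allowed, and no IP restriction. The storage account name, timestamps, and the sig value are constructed placeholders.

```python
"""Audit an Azure Storage account SAS URL for risky grants (constructed example)."""
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Single-letter codes used in the documented account SAS query parameters.
SERVICES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "a": "add", "c": "create", "u": "update", "p": "process"}
MUTATING = set("wdacup")  # anything beyond read/list can alter or remove data


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of a URL as a flat dict (first value of each key)."""
    query = parse_qs(urlparse(url).query)
    return {key: values[0] for key, values in query.items()}


def _utc(stamp: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps Azure uses in the st/se parameters."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def audit_sas(url: str, now_iso: str, max_days: int = 7) -> list:
    """Return findings for the SAS in `url`, evaluated at time `now_iso`; empty means acceptable."""
    params = parse_sas(url)
    if "sig" not in params or "se" not in params:
        return ["not a SAS URL: missing signature (sig) or expiry (se)"]
    now, expiry = _utc(now_iso), _utc(params["se"])
    findings = []
    if expiry <= now:
        findings.append("expired")
    elif expiry - now > timedelta(days=max_days):
        findings.append(f"expiry more than {max_days} days out")
    granted = set(params.get("sp", "")) & MUTATING
    if granted:
        names = sorted(PERMISSIONS[c] for c in granted)
        findings.append("grants mutating permissions: " + ", ".join(names))
    if params.get("spr", "https") != "https":
        findings.append("allows plain HTTP")
    if "sip" not in params:
        findings.append("no IP restriction")
    return findings


# Constructed sample: blob + file services, read/write/delete, a month-long window, no IP limit.
BROAD_SAS = ("https://examplestorage.blob.core.windows.net/?sv=2022-11-02&ss=bf&srt=o"
             "&sp=rwd&st=2024-02-01T00:00:00Z&se=2024-03-01T00:00:00Z"
             "&spr=https,http&sig=PLACEHOLDER_SIGNATURE")
# Constructed sample: read-only, two-day window, HTTPS only, pinned to one vendor address.
TIGHT_SAS = ("https://examplestorage.blob.core.windows.net/?sv=2022-11-02&ss=bf&srt=o"
             "&sp=r&st=2024-02-10T00:00:00Z&se=2024-02-12T00:00:00Z"
             "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER_SIGNATURE")
```

Run `audit_sas(BROAD_SAS, "2024-02-10T00:00:00Z")` to see the four findings for the broad token, and the same call on TIGHT_SAS returns an empty list.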
You can learn more about Shared Access Signatures for Azure Storage here.
Keep your environment and data safe in the cloud
Cloud security, like all of the other resources available in Azure, should be treated as a first-class citizen. Taking your environment, and possibly your customers, for granted is not something that’s easy to bounce back from. Using the available resources in Azure and the Microsoft documentation will help you better understand how to keep things safe in the fast-paced, constantly evolving world of the cloud.
The Azure cloud is not a “set it and forget it” environment, and the care and feeding needed are different in some ways from the practices used on-premises. Many of these will translate well, but you will need to continually review the services, features, and use cases for many of the resources you leverage in Azure.
The product team behind Microsoft Azure is moving just as fast (or faster) as their customer organizations in some areas, so the way security works today may not be the way security works tomorrow.
Derek Schauland is a 10-time Microsoft MVP and works on a daily basis with Azure and Google Cloud Platform technologies for an insurance provider in the Midwest. In addition to his day job, Derek has been writing technical articles and books for the last 15 years, and has been in many roles within the technology industry. When he’s not working with technology, Derek enjoys learning and spending time with friends and family—including his wife and two dachshunds.