Have you thought about the security best practices to use when you’re designing, deploying, and managing your cloud solutions by using Microsoft Azure? There are number of solutions in Azure, for each solution best practice, we should think about:
- What the best practice is?
- Why you want to enable it?
- What might be the result if you don’t enable it?
- How you can learn to enable it?
- Where to find detailed information?
My goal is to help you describe with the attached document for each best practice. These best practices come from our experience with Azure security and the experiences from customers, and partners like you. This attached white paper is intended to be a resource for IT pros. This might include designers, architects, developers, and testers who build and deploy secure Azure solutions.
Download the Document from here – Azure Security Best Practices
Top security best practices to do now
We understand that you’re busy and may not be able to immediately read the entire document. To help you get started fast, here are the top security best practices you can do now to secure your Azure solution:
- Upgrade your Azure subscription to Azure Security Center Standard. Security Center’s Standard tier helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack.
- Store your keys and secrets in Azure Key Vault (and not in your source code). Key Vault is designed to support any type of secret: passwords, database credentials, API keys and, certificates.
- Install a web application firewall. Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.
- Enforce multi-factor verification for users, especially your administrator accounts. Azure Multi-Factor Authentication (Azure MFA) helps administrators protect their organizations and users with additional authentication methods.
- Encrypt your virtual hard disk files to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets.
- Connect Azure virtual machines and appliances to other networked devices by placing them on Azure virtual networks. Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, different virtual networks, the internet, or your own on-premises networks.
- Mitigate and protect against DDoS. Distributed denial of service (DDoS) is a type of attack that tries to exhaust application resources. Azure has two DDoS service offerings that help protect your network from attacks. DDoS Protection Basic is automatically enabled as part of the Azure platform. DDoS Protection Standard provides additional mitigation capabilities— beyond those of the Basic service tier—that are tuned specifically to Azure Virtual Network resources.
Strong operational security practices to implement every day are:
- Manage your VM updates. Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn’t push Windows updates to them. Ensure you have solid processes in place for important operations such as patch management and backup.
- Enable password management and use appropriate security policies to prevent abuse.
Review your Security Center dashboard regularly to get a central view of the security state of all of your Azure resources and take action on the recommendations.
Optimize identity and access management
Things you can do to optimize identity and access management include:
- Treat identity as the primary security perimeter
- Centralize identity management
- Enable single sign-on
- Turn on conditional access
- Enable password management
- Enforce multi-factor verification for users
- Use role-based access control
- Lower exposure of privileged accounts
Control locations where resources are located
Treat identity as the primary security perimeter
Many consider identity to be the primary perimeter for security. This is a shift from the traditional focus on network security. Network perimeters keep getting more porous, and that perimeter defense can’t be as effective as it was before the explosion of BYOD
devices and cloud applications.
Azure Active Directory (Azure AD) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution.
The following sections list best practices for identity and access security using Azure AD.
Centralize identity management
In a hybrid identity scenario, we recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where an account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources.