With more and more companies and industries moving their applications and data to the Cloud, it has never been more important for everyone that is even slightly tied to a Cloud environment to understand Cloud Security. As with my other blog posts in this series, this is just a 100 level course, so I will not be going into depth, but there is plenty of content out there on each topic that I cover if you want more depth and I will provide you with some additional links at the end of the post.
Let’s start by talking about what I mean by Cloud Security. There are four main categories that I will be covering and they are pretty much the same in the Cloud as there were when you had your systems in a Data Center.
- Authentication & Authorization
- Security Boundaries & Endpoint Security
- Data Security
- Security Monitoring & Recommendations
Within each of these categories there are one or more features or services that fall into that category. One of the great things about Microsoft and Azure is that they absolutely put security first, which means that there is almost no way that I will be able to cover each little feature or service, but I will try and talk about as many as possible within the scope of a single blog post. Feel free to reach out to me either in the comments section or through one of my social media options (Twitter or LinkedIn) if there is something that you think that I missed.
Authentication & Authorization
The authentication portion of this category is pretty straightforward as it is built and based completely on Azure Active Directory (AAD), and the Authorization portion then extends off of it.
Azure Active Directory (AAD) is a Cloud based implementation of the old school Active Directory controllers that everyone has always had installed within their On-Prem networks. However, AAD only provides the User, Groups, and Authentication functionality of those controllers, which means that you will leverage those controllers to maintain a synchronized set of User and Groups with AAD and then tell AAD how to handle the authentication and password management portion. This means that you still can use your existing domain controllers for functionality like DNS and Group Policy if you need to, but Azure does provide a DNS service as well.
Once your Users and Groups are synchronized with AAD, you can then start to take advantage of some of the additional security features that were designed for the Cloud and can be installed as add-ons for your On-Prem directory controllers. I am specifically referring to Multi-Factor Authentication (MFA) and the ability to add Social Identity Providers, like Facebook and Google. MFA provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy to use authentication methods, such as a trusted device or some form of biometrics.
From the authorization side of the equation, AAD takes those Users and Groups that were synchronized above and leverages them to control what they can do within the confines of an Azure subscription and even when they are allowed to perform those actions. This is accomplished through three distinct features of Azure and AAD:
- Role Based Access Control (RBAC)
- Azure Policies
- Just in Time Access (JIT) which is part of Privileged Identity Management (PIM)
You can see a walk-through of both RBAC and Policies in the videos below, but Just in Time access is only available in a higher level tier of AAD which I do not have available to me. Just in Time access basically takes the idea of assigning a user a Role to perform some set of changes within Azure and says that that Role should only be available for the period of time that it takes that User to actually perform those actions. In other words, all Users should maintain the Least Privileges required to do their job, and only when necessary, and only for as long as needed, will their privileges be elevated. This feature is part of the Privileged Identity Management portion of AAD, which means that JIT is only one of the features available there; there are others that can be used as part of the Authentication and Authorization security posture as well.
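As an added illustration that is not from the original post, here is what the Least Privilege idea above looks like as a custom RBAC role definition for the Azure CLI: the role can only read, start, restart and deallocate virtual machines, not create or delete them. The role name, the chosen actions and the subscription ID are assumed placeholder values, not anything from the post.

```json
{
  "Name": "Virtual Machine Operator (example)",
  "IsCustom": true,
  "Description": "Example least-privilege role: operate existing VMs without the ability to create or delete them.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
```

Create it with `az role definition create --role-definition vm-operator.json` and then assign it with `az role assignment create` at the narrowest scope that works (a single resource group rather than the whole subscription), which keeps the standing privilege small even before JIT elevation is layered on top.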
Security Boundaries and Endpoint Security
Next on the list is probably the one security category that is most familiar to everyone because it is usually the most publicized when there is a breach of some kind. I am referring to Endpoint Security and the Security boundaries that you build around your systems, no matter whether they are internally facing or publicly facing systems. Within Azure, this typically starts by laying out a solid Virtual Network and making sure that the boundary is locked down with Network Security Groups. For more information about the basics of Networking in Azure, please take a look at my previous post on Azure Networking 101 Part 1.
Once you have your security boundary in place, keep in mind that it only locks down traffic once it is flowing within the network that you have architected; it does not put any kind of security in place to prevent issues at the initial point of entry. That is typically called Endpoint Security. Microsoft provides two out of the box services that can absolutely help in this regard: Azure Application Gateway and Azure Firewall. In addition, many customers already have preferences for different vendors that they are used to working with in their local Data Centers and in most cases, those vendors provide Cloud based virtual appliances that provide the same level of features and functionality that they had On-Prem. This gives a number of different options for providing Endpoint Security, but in this blog post, we want to focus on what is available in Azure.
What exactly is the Azure Firewall service? The official statement from the Azure documentation is the following:
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
As you can see from that statement, there are definitely some differences between the Azure Firewall and the NSG, but what are the major ones?
- Stateful Service
- Outbound SNAT and Inbound DNAT support
- Highly Available and Scalable based on demand
- All network filtering rules can be applied across multiple subscriptions and virtual networks
- Allow-listing capabilities for outbound HTTP/S traffic based on FQDN
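To make the last two bullets concrete, here is an added example (not from the original post, and not a complete firewall deployment) of an Azure Firewall application rule collection written as an ARM resource fragment. It allows only HTTPS from one subnet to two specific FQDNs; Azure Firewall denies anything that no rule allows, so this is an outbound allow-list rather than a block-list. The firewall name, subnet range and FQDNs are constructed placeholder values.

```json
{
  "type": "Microsoft.Network/azureFirewalls",
  "apiVersion": "2019-04-01",
  "name": "hub-firewall-example",
  "location": "[resourceGroup().location]",
  "properties": {
    "applicationRuleCollections": [
      {
        "name": "outbound-https-allowlist",
        "properties": {
          "priority": 100,
          "action": { "type": "Allow" },
          "rules": [
            {
              "name": "allow-package-mirrors",
              "description": "Example: workload subnet may reach only these FQDNs over HTTPS; everything else is dropped by the firewall's default deny.",
              "sourceAddresses": [ "10.10.1.0/24" ],
              "protocols": [
                { "protocolType": "Https", "port": 443 }
              ],
              "targetFqdns": [
                "packages.example.com",
                "mirror.example.org"
              ]
            }
          ]
        }
      }
    ]
  }
}
```

Because the same rule collection is evaluated for every virtual network routed through the firewall, one allow-list like this governs egress for all of them, which is the cross-network consistency the bullet list above is describing.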
Let’s take a look now at what the service looks like within the Azure Portal.
Azure Application Gateway
Where Azure Firewall provides endpoint security across multiple virtual networks and therefore multiple applications or systems, what about providing endpoint security for individual applications? That is where the Azure Application Gateway comes in. This service is considered a Web Application Firewall, but it is first of all an application (layer 7) load balancer: it provides Application Load Balancing along with the ability to define routing based on additional attributes of an HTTP request such as URI path or host headers.
From a pure security perspective however, the most important feature of the Azure Application Gateway is the Web Application Firewall (WAF), which provides centralized protection of the application from some of the most common exploits and vulnerabilities. Specifically, the WAF is based on rule sets that traffic must pass before being allowed through; these rule sets are the Open Web Application Security Project (OWASP) Core Rule Set versions 3.0 and 2.2.9, and you have complete control to turn individual rules within the rule set on or off. With that as a background, let’s take a look at a walk-through of the Azure Application Gateway.
Data Security
Of all the different security categories that are being discussed in this blog post, Data Security is definitely the one that keeps CISOs up at night. Here’s the thing: you can penetrate a security boundary and you can even get a user’s password, but if you can’t unlock the data that sits behind that security boundary or that the user has privileges to, then the hacker is still going to fail, and ultimately that is what the CISO is trying to make sure always happens.
Microsoft has made it very easy to feel secure about your data’s security when it sits inside of one of their services within Azure. All data at rest and in transit is encrypted by default. You actually have to explicitly configure your services to turn off encryption rather than the other way around. This is a great start, but that encryption is being managed by Microsoft, and not all customers in all industries are comfortable with that. That is where Azure Key Vault comes into play. Azure Key Vault is where a customer can bring their own keys or certificates and have complete control over how the encryption is being managed, thereby increasing their security posture. Not all data services within Azure provide integration with Azure Key Vault, but most of them do, such as Azure Disks, Storage Accounts, and Azure SQL. To get an understanding of what Key Vault provides, please take a look at the video below:
Security Monitoring & Recommendations
Due to the fact that Microsoft takes security so seriously themselves, they wanted to make sure that it was just as important and visible to each of their subscribers, no matter whether they were subscribing to Azure or 365. Microsoft also wanted to make sure that it was easy for its customers to be serious about security as well. To do this, they added a service for all customers called Azure Security Center, which is a combined logging, monitoring, and recommendations tool that is directly tied to the security of your Azure subscription(s) and the resources within. The great thing about this service is that it is completely free; that’s how important Microsoft believes security is and how important it is that their customers take it seriously.
Azure Security Center is one of those services that I cannot do justice to just in words, so please take a look at the walk-through video that I have provided below. It is the culmination of what customers are looking to understand about the security posture of their Azure deployments and none of the other Cloud providers have anything even close to it and certainly not one that is free.
Security within any Commercial Cloud is important PERIOD. Because of this, the major commercial Cloud providers have made sure to make Security a number one priority with all features and services that they provide. The key for you as a customer of Azure is to understand what that exactly means and how it translates to your software and systems that are being deployed and managed within Azure. This blog post should help you get started, but please provide any feedback to let me know if I have missed anything or if I have gotten anything wrong.