Azure Security Best Practices

11/1/2022

0 Comments

This post summarizes some collected best practice resources relating to Microsoft Azure Security.

Microsoft Azure Security Best Practices Document

From: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/security-top-10

For a video presentation, see best practices for Azure security

1. People: Educate teams about the cloud security journey

How security roles and responsibilities are evolving in the security organization.
Evolution of threat environment, roles, and digital strategies.
Transformation of security, strategies, tools, and threats.
Learnings from Microsoft's experience in securing hyperscale cloud environment.

2. People: Educate teams on cloud security technology

Azure security
Azure compliance
- Regulatory compliance
Identity protocols and security
- Azure security documentation site
- Azure Active Directory (Azure AD) authentication YouTube series
- Securing Azure environments with Azure AD

3. Process: Assign accountability for cloud security decisions

Decision	Description	Typical team
Network security	Configure and maintain Azure Firewall, network virtual appliances and associated routing, Web Application Firewalls (WAFs), NSGs, ASGs, and so on.	Infrastructure and endpoint security team focused on network security
Network management	Manage enterprise-wide virtual network and subnet allocation.	Existing network operations team in central IT operations
Server endpoint security	Monitor and remediate server security, including patching, configuration, endpoint security, and so on.	Central IT operations and infrastructure and endpoint security teams jointly
Incident monitoring and response	Investigate and remediate security incidents in SIEM or source console, including Microsoft Defender for Cloud, Azure AD identity protection, and so on.	Security operations team
Policy management	Set direction for use of Azure role-based access control (Azure RBAC), Defender for Cloud, administrator protection strategy, and Azure Policy to govern Azure resources.	Policy and standards and security architecture teams jointly
Identity security and standards	Set direction for Azure AD directories, PIM/pam usage, multi-factor authentication, password/synchronization configuration, application identity standards.	Identity and key management, policy and standards, and security architecture teams jointly

4. Process: Update incident response processes for cloud

Incident response reference guide
Guidance on building your own security incident response process
Azure logging and alerting
Microsoft security best practices
- Transformation of security, strategies, tools, and threats
- Security operations
Microsoft learnings from Cyber Defense Operations Center (CDOC)

5. Process: Establish security posture management
6. Technology: Require passwordless or multifactor authentication

Passwordless Windows Hello
Passwordless authenticator app
Azure AD multi-factor authentication
Third-party multifactor authentication solution

7. Technology: Integrate native firewall and network security

8. Technology: Integrate native threat detection

9. Architecture: Standardize on a single directory and identity

10. Architecture: Use identity-based access control instead of keys

11. Architecture: Establish a single unified security strategy

Azure Security Technologies

EMS - Licensing Details - E3 vs E5

Enterprise Mobility and Security = EMS

If you do not wish to make the step to Microsoft 365 E5 but want the security capabilities, then there is a security addon (‘Microsoft 365 E5 Security’ addon) that you can purchase on top of Microsoft 365 E3 that comes with the E5 security features across Office 365, EMS and Windows 10.

Another feature comparing between EMS E3 vs E5

The Complete Office 365 and Microsoft 365 Licensing Comparison

Technologies

Threat Protection

Exchange Online Protection
Office 365 Advanced Threat Protection (Protection for email, Office clients, Sharepoint Online, OneDrive for Business, Microsoft Teams)
Office 365 Threat Intelligence (from user accounts, Attacks, Phishing, Enterprise security, System updates, Denial of service, Spam, User log-ins, Malware, Device Log-ins, Data Encryption, Unauthorized data access, MFA)

Information Protection

Data Loss Prevention
Office Message Encryption

Security Management

Security & Compliance Center
Microsoft Cloud App Security
Secure Score

Compliance Solutions

Advanced Data Governance (enables customers to achieve organizational compliance by intelligently leveraging machine assisted insights to find, import, classify, set policy and take actions on the data that is most important to them)
Advanced eDiscovery
Compliance Manager - GDPR-Compliance Manager Tool
Customer Lockbox
Secure Assurance

Other Security Tools

CASB
SIEM
MDR

Azure Security Features:

Office Malicious Content Detection

Shared Responsibility model for cloud security

1 AWS - Shared Responsibility Model

2 Azure: - Shared Responsibilities for Cloud Computing

3 CIS: Shared Responsibility for Cloud Security: What You Need to Know

Sources:
1. Microsoft Azure, https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
2. Amazon Web Services, https://aws.amazon.com/compliance/shared-responsibility-model/

Azure Security Reference Model

1 Reference Design - Azure Administration Model

2 Best practices and tips to secure your hybrid cloud environment

2 Best practices - Identity & Access Management

Centralize Identity management. Designate a single Azure AD directory as the authoritative source.
Enforce SSO and Multi Factor Authentication.
Leverage Azure RBAC with Privileged Identity Management.
Actively monitor for suspicious activities using AAD anomaly reports.
Use Azure AD for storage authentication.

3 Best Practice - for Azure Storage

Advanced Threat Protection for Azure Storage
Alerts on anomalous access & potential data exfiltration

Investigation & remediation guidance

Alerts in Azure Security Centor

Note: Advanced Threat Protection for Storage Alerts

4 Best practices — Apps and Data security
Leverage Key Vault to store cryptographic keys and secrets. Control access through RBAC
Manage Azure Key Vault access at Management plane and Data plane
Encrypt data and rest and dbta in transit. Use client-side encryption for high value data
Leverage Advance Data Security (ADS) for Azure SQL
Leverage Azure Security Center to identify assets that do not have encryption at rest enabled

5 Best practices — Network Security
Adopt a Zero Trust approach
Control routing behavior and avoid implications of default routes
Disable RDP/SSH Access to virtual machines over internet
Choose whether to use Native Azure Controls or 3rd party Network Virtual Appliances (NVAs) for
internet edge security (North-South)
Simplify NSG rule management by defining application security groups (ASGs)

6 Protect Linux and Windows Servers from Threats

Best practices:

Reduce open network ports
- Use Just-in-Time VM to control access to commonly attacked management ports
- Limit open ports with adaptive network hardening
Block malware with adaptive application controls
Protect Windows servers and clients with the integration of Microsoft Defender ATP and Linux servers

7 Protect your workloads from Threats - Use industry's most extensive threat intelligence to gain deep insights

Best Practices:

Detect & block advanced malware and threats for Linux and Windows Servers on any cloud
Protect cloud-native services from threats
Protect data services against malicious attacks
Protect your Azure IOT solutions with near real time monitoring
Service layer detections: Azure network layer and Azure management layer (ARM)