Data breaches are becoming a regular headline on the evening news, and no CISO wants to see their company added to that growing list. Many organizations still labor under the mistaken idea that their internal data centers are more secure than those of the major public cloud providers; Gartner ranked this as Myth #6 in its 2014 list of cloud myths. In practice, it is very difficult for a company to match, within its own data center, the level of security the major cloud providers maintain.
Microsoft has made security a primary focus of the Azure cloud, and the platform is growing rapidly in part because of that dedication. Amazon Web Services is still the largest cloud platform, but Microsoft is narrowing the gap each quarter, and for companies with an Azure Enterprise Agreement (Azure EA) there are many benefits to adopting Azure. Microsoft also realized several years ago that customers were not going to close their data centers and move everything into Azure, so they created Azure Stack to bridge the gap and were among the first to offer a hybrid cloud solution (AWS has since announced Outposts as its hybrid offering).
The idea that security within a cloud is a shared responsibility is a well-known axiom, with responsibility shifting from the customer to the provider as a company moves from IaaS to PaaS and then SaaS. Pizza is a common metaphor for this shared responsibility: IaaS would be a “take-and-bake” option, PaaS would be calling a pizza delivery company and SaaS would be going out to a pizza restaurant. In this metaphor, the on-premises data center equates to harvesting your own wheat and growing your own tomatoes before eventually making the pizza; it can be done, but it is more expensive and time-consuming. The point is that as a company shifts from producing services to consuming them, it takes on less responsibility for securing those services, which in turn requires more trust in the cloud provider.
Microsoft Azure has many tools and options concentrated on security, and in this article we will look at five steps customers can take to further increase their cloud security. Customers who have selected Microsoft Azure as their cloud platform can also utilize enhanced security options for their cloud adoption process. Some of these are only available to customers with an Azure EA, and having an Office 365 subscription with Azure Active Directory (Azure AD) will factor into some other options.
Step #1: Know Your Azure Secure Score
Microsoft created the Azure Security Center to be the central hub for all Azure security data and for integration with other security data. Customers should learn to use it and incorporate it into their normal security operations. The Security Center has offered recommendations for several years, but recently Microsoft began to weight those recommendations to give customers a clearer idea of their impact. The more points a recommendation carries, the more important Microsoft considers it. Note that we wrote “Microsoft considers”: the weight reflects Microsoft’s view of an item’s impact, and each item should still be evaluated against the company’s own environment and risk rather than adopted on the point score alone.
The secure score is a ratio of the points a company has achieved to the points it could achieve. The more resources a company uses in Azure (IaaS, PaaS, etc.), the higher its potential score, which also means the percentage can fall when new resources are deployed with unaddressed recommendations even though nothing existing got worse. Some items carry a higher weight; e.g., adding multi-factor authentication to elevated accounts is worth 50 points, while adding a second owner account to a subscription is worth only five points.
A point score is not the same thing as being secure, but it can give managers a better idea of where they stand currently, versus where they could be if a few more items were adopted.
Step #2: Use Azure Native Tools
Microsoft has gone to great lengths to provide tools to their customers to make their cloud environment more secure, and many of those tools are included for free with an Azure subscription. Adopting these will increase a customer’s security profile, and although some come with an added fee, this is often justifiable considering the impact of a breach.
Azure Security Center, the first of these tools, is included by default in each subscription. Customers can use the scoring, as mentioned above, but the Security Center also offers the ability to apply policy and compliance standards to a subscription. Several policies are “on” by default, but a customer can also create new policies that comply with their business requirements, some of which could address GDPR, NIST or FedRAMP certification items.
The Security Center can also raise Azure Monitor alerts for issues that arise, and these can do more than email or text an administrator. Through an action group, an alert can trigger a runbook in Azure Automation that issues Azure PowerShell commands to address the issue immediately. This type of automated response takes planning and careful thought (a runbook that acts on the wrong resource, or fires twice on one alert, can do damage of its own), but common security issues could be contained almost instantaneously with the right mix of alerts and automated responses.

The Security Center also offers just-in-time (JIT) VM access for administrators connecting to IaaS VMs: management ports such as RDP and SSH stay closed in the NSG until an approved, time-limited request opens them to a specific source address. This requires the paid (Standard) tier of Azure Security Center. The paid tier also enables adaptive application controls, which let a customer define an allow list of the applications permitted to run on a machine, so that an unapproved executable dropped by malware is flagged rather than silently tolerated. It also permits File Integrity Monitoring, which tracks changes to files and registry keys on Windows or Linux VMs. If a customer uses multiple subscriptions, they can create a custom Log Analytics workspace and configure every subscription to send its security log information there, giving the customer a “single pane of glass” for security issues across the environment.
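As an added example (our code, not Microsoft’s and not part of the original article), this Python handler illustrates the “planning and careful thought” needed before an alert is allowed to start a runbook. It receives an Azure Monitor alert payload in the common alert schema and refuses to act unless the alert is Fired (not Resolved), has not been seen before, matches a known playbook, meets that playbook’s severity threshold, and targets only resources inside an allowed scope. The PLAYBOOKS table, the runbook names and ALLOWED_SCOPES are hypothetical; the payload is constructed, and the field names assume the common alert schema layout (“data.essentials”).

```python
import json
from typing import Dict, Optional, Set

# Hypothetical playbook table: which runbook to start for which alert rule, and
# the least-severe alert level ("Sev0" is most severe) allowed to start it.
PLAYBOOKS = {
    "NSG rule opened to Internet": {"runbook": "Revert-NsgRule", "min_severity": "Sev2"},
    "Suspicious RDP logon":        {"runbook": "Isolate-Vm",     "min_severity": "Sev1"},
}

# Hypothetical scope: automation may only touch resources under these prefixes
# (compared case-insensitively, since Azure resource IDs vary in case).
ALLOWED_SCOPES = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/prod-rg/",)


def make_alert(**overrides) -> str:
    """Build a constructed payload in the common alert schema shape
    (schemaId "azureMonitorCommonAlertSchema"); overrides replace essentials fields."""
    essentials = {
        "alertId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
                   "Microsoft.AlertsManagement/alerts/abc123",
        "alertRule": "NSG rule opened to Internet",
        "severity": "Sev1",
        "signalType": "Activity Log",
        "monitorCondition": "Fired",
        "monitoringService": "Activity Log - Administrative",
        "alertTargetIDs": [
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/"
            "providers/Microsoft.Network/networkSecurityGroups/web-nsg"
        ],
        "firedDateTime": "2019-03-04T10:15:05Z",
    }
    essentials.update(overrides)
    return json.dumps({
        "schemaId": "azureMonitorCommonAlertSchema",
        "data": {
            "essentials": essentials,
            "alertContext": {
                "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write"
            },
        },
    })


SAMPLE_ALERT = make_alert()


def severity_rank(sev: str) -> int:
    """Sev0..Sev4 -> 0..4; anything unparseable is treated as least severe."""
    try:
        return int(sev.replace("Sev", ""))
    except ValueError:
        return 4


def choose_response(payload: str, seen_alert_ids: Set[str]) -> Dict[str, Optional[str]]:
    """Decide whether an alert may start a runbook.

    Returns {"action": <runbook>, "target": <resource id>, "reason": "ok"} when every
    guard passes, otherwise {"action": None, "reason": <why not>}. seen_alert_ids is
    the caller's dedup store (a set here; a durable table in practice)."""
    msg = json.loads(payload)
    if msg.get("schemaId") != "azureMonitorCommonAlertSchema":
        return {"action": None, "reason": "unexpected schema"}
    ess = msg.get("data", {}).get("essentials", {})

    # Only act on the "Fired" delivery; "Resolved" notifications carry the same rule name.
    if ess.get("monitorCondition") != "Fired":
        return {"action": None, "reason": "not a fired alert"}

    # Action groups may deliver the same alert more than once; never run twice.
    alert_id = ess.get("alertId", "")
    if not alert_id:
        return {"action": None, "reason": "missing alert id"}
    if alert_id in seen_alert_ids:
        return {"action": None, "reason": "duplicate delivery"}

    playbook = PLAYBOOKS.get(ess.get("alertRule", ""))
    if playbook is None:
        return {"action": None, "reason": "no playbook for rule"}

    if severity_rank(ess.get("severity", "Sev4")) > severity_rank(playbook["min_severity"]):
        return {"action": None, "reason": "below severity threshold"}

    # Every target must be inside the scope automation is allowed to change.
    targets = ess.get("alertTargetIDs", [])
    if not targets or not all(t.lower().startswith(ALLOWED_SCOPES) for t in targets):
        return {"action": None, "reason": "target outside automation scope"}

    seen_alert_ids.add(alert_id)
    return {"action": playbook["runbook"], "target": targets[0], "reason": "ok"}


if __name__ == "__main__":
    print(choose_response(SAMPLE_ALERT, set()))
```

In a real deployment the returned runbook name would be passed to Azure Automation (for example from a webhook-triggered Logic App or a small Azure Function), and the dedup store would live outside the process so a restart cannot re-run a playbook.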
Azure Security Center also integrates third-party tools, such as Trend Micro Deep Security, Check Point CloudGuard and many others. Azure Security Center has a variety of other tools, and any company adopting Azure as its cloud should learn how to use them and decide which options best fit its environment. There are also built-in role-based access control (RBAC) roles for security administration (Security Admin and Security Reader) that can be assigned to a security officer, allowing them to view and manage the Security Center without having permissions to other areas.
Azure Monitor is the central hub that collects notifications, activity, utilization and diagnostic data for resources within Azure. Data collected by Azure Monitor is typically streamed to an Azure Event Hub, from which it can be forwarded to a customer’s SIEM tool. Splunk, ArcSight and QRadar have connectors to ease moving the data into a central SIEM, and Azure Logic Apps can be configured to send the data to other tools, for example reformatted into the Common Event Format (CEF) for ingestion. There is also a query tool for analyzing the collected data; its language (the Kusto Query Language, KQL, used by Log Analytics) will feel somewhat familiar to T-SQL users but is not T-SQL, so it may take a little training to use effectively. Azure Monitor integrates with Application Insights, container monitoring and VM monitoring, and it allows a customer to route all Diagnostic Settings to storage accounts, Log Analytics or Event Hubs (which can then pass the data to a SIEM tool).
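As an added example (not code from the original article or from Microsoft), the following Python script shows the normalization step a Logic App or a small forwarder performs between the Event Hub and a SIEM: it takes an Activity Log message in the “records” envelope Azure Monitor streams to Event Hubs, maps each record to a CEF line with proper header and extension escaping, and raises the severity of operations a security team wants to see first (NSG rule and role-assignment writes). The sample message is constructed, the field names follow the Activity Log export schema as we understand it, the vendor/product/version strings and the level-to-severity mapping are our own choices, and HIGH_RISK_OPERATIONS is a hypothetical starting point.

```python
import json
from typing import Dict, List

# Constructed sample: the "records" envelope Azure Monitor uses when streaming the
# Activity Log to an Event Hub. Field names follow the Activity Log export schema
# as we understand it; all values are made up.
SAMPLE_EVENT_HUB_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2019-03-04T10:15:00.000Z",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD-RG/"
                          "PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG/SECURITYRULES/ALLOW-RDP",
            "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE",
            "category": "Administrative",
            "resultType": "Success",
            "callerIpAddress": "203.0.113.7",
            "level": "Information",
            "identity": {"claims": {"name": "alice@example.com"}},
        },
        {
            "time": "2019-03-04T10:16:30.000Z",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/"
                          "PROVIDERS/MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/1234",
            "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
            "category": "Administrative",
            "resultType": "Failure",
            "callerIpAddress": "198.51.100.9",
            "level": "Error",
            "identity": {"claims": {"name": "bob@example.com"}},
        },
    ]
})

# Hypothetical list of operations that deserve a high CEF severity regardless of
# the Azure "level": changes to network exposure and to who holds which role.
HIGH_RISK_OPERATIONS = {
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE",
}
HIGH_RISK_FLOOR = 7

# Our own mapping of Activity Log levels onto the CEF 0..10 severity scale.
LEVEL_TO_CEF_SEVERITY = {"Informational": 3, "Information": 3, "Warning": 6, "Error": 8, "Critical": 10}


def cef_header_escape(value: str) -> str:
    """CEF header fields may not contain an unescaped '|' or backslash."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_extension_escape(value: str) -> str:
    """CEF extension values escape backslash, '=' and line breaks (backslash first)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def severity_for(record: Dict) -> int:
    """CEF severity from the record level, floored for high-risk operations."""
    base = LEVEL_TO_CEF_SEVERITY.get(record.get("level", ""), 3)
    if record.get("operationName", "").upper() in HIGH_RISK_OPERATIONS:
        base = max(base, HIGH_RISK_FLOOR)
    return base


def record_to_cef(record: Dict) -> str:
    """One Activity Log record -> one CEF:0 line (vendor/product/version are our labels)."""
    operation = record.get("operationName", "UNKNOWN")
    name = f"{record.get('category', '')} {record.get('resultType', '')}".strip()
    header = "|".join([
        "CEF:0", "Microsoft", "Azure Activity Log", "1.0",
        cef_header_escape(operation), cef_header_escape(name), str(severity_for(record)),
    ])
    claims = record.get("identity", {}).get("claims", {})
    extension_fields = [
        ("rt", record.get("time", "")),
        ("src", record.get("callerIpAddress", "")),
        ("suser", claims.get("name", "")),
        ("outcome", record.get("resultType", "")),
        ("cs1Label", "resourceId"),
        ("cs1", record.get("resourceId", "")),
    ]
    extension = " ".join(f"{k}={cef_extension_escape(v)}" for k, v in extension_fields if v != "")
    return f"{header}|{extension}"


def event_hub_message_to_cef(message: str) -> List[str]:
    """Convert one Event Hub message (the 'records' envelope) into CEF lines."""
    return [record_to_cef(r) for r in json.loads(message).get("records", [])]


if __name__ == "__main__":
    for line in event_hub_message_to_cef(SAMPLE_EVENT_HUB_MESSAGE):
        print(line)
```

The escaping order matters: backslashes are doubled before the pipe or equals sign is escaped, otherwise a value containing a literal backslash followed by one of those characters would be mangled on the SIEM side.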
Network Watcher is now part of Azure Monitor and serves both network engineers and security officers. Network Watcher has several tools that let a network engineer troubleshoot connectivity issues, verify IP flow and analyze network security group (NSG) traffic, as well as VPN diagnostics and packet capture. For the security officer, there are additional log options, particularly NSG flow logs, which are Version 1 in most regions as Version 2 is just being rolled out at the time of writing. A Version 2 record adds a flow state (begin, continuing, end) and packet and byte counters in each direction to the timestamp, source, destination, port, protocol, direction and allow/deny fields of Version 1. NSG flow logs are written to Azure Storage, but they can also be sent to a Log Analytics workspace (f.k.a. OMS) and from there used to populate Traffic Analytics. This tool lets security officers visualize traffic to their infrastructure, including flows from known-malicious sources, and drill into details such as country of origin, the IP or port being targeted, and which NSG rule allowed or denied the flow.
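As an added example that is not part of the original article, here is a Python parser for NSG flow logs handling the Version 1 and Version 2 tuple layouts described above (v2 appends a flow state and four packet/byte counters, which are empty on “B” records). It reads one flow-log blob, flags sources whose inbound flows were denied on several distinct ports (a cheap port-scan heuristic) and sums bytes per rule where v2 counters exist. The blob is constructed; the addresses, MACs and rule names are made up, and the scan threshold is an arbitrary choice.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, List, NamedTuple, Optional


class Flow(NamedTuple):
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str                        # "T" TCP or "U" UDP
    direction: str                    # "I" inbound to the NIC, "O" outbound
    decision: str                     # "A" allowed, "D" denied
    state: Optional[str]              # v2 only: "B" begin, "C" continuing, "E" end
    bytes_src_to_dst: Optional[int]   # v2 only; empty on "B" records
    rule: str
    mac: str


# Constructed sample in the shape of an NSG flow log blob ("records" array).
# First record: Version 2 (13-field tuples). Second record: Version 1 (8-field tuples).
SAMPLE_FLOW_LOG = json.dumps({"records": [
    {"time": "2019-03-04T10:00:00.000Z", "category": "NetworkSecurityGroupFlowEvent",
     "resourceId": "/SUBSCRIPTIONS/0000/RESOURCEGROUPS/PROD-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
     "properties": {"Version": 2, "flows": [
         {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1551693600,198.51.100.23,10.0.1.4,51000,22,T,I,D,B,,,,",
             "1551693601,198.51.100.23,10.0.1.4,51001,3389,T,I,D,B,,,,",
             "1551693602,198.51.100.23,10.0.1.4,51002,445,T,I,D,B,,,,",
             "1551693603,198.51.100.23,10.0.1.4,51003,1433,T,I,D,B,,,,",
             "1551693604,198.51.100.23,10.0.1.4,51004,8080,T,I,D,B,,,,"]}]},
         {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1551693610,203.0.113.5,10.0.1.4,40000,443,T,I,A,E,12,3400,10,120000"]}]}]}},
    {"time": "2019-03-04T10:00:00.000Z", "category": "NetworkSecurityGroupFlowEvent",
     "resourceId": "/SUBSCRIPTIONS/0000/RESOURCEGROUPS/PROD-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DB-NSG",
     "properties": {"Version": 1, "flows": [
         {"rule": "UserRule_allow-sql", "flows": [{"mac": "000D3AF8AAAA", "flowTuples": [
             "1551693620,10.0.1.4,10.0.2.4,50001,1433,T,I,A"]}]}]}}]})


def parse_tuple(raw: str, version: int, rule: str, mac: str) -> Flow:
    """Split one flowTuples entry; v1 has 8 fields, v2 has 13 (counters may be empty)."""
    f = raw.split(",")
    expected = 13 if version >= 2 else 8
    if len(f) != expected:
        raise ValueError(f"Version {version} tuple should have {expected} fields, got {len(f)}: {raw}")
    state = f[8] if version >= 2 else None
    bytes_s2d = int(f[10]) if version >= 2 and f[10] else None
    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7],
                state, bytes_s2d, rule, mac)


def iter_flows(blob: str) -> Iterator[Flow]:
    """Walk records -> rules -> interfaces -> tuples, tagging each flow with its rule and MAC."""
    for rec in json.loads(blob)["records"]:
        props = rec["properties"]
        version = int(props.get("Version", 1))
        for rule_entry in props["flows"]:
            for iface in rule_entry["flows"]:
                for raw in iface["flowTuples"]:
                    yield parse_tuple(raw, version, rule_entry["rule"], iface["mac"])


def denied_inbound_scanners(flows: Iterable[Flow], min_distinct_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose inbound flows were denied on at least min_distinct_ports ports."""
    ports = defaultdict(set)
    for fl in flows:
        if fl.direction == "I" and fl.decision == "D":
            ports[fl.src_ip].add(fl.dst_port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_distinct_ports}


def bytes_by_rule(flows: Iterable[Flow]) -> Dict[str, int]:
    """Total src->dst bytes per rule; only v2 tuples with counters contribute."""
    totals = Counter()
    for fl in flows:
        if fl.bytes_src_to_dst is not None:
            totals[fl.rule] += fl.bytes_src_to_dst
    return dict(totals)


if __name__ == "__main__":
    flows = list(iter_flows(SAMPLE_FLOW_LOG))
    print("scanners:", denied_inbound_scanners(flows))
    print("bytes by rule:", bytes_by_rule(flows))
```

Denied flows are only visible if the NSG has flow logging enabled on it, and the counters used by bytes_by_rule never appear in Version 1 logs, which is why the parser keeps them optional instead of defaulting them to zero.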
There are several other tools as well, but the above items represent some of the built-in items every company should evaluate and potentially implement. These tools can also be complemented by third-party solutions that focus on specific areas. The CIS Microsoft Azure Foundations Benchmark v1.0 contains over 80 recommendations, and while many of them are addressed by the native tools, a few benefit from other vendors’ solutions.
Step #3: Understand That Identity Is the New Edge
Many companies that adopt Microsoft Azure start out with Microsoft Office 365 and Azure Active Directory. Azure AD is typically populated from an existing on-premises Active Directory using Azure AD Connect. Customers have a choice of how much of authentication moves to the cloud. They can synchronize password hashes to Azure AD (password hash synchronization), which lets Azure AD verify passwords itself and, with password writeback, lets users change their passwords through cloud services. Some customers prefer pass-through authentication or federation (for example with AD FS), which keeps password verification on-premises and does not push password hashes into the cloud (recall our statement above that the cloud is safer than the data center).
Azure AD handles traditional authentication, and through Azure AD B2C a customer’s own clients can sign in to a web application with external identities such as Facebook or Google. SSO is possible, and Azure AD has Premium editions that include integration with other services, such as Salesforce. Azure AD can also be used alongside other identity providers, such as Okta, and Microsoft has been embracing open standards and open source options under Satya Nadella’s leadership.
More and more applications are being refactored into PaaS or SaaS offerings, which indicates that the applications are lowering their reliance on traditional network security (firewalls, routes, etc.), and increasing their reliance on authentication as the new firewall. This is not unique to Microsoft. Netflix (hosted on AWS) relies on user authentication to validate access to their services, and within the Microsoft sphere, this applies to Xbox, Skype and other tools hosted within Azure.
Companies that have public facing applications can leverage these Azure AD integrated tools to increase adoption of their product by allowing users to connect using their preferred method. This could be a mobile application, a console game or a chatbot for a product about which a customer needs additional information. Azure AD allows for multiple secure access methods, and it works well with Okta and other identity companies to secure access to Azure resources.
Step #4: Realize That Cloud Adoption Is About the People
Cloud security is not all about new tools and technology; it is primarily about people and the way a company transforms its business to adapt to cloud solutions. Companies will see more success in a cloud transformation if they invest in their people. Henry Ford knew the value of engaged and well-compensated employees, and today the principle of engaging employees is vital to a successful cloud strategy.
One issue that often occurs when a company decides it is time to embrace the cloud is the initial reaction from employees, who naturally think, “But what about my job?” Employees have goals, families, debt and plans for the future, and when they think they may be eliminated by a new technology, the survival instinct engages. Companies that want to succeed in a cloud transformation should consider the human capital as much as the technological gain. If management alienates employees who have helped shape the company over years or decades, it will create challenges that could have been avoided. Some functions will need to change; if an employee’s job is to swap out failed hard drives on servers, that person could be trained to manage servers in the cloud. Some roles adapt more easily, such as database administrators, who already work in abstracted environments. In any case, management should realize that a cloud adoption does not equate to a staff reduction unless they choose to make it one.
The employee consideration applies to security directly, as most breaches, failures and other issues are attributable to human error. Some issues are purely mechanical, such as data center chillers failing, but most can be traced back to people. This is particularly applicable to IT management; leadership is an acquired skill, often obtained through trial and error, and the errors can be significant. Other management issues relate to both the hiring process for skilled talent and the retention of employees who have proven their skills (which makes them more marketable and harder to hold onto). There are also cases where a disgruntled employee purposely sabotages a company’s infrastructure. While rare, such problems can be mitigated in the cloud by combining role-based access, logging and automation that responds to changes which compromise security.
An added benefit to Azure is that for many companies there is already a certain level of understanding of how Microsoft works and delivers technology. A Windows administrator used to working on virtual machines can more easily adapt to working with those VMs in Azure. Several of the traditional on-premises tools from Microsoft can be extended to Azure as well; for example, System Center has modules available to help manage Azure in a familiar setting.
Companies of any size should evaluate their workforce prior to embarking on a cloud adoption project, and they should view that evaluation through the lens of their corporate policies and strategies. People are key to both success and failure, and each company will need to choose how it wishes to proceed with cloud adoption in relation to its staff. Azure security policies, enforced rather than merely documented, help to limit the damage from human mistakes or ill intent.
Step #5: Trust, but Verify
Logs and Analytics: learn it, live it, love it. Companies cannot have enough data, and that is particularly true of security data. Microsoft has created a robust log and analytic infrastructure around not only Azure, but the rest of their ecosystem (Office 365, SQL Server, SharePoint, etc.). Each customer will need to have a level of trust in Microsoft to secure the items they are responsible for, but logs and metrics can be used to verify the security settings.
Earlier we described some aspects of Azure Security Center and Azure Monitor (including Network Watcher), and those tools provide deep insight into a cloud environment, if a company chooses to implement them correctly. To enable Traffic Analytics, a company needs a storage account to receive the NSG flow logs and a Log Analytics workspace to hold the telemetry, and must enable Traffic Analytics on each flow log to connect the two for enhanced analysis and reporting. To enable automatic responses to security alerts, a company needs an Azure Automation account with runbooks that make the required changes when called by an alert’s action group.
Logs are not only user activity or VM event logs; logs can be collected from five different levels within Azure. The first level is application logs, which are best sent to Application Insights to discover details on hosted applications. The next level is OS logs, whether Windows Event, IIS or Linux system logs. After that come logs from Azure resources (diagnostic logs), which could be PaaS databases or storage accounts. Then come subscription-level logs, primarily the Activity Log, which require subscription-level privileges to configure. Lastly are tenant logs, which include the Azure AD sign-in and audit logs and require a Global Administrator to configure.
These logs offer a wealth of data, but the volume also complicates seeing what is truly important. If a company has also adopted Office 365 or an Azure Enterprise Agreement, there are a few additional options to help clarify the status of its cloud environment. Power BI is a tool commonly used by Microsoft customers to view data; it is available with Office 365 subscriptions (Power BI Pro is included in Office 365 E5, for example) and integrates with Office 2016 and later. Power BI has pre-configured web-based dashboards that display Azure data without requiring a user to access Azure directly, which allows security officers to monitor the environment without being granted portal access. At the time of writing there are seven pre-configured Power BI dashboards for Azure, but a company can also build its own visualizations.
Migrating to Microsoft Azure is a significant transformation for any corporation, but it can be handled in a secure, well-thought-out pattern if management allows time for analysis and reflection prior to decision making. All cloud providers enable security controls, but the “shared responsibility” idea requires that customers recognize and respect that their chosen cloud provider is not 100% responsible for their experience in the cloud. Each customer needs to take time to evaluate their exposure and risk, and to make decisions that benefit their corporation and, more importantly, their customers, ideally avoiding making the headlines on the evening news.