Cloud Security and Azure, Part 1

In today’s fast-paced and quickly evolving cloud environment, adopting a strong security strategy is critical to ensuring your infrastructure remains protected and reliable. With more IT support units choosing strategies like DevOps, this rapid development and change can become difficult to manage without a comprehensive understanding of the security tools and configurations available.

Despite the cloud’s new capabilities, there are many standards of security that simply don’t change. Azure offers several security services and capabilities that can underpin your infrastructure, and learning to manage and integrate them is crucial to succeeding in a cloud environment.

This three-part series outlines the security tools currently available in the increasingly popular Azure environment. With that in mind, let’s dive into what Azure offers and how you can incorporate best security practices.

Azure’s Cloud Security Offerings

As with any major cloud provider, Azure offers many tools to facilitate security best practices and secure your infrastructure. Of course, technology alone cannot mitigate every threat, so you also need a robust set of operational policies and procedures.

Microsoft has generally organized Azure’s cloud security offerings into the six categories listed below. Each category encompasses a number of tools and services intended to give you visibility and control over your cloud resources.

  1. Operations: includes the Security and Audit dashboard, Azure Resource Manager, Application Insights, Azure Monitor, Azure Monitor Logs, Azure Advisor, and Azure Security Center.
  2. Applications: includes penetration testing, Application Gateway WAF, authentication and authorization in Azure App Service, a layered service architecture, and web server and application diagnostics.
  3. Storage: includes role-based access control (RBAC), shared access signature (SAS), encryption in transit, encryption at rest, storage analytics, and CORS configurations for browser-based access.
  4. Networking: includes network security groups, route control and forced tunneling, Azure Virtual Network (VNet), Traffic Manager, Azure Application Gateway, and Azure DNS.
  5. Compute: includes anti-malware and anti-virus software, a hardware security module, Azure Backup for Azure VMs, Azure Site Recovery, Azure Disk encryption for VMs, and virtual networking.
  6. Identity and access management: primarily provided by Azure Active Directory, which includes many features, such as multi-factor, role-based, token-based, and hybrid authentication.

Azure Regions and Availability Zones

Much like AWS, Azure offers the ability to segment portions of your network for both security and reliability. If a region becomes unavailable, having infrastructure homed in multiple locations ensures a higher chance of uptime and customer availability.

Within each region, there is a minimum of three separate Availability Zones to ensure redundancy. These Availability Zones are physically separated from each other. Zone-redundant services will replicate your applications and data across the Availability Zones to protect against single points of failure. As a best practice, spreading your resources and infrastructure across Azure regions gives you the maximum uptime possible.

Operations

Ensuring that a real-time overview of your entire environment is available when you need it is critical to any secure infrastructure. For this, Azure offers the Security and Audit dashboard and Azure Security Center to provide an overview of your infrastructure. Utilizing the monitoring capabilities of Azure Security Center, this dashboard provides a broad view of your organization and its security posture.

Incorporating top-level policy and compliance management allows you to craft the appropriate policies to maintain information security. When you utilize Azure’s Network map to discover and graph all of your Azure-connected systems, Azure can then assign a Secure score. This gives you the snapshot required to assess what areas need improvement or further attention.

Additionally, Azure provides recommended controls and suggestions across all of your resources, which you can apply through the dashboard. The ability to quickly identify and remediate outstanding security issues will allow you to respond to problems promptly—and, ideally, prevent future issues from occurring.

Applications

Most environments have several applications that provide customer services and internal utilities. Naturally, Azure offers tools to help maintain the security and reliability of those customer-facing services and internal applications. App Service environments (ASEs) provide an isolated runtime. When combined with network security groups within an Azure Virtual Network, that runtime allows a layered approach to securing the application to only those users and services that require it.

For Internet-facing applications, Azure WAF in the Application Gateway can mitigate some common web-based threats. However, the Azure WAF is not comprehensive. It includes and enforces the Core Rule Set from the Open Web Application Security Project (OWASP), but there are many attack vectors which it does not address. For complete security (including a next-gen WAF, DDoS protection, hostile bot mitigation, etc.), you should also include a comprehensive third-party security solution. Reblaze integrates fully with Microsoft Azure: it runs natively on autoscaling Azure VMs within a Virtual Private Cloud, it streams traffic data into Azure Security Center, and so on. Reblaze provides a turn-key, all-in-one web security solution for Azure users.

Automation and Cloud Security

To minimize risks and issues, it is highly recommended to use Azure Resource Manager (ARM) configurations to automate your infrastructure. You can run configuration commands against Azure from the command line in several ways, such as from PowerShell or from a Linux shell. By implementing automation in nearly every aspect of your organization’s infrastructure, you’ll benefit from transparency, repeatability, and ease of management.

ARM is a deployment and management layer built on top of Azure that allows you to deploy templates which configure the resources held within Azure. By using it, you can quickly spin up new resources that were configured from the ground up to be secure. ARM templates are well suited for CI/CD integration and they integrate with Azure Policy. Additionally, they allow you to export code, keep it under version control in tools such as Git, and create any Azure resources necessary. Tools such as Visual Studio Code allow you to easily author the code, which is validated before deployment to protect against mistakes.

Additionally, you can use Azure Automation, which consists of a set of shared resources that allow you to configure your environment. This service ties together a number of different tools to deploy, remove, and configure your resources. By defining templates, integrating with source control, and utilizing automation, you can create a solid foundation to build upon. This includes the ability to schedule automations that further assist with the constant monitoring and compliance needed in a changing environment.
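As an added example of the "validated before deployment" step the automation section describes (not code from the original post, Reblaze or Microsoft), the following script lints a constructed ARM template for two of the settings discussed above: encryption in transit on a storage account and network security group rules that expose management ports to any source. The resource names are hypothetical; the property names are the real ARM ones.

```python
import json

# Constructed sample ARM template (hypothetical resource names, not a real deployment).
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "examplestorage",
         "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"}},
        {"type": "Microsoft.Network/networkSecurityGroups", "name": "example-nsg",
         "properties": {"securityRules": [
             {"name": "allow-rdp-any", "properties": {
                 "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                 "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
             {"name": "allow-https", "properties": {
                 "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                 "sourceAddressPrefix": "*", "destinationPortRange": "443"}}]}},
    ],
})

MANAGEMENT_PORTS = {"22", "3389"}            # SSH and RDP
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}  # source prefixes that mean "anyone"

def lint_template(template_json: str) -> list[str]:
    """Return findings for a template; an empty list means it passed the checks."""
    findings = []
    for res in json.loads(template_json).get("resources", []):
        rtype, name = res.get("type", ""), res.get("name", "?")
        props = res.get("properties", {})
        if rtype == "Microsoft.Storage/storageAccounts":
            # Encryption in transit: HTTPS-only and an explicit TLS 1.2 floor.
            if not props.get("supportsHttpsTrafficOnly", False):
                findings.append(f"{name}: supportsHttpsTrafficOnly is not true")
            if props.get("minimumTlsVersion") != "TLS1_2":
                findings.append(f"{name}: minimumTlsVersion should be TLS1_2")
        elif rtype == "Microsoft.Network/networkSecurityGroups":
            for rule in props.get("securityRules", []):
                rp = rule.get("properties", {})
                # An inbound Allow from any source to a management port is a finding.
                if (rp.get("direction") == "Inbound" and rp.get("access") == "Allow"
                        and rp.get("sourceAddressPrefix") in ANY_SOURCE
                        and rp.get("destinationPortRange") in MANAGEMENT_PORTS):
                    findings.append(f"{name}/{rule['name']}: port "
                                    f"{rp['destinationPortRange']} open to any source")
    return findings

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print("FAIL:", finding)
```

Run it as a pipeline step that fails the build when the list is non-empty; the sample template produces three findings (HTTPS, TLS floor, and the RDP rule), while the HTTPS rule on port 443 passes.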

Conclusion

It can be challenging to maintain a secure infrastructure, especially with the multitude of technologies and abilities available in cloud environments. Because so many organizations want to move to a hybrid or all-cloud infrastructure, learning to properly secure these environments will be critical for future growth.

In part two of this series, we will explore the compute, storage, and networking services that form the backbone of most cloud infrastructures. In the third post, we will touch on securing web applications within Azure, as well as operational management to maintain a secure infrastructure.
