Cloud Security and Azure, Part 3

Web applications are public-facing and confronted with a wide variety of threats. Often they are line-of-business applications as well. How can you keep them secure, especially when they run in the cloud, which is by its nature composed of publicly available services?

In Part 1 of this series, we discussed an overview of cloud security and Microsoft Azure. Part 2 described security for cloud compute, storage, and networking resources on Azure. Now here in Part 3, we’ll talk about web applications and identity and access management, including general management tools available for Azure.

Securing Web Applications

One of the first entry points for any attack is a public-facing web application. With that in mind, what does Azure offer for protection? One of the most popular services available for hosting and managing your web applications is App Service. Offering a fully managed platform for .NET, Java, Node.js, Python, PHP, and Ruby, it allows you to quickly deploy a production-ready application.

Azure App Service also allows you to:

  • Secure your web application with HTTPS and certificates by quickly creating a certificate directly in Azure. This certificate is then secured in Azure Key Vault. Additionally, you can upload a custom SSL certificate that you’ve purchased, if you need it.
  • Enforce HTTPS (redirecting every plain-HTTP request) and set a minimum TLS version, which lets you disable outdated protocols such as TLS 1.0 and TLS 1.1.
  • Provide turn-key authentication and authorization of users or client apps. If enabled, App Service can sign in users or client apps with very little or no application code. These users can then authenticate against multiple providers, including Azure Active Directory (Azure AD), Facebook, Google, and Twitter.
  • If your application is hosted within the App Service environment, make sure to utilize VNet service endpoints to extend your virtual network private address space over a direct connection. VNets enable you to segment and secure the traffic to your web application, only allowing it access to the resources you define. Otherwise, the traffic will travel over a shared network and will not be as secure.
  • Application secrets, such as database credentials, tokens, or private keys, should only be exposed to the application via environment variables. Stored in the Azure App Service app settings, these secrets are encrypted; they are decrypted only at application start time and then injected into process memory, and the encryption keys are rotated regularly. You can also use Azure Key Vault to store additional secrets and integrate them into your application.
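The settings in the list above, written as a Bicep deployment. This is an added example, not code from the article or from Microsoft; every resource name is a placeholder, the App Service plan and the Key Vault (holding a secret named db-connection-string) are assumed to exist already, and the Key Vault is assumed to use the access-policy permission model.

```bicep
// Added example (not from the article): hardened App Service settings in Bicep.
// All names below are placeholders; the plan and Key Vault are assumed to exist.
param location string = resourceGroup().location
param appName string = 'contoso-web-example'

resource plan 'Microsoft.Web/serverfarms@2022-03-01' existing = {
  name: 'contoso-plan-example'
}

resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: 'contoso-kv-example'
}

resource app 'Microsoft.Web/sites@2022-03-01' = {
  name: appName
  location: location
  // System-assigned managed identity: the app reads Key Vault without any stored credential.
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true            // every plain-HTTP request is redirected to HTTPS
    siteConfig: {
      minTlsVersion: '1.2'     // TLS 1.0 and 1.1 handshakes are rejected
      ftpsState: 'Disabled'    // no plaintext FTP deployment channel
      appSettings: [
        {
          // Key Vault reference: App Service resolves it at start-up and injects the value
          // into the process environment; the secret itself is never stored in app settings.
          name: 'DB_CONNECTION_STRING'
          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=db-connection-string)'
        }
      ]
    }
  }
}

// Allow the app identity to read secrets (access-policy permission model).
resource kvPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
  parent: kv
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: app.identity.principalId
        permissions: { secrets: [ 'get' ] }
      }
    ]
  }
}
```

After deployment, `az webapp config show` should report `minTlsVersion` of 1.2 and `ftpsState` Disabled, and the app setting's resolved value is visible only from inside the running process, not in the portal.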

This covers much of what you need to do with a web application internally, but how do you sanitize and secure outside web traffic? One option is to utilize security tools like the Application Gateway WAF, which protects against common vulnerabilities like SQL injection and cross-site scripting. With this tool, all traffic that travels to your web application is routed through the WAF and rejected if it is malicious in nature.

By using tools like the Azure WAF, you can prevent many malicious requests from even reaching the web application. Additionally, you can leverage App Service’s turn-key authentication and authorization abilities. It’s difficult to properly implement authentication and authorization systems, but by letting Azure manage them (App Service is integrated within Azure AD), you can maintain a completely integrated environment.

Having said that, these core platform products do not provide fully comprehensive security. For example, Application Gateway WAF includes the Core Rule Set (CRS) from the Open Web Application Security Project (OWASP). These are useful, but they do not provide full coverage in today’s threat environment. To achieve this, it is best to add a cloud security platform such as Reblaze, which integrates seamlessly with Microsoft Azure and provides turn-key protection.
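The Application Gateway WAF described above, as an added example in Bicep (not code from the article or from Microsoft): a WAF policy applying the OWASP Core Rule Set in Prevention mode. The policy name is a placeholder, and an Application Gateway v2 to attach it to is assumed to exist.

```bicep
// Added example (not from the article): Application Gateway WAF policy with the OWASP CRS.
// The policy name is a placeholder; attach the output id to an existing Application Gateway v2.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-07-01' = {
  name: 'contoso-waf-policy-example'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      // 'Detection' only logs rule matches; move to 'Prevention' once false positives
      // from the application's legitimate traffic have been tuned out.
      mode: 'Prevention'
      requestBodyCheck: true       // inspect request bodies, not only headers and query strings
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'     // the Core Rule Set mentioned in the text
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}

// Reference this id from the Application Gateway's firewallPolicy property.
output wafPolicyId string = wafPolicy.id
```

Blocked requests appear in the ApplicationGatewayFirewallLog category with `action_s` set to Blocked, which is the signal to watch while tuning before switching from Detection to Prevention.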

Identity and Access Management

Azure Active Directory

It’s almost impossible to talk about Azure without discussing Azure AD in more detail. This is easily one of the most commonly used directory service solutions, and Microsoft has extended it as a managed service to the Azure cloud. Most Azure services integrate tightly with Azure AD and allow you to control accounts and access from a centralized location.

For applications, you can use Azure AD for authentication. This usually consists of Azure AD for employees, Azure AD B2B for guest users and external partners, and Azure AD B2C for customer sign-up and sign-in. You can also enable Single Sign-On for devices, apps, and services within your environment. By enabling conditional access, you can ensure that only devices and locations that meet your security requirements are allowed to connect and authenticate to your Azure AD tenant. Furthermore, you should enforce multi-factor authentication for your users, especially privileged users; it is one of the most effective ways to secure access.

Role-Based Access Control

Role-based access control (RBAC) is a large subject, but here’s a summary: by utilizing the right roles and groups for each of your users, you can easily limit the impact of bad actors and provide just what your users need. While there are multiple ways to build groups and access, many of the built-in roles that Azure offers are excellent for getting started.

One of the best recommendations for using RBAC is to group permissions appropriately. Within that, you can stack groups to provide cumulative access, which makes it easy to follow best practices like auditing and least-privilege permissions. Generating reports from these groups and their associated permissions simplifies compliance with most security standards and makes it easier to verify that access is configured as you intended.

Management

Once your environment is set up securely, you might think that you can relax. But as any IT professional knows, ongoing maintenance and monitoring are crucial to keeping your environment secure. Azure offers a lot of tools to help with this. Probably the most important is Azure Security Center. By deploying an agent into your Azure VMs, it proactively monitors them and then assesses your network, applications, and data. From this, Security Center builds a comprehensive view of your entire environment and reports on what can be improved, the issues it detected, and recommendations for remediation.

Additionally, you can employ Azure Advisor for personalized best practice recommendations about your overall environment, and you can use Azure Network Watcher for performance monitoring and diagnostics of your network traffic. Clearly, there are a number of tools that allow you to strictly monitor and dig into any issues, and this will help you quickly remediate and handle incoming threats.

Summary

In this series, we explored what it takes to secure an Azure environment from the bottom up. Although there are many moving pieces, Azure offers a comprehensive toolkit that makes it straightforward to build a secure environment. Even more important is keeping the environment secure as you build, and Azure makes that simple too.

Like any cloud provider, Azure is committed to keeping your resources secure and up to date. This is crucial for all cloud environments, as they are prime targets for malicious entities. Thankfully, there are a large number of easy-to-use tools available.
