Microsoft is continually adding to Azure’s capabilities. Recent updates have improved Azure’s security features across a variety of services. We’ve previously discussed web security for Microsoft Azure, including topics such as:
- An overview of cloud security on Azure
- A discussion of security for compute resources, containers, storage, and networks
- Azure web application security and IAM
- Leveraging DevSecOps on Azure to strengthen your defenses
- Using Azure Firewall
It’s been a while since we stepped back and took a broader look at the platform overall. In this article, we’ll discuss Azure’s recent enhancements and new services that can help to improve the security posture of your organization’s cloud deployments.
What’s New in Azure Security?
Microsoft Azure is one of the fastest-growing public cloud platforms and regularly releases new features and updates for optimized performance. Such enhancements include provisions for both Azure and non-Azure resources to ensure threat vectors do not exploit security gaps within your ecosystem, including third-party integrations. The following section outlines some of these new capabilities to help you improve your security posture in Azure cloud.
Updates to Microsoft Defender for Cloud
As part of its continuous enhancements, Microsoft recently announced the unification of Azure Security Center and Azure Defender into the centralized Microsoft Defender for Cloud (DoC). The latest version includes Microsoft’s built-in threat and vulnerability management platform. Azure cloud security teams can now easily set up vulnerability assessments in real time without having to deploy additional agents.
Through its native plugin enabling threat prevention for AWS EKS and ECS assets, the platform extends its native security features to connected AWS resources. In addition to this, DoC now includes focused security policies and hardening recommendations to ensure that Kubernetes workloads are secure.
Other novel features offered by Defender for Cloud include:
- Inventory display of on-premises machines
- Leveraging Azure Purview to enable the prioritization of security actions by data sensitivity
- Azure Security Benchmark v3 for extended security control assessments
- Security recommendations mapped with the MITRE ATT&CK framework
- Snapshot export for security findings and recommendations
- Software inventory filters in asset inventory
Azure Storage Security Assessment
Azure now applies the Azure Security Benchmark v1 to storage resources connected to Azure instances. The platform leverages a resource manager deployment model that you can use to apply recommended security settings for storage accounts. Among other things, this applies an Azure Resource Manager lock to storage accounts, which prevents accidental configuration changes or deletion.
An Azure Storage security assessment helps identify the risks associated with a storage account through a detailed report of various storage services, accounts, configuration settings, and access control policies. As a result, the benchmark helps you make informed decisions on how to secure your data while performing risk-based remediation actions for identified vulnerabilities.
While storage is one of the services, the security assessment helps identify security controls across a number of other services as well, including:
- Roles and access control
- Data collection and storage
- Identity and access management
- Developer operations
- Ongoing security monitoring
- Assigned policies and recommendations
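As an added example that is not part of the original article, the following Azure Resource Graph query (written in the same Kusto query language that Azure Monitor Logs uses) shows what a do-it-yourself storage account assessment looks like. The property names are the real ARM storage account properties; the specific checks and their wording are my assumptions, not the benchmark's exact controls.

```kql
// Added example, not from the original article: an Azure Resource Graph query
// that performs a lightweight storage-account assessment by flagging settings
// that commonly appear in hardening baselines.
// Run it from the Resource Graph Explorer blade or `az graph query -q "<query>"`.
// The checks below are illustrative assumptions, not the exact controls of
// Azure Security Benchmark v1.
resources
| where type =~ 'microsoft.storage/storageaccounts'
// Normalize the relevant properties; an unset property falls back to the
// permissive value the platform applies when nothing is configured.
| extend httpsOnly   = coalesce(tobool(properties.supportsHttpsTrafficOnly), false),
         minTls      = tostring(properties.minimumTlsVersion),
         publicBlobs = coalesce(tobool(properties.allowBlobPublicAccess), true),
         sharedKey   = coalesce(tobool(properties.allowSharedKeyAccess), true),
         netDefault  = tostring(properties.networkAcls.defaultAction)
// One finding string per failed check; passing checks yield an empty string,
// which set_difference() strips so that only real findings remain.
| extend findings = set_difference(
      pack_array(
          iff(not(httpsOnly),       'HTTPS-only traffic is not enforced', ''),
          iff(minTls != 'TLS1_2',   'Minimum TLS version is below 1.2', ''),
          iff(publicBlobs,          'Anonymous public blob access is allowed', ''),
          iff(sharedKey,            'Shared-key (account key) access is allowed', ''),
          iff(netDefault !~ 'Deny', 'Network rules default to Allow (no firewall)', '')),
      dynamic(['']))
| where array_length(findings) > 0
| project subscriptionId, resourceGroup, name, location, findings
| order by array_length(findings) desc, name asc
```

Accounts that pass every check are filtered out, so an empty result set means every storage account in scope meets these assumed checks.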
Enhanced Web Application Firewall Capabilities
A WAF is built into the Azure cloud to protect VLANs from common threats and vulnerability exploits. The latest version of the Azure WAF introduces updated rule sets to enable swift vulnerability and threat management with reduced false positives. It also includes the OWASP ModSecurity Core Rule Set (CRS 3.2) to offer enhanced security against known web vulnerabilities while simplifying the management of your security posture.
The upgraded platform additionally comes with exclusion lists that enable cloud administrators to omit certain attributes from the evaluation of a rule, thereby making it easy to fine-tune Azure Web Application Firewall (WAF) policies and rule sets for your web applications.
Integrated Vulnerability Assessment
As part of Azure’s latest subscription model, with every Defender for Cloud service, Defender for Endpoint’s threat and vulnerability management suite is deployed by default. Defender for Endpoint relies on sensors to identify security misconfigurations and vulnerabilities in real time, eliminating the need for periodic scans or agents.
Besides this, Defender for Cloud also includes an integrated vulnerability assessment powered by Qualys at no extra cost; this can be leveraged as an integrated vulnerability scanner that supports both Azure VMs and hybrid machines.
Improved Security Incidents
The Azure platform now integrates with popular SIEM solutions, such as Splunk, to automate incident response workflows through analytics-driven detection, recommendation, and remediation. As a result, security incidents can now rely on real-time alerts that correspond to kill chain patterns, offering real-time insights into breaches affecting multiple clusters of VMs. By correlating the malicious activity of one machine to another, security administrators can identify compromised systems and take corrective actions faster.
Security Recommendations for Virtual Machine Scale Sets
Azure now provides a security baseline that applies guidance from the Azure Security Benchmark v1 to scale sets of Linux, Windows, and Azure VMs. The baseline applies to both uniform and scale sets while offering hardening recommendations for various services including monitoring, networking, identity and access, data security, and general security configuration.
Azure Security Solutions
There are several popular tools you can use to help improve the security posture for Azure cloud, some of which we discuss below.
Microsoft Defender for Cloud
Defender for Cloud is an all-around security posture management and threat detection framework. The platform helps to strengthen the security posture of your hybrid cloud resources, thereby securing workloads running on different cloud setups. Core capabilities of Defender for Cloud include:
- Comprehensive security posture management and workload protection
- Private, hybrid, and multi-cloud protection
- Vulnerability assessment and management
- Recommendations for configuring and enhancing security
- Threat prevention and management
Application Insights
Application Insights is an application performance management solution built into Azure Monitor to offer extensible capabilities for administering security. Along with detecting anomalies autonomously, the tool relies on powerful analytic mechanisms to provide useful insights into application performance.
Through an easy-to-install agent, Application Insights can pull telemetry data directly from host environments such as Docker logs, Azure diagnostics, or third-party performance counters. The telemetry streams can then be integrated into Azure Monitor for the efficient search and analysis of raw data.
Application Insights helps to monitor a wide variety of critical data including:
- Request rates, failure rates, and response times
- Load performance and page views
- AJAX calls
- Session and user counts
- Host diagnostics
- Custom metrics and events
Azure Monitor Logs
Azure Monitor Logs offer a built-in feature to record and organize logs from various resources and underlying services of a cloud platform. The solution consolidates data from multiple sources, such as virtual machine agents, platform logs, usage, and the performance data of your applications.
For efficient analysis of the data, the platform lets you use a simple query language capable of sophisticated pattern evaluation. In addition to this, you can further visualize the log data through intuitive tables and charts on an Azure dashboard or workbook, Grafana, or PowerBI for interactive reporting.
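The cross-machine correlation mentioned in the security incidents section above, and the query language mentioned here, come together in the following Kusto (KQL) query. It is an added example rather than code from the original article; it assumes the workspace's SecurityEvent table is populated with Windows security events, and the thresholds and time window are illustrative assumptions.

```kql
// Added example, not from the original article: correlate Windows security
// events across VMs in an Azure Monitor Logs workspace to find a source that
// sprays failed logons at several machines and then succeeds on one of them.
// Assumes the SecurityEvent table is populated; thresholds are assumptions.
let lookback = 24h;
let window   = 15m;
let minHosts = 3;   // a source must fail against at least this many VMs to count
// Step 1: sources generating failed logons (event 4625) on several machines
// within the same time bucket.
let sprayers =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625 and isnotempty(IpAddress)
    | where IpAddress !in ('-', '::1', '127.0.0.1')
    | summarize FailedLogons = count(),
                TargetHosts  = make_set(Computer),
                Accounts     = make_set(TargetUserName, 20),
                FirstSeen    = min(TimeGenerated),
                LastSeen     = max(TimeGenerated)
              by IpAddress, bin(TimeGenerated, window)
    | where array_length(TargetHosts) >= minHosts
    | project IpAddress, WindowStart = TimeGenerated, FailedLogons,
              TargetHosts, Accounts, FirstSeen, LastSeen;
// Step 2: successful network or remote-interactive logons (event 4624,
// logon type 3 or 10) from the same source during or shortly after the
// spraying window: the point at which a password attack becomes access.
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624 and LogonType in (3, 10)
| join kind=inner sprayers on IpAddress
| where TimeGenerated between (FirstSeen .. (LastSeen + window))
| summarize Successes        = count(),
            CompromisedHosts = make_set(Computer),
            SuccessAccounts  = make_set(TargetUserName)
          by IpAddress, WindowStart, FailedLogons, TargetHosts = tostring(TargetHosts)
| order by FailedLogons desc
```

Each result row names one source address, the machines it failed against, and the machines where it later logged on successfully, which is the starting point for isolating those hosts and reviewing the accounts involved.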
Azure Advisor
The Azure Advisor service offers best practices and recommendations based on the configuration of your Azure cloud deployments. The platform refers to the Microsoft Azure Well-Architected Framework as a baseline to help you optimize configuration by analyzing data from the deployment’s telemetry. The Advisor service also includes step-by-step guidance and quick actions for administering a comprehensive security posture.
App Service Authentication/Authorization
Azure offers Easy Auth as a built-in authentication and authorization capability for efficient access management with minimal or no code requirements. Its scope applies to various services, including RESTful APIs, mobile backends, Azure Functions, and web applications. Easy Auth functionality is offered out of the box through the App Service platform and integrates with multiple authentication mechanisms including Google, Twitter, Azure AD, Facebook, and more.
Encryption At-Rest or In-Transit
Azure supports multiple encryption models to help protect secret data both at rest and in transit. These models include:
- Client-side encryption
- Server-side encryption
- Azure disk encryption
- Azure Storage service encryption
- Always Encrypted for data at rest
Azure also leverages Azure Active Directory to store keys for implementing encryption at rest and in transit.
The Azure cloud computing platform provides an extensive set of built-in security features, and Microsoft is constantly improving them. However, most organizations will still need more capabilities than these. As we’ve discussed before (Built-In Cloud Security Tools: Are They Enough?), Azure and the other major cloud providers offer some security tools, but these tools don’t offer (nor are they intended to offer) full protection.
Reblaze offers comprehensive cloud security for Microsoft Azure, including a next-generation WAF, DDoS protection, advanced bot management, ATO (Account Takeover) prevention, API security, and much more. For more information or to get a demo, feel free to contact us.