Cloud security management will always remain an ongoing journey, as threats keep evolving and organizations need to keep updating their cloud security strategy. A well-defined set of security controls and categories helps you set a strong baseline in this journey, irrespective of your cloud platform. This blog series will help you understand what your cloud security focus areas should be and the most important controls and categories you should take into account for building this strategy.
We explored this framework in the first part of the series, which covered the focus areas to consider when designing your cloud security strategy, such as reducing the attack surface, detecting attacks and breaches, and responding to attacks.
We also discussed the controls and categories aligned with these focus areas. Implementing these controls in your cloud platform of choice is the next step. This article will help you understand the different Microsoft Azure services and tools that you can use to implement the security controls for your workloads in the cloud.
Azure Cloud Security Controls
The rule of thumb for implementing cloud security controls is to leverage the services and tools natively available on the cloud platform. You can consider third-party services for features and capabilities that are not natively available. Let’s explore the options for implementing the relevant security controls and categories in Azure.
Application security groups for VNet microsegmentation: Application security groups help with microsegmentation of application components deployed in Azure VNets. They abstract IP configuration and management by aligning fine-grained security policies with the business logic. Application security groups can be used in NSGs to manage East-West and North-South traffic filtering. If you’re looking for the simplest way to implement network microsegmentation in your Azure VNet, application security groups are the solution.
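As an added example (not code from the original post), the Bicep template below lays out the three-tier microsegmentation pattern described above: one application security group per tier, an NSG whose rules reference those groups instead of IP addresses, and a NIC that joins a tier by referencing its group. Resource names, ports, and the address space are assumptions.

```bicep
// Added example, not from the original post. Names, ports and address ranges are assumed.
param location string = resourceGroup().location

// One ASG per application tier. NICs join a tier by referencing the ASG,
// so the NSG rules never need to track individual IP addresses.
resource asgWeb 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
  name: 'asg-web'
  location: location
}
resource asgApp 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
  name: 'asg-app'
  location: location
}
resource asgDb 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
  name: 'asg-db'
  location: location
}

// The NSG expresses the allowed flows between tiers. The final rule denies all other
// VNet-internal (East-West) traffic, overriding the default AllowVnetInBound rule (priority 65000).
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-three-tier'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-internet-https-to-web' // North-South: only HTTPS reaches the web tier
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: asgWeb.id } ]
          destinationPortRange: '443'
        }
      }
      {
        name: 'allow-web-to-app' // East-West: web tier may reach the app tier only
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [ { id: asgWeb.id } ]
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: asgApp.id } ]
          destinationPortRange: '8080'
        }
      }
      {
        name: 'allow-app-to-db' // East-West: app tier may reach the database tier only
        properties: {
          priority: 120
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [ { id: asgApp.id } ]
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: asgDb.id } ]
          destinationPortRange: '1433'
        }
      }
      {
        name: 'deny-other-vnet-inbound' // everything else inside the VNet is dropped
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// A single subnet for all tiers: the NSG, not the address layout, enforces isolation.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-workload'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] } // assumed
    subnets: [
      {
        name: 'snet-tiers'
        properties: {
          addressPrefix: '10.10.1.0/24' // assumed
          networkSecurityGroup: { id: nsg.id }
        }
      }
    ]
  }
}

// A web-tier NIC joins asg-web through its IP configuration; no rule changes are
// needed when more web instances are added, they simply reference the same ASG.
resource nicWeb 'Microsoft.Network/networkInterfaces@2023-04-01' = {
  name: 'nic-web-01'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: vnet.properties.subnets[0].id }
          privateIPAllocationMethod: 'Dynamic'
          applicationSecurityGroups: [ { id: asgWeb.id } ]
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`. Two constraints worth knowing before relying on this: all NICs placed in one ASG must belong to the same VNet, and an NSG rule may use either address prefixes or ASGs on a given side (source or destination), not both.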
Azure Firewall threat intelligence-based filtering: Azure Firewall protects your workloads by providing threat intelligence-based filtering that denies traffic from or to known malicious sources. The information about malicious sources is derived from the Microsoft Threat Intelligence feed, which is powered by Microsoft’s Intelligent Security Graph service, used by multiple security services in Azure, including Azure Security Center.
Azure Web Application Firewall: Azure Web Application Firewall (WAF) protects your web applications deployed in Azure from common threats and known vulnerabilities. It offers automated protection against evolving exploits as well as known exploits like SQL injection and cross-site scripting. WAF can be integrated with these Azure services for comprehensive workload protection: Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) (public preview).
WAF is most commonly used with Azure Application Gateway and offers protection based on the ModSecurity Core Rule Set from the Open Web Application Security Project (OWASP).
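The following Bicep is an added example, not from the original post or from Microsoft, showing what a WAF policy for Application Gateway built on the OWASP Core Rule Set looks like. The policy name, the excluded cookie name, and the blocked IP range (a documentation prefix) are assumptions.

```bicep
// Added example, not from the original post. Names and the sample values are assumed.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-04-01' = {
  name: 'waf-policy-web'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'      // 'Detection' only logs matches; Prevention blocks them
      requestBodyCheck: true  // inspect request bodies, not just the URI and headers
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'   // CRS rule groups: SQLi, XSS, LFI/RFI, protocol anomalies
          ruleSetVersion: '3.2'
        }
      ]
      // Keep exclusions narrow: exempt one opaque session cookie from inspection
      // instead of disabling the rule groups that random cookie values trip.
      exclusions: [
        {
          matchVariable: 'RequestCookieNames'
          selectorMatchOperator: 'Equals'
          selector: 'session_id' // assumed cookie name
        }
      ]
    }
    // Custom rules run before the managed rule set, in priority order.
    customRules: [
      {
        name: 'block-listed-ranges'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RemoteAddr' } ]
            operator: 'IPMatch'
            matchValues: [ '203.0.113.0/24' ] // constructed sample range
          }
        ]
      }
    ]
  }
}

output wafPolicyId string = wafPolicy.id
```

The policy only takes effect once an Application Gateway of SKU `WAF_v2` references it through `firewallPolicy: { id: wafPolicy.id }` in its properties (the gateway definition itself is omitted here). A practical rollout is to deploy in `Detection` mode first, review the `ApplicationGatewayFirewallLog` entries for false positives, add targeted exclusions, and only then switch to `Prevention`.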
Azure DDoS protection: Azure offers basic and standard DDoS protection. Basic protection is available for all Azure resources by default, while customers can configure standard DDoS protection for additional security for workloads connected to Azure VNets. The standard service offers protection and automated mitigation of volumetric, protocol, and application-layer attacks with real-time telemetry for monitoring and analysis of the attack vector.
You can configure alerts to notify stakeholders about ongoing attacks by leveraging built-in attack metrics. When integrated with layer 7 protection services like WAF or third-party application firewalls, Azure’s DDoS protection delivers protection for layer 3 to layer 7 for your Azure workloads.
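As an added example (not from the original post), the Bicep below attaches a DDoS Protection Standard plan to a VNet and raises an alert from the built-in "under DDoS attack" metric on a public IP, which is the telemetry the paragraph above refers to. Resource names, the address space, and the notification address are assumptions.

```bicep
// Added example, not from the original post. Names, ranges and the e-mail address are assumed.
param location string = resourceGroup().location

resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-04-01' = {
  name: 'ddos-plan-prod'
  location: location
}

// Linking the plan to the VNet covers every public IP attached to resources in it.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-workload'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.20.0.0/16' ] } // assumed
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddosPlan.id }
    subnets: [ { name: 'snet-web', properties: { addressPrefix: '10.20.1.0/24' } } ]
  }
}

// The frontend public IP whose attack metrics we alert on.
resource pip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-web-frontend'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource oncall 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-security-oncall'
  location: 'Global'
  properties: {
    groupShortName: 'seconcall'
    enabled: true
    emailReceivers: [
      { name: 'soc', emailAddress: 'soc@example.com', useCommonAlertSchema: true } // assumed
    ]
  }
}

// IfUnderDDoSAttack is 1 while a mitigation is active and 0 otherwise, so any
// value above 0 in the evaluation window means an attack is being mitigated.
resource ddosAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'alert-ddos-mitigation-active'
  location: 'global'
  properties: {
    severity: 1
    enabled: true
    scopes: [ pip.id ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT5M'
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          criterionType: 'StaticThresholdCriterion'
          name: 'under-attack'
          metricNamespace: 'Microsoft.Network/publicIPAddresses'
          metricName: 'IfUnderDDoSAttack'
          operator: 'GreaterThan'
          threshold: 0
          timeAggregation: 'Maximum'
        }
      ]
    }
    actions: [ { actionGroupId: oncall.id } ]
  }
}
```

The same metric alert pattern extends to the other DDoS metrics exposed on the public IP (packets dropped, bytes forwarded, and so on) if you want volume-based alerts in addition to the on/off mitigation signal.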
Cloud Security Posture Management
Azure Security Center policies and recommendations: Azure Security Center is a built-in cloud security posture management solution that monitors your Azure deployments for possible misconfigurations and for alignment with Azure security benchmarks. Azure Security Center continuously assesses resources against the defined security controls and assigns a security score that helps you prioritize remedial actions.
Azure Security Center comes with built-in policies and recommendations for security, compliance, cost, and administrative control across a wide range of services, including data protection, storage, compute, App Service, virtual machine scale sets (VMSS), and containers. A few of these are listed below:
- Adaptive network hardening requirements based on analysis of traffic patterns
- Pod security policies to restrict pods’ access to each other in Kubernetes clusters
- Alignment of Azure subscription ownership with recommended best practices
- Advanced data security configuration for managed and unmanaged database instances
- Advanced threat protection for storage accounts
- Protection of internet-bound traffic
- Just-in-time network access control implementation
- Configuration of diagnostics logs for crucial services
- Encryption for databases and storage services
Azure Update Management: Azure offers a hybrid patch deployment option through Azure Update Management, which is part of the Azure Automation service. It can be used to assess the patch level of Windows and Linux machines and to initiate the deployment process. The assessment and deployment process leverages the Log Analytics agent for Windows/Linux, along with the Hybrid Runbook Worker, DSC (for Linux machines), and WSUS (for Windows machines). Connecting the machines to a Log Analytics workspace is a prerequisite for Update Management.
Azure Security Center vulnerability assessment: Azure Security Center provides real-time integrated vulnerability scanning for virtual machines, powered by Qualys, and presents the results for review. You can also leverage Azure Resource Graph to export the vulnerability scanning results for further querying, analysis, and filtering.
If you’ve already purchased a license for a third-party vulnerability assessment solution, you have the option to integrate it with Security Center.
Cloud Workload Protection Platform (CWPP)
Azure Security Center threat protection: Azure Security Center offers endpoint detection and response through integration with Microsoft Defender Advanced Threat Protection (ATP).
Azure Security Center threat protection is powered by big data, advanced analytics, and intelligent security graphs, which helps it adapt to fast-evolving threats and provides actionable alerts for remediation. Microsoft Defender ATP integration with Azure Security Center helps with automated onboarding of Windows servers and provides a single-pane view of the security status of all machines.