This is Part#10 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.
You may want to deprecate and then discontinue some legacy security approaches as you move to Azure. You can continue to use these technologies in Azure if you see value, but many organizations are not migrating these solutions to Azure, so these choices are explicitly surfaced.
Classic Network Intrusion Detection/Prevention Systems (NIDS/NIPS)
What : Choose whether to add existing NIDS/NIPS capabilities on Azure Why : The Azure platform already filters malformed packets and most classic NIDS/NIPS solutions are typically based on outdated signature-based approaches which are easily evaded by attackers and typically produce high rate of false positives.
How :
- Do Not Add (Default Recommendation)
- Add to Azure tenant
Network Data Loss Prevention (DLP)
What : Choose whether to add Network DLP capabilities on Azure
Why : Network DLP is increasingly ineffective at identifying both inadvertent and deliberate data loss. This is because most modern protocols and most attackers use encryption (most available attacker toolkits have encryption built in)
How :
- Do Not Add (Default Recommendation)
- Add to Azure tenant