Azure Security best practice: Administration – Account protection

This is Part#2 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Passwordless Or Multi-factor Authentication For Admins

What : Require all critical impact admins to be passwordless (preferred) or require MFA.

Why : Passwords cannot protect accounts against common attacks.

How :

  • Passwordless (Windows Hello)
  • Passwordless (Authenticator App)
  • Multifactor Authentication
  • 3rd Party MFA Solution

No Standing Access

What : No standing access for critical impact admins

Why : Permanent privileges increase business risk by increasing attack surface of accounts (time)

How :

  • Just in Time : Enable Azure AD PIM or 3rd party solution) for all of these accounts
  • Break glass : Process for accounts (preferred for low use accounts like global admin)

Azure Security best practice: Operationalize Secure Score for cleaning up risk

This is Part#1 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

What – Assign stakeholders to use Secure Score in Azure Security Center to monitor risk profile and continuously improve security posture

Why – Rapidly identifying and remediating common security hygiene risks can significantly reduce overall risk

How – Set up a regular cadence (typically monthly) to review Azure secure score and plan initiatives with specific improvement goals. Gamify the activity if possible to increase engagement.

Suggested Process Owners

Operationalize Secure Score for cleaning up risk

Common cloud security threats we see in the wild

Common cloud security threats we see in the wild

The biggest question now becomes as to how to protect your Azure environment against all those threats: protect your cloud workload from
threats using Azure Security Center and Azure Policies!

A go-do list to protect your workloads against threats:

  1. Good hygiene comes first, strengthen your cloud security posture
  2. Turn on threat protection for all cloud resources
  3. Reduce attack surface for VMs with JIT, Network and app controls
  4. Integrate alerts into your SIEM or Ticketing system & notify app owners
  5. Identify root cause and drive new security hygiene up
  6. Bring security controls together by using a standard like Azure CIS/NIST 800-53/ISO27001

The last point on the above list touches upon our Managed Security Services for Azure.

Top 10 Azure Security best practices

With so many recommendations out there you need to be focused on the ones with highest impact and rapid implementation.

As recommended by Microsoft, here are the top 10 Azure Security best practices:

Operationalize Secure Score for cleaning up riskPasswordless or MFA for adminsEnterprise segmentation & Zero Trust preparationEnable Threat Protection for Azure ResourcesFollow guidance to secure your DevOps
Operationalize Secure Score for cleaning up risk Passwordless or MFA for admins Enterprise segmentation
& Zero Trust preparation
Enable Threat Protection for Azure Resources Follow the guidance to secure your DevOps
Assign and Publish Roles Responsibilities Choose Firewall StrategyImplement Web Application FirewallsChoose DDoS Mitigation for Critical AppsConsider Retiring Legacy Classic Technology
Assign and Publish Roles Responsibilities Choose a Firewall Strategy Implement Web Application Firewalls Choose DDoS Mitigation for Critical Apps Consider Retiring Legacy Classic Technology

In the next few days and over a few blog post will explore in more details each of the recommendations, but keep in mind that our managed Azure security services can complement if not completely replace all the tasks done by you.

How to protect Linux and Windows VMs from threats

How to protect Linux and Windows VMs from threats

There are many options when you want to enhance the security of your VMs . Here are a few options that when configured correctly will greatly improve your security posture.

Reduce open network ports:

  • Use Just-in-Time to avoid exposure of management ports
  • Limit open ports with adaptive network hardening

Protect against malware:

  • Block malware with adaptive application controls
  • Built-in Microsoft Defender ATP EDR
  • Crash dump analysis and fileless attack detection

Use the built-in vulnerability assessment for VMs:

  • Automated deployment of the vulnerability scanner
  • Continuously scans installed applications to find vulnerabilities
  • Visibility to the vulnerability findings in Security Center portal and APIs
How to protect Linux and Windows VMs from threats
Protect all the VMs from threats

How does your company understand the quality of their security posture against industry recognized security standards?

The goal of cyber security standards is to improve the security of information technology (IT) systems, networks, and critical infrastructures. A cyber security standard defines both functional and assurance requirements within a product, system, process, or technology environment. A standard must address user needs, but must also be practical since cost and technological limitations must be considered in building products to meet the standard. Additionally, a standard’s requirements must be verifiable; otherwise, users cannot assess security even when products are tested against the standard.

Many organizations security needs are driven by compliance requirements. Azure Security Center measures compliance against the following:

Standard Author Description
Azure CIS 1.1.0 Center for Internet Security Set of security controls published by the Center for Internet Security
PCI DSS 3.2.1 Payment Card Industry Standards Council Standards required for organizations that manage payment card data
ISO 27001 International Standards Organization Set of security controls for information security systems. Standard 27017 is cloud computing specific.
NIST 800-53 National Institute of Standards and Technology Security and Privacy Controls for Federal Information Systems and Organizations.

Our proposal: let us manage your security compliance!

Our Proposal: let us manage your security compliance!
Managed Azure Security Services

Advanced Threat Protection for Azure SQL Database

How can your company improve the security of Azure SQL instances?

Azure has built-in functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.

Those powerful features are part of the Advanced Data Security (ADS) package for advanced SQL security. Specifically, Advanced Threat Protection for Azure SQL Database and SQL Data Warehouse detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases:

  • Vulnerability to SQL Injection
  • Potential SQL injection
  • Access from unusual location
  • Access from unusual data center
  • Access from unfamiliar principal
  • Access from potentially harmful application
  • Brute force SQL Credentials
Advanced Threat Protection for Azure SQL Database
Advanced Threat Protection for Azure SQL Database

The cost of ADS is aligned with Azure Security Center standard tier pricing per node, where a node is the entire SQL Database server or managed instance. You are thus paying only once for protecting all databases on the database server or managed instance with ADS.

Another feature of Azure Security, part of the above mentioned ADS, is SQL Vulnerability Assessment.

Vulnerability Assessment is a scanning service built into the Azure SQL Database service. The service employs a knowledge base of rules that flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft’s best practices and focus on the security issues that present the biggest risks to your database and its valuable data. We recommend using regularly this service, as it can provide valuable insight into your database security posture.

Privileged Identity Management

How does your company ensure that administrative tasks are only performed by authorized users?

Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Azure AD, Azure, Office 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure resources and Azure AD. There is a need for oversight for what those users are doing with their administrator privileges.

By using Privileged Identity Management, you can enable time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about.

Privileged Identity Management in Azure
Privileged Identity Management in Azure

Using this feature requires an Azure AD Premium P2 license.

Comprehensive security for hybrid environments with built-in Azure services

Quality of the security posture against security controls in Azure

How does your company understand the quality of their security posture against security controls that are possible to configure within Azure?

One way of looking at this issue is by using the Azure Security Center Secure Score.

  • Secure Score measures what you have done to secure your environment compared to what you can do
  • Your secure score will change depending on what resources are deployed in a subscription
  • Two organizations can only have the same secure score if they have the same resources deployed with the same security configuration
  • Secure Score will change as new security configuration options become available over time

There quite a few built-in Azure services that would help you secure any hybrid environments and help you improve you Secure Score, as you can see from the diagram below.

Comprehensive security for hybrid environments with built-in Azure services


Built-in Azure services that when configured correctly will improve your security posture.

Azure Cloud security is a shared responsibility

Azure Cloud security is a shared responsibility
Shared responsibility model for Azure Cloud Security

Security controls are designed to ensure technology solutions are built and maintained in ways that ensure function and security successfully coexist. This ideal holds strong in Azure where Microsoft is constantly vetting and monitoring the implementation of their security controls, as well as watching their service teams continue to innovate new functionality in the cloud environment. With that said, the cloud presents a spectrum of responsibilities based on what types of services and/or features a customer may be consuming. This is unlike more traditional on-premises information systems where most, if not all, security is implemented by the same owner.

As organizations move from IaaS, to PaaS and then to SaaS, you’ll find that they are responsible for less and the cloud service provider is responsible for more.

The figure below describes how shared responsibility works across the cloud service models.

Shared responsibilities and key strategies for Azure environments
A higher resolution version of the diagram is attached as well.

Make sure you understand you role in this complex paradigm that is cloud computing and don’t assume the Cloud provider will manage all security aspects of your environment!