Editor’s note: Uladzislau shares ScienceSoft’s knowledge of security routines for Azure-hosted infrastructures to help you raise your cybersecurity level. These guidelines cover only the common risks that compromise a cybersecurity posture; if you doubt that these preventive measures are sufficient for you, feel free to browse our security testing service offering.
You can build Azure security in a variety of ways, depending on the services and roles you use. Check the guidelines below to avoid common cybersecurity risks and raise the security level of your entire Azure environment.
Configuring and managing access to cloud resources should be an important part of your security policy. Microsoft offers three interfaces for managing cloud resources: the Azure Portal, PowerShell, and the Azure CLI. Because access to them is a goal for many cybercriminals, protecting them should be one of the key steps in securing your entire Azure infrastructure.
Here is what you should avoid in the first place to prevent security issues with identity and access management:
- Weak account security. According to the Verizon Data Breach Investigations Report, 63% of attacks involve compromise of accounts when an attacker uses a weak or a stolen password.
- Redundant rights for users and applications. From ScienceSoft’s experience, companies face an average of 11 insider threats and 3 threats to privileged users per month. In most cases these incidents are non-malicious and arise from employees' carelessness.
- Using default Azure Portal settings.
To avoid these common mistakes, I’d like to stress the importance of password reliability and secure authentication. Below, I provide recommendations on how to adjust your access policy and protect your cloud resources:
- Ensure user account protection.
- Enable Multi-Factor Authentication (MFA) for all accounts. Azure provides MFA for users assigned the Global Admin role free of charge.
- Be cautious with the App Password feature. Some applications, like Office 2010 and earlier versions, do not support MFA and need an app password to operate; because an app password lets a client sign in without the second factor, it increases the risk of account compromise.
- Enforce password complexity and timely password changes. The recommended minimum length is 10 characters, mixing digits and upper- and lower-case letters.
- Limit the number of incorrect password entry attempts.
- Use Conditional Access and Identity Protection tools to quickly detect and stop malicious activity in your account.
- Cut the redundant rights down.
- Limit the number of privileged accounts. For example, Microsoft's guidelines suggest reducing the number of users with the Global Admin role to 3.
- Implement and actively use Privileged Identity Management (PIM). PIM helps you audit redundant rights and grant access to resources only when it is really needed (eligible assignments that must be activated instead of standing privileges).
- Protect your portal and applications.
- Audit the rights given to applications that use Microsoft Graph APIs.
- Prevent unprivileged users from registering applications.
- Enable the setting that restricts Azure portal access for unprivileged users.
- Give applications that access Azure services (e.g., Azure Storage) their own service principal instead of a user's credentials.
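The identity recommendations above can be checked against a tenant export. The script below is an added example, not code from the original article: it runs offline over a constructed snapshot shaped like the Microsoft Graph objects an auditor would pull (directory roles with their members, users with their MFA registration status, and service principals with the application permissions granted to them). The tenant name, accounts, the "assignment" field that mirrors PIM's permanent/eligible distinction, and the list of high-privilege Graph permissions are all assumptions made for the example.

```python
"""Identity posture check for the recommendations above.

Added example, not code from the original article: it runs offline over a
constructed snapshot shaped like the Microsoft Graph objects an auditor would
export (directory roles with members, users with their MFA registration, and
service principals with granted application permissions). Every tenant name,
account and threshold below is an assumption made for the example.
"""

MAX_GLOBAL_ADMINS = 3  # the headcount the article cites for the Global Admin role

# Microsoft Graph application permissions that let an app rewrite the directory
# or its role assignments: a compromised app holding one of these owns the tenant.
HIGH_PRIVILEGE_GRAPH_ROLES = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
}

# Constructed snapshot (not real tenant data). "assignment" mirrors PIM:
# "eligible" members must activate the role, "permanent" members hold it always.
SNAPSHOT = {
    "directoryRoles": [
        {"displayName": "Global Administrator", "members": [
            {"upn": "alice@contoso.test", "assignment": "permanent"},
            {"upn": "bob@contoso.test", "assignment": "eligible"},
            {"upn": "carol@contoso.test", "assignment": "eligible"},
            {"upn": "break-glass@contoso.test", "assignment": "permanent"},
        ]},
        {"displayName": "User Administrator", "members": [
            {"upn": "dave@contoso.test", "assignment": "permanent"},
        ]},
    ],
    "users": {
        "alice@contoso.test": {"mfaRegistered": True},
        "bob@contoso.test": {"mfaRegistered": True},
        "carol@contoso.test": {"mfaRegistered": False},
        "break-glass@contoso.test": {"mfaRegistered": True},
        "dave@contoso.test": {"mfaRegistered": False},
        "erin@contoso.test": {"mfaRegistered": False},
    },
    "servicePrincipals": [
        {"displayName": "hr-sync", "appRoles": ["User.Read.All"]},
        {"displayName": "legacy-provisioner",
         "appRoles": ["Directory.ReadWrite.All", "User.Read.All"]},
    ],
}


def audit_identity(snapshot):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    roles = {r["displayName"]: r["members"] for r in snapshot["directoryRoles"]}

    # 1. Too many Global Admins (eligible or permanent: both can become GA).
    global_admins = roles.get("Global Administrator", [])
    if len(global_admins) > MAX_GLOBAL_ADMINS:
        findings.append(
            f"too-many-global-admins: {len(global_admins)} > {MAX_GLOBAL_ADMINS}")

    # 2. Standing privilege: permanent assignments that PIM could make eligible.
    privileged = set()
    for role, members in roles.items():
        for member in members:
            privileged.add(member["upn"])
            if member["assignment"] == "permanent":
                findings.append(f"permanent-assignment: {member['upn']} holds {role}")

    # 3. Accounts without MFA; rated higher when the account holds a directory role.
    for upn, user in sorted(snapshot["users"].items()):
        if not user["mfaRegistered"]:
            severity = "high" if upn in privileged else "medium"
            findings.append(f"no-mfa ({severity}): {upn}")

    # 4. Applications granted tenant-wide write permissions on Microsoft Graph.
    for sp in snapshot["servicePrincipals"]:
        risky = sorted(set(sp["appRoles"]) & HIGH_PRIVILEGE_GRAPH_ROLES)
        if risky:
            findings.append(
                f"high-privilege-app: {sp['displayName']} has {', '.join(risky)}")
    return findings


if __name__ == "__main__":
    for finding in audit_identity(SNAPSHOT):
        print(finding)
```

Run as-is it lists eight findings for the constructed tenant: one Global Admin too many, three permanent role holders, three accounts without MFA (two of them privileged), and one service principal with Directory.ReadWrite.All. The same four checks apply unchanged to a real export once the snapshot is replaced by Graph query results.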
Sophisticated attacks that bypass firewall layers or break cryptographic protection impress us in movies but are rare in real life. In most cases, attackers seek easy prey and exploit plain weak spots carelessly left behind after deployment.
Here is a list of major mistakes that administrators or developers make when deploying Azure services:
- Open administration ports. As this study shows, an open SSH port can receive more than a million password-guessing attempts in less than 8 days.
- Passwords imprudently left in Azure Resource Manager (ARM) configuration files or deployment templates.
- Incorrectly configured access levels on Azure Storage. According to the Verizon Data Breach Investigations Report, 21 out of 347 investigated incidents relate to an incorrect access configuration, which subsequently leads to confidential data leaks.
- Missing network access policies.
- Lack of antivirus software. Malware can be used not only to attack but also to control an already hacked server. More than a half of malware we, at ScienceSoft, detect is remote control software.
- Disabled OS updates.
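The second mistake in the list, credentials left in ARM templates, is easy to catch before a template reaches a repository. The scanner below is an added example, not code from the original article: it flags secret-named parameters that are not `securestring` or carry a `defaultValue`, resource properties set to a literal credential instead of a `[parameters(...)]` expression, and parameters-file entries that paste a value inline instead of referencing Key Vault. The template and parameters file are constructed for the example; the Key Vault reference shape (`reference.keyVault.id` plus `secretName`) is the real ARM parameters-file syntax, while the names, values and the list of secret-like property names are assumptions.

```python
"""Scan an ARM template and its parameters file for secrets that belong in Key Vault.

Added example, not code from the original article. TEMPLATE and PARAMETERS are
constructed inputs; the Key Vault reference shape in PARAMETERS is the real ARM
syntax, everything else (names, values, SECRET_NAME) is an assumption.
"""
import json
import re

# Parameter and property names that usually carry a credential.
SECRET_NAME = re.compile(r"password|passwd|secret|connectionstring|accountkey|sastoken", re.I)


def is_expression(value):
    """ARM template expressions are strings wrapped in [ ], e.g. "[parameters('adminPassword')]"."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def scan_template(template):
    """Flag secret-named parameters that are not securestring or have a defaultValue,
    and secret-named resource properties set to a literal rather than an expression."""
    findings = []
    for name, param in template.get("parameters", {}).items():
        if not SECRET_NAME.search(name):
            continue
        if param.get("type", "").lower() != "securestring":
            findings.append(f"parameters.{name}: type is {param.get('type')}, expected securestring")
        if "defaultValue" in param:
            findings.append(f"parameters.{name}: secret parameter has a defaultValue")

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}"
                if SECRET_NAME.search(key) and isinstance(value, str) and not is_expression(value):
                    findings.append(f"{child}: literal secret in template")
                else:
                    walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(template.get("resources", []), "resources")
    return findings


def scan_parameter_file(params):
    """Accept Key Vault references for secret parameters; flag inline values."""
    findings = []
    for name, entry in params.get("parameters", {}).items():
        if not SECRET_NAME.search(name):
            continue
        if "keyVault" in entry.get("reference", {}):
            continue  # resolved by Resource Manager at deploy time; nothing sensitive on disk
        if "value" in entry:
            findings.append(f"parameters.{name}: inline value, use a Key Vault reference")
    return findings


# Constructed template: a VM wired correctly to parameters, and an app setting with a pasted key.
TEMPLATE = json.loads("""{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {"type": "string"},
    "adminPassword": {"type": "securestring"},
    "dbPassword": {"type": "string", "defaultValue": "Summer2019!"}
  },
  "resources": [
    {"type": "Microsoft.Compute/virtualMachines", "name": "web01",
     "properties": {"osProfile": {
        "adminUsername": "[parameters('adminUsername')]",
        "adminPassword": "[parameters('adminPassword')]"}}},
    {"type": "Microsoft.Web/sites/config", "name": "api01/appsettings",
     "properties": {"StorageConnectionString":
        "DefaultEndpointsProtocol=https;AccountName=example;AccountKey=QUJDREVGMDEyMzQ1Njc4OQ=="}}
  ]
}""")

# Constructed parameters file: adminPassword comes from Key Vault, dbPassword is pasted inline.
PARAMETERS = json.loads("""{
  "parameters": {
    "adminUsername": {"value": "azureuser"},
    "adminPassword": {"reference": {
        "keyVault": {"id": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/rg-secrets/providers/Microsoft.KeyVault/vaults/kv-example"},
        "secretName": "vmAdminPassword"}},
    "dbPassword": {"value": "Summer2019!"}
  }
}""")

if __name__ == "__main__":
    for finding in scan_template(TEMPLATE) + scan_parameter_file(PARAMETERS):
        print(finding)
```

The scan reports `dbPassword` twice (wrong type and a default value), the pasted storage connection string in the app settings, and the inline `dbPassword` value in the parameters file, while the Key Vault reference for `adminPassword` passes. Running it as a pre-commit hook over `*.json` in the deployment repository catches the mistake before the file is ever pushed.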
Here are the tips that will help you avoid the above mistakes:
- Use Azure Key Vault to store passwords and certificates, and reference them from your templates instead of embedding them. Then nothing sensitive is exposed if configuration files or templates are accidentally copied to a public repository.
- Use Just-in-Time (JIT) access to virtual machines. JIT access allows you to keep administration ports closed and open them only upon a request of an administrator under predefined conditions.
- Configure Network Security Groups (NSGs), resource firewalls and a web application firewall. Distribute virtual machines across different NSGs according to their role and, for each NSG, open only the ports you need. For example, use an NSG for web servers with only ports 80 and 443 open, and another NSG for database servers with only the database port open (e.g., 3306 for MySQL), and only to the web tier rather than to the Internet.
- Install the Microsoft Antimalware (Windows Defender) extension on each virtual machine running Microsoft Windows. You can do this manually through the portal or at scale via Azure Policy.
- Configure the Windows Update policy. The update feed can be configured from the Azure portal.
- To protect databases, I recommend using Advanced Threat Protection and the database encryption features. Advanced Threat Protection detects SQL injection attempts and alerts you to suspicious activity and potential vulnerabilities in your database. Encryption at rest (Transparent Data Encryption) prevents attackers who obtain the database files or backups from reading the data; column-level encryption (Always Encrypted) additionally keeps sensitive columns unreadable to anyone who gains unauthorized access to the database itself.
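The JIT and NSG advice above comes down to one question per VM: can the Internet reach an administration port through the NSG? The script below is an added example, not code from the original article. It evaluates NSG rules the way the platform does (lower priority number wins, the default rules are evaluated last) and reports SSH, RDP, WinRM and common database ports whose first matching rule allows traffic from an Internet-wide source. The NSG is constructed in the shape of `az network nsg show` JSON, trimmed to the fields the check uses; the names and address ranges are assumptions. It deliberately checks only Internet-wide sources: a rule scoped to a single public IP, which is what JIT access creates for an administrator's request, passes, as does the bastion-scoped RDP rule in the sample.

```python
"""Audit an NSG for administration and database ports reachable from the Internet.

Added example, not code from the original article. The NSG below is a constructed
sample shaped like `az network nsg show` output, trimmed to the fields used;
names, priorities and address ranges are assumptions.
"""

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS",
                   1433: "MSSQL", 3306: "MySQL"}
# Source prefixes that mean "anyone on the Internet" in an NSG rule.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}


def port_in_range(port, spec):
    """spec is "*", a single port such as "22", or a range such as "5900-6000"."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-")
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_ports(props):
    # The JSON carries either destinationPortRanges (list) or destinationPortRange (string).
    return props.get("destinationPortRanges") or [props["destinationPortRange"]]


def rule_sources(props):
    return props.get("sourceAddressPrefixes") or [props["sourceAddressPrefix"]]


def first_matching_rule(rules, port):
    """Highest-priority inbound rule that applies to TCP traffic from the Internet to `port`."""
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["protocol"] not in ("*", "Tcp"):
            continue
        if not any(port_in_range(port, spec) for spec in rule_ports(p)):
            continue
        if not set(rule_sources(p)) & INTERNET_SOURCES:
            continue  # scoped to a VNet, a bastion subnet or a specific range, not the Internet
        return rule
    return None


def audit_nsg(nsg):
    """Return one finding per sensitive port whose first matching rule is an Allow."""
    rules = nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", [])
    findings = []
    for port, label in SENSITIVE_PORTS.items():
        rule = first_matching_rule(rules, port)
        if rule is not None and rule["properties"]["access"] == "Allow":
            findings.append(f"{label} ({port}) reachable from the Internet via rule "
                            f"'{rule['name']}' (priority {rule['properties']['priority']})")
    return findings


def make_rule(name, priority, access, protocol, source, ports):
    """Build a rule dict in the NSG JSON shape (helper for the constructed sample)."""
    props = {"priority": priority, "direction": "Inbound", "access": access,
             "protocol": protocol, "sourceAddressPrefix": source}
    if isinstance(ports, list):
        props["destinationPortRanges"] = ports
    else:
        props["destinationPortRange"] = ports
    return {"name": name, "properties": props}


# Constructed NSG for a web tier; the three default rules are the ones Azure adds to every NSG.
NSG = {
    "name": "nsg-web",
    "securityRules": [
        make_rule("allow-https", 100, "Allow", "Tcp", "Internet", ["80", "443"]),
        make_rule("allow-ssh-anywhere", 110, "Allow", "*", "*", "22"),              # open admin port
        make_rule("allow-rdp-bastion", 120, "Allow", "Tcp", "10.10.0.0/24", "3389"),  # scoped, fine
        make_rule("allow-mgmt-range", 130, "Allow", "Tcp", "Internet", "5900-6000"),  # hides WinRM
    ],
    "defaultSecurityRules": [
        make_rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
        make_rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
        make_rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
    ],
}

if __name__ == "__main__":
    for finding in audit_nsg(NSG):
        print(finding)
```

On the sample the audit reports SSH through the wide-open rule and both WinRM ports through the broad management range, while RDP is clean because its only Allow rule is limited to the bastion subnet and everything else falls through to DenyAllInBound. Removing the two offending rules, or replacing them with JIT-managed rules scoped to the requesting administrator's address, makes the audit return no findings.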
In this article, I shared common measures for securing your Azure environment that will help you avoid major security pitfalls. However, cybersecurity is dynamic and needs constant monitoring, since the number of exploitable holes inevitably grows with the increasing complexity of Azure-hosted systems. So your next step should be the timely detection of weaknesses in your cloud IT infrastructure via black-box or white-box penetration testing. And if you feel the need for assistance with a security assessment, just let me know.
Want to identify security loopholes in your systems before intruders do? Our security testing guards are here to help.