The capabilities of Microsoft Azure are vast, and companies everywhere are expanding their usage of the solutions available to expand their business. With the incredible ease of enabling cloud services quickly, companies often find themselves rapidly experiencing security challenges. Unfortunately, when companies discover these challenges too late, they can have catastrophic impacts.
Microsoft Azure is one of the top targeted cloud providers, and due to their success, attacks are increasingly frequent. But it’s not just up to Microsoft to prevent these attacks. Microsoft has shared security responsibility with their customers, so it’s on each company to hold up their end of the bargain and ensure they’re doing what they need to keep their environment secure.
There are five security pitfalls that 75% of customers experience within their first three years of leveraging Microsoft Azure. Let’s dive in:
Public Facing IPs
When PEI is brought in to perform our Azure Optimization Services, the first jaw drop we see is typically when we show them the amount of public facing IPs that exist in their environment. Often the IT team has no idea. This is likely because developers were some of the initial architects of their Azure environment. They built it with a developer’s approach as opposed to a network security architect’s approach.
Why does this matter? By exposing your resources to the internet, you’re unknowingly allowing anyone to access the data stored on those resources. Hundreds of millions of records have been leaked because of this exact issue over the past few years.
Luckily, there is a simple solution. Review your public facing IPs and determine if it’s absolutely necessary for them to remain. Then, rearchitect accordingly.
Access Control Challenges
There’s one major oversimplification I like to use with clients when talking about security: Attackers don’t break in, they log in. What this means is that protecting access to your environment is key. Not in building a giant wall and a moat filled with crocodiles, but rather controlling how many keys there are to the door, and ensuring the person using it is the person you gave a key.
Why does this matter? Access control issues can be huge depending on the company, and here are a few examples of issues that led to a security incident.
- Lack of MFA > Admin account compromised > Access granted to attacker
- Privileged access granted to user account (not admin account) > And user account compromised > Access granted to attacker
- User granted elevated rights needed to complete task > Elevated rights never revoked > User unknowingly gets account compromised
- 3rd Party Vendor needed rights to complete task > No MFA enabled as account was needed by multiple team members > 3rd party vendor account compromised > Access granted to attacker
Once again, Microsoft has tools available to prevent these issues from leading to disaster. Educate your team on Azure Role Based Access Control (RBAC) and Azure Attribute Based Access Control (ABAC) and setup a proper rights management process for your organization. Once this process is in place, routinely review to ensure that your access control policies are enforced.
Not using Azure Native Security Services – Monitoring and Logging
Every small team has more valuable tasks than constantly checking to see if instances are available and not experiencing a security incident. The most efficient use of time is to setup your Azure environment to tell you exactly when there’s a real issue, and better yet, automate the process for resolving that issue immediately upon detection.
How do we do this? By leveraging Azure Monitor and Microsoft Sentinel.
Azure Monitor provides visibility across your entire Azure environment, where you can automatically get platform metrics, activity logs, and diagnostics logs from most of your resources with no configuration. You can update the settings based on sensitivity for each instance, so you’re only getting informed on what you want, and minimize the noise associated with a high frequency of alerts.
Microsoft Sentinel is a security information event management (SIEM) and security orchestration automated response (SOAR) solution. This powerhouse solution gives you a single solution for attack detection, threat visibility, proactive hunting, and threat response. And we’ve seen SO MANY organizations that don’t leverage its capabilities. When deployed correctly, this is one of the most powerful tools to have against threats in Azure. Every organization should evaluate how they can leverage its capabilities for better protection.
The last Azure native service deserves its own section, so we’ll jump into that with number four.
Not using Defender for Cloud
Despite the fact that Microsoft’s marketing team takes the same approach to naming their security solutions that George Foreman takes when naming his children, the solutions themselves are actually incredibly comprehensive. Defender for Cloud is a cloud-native protection platform with a set of security practices and measures intended to protect cloud-based applications from various threats and vulnerabilities. Underneath the hood, Defender for Cloud is made up of many specific services (Defender for Storage, Defender for Servers, Defender for Key Vault, etc.), all of which are built to protect the specific workload they’re named for.
We’re all about architecting for simplicity, without compromising best practices for security. Microsoft Defender for Cloud services allows you to get the best protection for the specific services running in Azure, and with native integration for ease of management.
Log into your Azure Portal, search for and select Microsoft Defender for Cloud, go to Environment settings, and see if you currently have any Defender for Cloud services enabled.
Backing up WITHOUT Immutable vault
In the 101 class of systems administration, we know that for all valuable resources, we need them backed up. This serves multiple purposes, but in the event of an infection on the production instance, we need a healthy backup to restore from.
However, in the event of a security breach, the first thing attackers go for are the backups. This ensures that when they encrypt/steal information, the organization cannot rely on their backups as a mechanism for recovery. If the attacker was able to access the backups, we need a way to ensure that they cannot eliminate our ability to recover.
How do we accomplish this? Immutable vault for Azure Backup.
By leveraging Immutable backup, we’re protecting our backup data by blocking any operations that could lead to loss of recovery points. Additionally, we can lock the Immutable vault settings to make it irreversible to prevent any malicious actors—external or internal—from disabling immutability and deleting backups.
This is massively important. A major point we make when talking backup with clients; your backups are only as good as your restores. If you have valid backups, but can’t restore them, what good are they? Having Immutable backup ensures that they cannot be tampered with, so in the event that all other protections have failed, and a bad actor has access to your backups, you can still recover.
Do Your Part!
Like I stated earlier, it is not just up to Microsoft to keep your Azure environment protected. We walked through five of the most common security pitfalls that Azure customers experience, and there is an easy to access solution for each one. It’s up to you to take the next step towards securing your Azure environment.
If you have questions about Azure, or if you’d like some help getting your environment configured for security best practices, contact us! We’d be happy to setup a conversation with one of our Azure architects.
Martin Feehan, PEI
