Azure Security, Privacy, Compliance, And Trust Part 1

Ian Adera
4 min read · Jan 15, 2021

Azure Security

Security in the cloud is a shared responsibility between the cloud provider and the client. Clients are responsible for helping secure data and identities, on-premises resources, and the cloud components they control (which vary by service type: IaaS, PaaS, or SaaS).

The client retains responsibility for the following items:

  • Data
  • Endpoints
  • Accounts
  • Access management

Azure Security Center

This is a monitoring service that provides threat protection across all services, both on-premises and in Azure. It is available in two tiers:

Free — available as part of your Azure subscription; limited to assessments and recommendations.

Standard — the full suite of security-related services, including continuous monitoring.

Uses of Security Center

1. Incident response

Security Center supports the detect, assess, and diagnose stages of incident response.

Detect: Review the first indication of an event under investigation.

Assess: Perform the initial assessment to obtain more information about the suspicious activity.

Diagnose: Conduct a technical investigation and identify containment, mitigation, and workaround strategies.

2. Security recommendations

Reduce the chances of security vulnerability events by configuring a security policy. This policy defines a set of controls that are recommended for resources within the specified subscription.

Azure Identity and Access Services

In a physical data center, firewalls restricting access would be the primary protection. With the advent of the cloud, identity has become the new primary security boundary. That means proper authentication and assignment of access rights have become critical to cloud control and operations.

There are two components to Azure identity services:

Authentication

This is establishing the identity of a person or service looking to access a resource. It proves who the requester is before access to resources is granted.

Authorization

This establishes the level of access an authenticated person or service has. It defines what you can access as a user based on your permissions.

Azure Active Directory

This is a cloud-based identity and access management service for external and internal users. It can work alongside your existing on-premises Active Directory. Azure AD provides services such as:

  • Authentication
  • Single sign-on
  • Application management
  • Business-to-Business (B2B) identity services
  • Business-to-Customer (B2C) identity services
  • Device management

Azure Multi-Factor Authentication (MFA)

Requires two or more authentication methods. This provides additional security for your identities. These methods could include:

  • Password
  • Mobile Phone
  • Fingerprint

Single sign-on

Enables users to remember one ID and one password to access multiple applications. This reduces credential-related security risk.

Role-based Access control (RBAC)

Roles are sets of permissions, like “Read-only” or “Contributor”, that users can be granted in order to access an Azure service. An identity can be mapped to roles directly or through group membership. This provides much finer-grained permission control.

Privileged Identity Management

On top of managing Azure resource access with RBAC, you can use PIM to provide oversight of role assignments, self-service, and just-in-time role activation.
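To make the RBAC and PIM descriptions above concrete, here is an added example (not the author's code and not Azure's implementation) of a small resolver in Go: roles are permission sets, assignments bind a role to a user or group at a scope, an identity collects permissions directly and through its groups, and PIM-style eligible assignments grant nothing until activated. The permission strings, scope paths and names are constructed for illustration; the parent-scope inheritance mirrors how Azure RBAC assignments at a subscription or resource group apply to resources beneath them.

```go
package main

import (
	"strings"
	"time"
)

// Role names follow the page; the permission strings are a constructed
// simplification of Azure's action strings.
var roles = map[string][]string{
	"Reader":      {"read"},
	"Contributor": {"read", "write", "delete"},
}

// An Assignment binds a role to a principal (a user or a group) at a scope.
// Assignments at a parent scope apply to every child scope. Eligible
// assignments model PIM: they grant nothing until activated, and the
// activation expires at ActiveUntil (just-in-time access).
type Assignment struct {
	Principal, Role, Scope string
	Eligible               bool
	ActiveUntil            time.Time // zero value means never activated
}

// Identity is a user together with the groups it belongs to.
type Identity struct {
	Name   string
	Groups []string
}

// EffectivePermissions resolves what an identity may do on the resource at
// scope as of now, combining direct assignments with those inherited through
// group membership and honouring PIM-style activation windows.
func EffectivePermissions(id Identity, scope string, as []Assignment, now time.Time) map[string]bool {
	principals := map[string]bool{id.Name: true}
	for _, g := range id.Groups {
		principals[g] = true
	}
	perms := map[string]bool{}
	for _, a := range as {
		// Match on whole path segments so "/rg1" does not cover "/rg10".
		inScope := scope == a.Scope || strings.HasPrefix(scope, a.Scope+"/")
		if !principals[a.Principal] || !inScope {
			continue
		}
		if a.Eligible && !now.Before(a.ActiveUntil) {
			continue // eligible but not currently activated
		}
		for _, p := range roles[a.Role] {
			perms[p] = true
		}
	}
	return perms
}
```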

Providing identities to services

When a service needs to access an Azure resource, its credentials may end up in configuration files, and anyone who can access the system can easily get to those credentials.

Azure AD has two methods of addressing this:

  • Service principals
  • Managed identities

Service principals

This is an identity used by a service or application; it can be assigned roles.

Managed Identities

Encryption

This is a security measure where data is encoded or translated into unreadable form. To read encrypted data it must be decrypted, which requires the use of a secret key. There are two top-level types of encryption: symmetric and asymmetric.

Symmetric encryption

Uses the same key to encrypt and decrypt data.

Asymmetric encryption

Uses a public key and a private key. Either key can encrypt, but a single key can't decrypt data it encrypted itself. Asymmetric encryption is used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.
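The two schemes side by side, as an added example in Go using only the standard library (not the author's code): AES-256-GCM, where decryption only succeeds with the same key that encrypted, and RSA, where the public key encrypts and only the private key decrypts, while signing runs the other way (private key signs, public key verifies), which is the split TLS and data signing rely on. The sample keys and messages are constructed for the demo; in Azure the keys themselves would live in Key Vault.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newGCM(key []byte) cipher.AEAD { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	return gcm
}

// Symmetric: one shared key encrypts and decrypts. Decrypting with a different
// key (or altering the ciphertext) makes Open return an error instead of data.
func symmetricRoundTrip(encKey, decKey, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, 12) // fresh random nonce per message, sent with the ciphertext
	_, err := rand.Read(nonce)
	must(err)
	ct := newGCM(encKey).Seal(nil, nonce, plaintext, nil)
	return newGCM(decKey).Open(nil, nonce, ct, nil)
}

// Asymmetric (RSA-2048): the public key encrypts and only the private key can
// decrypt (OAEP); the private key signs and the public key verifies (PSS).
func asymmetricRoundTrip(plaintext []byte) (decrypted []byte, sigOK bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, plaintext, nil)
	must(err)
	decrypted, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	must(err)
	digest := sha256.Sum256(plaintext) // sign a hash of the data, not the data itself
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	must(err)
	sigOK = rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, digest[:], sig, nil) == nil
	return decrypted, sigOK
}
```

Calling symmetricRoundTrip with two different 32-byte keys returns an authentication error rather than plaintext, which is the "same key" property in action; asymmetricRoundTrip returns the recovered message and whether the signature verified.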

Encryption is applied in two ways:

Encryption at rest — When data is stored on a physical medium.

Encryption in transit — When data is actively moving across the network.

Encrypt raw storage

  • Azure Storage Encryption — Azure Blob Storage and Azure Files
  • Encrypt virtual machine disks — VHDs for VMs
  • Azure Disk Encryption -

Encrypt databases

Transparent data encryption (TDE) — Azure SQL Database and Azure Data Warehouse

Encrypt secrets

Keys that are used to encrypt and decrypt data need to be kept secure. To achieve this you use Azure Key Vault.

AKV is a central cloud service for storing your application secrets.

Azure Certificates

Certificates used in Azure are X.509 v3 and can be signed by a trusted certificate authority, or they can be self-signed. A self-signed certificate is signed by its own creator; therefore, it is not trusted by default. Most browsers can ignore this problem.

Types of certificates:

Service certificates are used for cloud services.

Management certificates are used for authenticating with the management API.

This is part of a series of blogs about understanding Microsoft Azure:

  1. Microsoft Azure
  2. Azure Management Tools
  3. Azure Compute
  4. Azure Network
  5. Azure Storage
  6. Azure Database
  7. Azure Security, Privacy, Compliance, And Trust Part 1 (you are here)
  8. Azure Security, Privacy, Compliance, And Trust Part 2
