Azure Security, Privacy, Compliance, And Trust Part 2

Ian Adera
5 min read · Mar 26, 2021


Azure Security Tools and Features

Security tools play a big role in securing your data from malicious attackers and unauthorized persons.

Secure Foundation

State-of-the-art security in Azure data centers around the world integrates security controls into Azure hardware and firmware components and provides protection against threats such as DDoS.

Simplify Security with Built-in Services

Easily manage identity and control access to secure your network, safeguard data, manage secrets and certificates, prevent attacks, and gain centralized visibility.

Detect Threats Early with Unique Intelligence

Identify new threats and respond quickly with services that are informed by real-time global cybersecurity intelligence.

Security Tools

These are tools that let us look into the Azure environment and analyze any faults.

Azure Security Center

A security management system for both cloud and on-premises workloads. It evaluates the security posture of current resources, provides prevention recommendations, and raises threat detection alerts.

— Protects Azure and non-Azure servers and virtual machines; this includes Windows and Linux servers once the Microsoft Monitoring Agent is installed.

— Events collected from Azure and the agents are sent to the security analytics engine, which provides threat detection alerts and tailored recommendations for securing workloads.

— Azure PaaS services, including SQL databases and storage accounts, are automatically monitored and protected by Azure Security Center.

Azure Key Vault

This is a central repository for storing application secrets, such as tokens, passwords, and certificates. Key Vault also helps create and control encryption keys. In addition, it supports certificate management: provisioning, managing, and deploying public and private SSL/TLS certificates. Lastly, it can store secrets backed by hardware security modules (HSMs).

Azure Information Protection(AIP)

If you have an Azure Active Directory Premium stock-keeping unit (SKU), you have access to Azure Information Protection. AIP organizes and classifies documents and emails using classification labels. This is done automatically when you create a rule. You can enforce policies on classified data, e.g. require credit card numbers to be encrypted, and the policies can be applied retroactively to existing documents and emails.
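To show what an automatic classification rule of this kind does under the hood, here is a small Python model written for this post. It is an added example, not AIP code: it scans a document for credit card numbers (a digit run of plausible length that also passes the Luhn check digit test, which is what keeps order numbers and phone numbers from being labelled), applies a sensitivity label, and records the policy action the label carries. The label names, the policy table and the sample documents are constructed for illustration.

```python
"""Simplified model of an automatic classification rule: find credit card
numbers in a document, label it, and record the policy action (encrypt).

Added example; not Azure Information Protection code. Label names, the
policy table and the sample documents are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit-only card numbers in text that pass the Luhn check.

    A 13-19 digit run alone is not enough evidence: order numbers and phone
    numbers look similar, so the check digit is used to cut false positives.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed label -> policy table, modelled on "require credit card
# numbers to be encrypted".
POLICY = {
    "Public": {"encrypt": False},
    "Confidential": {"encrypt": True},
}


@dataclass
class Classification:
    label: str
    encrypt: bool
    evidence: list[str] = field(default_factory=list)


def classify(text: str) -> Classification:
    """Apply the rule: any Luhn-valid card number -> Confidential + encrypt."""
    cards = find_card_numbers(text)
    if cards:
        # Keep only masked evidence so the classification record itself
        # does not become another copy of the sensitive data.
        masked = ["*" * (len(c) - 4) + c[-4:] for c in cards]
        return Classification("Confidential", POLICY["Confidential"]["encrypt"], masked)
    return Classification("Public", POLICY["Public"]["encrypt"])


if __name__ == "__main__":
    # Constructed sample documents; 4111 1111 1111 1111 is a well-known test PAN.
    docs = {
        "invoice.txt": "Paid with card 4111 1111 1111 1111, ref 2021-0326.",
        "newsletter.txt": "Call us on 555 0100 or order item 1234567890123.",
    }
    for name, body in docs.items():
        c = classify(body)
        print(f"{name}: label={c.label} encrypt={c.encrypt} evidence={c.evidence}")
```

The newsletter contains a 13-digit order number that the length check alone would flag; it fails the Luhn test and the document stays Public, which is the kind of false positive a production classifier has to avoid before an encryption policy is enforced on it.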

Azure Advanced Threat Protection (ATP)

This is available in the Premium SKU. ATP identifies compromised identities, identifies and detects advanced threats, identifies malicious insider actions, and identifies malicious attacks.

Network Security

Securing your network against attacks and unauthorized access is an important part of any architecture. By securing a network we make sure resources are protected.

Network layered approach

It’s paramount to secure not only the perimeter of a network but also the traffic between services. A layered network approach provides multiple levels of protection, so that if an attacker gets through one layer there are further protections in place to limit the attack.

Defense in Depth Model

Viewed from the bottom up (1–7):

7. Data

6. Apps

5. Compute

4. Network

3. Perimeter

2. Identity and access

1. Physical Security

Each layer is isolated; an attacker has to get past a layer before reaching the one above it.

Inbound traffic at the perimeter level can be protected using:

Azure DDoS Protection

Distributed denial of service (DDoS) attacks are typically carried out by bots. Microsoft enables the Basic SKU by default; if you need more protection you can extend it to your VNet resources. Azure DDoS Protection has two main tiers:

Basic — This is a default feature in Azure and provides real-time mitigation.

Standard — Provides additional mitigation capabilities through policies that target virtual network services such as Azure Load Balancer and Application Gateway.

Types of DDoS attacks:

  • Volumetric attacks
  • Protocol attacks
  • Resource (application) layer attacks

Azure Firewall

This is a stateful firewall, meaning it tracks the state of active connections to decide whether a packet is allowed to pass; this is more secure than a stateless firewall. We can use the firewall to control access to Azure apps and resources by allowing or denying traffic, and it filters both inbound and outbound traffic. Azure Firewall protects our resources by letting us create and enforce policies, which can be centralized and enforced across multiple virtual networks or even across multiple subscriptions. Azure Firewall rules can be configured using fully qualified domain names (FQDNs), or as network rules that specify source address, protocol, destination port, and destination address.

Azure Application Gateway

This is a load balancer with a Web Application Firewall (WAF) that protects against common known vulnerabilities in web applications.

Controlling the traffic inside your virtual network

Network Virtual Appliances (NVAs)

These are an ideal option for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances.

Network Security Groups(NSGs)

NSGs allow or deny network traffic to and from resources in an Azure VNet subnet, which is important for restricting unnecessary communication. Each NSG has the following properties regardless of where it is associated:

  • Name for the NSG
  • The Azure region where the NSG is located
  • Resource group
  • Rules, either inbound or outbound, defining what traffic is allowed or denied

Network Security Group Rules

Rules are processed in priority order; lower numbers are processed first, and the first matching rule decides whether the traffic is allowed or denied.

Application Security Group(ASG)

Application Security Groups group virtual machines across virtual networks. This lets us filter traffic to the virtual machines in the security group rather than to the network, so we can segment virtual machines based on the application.
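To make the two points above concrete, that NSG rules run in priority order with the lowest number first and the first match deciding, and that a rule can name an Application Security Group instead of an address range, here is a small evaluator written for this post. It is an added example and not Azure's implementation: the rule names, the ASG membership table, the sample packets, and the reduction of the VirtualNetwork and Internet service tags to plain CIDRs are constructed assumptions so the code runs offline. The 65000 and 65500 default rules written out at the end are the ones Azure attaches to every NSG.

```python
"""Simplified evaluator for Network Security Group rules.

Added example, not Azure's implementation. It models two points: rules are
processed in priority order (lowest number first, first match wins), and a
rule may address an Application Security Group instead of an IP range.
Rule names, ASG membership and the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed ASG membership: ASG name -> private IPs of member NICs.
ASG_MEMBERS = {
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-db": {"10.0.2.4"},
}

# Service tags reduced to a single CIDR so the example runs offline.
SERVICE_TAGS = {
    "VirtualNetwork": "10.0.0.0/16",
    "Internet": "0.0.0.0/0",
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100-4096 for custom rules; 65000+ reserved for defaults
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    source: str            # CIDR, service tag, ASG name or "*"
    dest: str              # CIDR, service tag, ASG name or "*"
    dest_port: str         # single port, "from-to" range or "*"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def ip_matches(spec: str, ip: str) -> bool:
    """Match an address against '*', a service tag, an ASG name or a CIDR."""
    if spec == "*":
        return True
    if spec in ASG_MEMBERS:                      # ASG: membership, not a range
        return ip in ASG_MEMBERS[spec]
    spec = SERVICE_TAGS.get(spec, spec)          # tag -> CIDR, else literal CIDR
    return ip_address(ip) in ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("*", pkt.protocol)
            and ip_matches(rule.source, pkt.src_ip)
            and ip_matches(rule.dest, pkt.dst_ip)
            and port_matches(rule.dest_port, pkt.dst_port))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order.

    Sorting by priority is what makes "lower numbers are processed first"
    hold regardless of the order the rules were written in.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.access, rule.name
    raise ValueError("no rule matched; a real NSG always ends in DenyAllInBound")


# Constructed rule set; the 65000+ rules are the defaults Azure adds to every
# NSG, written out here so the fall-through is visible.
RULES = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "asg-web", "443"),
    Rule("AllowWebToSql", 200, "Inbound", "Allow", "Tcp", "asg-web", "asg-db", "1433"),
    Rule("DenyVnetToSql", 300, "Inbound", "Deny", "*", "VirtualNetwork", "asg-db", "*"),
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    samples = [
        Packet("Inbound", "Tcp", "203.0.113.9", "10.0.1.4", 443),   # Internet to web tier
        Packet("Inbound", "Tcp", "10.0.1.4", "10.0.2.4", 1433),     # web tier to SQL
        Packet("Inbound", "Tcp", "10.0.3.7", "10.0.2.4", 1433),     # other VNet host to SQL
        Packet("Inbound", "Tcp", "203.0.113.9", "10.0.2.4", 1433),  # Internet to SQL
    ]
    for p in samples:
        print(f"{p.src_ip} -> {p.dst_ip}:{p.dst_port}", evaluate(RULES, p))
```

The third packet is the instructive one: without the explicit Deny at priority 300, the default AllowVnetInBound rule at 65000 would let any host in the VNet reach the database tier. Because 300 is processed before 65000, the narrower rule wins, which is exactly how the bare-minimum connectivity recommended later in this post is enforced.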

Choosing an Azure Security Solution

Isolation

Use different virtual networks or virtual network subnets to segment your network or isolate resources when required.

Principle of Least Privilege

Limit each user's access rights to the bare minimum permissions they need to perform their work.

Use NSGs for Bare Minimum Network Connectivity

Use Network Security Groups (NSGs) to enforce rules allowing only the minimum network access needed.

Use Azure Firewall and Azure DDoS Protection

Use Azure Firewall and Azure DDoS Protection to protect your resources and prevent large unanticipated costs.

This is part of a series of blogs about understanding Microsoft Azure:

  1. Microsoft Azure
  2. Azure Management Tools
  3. Azure Compute
  4. Azure Network
  5. Azure Storage
  6. Azure Database
  7. Azure Security, Privacy, Compliance, And Trust Part 1
  8. Azure Security, Privacy, Compliance, And Trust Part 2 < You are Here
