Security is one of the most important components of any architecture. The assurances it provides span the width of data confidentiality, integrity, and availability. However, the demands of today’s sprawling cloud architecture are making it increasingly difficult to keep safe from attacks and abuse. The increasing strain this places on security staff has visible effects not just on an overstretched workforce – but also on the integrity of customer data.

At the same time, attacks are only increasing in complexity and impact. As an identity provider, Azure sits at a critical point in your organization’s security offering. Best practices are no longer suggestions – they are vital tools for every cloud customer.

Identity is today’s security perimeter

Remote work has exploded the traditional network perimeter: identity represents today’s new true perimeter. Keeping a handle on end-user identity requires a new approach that highlights accessibility and clarity.

Centralize identity management

In hybrid setups, it is strongly advised to integrate your on-premises and cloud directories. This integration allows your IT team to efficiently manage user accounts from a centralized location, regardless of where the accounts are created. Moreover, integrating the directories enhances user productivity by offering a unified identity for accessing both cloud-based and on-premises resources.

This approach can be replicated across all architectures by using a single Azure Active Directory (Azure AD) instance. Azure AD extends on-premises Active Directory to the cloud, allowing users to utilize their primary work or school account for domain-joined devices, company resources, and various web and SaaS applications essential for their tasks.

By doing so, users are relieved from the burden of managing multiple sets of usernames and passwords. Furthermore, access can be provisioned or deprovisioned automatically, based on the user’s organization group memberships and employment status. This provides a consistent, sole authoritative source, helping reduce security risks stemming from human errors and configuration complexities.

Manage connected tenants

Production environments are busy, humdrum with innovation. Proper visibility is essential to addressing the fact that production environments are also the most vulnerable areas of any organization. In order to assess risk and ensure compliance with organizational policies and regulatory requirements, your security team needs visibility into all subscriptions associated with your production environment and network, regardless of whether they are connected via Azure ExpressRoute or site-to-site VPN.

To establish this visibility, Azure AD’s Global Admin User can elevate their access to the User Access Administrator role. This grants them the privileges to view every subscription and managed group that is currently linked to your environment. This elevated access enables security to monitor and oversee your enterprise’s entire infrastructure.

Turn on conditional access

In today’s dynamic work environment, users have the flexibility to access organizational resources using various devices and applications, regardless of their location. As an IT administrator, it’s essential to ensure that these devices meet the required security and compliance standards. Merely focusing on who accesses what resource is no longer sufficient.

To strike the right balance between security and productivity, consider how a resource is accessed before making decisions about access control. This is where Azure AD’s Conditional Access comes into play. With Conditional Access, you can automate access control decisions based on specific conditions for accessing your cloud applications. After you’ve defined user groups, locations, and application sensitivity for both Software as a Service (SaaS) applications and Azure AD-connected apps, access controls are granted on context.

Plan for routine security improvements

Security is an ever-evolving aspect of cloud and identity management. Keeping abreast of attacks demands a mechanism within your framework to consistently demonstrate progress and explore new ways to enhance the security of your environment.

To aid in this endeavor, Microsoft offers the Identity Secure Score, which comprises a set of recommended security controls. This feature provides you with a numeric score, enabling you to objectively assess your security posture and chart a course for future security enhancements. Additionally, you can compare your score with those from other industries and track your own progress over time.

Enable password management

To prevent abuse and enhance security when dealing with multiple tenants or enabling user password resets, implement self-service password reset (SSPR) for your users using Azure AD’s self-service password reset feature.

It’s not enough to just offer this option, however: users need to prioritize their own security. You can monitor the usage of SSPR with the Azure AD Password Reset Registration Activity report. This offers prebuilt reports to track user registrations and address any questions about SSPR usage.

Use role-based access control

Assigning specific Azure functions to designated groups or individual roles is vital for avoiding some of the worst cloud confusion. This designation helps maintain clarity and ensures that access is limited based on the principles of “need to know” and “least privilege.”

Roles and groups offer streamlined ways to segregate duties and provide users with the precise level of access required to fulfill their job responsibilities. Avoid granting unrestricted permissions in your Azure subscription or resources, and instead, allow specific actions only at the appropriate scope. To implement this approach, utilize Azure’s built-in roles to assign privileges to users.

Lower privileged accounts exposure

Privileged accounts have significant control over IT systems; this makes them prime targets for cyber attackers. Isolating these accounts and systems, therefore, helps mitigate the risk of exposure to malicious users.

Azure AD Privileged Identity Management (PIM) provides notification emails for privileged access role changes, offering early warnings when highly privileged roles are modified in your directory.

Furthermore, separating admin accounts for administrative tasks can minimize the risk of phishing and other attacks. Create a dedicated admin account assigned the necessary privileges solely for administrative duties. Restrict the use of these accounts for daily productivity tools like Microsoft 365 email or arbitrary web browsing, thereby enhancing security.

Control locations where resources are created

To ensure control over the locations where resources are created, Azure Resource Manager provides the means to create security policies that define actions or resources to be explicitly denied. These policy definitions can be assigned at various scopes, such as the subscription, resource group, or individual resource. By implementing these security policies, organizations can enforce strict access controls and maintain the integrity of their cloud environment.

Use Azure AD for storage authentication

Azure Storage provides authentication and authorization capabilities with Azure AD for Blob storage and Queue storage. By leveraging Azure AD authentication, you can utilize Azure role-based access control (RBAC) to grant precise permissions to users, groups, and applications at the level of an individual blob container or queue. This granular control ensures secure access management, allowing fine-tuned permissions for different resources based on the specific needs of your applications and users.

Application and workload best practices

In most infrastructure as a service (IaaS) scenarios, Azure virtual machines (VMs) offer the main cloud computing power. These VMs handle broad swathes of mission-critical information, and therefore need particularly strict protection.

Control VM access

Azure policies offer ways to establish resource conventions and customized policies within your organization. These policies can be applied across various resources, including resource groups; VMs that are associated with a resource group will inherit the policies assigned to it.

Management groups offer significantly higher-scope management of access, policies, and compliance across large quantities of compute resources. By organizing subscriptions into management groups and applying governance conditions to those groups, you can ensure that all subscriptions within a management group automatically inherit the applied conditions.

Gain visibility into your VM setup and deployment

Azure Resource Manager templates bolster your deployment practices by enhancing the clarity and inventory management of VMs in your environment. This approach streamlines deployment workflows, reduces errors, and facilitates efficient management of your VM infrastructure.

Secure privileged access

Granting users the ability to access and set up VMs in Azure is vital for widespread, sustained productivity. However, supporting privileged access demands the responsible application of the following built-in Azure roles:

• Virtual Machine Contributor: This role allows users to manage VMs, but not the associated virtual network or storage account.
• Classic Virtual Machine Contributor: This user is permitted to manage VMs created using the classic deployment model, but not the linked virtual network or storage account.
• Security Admin: This higher-authority user can view and edit security policies, security states, and recommendations.
• DevTest Labs User:This user has the highest degree of privilege, permitted to view all relevant information, connect to VMs, and perform actions like starting, restarting, and shut down.

By assigning the appropriate roles to users, you can effectively limit their access to VMs in accordance to least privilege.

Use multiple VMs

Critical applications need high availability: for such instances, it is highly recommended to employ multiple VMs. For improved availability, utilize either an availability set or availability zones.

By implementing these features, you can distribute your VMs across different fault domains or availability zones, reducing the risk of downtime due to hardware or datacenter failures. This setup enhances the resilience of your applications and ensures continuous operation even in the face of unexpected disruptions.

Network controls

While specific instances and devices are kept under close guard, it’s similarly important to maintain such protection throughout the lifespan of each resource – no matter where it is in your broader network.

Use strong network controls

Azure VMs and appliances can be connected to via Azure virtual networks. This connection is established by attaching virtual network interface cards (NICs) to the virtual network, enabling TCP/IP-based communications between network-enabled devices.

Once the VMs are connected to an Azure virtual network, they gain the ability to communicate with devices within the same virtual network, devices in different virtual networks, the internet, and even devices in your on-premises networks. This flexibility allows for seamless and secure connectivity across various network environments, empowering your Azure resources to interact with the broader network ecosystem as needed.

However, virtual networks that carry highly sensitive information no longer need to be exposed to the public internet. Azure Private Link offers a way to secure critical service resources by routing all traffic through the Microsoft Azure network. Instead of the entire service, a private endpoint is mapped only to the required instance of a resource. Use this to protect critical networks.

Use dedicated WAN links

In many hybrid IT scenarios, certain service components operate in Azure, while others remain on-premises. To establish connectivity between on-premises networks and Azure virtual networks, cross-premises connectivity is required. Two available solutions for cross-premises connectivity are:

• Site-to-site VPN: A reliable technology that connects over the internet; however, bandwidth is limited to approximately 1.25 Gbps.
• Azure ExpressRoute: ExpressRoute enables you to extend your on-premises networks to the Microsoft Cloud through a private connection provided by a connectivity provider. This dedicated WAN link allows you to connect to Microsoft cloud services like Azure, Microsoft 365, and Dynamics 365. This prevents enterprise data from traversing the internet, minimizing potential risk.

Jump-start your approach to the cloud today

Cloud services have grown to the point that their configuration options are 10 times, or even 100 times, the scale of their on-premises equivalents. As a result, security leaders are often overwhelmed by where to even start.

Automation has already proven itself one of today’s leading cloud levelers. By first establishing a governance strategy of excellence, organizations can begin reforming their Azure security practices with adept, policy-compliant automation. With this in place, security teams are finally granted the ability to address the wider picture of their cloud security.