The following article was written by Chris Mihm, Director of Managed Cloud Services at Align, as part of Align’s National Cyber
Microsoft Azure makes it simple to deploy IaaS resources in the public cloud. As a result, it becomes easy to forget, or even bypass, best practices for securing your Azure IaaS resources. The following are common best practices to apply when deploying Azure resources through the Azure Resource Manager (ARM) portal. Specific use cases will sometimes dictate deviations, but for most deployments these hold up.
Virtual Private Network
Creating a Site-to-Site (S2S) VPN connection between your on-premises network and your Virtual Network in Azure provides a secure, dedicated IPsec tunnel for communication. With a Site-to-Site VPN connection in place, you can remove the specified public access entirely and simply connect via the internal ports, as you would with any other machine on your internal network. Another option is a Point-to-Site (P2S) VPN connection, which establishes a secure connection directly from a computer to the Virtual Network without having to acquire and configure a VPN device, as a Site-to-Site VPN connection requires. Both S2S and P2S are great ways to reduce external threats by removing public-facing access. See Create a Site-to-Site connection in the Azure portal for setting up and configuring an S2S VPN connection. Additionally, see Configure a Point-to-Site connection to configure a P2S VPN connection.
ExpressRoute creates private connections between Azure datacenters and either on-premises infrastructure or in a co-location
A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated with subnets and with individual network interfaces attached to VMs (Resource Manager). When you deploy a virtual machine, a default NSG is created with one inbound security rule to allow VM management. The VM is initially configured with a public IP. It is recommended to dissociate the public IP in the Azure Resource Manager (ARM) portal in order to remove public-facing access to the VM. This is a great way to reduce external threats.
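As an added example (not from the article or from Microsoft), the check below evaluates an NSG's inbound rules the way Azure does, in priority order with the first match winning, reports whether SSH or RDP is reachable from an arbitrary Internet address, and then produces the hardened counterpart whose management rule admits only an on-premises range. The JSON shape follows what `az network nsg show` returns; the sample rule, the 10.50.0.0/16 range and the probe address are constructed.

```python
"""Audit an Azure NSG (ARM JSON, as `az network nsg show` returns it) for management ports open to the Internet."""
import ipaddress
import json
# Constructed sample: the one inbound rule the portal creates to allow VM management.
SAMPLE_NSG = json.loads('''{"securityRules": [
  {"name": "default-allow-rdp", "properties": {"priority": 1000, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
   "destinationPortRange": "3389"}}]}''')
# Azure's built-in catch-all deny; the lowest priority number wins and the first match ends evaluation.
DEFAULT_INBOUND = [{"name": "DenyAllInBound", "properties": {
    "priority": 65500, "direction": "Inbound", "access": "Deny", "protocol": "*",
    "sourceAddressPrefix": "*", "destinationPortRange": "*"}}]

def port_matches(props, port):
    for spec in props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]:
        lo, _, hi = spec.partition("-")  # "*", a single port, or "lo-hi"
        if spec == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def source_matches(props, src_ip):
    """The probe sits outside the VNet: '*' and Internet match it, a CIDR matches if it contains it."""
    for prefix in props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]:
        try:
            if prefix in ("*", "Internet") or ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:  # a service tag such as VirtualNetwork, which does not cover an outside probe
            pass
    return False

def evaluate_inbound(nsg, src_ip, port, protocol="Tcp"):
    """(access, rule name) of the first inbound rule matching the probe, in priority order."""
    for rule in sorted(nsg["securityRules"] + DEFAULT_INBOUND, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if (p["direction"] == "Inbound" and p["protocol"].lower() in ("*", protocol.lower())
                and source_matches(p, src_ip) and port_matches(p, port)):
            return p["access"], rule["name"]

def exposed_management_ports(nsg, probe_ip="198.51.100.7"):
    """SSH/RDP ports an arbitrary Internet host (constructed probe address) can reach, keyed to the allowing rule."""
    verdicts = {port: evaluate_inbound(nsg, probe_ip, port) for port in (22, 3389)}
    return {port: name for port, (access, name) in verdicts.items() if access == "Allow"}

def restrict_rule_source(nsg, rule_name, cidr):
    """Hardened copy: limit one rule's source to e.g. the on-premises range reached over the S2S VPN."""
    hardened = json.loads(json.dumps(nsg))
    for rule in hardened["securityRules"]:
        if rule["name"] == rule_name:
            rule["properties"].update(sourceAddressPrefix=cidr, sourceAddressPrefixes=[])
    return hardened
```

Run `exposed_management_ports` against the portal-created NSG and against `restrict_rule_source(SAMPLE_NSG, "default-allow-rdp", "10.50.0.0/16")` to see RDP go from Internet-reachable to reachable only from the VPN-connected range.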
When provisioning and accessing resources in Azure, users are required to authenticate. Enforce complex usernames and passwords for your VMs. Azure requires passwords to be between 12 and 123 characters long and to contain 3 of the following: a lowercase character, an uppercase character, a number and a special character. In addition to strong passwords, it is good practice to enforce multi-factor authentication, which adds a second layer of security to user sign-ins. This reduces the likelihood that compromised credentials will give access to an organization’s data.
Azure Security Center provides unified security management and advanced threat protection for workloads running in Azure, on-premises, and in other clouds. It delivers visibility and control over hybrid cloud workloads, active defenses that reduce your exposure to threats, and intelligent detection, with active threat monitoring and security alerts, to help you keep pace with rapidly evolving cyberattacks.
Security Center is offered in two tiers:
For more information on Azure Security Center, see Introduction to Azure Security Center.
For many organizations, data encryption at rest is a mandatory step towards data privacy, compliance and data sovereignty. Azure Disk Encryption enables IT administrators to encrypt Windows and Linux IaaS Virtual Machine disks. Azure Disk Encryption protects and safeguards data to meet organizational security and compliance requirements. Encryption mitigates risks related to unauthorized data access. Organizations that do not enforce data encryption are more likely to be exposed to data integrity issues, such as malicious or rogue users stealing data and compromised accounts gaining unauthorized access to unencrypted data. For more information, see Azure Data Security and Encryption Best Practices.
In addition to the above recommendations, numerous other methods are available to secure Azure IaaS resources. For more information about our services, contact info@align.com or visit www.aligncybersecurity.com and www.align.com.