Jun 09 2024
Improving your Azure security posture
Securing the cloud infrastructure is a critical activity for any organization, yet it is also one of those activities that often get overlooked or pushed down the backlog. Improving your Azure security posture is a necessary requirement for securing your products, data, and business reputation. It is also a necessary step towards any organizational certifications you might need, such as ISO, SOC, etc. In this article, I will elaborate on the initial steps you can take to improve your Azure security posture and prepare for a security audit.
Initial actions
Here are two initial steps you can take to significantly improve the security of your Azure cloud.
Review the recommendations of Azure Security Center
The easiest step you can take towards improving your Azure security posture is to visit Azure Security Center and check its recommendations. Azure Security Center is a security management tool that provides recommendations for fixing security issues in your Azure cloud. These recommendations are based on the resources you have and the configuration you have in place. It also classifies the recommendations by severity level, giving you a clear indication of what you need to act on first. Azure Security Center comes with a free 30-day trial. By fixing the issues identified in Azure Security Center, you already take a significant step towards improving the security of your Azure cloud infrastructure.
Implement defense in depth
Cloud security can be significantly improved if you implement defense in depth to minimize the potential attack surface. The idea behind defense in depth is that you implement security at every place and level you can, not only at the external entry points to your infrastructure. By implementing security at various levels, you minimize the attack surface of a potential security threat and contain the damage as much as possible. Here are some actions you can take to improve your cloud infrastructure security:
- Protect your incoming traffic with a firewall. Ideally, leave no resource directly accessible from the internet without protecting it with a firewall. Use services like Azure Front Door with WAF as a first line of defense and for traffic filtering. Keep the number of openly accessible resources as limited as possible.
- Structure your network infrastructure. Do not leave all your resources in a one-VNet, one-subnet configuration. If you can, split your network by implementing a hub-spoke network topology. If this is not possible in your situation, at least separate the resources that need to be exposed to the internet (e.g. web apps, APIs, etc.) from those that usually do not (e.g. databases, storage, etc.) and put them into different subnets. Then implement network security groups to regulate the traffic, i.e. who can talk to whom. This way, you will minimize the attack surface and make an attack more difficult.
- Apply the least privilege principle everywhere. If something doesn't work, it will come to your attention, but if a service is more open than needed, it is very likely that nobody will notice. Some actions you can take are:
  - Assign the least privileges to resources as well as human users. Then assign more privileges only if needed.
  - In your network, block all traffic first and then allow what is needed. Do the same for firewalls.
  - In your VMs and containers, block all ports first, then open only the ones that are needed.
- Store your secrets in Key Vault. Those API keys, passwords, etc. should all be stored in Azure Key Vault, which keeps them encrypted. Ideally, these secrets should be fetched dynamically by workloads and not stored in local configuration files at all. By eliminating secrets from your config files, you also eliminate the risk of them being accidentally committed to a source control repo or leaked somewhere else.
- Encrypt your data, at rest as well as in transit. Configure your infrastructure to:
  - Use disk encryption.
  - Use HTTPS and secure communication everywhere possible.
  - Exclude sensitive data from logs (e.g. passwords and connection strings).
- Use Azure Managed Identities. Link all your Azure resources to managed identities and assign access privileges by identity. This way, you minimize the need for secrets: e.g. your web app should connect to a database using managed identity authorization and not a username/password.
- Organize access based on user groups, not individual assignments. When assigning permissions to users on Azure resources, instead of quickly assigning the privileges directly to the user, have proper Microsoft Entra ID groups in place, assign privileges to the group and then assign people to the groups. This way, it will be easier to manage access when people join or leave your organization.
This is of course by no means a complete list of actions you can take, but if you implement at least these, you will have a relatively good security posture.
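The network items above ("block all traffic first, then allow what is needed", expose only what must be exposed) are easy to state and easy to drift away from as rules accumulate. The following script is an added example, not code from the article: it takes an NSG rule set shaped like the output of `az network nsg rule list -o json` (the rules below are constructed), evaluates the rules the way Azure does (priority order, first match wins, platform default deny) and reports which management or database ports an internet source can still reach. The sensitive-port list and the "internet" source prefixes are assumptions for the example.

```python
"""Audit an NSG rule set for inbound exposure from the internet.

Added example, not code from the article. Input shape mimics
`az network nsg rule list -o json`; the sample rules are constructed.
"""
from dataclasses import dataclass

# Ports that should never be reachable directly from the internet. This set is
# an assumption for the example; extend it to match your workloads.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "SQL Server",
                   3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}
# Source prefixes that mean "anyone on the internet" in an NSG rule.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}


@dataclass
class Rule:
    name: str
    priority: int
    direction: str   # "inbound" / "outbound"
    access: str      # "allow" / "deny"
    sources: list    # lower-cased source prefixes
    dest_ports: list # port specs such as "*", "443", "3000-4000"


def parse_rules(raw):
    """Normalize rule dicts (singular or plural address/port fields) and sort by priority."""
    rules = []
    for r in raw:
        sources = r.get("sourceAddressPrefixes") or [r.get("sourceAddressPrefix", "*")]
        ports = r.get("destinationPortRanges") or [r.get("destinationPortRange", "*")]
        rules.append(Rule(r["name"], int(r["priority"]), r["direction"].lower(),
                          r["access"].lower(), [s.lower() for s in sources],
                          [str(p) for p in ports]))
    return sorted(rules, key=lambda x: x.priority)  # lower number = evaluated first


def port_in_range(port, spec):
    """True if `port` falls inside an NSG port spec such as '*', '443' or '3000-4000'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def has_default_deny(rules):
    """True if an inbound deny-all rule exists (Azure's DenyAllInBound or your own)."""
    return any(r.direction == "inbound" and r.access == "deny"
               and "*" in r.sources and "*" in r.dest_ports for r in rules)


def internet_exposed_ports(rules, ports=SENSITIVE_PORTS):
    """Map each sensitive port to the rule that lets the internet reach it.

    NSG semantics: rules are evaluated in priority order and the first match
    decides, allow or deny. Traffic matching no rule is denied by default.
    """
    findings = {}
    inbound = [r for r in rules if r.direction == "inbound"]
    for port in ports:
        for r in inbound:
            from_internet = any(s in INTERNET_SOURCES for s in r.sources)
            hits_port = any(port_in_range(port, p) for p in r.dest_ports)
            if from_internet and hits_port:
                if r.access == "allow":
                    findings[port] = r.name
                break  # first matching rule decides; stop evaluating
    return findings


# Constructed sample, shaped like `az network nsg rule list -o json`.
SAMPLE_RULES = [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "allow-ssh-anywhere", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "allow-sql-from-vnet", "priority": 120, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.0.0/16", "destinationPortRange": "1433"},
    {"name": "allow-app-range", "priority": 130, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefixes": ["*"], "destinationPortRanges": ["3000-4000"]},
    {"name": "allow-all-outbound", "priority": 200, "direction": "Outbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def main():
    rules = parse_rules(SAMPLE_RULES)
    if not has_default_deny(rules):
        print("WARNING: no inbound deny-all rule; add one before opening specific ports")
    for port, rule in sorted(internet_exposed_ports(rules).items()):
        print(f"{SENSITIVE_PORTS[port]} (tcp/{port}) is reachable from the internet via rule '{rule}'")


if __name__ == "__main__":
    main()
```

On the sample the script flags SSH (an explicit rule) and RDP and MySQL (swallowed by a wide "3000-4000" application range), while SQL Server is not flagged because its allow rule only matches a VNet source and the deny-all catches the internet. The wide-range finding is the one that review by eye tends to miss.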
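The last two items (managed identities instead of secrets, groups instead of individual assignments) can be checked against the role assignments you actually have. This is an added example, not code from the article: it reads assignments shaped like `az role assignment list --all -o json` (the records below are constructed, including the all-zero subscription id) and flags direct user assignments and privileged roles granted at subscription or management-group scope. The set of roles treated as privileged is an assumption for the example.

```python
"""Audit Azure role assignments for direct user grants and broad privileges.

Added example, not code from the article. Input shape mimics
`az role assignment list --all -o json`; the sample records are constructed.
"""

# Roles whose assignment at a wide scope deserves review (assumption for this example).
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"subscription", "tenant-or-management-group"}


def scope_level(scope):
    """Classify an ARM scope string by how wide it is."""
    parts = [p for p in scope.split("/") if p]
    if not parts or parts[0].lower() == "providers":
        return "tenant-or-management-group"   # "/" or /providers/Microsoft.Management/...
    if len(parts) == 2:
        return "subscription"                  # /subscriptions/<id>
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"                 # /subscriptions/<id>/resourceGroups/<rg>
    return "resource"


def audit_assignments(assignments):
    """Return (finding, principal, role, scope level) tuples for assignments to fix."""
    findings = []
    for a in assignments:
        principal, ptype = a["principalName"], a["principalType"]
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if ptype == "User":
            # Per-user grants are hard to keep current when people join or leave.
            findings.append(("direct-user-assignment", principal, role, level))
        if role in PRIVILEGED_ROLES and level in BROAD_SCOPES:
            # Owner/Contributor on a whole subscription is rarely the least privilege needed.
            findings.append(("broad-privileged-role", principal, role, level))
    return findings


HINTS = {
    "direct-user-assignment": "move this grant to an Entra ID group and add the user to the group",
    "broad-privileged-role": "scope the role down to the resource group or resource that needs it",
}

# Constructed sample; the subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "sg-app-developers", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "id-webapp-prod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
]


def main():
    for kind, principal, role, level in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"[{kind}] {principal}: {role} at {level} scope -> {HINTS[kind]}")


if __name__ == "__main__":
    main()
```

The managed identity `id-webapp-prod` holding only `Key Vault Secrets User` on a single vault is the shape the article recommends: a non-human principal, a narrow role, a resource-level scope.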
Further steps to take
The next steps described are more towards continuous maintenance of the security of your cloud infrastructure.
Prepare your cloud inventory
You cannot protect what you do not know. You will need to identify all your services/applications that you need for your organization and have a plan on how to protect them. By building an inventory of your cloud, you will also be able to structurally prioritize your action plan based on criticality of your resources.
Active Monitoring
When implementing security in your cloud infrastructure, there are two aspects you need to focus on. One is to implement best practices and security recommendations; the other is to have active monitoring. A key aspect of active monitoring is being able to identify security breaches in time, whether to prevent them or to assess the damage if something happens. You have to build a logging and monitoring solution so that you can know if someone tried to access something they were not supposed to, if information leaked, or if any of your systems was compromised.
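A logging solution that is good enough to detect a breach is also a place where secrets end up if nobody stops them, which is why the earlier list says to exclude passwords and connection strings from logs. The following is an added example, not code from the article: `redact` masks the secret-bearing parts of connection strings, SAS URLs and bearer tokens, and `SecretRedactingFilter` plugs it into Python's standard `logging` module so a connection string logged by mistake is written without its password. The sample lines and the set of recognized secret keys are constructed assumptions for the example.

```python
"""Keep secrets out of application logs.

Added example, not code from the article. The key names recognized below are
an assumption; extend them for the secret formats your workloads use.
"""
import io
import logging
import re

# key=value pairs whose value is a secret (case-insensitive). The value ends at a
# separator used by connection strings, query strings or quoting.
_KV_SECRET = re.compile(
    r"(?i)\b(password|pwd|accountkey|sharedaccesskey|sharedaccesssignature|sig)=([^;&\s\"']+)")
# OAuth bearer tokens in Authorization headers.
_BEARER = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*")

MASK = "***"


def redact(text):
    """Return `text` with secret values replaced by MASK; keys stay visible for debugging."""
    text = _KV_SECRET.sub(lambda m: f"{m.group(1)}={MASK}", text)
    return _BEARER.sub(f"Bearer {MASK}", text)


def contains_secret(text):
    """True if `redact` would change the text, i.e. it carries something to keep out of logs."""
    return redact(text) != text


class SecretRedactingFilter(logging.Filter):
    """Logging filter that redacts the final message before any handler writes it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevents a second %-format pass
        return True


def demo_logging(message, *args):
    """Log `message` through a redacting logger and return what the handler wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("redacted-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SecretRedactingFilter())
    logger.info(message, *args)
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample lines of the kind that leak into logs.
    samples = [
        "Server=tcp:db.example.net;User ID=app;Password=Hunter2!;Encrypt=true",
        "GET https://acct.blob.core.windows.net/c/f.txt?sv=2022-11-02&sig=abc123%2Fxyz%3D&se=2024-06-09",
        "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.signature",
    ]
    for s in samples:
        print(redact(s))
    print(demo_logging("connecting with %s", "Server=db;Pwd=s3cret"))
```

Attach the filter to the root logger (or to the handler that ships logs off the machine) once at startup; it then covers every module that logs through the standard library. `contains_secret` doubles as a pre-commit check over configuration files, which the Key Vault item above is about.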
Leverage the tools provided by Azure, like Security Center and Security Copilot, to actively review the security posture of your Azure cloud. As you further develop your cloud infrastructure, make it part of your process to regularly review the security recommendations and fix them as soon as possible.
Independent auditing
After you have taken the steps you can do on your own, it is highly recommended that you hire an external independent auditor to evaluate the state of your cloud infrastructure. One of the crucial benefits of external experts is that, besides their technical expertise, they bring an outsider's perspective, which often helps identify blind spots overlooked by people who work in your organization.
Final thoughts
Cloud security is a complex topic requiring expertise on various levels. Despite this, there are still plenty of things you can do to maintain a fairly good security level on your cloud infrastructure. By incorporating the above-mentioned steps into your cloud development process, you can maintain a relatively secure cloud infrastructure.
If you need help implementing these security recommendations and improving your Azure security posture, I'd be happy to help. Book a call to discuss how we can help you plan and implement these security measures on your Azure cloud infrastructure.