Microsoft Cybersecurity Architect Exam Ref SC-100
Published in Jan 2023
Publisher Packt
ISBN-13 9781803242392
Length 272 pages
Edition 1st Edition
Author: Dwayne Natwick
Table of Contents

Preface
Part 1: The Evolution of Cybersecurity in the Cloud
Chapter 1: Cybersecurity in the Cloud
Part 2: Designing a Zero-Trust Strategy and Architecture
Chapter 2: Building an Overall Security Strategy and Architecture
Chapter 3: Designing a Security Operations Strategy
Chapter 4: Designing an Identity Security Strategy
Part 3: Evaluating Governance, Risk, and Compliance (GRC) Technical Strategies and Security Operations Strategies
Chapter 5: Designing a Regulatory Compliance Strategy
Chapter 6: Evaluating the Security Posture and Recommending Technical Strategies to Manage Risk
Part 4: Designing Security for Infrastructure
Chapter 7: Designing a Strategy for Securing Server and Client Endpoints
Chapter 8: Designing a Strategy for Securing SaaS, PaaS, and IaaS
Part 5: Designing a Strategy for Data and Applications
Chapter 9: Specifying Security Requirements for Applications
Chapter 10: Designing a Strategy for Securing Data
Chapter 11: Case Study Responses and Final Assessment/Mock Exam
Index
Other Books You May Enjoy
Appendix: Preparing for Your Microsoft Exam

Evolution of cybersecurity from on-premises to the cloud

When protecting an on-premises data center and infrastructure, a cybersecurity architect designs many of the controls to protect physical assets and keep bad actors from entering at either physical data center entry points or internet service provider (ISP) network entry points. Traditionally, these protections would have been a combination of physical security appliances, such as firewalls for packet inspection, and protection against attacks through endpoint devices by only allowing access to the data center over SSL VPN-encrypted connections. These devices were managed by the company and equipped with antivirus and anti-malware software to mitigate potential attacks.

As companies move to cloud-native applications, such as Microsoft 365, and build infrastructure on cloud providers, such as Microsoft Azure, their responsibility for security has shifted from physical to virtual environments. This creates new vulnerabilities that the company must identify and plan to mitigate. The following sections discuss how a cybersecurity architect should begin to plan for protection and controls within a cloud and hybrid infrastructure.

Defense-in-depth security strategy

When protecting the cloud and hybrid infrastructure, there are many aspects that need to be considered. As you go through the various solutions offered within Microsoft 365 and Azure, these methodologies and principles play a key role in the process of protecting resources, identity, and data. One of the primary strategies for protecting your company is through defense in depth. Having a strong defense-in-depth security posture addresses the areas of the cybersecurity kill chain. The next section will discuss the concept of building a defense-in-depth security posture.

Building a defense-in-depth security posture

In order to protect your company from cyber attacks, you should have controls in place that address the stages of cyber attacks and that maintain a defense-in-depth security posture. When planning for the security of information technology resources, protecting one aspect is not enough; every aspect of the infrastructure should have security controls in place to protect at all levels. Controls are the services or solutions that we have in place to properly secure and protect the resources at that level of defense.

Each of these levels of defense is important since attackers look for various entry points into a company network. The levels of defense in depth are shown in Figure 1.1.

Figure 1.1 – Defense-in-depth security

Now that you know why defense in depth is important, let’s discuss each of these areas and provide an example of a control that can be used for protecting resources.

Physical

The physical level of defense includes the actual hardware technology and spans the entire data center facility. This includes the compute, storage, and networking components, rack spaces, power, internet, and cooling. It also includes the room that the equipment is housed in, the building location and its surroundings, and the processes that are in place for the guards, physical security staff, or guests that access these locations.

Protecting the physical level of defense in depth encompasses how we create redundancy and resiliency in the previously mentioned systems, and how we record and audit who accesses the building and systems. This could include gated fences, guard stations, video surveillance, logging visitors, and background checks. These physical controls should be in place for any company that utilizes its own private data center.

When utilizing Microsoft cloud services, the physical controls are Microsoft’s responsibility. We will discuss shared responsibility for cloud security in the next section.

Identity and access

Since the provider is responsible for the physical controls within cloud services, identity and access become the first line of defense that a customer can configure and protect against threats. This is why statements such as “Identity is the new control plane” or “Identity is the new perimeter” have become popular when discussing cloud security. Even if your company maintains a private data center for the primary business applications, there is still a good chance that you are consuming a cloud application that uses your company identity. For this reason, having the proper controls in place, such as multi-factor authentication (MFA), conditional access policies, and Azure AD Identity Protection, will help to decrease vulnerabilities and recognize potential threats before a widespread attack can take place.

Perimeter security

Within a private data center, where the company controls the internet provider connection terminations and has its firewall appliances, intrusion detection and prevention solutions, and DDoS protection in place and fully configured, protecting the perimeter is a straightforward architecture.

When working within cloud providers, perimeter security takes on a different focus. The cloud providers have agreements with the internet providers that serve their data centers, and those connections terminate on the providers' hardware. The company's perimeter security then becomes a virtual perimeter around its tenant, rather than a physical perimeter around the data center network facilities. The company now relies on the provider's ability to protect against DDoS attacks at the internet perimeter.

Within Microsoft Azure, DDoS protection is a free service, since Microsoft wants to avoid a DDoS attack that would bring down a large number of its customers in a data center. For additional perimeter protection, the company can implement virtual firewall appliances to protect the tenant perimeter and block port- and packet-level attacks, and additional solutions, such as Application Gateway with a web application firewall (WAF), to protect against application-layer attacks.

Network security

The perimeter and network security layers work closely together. Both focus on the network traffic aspect of the company infrastructure. Where perimeter security handles the internet traffic that is entering the tenant, or data center, network security solutions protect how and where that traffic can be routed once it passes through the perimeter. Once an attacker gains access to a system on the network, they will want to find ways to move laterally within the network infrastructure. Proper IP addressing and network segmentation can protect against this lateral movement.

On a private data center network, this can be accomplished at the switch ports with virtual local area networks (VLANs) configured to block traffic between network segments. In a cloud provider infrastructure, virtual networks (VNets) can accomplish similar segmentation. In an Azure infrastructure, network security groups and application security groups can also be configured on network interfaces with additional port, IP address, or application-layer rules for how traffic may be routed within the network.

Compute

After network security, we begin to get into the resources that hold our data. The first of these is our compute resources. For clarity, we will generalize the compute layer as the devices with an operating system, such as Linux or Windows. Compute resources also include platform-based services where the compute layer is managed by the cloud provider, such as Azure App Service, Azure Functions, or containers. Within your own private data center, with equipment that you own, you must protect the host equipment and avoid exposure by hardening the virtual hypervisor. In the public cloud, Microsoft or another cloud provider is responsible for this. Our responsibility for virtual machines lies in keeping the operating system properly patched with updates and security fixes, so that known vulnerabilities cannot be exploited. In addition, encrypting virtual machine operating systems and disks with Azure Disk Encryption will protect the image from being exposed.

A common attack at the compute layer is scanning for and gaining access to management ports on devices. Not exposing these ports, 3389 for Windows Remote Desktop Protocol (RDP) and 22 for Linux Secure Shell (SSH), to the internet provides a layer of protection against these attacks. Within Microsoft Azure, this can be accomplished with network security group rules, removing public IP addresses from virtual machines, bastion hosts, and/or just-in-time virtual machine access. Many of these security options will be discussed in Chapter 7, Designing a Strategy for Securing Server and Client Endpoints.
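The network security group checks described in the Network security and Compute sections above, as an added example that is not the book's own code: a small Python evaluator that walks a set of inbound NSG rules in priority order (including Azure's built-in default rules) and reports whether RDP (3389) or SSH (22) is reachable from an arbitrary internet address. The rule set, the NsgRule class and the helper names are constructed for illustration and are not exported from any real tenant.

```python
from dataclasses import dataclass
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"Internet", "*", "0.0.0.0/0"}  # sources that admit any public address

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int    # lower is evaluated first; the first matching rule decides
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # "Internet", "*", a service tag such as "VirtualNetwork", or a CIDR
    dest_ports: str  # "22", "20-25", "80,443" or "*"
# Azure's built-in default inbound rules sit at priority 65000+ behind every custom rule.
DEFAULT_RULES = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def port_matches(spec: str, port: int) -> bool:
    """True if a destination port spec ("*", "22", "20-25", "80,443") covers port."""
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False

def deciding_rule(rules, port, protocol="Tcp"):
    """First rule by priority that applies to traffic from an arbitrary internet address."""
    # A rule scoped to a service tag or a specific CIDR does not match such a source, so an
    # allow restricted to, say, a corporate range is not counted as internet exposure.
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if (rule.source in INTERNET_SOURCES and rule.protocol in ("*", protocol)
                and port_matches(rule.dest_ports, port)):
            return rule
    return None

def exposed_management_ports(rules):
    """Map each management port the internet can reach to (service, deciding rule name)."""
    findings = {}
    for port, service in MANAGEMENT_PORTS.items():
        rule = deciding_rule(rules, port)
        if rule is not None and rule.access == "Allow":
            findings[port] = (service, rule.name)
    return findings

# Constructed sample NSG, not exported from a real tenant; rule 100 is the misconfiguration.
SAMPLE_RULES = [
    NsgRule("AllowRdpFromInternet", 100, "Allow", "Tcp", "Internet", "3389"),
    NsgRule("DenySshFromInternet", 110, "Deny", "Tcp", "Internet", "22"),
    NsgRule("AllowSshFromBastionSubnet", 120, "Allow", "Tcp", "10.0.1.0/26", "22"),
]
```

Run against SAMPLE_RULES, the evaluator flags only RDP, because SSH from the internet is denied by priority 110 before the bastion-subnet allow is reached; with no custom rules at all, the default DenyAllInBound rule leaves both ports closed.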

Applications

The layer of defense closest to our data is our applications. Applications present data to users through our internet websites, intranet sites, and the line-of-business applications used to perform our day-to-day business. A cybersecurity architect will determine how to protect applications against common threats, such as cross-site scripting on our websites. To protect against these common threats, a WAF can be used to evaluate the traffic reaching our applications. Using encrypted Transport Layer Security (TLS) connections also helps to avoid exposing sensitive data to unauthorized individuals.

Prior to an application being moved to production, it should be properly tested to make sure that there are no open management ports and that all API connections are also secured.

If the application references connections to databases and storage accounts, the secrets and keys should not be exposed and a key management solution, such as Azure Key Vault, should be in place for the proper rotation of secrets, keys, and certificates. Properly securing these areas of our applications will assist in avoiding exposure of sensitive data to those that are not authorized.

Data

Always at the center of our defense-in-depth security posture is our data. Data is the primary asset of our company. This includes the business and financial data that is necessary for the company’s survival and the personal information of our employees and customers. Exposure or theft of this information would have potentially catastrophic effects on the company’s ability to continue. These effects could be reputational and involve financial loss.

As a security professional, one must protect data from intentional and accidental exposure to those who are not authorized to view it. Data resides in various areas of our technology infrastructure: primarily in storage accounts, such as blob containers or file shares, and in relational and non-relational databases. The common practice for protecting it in these locations is encryption.

Encryption makes data unreadable to those who are not properly authenticated and authorized to view it. Encryption is applied to data in three ways. First, encryption at rest protects data while it is stored and not being accessed. Next, encryption in transit protects data while it is delivered from where it is stored to the person requesting access. Finally, encryption in use keeps the data encrypted within the application for the whole time it is being viewed. This is the most complex of the three since it requires the application to be capable of presenting the encrypted data. Microsoft provides options for these encryption types that will be discussed later in this book.

Encrypting our data in our storage accounts and databases decreases the potential of this data being exposed to those who are not authorized. Additionally, requiring verification through authentication and authorization maintains the protection of data. This includes avoiding anonymous access to storage accounts and masking sensitive data within our databases. The most important aspect of protecting our data is knowing where our sensitive data is located and planning proper steps to avoid it being exposed to unauthorized parties. Bringing together the protection of data within the entire defense-in-depth strategy provides us with an effective way to protect against vulnerabilities and threats.

Maintaining a proper security posture across all of the defense-in-depth layers is the best way to protect our company from loss or exposure across the stages of a cyber attack. These stages will be further discussed later in this chapter. As security professionals, it is important that we take ownership of the planning, execution, monitoring, and management of all of these layers and work with other stakeholders at each of these layers to maintain the overall security posture for the company.

Special considerations need to be accounted for within this security posture when utilizing public cloud services. In the next section, we will discuss how this shared responsibility for cloud services requires possible adjustments to our defense-in-depth security approach.

Shared responsibility in cloud security

As technology has evolved and more resources have a level of exposure to external internet connections, the attack surface that is potentially vulnerable also increases. We must understand this and know where our responsibilities lie for each of the areas within our defense-in-depth security approach.

Shared responsibility is the relationship between the customer and the cloud provider at each of the layers of defense in depth. This relationship differs depending on the technology that is being consumed.

Shared responsibility focuses on who has the ownership to interact at a specific level of protection. This may be physical ownership of equipment or administrative ownership for enabling various controls. The level of ownership between the company using the service and the cloud provider changes depending on the type of service that is being consumed by the company.

Table 1.1 shows shared responsibility for customers and Microsoft within the various cloud and on-premises services.

Responsibility                        | On-Premises | IaaS      | PaaS               | SaaS
--------------------------------------|-------------|-----------|--------------------|-------------------
Data governance and rights management | Customer    | Customer  | Customer           | Customer
Client endpoints                      | Customer    | Customer  | Customer           | Customer
Account and access management         | Customer    | Customer  | Customer           | Customer
Identity and directory infrastructure | Customer    | Customer  | Microsoft/Customer | Microsoft/Customer
Application                           | Customer    | Customer  | Microsoft/Customer | Microsoft
Network controls                      | Customer    | Customer  | Microsoft/Customer | Microsoft
Operating system                      | Customer    | Customer  | Microsoft          | Microsoft
Physical hosts                        | Customer    | Microsoft | Microsoft          | Microsoft
Physical network                      | Customer    | Microsoft | Microsoft          | Microsoft
Physical data center                  | Customer    | Microsoft | Microsoft          | Microsoft

Table 1.1 – Shared responsibility in the cloud

As you consider the customer's and Microsoft's responsibilities for security, the cybersecurity architect should determine the level of controls the company should have in place for each area of potential vulnerability and exposure to attack.

The next section will build upon the areas of controls and security posture, and we will discuss the various components of cybersecurity operations.
