Identity and access control
Before we dive in, it is worth recognizing that security in the cloud is a shared responsibility between you and the cloud provider. It is essential to understand where your responsibility stops and the cloud provider's begins. Let's take a quick look at shared responsibility in Azure, as shown in Figure 2.4:
Figure 2.4: Azure shared responsibility
Depending on the type of service you choose in Azure (infrastructure, platform, or software as a service), your responsibilities will vary, as will those of the cloud provider. Note the differences between on-premises resources and the various Azure options. However much Microsoft takes on, you always retain responsibility for your data, your endpoints, your accounts, and how access to them is managed.
Because Azure is a public-facing platform, security is central to how it is built and operated. Azure includes a wide range of tools and advisors to help you take advantage of its security capabilities.
What are the security benefits of Azure?
An organization's on-premises security team has only limited resources (people and tools) with which to detect exploits and track attackers. One benefit of a platform like Azure is that you can offload part of that work to the provider and draw on telemetry and threat intelligence gathered across the whole platform, gaining a more efficient and better-informed view of your organization's attack surface without buying additional physical resources.
One of the most significant benefits of Azure is that every tenant is backed by Azure AD (since rebranded as Microsoft Entra ID), so you start from an identity-centric security model. Azure AD is the identity provider for all services and resources within Azure, and Azure role-based access control is built on top of it. You can also use Azure AD to secure your own applications, invite partner users into your tenant as guests with Azure AD Business to Business (B2B) collaboration, or create a separate Azure AD Business to Customer (B2C) tenant to hold your customers' identities.
Helpful tools in Azure
There are several security and audit solutions built into Azure that strengthen your security posture; they can be reached from the Azure portal home page through the security and audit dashboard. Here are some helpful tools in Azure to assist you and your organization:
- We mentioned earlier that Azure Resource Manager is the single control plane for deploying, updating, and deleting the resources in your solution, so operations can be coordinated and every change passes through one place where it is recorded.
- Azure also offers Application Performance Management (APM) in the form of Application Insights, which lets you monitor your applications within Azure and detect performance anomalies and failures.
- Azure Monitor collects, queries, and visualizes telemetry for your infrastructure: the activity log, which records every control-plane operation on your subscription (who created, changed, or deleted which resource), and the per-resource diagnostic logs you choose to enable.
- Azure Advisor is like a personalized cloud concierge that helps you optimize your cloud resources. It surfaces reliability, performance, cost, and security recommendations for your deployments.
- Azure Security Center (since renamed Microsoft Defender for Cloud) helps you prevent, detect, and respond to threats against your workloads within Azure. It provides security monitoring and policy management across all of your subscriptions.
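The activity log described above is the first place to look for control-plane changes that matter to security: role grants, custom role edits, removed policy assignments or locks, and Key Vault access policy changes. The following is an added example (not code from the book or from Microsoft) that runs simple detection logic over activity log records: it raises an alert for each successful high-impact operation, rates it higher when the caller is not an approved administrator, and separately spots a caller who creates several role assignments in a short window, a common pattern after an account is compromised. The records, the subscription ID, the approved-admin set, and the choice of which operations count as high impact are all constructed assumptions for this example, and the records use a simplified subset of the activity log fields.

```python
"""Added example (not from the book): flag high-impact control-plane operations in
Azure Activity Log records and spot bursts of role grants by one caller.

The records below are constructed for this example and use a simplified subset of
the Activity Log fields (operationName, category, caller, status, eventTimestamp,
resourceId); the subscription ID is a placeholder.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that change who can do what, or remove a guard rail. The names follow
# Azure's "<provider>/<resource>/<action>" format; which ones count as high impact
# is an assumption made for this example.
HIGH_IMPACT_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment created",
    "Microsoft.Authorization/roleDefinitions/write": "custom role created or changed",
    "Microsoft.Authorization/policyAssignments/delete": "policy assignment removed",
    "Microsoft.Authorization/locks/delete": "resource lock removed",
    "Microsoft.KeyVault/vaults/accessPolicies/write": "Key Vault access policy changed",
}

# Identities expected to make such changes (for example, members of a PIM-eligible
# admin group). Assumed for the example.
APPROVED_ADMINS = {"admin-ops@contoso.example"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription

SAMPLE_RECORDS = [  # constructed sample data
    {"eventTimestamp": "2024-03-01T09:00:00Z", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "category": "Administrative", "caller": "admin-ops@contoso.example", "status": "Succeeded",
     "resourceId": SUB + "/resourceGroups/rg-app"},
    {"eventTimestamp": "2024-03-01T09:05:00Z", "operationName": "Microsoft.Compute/virtualMachines/write",
     "category": "Administrative", "caller": "dev@contoso.example", "status": "Succeeded",
     "resourceId": SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"eventTimestamp": "2024-03-01T09:07:00Z", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "category": "Administrative", "caller": "alice@contoso.example", "status": "Succeeded", "resourceId": SUB},
    {"eventTimestamp": "2024-03-01T09:08:00Z", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "category": "Administrative", "caller": "alice@contoso.example", "status": "Succeeded", "resourceId": SUB},
    {"eventTimestamp": "2024-03-01T09:09:00Z", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "category": "Administrative", "caller": "alice@contoso.example", "status": "Succeeded", "resourceId": SUB},
    {"eventTimestamp": "2024-03-01T09:10:00Z", "operationName": "Microsoft.Authorization/locks/delete",
     "category": "Administrative", "caller": "alice@contoso.example", "status": "Failed",
     "resourceId": SUB + "/resourceGroups/rg-data/providers/Microsoft.Authorization/locks/no-delete"},
    {"eventTimestamp": "2024-03-01T09:12:00Z", "operationName": "Microsoft.Authorization/policyAssignments/delete",
     "category": "Administrative", "caller": "alice@contoso.example", "status": "Succeeded",
     "resourceId": SUB + "/providers/Microsoft.Authorization/policyAssignments/allowed-locations"},
]


def parse_ts(value):
    """Activity log timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_high_impact_events(records, approved=APPROVED_ADMINS):
    """Return one alert per successful high-impact administrative operation."""
    alerts = []
    for rec in records:
        op = rec.get("operationName")
        if rec.get("category") != "Administrative" or op not in HIGH_IMPACT_OPERATIONS:
            continue
        if rec.get("status") != "Succeeded":
            continue  # failed attempts are worth a lower-severity note; left out here
        caller = rec.get("caller", "<unknown>")
        alerts.append({
            "time": rec["eventTimestamp"],
            "caller": caller,
            "what": HIGH_IMPACT_OPERATIONS[op],
            "scope": rec.get("resourceId", ""),
            # an approved admin doing expected work is a review item; anyone else is an incident
            "severity": "medium" if caller in approved else "high",
        })
    return alerts


def burst_callers(records, window_minutes=10, threshold=3,
                  operation="Microsoft.Authorization/roleAssignments/write"):
    """Callers with >= threshold successful `operation`s inside any sliding window."""
    times = defaultdict(list)
    for rec in records:
        if rec.get("operationName") == operation and rec.get("status") == "Succeeded":
            times[rec.get("caller", "<unknown>")].append(parse_ts(rec["eventTimestamp"]))
    window = timedelta(minutes=window_minutes)
    result = {}
    for caller, stamps in times.items():
        stamps.sort()
        best = max(sum(1 for t in stamps[i:] if t - start <= window)
                   for i, start in enumerate(stamps))
        if best >= threshold:
            result[caller] = best
    return result


if __name__ == "__main__":
    for a in find_high_impact_events(SAMPLE_RECORDS):
        print(f"[{a['severity']}] {a['time']} {a['caller']}: {a['what']} at {a['scope']}")
    print("burst role grants:", burst_callers(SAMPLE_RECORDS))
```

In practice the records would come from an activity log export to a Log Analytics workspace or from the Azure CLI, and the burst rule is the kind of logic you would express as a scheduled query there; the point of the example is which operations deserve an alert and why the caller matters.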
Best practices
Here are some Azure security best practices recommended by Microsoft:
- Use Azure AD for central security control and identity management in Azure. This makes management and integration more streamlined.
- Keep a single Azure AD tenant as the authoritative source of identity; avoid sprawling into many tenants with duplicated users.
- If you have an on-premises AD, integrate it with Azure AD using Azure AD Connect so that users get a single sign-on experience.
- If you use Azure AD Connect to sync your on-premises AD with Azure, turn on password hash synchronization even if you federate, so that users can still sign in if the on-premises directory or federation service goes offline or is retired.
- Remember that you can use Azure AD for authentication in your new applications, whether directly against your tenant, through B2B guest access, or through a B2C tenant.
- Use management groups to organize your subscriptions and assign roles and policies at management-group scope; those assignments are inherited by every subscription underneath, so you do not need to maintain Azure Identity and Access Management (IAM) settings in each subscription separately.
- Give support personnel just-in-time, time-limited elevation through Azure AD Privileged Identity Management (PIM) rather than standing privileged access, and use Conditional Access to require multi-factor authentication and a compliant device when they activate those roles.
- Block legacy authentication protocols that aren't needed (for example, basic authentication over IMAP, POP3, and SMTP): they cannot enforce multi-factor authentication and are a favorite path for password-spray attacks, so removing them shrinks your attack surface.
- Enable self-service password reset (SSPR) for your users if you're using Azure AD for your applications, and monitor reset activity in the Azure AD audit logs.
- If you are using Azure AD Connect, ensure that your cloud policies match your on-premises policies.
- Enable multi-factor authentication for your organization: for all users where possible, and for administrative accounts without exception.
- Prefer Azure's built-in roles, assigned to groups, over custom rules and per-user grants; fine-grained rule-based access becomes very cumbersome to manage in the long run.
- Grant least-privilege access to everyone logging in to Azure, so that when an account is compromised, the damage it can do is limited.
- Define at least two emergency access (break-glass) accounts that are cloud-only, excluded from the Conditional Access policies that could lock them out, stored securely, and alerted on whenever they sign in, in case your administrators' accounts are compromised or locked out.
- Control the regions in which resources can be created (for example, with an Azure Policy allowed-locations rule), because data-residency restrictions differ by region. Separately, actively monitor your Azure AD tenant for suspicious activity such as sign-ins from unexpected locations.
- Use Azure AD authentication and role-based access control, rather than shared account keys, for your storage accounts, and require secure transfer (HTTPS).
- Review and apply improvements to your best practices over time.
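Several of these practices (built-in roles assigned to groups, least privilege, a small number of owners) can be checked mechanically against an export of your role assignments. The following is an added example, not code from the book or from Microsoft, that reviews a list of assignments in the shape printed by `az role assignment list --all` (principalName, principalType, roleDefinitionName, scope) and reports three kinds of finding: privileged roles granted directly to users instead of groups, automation identities holding privileged roles at subscription or management-group scope, and subscriptions with more than three Owner assignments (a threshold Defender for Cloud also recommends). The assignments, the subscription ID, and the set of roles treated as privileged are constructed assumptions for this example.

```python
"""Added example (not from the book): least-privilege review of Azure RBAC role
assignments exported from a subscription.

Each assignment mirrors the fields `az role assignment list --all` prints
(principalName, principalType, roleDefinitionName, scope). The assignments and the
thresholds below are constructed for this example; the subscription ID is a placeholder.
"""
import re
from collections import Counter

# Roles that can change access or deploy anything: grant these through groups made
# eligible in PIM, not directly to people. Which roles count is an assumption here.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Defender for Cloud recommends no more than three owners per subscription.
MAX_SUBSCRIPTION_OWNERS = 3

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription

SAMPLE_ASSIGNMENTS = [  # constructed sample data
    {"principalName": "grp-platform-admins", "principalType": "Group", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "alice@contoso.example", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.example", "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "sp-deploy", "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "carol@contoso.example", "principalType": "User", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "sp-backup", "principalType": "ServicePrincipal", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata"},
    {"principalName": "dave@contoso.example", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "erin@contoso.example", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
]

_MG = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")
_SUB = re.compile(r"^/subscriptions/[^/]+$")
_RG = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$")


def scope_kind(scope):
    """Classify an ARM scope string as managementGroup, subscription, resourceGroup or resource."""
    if _MG.match(scope):
        return "managementGroup"
    if _SUB.match(scope):
        return "subscription"
    if _RG.match(scope):
        return "resourceGroup"
    return "resource"


def audit_assignments(assignments, max_owners=MAX_SUBSCRIPTION_OWNERS):
    """Return a list of findings, each with a code, the principal (or scope) and a detail string."""
    findings = []
    owners_per_sub = Counter()
    for a in assignments:
        role, kind = a["roleDefinitionName"], scope_kind(a["scope"])
        if a["principalType"] == "User" and role in PRIVILEGED_ROLES:
            findings.append({"code": "DIRECT_USER_PRIVILEGED", "principal": a["principalName"],
                             "detail": f"{role} granted directly at {kind} scope; "
                                       f"assign it to a group and make the group PIM-eligible"})
        if (a["principalType"] == "ServicePrincipal" and role in PRIVILEGED_ROLES
                and kind in ("subscription", "managementGroup")):
            findings.append({"code": "BROAD_SP_SCOPE", "principal": a["principalName"],
                             "detail": f"{role} at {kind} scope; scope automation identities "
                                       f"to the resource group they actually deploy into"})
        if role == "Owner" and kind == "subscription":
            owners_per_sub[a["scope"]] += 1
    for sub, count in owners_per_sub.items():
        if count > max_owners:
            findings.append({"code": "TOO_MANY_OWNERS", "principal": sub,
                             "detail": f"{count} Owner assignments at subscription scope (limit {max_owners})"})
    return findings


if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f['code']:24} {f['principal']}: {f['detail']}")
```

Run this against a real export periodically (for example, from a pipeline) and treat new findings as review items; the same walk over the assignments is also a convenient place to confirm that your break-glass accounts hold the roles you expect and nothing more.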
Now that we have an understanding of security in Azure, we can review how to use Azure governance.