12 Azure Best Practices to Keep Your Cloud Secure

By Eric Kedrosky, CISO, Sonrai Security

Cloud-based data breaches are all too common. In fact, 45% of businesses experienced a cloud-based security breach in 2022.

Microsoft Azure, a market leader in public cloud services, supports over 200 cloud-based products and services and nearly 70% of the world's businesses. That's a big target for bad actors who want to access sensitive data like customer credit card information, healthcare records, and even student information like grades and test results.

To help protect your data in the cloud, the first step is to leverage the controls that Azure gives you to minimize risk of exposure and breaches. But protecting both static and in-transit data requires even more vigilance. That means going above and beyond the safeguards that Microsoft provides Azure users and implementing tools and best practices that support the highest level of security.

Below, we provide a dozen Azure security best practices for monitoring and securing Azure cloud data. From understanding what your responsibilities are when it comes to risk reduction in Azure's cloud environments to controlling access, there's a lot you can do to keep your Azure-based systems and data safe from bad actors.

12 Azure Cloud Security Best Practices

Let's dive right in with a dozen strategies for protecting your Azure cloud data, starting with responsibility:

1. Understand the Azure Shared Responsibility Model

A shared responsibility model means that you (the customer) and Azure are both responsible for different aspects of security. You're responsible for the security of your information and data, your virtual machines (VM), accounts, and identities.

Microsoft is responsible for the security of physical networks, physical data centers, and physical hosts. And, depending on the service you use, you may share or have total responsibility to secure identity and directory infrastructure, applications, network controls, and operating systems.

We take a deep dive into Azure's shared responsibility model here, including outlining what's included in each service and customer responsibilities.


2. Use Microsoft Defender for Cloud (formerly Azure Security Center)

Microsoft Defender for Cloud is a suite of tools that monitors and manages VM security and in-cloud workloads. You can use it to detect and investigate security issues, deploy countermeasures, and create custom alerts.

Designed to protect multi-cloud and hybrid environments, Defender improves the security posture of cloud resources with features like workload threat protection and vulnerability detection. It also suggests changes for protecting your Azure resources.

3. Enable Storage Service Encryption

Azure gives you the option to encrypt your data at rest using Azure Storage Service Encryption (SSE). SSE uses the Advanced Encryption Standard (AES) 256-bit encryption (an incredibly strong block cipher) and is also FIPS 140-2 compliant.

Data encryption in Azure storage accounts is automatically enabled, but binary large objects (blobs) created prior to October 20, 2017, may not be fully encrypted. To ensure older blobs are encrypted, Azure recommends checking the encryption status and rewriting the blob to force encryption.

When you need the highest level of security, enable infrastructure encryption. This will protect your data at both service and infrastructure levels using different algorithms and keys.

4. Use Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring users to supply two sources of authentication to access a system (e.g., a password and biometric signal like a fingerprint). Recent Microsoft data found that only 22% of Azure Active Directory identities use MFA, and this is putting organizations - and their data - at risk.

When you consider that identity attacks are increasing (Microsoft blocked over 25 billion attack attempts in 2021), it's clear that companies should use MFA to protect all user identities, not just those with administrative privileges. Enabling MFA for all users helps prevent account takeovers, even if an attacker has your password. It's one of the most effective ways to protect your resources from bad actors.

5. Restrict Administrator Access Using a 'Least Access' Approach

Access management helps you manage who has access to a resource and what they can do once they have access. Paired with a least access strategy - an approach that gives users only the permissions they need to do their job - access management helps fortify your system. It can also limit the damage if a bad actor manages to gain access to a user account with elevated privileges.

In Azure, you can restrict administrator access using role-based access control (RBAC), a feature that lets you assign granular permissions to users, groups, and applications. Azure Active Directory uses the Global Administrator role to give full access to all resources in an Azure subscription. But, you can create custom roles with only the permissions that are needed for a given task (e.g., Application Developer, Attack Payload Author, DevOps Administrator, etc.).

6. Secure All Identities (Person and Non-Person)

Detecting and eliminating overprivileged identities should be a key part of your Azure security strategy. An "overprivileged identity" is any identity (people and non-people) that has more permissions than they need to do their job.

They present a risk because if a bad actor gains access to an overprivileged account, they can do significant damage. Privileged roles should be dispensed carefully and managed closely to ensure that only the necessary people (and applications) have access.

Monitoring "identity inflation" - when individuals or applications accrue greater levels of access over time - is also important. If one of these overprivileged identities is compromised, the accumulated permissions become a serious vulnerability for your system.


7. Conduct Identity Access Reviews

An identity access review is an assessment of which individuals or applications have access to which resources. It's important to periodically review and adjust these permissions and ensure that they align with an individual's current job responsibilities.

You should take an inventory of all the people and non-people identities that are in your cloud, review their permissions, and assess what data they can access. This should be a continuous process of auditing, monitoring, and risk assessment. One way to achieve this is through workflow management and automation, a process that includes receiving alerts when there's a potential problem.
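As an added example tied to practices 5 through 7 (not code from the article or from Sonrai), the script below applies Azure's own RBAC rule for effective permissions (a role grants an action when it matches a pattern in Actions and no pattern in NotActions, with `*` as a wildcard) to a set of role definitions and assignments, and flags the identities that can change role assignments or read storage account keys. The roles, principals and scopes are constructed sample records shaped like `az role definition list` and `az role assignment list` output; the list of high-risk actions is this example's choice, not an Azure setting.

```python
"""Flag over-privileged Azure RBAC assignments from their role definitions.
Azure grants an action when it matches a pattern in the role's Actions and no
pattern in its NotActions ('*' is a wildcard). Roles and assignments below are
constructed for this example, shaped like `az role definition list` output.
"""
import fnmatch
# Control-plane actions that let a holder widen access or read storage keys.
HIGH_RISK_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
)

ROLES = {  # constructed: one Owner-like role and two custom roles
    "Owner": {"actions": ["*"], "notActions": []},
    "Blob Reader (custom)": {
        "actions": ["Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "notActions": []},
    "Storage Operator (custom)": {
        "actions": ["Microsoft.Storage/*"],
        "notActions": ["Microsoft.Storage/storageAccounts/delete"]},
}

ASSIGNMENTS = [  # constructed: who holds which role at which scope
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Blob Reader (custom)",
     "scope": "/subscriptions/SUB_ID/resourceGroups/rg-data"},
    {"principalName": "build-pipeline-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB_ID"},
    {"principalName": "etl-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Operator (custom)",
     "scope": "/subscriptions/SUB_ID/resourceGroups/rg-data"},
]

def role_allows(role: dict, action: str) -> bool:
    """True when `action` matches Actions and is not excluded by NotActions."""
    granted = any(fnmatch.fnmatchcase(action, p) for p in role["actions"])
    denied = any(fnmatch.fnmatchcase(action, p) for p in role["notActions"])
    return granted and not denied

def review(assignments: list, roles: dict) -> list:
    """Return (principal, role, scope, risky_actions) for each risky assignment."""
    findings = []
    for a in assignments:
        role = roles[a["roleDefinitionName"]]
        risky = [x for x in HIGH_RISK_ACTIONS if role_allows(role, x)]
        if risky:
            findings.append((a["principalName"], a["roleDefinitionName"], a["scope"], risky))
    return findings
```

Run against real output, the same two functions show that a "Storage Operator" custom role with `Microsoft.Storage/*` still exposes `listKeys/action` even though it denies deletion, which is the kind of overprivilege an access review should surface.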

8. Safeguard Sensitive Data

Protecting sensitive data is what building a secure cloud data ecosystem is all about. By identifying hidden data risks and classifying the data that's essential for business operations, you can better protect your most valuable assets.

Data classification helps you understand the value of your data and how it should be protected. You should classify data based on its sensitivity, value, and how it's being used. This will help you determine which security controls to put in place.

Sensitive data should always be encrypted, both at rest and in transit. Make sure you have a complete understanding of your most critical data (what it is, where it lives, and who has access to it) so you can implement the most appropriate level of protection.

9. Azure Network Security Best Practices

Controlling and limiting network access can reduce the risk of data breaches and the severity of data loss and other damages when a breach occurs. You can use an identity and access management (IAM) tool to apply access controls across your entire data and cloud network, managing who has access to what.

IAM starts with authentication, which is the process of verifying that someone is who they say they are. Once authenticated, a user needs authorization to access specific resources. IAM ensures that only appropriate identities (users, software, machines) can access your data.

10. Use Key Management

Misconfiguration issues create vulnerabilities that lead to security incidents in cloud environments like Azure. Issues like misconfigured encryption for blobs or SQL, unused security groups, and unrestricted outbound access can leave your data vulnerable to attack.

Using security posture management tools like key management systems can help you prevent many of these problems by simplifying the process of creating, storing, and using API and encryption keys. A key management system can also help you audit and monitor access to your keys, so you can quickly detect and respond to unauthorized use.

11. Prioritize Cloud Workload Protection

Cloud-based workloads can be particularly vulnerable to attack because they're often hosted on shared infrastructure and are accessible from the public internet. When you're monitoring cloud workloads for security issues, you should pay attention to both the host and the guest operating systems.

You should also monitor network traffic and use workload protection tools with features like agentless vulnerability scanning, risk amplification, and penetration testing. Workload security monitoring helps you identify where network vulnerabilities exist and understand how an exploit of a vulnerability could impact your business.

12. Seriously, Check Your Blobs

Unsecured blobs can give a bad actor access to your most sensitive data, and once they have access, they can move laterally through your environment and wreak havoc.

This nightmare scenario recently happened to the British Council when a high-magnitude Azure data breach exposed hundreds of thousands of student files to the open internet. The data included student names, emails, login credentials, and even enrolment details.

To prevent this from happening to your business, use tools to monitor your cloud environment and identify open storage containers. Using a cloud security posture management (CSPM) tool that integrates with Azure's native security controls can help you quickly identify and remediate misconfigurations that leave your data exposed.
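As an added example covering practices 3 and 12 (not code from the article or from Sonrai), the checks below are the kind a CSPM-style script applies to a storage account: anonymous blob access at the account level, open containers, encryption at rest and infrastructure encryption, plus the transport settings (HTTPS-only, minimum TLS, network default action) that the article's in-transit advice implies. The account and container records are constructed and use the property names returned by `az storage account show` and `az storage container list`; the severities are this example's own.

```python
"""Posture checks for an Azure storage account and its blob containers.
The account and container records are constructed for this example and use
the property names returned by `az storage account show` and
`az storage container list`; they are not live data.
"""

ACCOUNT = {  # constructed: an account with several weak settings
    "name": "stexample001",
    "allowBlobPublicAccess": True,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_0",
    "networkRuleSet": {"defaultAction": "Allow"},
    "encryption": {"requireInfrastructureEncryption": None,
                   "services": {"blob": {"enabled": True}}},
}

CONTAINERS = [  # constructed: container-level public access settings
    {"name": "student-records", "properties": {"publicAccess": "container"}},
    {"name": "backups", "properties": {"publicAccess": None}},
    {"name": "www-assets", "properties": {"publicAccess": "blob"}},
]

def check_account(acct: dict) -> list:
    """Return (severity, finding) tuples for account-level settings."""
    findings = []
    if acct.get("allowBlobPublicAccess"):
        findings.append(("high", "anonymous blob access allowed at account level"))
    if not acct.get("enableHttpsTrafficOnly"):
        findings.append(("high", "plain HTTP transfers are permitted"))
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(("medium", f"minimum TLS is {acct.get('minimumTlsVersion')}"))
    if acct.get("networkRuleSet", {}).get("defaultAction") == "Allow":
        findings.append(("medium", "firewall default action allows all networks"))
    enc = acct.get("encryption") or {}
    if not (enc.get("services") or {}).get("blob", {}).get("enabled"):
        findings.append(("high", "blob encryption at rest is not enabled"))
    if not enc.get("requireInfrastructureEncryption"):
        findings.append(("low", "infrastructure (double) encryption not required"))
    return findings

def open_containers(acct: dict, containers: list) -> list:
    """Containers readable anonymously; container-level public access only
    takes effect while the account itself still allows public blob access."""
    if not acct.get("allowBlobPublicAccess"):
        return []
    return [(c["name"], c["properties"]["publicAccess"])
            for c in containers if (c.get("properties") or {}).get("publicAccess")]
```

Setting `allowBlobPublicAccess` to false at the account level closes every container in one step, which is why `open_containers` reports nothing once that flag is off.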

One Tool to Manage All Data and Identity Risk: Sonrai Dig

Sonrai Dig, built on patented graphing technology, identifies and monitors relationships between your data and identities in the public cloud. 

Sonrai Dig can help you manage Azure security best practices by automatically discovering, visualizing, and mapping data and identities across your cloud ecosystem. Machine learning determines data type and data importance and assigns a risk level for each entity.

This gives you full visibility into your cloud environment so you can swiftly remediate security issues and use behavioural controls to detect and prevent theft. To learn more about how Sonrai Dig can help keep your data safe in the cloud, request a demo today.


ABOUT THE AUTHOR

Eric Kedrosky, CISO, Sonrai Security


Eric Kedrosky is the CISO at Sonrai Security. He's been in the security game for over 17 years, with stops as head of cyber security at major financial & telecom institutions in the US & Canada. Eric has built cloud security competencies from the ground up for enterprises rich with sensitive customer data in addition to helping many organizations migrate their security from on-premise to public cloud. Most recently, he was the head of security for a financial crime services company.

Published Thursday, October 13, 2022 7:33 AM by David Marshall