Azure Security

The following is from the Azure Administrator Training lab for AZ-103: some Azure services related to security, privacy and compliance.

Azure Firewall – enforces and logs application and network connectivity, with inbound and outbound filtering rules and logging to Azure Monitor. It is different from the Web Application Firewall (WAF), which is part of Application Gateway and only provides inbound protection for web apps against common vulnerabilities.

Azure DDoS Protection – automatically available. At the Basic tier it monitors all traffic in real time; the Standard tier adds further mitigation capabilities.

Network Security Groups (NSG) – filter network traffic to/from Azure resources in a VNet. Set up inbound/outbound security rules based on IP address, port or protocol.

Application Security Groups (ASG) – network security done at the application level; define which applications can talk to which other applications or databases.
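To make the NSG and ASG behaviour concrete, here is a small evaluation model added as an illustration (it is not Microsoft's code or part of the lab). It assumes a VNet of 10.0.0.0/16 behind the VirtualNetwork tag, constructed ASG memberships named asg-web and asg-db, and constructed rule names; the point it shows is that priority order, not rule intent, decides the outcome.

```python
"""NSG evaluation model (added illustration, not Microsoft's code): rules run in
ascending priority, the first match decides, and Azure's default rules (65000+)
run last. A source or destination may name an ASG instead of an address prefix."""
import ipaddress

VNET = "10.0.0.0/16"  # assumed address space behind the VirtualNetwork tag
# Constructed ASG membership: ASG name -> IPs of the NICs placed in it
ASGS = {"asg-web": {"10.0.1.4", "10.0.1.5"}, "asg-db": {"10.0.2.4"}}

def _match_addr(spec, ip):
    if spec == "*":
        return True
    if spec in ASGS:
        return ip in ASGS[spec]
    prefix = VNET if spec == "VirtualNetwork" else spec
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)

def _match_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")  # single port or "lo-hi" range
    return int(lo) <= port <= int(hi or lo)

def rule(name, priority, src, dst, port, proto, access):
    assert 100 <= priority <= 4096 or priority >= 65000, "custom rules use 100-4096"
    return dict(name=name, priority=priority, src=src, dst=dst,
                port=port, proto=proto, access=access)

# Azure's default inbound rules, simplified (the AzureLoadBalancer rule is omitted).
DEFAULT_INBOUND = [
    rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

def evaluate(rules, src_ip, dst_ip, dst_port, proto="Tcp"):
    """Return (access, rule_name) from the first rule matching the inbound flow."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (r["proto"] in ("*", proto) and _match_port(r["port"], dst_port)
                and _match_addr(r["src"], src_ip) and _match_addr(r["dst"], dst_ip)):
            return r["access"], r["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches everything")

# Constructed rule set with a common ordering mistake: the broad HTTPS Allow at
# priority 100 fires before the Deny (200) that was meant to shield the DB ASG.
# Fix: give the targeted Allow, the Deny and the broad Allow priorities 100, 110, 120.
RULES = [
    rule("AllowAnyHttpsIn", 100, "*", "*", "443", "Tcp", "Allow"),
    rule("AllowWebToDb", 110, "asg-web", "asg-db", "1433", "Tcp", "Allow"),
    rule("DenyAnyToDb", 200, "*", "asg-db", "*", "*", "Deny"),
]
```

Running evaluate(RULES, "203.0.113.7", "10.0.2.4", 443) returns the HTTPS Allow even though the Deny for asg-db exists, which is exactly the misconfiguration a rule review should catch.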

Azure Security Center

Provides threat protection for cloud and on-premises resources. Monitors security settings, performs security assessments, uses machine learning to detect and block malware, and provides just-in-time access control for ports to reduce the attack surface.

It is a continuous process of:

detect – assess – diagnose – stabilize – close

Azure Information Protection (AIP) – Microsoft Azure Information Protection (MSIP) is a cloud-based solution that lets an organization classify and, optionally, protect its documents and emails by applying labels.

Azure Advanced Threat Protection (ATP) – Azure ATP is a cloud-based security solution that identifies, detects, and helps organizations investigate advanced threats, compromised identities, and malicious insider actions directed at the organization.

Azure Policy – defines policies for resources to make sure they are compliant.

Role-Based Access Control (RBAC) – fine-grained access management for resources. Configured at the resource level by clicking on “Access Control (IAM)”; roles are used to set those controls.
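An added illustration of the RBAC decision the IAM blade is configuring (this is not Microsoft's code or part of the lab): assignments are inherited down the scope hierarchy, a role's Actions grant, its NotActions only subtract, and one matching assignment is enough. The subscription id, resource group, VM name, principals and assignments are all constructed placeholders.

```python
"""Azure RBAC decision model (added illustration, not Microsoft's code): a role
assignment at a scope is inherited by every child scope, a role's Actions grant
and its NotActions subtract (they are not a deny), and one matching assignment
is enough. Deny assignments and DataActions are left out for brevity."""
from fnmatch import fnmatchcase

# Constructed role definitions in Azure's Actions/NotActions wildcard form.
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*"], "notActions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
# Constructed assignments: (principal, role, scope)
ASSIGNMENTS = [
    ("alice", "Reader", SUB),
    ("alice", "Virtual Machine Contributor", RG),
    ("bob", "Contributor", RG),
]

def _scope_covers(assigned, target):
    """True when target is the assigned scope or a descendant of it."""
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def _matches(action, patterns):
    # Azure action strings and wildcards are case-insensitive; '*' spans '/'
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _role_permits(role, action):
    r = ROLES[role]
    return _matches(action, r["actions"]) and not _matches(action, r["notActions"])

def is_allowed(principal, action, scope):
    """True when at least one assignment at or above `scope` grants `action`."""
    return any(_role_permits(role, action)
               for p, role, s in ASSIGNMENTS
               if p == principal and _scope_covers(s, scope))

def effective_roles(principal, scope):
    """Roles that apply at `scope`, useful to review what inheritance brings in."""
    return sorted(role for p, role, s in ASSIGNMENTS
                  if p == principal and _scope_covers(s, scope))
```

Note that bob's Contributor role cannot write role assignments because of NotActions, while alice's subscription-level Reader silently reaches every resource group, which is why reviews should start from the highest scope.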

Azure Blueprint – a repeatable set of instructions to set up items such as roles, policies, etc.

Azure Monitor – maximizes performance by analyzing resource usage telemetry. Azure Monitor collects, analyzes, and acts on telemetry from your cloud and on-premises environments.

Azure Service Health – includes the following services to provide guidance and support when issues come up: Azure Status, Service Health and Resource Health. Azure Service Health is the correct answer when a global view of the health of Azure services is needed. With Azure Status, a component of Azure Service Health, you can get up-to-the-minute information on service availability.

Service Trust Portal – you can download published audit reports and other compliance-related information about Microsoft’s cloud services from the Service Trust Portal. It provides information about compliance with standards, laws, and regulations, in addition to hosting the Compliance Manager application.

Compliance Manager – enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services.

Azure provides several services to help secure applications running on it. These services cover areas such as Authentication, Authorization, Secret Store, Credentials Store, Certificates and Encryption. The services managing these functions are:

  • Azure Active Directory
  • Azure Key Vault
  • Azure App Service Certificate (TLS Certificates)
  • Data at Rest Encryption (provided in all database and storage services)

The following sections discuss these services further.

Azure Active Directory

Azure AD is an IDPaaS (Identity Provider as a Service). It stores identities and properties for those identities, including user profile information as well as authorization information such as user roles. Therefore, Azure AD can be used for both authentication and authorization. It can also integrate with other IDPs (Identity Providers), such as on-premises IDPs, and can serve cloud-based services (in Azure) or even on-premises services (for example, integrating with Office 365 in the cloud while keeping things like mail servers on premises).

Some of the more advanced features of Azure AD are MFA (Multi-Factor Authentication) and Advanced Threat Detection. Azure AD can use signals such as geo-location to see whether users are authenticating from unlikely locations.

For basic user authentication and authorization, Azure AD is the best service to use. It is also the best option when user profile information needs to be stored.

Azure Key Vault

Azure Key Vault is used for storing keys and other sensitive information. This can include encryption keys, certificate keys and secrets (such as passwords or connection strings). It encrypts the keys, and they can be accessed using an Azure API or SDK. It does not store key properties or other metadata.

Azure Key Vault also provides logging of all operations. All access to the keys is logged.

Azure App Service Certificate

The Azure Certificate service provides TLS certificates. A certificate can be purchased in Azure (which uses GoDaddy.com as the CA) and is stored in Azure Key Vault. Certificate renewal is handled automatically by Azure.

Once a certificate is created it can be used with Azure App Service or any other Azure application. It can also be used for on-premises applications outside of Azure.

Azure Data Encryption

Azure provides data-at-rest encryption for all of its data storage services. Once the feature is enabled, Azure performs the encryption/decryption automatically and manages the key. There is minimal performance impact.

Azure also provides SQL Transparent Data Encryption for its SQL Server databases. This is the same encryption feature as found in SQL Server when used on premises.