{"id":97863,"date":"2019-03-26T13:00:10","date_gmt":"2019-03-26T20:00:10","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=97863"},"modified":"2019-05-06T15:29:16","modified_gmt":"2019-05-06T22:29:16","slug":"8-azure-security-best-practices","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2019\/03\/8-azure-security-best-practices\/","title":{"rendered":"8 Azure Security Best Practices"},"content":{"rendered":"<p>As a natural extension of Microsoft\u2019s on-premises offerings, Azure cloud is enabling hybrid environments. In fact, <a href=\"https:\/\/azure.microsoft.com\/en-us\/overview\/azure-vs-aws\/\" rel=\"nofollow,noopener\" >95% of the Fortune 500<\/a> is using Azure. But there are some common misconceptions when it comes to security.<\/p>\n<p>Oftentimes, organizations jump into Azure with the false belief that the same security controls that apply to AWS or GCP also apply to Azure. This is simply not the case. Outlined below are some common challenges, along with security best practices, to help you mitigate risks and keep your Azure environment secure.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>1. Visibility<\/strong><\/p>\n<p>According to our research, the average lifespan of a cloud resource is two hours and seven minutes. Many companies have environments that involve multiple cloud accounts and regions. This leads to decentralized visibility and makes it difficult to keep track of assets. Since you can\u2019t secure what you can\u2019t see, detecting risks becomes a challenge.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Use a cloud security approach that provides visibility into the volume and types of resources (virtual machines, load balancers, security groups, gateways, etc.) across multiple cloud accounts and regions through a single pane of glass. 
Having visibility and an understanding of your environment enables you to implement more granular and contextual policies, investigate incidents, and reduce risk.<\/p>\n<p>While Microsoft\u2019s cloud native security products, such as Azure Security Center, work well within Azure, monitoring at scale or across clouds requires third-party visibility from platforms such as RedLock from Palo Alto Networks.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>2. Privileges for Active Directory global admin accounts<\/strong><\/p>\n<p>Your Azure Active Directory user accounts with admin privilege have the ability to do the most harm when unauthorized parties acquire access to them. Administrators often forget to limit the scope of what Azure AD users can do.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong> Not even your top admins should have access to the global admin role the vast majority of the time. Make sure you\u2019re creating limited scope roles in RBAC and applying them to resources only when needed. AD users must be protected by multifactor authentication (MFA).<\/p>\n<p>&nbsp;<\/p>\n<p><strong>3. Privilege and scope for all users<\/strong><\/p>\n<p>As with #2 above, it is way too easy to allow your users to have too much privilege. Often, it\u2019s done out of expediency or because you just want to solve that production issue at 3:00 a.m.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Make use of RBAC, ensuring that you limit the permissions needed by entities for a specified role and to a specific scope (subscription, resource group or individual resources). Permissions are only part of the story, however. Make sure you\u2019re coupling RBAC with Azure Resource Manager to assign policies for controlling creation and access to resources and resource groups.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>4. Authentication<\/strong><\/p>\n<p>Lost or stolen credentials are a leading cause of cloud security incidents. 
It is not uncommon to find access credentials to public cloud environments exposed on the internet. Organizations need a way to detect account compromises.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Strong password policies and multifactor authentication should be enforced always. Azure provides several ways to implement MFA protection on your user accounts, but the simplest of these is to <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/howto-mfa-userstates\" rel=\"nofollow,noopener\" >turn on Azure MFA<\/a> by changing the user state.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>5. Access keys<\/strong><\/p>\n<p>As mentioned above, lost or stolen credentials are a leading cause of security incidents. Unfortunately, admins often assign overly permissive access to Azure resources, and the keys used to manage those resources are often given overly permissive privileges. At all times, you should protect those keys from accidental or malicious leaking.<\/p>\n<p><strong>Best Practice: <\/strong>Storing credentials in application source code or configuration files will create the conditions for compromise. Instead, store your API keys, application credentials, password and other sensitive credentials in Azure Key Vault.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>6. Broad IP ranges for security groups and unrestricted outbound traffic<\/strong><\/p>\n<p>Network Security Groups (NSGs) are like firewalling mechanisms that control traffic to Azure VMs and other compute resources. Unfortunately, admins often assign NSGs IP ranges that are broader than necessary. 
Adding to the concern, 85% of resources associated with security groups <a href=\"https:\/\/start.paloaltonetworks.com\/5-key-cloud-security-trends\">don\u2019t restrict outbound traffic at all<\/a>.<\/p>\n<p>Research from Unit 42\u2019s cloud intelligence team also found that an increasing number of organizations were not following network security best practices and had misconfigurations or risky configurations. Industry best practices mandate that outbound access should be restricted to prevent accidental data loss or data exfiltration in the event of a breach.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Limit the IP ranges you assign to each security group so that required connectivity still works but nothing is left open beyond what you need. Additionally, make sure you segment your virtual networks into subnets to control routing to VMs. Finally, ensure that you are restricting or disabling SSH and RDP access to VMs.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>7. Reviewing audit logs<\/strong><\/p>\n<p>Organizations need visibility into user activities to reveal indicators of account compromises, insider threats and other risks. The virtualization that\u2019s the backbone of cloud networks and the ability to use the infrastructure of a very large and experienced third-party vendor afford agility, as privileged users can make changes to the environment as needed. The downside is the potential for insufficient security oversight. To avoid this risk, user activities must be tracked to identify account compromises and insider threats and to confirm that a malicious outsider hasn\u2019t hijacked those accounts. Fortunately, businesses can effectively monitor users when the right technologies are deployed.<\/p>\n<p><strong>Best Practice:<\/strong>\u00a0Monitoring activity logs is key to understanding what\u2019s going on with your Azure resources. 
You can use anomaly detection, such as RedLock\u2019s ML-based UEBA, to detect unusual user activity, excessive login failures or account hijacking attempts, all of which could be indicators of account compromise.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>8. Patch VMs<\/strong><\/p>\n<p>It is your responsibility to ensure the latest security patches have been applied to hosts within your environment. The latest research from Unit 42 provides insight into a related problem. Traditional network vulnerability scanners are most effective for on-premises networks but miss crucial vulnerabilities when they\u2019re used to test cloud networks.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Make sure hosts are patched frequently and that any necessary hotfixes released by your OEM vendors are applied. Also, ensure that new VM images are created with the latest patches and updates for that OS.<\/p>\n<p>Azure recently released <a href=\"https:\/\/www.cisecurity.org\/benchmark\/azure\/\" rel=\"nofollow,noopener\" >Azure CIS 1.1 benchmarks<\/a>, so if Azure is a part of your strategy, I highly encourage you to implement the new benchmarks. RedLock supports Azure CIS 1.0, and we look forward to supporting 1.1 in the near future. If you\u2019re interested in learning how RedLock can help your organization stay secure in the cloud, you can <a href=\"https:\/\/start.paloaltonetworks.com\/redlock-14-day-free-trial.html\">learn more here<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<p><em>Note: While this post may seem similar to our previous <\/em><em><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2019\/02\/8-aws-security-best-practices-mitigate-risk\/\">AWS Security Best Practices post<\/a><\/em><em>, it is important to note that there are significant differences in the way the various cloud platforms operate. 
For Azure, I highly recommend you read and understand Microsoft\u2019s \u201c<\/em><em><a href=\"https:\/\/azure.microsoft.com\/en-us\/resources\/security-best-practices-for-azure-solutions\/\" rel=\"nofollow,noopener\" >Security best practices for Azure solutions<\/a><\/em><em>\u201d white paper.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog post outlines common challenges, along with security best practices, to help you mitigate risks and keep your Azure environment secure.<\/p>\n","protected":false},"author":629,"featured_media":96978,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6717,6768],"tags":[1664,1166],"coauthors":[6726],"class_list":["post-97863","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-products-and-services","category-secure-the-cloud","tag-azure","tag-cloud-security"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/02\/corp-blog-cloud-600x300.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/97863","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/629"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=97863"}],"version-history":[{"count":3,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/97863\/revisions"}],"predecessor-version":[{"id":97871,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/97863\/revisions\/97871"}],"wp:featuredmedia
":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/96978"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=97863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=97863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=97863"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=97863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}