Azure security considerations
For any customer utilising Azure Services, it’s vital that security is at the forefront of your mind. Navigating the complexities of Azure security can seem daunting… Thankfully, the Softcat team has compiled a list of service options that can aid decision making and some security best practices that your organisation can proactively implement to improve your Microsoft Azure Secure Score.
Native options to consider
Take a look through our list of technical considerations that we advise exploring before deployment.
- Centralise your connectivity services.
- Adhere to Cloud Adoption Framework (CAF) or planned deployments.
Logically segment subnets
- Avoid ‘allow rules’ with broad ranges.
- Segment larger address spaces into manageable subnets.
- Use NSGs to create network flow rules between subnets.
Avoid small, specific Virtual Networks and subnets unless necessary
- Allows flexibility, simplicity in design and caters for the fact that most organisations end up putting more resources than initially intended into the cloud.
- Define Application Security Groups - allows for lists of IPs that will be used in the future also allows for the management across multiple NSGs.
Use Virtual Network Appliances
- Firewalls – such as Azure Virtual Firewall.
- Intrusion detection/prevention – essentially Security Information and Event Management (SIEM) tools, such as Azure Sentinel.
- Application Control – Such as Intune; or use Azure AD to create identities for applications which communicate with other services.
- Network anomaly detection.
- Antivirus (AV) – Such as Defender for Cloud
- DDOS Protection – Natively provided free of charge, but a paid for and improved option available in the form of Azure DDOS Protection.
Deploy A DMZ
- Security at the Edge / DMZ
Disable RDP/SSH directly to VMS
Be mindful of the state of your data and what controls are in place to filter access to it.
Data at rest
- Apply disk encryption to VMs.
- Storage accounts and SQL Database variants encrypt data at rest by default.
Data in transit
- It is advisable to use SSL/TLS protocols wherever possible to allows for the movement of data back and forth.
- Data moving from on-premises to the cloud, use Express Route, VPN or ensure HTTPS.
- For moving large datasets between datacentres and the cloud, consider using WAN.
Encrypt your data
- Use Role Based Access control in line with the principle of least privilege to ensure the right people have access to the right data at the right time.
- Consider using Azure Information Protection as part of O365.
- Identity and users should be treated as one of the major priorities of your security outlook in the cloud – a somewhat modernised view over the traditional “network as a stronghold” approach. Network perimeters are getting more porous due to the services available. Intelligent use of Azure Active Directory (AAD) is critical from this perspective.
- Centralise your identity management where possible and establish a single Azure AD instance that is authoritative. This will help increase organisational clarity, reduce security risk from human error and config complexity. Integrate your on-premises directories with Azure AD.
- Use simple but extremely powerful tools like Multi-Factor Authentication (MFA), Single Sign-On (SSO) and Conditional Access (CA), particularly on user profiles that have enhanced privileges or admin status.
- Use Role Based Access Control (RBAC) - it permeates every service and logical structure within Azure. This feature allows you to provide great granularity when deigning which users can access what, in what manner. There is full logging availability for administrators relative to this.
- Actively monitor for suspicious activities while also establishing alert rules. Coupled with “runbooks” or other automation features, this can be an extremely powerful way of detecting and quarantining user security issues as they arise. Tools like Azure Sentinel can also assist here.
How can Softcat support?
If you have concerns with your organisation’s security posture, Softcat has a variety of services to ensure your environment meets Microsoft best practices..
Azure Security and Health Assessment
The Microsoft and Softcat Best Practice Security Assessment for Azure tenants and subscriptions covers several areas such as security, governance, networking, performance and cost optimisation. This service will provide you with an output report outlining areas of improvement, alongside Softcat consultant security recommendations based off the Microsoft Cloud Adoption Framework.
We can help you self-manage your own Cloud Environment across Azure and AWS in a more effective, secure and easy way. Softcat’s Cloud Fundamentals will give you the tools, advice and support you need to ensure your environment is compliant, reliable, and cost-effective, as well as identifying opportunities for optimisation. Our tooling looks at cost, governance, performance, security and much more.
Enhanced Cloud Optimisation
We can provide additional in-depth analysis, guidance and support, focused on the financial management and governance of your cloud environment. This will give you access to a FinOps-certified expert who will deliver detailed business unit-based reports and recommendations for optimising your cloud environment. You’ll also receive additional support from our Solution Architects and Chief Technologists to drive your cloud maturity journey and technology strategy.
Cloud Management Platform
To help you optimise your cloud investments and eliminate waste while ensuring compliance, security, and sustainability, we have created the Cloud Management Platform (CMP). As a single-pane-of-glass, the CMP brings complete transparency to your Public Cloud environments and gives you the power to make effective, data-driven decisions. Crucially, unlike many other platforms, it has not been designed to re-invent the wheel, when many of the Public Cloud providers already offer rich and native access to lots of the core data which drives decision making. Instead, the Softcat CMP centralises this cloud native data, from multiple clouds, to ensure the relevant information is available to the right people at the right time.
The purpose of Softcat’s Cloud Management Platform is to make your interactions with multi-cloud technology simpler. We conducted rigorous customer and market research to ensure the CMP:
- Delivers visibility of crucial cloud data points, such as security posture and compliance, platform telemetry and spend.
- Is commercialised as part of the Softcat Service offering, not a standalone software solution charged as a % of your cloud spend, like many others.
- Integrates with other Softcat systems, so if you’re an existing Softcat customer, it’s quick and easy for you to get access.
Our roadmap is continuously evolving with the opportunity for you to shape the future value of the platform to ensure your cloud strategy stays aligned with your broader corporate social responsibility goals.
Softcat Managed Service
We can manage your Azure environment from the Operating System (OS) layer down. Our Softcat Managed Service removes complexities and enables you to focus on your strategic and business goals for Cloud instead.
This service module includes:
- Monitoring and responding to/remediating alerts on behalf your behalf
- Essential and security patching
- Security Posture Management
- Service Assurance
- Azure Governance
- Azure Backup
- Proactive monthly Cloud Intelligence Analyst reporting and recommendations to help you optimise your cloud spend and resource utilisation.
Manage & Operate also offers support for both Windows and Linux machines.