Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

Native Azure Security Tools

This blog explores the significance of security in Azure environments and provides an overview of native as well as third-party security tools available to improve an organization’s Azure security stance.

Wiz Experts Team
8 min read

Intro

In today's digital landscape, security is paramount, especially within cloud environments like Azure. The critical importance of safeguarding data, applications, and infrastructure against ever-evolving threats cannot be stressed enough. To ensure that resources are valid, secure and available, customers must have strong security measures in place.

This blog explores the significance of security in Azure environments and provides an overview of native as well as third-party security tools available to improve an organization’s Azure security stance.

Top tools for Azure security

Azure offers a wide range of security tools, addressing key areas such as identity and access management (IAM), data protection, network and application security, compliance management, and threat detection. 

While data protection techniques encrypt sensitive data and implement access rules, IAM helps implement the principle of least privilege. Meanwhile, network and application security solutions help defend against dangers like DDoS attacks and intrusion detection, and threat detection solutions leverage advanced analytics to quickly identify and address security problems. Lastly, compliance management tools simplify regulatory adherence. 

We’ll be reviewing some of the tools that address these key areas, offering insights into their functionalities and advantages.

Identity and access management (IAM)

Microsoft Entra ID (formerly Azure Active Directory) acts as a centralized IAM solution for user identities, ensuring all access requests go through a unified system in Azure. It offers the following features and benefits for securing workloads in Azure.

Fine-grained access control 

The identities in Microsoft Entra ID can be used to implement fine-grained access control via role-based access control (RBAC). Following the principle of least privilege, users can restrict access to resources with both built-in or custom roles. 

Single sign-on 

If you’re already using other identity management services, you can integrate these with Microsoft Entra ID using federation, linked sign-on, or passwords. The federation options include OpenID Connect (OIDC), SAML, and OAuth, ensuring a seamless experience for users.

Microsoft Entra ID unified IAM

Multi-factor authentication

Microsoft Entra ID allows you to implement an additional layer of authentication beyond a username and password. There are multiple options available to do this, including Microsoft Authenticator, Windows Hello for Business, OATH hardware/software tokens, and FIDO security keys. 

Identity protection 

This feature provides automated risk and threat detection to prevent identity compromise powered by machine learning (ML) models. The adaptive security control and conditional access policies based on user risk data and sign-on patterns help implement comprehensive security guardrails for IAM.

Application integration

Microsoft EntraID offers out-of-the-box integration with several Microsoft and non-Microsoft applications. This helps implement a unified identity strategy in combination with techniques such as single sign-on.

Data protection

Protecting sensitive information across complex Azure deployments can be challenging. Let’s take a look at some of the native tools in Azure that help safeguard your data.

Azure Key Vault

Azure Key Vault safeguards your critical secrets in Azure. These include encryption keys, passwords, tokens, and certificates required to protect your data and prevent unauthorized access. 

Key Vault offers the following features: 

  • Centralized management of secrets: Used by your apps and services in the cloud; no need to hard code the access details, just point it to Key Vault through secure URIs

  • Secure access: RBAC for secrets via Microsoft Entra ID; authorizes the management of Key Vault; access policies ensure authorized access to data stored in the vault

  • Governance and visibility: Built-in monitoring capabilities to audit the usage of keys and secrets stored in Key Vault; secure key generation and rotation to protect application keys and secrets

Azure Key Vault administration

Azure Sentinel

Azure Sentinel serves as Azure’s native security information and event management (SIEM) tool for multi-cloud and on-premises environments; it is also a security orchestration, automation and response (SOAR) solution. Using built-in data connectors, you can consolidate information from various sources, analyze them to detect threats, and respond to incidents. 

Azure Sentinel comes with the following features:

  • Threat detection: Continuously analyzes data from various sources to identify the root cause of security threats

  • Incident response: Fast-tracks incident response for identified threats via built-in automation and orchestration features available through playbooks 

  • Threat hunting: Engine based on the MITRE framework that proactively identifies security threats; Jupyter notebooks and integration with the Azure Machine Learning workspace reinforces threat hunting capabilities

Azure sentinel automation

Azure Purview

Data governance is crucial for ensuring the security and compliance of your information. Azure Purview helps with the governance of data across diverse environments, through capabilities such as automated data discovery, data-lineage visibility, and data classification. 

Some of Purview’s notable features and benefits are:

  • Data catalog: Provides a unified catalog of your data estate creating a holistic view of what data you have and where it resides

  • Data lineage: Shows how data flows in your cloud environment, as well as how it is used and transformed

  • Data classification: Robust capabilities to classify sensitive data in your system and understand how it is used

  • Data security: Data loss prevention, information protection, insider risk management, and privileged access management to protect sensitive data

Network & application security

In today’s landscape of continuously evolving security threats, implementing the right network and application security tools is important to ensure multi-layered security. Azure offers several solutions for this purpose. 

Network security groups (NSGs)

NSGs offer basic firewall capabilities in Azure through monitoring and filtering ingress and egress traffic to your Azure Virtual Networks. 

  • Security rules: Create five-tuple (source, source port, destination, destination port, and protocol) security rules for granular filtering of ingress and egress traffic 

  • Prioritization: Assign priorities that dictate how rules are applied

  • Flexible deployment: Apply rules across entire networks, subnets, or specific VM network interfaces depending on the granularity of traffic filtering required

  • Augmented rules: Create fewer rules and augment them with service tags and application security groups for large complex networks; helps minimize complexity through the grouping of IP prefixes associated with Azure services 

  • Application security groups: Help group together resources associated with specific applications and apply NSG rules across them at scale

Network security group traffic filtering

Azure distributed denial of service (DDoS) Protection

Azure DDoS Protection helps safeguard Azure deployments from organized DDoS attacks that aim to overwhelm your applications, rendering them inaccessible to legitimate users. Azure DDoS Protection comes in two tiers: DDoS Network Protection and DDoS IP Protection. 

Network Protection can be enabled across a set of virtual networks protecting all connected resources in it. IP Protection is available in a pay-per-protected IP model, which can be applied to specific public IPs; it also offers additional services such as cost protection, discounts, and DDoS rapid response support.

Azure DDoS Protection offers the following features:

  • Always-on protection: Automatically and continuously monitors app traffic patterns to detect and automatically mitigate DDoS attacks; adaptive tuning capabilities to adjust to traffic patterns

  • Multi-layered: Defends resources across layers 3, 4, and 7 when combined with a web application firewall (WAF), either Azure WAF or third-party solutions from the Azure Marketplace

  • Scalable mitigation: Provides extensive attack mitigation capabilities at scale across L3/L4 attacks

  • Integrated protection: Automatically protects all resources in the network by enabling Azure DDoS Protection across the target virtual networks

  • Attack analysis and alerts: Offers advanced attack monitoring, analysis, and customizable alerts; ML-tailored protection for each IP, with real-time attack insights during an event 

  • Detailed reports and metrics: Generates reports and metrics from ongoing analysis throughout the attack lifecycle and post-attack analysis

Azure DDoS protection architecture

Azure WAF simplifies the application protection process without extensive maintenance, monitoring, and patching of application code using the following features:

  • Multi-service integration: Allows for integration with Azure Front Door, Azure Application Gateway, and Azure Content Delivery Network (CDN) for extensive protection of frontend services

  • Wide spectrum protection: Protects against a wide range of common web attack vectors such as local file inclusion, PHP injection, remote command execution, and remote file execution 

  • Managed rule set: Provides managed rules that help detect common vulnerabilities and align with Common Vulnerabilities and Exposures (CVE), core rule set (CRS) groups defined by the Open Web Application Security Project (OWASP), and Microsoft threat intelligence

  • Alerts and custom rules: Integrates with Azure Monitor for real-time alerts based on detected threats; customization allows for specific app requirements

Two modes of operation: Detection mode (works in log-only mode) for when a rule is violated; prevention mode for applying the rule to block the attack

Azure WAF architecture

Compliance management

Compliance management tools like Azure Policy and Microsoft Defender for Cloud help organizations adhere to regulatory standards and industry best practices while deploying workloads in the cloud.

Azure Policy

Azure Policy helps implement security standards and assess organizational-specific compliance requirements. It helps define and enforce rules that govern how resources are created, configured, and managed using:

  • Policy definitions: Predefined and custom policies that help implement standards for ensuring resource standards, cost management, and security; e.g., authentication to Linux machines through SSH keys. 

  • Initiatives: Made up of multiple Azure policies to manage overarching security goals; help simplify Azure policy management, especially in large complex deployments

  • RBAC permissions: Control access to Azure policy resources 

  • Remediation tasks: Can be created in Azure Policy to address non-compliant resources and enforce compliance

Microsoft Defender for Cloud

This tool is a cloud native application protection platform (CNAPP) that helps you secure your Azure, hybrid, and multi-cloud environments. Microsoft Defender for Cloud combines the capabilities of a DevSecOps solution, a cloud secure posture management (CSPM) solution, and a cloud workload protection platform (CWPP)

Centralized protection 

Microsoft Defender for Cloud helps implement consistent security protection across multiple environments. It is aligned with the Microsoft Cloud Security Benchmark, which has best practice guidelines for resources across Azure and other cloud platforms.

Secure score

Microsoft Defender for Cloud qualifies the security posture of your environment through the secure score. You can review the recommendations provided by the tool and implement them to improve the score.

Attack path analysis

You can write queries to analyze traffic patterns in the network and identify risks using the attack path analysis feature of Microsoft Defender for Cloud. It uses a graph-based algorithm and contextual information for comprehensive attack path analysis.

Microsoft Defender dashboard
CSPM capabilities 

These provide visibility into the security state of Azure workloads and actionable recommendations to improve your security posture. In addition to cloud environments, it can be connected with third-party systems through built-in integrations.

Threat detection

Azure offers a robust vulnerability assessment solution, Microsoft Defender Vulnerability Management, to identify and address potential security threats that could impact deployed workloads.

Let’s take a look at some of the features and capabilities of this tool: 

  • Multi-cloud support: Scans virtual machines across multiple cloud environments to identify vulnerabilities

  • OS scanning: Supports vulnerability scanning of all leading operating systems, Windows, Linux, Android, and iOS

  • Actionable recommendations: Creates a report with associated CVE reference and remediation steps based on findings from scans consolidated across subscriptions 

  • Findings management: Flexibility to disable specific findings that don’t need to be addressed in your environment, e.g., findings that will lower severity ratings or warning messages

Threat and vulnerability management Dashboard

Enhancing Azure security with third-party tools

While Azure offers a comprehensive set of native security tools, it’s important to gain deeper visibility and have access to specialized functionalities to combat evolving threats. That is where Wiz can help.

Wiz goes beyond a simple security tool, offering a comprehensive CNAPP specifically designed for Azure. This translates into a single unified solution for managing all your Azure security needs.

Cloud security posture management (CSPM)

The agentless design of the Wiz CNAPP solution simplifies deployment and reduces overhead. What truly sets Wiz apart is its ability to provide 100% visibility across your entire cloud landscape. Whether you use Azure, another cloud provider, or even a mix of both, Wiz offers a unified solution that can scan virtual machines (VMs), serverless resources, data volumes, databases, and other platform-as-a-service (PaaS) offerings.

Centralized visibility 

The security landscape scanned by Wiz can be visualized through a graph-based system, giving you a clear understanding of how your cloud resources connect and how potential security risks might propagate. The streamlined approach to multi-cloud security empowers you to make informed decisions.

Cloud detection and response (CDR)

Wiz’s CDR capabilities provide contextual information on threats and implement real-time remedial action. You can also correlate threats and audit logs to detect and prevent lateral movements.

Data security posture management (DSPM) 

Wiz helps ensure the security of your sensitive data stored in Azure by actively scanning for potential paths of exposure that would compromise personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, access credentials, and other sensitive data. Wiz’s proactive approach empowers you to take steps to secure your data and minimize the risk of breaches.

See Wiz in action for yourself. Sign up for a demo today to learn more!

Agentless full stack coverage of your Azure workloads in minutes

Learn why CISOs at the fastest growing companies choose Wiz to get complete visibility into their Azure environments.

Get a demo

Continue reading

Azure Security Risks & Mitigation Steps

Wiz Experts Team

This article offers an extensive examination of Azure environments’ most pressing security risks along with suggested approaches for effectively mitigating these challenges.

Remote Code Execution Attacks Explained

Wiz Experts Team

Remote code execution refers to a security vulnerability through which malicious actors can remotely run code on your systems or servers.

Cloud Sprawl Explained

Wiz Experts Team

Cloud sprawl is a phenomenon that involves the unmanaged growth of cloud-based resources and services.

CSPM vs DSPM: Why You Need Both

Wiz Experts Team

Discover the similarities between CSPM and DSPM, what factors set them apart, and which one is the best choice for your organization’s needs.

Container monitoring explained

Container monitoring is the process of collecting, analyzing, and reporting metrics and data related to the performance and health of containerized applications and their hosting environments.

Data Exfiltration Explained

Wiz Experts Team

Data exfiltration is when sensitive data is accessed without authorization or stolen. Just like any data breach, it can lead to financial loss, reputational damage, and business disruptions.