Native Azure Security Tools

This blog explores the significance of security in Azure environments and provides an overview of native as well as third-party security tools available to improve an organization’s Azure security stance.

Wiz Experts Team
8 min read

Intro

In today's digital landscape, security is paramount, especially within cloud environments like Azure. The critical importance of safeguarding data, applications, and infrastructure against ever-evolving threats cannot be stressed enough. To ensure that resources are valid, secure and available, customers must have strong security measures in place.

Top tools for Azure security

Azure offers a wide range of security tools, addressing key areas such as identity and access management (IAM), data protection, network and application security, compliance management, and threat detection. 

Data protection techniques encrypt sensitive data and enforce access rules, while IAM helps implement the principle of least privilege. Network and application security solutions defend against threats such as DDoS attacks and intrusions, and threat detection solutions use advanced analytics to identify and address security problems quickly. Lastly, compliance management tools simplify regulatory adherence.

We’ll be reviewing some of the tools that address these key areas, offering insights into their functionalities and advantages.

Identity and access management (IAM)

Microsoft Entra ID (formerly Azure Active Directory) acts as a centralized IAM solution for user identities, ensuring all access requests go through a unified system in Azure. It offers the following features and benefits for securing workloads in Azure.

Fine-grained access control 

The identities in Microsoft Entra ID can be used to implement fine-grained access control via role-based access control (RBAC). Following the principle of least privilege, you can restrict access to resources with either built-in or custom roles.
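To make the RBAC evaluation concrete, the following added example (written for this article, not Microsoft's code and not the Azure RBAC engine) models the documented decision rules: an assignment applies when the resource sits under the assignment's scope, a role permits an action when it matches an entry in Actions and none in NotActions, and a principal's effective permissions are the union across their assignments. The role definitions use the real JSON field names; the "VM Operator (example)" custom role, the principals, the assignments and the all-zero subscription id are constructed placeholders, and the Contributor entry is an abbreviated model of the built-in role.

```python
"""Model of how Azure RBAC decides whether an action is authorized.

Added example, not Microsoft's code. Role definitions use the real field names
(Actions, NotActions, AssignableScopes); the custom role, principals,
assignments and subscription id are constructed for illustration.
"""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

ROLES = {
    # Built-in Reader: every read operation, nothing else.
    "Reader": {"IsCustom": False, "Actions": ["*/read"], "NotActions": []},
    # Abbreviated model of built-in Contributor: everything except managing
    # role assignments, which is what separates it from Owner.
    "Contributor": {
        "IsCustom": False,
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    # Constructed least-privilege custom role: operate VMs, never create or delete them.
    "VM Operator (example)": {
        "IsCustom": True,
        "Description": "Start, stop and restart VMs without create/delete rights",
        "Actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
            "Microsoft.Compute/virtualMachines/deallocate/action",
        ],
        "NotActions": [],
        "AssignableScopes": [SUB],
    },
}

# Constructed assignments: who holds which role, and at what scope.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": SUB},
    {"principal": "bob", "role": "VM Operator (example)", "scope": f"{SUB}/resourceGroups/rg-web"},
    {"principal": "carol", "role": "Contributor", "scope": SUB},
]


def action_matches(pattern: str, action: str) -> bool:
    """RBAC wildcard match: '*' spans any characters, including '/' separators;
    operation names are compared case-insensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_permits(role: dict, action: str) -> bool:
    """Effective permissions of one role: Actions minus NotActions."""
    allowed = any(action_matches(p, action) for p in role["Actions"])
    excluded = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not excluded


def in_scope(scope: str, resource_id: str) -> bool:
    """An assignment at a scope covers that scope and everything beneath it."""
    rid, s = resource_id.lower(), scope.lower()
    return rid == s or rid.startswith(s + "/")


def is_authorized(principal: str, action: str, resource_id: str,
                  assignments=ASSIGNMENTS, roles=ROLES) -> bool:
    """Union over the principal's in-scope assignments; any permitting role wins.
    (Azure deny assignments, which override allows, are outside this model.)"""
    return any(
        role_permits(roles[a["role"]], action)
        for a in assignments
        if a["principal"] == principal and in_scope(a["scope"], resource_id)
    )


if __name__ == "__main__":
    vm = f"{SUB}/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01"
    for who, act in [("alice", "Microsoft.Compute/virtualMachines/read"),
                     ("alice", "Microsoft.Compute/virtualMachines/start/action"),
                     ("bob", "Microsoft.Compute/virtualMachines/start/action"),
                     ("bob", "Microsoft.Compute/virtualMachines/delete")]:
        print(f"{who:6} {act:50} -> {is_authorized(who, act, vm)}")
```

The custom role is the least-privilege pattern the paragraph describes: bob can operate VMs in one resource group but cannot delete them or touch anything in another resource group, and the NotActions entries on Contributor show how a broad role is kept from granting itself more access.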

Single sign-on 

If you’re already using other identity management services, you can integrate them with Microsoft Entra ID using federation, linked sign-on, or password-based sign-on. The federation options include OpenID Connect (OIDC), SAML, and OAuth, giving users a seamless experience.

Figure: Microsoft Entra ID unified IAM

Multi-factor authentication

Microsoft Entra ID allows you to implement an additional layer of authentication beyond a username and password. There are multiple options available to do this, including Microsoft Authenticator, Windows Hello for Business, OATH hardware/software tokens, and FIDO security keys. 

Identity protection 

This feature provides automated, ML-powered risk and threat detection to prevent identity compromise. Adaptive security controls and conditional access policies based on user risk data and sign-in patterns help implement comprehensive security guardrails for IAM.

Application integration

Microsoft Entra ID offers out-of-the-box integration with several Microsoft and non-Microsoft applications. This helps implement a unified identity strategy in combination with techniques such as single sign-on.

Data protection

Protecting sensitive information across complex Azure deployments can be challenging. Let’s take a look at some of the native tools in Azure that help safeguard your data.

Azure Key Vault

Azure Key Vault safeguards your critical secrets in Azure. These include encryption keys, passwords, tokens, and certificates required to protect your data and prevent unauthorized access. 

Key Vault offers the following features: 

  • Centralized management of secrets: Used by your apps and services in the cloud; no need to hard-code access details, just point your code at Key Vault through secure URIs

  • Secure access: RBAC for secrets via Microsoft Entra ID; authorizes the management of Key Vault; access policies ensure authorized access to data stored in the vault

  • Governance and visibility: Built-in monitoring capabilities to audit the usage of keys and secrets stored in Key Vault; secure key generation and rotation to protect application keys and secrets

Figure: Azure Key Vault administration

Azure Sentinel

Azure Sentinel serves as Azure’s native security information and event management (SIEM) tool for multi-cloud and on-premises environments; it is also a security orchestration, automation and response (SOAR) solution. Using built-in data connectors, you can consolidate information from various sources, analyze it to detect threats, and respond to incidents.

Azure Sentinel comes with the following features:

  • Threat detection: Continuously analyzes data from various sources to identify the root cause of security threats

  • Incident response: Fast-tracks incident response for identified threats via built-in automation and orchestration features available through playbooks 

  • Threat hunting: Engine based on the MITRE framework that proactively identifies security threats; Jupyter notebooks and integration with the Azure Machine Learning workspace reinforce threat hunting capabilities

Figure: Azure Sentinel automation

Azure Purview

Data governance is crucial for ensuring the security and compliance of your information. Azure Purview helps with the governance of data across diverse environments, through capabilities such as automated data discovery, data-lineage visibility, and data classification. 

Some of Purview’s notable features and benefits are:

  • Data catalog: Provides a unified catalog of your data estate creating a holistic view of what data you have and where it resides

  • Data lineage: Shows how data flows in your cloud environment, as well as how it is used and transformed

  • Data classification: Robust capabilities to classify sensitive data in your system and understand how it is used

  • Data security: Data loss prevention, information protection, insider risk management, and privileged access management to protect sensitive data

Network & application security

In today’s landscape of continuously evolving security threats, implementing the right network and application security tools is important to ensure multi-layered security. Azure offers several solutions for this purpose. 

Network security groups (NSGs)

NSGs offer basic firewall capabilities in Azure through monitoring and filtering of ingress and egress traffic to your Azure virtual networks.

  • Security rules: Create five-tuple (source, source port, destination, destination port, and protocol) security rules for granular filtering of ingress and egress traffic 

  • Prioritization: Assign priorities that dictate how rules are applied

  • Flexible deployment: Apply rules across entire networks, subnets, or specific VM network interfaces depending on the granularity of traffic filtering required

  • Augmented rules: Create fewer rules and augment them with service tags and application security groups for large complex networks; helps minimize complexity through the grouping of IP prefixes associated with Azure services 

  • Application security groups: Help group together resources associated with specific applications and apply NSG rules across them at scale
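The bullets above describe five-tuple rules, priorities, and augmented rules with service tags, but the security-relevant behaviour is in how the rules are evaluated. The following added example (written for this article, not Microsoft's code) models that evaluation: per direction, rules are checked from the lowest priority number upward, the first match decides, and the platform's default rules at priority 65000 and above catch whatever is left. The custom rules and the VirtualNetwork address space are constructed for the example; the AzureLoadBalancer tag is modelled as the platform's 168.63.129.16 probe address, and the Internet tag as any address outside the virtual network.

```python
"""Model of how an Azure network security group evaluates its rules.

Added example, not Microsoft's code: rules are evaluated per direction from the
lowest priority number upward, the first five-tuple match decides, and the
default rules (65000+) catch anything left. Custom rules, the VNet prefix and
the service-tag contents are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules use 100-4096; lower number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    source: str          # CIDR, comma-separated list, service tag, or "*"
    source_port: str     # port, "lo-hi" range, comma-separated list, or "*"
    destination: str
    destination_port: str


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


VNET_PREFIXES = ["10.0.0.0/16"]                     # constructed VNet address space
SERVICE_TAGS = {"VirtualNetwork": VNET_PREFIXES,
                "AzureLoadBalancer": ["168.63.129.16/32"]}  # platform probe address


def _match_port(spec: str, port: int) -> bool:
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def _match_addr(spec: str, ip: str) -> bool:
    addr = ip_address(ip)
    in_vnet = any(addr in ip_network(p) for p in VNET_PREFIXES)
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        if part == "Internet":          # address space outside the virtual network
            if not in_vnet:
                return True
            continue
        if any(addr in ip_network(p) for p in SERVICE_TAGS.get(part, [part])):
            return True
    return False


def _match_proto(spec: str, proto: str) -> bool:
    return spec == "*" or spec.lower() == proto.lower()


def evaluate(rules, flow: Flow):
    """Return (access, rule_name) from the first rule matching the flow."""
    for r in sorted((r for r in rules if r.direction == flow.direction), key=lambda r: r.priority):
        if (_match_proto(r.protocol, flow.protocol)
                and _match_addr(r.source, flow.src_ip)
                and _match_port(r.source_port, flow.src_port)
                and _match_addr(r.destination, flow.dst_ip)
                and _match_port(r.destination_port, flow.dst_port)):
            return r.access, r.name
    return "Deny", "<no matching rule>"  # unreachable while the default rules are present


DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed custom rules: SSH only from an admin subnet, web from anywhere, an
# explicit deny for SSH from the internet. The web rule is an augmented rule
# with a port list, replacing two single-port rules.
CUSTOM_RULES = [
    Rule("AllowSshFromAdminSubnet", 100, "Inbound", "Allow", "Tcp", "10.0.0.0/24", "*", "*", "22"),
    Rule("AllowWebFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "80,443"),
    Rule("DenySshFromInternet", 300, "Inbound", "Deny", "Tcp", "Internet", "*", "*", "22"),
]
ALL_RULES = CUSTOM_RULES + DEFAULT_RULES
```

Running `evaluate(ALL_RULES, Flow("Inbound", "Tcp", "10.0.5.9", 40000, "10.0.1.4", 22))` shows the detail worth checking in any real NSG review: SSH from a host elsewhere in the same virtual network is still allowed by the default AllowVnetInBound rule, because the custom deny only covers the Internet tag. Closing that path needs an explicit deny rule at a lower priority number.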

Figure: Network security group traffic filtering

Azure distributed denial of service (DDoS) Protection

Azure DDoS Protection helps safeguard Azure deployments from organized DDoS attacks that aim to overwhelm your applications, rendering them inaccessible to legitimate users. Azure DDoS Protection comes in two tiers: DDoS Network Protection and DDoS IP Protection. 

Network Protection can be enabled across a set of virtual networks, protecting all resources connected to them. IP Protection is available in a pay-per-protected-IP model, which can be applied to specific public IPs; it also offers additional services such as cost protection, discounts, and DDoS rapid response support.

Azure DDoS Protection offers the following features:

  • Always-on protection: Automatically and continuously monitors app traffic patterns to detect and automatically mitigate DDoS attacks; adaptive tuning capabilities to adjust to traffic patterns

  • Multi-layered: Defends resources across layers 3, 4, and 7 when combined with a web application firewall (WAF), either Azure WAF or third-party solutions from the Azure Marketplace

  • Scalable mitigation: Provides extensive attack mitigation capabilities at scale across L3/L4 attacks

  • Integrated protection: Automatically protects all resources in the network by enabling Azure DDoS Protection across the target virtual networks

  • Attack analysis and alerts: Offers advanced attack monitoring, analysis, and customizable alerts; ML-tailored protection for each IP, with real-time attack insights during an event 

  • Detailed reports and metrics: Generates reports and metrics from ongoing analysis throughout the attack lifecycle and post-attack analysis

Figure: Azure DDoS Protection architecture

Azure Web Application Firewall (WAF)

Azure WAF simplifies protecting web applications, without extensive maintenance, monitoring, and patching of application code, using the following features:

  • Multi-service integration: Allows for integration with Azure Front Door, Azure Application Gateway, and Azure Content Delivery Network (CDN) for extensive protection of frontend services

  • Wide spectrum protection: Protects against a wide range of common web attack vectors such as local file inclusion, PHP injection, remote command execution, and remote file execution 

  • Managed rule set: Provides managed rules that help detect common vulnerabilities and align with Common Vulnerabilities and Exposures (CVE), core rule set (CRS) groups defined by the Open Web Application Security Project (OWASP), and Microsoft threat intelligence

  • Alerts and custom rules: Integrates with Azure Monitor for real-time alerts based on detected threats; customization allows for specific app requirements

  • Two modes of operation: Detection mode logs rule violations without blocking; prevention mode enforces the rule and blocks the attack

Figure: Azure WAF architecture

Compliance management

Compliance management tools like Azure Policy and Microsoft Defender for Cloud help organizations adhere to regulatory standards and industry best practices while deploying workloads in the cloud.

Azure Policy

Azure Policy helps implement security standards and assess organizational-specific compliance requirements. It helps define and enforce rules that govern how resources are created, configured, and managed using:

  • Policy definitions: Predefined and custom policies that enforce standards for resource consistency, cost management, and security; e.g., requiring SSH-key authentication for Linux machines

  • Initiatives: Made up of multiple Azure policies to manage overarching security goals; help simplify Azure policy management, especially in large complex deployments

  • RBAC permissions: Control access to Azure policy resources 

  • Remediation tasks: Can be created in Azure Policy to address non-compliant resources and enforce compliance
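A policy definition is only as good as its `if` condition, so it is worth exercising one against sample resources before assigning it. The following added example (written for this article, not the Azure Policy engine or any Microsoft SDK) implements the subset of the policy rule language it uses (field conditions with equals, notEquals, exists and in, combined with allOf, anyOf and not) and evaluates a definition modelled on the SSH-key example in the bullets above. The definition, the sample resources and the alias spelling under `Microsoft.Compute/virtualMachines/osProfile...` are constructed assumptions for the example; alias resolution is simplified to walking the resource's `properties` by the dotted path.

```python
"""Offline evaluation of an Azure Policy definition against resource documents.

Added example, not the Azure Policy engine. Supports the rule-language subset
used below (field + equals/notEquals/exists/in, allOf, anyOf, not). Alias
resolution is simplified: '<resourceType>/<dotted.path>' is looked up under
'properties'. The definition, alias spelling and sample resources are
constructed assumptions for illustration.
"""
import json

LINUX_CFG = "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration"  # assumed alias

REQUIRE_SSH_KEYS = {"properties": {
    "displayName": "Deny Linux VMs that accept password authentication",
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": LINUX_CFG, "exists": "true"},
            {"field": LINUX_CFG + ".disablePasswordAuthentication", "notEquals": "true"},
        ]},
        "then": {"effect": "deny"},
    },
}}

# Constructed sample resources in the shape of ARM resource documents.
VM_TYPE = "Microsoft.Compute/virtualMachines"
LINUX_VM_KEYS_ONLY = {"type": VM_TYPE, "name": "web01", "properties": {
    "osProfile": {"linuxConfiguration": {"disablePasswordAuthentication": True}}}}
LINUX_VM_PASSWORD = {"type": VM_TYPE, "name": "web02", "properties": {
    "osProfile": {"linuxConfiguration": {"disablePasswordAuthentication": False}}}}
LINUX_VM_UNSET = {"type": VM_TYPE, "name": "web03", "properties": {
    "osProfile": {"linuxConfiguration": {}}}}   # property omitted: assumed default is password auth on
WINDOWS_VM = {"type": VM_TYPE, "name": "win01", "properties": {
    "osProfile": {"windowsConfiguration": {"provisionVMAgent": True}}}}
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "logs01", "properties": {}}


def _norm(value):
    """Azure Policy compares strings case-insensitively; booleans read as 'true'/'false'."""
    if value is None:
        return None
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def resolve_field(resource, field):
    """Top-level fields map directly; aliases walk into 'properties' by dotted path."""
    if field in ("type", "name", "location", "kind", "id", "tags"):
        return resource.get(field)
    prefix = resource.get("type", "") + "/"
    if not field.lower().startswith(prefix.lower()):
        return None                       # alias belongs to another resource type
    node = resource.get("properties")
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def evaluate_condition(cond, resource):
    """Recursively evaluate a policy condition to True (matched) or False."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "in" in cond:
        return _norm(value) in {_norm(v) for v in cond["in"]}
    raise ValueError("unsupported condition: " + json.dumps(cond))


def evaluate_policy(definition, resource):
    """Return the effect the policy would apply ('deny', 'audit', ...) or 'compliant'."""
    rule = definition["properties"]["policyRule"]
    if evaluate_condition(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return "compliant"
```

The `exists` clause is the part that matters for the edge cases: without it, a Windows VM (which has no `linuxConfiguration`) would also be denied, and the `notEquals` comparison makes a Linux VM that omits `disablePasswordAuthentication` non-compliant rather than silently passing, which is the intent when the platform default leaves password authentication enabled.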

Microsoft Defender for Cloud

This tool is a cloud-native application protection platform (CNAPP) that helps you secure your Azure, hybrid, and multi-cloud environments. Microsoft Defender for Cloud combines the capabilities of a DevSecOps solution, a cloud security posture management (CSPM) solution, and a cloud workload protection platform (CWPP).

Centralized protection 

Microsoft Defender for Cloud helps implement consistent security protection across multiple environments. It is aligned with the Microsoft Cloud Security Benchmark, which has best practice guidelines for resources across Azure and other cloud platforms.

Secure score

Microsoft Defender for Cloud quantifies the security posture of your environment through the secure score. You can review the recommendations provided by the tool and implement them to improve the score.

Attack path analysis

Using the attack path analysis feature of Microsoft Defender for Cloud, you can write queries that analyze traffic patterns in the network and identify risks. It applies a graph-based algorithm together with contextual information to give a comprehensive view of attack paths.

Figure: Microsoft Defender dashboard

CSPM capabilities

These provide visibility into the security state of Azure workloads and actionable recommendations to improve your security posture. In addition to cloud environments, it can be connected with third-party systems through built-in integrations.

Threat detection

Azure offers a robust vulnerability assessment solution, Microsoft Defender Vulnerability Management, to identify and address potential security threats that could impact deployed workloads.

Let’s take a look at some of the features and capabilities of this tool: 

  • Multi-cloud support: Scans virtual machines across multiple cloud environments to identify vulnerabilities

  • OS scanning: Supports vulnerability scanning of all leading operating systems: Windows, Linux, Android, and iOS

  • Actionable recommendations: Creates a report with associated CVE reference and remediation steps based on findings from scans consolidated across subscriptions 

  • Findings management: Flexibility to disable specific findings that don’t need to be addressed in your environment, e.g., findings with low severity ratings or warning messages

Figure: Threat and vulnerability management dashboard

Enhancing Azure security with third-party tools

While Azure offers a comprehensive set of native security tools, it’s important to gain deeper visibility and have access to specialized functionalities to combat evolving threats. That is where Wiz can help.

Wiz goes beyond a simple security tool, offering a comprehensive CNAPP specifically designed for Azure. This translates into a single unified solution for managing all your Azure security needs.

Cloud security posture management (CSPM)

The agentless design of the Wiz CNAPP solution simplifies deployment and reduces overhead. What truly sets Wiz apart is its ability to provide 100% visibility across your entire cloud landscape. Whether you use Azure, another cloud provider, or even a mix of both, Wiz offers a unified solution that can scan virtual machines (VMs), serverless resources, data volumes, databases, and other platform-as-a-service (PaaS) offerings.

Centralized visibility 

The security landscape scanned by Wiz can be visualized through a graph-based system, giving you a clear understanding of how your cloud resources connect and how potential security risks might propagate. The streamlined approach to multi-cloud security empowers you to make informed decisions.

Cloud detection and response (CDR)

Wiz’s CDR capabilities provide contextual information on threats and implement real-time remedial action. You can also correlate threats and audit logs to detect and prevent lateral movements.

Data security posture management (DSPM) 

Wiz helps ensure the security of your sensitive data stored in Azure by actively scanning for potential paths of exposure that would compromise personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, access credentials, and other sensitive data. Wiz’s proactive approach empowers you to take steps to secure your data and minimize the risk of breaches.
