Azure Defense-in-Depth security
This post is a part of Azure Spring Clean which is a community event focused on Azure management topics throughout the month of February. Many thanks to Joe Carlyle and Thomas Thornton for organizing this event and allowing me to contribute on the bonus day (February 29th). In this post, I am going to briefly talk about what Defense-in-depth is and how Azure provides tools and services to achieve that.
Defense-in-depth is a security risk management approach that defines multiple layers of security controls in an IT environment so that if a security attack is not caught by one layer, it will probably be caught by next. The multiple layers increase the overall security score of the environment and reduce the probability of a security breach by a huge margin.
Sometimes, defense-in-depth is also referred to as the “Castle defense” as it resembles the security defense techniques employed in castles historically where an enemy had to first cross multiple barriers at the castle’s periphery before attacking the castle.
With the rapid expansion of cloud computing, the need for the Defense-in-Depth strategy has increased many folds. Here is a snapshot of the different security layers in a cloud environment:
Cloud security is a shared responsibility. Each of the security layers is the responsibility of either the cloud provider or the customer. In the case of Azure, below is a snapshot of each of the security layer:
- Physical Security: Microsoft owns the Azure data centers and manages physical security at all the locations. Only authorized personnel have access to different areas of data centers.
- Identity & Access: All Azure resources are governed and controlled through Azure Active Directory, which is the central identity plane. Further, you can control access to your Azure resources using Role-based access control (RBAC). Users can be granted higher privileges just-in-time using Azure Privileged Identity Management.
- Perimeter: By default, Azure enables basic Distributed denial of service (DDoS) protection which comes with always-on traffic monitoring, and real-time mitigation of common network-level attacks. The standard tier of DDoS protection provides additional capabilities to protect against volumetric attacks, protocol attacks, and application attacks.
- Network: You can filter network traffic to and from Azure resources in a virtual network through Network Security Groups which contains security rules allowing or denying traffic. Under Azure Security Center’s standard pricing tier, you can lock down inbound traffic to your Azure VMs with Just In time VM access (eg – RDP, SSH)
- Compute: Azure Security center provides protection against threats by its ability to process signals and detect security threats like RDP brute-force attacks and SQL injections. The security center also gives a Secure score based on the assessment of the security posture of your environment.
- Application: Application Gateways and Web Application Firewall provides centralized protection of your web applications from common exploits and vulnerabilities. Azure Frontdoor is another service that allows you to author custom Web Application Firewall (WAF) rules for access control to protect your HTTP/HTTPS workload from exploitation based on client IP addresses, country code, and Http parameters. A managed identity from Azure Active Directory (AAD) allows your app to easily access other Azure Active Directory-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. Also, you can enable SSL on your app services.
- Data: Data is encrypted-at-rest for both structured and unstructured data. You can further control access to the data using authentication mechanisms.
Azure Security Center is a great tool that can help in strengthening your security posture in Azure. It provides advanced threat protection across hybrid workloads.
Azure Sentinel is a cloud-native Security Information Event Management (SIEM) solution that delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. It supports Logic apps based Security Runbooks which can run in response to an alert.
Azure further complies with 90+ compliance certifications. For a comprehensive list of Azure Compliance offerings, please visit Azure Trust Center.
I hope you found this article helpful,