Practices that help in securing Azure Cloud Infrastructure
Data security is an important aspect of any data management service or system that you opt for. The data security service must not only monitor, identify, and block unauthorized access but also come up with a recovery plan should such a scenario strike. Your data security service or SaaS software should also be capable of helping you prepare a data security policy that complies with the laws of the land.
As a client, you would want to give your data management project to somebody who not only understands security but prepares your data infrastructure for any future changes in the international data security policies.
Clairvoyant has been managing data infrastructures for multiple enterprises and implementing companies’ data security policies to ensure that there are no intrusions. We also ensure that the client always stays compliant with the appropriate security standards. Our DataOps implementation takes care of all of these things.
Microsoft Azure offers comprehensive options for securing your cloud, but under the shared responsibility model that responsibility is split between the customer and Microsoft.
As cloud administrators, we need to tick all the boxes for securing resources in Azure at every level.
Here are a few of the best practices we, at Clairvoyant, follow when we provide security services to our clients using Microsoft Azure.
"Cloud Security is not expensive, it’s priceless" -Anonymous
1. Configure Azure Security Center to assess the environment
- Review patching status and security policy compliance on a weekly basis
- Use integrated vulnerability scanners such as Qualys or Rapid7 for a detailed assessment
2. Make use of Azure Policy across all subscriptions
- No deployment should go through without the required tags on every resource
- Tags add an additional layer of security controls
- Policy assignments also help with audit compliance
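The tagging rule above is the kind of control Azure Policy expresses as a JSON `if`/`then` rule. The following is an added example (not Clairvoyant's code and not from the original post): the two policy definitions use Azure Policy's real rule schema, while the evaluator is a simplified local stand-in for the Azure Policy engine (assumption) that supports only the condition operators these rules need. The tag name `environment`, the allowed regions and the planned resources are all constructed.

```python
"""Local check of Azure Policy rules against a planned deployment.

Added example, not from the original post. The policy JSON follows Azure
Policy's definition schema; the evaluator is a simplified stand-in for the
Azure Policy engine (assumption) covering only the operators used here.
"""

# Deny any resource deployed without an 'environment' tag (tag name is our choice).
REQUIRE_ENV_TAG = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"field": "tags['environment']", "exists": "false"},
        "then": {"effect": "deny"},
    },
}

# Deny resources outside the regions we operate in (regions chosen as an example).
ALLOWED_LOCATIONS = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"field": "location", "notIn": ["eastus", "eastus2"]},
        "then": {"effect": "deny"},
    },
}


def _field_value(resource, field):
    """Resolve a policy 'field' against a resource document.

    Handles the tags['name'] alias plus plain top-level fields such as
    'type', 'location' and 'name'.
    """
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)


def _holds(resource, cond):
    """Evaluate one condition node (subset of Azure Policy's condition grammar)."""
    if "allOf" in cond:
        return all(_holds(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_holds(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not _holds(resource, cond["not"])
    value = _field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return the effect ('deny' or 'allow') one policy applies to a resource."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _holds(resource, rule["if"]) else "allow"


def check_deployment(policies, resources):
    """Map each resource name to the policies that would deny it.

    An empty list means the resource passes; a pipeline gate would run this
    before calling Azure so that a non-compliant template never reaches it.
    """
    report = {}
    for res in resources:
        report[res["name"]] = [
            name for name, pol in policies.items() if evaluate(pol, res) == "deny"
        ]
    return report


# Constructed sample deployment (not real resources).
PLANNED = [
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-app-01",
     "location": "eastus", "tags": {}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stappdata",
     "location": "westeurope", "tags": {"environment": "prod", "owner": "app-team"}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-app",
     "location": "eastus", "tags": {"environment": "prod"}},
]

POLICIES = {"require-environment-tag": REQUIRE_ENV_TAG,
            "allowed-locations": ALLOWED_LOCATIONS}

if __name__ == "__main__":
    for name, denials in check_deployment(POLICIES, PLANNED).items():
        print(name, "->", "blocked by " + ", ".join(denials) if denials else "ok")
```

Running it reports `vm-app-01` blocked by the tag policy and `stappdata` blocked by the location policy; the same JSON rules can be assigned at subscription scope in Azure, where the `deny` effect stops the deployment instead of merely reporting it.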
3. Admin accounts
- Implement Conditional Access for devices accessing Azure administration
- Use a separate email/user for cloud administration, i.e. an account other than the owner’s
- A subscription should have no more than 3 owners
4. Use Multi-Factor Authentication for Active Directory
- Enforce MFA through Conditional Access
5. Make use of role-based access control
- Scope RBAC assignments to resource groups
- The application team should only have access to the application resource groups
- Keep admin credentials separate from application credentials
- Deployments should be automated straight from the source code
6. Make use of Network Security Groups for virtual machines or applications
- Each resource group can have its own NSG to control which traffic is allowed
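An NSG is evaluated as an ordered rule list: the rule with the lowest priority number that matches a flow decides, and Azure's default rules sit at the bottom. The following added example (not from the original post) models that evaluation offline for a per-resource-group NSG. The names and priorities of the three default inbound rules are Azure's; the VNet address range, the custom HTTPS rule and the flows are constructed, and service-tag matching is a simplification of how Azure resolves those tags (assumption).

```python
"""Offline evaluation of Network Security Group rules against sample flows.

Added example, not from the original post. The default inbound rule names and
priorities are Azure's; the VNet range, custom rule and flows are constructed,
and service-tag resolution is simplified (assumption).
"""
import ipaddress
from dataclasses import dataclass

# Assumed address space of the VNet the NSG protects.
VNET = ipaddress.ip_network("10.0.0.0/16")
PRIVATE = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # load balancer probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; 100-4096 for custom rules
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, service tag ("Internet", "VirtualNetwork", ...) or "*"
    dest_ports: str    # "*", a single port "443" or a range "8000-8080"


def _source_matches(prefix, ip):
    ip = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if prefix == "Internet":  # simplified: any address that is not RFC 1918
        return not any(ip in net for net in PRIVATE)
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, direction, protocol, src_ip, dst_port):
    """Return (rule name, access) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        if not _port_matches(rule.dest_ports, dst_port):
            continue
        return rule.name, rule.access
    return "no-match", "Deny"  # unreachable while the default rules are present


# NSG for the application resource group: one custom rule on top of Azure's
# default inbound rules (the defaults cannot be deleted, only overridden).
APP_NSG = [
    Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed flows to check: (direction, protocol, source IP, destination port).
FLOWS = {
    "https-from-internet": ("Inbound", "Tcp", "203.0.113.7", 443),
    "rdp-from-internet": ("Inbound", "Tcp", "203.0.113.7", 3389),
    "ssh-from-vnet": ("Inbound", "Tcp", "10.0.1.4", 22),
    "lb-probe": ("Inbound", "Tcp", "168.63.129.16", 8080),
}


def audit(rules, flows):
    """Evaluate every flow and return {flow name: (rule name, access)}."""
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (rule, access) in audit(APP_NSG, FLOWS).items():
        print(f"{name:22} {access:5} (by {rule})")
```

The output shows why the custom rule is enough: HTTPS from the Internet is allowed by rule 100, management ports from the Internet fall through to `DenyAllInBound`, and traffic from inside the VNet or from the load balancer probe is still admitted by the default rules. Adding a rule with a priority below 100 that allows `*` from `Internet` would silently override the deny, which is the misconfiguration a periodic NSG review should look for.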
7. Enable encryption across Azure resources
- Use encryption for managed disks
- Use Azure Disk Encryption for the other disks
- Encrypt SQL databases using the built-in data encryption feature
8. Configure Azure AD Privileged Identity Management (PIM)
- Inspect the Azure AD PIM audit trail
- Perform Azure AD access reviews
- Configure Azure AD PIM alerting and reporting
9. Implement a solid recovery strategy
- Use Azure Backup and Azure Site Recovery
- Convert your IT configuration into Infrastructure as Code (IaC), e.g. Terraform
- Keep that code ready to redeploy at every level
10. Use Azure Key Vault along with RBAC policy
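Points 5 and 10 both come down to how Azure RBAC resolves assignments: a role assigned at a scope applies to everything beneath it, control-plane actions and data-plane actions are separate lists, and a role's NotActions only subtract from that same role. The following added example (not Clairvoyant's code and not from the original post) models that resolution for an application team that gets Contributor on its own resource group and only the Key Vault Secrets User role on a vault in a shared group. The subscription id, resource names and assignments are constructed placeholders; the Key Vault Secrets User data actions are the real ones, while Reader and Contributor are abbreviated (assumption).

```python
"""Resolve Azure RBAC assignments by scope, including Key Vault data actions.

Added example, not from the original post. Subscription id, resource names and
assignments are constructed. Role definitions follow Azure's Actions /
NotActions / DataActions shape; Reader and Contributor are abbreviated
(assumption), Key Vault Secrets User lists its real data actions.
"""
import fnmatch

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG_APP = f"{SUB}/resourceGroups/rg-app"
RG_SHARED = f"{SUB}/resourceGroups/rg-shared"
VAULT = f"{RG_SHARED}/providers/Microsoft.KeyVault/vaults/kv-app"
APP_VM = f"{RG_APP}/providers/Microsoft.Compute/virtualMachines/vm-app-01"
SHARED_VM = f"{RG_SHARED}/providers/Microsoft.Compute/virtualMachines/vm-jump-01"

ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": [], "dataActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
        "dataActions": [],
    },
    "Key Vault Secrets User": {
        "actions": [],
        "notActions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
    },
}

# Assignments as (principal, role, scope): least privilege for the app team,
# and a separate identity for cloud administration.
ASSIGNMENTS = [
    ("app-team", "Contributor", RG_APP),            # full control only in its own RG
    ("app-team", "Key Vault Secrets User", VAULT),  # read secrets, nothing else in rg-shared
    ("cloud-admin", "Contributor", SUB),            # admin credentials kept separate
]


def _in_scope(scope, resource_id):
    """Assignments inherit downward: a scope covers itself and everything beneath it."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def _matches(patterns, action):
    # Azure's '*' wildcard spans segments, which fnmatch's '*' also does.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(principal, action, resource_id, data_action=False):
    """True if any in-scope assignment grants the action.

    NotActions subtract only from the role they belong to; they never remove
    permissions granted by a different assignment.
    """
    for who, role_name, scope in ASSIGNMENTS:
        if who != principal or not _in_scope(scope, resource_id):
            continue
        role = ROLES[role_name]
        if data_action:
            if _matches(role["dataActions"], action):
                return True
        elif _matches(role["actions"], action) and not _matches(role["notActions"], action):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("app-team", "Microsoft.Compute/virtualMachines/write", APP_VM, False),
        ("app-team", "Microsoft.Compute/virtualMachines/write", SHARED_VM, False),
        ("app-team", "Microsoft.KeyVault/vaults/secrets/getSecret/action", VAULT, True),
        ("app-team", "Microsoft.KeyVault/vaults/write", VAULT, False),
        ("app-team", "Microsoft.Authorization/roleAssignments/write", APP_VM, False),
        ("cloud-admin", "Microsoft.Compute/virtualMachines/write", SHARED_VM, False),
    ]
    for who, action, rid, data in checks:
        print(f"{who:12} {action:55} {'ALLOW' if is_allowed(who, action, rid, data) else 'DENY'}")
```

The checks illustrate the three points of the list: the team can manage its own resource group but not the shared one, it can read secrets from the vault without being able to reconfigure the vault itself, and even inside its own group it cannot grant roles because Contributor excludes `Microsoft.Authorization/*/Write`. The same scope logic is what an access review in PIM should confirm periodically.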
If you feel there are other ways that have not been covered here, please let me know.