EBOOK Azure Security Checklist


Expert Advice on Identity, Data, Workload, and Platform Security and Risk Priorities

Azure Security Overview

Microsoft Azure is one of the top public cloud service providers, offering a broad set of global compute, storage, database, analytics, application, and deployment services that help enterprises move faster, lower IT costs, and scale applications. While this is great for development, securing Azure remains one of the biggest cloud security issues today.

Azure environments are frequently at risk of data breaches. For example, a Dutch e-ticketing platform recently suffered a data breach that exposed user PII: 1.9 million unique email addresses were taken from an unsecured staging server.

Rising security threats

Companies are facing rising internal security issues due to misconfigurations and human error. In one highly publicized recent example, SolarWinds publicly attributed a weak password on one of its systems to an undisclosed intern.

In another recent example, a publicly exposed cloud storage bucket was found to contain images of hundreds of passports and identity documents belonging to journalists and volleyball players from around the world. These sensitive documents were hosted in a Microsoft Azure Blob Storage container that was accessible to anyone on the internet because the organization failed to configure it appropriately.

What the research shows

Research from ID Watchdog shows that insider threats are present in 60% of data breaches, and 44% of root causes can be attributed to negligence. Azure can be incredibly complicated, and if you are developing fast on the platform, it is easy to make small mistakes that lead to catastrophic consequences.

This document guides Microsoft Azure customers through recommended best practices for the highest level of protection for their Azure infrastructure and the sensitive data stored in Azure environments.

Table of Contents
- Azure Shared Responsibility Model Explained
- Azure Responsibility Reminder Table
- Division of Responsibility
- Shared Responsibility Breakdown
- Top Cloud Security Challenges
- Azure Cloud Security Checklist
- About Sonrai

Azure Shared Responsibility Model Explained

Like most cloud providers, Microsoft Azure operates under a shared responsibility model. Azure takes care of security 'of' the cloud, while Azure customers are responsible for security 'in' the cloud. Microsoft Azure has made platform security a priority to protect customers' critical information and applications by taking responsibility for the security of its infrastructure.

Microsoft Azure Responsibility

Azure is focused on the security of the underlying infrastructure, protecting its compute, storage, networking, and database services against intrusion. Azure is also responsible for the security of the software, hardware, and physical facilities that host Azure services. Azure also takes responsibility for the security configuration of its managed services, such as Azure Kubernetes Service (AKS), Container Instances, Cosmos DB, SQL, Data Lake Storage, Blob Storage, and others. Note that "managed" covers the service itself, not what you put in it: for AKS, the managed control plane is Microsoft's, while the node pools, cluster RBAC, and the workloads you deploy remain yours.

Customer Responsibility

Azure customers are responsible for security 'in' their own cloud, or more simply put, everything that they instantiate, build, and/or use. For example, while Azure has built several layers of security features to prevent unauthorized access, including multi-factor authentication (MFA), it is the customer's responsibility to make sure MFA is turned on for users, particularly for those with the most extensive IAM permissions in Azure.

It is worth noting that the default security settings of Azure services are often the least secure configuration. Hardening these initial settings is therefore low-hanging fruit that organizations should prioritize as the first step in fulfilling their end of the shared responsibility. From there, they should examine the services and resources they are using to determine what the target security levels should be, and then put a plan in place to configure their cloud accordingly.

The security perimeter has changed. Identity, not firewalls, forms your security boundary. As enterprises continue to migrate to or build their custom applications in Azure, the threats they face are no longer isolated as in the old world of on-premises applications. Under this new paradigm, preventing many of these threats falls on the shoulders of the Azure customer. So how are you securing your data?

Azure Responsibility Reminder Table

Below you will find a responsibility table that serves as a visual reminder of which action falls under whose jurisdiction:

Customer responsibility:
- Preventing or detecting when an Azure account has been compromised
- Preventing or detecting a privileged or regular Azure user behaving in an insecure manner
- Ensuring Azure and custom applications are used in a manner compliant with internal and external policies
- Updating guest operating systems and applying security patches
- Restricting access to Azure services or custom applications to only those users who require it
- Configuring Azure services (except Azure Managed Services) in a secure manner
- Preventing sensitive data from being uploaded to or shared from applications in an inappropriate manner

Azure responsibility:
- Business continuity management (availability, incident response)
- Protecting against Azure zero-day exploits and other vulnerabilities
- Providing environmental security assurance against mass power outages, earthquakes, floods, and other natural disasters
- Providing physical access control to hardware/software
- Configuring Azure Managed Services in a secure manner
- Ensuring network security (DoS, man-in-the-middle (MITM), port scanning)
- Database patching

The Azure items apply to the platform itself. Availability planning and incident response for your own workloads, accounts, and data remain with you.

Division of Responsibility

In an on-premises data center, the customer owns the whole stack. As you move to the cloud, some responsibilities transfer to Microsoft Azure. The following diagram illustrates the areas of responsibility between the customer and Microsoft, according to the type of deployment (on-premises, IaaS, PaaS, SaaS):

- Retained by customer: Information & Data; Devices (Mobile & PC); Accounts & Identities
- Varies by service type: Identity & Directory Infrastructure; Applications; Network Controls; Operating System
- Transfers to cloud provider: Physical Hosts; Physical Network; Physical Datacenter

Shared Responsibility Breakdown

For all cloud deployment types, you are responsible for protecting the security of your data and identities, your on-premises resources, and the cloud components you control (which vary by service type). Regardless of the type of deployment, the following responsibilities are always retained by you, the Azure customer:
- Data
- Endpoints
- Accounts
- Access management

Top Cloud Security Challenges

Risks to applications running on Azure and the data stored within it can take many forms:

Compromise of Azure

Azure has made significant investments in security to protect its platform from intrusion. However, the possibility always exists that an attacker could compromise an element in the Azure platform and either gain access to data, take an application running on the platform offline, or permanently destroy data. An attacker only needs to find one misconfiguration to get in, while a security team needs to keep track of all of them, all the time.

Insider & Privileged Identity Threats

The average enterprise experiences 11 insider threats each month, and one-third are privileged user threats. These incidents can include malicious and negligent behavior, ranging from taking actions that unintentionally expose data to the internet to employees stealing data.

Third Party Account Compromise

According to the Verizon Data Breach Investigations Report, 1% of data breaches are caused by third parties. However, these breaches are very notable when they happen, like the third-party data breach at Volkswagen Group of America, Inc. affecting 3.3 million customers.

Sensitive Data Uploaded Against Policy & Regulation

Many organizations have industry-specific or regional regulations and/or internal policies that restrict certain data types from being used in the cloud. In some cases, data can be safely stored in the cloud, but only in specific geographic locations (for example, a data center in the United Kingdom but not in the United States).

Software Development Lacks Security Input

Surprisingly, an organization's security team isn't always involved in the development process. Most of the time, if the team does become aware, it is near the end of the cycle, and they are asked to perform heroics and/or are seen as the blocker to releasing the application. This not only leads to longer release cycles, but also to increased costs and loss of velocity in the market. When security is included as a fundamental component of the development process, say by implementing a secure software development lifecycle (SDLC), it enables the business to release highly secure applications at increased velocity and oftentimes at lower cost.

Shadow IT

Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. It has grown exponentially in recent years with the adoption of cloud-based applications and services. Departments outside central IT, working around the shortcomings of the central information systems, create a hidden risk.

Ephemeral Compute Pours Over Your Data

With container orchestration, the typical lifetime of a container is 12 hours. Serverless functions, already adopted by 22% of corporations, come and go in seconds. Data is the digital era's oil, but in this era the oil rigs are ephemeral and countless. Spot instances, containers, serverless functions, admins, and agile development teams are the countless fleeting rigs that drill into your data.

Cloud Data Sprawl

Gone are the days of a limited selection of manageable data stores (e.g., Oracle, IBM, and MS SQL). Innovations in agile cloud development have led to an explosion of new data stores. Adding these to object stores, like Microsoft Blob Storage, makes it self-evident that new corporate infrastructures do not have a physical or logical concept of a 'data center.' This innovation can create cloud sprawl, where an organization has an uncontrolled proliferation of its cloud instances, services, or identities. Cloud sprawl typically occurs when an organization lacks visibility into or control over its cloud computing resources.

Lack of Application Protection

Network firewalls don't help you when it comes to the public cloud. Attacks on applications more than doubled, according to the Verizon Data Breach Investigations Report.

Unsecured Storage Containers

The news is regularly filled with attacks on misconfigured cloud servers and the leaked data that criminals obtain from them. Misconfigurations are the natural result of human error. Setting up a cloud server with loose or no credentials and then forgetting to tighten them when the server is placed into production is a common mistake.

Manually Managing Access Rights

Keeping track manually of which users can access an application creates risk. You can't detect common privilege escalation attacks across your infrastructure manually. You also create risk by giving too many admin rights to virtual machines and containers.

Azure Cloud Security Checklist

Microsoft has built a set of security controls for its customers to use across Azure services, and it is up to the customer to make the most of these built-in capabilities. Here are the best practices security experts recommend you follow (setting names are given as they appear in the Azure AD portal and the CIS Microsoft Azure Foundations Benchmark):

Identity and access management
- Ensure that multi-factor authentication (MFA) is enabled for all users
- Enable MFA on privileged accounts and strongly consider layering in Conditional Access policies (e.g., geography, IP address, device state)
- Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is disabled
- Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'
- Use role-based access control (RBAC) for all admin accounts instead of assigning every privileged account the Global Administrator role
- Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'
- Ensure that there are no guest users
- Ensure that 'Guests can invite' is set to 'No'
- Ensure that 'Members can invite' is set to 'No'
- Ensure that 'Guest users permissions are limited' is set to 'Yes'
- Ensure that 'Number of methods required to reset' is set to '2'
- Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Ensure that 'Notify users on password resets?' is set to 'Yes'
- Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
- Ensure that 'Users can register applications' is set to 'No'
- Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
- Ensure that 'Users can create security groups' is set to 'No'
- Ensure that 'Users who can manage security groups' is set to 'None'
- Ensure that 'Self-service group management enabled' is set to 'No'

Storage accounts
- Ensure that 'Secure transfer required' is set to 'Enabled'
- Ensure that 'Storage service encryption' is set to 'Enabled'

Azure Cloud Security Checklist, cont.

Subscription and privileged access
- Secure the subscription
- Minimize the number of admins/owners
- Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription)
- Enable Privileged Identity Management (PIM) for privileged roles

Security Center
- Ensure that 'OS vulnerabilities' is set to 'On'
- Ensure that 'Endpoint protection' is set to 'On'
- Ensure that 'JIT network access' is set to 'On'

Network security groups
- Disable RDP access (TCP 3389) from the internet
- Disable SSH access (TCP 22) from the internet
- Disable Telnet access (TCP 23) from the internet

SQL servers and databases
- Ensure that 'Auditing' is set to 'On'
- Ensure that 'Auditing type' is set to 'Blob'
- Ensure that 'Threat detection' is set to 'On'
- Ensure that 'Threat detection types' is set to 'All'
- Ensure that 'Send alerts to' is set
- Ensure that 'Email service and co-administrators' is 'Enabled'
- Ensure that 'Transparent data encryption' is set to 'On'
- Ensure that firewall rules are set as appropriate

Virtual machines
- Enable JIT access for IaaS VMs
- Encrypt IaaS VM hard disks
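The checklist items above are stated as portal toggles; in practice you want to verify them across every subscription from an export rather than by clicking through. The Python script below is an added example written for this page, not Sonrai's tooling or Microsoft's. It audits resource JSON shaped like the output of `az network nsg list -o json` and `az storage account list -o json` (the property names `securityRules`, `sourceAddressPrefix`, `destinationPortRange`, `supportsHttpsTrafficOnly` and `encryption.services.<svc>.enabled` are the real ARM ones) for the NSG and storage items. The sample documents embedded in it are constructed. Two assumptions are worth stating: Azure evaluates NSG rules in ascending priority order and the first match wins, so a Deny at priority 100 shadows an Allow at 300 and the script mirrors that; and only the prefixes `*`, `Internet`, `Any`, `0.0.0.0/0` and `::/0` are treated as internet-wide, so a narrower CIDR or another service tag is not flagged.

```python
"""Offline audit of exported Azure JSON for internet-exposed admin ports on NSGs
and for storage accounts without secure transfer or service encryption.
Added example; SAMPLE_NSGS and SAMPLE_STORAGE are constructed, not real data."""
import json
import sys

ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}
# Source prefixes that admit traffic from anywhere (assumption: this list is exhaustive).
INTERNET_PREFIXES = {"*", "internet", "any", "0.0.0.0/0", "0.0.0.0", "::/0"}


def _dest_ports(rule):
    """Expand destinationPortRange / destinationPortRanges into a set of ints.
    A '*' range matches every port."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    ports = set()
    for item in raw:
        item = str(item).strip()
        if item == "*":
            return set(range(65536))
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def _source_is_internet(rule):
    """True if any source prefix of the rule covers the whole internet."""
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return any(str(p).strip().lower() in INTERNET_PREFIXES for p in prefixes)


def exposed_admin_ports(nsgs):
    """Return (nsg, rule, service) for each admin port reachable from the internet.
    Rules are walked by ascending priority and the first match decides, as Azure does;
    with no custom match, the default DenyAllInBound rule applies."""
    findings = []
    for nsg in nsgs:
        rules = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
        for port, service in ADMIN_PORTS.items():
            for rule in rules:
                if rule.get("direction") != "Inbound":
                    continue
                if rule.get("protocol", "*") not in ("Tcp", "*"):
                    continue
                if not _source_is_internet(rule) or port not in _dest_ports(rule):
                    continue
                if rule.get("access") == "Allow":
                    findings.append((nsg["name"], rule["name"], service))
                break  # first matching rule decides this port
    return findings


def storage_findings(accounts):
    """Flag accounts violating 'Secure transfer required' or 'Storage service encryption'.
    Azure now encrypts at rest unconditionally, so the encryption branch mainly catches
    stale exports; the HTTPS-only check is still a live misconfiguration."""
    findings = []
    for acct in accounts:
        if not acct.get("supportsHttpsTrafficOnly", False):
            findings.append((acct["name"], "secure transfer not required"))
        services = (acct.get("encryption") or {}).get("services") or {}
        for svc in ("blob", "file"):
            if not (services.get(svc) or {}).get("enabled", False):
                findings.append((acct["name"], f"{svc} service encryption disabled"))
    return findings


# Constructed sample input shaped like `az network nsg list -o json`.
SAMPLE_NSGS = json.loads("""[
 {"name": "web-nsg", "securityRules": [
  {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
   "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
  {"name": "allow-ssh-any", "priority": 200, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
  {"name": "allow-admin-range", "priority": 300, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "3389"},
  {"name": "allow-https", "priority": 400, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}]},
 {"name": "bastion-nsg", "securityRules": [
  {"name": "allow-ssh-corp", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
  {"name": "allow-legacy-ranges", "priority": 110, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefixes": ["10.0.0.0/8", "Internet"],
   "destinationPortRanges": ["20-25", "8080"]}]}]""")

# Constructed sample input shaped like `az storage account list -o json`.
SAMPLE_STORAGE = json.loads("""[
 {"name": "prodlogs01", "supportsHttpsTrafficOnly": true,
  "encryption": {"services": {"blob": {"enabled": true}, "file": {"enabled": true}}}},
 {"name": "legacystaging", "supportsHttpsTrafficOnly": false,
  "encryption": {"services": {"blob": {"enabled": true}, "file": {"enabled": false}}}}]""")


def main(argv):
    """Audit files passed as nsgs.json and storage.json, or the samples if none given."""
    nsgs = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_NSGS
    accounts = json.load(open(argv[2])) if len(argv) > 2 else SAMPLE_STORAGE
    for nsg, rule, service in exposed_admin_ports(nsgs):
        print(f"NSG {nsg}: rule '{rule}' allows {service} from the internet")
    for acct, issue in storage_findings(accounts):
        print(f"Storage account {acct}: {issue}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against a real tenant with `az network nsg list -o json > nsgs.json`, `az storage account list -o json > storage.json`, then `python audit.py nsgs.json storage.json`. On the samples, `web-nsg` is flagged only for SSH: its RDP Allow at priority 300 is shadowed by the Deny at 100, which is exactly the ordering subtlety a manual portal review tends to miss. `bastion-nsg` is flagged for SSH and Telnet through a port range plus a second source prefix, the shape that grep-style checks for "3389" and "*" overlook.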

About Sonrai Security

Sonrai Security delivers an enterprise identity and data governance platform for AWS, Azure, Google Cloud, and Kubernetes. The Sonrai Dig platform is built on a sophisticated graph that identifies and monitors every possible relationship between identities and data that exists inside an organization's public cloud. Dig's Governance Automation Engine automates workflow, remediation, and prevention capabilities across cloud and security teams to ensure end-to-end security. The company has offices in New York and New Brunswick, Canada, and is backed by ISTARI, Menlo Ventures, Polaris Partners, and Ten Eleven Ventures.

GET STARTED

Ready to Secure your Azure Environment?

Feeling lost or overwhelmed? Don't worry. New and mature organizations alike are facing these concerns, and we're here for you. Our cloud security experts are standing by and ready to help. Contact Sonrai Security to start your conversation.

Contact Sonrai Security: sonraisecurity.com, info@sonraisecurity.com, 646.389.2262

Legal Notice

This document is provided for informational purposes only. It represents Sonrai Security practices as of the date of issue of this document, subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of Microsoft's products or services, each of which is provided "as is" without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from Sonrai Security, its affiliates, suppliers, or licensors. The responsibilities and liabilities of Microsoft to its customers are controlled by Microsoft agreements and Sonrai Security agreements, and this document is not part of, nor does it modify, any agreement between Microsoft, Microsoft Azure, Sonrai Security, and its customers.

2022 Sonrai Security. All rights reserved. Sonrai cloud security platform, products and services are covered by U.S. Patent Nos. 10,728,307 and 11,134,085, together with other domestic and international patents pending. re:0622KS
