The Pervasive Domain of Cloud Security

Earlier in this series Taranjeet Singh, Cloud Solutions Architect at Eighty20 Solutions, wrote an article on Azure SQL; this time he is back with another exciting topic (and one of the areas he has recently developed a love for!): Cloud SECURITY

The information shared through these articles primarily comes from what Taranjeet has learnt through his work engagements, as well as his passion for learning new things. 

First, let us set the context: the information covered in this article is purely from a cloud lens, and specifically Microsoft Azure. We prefer to be specific when it comes to technology, so all the security constructs we look at in this article are specific to Azure. However, each construct has an equivalent in the other major cloud providers, so the layering maps across easily.

This article is by no means a comprehensive IT infrastructure security guide and is meant to get you started. We have also included further references to Microsoft’s official documentation in each area, to be explored further. 

Definition of security

With recent developments in information technology, the definition of security has changed significantly. What used to be considered a secure zone within a data centre (such as a DMZ) is no longer trusted, mainly because of the following factors:

  1. Cloud computing has pushed the boundary of infrastructure and services from the organisation's own premises into the public cloud, which carries a perception of being insecure (partly just because of the word "public").
  2. The introduction of Bring Your Own Device (BYOD).
  3. The evolution of the SaaS consumption model, which has blurred the boundary further (to the point where it has virtually disappeared).
  4. Increasing demand for collaboration and federation between businesses, and between businesses and consumers (B2B and B2C).
  5. COVID-19 has forced organisations to find alternative ways to let their workforce work from outside corporate office locations.

This means that securing applications, data and identities has become more crucial than ever: there is far more attack surface available to break into. Concepts like Zero Trust emerged to address these concerns. We are not going to cover what Zero Trust is and how to achieve it, because there is already a lot of great documentation out there. If you are interested, take a look at these articles:

What’s Zero Trust

How to Implement Zero Trust

A holistic view of Microsoft security ecosystem with the zero trust principles in mind 

The pervasive domain of IT Security

IT Security in general is a very wide and pervasive domain that cuts across every dimension of an IT / cloud infrastructure. It is composed of layers and each layer addresses specific challenges. We can broadly categorize it into the following layers (Be mindful that this is not a defined standard): 

  1. Pre-perimeter Security 
  2. Perimeter Security (WAN) 
  3. Intra VNet Security (LAN) 
  4. Platform-wide Security 
  5. Identity and Access Management (Authentication & Authorization) 
  6. Application Security 
  7. Data Security (Data Confidentiality and Integrity) 
  8. Information Protection & Data Loss Protection (DLP) 
  9. Credentials Security 
  10. General Logging, Monitoring, Auditing & Alerting 
  11. Security Information Event Management (SIEM) and Logging 
  12. Virtual Machine (Endpoint) Security 
  13. Storage Security 
  14. Container Security 
  15. DevSecOps (Security shift-left) 

This list is ever-growing due to the sheer nature of the cloud platform (evolving every day). 

Mapping to Azure Security Constructs

OKAY! What next? We’ve looked at the layers… how about mapping these layers to the Azure Security constructs that help address challenges? Remember we said, “We prefer to be specific when it comes to technology”. Well, this is why we laid that ground early in our journey. 


Pre-perimeter Security

Azure Front Door (with WAF) – Global Service 

Microsoft's Azure Front Door is a global, layer-7 load balancer and Application Delivery Network (ADN) as a service. It qualifies as a security construct because of two capabilities:

1. Application security through an integrated Web Application Firewall (WAF), attached to the Front Door as a WAF policy (managed OWASP-based rule sets, custom rules, rate limiting and geo-filtering).

2. Transport Layer Security (TLS) termination (SSL offload) at the edge, so certificates and protocol versions are managed in one place.

One check worth doing: a WAF at the edge only helps if the origin cannot be reached directly. Lock the origin down so that it accepts traffic only from Front Door (for example, restrict the backend's NSG or App Service access restrictions to the AzureFrontDoor.Backend service tag and validate the X-Azure-FDID header against your Front Door ID); otherwise an attacker who discovers the origin's address simply bypasses the WAF.

Official Microsoft documentation

Perimeter Security (WAN)

Azure Distributed denial of service (DDoS) protection

Azure DDoS Protection is an adaptive service (it learns your normal traffic profile and tunes mitigation thresholds accordingly) that defends against a comprehensive set of network-layer (layer 3/4) attacks such as volumetric floods and protocol attacks. Note the two tiers: DDoS Protection Basic is always on for every Azure public IP at no cost and protects the platform itself; DDoS Protection Standard is a paid service enabled per virtual network that adds per-resource tuning, attack telemetry, alerting and cost protection. Neither tier inspects HTTP on its own: protection against application-layer (layer 7) attacks such as SQL injection, cross-site scripting and session hijacking comes from combining it with the WAF on Application Gateway or Front Door.
 
Official Microsoft documentation

Application Gateway (with integrated WAF) – Regional Service 

For simplicity, think of Azure Application Gateway as a regional Front Door (with some differences). Unlike Azure Front Door, which load balances incoming traffic across Azure regions, an Application Gateway is deployed into one region; the v2 SKU can be zone-redundant across that region's availability zones, and its backend pool can contain VMs, VM scale sets, App Services or arbitrary IP addresses and FQDNs reachable from its VNet. It is an Application Delivery Controller (ADC) as a service, offering layer-7 load-balancing capabilities.

Note: An Azure regional service enables the customer to specify the region into which the service will be deployed.

The integrated Web Application Firewall is based on the OWASP ModSecurity Core Rule Set (CRS) and protects your workload from common exploits such as SQL injection and cross-site scripting. Start a new WAF in Detection mode, review the firewall logs for false positives, then switch to Prevention mode; a WAF left in Detection mode logs attacks but does not block them.
 
Official Microsoft documentation

Azure Firewall / NVA (Network Virtual Appliance)

Azure Firewall is a fully managed, stateful Firewall as a Service (FWaaS) with built-in high availability. It filters on network rules (IP, port, protocol), application rules (outbound FQDNs, including wildcard FQDNs over HTTP/S) and Microsoft threat-intelligence feeds, and provides SNAT for outbound and DNAT for inbound traffic. The alternative is a third-party Network Virtual Appliance (NVA): a vendor firewall image you run on VMs and operate yourself. In both cases traffic only reaches the firewall if you route it there with user-defined routes (UDRs) on the subnets concerned.
 
Official Microsoft documentation

Azure Load Balancer: 

1. Public / External LB

2. Private / Internal LB 

Load balancing distributes incoming network traffic across a pool of backend resources. Azure Load Balancer operates at layer 4 of the Open Systems Interconnection (OSI) model and does not inspect payload, so it is not a security control in itself; it is on this list because its placement decides what is exposed. A Public LB gives backends a shared public entry point (and outbound SNAT) so the VMs themselves need no public IP; an Internal LB keeps a service on a private IP only. Prefer the Standard SKU, which is secure by default: a backend behind a Standard Load Balancer receives no inbound traffic until an NSG explicitly allows it, whereas the Basic SKU is open by default.
 
Official Microsoft documentation

Azure Bastion Host (similar to RDS Gateway) 

Azure Bastion is a fully managed PaaS service that provides RDP and SSH access to virtual machines directly through the Azure portal, tunnelled over TLS on port 443. The VM is reached on its private IP, so it needs no public IP and ports 3389/22 are never exposed to the Internet; allow RDP/SSH inbound on the VM's NSG only from the Bastion subnet's address range. Bastion is deployed into a dedicated subnet that must be named AzureBastionSubnet.
 
Official Microsoft documentation

Intra VNet Security (LAN)

Azure Firewall 

Azure Firewall can also police internal (east-west) traffic: between subnets in Azure, from Azure to on-premises, and from on-premises to Azure. This only works when route tables (UDRs) on the relevant subnets point the traffic at the firewall's private IP as the next hop; a typical design is a hub VNet hosting the firewall with spoke VNets peered to it.

Network Security Groups (NSGs) and Application Security Groups (ASGs)

A Network Security Group is a simple, stateful filter on IP, port and protocol that controls traffic to and from resources in an Azure Virtual Network (VNet); it can be associated with a subnet, a NIC, or both, and because it is stateful, return traffic for an allowed flow is admitted automatically. Administrators define rules using 5-tuple information (source, source port, destination, destination port and protocol), each with a priority between 100 and 4096. Rules are evaluated in priority order and the first match wins, after which the built-in default rules apply: inbound, traffic from the VirtualNetwork and AzureLoadBalancer service tags is allowed and everything else is denied (DenyAllInBound, priority 65500); outbound, Internet access is allowed by default. Two consequences practitioners often miss: a Deny with a lower priority number shadows any Allow below it, and traffic between subnets in the same VNet is allowed unless you add a rule to stop it.
 
Official Microsoft documentation–> https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview 
 
Application Security Groups (ASGs) further simplify NSG configuration by allowing administrators to group together virtual machines and define network security policies based on those groups. 
 
Together NSGs and ASGs allow creating a micro-segmented zone architecture. 
 
Official Microsoft documentation
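The evaluation semantics described above, as an added example that is not part of the original article and not Microsoft code: a small Python simulator of how an NSG decides on an inbound packet. It reproduces priority ordering, first-match-wins, the three built-in inbound default rules, and shows both the shadowed-Allow trap and the default intra-VNet Allow. Service tags and ASGs are modelled as named sets of CIDR prefixes constructed for this example (the real Internet tag excludes the VNet space; here it is simply 0.0.0.0/0), and all rule names and addresses are made up.

```python
"""Simulator of Azure NSG inbound rule evaluation (added example, not Microsoft code)."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for service tags and Application Security Groups.
TAGS = {
    "Internet": ["0.0.0.0/0"],
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "asg-web": ["10.0.1.10/32", "10.0.1.11/32"],   # ASG holding the web tier VMs
    "asg-db": ["10.0.2.20/32"],                    # ASG holding the SQL VM
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100-4096 for user rules, 65000+ for the defaults
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # CIDR / single IP / tag or ASG name / "*"
    source_port: str       # "*", "443" or a range such as "1024-65535"
    destination: str
    destination_port: str


# The built-in inbound rules every NSG carries; they cannot be deleted.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*", "*"),
]

# Constructed user rules for a web tier in front of a database tier.
# "allow-rdp-from-internet" (110) can never match: the Deny at 100 shadows it.
USER_INBOUND = [
    Rule("deny-rdp-from-internet", 100, "Deny", "Tcp", "Internet", "*", "*", "3389"),
    Rule("allow-rdp-from-internet", 110, "Allow", "Tcp", "Internet", "*", "*", "3389"),
    Rule("allow-https-to-web", 200, "Allow", "Tcp", "Internet", "*", "asg-web", "443"),
    Rule("allow-web-to-db", 300, "Allow", "Tcp", "asg-web", "*", "asg-db", "1433"),
]


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    prefixes = TAGS.get(spec, [spec])            # tag/ASG name, else a literal prefix
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate_inbound(rules, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if not (_addr_match(r.source, src_ip) and _addr_match(r.destination, dst_ip)):
            continue
        if not (_port_match(r.source_port, src_port) and _port_match(r.destination_port, dst_port)):
            continue
        return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


if __name__ == "__main__":
    flows = [
        ("Tcp", "203.0.113.5", 51000, "10.0.1.10", 443),    # Internet -> web HTTPS
        ("Tcp", "203.0.113.5", 51001, "10.0.1.10", 3389),   # Internet -> web RDP
        ("Tcp", "10.0.1.10", 51002, "10.0.2.20", 1433),     # web -> db SQL
        ("Tcp", "10.0.1.11", 51003, "10.0.2.20", 22),       # web -> db SSH: no explicit rule
        ("Tcp", "203.0.113.5", 51004, "10.0.2.20", 1433),   # Internet -> db SQL
    ]
    for flow in flows:
        print(flow, "->", evaluate_inbound(USER_INBOUND, *flow))
```

The fourth flow is the one to notice: SSH from the web tier to the database VM is allowed by AllowVnetInBound even though no user rule mentions it, so micro-segmentation between tiers needs an explicit Deny (for example at priority 4000 from VirtualNetwork to asg-db) below the specific Allows.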

Service Endpoint (Public Endpoint) and Resource-level firewall 

A Virtual Network (VNet) Service Endpoint provides direct connectivity from a subnet to a list of supported Azure PaaS services over an optimised route on the Azure backbone network. Once a Service Endpoint is enabled on a subnet for a service (for example Microsoft.Storage or Microsoft.Sql), traffic from that subnet to the service stays on the Microsoft backbone instead of traversing the public Internet, though the PaaS service still listens on its public IP (its public endpoint).

From that definition you may be wondering what a Service Endpoint has to do with security. The answer is what it enables on the service side.

PaaS services such as Azure Storage and Azure SQL offer a resource-level IP firewall in front of the service as another layer of defence. With a Service Endpoint enabled, traffic carries the identity of the source VNet and subnet, so the firewall can be set to deny by default and then allow only specific subnets (virtual network rules) rather than a public IP range. Two caveats: the service keeps its public endpoint, so the firewall's default action must actually be Deny for the lock-down to mean anything; and because Service Endpoints are a subnet-level feature, on-premises clients arriving over ExpressRoute or VPN are not covered and still need an IP-based rule.
 
Official Microsoft documentation

Private Link 

There are many convoluted definitions of public and private endpoints out there, so I have tried to make it simple for myself.

A Private Endpoint is a way of presenting an Azure PaaS service (otherwise reachable only via a public IP) to a VNet through a private IP address: a network interface is created in your subnet and receives an address from the VNet's own address space.

Through that Private Endpoint, servers and applications in the VNet (and on-premises networks connected to it) talk to the PaaS service using the private IP, and the traffic remains on the Microsoft backbone. Two things make it work: DNS must resolve the service's public name (for example mystorage.blob.core.windows.net) to the private IP, which is normally done with a privatelink.* private DNS zone linked to the VNet; and the service's public network access should then be disabled (or its firewall set to Deny) so that the private endpoint is the only way in. Unlike a Service Endpoint, a Private Endpoint removes the dependency on the service's public IP altogether and works for on-premises clients.
 
Official Microsoft documentation

Platform Security

Azure Security Center (ASC) 

This is an amazing tool, to say the least. Microsoft has defined it well, so I am not going to reinvent it here (note that Azure Security Center and Azure Defender have since been merged and renamed Microsoft Defender for Cloud):

Azure Security Center is an integrated, unified infrastructure security management system that strengthens the security posture of data centres and provides advanced threat protection across hybrid workloads in the cloud, whether they are in Azure or on-premises.

ASC continuously assesses the deployed resources against its built-in policy initiative (the Azure Security Benchmark), reports a Secure Score, and lists recommendations with suggested, often one-click, remediation. It gives a comprehensive view of the organisation's security posture. The free tier covers posture assessment; threat detection requires the paid Azure Defender plans, enabled per resource type.
 
Official Microsoft documentation

Defender (formerly called Advanced Threat Protection or ATP)

Azure offers built-in threat protection through services such as:

1. Azure Advanced Threat Protection, now known as Microsoft Defender for Identity (detects identity-based attacks against on-premises Active Directory), alongside Azure AD Identity Protection for cloud sign-in risk

2. Azure Monitor logs

3. Azure Security Center

4. Azure Defender plans for individual resource types, such as Azure Defender for SQL, for Storage, for Key Vault and for servers

Together these provide a simple and fast way to understand what is happening within your Azure deployments. The Defender plans detect and investigate security incidents across the customer's environment and are integrated into individual offerings such as SQL, networking, storage and Key Vault. Their alerts surface in Azure Security Center with details of the suspicious activity and recommended actions for investigation and mitigation, and can be forwarded to a SIEM.

Official Microsoft documentation

Azure Arc 

Azure Arc provides a consistent inventory, management, governance, and security for various services across customer’s environment. It simplifies governance and management by delivering a single pane of glass for multi-cloud and on-premises management platform. The non-Azure, on-premises, or other-cloud resources are projected as Azure Resource Manager resources. 
 
Official Microsoft documentation

Azure Policy 

Azure Policy enforces governance for resource consistency, regulatory compliance, security, cost and management. A policy definition is a JSON rule with an effect (for example Audit, Deny, DeployIfNotExists or Modify) assigned at management group, subscription or resource group scope; related definitions are grouped into initiatives, such as the Azure Security Benchmark that Security Center uses. Typical security uses are denying storage accounts that allow HTTP, denying NSG rules that open RDP/SSH to the Internet, and auto-deploying diagnostic settings so that logs are never missing. Policy evaluates on every create or update and on a periodic compliance scan, so it both prevents new drift and reports existing non-compliance.
 
Official Microsoft documentation

IAM (Authentication & Authorisation)

1. Azure AD (native) identities and Azure role-based access control (RBAC)
2. Hybrid Identity (Azure AD kept in sync with on-premises Windows Server AD DS via Azure AD Connect), with three sign-in options:
     a. Password Hash Synchronization (PHS)
     b. Pass-through Authentication (PTA)
     c. Federated Authentication and SSO (AD FS)

3. Azure AD Domain Services (Azure AD DS), a managed domain for workloads that need Kerberos, NTLM or LDAP

Azure AD features such as:

  • Multi-factor Authentication (MFA)
  • Privileged Identity Management (PIM) for just-in-time (JIT), time-bound activation of privileged roles
  • Conditional Access policies (for example, require MFA for all administrative roles and block legacy authentication protocols, which cannot enforce MFA)

Certainly, identity has become the new “Control Plane” for security or the primary perimeter for security. This is a big shift from the traditional focus on network security. 
 
I tried to summarise IAM into a short, crisp paragraph, and it proved extremely challenging, so I gave up. Here is some great documentation on these topics:
 
Hybrid Identity Documentation
 
Azure AD Connect Supported Topologies
 
Azure AD Authentication

Application Security

SSL / TLS Encryption 

Transport Layer Security (TLS) is the basis for encrypting website data in transit. A TLS certificate does not itself encrypt the data: it binds the server's public key to its name so that clients can authenticate the server, after which a per-session symmetric key is negotiated and used for the bulk encryption. TLS certificates can be used to secure web applications running on services like App Service, VMs or Static Web Apps.

Certificates used in Azure are X.509 v3 and can be signed by a trusted third-party certificate authority (CA) or self-signed. A self-signed certificate is signed by its own creator, so no client trusts it by default; use one only for development or for internal back-end hops where you control the trust store, never for a public endpoint. Also set a minimum TLS version of 1.2 wherever the service exposes that setting (App Service, Storage accounts, Azure SQL and Application Gateway SSL policies all do), and store certificates in Key Vault rather than in application configuration.

Data Security (Data Confidentiality and Integrity)

Encryption at rest:

1. Storage Service Encryption (SSE) for Azure Storage and managed disks

2. SQL Database features: Transparent Data Encryption (TDE) for the database files and backups, and Always Encrypted for specific sensitive columns

Azure Storage Service Encryption (SSE) is covered under Storage Security below: every write to Azure Storage is encrypted with 256-bit AES before being persisted and decrypted on retrieval, transparently to users, with Microsoft-managed keys by default or customer-managed keys held in Key Vault.

Encryption while data is in transit:

1. SSL / TLS encryption (covered previously)

2. Always Encrypted, because the columns are encrypted by the client driver and stay encrypted across the wire (TDE does not help here; it only protects files on disk)

Encryption while data is in use:

1. Always Encrypted: the database engine only ever handles ciphertext, and the secure-enclave variant allows richer operations (pattern matching, range comparisons) inside a hardware-protected enclave

Always Encrypted is a data encryption technology in Azure SQL Database and SQL Server that protects sensitive data at rest on the server, in transit between client and server, and while in use. Encryption and decryption happen inside the client driver, so sensitive data never appears as plaintext inside the database system, and DBAs, or anyone who compromises the server, see only ciphertext. Only client applications or app servers with access to the keys can access plaintext. The keys are two-tiered: a column encryption key (CEK) encrypts the data and is itself wrapped by a column master key (CMK) that lives outside SQL, typically in Azure Key Vault or a certificate store. Each column uses either deterministic encryption (equal plaintexts give equal ciphertexts, so equality lookups, joins and indexes still work, at the cost of revealing which rows share a value) or randomized encryption (stronger, but the server cannot compare values at all).

Always Encrypted is designed to protect data such as credit card numbers or national identification numbers (for example, U.S. social security numbers) stored in Azure SQL Database or SQL Server.

Transparent Data Encryption (TDE) encrypts the data and log files of SQL Server, Azure SQL Database and Azure Synapse Analytics. It performs real-time I/O encryption and decryption of data and log files using a database encryption key (DEK); encryption is done at the page level, so pages are encrypted before being written to disk and decrypted when read into memory. It is enabled by default on new Azure SQL databases and protects against stolen storage media or backups, but not against anyone with SQL-level access: queries return plaintext. The DEK is protected by a service-managed certificate by default or by a customer-managed key in Key Vault (Bring Your Own Key).
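The server-blind property and the deterministic-versus-randomized trade-off above, as an added example that is not part of the original article and not Microsoft code. It uses sqlite3 as a stand-in for the database engine and a deliberately simple toy cipher (keystream XOR with an IV either derived from the plaintext or random) constructed only to mirror the structure of the real scheme; the key, table and rows are all made up, and the cipher must not be reused for anything.

```python
"""Always Encrypted query semantics with a toy cipher (added example, not Microsoft code)."""
import hashlib
import hmac
import os
import sqlite3

# Constructed column encryption key (CEK). In Always Encrypted the CEK is itself
# wrapped by a column master key held in Key Vault; SQL never sees either in plaintext.
CEK = hashlib.sha256(b"demo-only column encryption key").digest()
IV_LEN = 16


def _keystream(iv: bytes, length: int) -> bytes:
    # Counter-mode style keystream from SHA-256(CEK || iv || counter). Toy only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(CEK + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _encrypt(plaintext: str, iv: bytes) -> bytes:
    data = plaintext.encode()
    return iv + bytes(a ^ b for a, b in zip(data, _keystream(iv, len(data))))


def enc_deterministic(plaintext: str) -> bytes:
    # IV derived from the plaintext: equal inputs give equal ciphertexts,
    # which is what lets the server do equality matches, joins and indexing.
    iv = hmac.new(CEK, plaintext.encode(), hashlib.sha256).digest()[:IV_LEN]
    return _encrypt(plaintext, iv)


def enc_randomized(plaintext: str) -> bytes:
    # Fresh random IV: the same value encrypts differently every time,
    # so the server cannot compare, group or index the column at all.
    return _encrypt(plaintext, os.urandom(IV_LEN))


def decrypt(ciphertext: bytes) -> str:
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(iv, len(body)))).decode()


def setup_demo() -> sqlite3.Connection:
    """Create the 'server' with two encrypted columns and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, ssn BLOB, notes BLOB)")
    rows = [("Alice", "123-45-6789", "VIP customer"),
            ("Bob", "987-65-4321", "VIP customer"),
            ("Carol", "123-45-6789", "duplicate SSN on file")]
    for name, ssn, notes in rows:
        # The client driver encrypts before the values ever reach the server.
        conn.execute("INSERT INTO customers VALUES (?, ?, ?)",
                     (name, enc_deterministic(ssn), enc_randomized(notes)))
    conn.commit()
    return conn


def find_by_ssn(conn, ssn: str):
    # The parameter is encrypted client-side; the server only compares ciphertext bytes.
    rows = conn.execute("SELECT name, ssn FROM customers WHERE ssn = ? ORDER BY name",
                        (enc_deterministic(ssn),)).fetchall()
    return [(name, decrypt(ct)) for name, ct in rows]


def find_by_notes(conn, notes: str):
    # Same query shape against a randomized column: never matches, by design.
    rows = conn.execute("SELECT name FROM customers WHERE notes = ?",
                        (enc_randomized(notes),)).fetchall()
    return [name for (name,) in rows]


def dba_view(conn):
    # What a DBA, or an attacker holding a dump of the database, actually sees.
    return [(name, ssn.hex()) for name, ssn in conn.execute("SELECT name, ssn FROM customers")]


if __name__ == "__main__":
    db = setup_demo()
    print(find_by_ssn(db, "123-45-6789"))      # Alice and Carol: equality still works
    print(find_by_notes(db, "VIP customer"))   # []: the randomized column is opaque
    print(dba_view(db))                        # ciphertext only; Alice and Carol share it
```

The last line of output is the leak to be aware of with deterministic encryption: the server cannot read the SSN, but it can see that Alice and Carol have the same one, and an attacker who knows one plaintext can match it against the whole column. Use randomized encryption for anything you never need to search on.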

Information Protection & Data Loss Protection (DLP)

Azure Information Protection (AIP) and Microsoft Cloud App Security (MCAS)

Azure Information Protection (AIP) is a cloud-based solution that enables organisations to discover, classify and protect documents and emails by applying labels to content.

AIP is part of the Microsoft Information Protection (MIP) framework and extends the sensitivity-labelling and classification functionality of Microsoft 365. Microsoft Cloud App Security is the cloud access security broker (CASB) that discovers which SaaS applications are in use and applies DLP and session controls to them.

At a very high level, administrators:

  • classify data and apply labels (manually, automatically by content inspection, or by default)
  • encrypt and protect the content by applying a policy (a label can carry encryption and usage rights that travel with the file wherever it goes)
  • monitor, notify and respond to incidents

What is AIP
Learn about DLP

Credentials Security

Azure Key Vault 

The importance of secure storage and management of credentials (secrets, keys and certificates) is evident from the fact that every cloud provider offers a service around it. Benefits include:

1. Secure, centralised storage of credentials, with access granted only to authorised identities (applications, services, people), so credentials are kept separate from application code and configuration.

2. Retrieval of credentials at runtime by the application itself: with a Managed Identity the app authenticates to Key Vault without holding any credential of its own, so no secret is ever shared with a developer or checked into source control. App Service and Azure Functions can even reference a vault secret directly from an app setting.

3. Rotation of keys at specified intervals (Key Vault supports rotation policies for keys; secret rotation is usually driven by Automation or Event Grid near-expiry events).

4. Automatic renewal of certificates before expiry, for certificate authorities integrated with Key Vault.

5. Monitoring and auditing of every access to the vault through its AuditEvent logs.

Configuration to check: enable soft-delete and purge protection (so a deleted key cannot be lost, and an attacker cannot destroy it permanently), restrict network access with the vault firewall or a private endpoint, and prefer the Azure RBAC permission model over legacy access policies for fine-grained permissions.

Official Microsoft documentation

General Logging, Auditing, Monitoring & Alerting

Logging

By default, Azure provides detailed diagnostic and auditing information for Azure resources and for the platform they depend on. These logs are generated automatically, but most of them are not retained unless you configure a diagnostic setting to forward them to one or more destinations: a Log Analytics workspace (for querying and alerting), an Azure Storage account (for cheap long-term archival) or an Event Hub (for streaming to an external SIEM).

Azure platform logs fall into three categories:

1. Resource logs (data plane): operations performed within an Azure resource, for example getting a secret from a Key Vault, making a request to a database, or a WAF blocking a request. These are the logs configured through diagnostic settings in Azure Monitor. Their content varies by service and resource type; resource logs were previously called diagnostic logs.

2. Activity log (control / management plane): operations on each Azure Resource Manager resource (create, update and delete operations, and role assignments) in the subscription, performed from the outside through ARM. There is a single Activity log per subscription, retained for 90 days by default; forward it to a workspace if you need it longer.

3. Azure AD logs: the sign-in logs (every authentication, with its result, MFA status and Conditional Access outcome) and the audit logs (changes to users, groups, applications and roles) for a tenant. Export these too, because the portal's own retention is short.
 
Overview of Azure platform logs
Azure security logging and auditing

Monitoring 

Azure Monitor is the suite of tools that aggregates and stores monitoring telemetry for Azure and on-premises resources in a log data store (Log Analytics Workspace). Customers can analyse this data using queries, set up alerts, get end-to-end views of applications, and use machine learning-driven insights to quickly identify and proactively resolve problems. 
 
Official Microsoft documentation

Security Information Event Management and Logging

Azure Sentinel

Another great weapon in the armoury for Azure customers (since renamed Microsoft Sentinel). Azure Sentinel is a cloud-native tool built on top of a Log Analytics workspace with a two-fold capability:

1. Security Information and Event Management (SIEM): like any other SIEM, it ingests logs through data connectors (Azure, Microsoft 365, firewalls, Syslog/CEF from third parties) and runs scheduled analytics rules, written in Kusto Query Language (KQL), that detect and alert on security threats.

2. Security Orchestration, Automation and Response (SOAR): playbooks built on Logic Apps automate the response to detected threats (isolate a VM, disable a user, open a ticket).

It delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting and threat response, and is a critical tool for preventing financial loss and meeting regulatory obligations.
 
Official Microsoft documentation
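The logging section above distinguishes control-plane (Activity log) from data-plane (resource log) events, and Sentinel's analytics rules are where detections over both end up. As an added example that is not part of the original article and not Microsoft code, here are two such detections run over constructed log records: an NSG rule write that opens an admin port to the Internet, and a Key Vault secret read from outside the allowed networks. The field names follow the shapes those logs have once exported to a Log Analytics workspace, but every record, subscription ID, address and identity below is made up; a Sentinel analytics rule would express the same logic in KQL over the AzureActivity and AzureDiagnostics tables.

```python
"""Two detections over constructed Azure log records (added example, not Microsoft code)."""
import ipaddress
import json

ADMIN_PORTS = (22, 3389)
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "0.0.0.0"}
NSG_RULE_WRITE = "Microsoft.Network/networkSecurityGroups/securityRules/write"
KV_READ_OPS = {"SecretGet", "KeyDecrypt", "KeyUnwrap", "CertificateGet"}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers"
NSG = SUB + "/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/"

# Constructed records. The Activity log carries the ARM request body as a JSON string.
SAMPLE_LOGS = [
    {   # Activity log: a user writes an NSG rule allowing RDP from anywhere
        "category": "Administrative", "operationName": NSG_RULE_WRITE, "resultType": "Success",
        "caller": "alice@contoso.example", "callerIpAddress": "203.0.113.7",
        "resourceId": NSG + "allow-rdp",
        "properties": {"requestbody": json.dumps({"properties": {
            "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
            "sourceAddressPrefix": "*", "destinationPortRange": "3389"}})},
    },
    {   # Activity log: a harmless rule (HTTP/HTTPS from the Internet to the web tier)
        "category": "Administrative", "operationName": NSG_RULE_WRITE, "resultType": "Success",
        "caller": "alice@contoso.example", "callerIpAddress": "203.0.113.7",
        "resourceId": NSG + "allow-web",
        "properties": {"requestbody": json.dumps({"properties": {
            "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
            "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]}})},
    },
    {   # Key Vault AuditEvent: the app's managed identity reads a secret from inside the VNet
        "category": "AuditEvent", "operationName": "SecretGet", "resultType": "Success",
        "callerIpAddress": "10.0.1.10",
        "identity": {"claim": {"appid": "11111111-1111-1111-1111-111111111111"}},
        "properties": {"id": "https://kv-prod.vault.azure.net/secrets/db-password/3a1f"},
    },
    {   # Key Vault AuditEvent: the same secret read by a user from an unknown address
        "category": "AuditEvent", "operationName": "SecretGet", "resultType": "Success",
        "callerIpAddress": "198.51.100.23",
        "identity": {"claim": {"upn": "bob@contoso.example"}},
        "properties": {"id": "https://kv-prod.vault.azure.net/secrets/db-password/3a1f"},
    },
]


def _port_spec_covers(spec, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = str(spec).partition("-")
    return int(low) <= port <= int(high or low)


def nsg_rule_opens_admin_port(rec):
    """Control-plane detection: successful NSG rule write exposing 22/3389 to any source."""
    if rec.get("operationName") != NSG_RULE_WRITE or rec.get("resultType") != "Success":
        return None
    body = json.loads(rec["properties"].get("requestbody", "{}")).get("properties", {})
    if body.get("access") != "Allow" or body.get("direction") != "Inbound":
        return None
    sources = set(body.get("sourceAddressPrefixes") or [body.get("sourceAddressPrefix")])
    if not sources & ANY_SOURCE:
        return None
    ranges = body.get("destinationPortRanges") or [body.get("destinationPortRange")]
    exposed = [p for p in ADMIN_PORTS if any(_port_spec_covers(r, p) for r in ranges)]
    if not exposed:
        return None
    return {"rule": "NSG rule exposes admin port to Internet", "caller": rec.get("caller"),
            "resource": rec["resourceId"], "ports": exposed}


def keyvault_read_from_outside(rec, allowed_nets):
    """Data-plane detection: secret/key use from an IP outside the expected networks."""
    if rec.get("category") != "AuditEvent" or rec.get("operationName") not in KV_READ_OPS:
        return None
    if rec.get("resultType") != "Success":
        return None
    ip = ipaddress.ip_address(rec["callerIpAddress"])
    if any(ip in ipaddress.ip_network(n) for n in allowed_nets):
        return None
    claim = rec.get("identity", {}).get("claim", {})
    return {"rule": "Key Vault read from outside allowed networks",
            "caller": claim.get("upn") or claim.get("appid"),
            "resource": rec["properties"]["id"], "ip": str(ip)}


def run_detections(records, allowed_nets=("10.0.0.0/8",)):
    findings = []
    for rec in records:
        for finding in (nsg_rule_opens_admin_port(rec),
                        keyvault_read_from_outside(rec, allowed_nets)):
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_LOGS):
        print(f)
```

Both detections depend on logs that are not retained unless you export them: the Activity log must be sent to the workspace with a diagnostic setting at subscription level, and Key Vault's AuditEvent category must be enabled on each vault, otherwise the second rule has nothing to run against.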

Virtual Machine (Endpoint) Security

Anti-virus, anti-malware and vulnerability management

Microsoft Defender Antivirus is the built-in anti-virus / anti-malware engine on Windows (the Microsoft Antimalware extension provides the same for Azure VMs), and Microsoft Defender for Endpoint adds endpoint detection and response (EDR) on top of it. The wider "Microsoft Defender" brand is the Extended Detection and Response (XDR) family, composed of two products:

1. Azure Defender: provides XDR for Azure and hybrid environments (servers, SQL, storage, Key Vault, containers and so on).

2. Microsoft 365 Defender: helps stop attacks across Microsoft 365 services (identities, endpoints, email, apps) and auto-heals affected assets.

Azure Defender for servers provides threat protection for workloads running in Azure, on-premises and in other clouds (via Azure Arc). It is tightly integrated with Azure Security Center, integrates with a SIEM to streamline threat mitigation, and covers vulnerability management through its integrated vulnerability assessment scanner (powered by Qualys), whose findings appear as Security Center recommendations per VM.
 
Introduction to Azure Defender

Host-based Firewalls 

Host-based firewalls are a second layer behind NSGs, not a replacement for them (and vice versa): Windows Defender Firewall with Advanced Security on Windows, and iptables / nftables (or front-ends such as firewalld and ufw) on Linux. Keep them on, and keep the host rules consistent with the NSG so that a misconfiguration in one layer is caught by the other.

Security Updates 

Update Management in Azure Automation can be used to manage OS updates for Windows and Linux VMs in Azure, physical machines or VMs in on-premises environments, and in other cloud environments. 
 
Official Microsoft documentation

VM Disk Encryption 

Azure Disk Encryption (ADE) uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks inside the guest. The solution is integrated with Azure Key Vault, which must be in the same region as the VM, to control and manage the disk-encryption keys and secrets.

Be aware that ADE is supported only on certain OS images and VM sizes, is not enabled by default, and needs some planning (key vault, backup and boot diagnostics) before it is enabled. Note the distinction from server-side encryption of managed disks, which is always on at the storage layer: ADE additionally protects the disk contents from anyone who obtains the VHD from the storage platform, because the key lives in Key Vault and is only used inside the guest.
 
Azure Disk Encryption for virtual machines and virtual machine scale sets

Storage Security

Azure Storage Service Encryption (SSE) 

Enabled by default and impossible to disable, Azure Storage Service Encryption (SSE) automatically encrypts customer data before persisting it to Azure Managed Disks, Azure Blob, Queue or Table storage, or Azure Files, and decrypts it on retrieval. Encryption, decryption and key management are transparent to users. All data written to the storage platform is encrypted with 256-bit AES. By default the keys are managed by Microsoft; a storage account can instead use customer-managed keys held in Azure Key Vault (including HSM-backed keys), which lets you control rotation and revoke access by disabling the key, and infrastructure encryption can be enabled for a second, independent encryption layer where regulation demands it. Note that encryption at rest says nothing about who can read the data: access is governed by the account keys, shared access signatures (SAS) and Azure AD RBAC, so enforce "secure transfer required" (HTTPS only), avoid handing out account keys, and prefer Azure AD authorisation with short-lived SAS for everything else.
 
Azure Storage encryption for data at rest

DevSecOps

Azure DevOps 

Increasing cyber threats pose new, serious challenges to traditional ways of developing applications, so security must be built into the development process rather than bolted on as an afterthought. DevSecOps stems from DevOps and requires security to be part of software development and testing from the start, and the release pipeline itself to be hardened. Azure DevOps allows a large number of open-source and commercial tools to be integrated into build and release pipelines to help deliver robust, high-quality code and reduce technical debt, for example:

1. SonarCloud: a hosted static analysis (SAST) service integrated into the build (CI) stage that scans for code quality issues, bugs, code smells and security vulnerabilities, and can fail the build on a quality gate.
2. WhiteSource Bolt: software composition analysis (SCA) that scans the dependencies your code pulls in (especially open-source packages) for known vulnerabilities, outdated libraries and licence issues, for compliance purposes.
3. SonarQube: the self-hosted edition of SonarCloud, for teams that cannot send source code to a hosted service.

These tools continuously look for security vulnerabilities, code quality issues, bugs and licensing violations throughout the SDLC rather than at the end, on the finished product, using automation to reduce manual effort and increase the speed of delivery.

DevSecOps treats security as a continuous process, not a one-off activity. Every time code is written or updated it is validated by the pipeline before it is merged (branch policies with a required build on pull requests make this mandatory). Hardening the pipeline also means keeping secrets out of it: pipeline variables should come from a variable group linked to Key Vault rather than from plain-text YAML or build variables, and service connections should be scoped to the minimum resource group and permissions they need.

Container Security

Azure Security Center and Azure Defender 

Azure Security Center and the integrated Azure Defender plans (for Kubernetes and for container registries) together bring a host of security features to a containerised environment. They cover:

1. The Kubernetes cluster: hardening recommendations for the AKS control plane and API server, run-time threat detection from the Kubernetes audit log, and policy enforcement through the Azure Policy add-on for AKS (Gatekeeper), for example blocking privileged containers or images from untrusted registries
2. Nodes (the VMs running containers): the same Azure Defender for servers protections, plus Docker host hardening checks
3. Containers: run-time detection of suspicious behaviour inside containers
4. Azure Container Registry (ACR): vulnerability scanning of pushed images (powered by Qualys), with findings surfaced as recommendations so that vulnerable images are fixed before they are deployed

The general rule for ACR: do not expose it publicly, disable the admin account, pull images with a Managed Identity or service principal, and reference images by digest or a pinned tag so that what was scanned is what runs.
 
Container Security

To wrap this all up: security in the cloud, as opposed to traditional on-prem environments, is a shared responsibility between the cloud provider and the customer. The split depends on the service model: with IaaS the customer still owns the OS, patching, host firewall and everything above it; with PaaS the provider takes over the OS and runtime; with SaaS the customer is left with identity, access and data. Before you start consuming a service, invest some time in understanding these areas of ownership and plan the relevant controls. I believe this article is a good first step in that direction: Azure security best practices and patterns

 

At Eighty20 Solutions, our goal is to deliver technology transformations in a faster, simpler, and more collaborative manner working with our clients. If you are looking at a cloud journey and are looking at partners who get in the trenches, work shoulder to shoulder with your team, and stay the course, while you help your organisation to sustain long-term, strategic technology investments, embrace change, and realise benefits – as opposed to leaving the teams grappling with shiny new technical debt – reach out to us today