Are you confused by the many pages of official Azure documentation available at your fingertips? Don't know how to focus your search based on your requirements?
This blog lists all Azure security services on one page and mentions areas where Azure has provided security services.
Security is integral to the entire lifecycle of an application, from design and implementation to deployment and operations. Organizations face many challenges in securing their datacenters and keeping pace with the volume and complexity of threats. One of the most common attack vectors is an endpoint exposed to the open internet.
Azure offers unified security management and advanced threat protection for your resources, whether they are in the cloud, in your own datacenter, or both. It provides a secure foundation across physical, infrastructure and operational security. The picture below gives an overview of how to build a secure and compliant application infrastructure, based on industry standards, using Azure services.
Figure: Defense-in-depth security layers
Azure offers many security-related services and technologies. Based on this classification you can identify the type of security you need and the related security services, which helps you select the right cloud solutions for your organization.
Azure has many built-in security controls for services such as:
Azure App Service
Azure Resource Manager
Azure Cosmos DB
Azure Event Hubs
Azure Key Vault
Azure Load Balancer
Azure Service Bus Messaging
Azure Service Bus Relay
Azure Service Fabric
Azure SQL Database
Azure Virtual Machine Scale Sets
Linux Virtual Machines
Windows Virtual Machines
Azure VPN Gateway
For more details of each service, you can visit here.
Here are some of the areas where Azure offers security services:
Identity and access management
Backup and disaster recovery
Internet of Things security
Best practices for Data Security
At rest: includes all data that exists statically on physical media, whether magnetic or optical disk. To protect data at rest, encryption at rest is designed to prevent an attacker from accessing unencrypted data by ensuring the data is encrypted while it is on disk.
In transit: data being transferred between components, locations or programs is in transit. Examples are transferring data over the network or across a service bus (from on-premises to the cloud and vice versa). Encryption in transit protects data that is transmitted across networks, e.g. transport-level encryption, wire encryption and client-side encryption.
Choose a key management solution
Azure Key Vault is the recommended key management solution; it helps safeguard the cryptographic keys and secrets used by cloud applications and services. It creates multiple secure containers, called vaults, which are backed by HSMs. Using Key Vault lets you avoid writing storage keys into application configuration files, and so prevents exposing those keys to everyone who has access to the configuration files.
Secure email, documents, and sensitive data
In Azure, Azure Information Protection helps an organization classify, label and protect its documents and emails, inside and outside company walls.
Best practices for Database Security
Use firewall rules to restrict database access
Databases and servers are exposed to the internet, so to block unauthorized connection attempts, IP firewall rules are required to control which addresses may reach them. To know more, visit here.
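Azure SQL Database lets you manage those IP firewall rules from T-SQL as well as from the portal. The following is an added example, not code from the original post: it sets a server-level rule (in master) and a narrower database-level rule, lists what is currently allowed so that an "allow everything" rule stands out, and removes such a rule. The rule names, the server and the 203.0.113.0/24 addresses are placeholders.

```sql
-- Added example: managing Azure SQL Database IP firewall rules with T-SQL.
-- Rule names and IP addresses are placeholders (203.0.113.0/24 is a
-- documentation range).

-- 1. Server-level rules live in the master database and apply to every
--    database on the logical server. Run this while connected to master.
EXECUTE sp_set_firewall_rule
    @name             = N'AllowAppSubnet',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.20';

-- 2. Database-level rules are scoped to a single database; prefer them when
--    only that database should be reachable from an address. Run this while
--    connected to the target database.
EXECUTE sp_set_database_firewall_rule
    @name             = N'AllowReportingHost',
    @start_ip_address = '203.0.113.42',
    @end_ip_address   = '203.0.113.42';

-- 3. Review what is currently allowed. A rule spanning 0.0.0.0 to
--    255.255.255.255 admits the whole internet and should not exist.
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules;            -- server-level rules (query from master)

SELECT name, start_ip_address, end_ip_address
FROM sys.database_firewall_rules;   -- database-level rules (query from the database)

-- 4. Remove an overly broad rule by name (server-level shown; use
--    sp_delete_database_firewall_rule for database-level rules).
EXECUTE sp_delete_firewall_rule @name = N'AllowAll';
```

Database-level rules are evaluated first; a connection that matches neither a database-level nor a server-level rule is refused before authentication is attempted, which is why the listing queries are worth running as part of a periodic review.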
Enable database authentication
SQL Database supports two types of authentication:
SQL Server authentication: SQL Database supports environments with mixed operating systems, where not all users are authenticated by a Windows domain; SQL Server authentication addresses this case. There are two possible modes: Windows Authentication mode and mixed mode. Windows Authentication mode enables Windows Authentication and disables SQL Server Authentication. Mixed mode enables both Windows Authentication and SQL Server Authentication. Windows Authentication is always available and cannot be disabled.
Azure Active Directory (AD) authentication: Azure AD authentication is used to access Azure SQL Database and Azure SQL Data Warehouse with identities held in Azure AD. It gives you one central location to manage the identities of database users and of other Microsoft services.
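The practical difference between the two authentication types shows up in how database users are created. Below is an added example, not code from the original post, that creates a contained user for an Azure AD identity (no password is stored in the database; Azure AD issues the token) next to a contained SQL-authenticated user, gives each only the role it needs, and lists the result. The identity names and the password placeholder are assumptions.

```sql
-- Added example: least-privilege database users for each authentication type.
-- All names are placeholders. Run in the user database, connected as the
-- server's Azure AD administrator.

-- Azure AD authentication: contained users mapped to Azure AD identities
-- (an app's managed identity and an AD group here). Azure AD issues the
-- token; the database never stores a credential for them.
CREATE USER [orders-api]           FROM EXTERNAL PROVIDER;   -- managed identity of the app
CREATE USER [dba-team@contoso.com] FROM EXTERNAL PROVIDER;   -- Azure AD group

-- Grant only what each identity needs.
ALTER ROLE db_datareader ADD MEMBER [orders-api];
ALTER ROLE db_datawriter ADD MEMBER [orders-api];
ALTER ROLE db_owner      ADD MEMBER [dba-team@contoso.com];

-- SQL authentication: a contained database user with a password, for a
-- client that cannot obtain Azure AD tokens. The password belongs in
-- Key Vault, not in a configuration file or source control.
CREATE USER reporting_reader WITH PASSWORD = '<strong-password-placeholder>';
ALTER ROLE db_datareader ADD MEMBER reporting_reader;

-- Verify: list database principals with their authentication type.
-- type 'S' = SQL user, 'E' = external (Azure AD) user, 'X' = external group.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE type IN ('S', 'E', 'X')
  AND name NOT IN ('dbo', 'guest', 'sys', 'INFORMATION_SCHEMA');
```

Contained users (both kinds) are the recommended model on Azure SQL Database because the user travels with the database and no server-level login has to be kept in sync; the final query is a quick way to confirm that nothing has been granted more than the fixed role it was meant to have.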
Use encryption and row-level security to protect your data
Azure SQL Database transparent data encryption (TDE) encrypts and decrypts data in real time. It covers the database, its associated backups and its transaction log files at rest, without requiring changes to the applications.
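TDE protects the files on disk; row-level security (RLS) restricts which rows a connection may see once it is authenticated. The following is an added example, not code from the original post: it checks and enables TDE for the current database, then builds a complete RLS setup on a constructed multi-tenant Orders table, where the application stores its tenant id in SESSION_CONTEXT and a schema-bound predicate filters every query. The table, column names and tenant ids are constructed sample data.

```sql
-- Added example: confirm TDE, then add row-level security to a constructed
-- multi-tenant table. Table, columns and tenant ids are sample data.

-- Transparent data encryption is on by default for new databases; confirm it
-- and switch it on if it was disabled (encryption proceeds in the background).
SELECT db.name, db.is_encrypted, tde.encryption_state   -- 3 = encrypted
FROM sys.databases AS db
LEFT JOIN sys.dm_database_encryption_keys AS tde ON tde.database_id = db.database_id
WHERE db.name = DB_NAME();

ALTER DATABASE CURRENT SET ENCRYPTION ON;
GO

-- Constructed sample table: orders belonging to two tenants.
CREATE TABLE dbo.Orders (
    OrderId  INT           NOT NULL PRIMARY KEY,
    TenantId INT           NOT NULL,
    Amount   DECIMAL(10,2) NOT NULL
);
INSERT INTO dbo.Orders (OrderId, TenantId, Amount)
VALUES (1, 42, 10.00), (2, 42, 25.50), (3, 99, 7.00);
GO

-- Predicate functions must be schema-bound and live in their own schema so
-- that ordinary users cannot alter them.
CREATE SCHEMA Security;
GO

CREATE FUNCTION Security.fn_tenant_predicate(@TenantId INT)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS allowed
           WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT);
GO

-- FILTER hides other tenants' rows from SELECT/UPDATE/DELETE; BLOCK ... AFTER
-- INSERT stops a connection from inserting rows tagged with another tenant.
CREATE SECURITY POLICY Security.TenantPolicy
    ADD FILTER PREDICATE Security.fn_tenant_predicate(TenantId) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_tenant_predicate(TenantId) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- What the application does once per connection. @read_only = 1 prevents the
-- same session from changing the tenant later.
EXEC sp_set_session_context @key = N'TenantId', @value = 42, @read_only = 1;

SELECT OrderId, TenantId, Amount FROM dbo.Orders;   -- only orders 1 and 2 are visible
INSERT INTO dbo.Orders (OrderId, TenantId, Amount) VALUES (4, 99, 1.00);   -- blocked by the policy
```

Two points are easy to miss: a session with no TenantId set sees no rows at all, which is the safe default, and the policy applies to the owner and members of db_owner as well, so administrative tooling needs its own session context or a separate, audited path.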
Enable database auditing
Database auditing for a SQL Database instance tracks database events and writes them to an audit log in an Azure storage account. Auditing helps you maintain regulatory compliance and understand database activity. It facilitates adherence to compliance standards but does not guarantee compliance.
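Writing the audit log to storage is only useful if someone reads it. The following added example, not code from the original post, shows how to query those blob-stored audit files from T-SQL with sys.fn_get_audit_file and pull out the two things a defender looks at first: repeated failed logins per source address, and schema or permission changes that should map to a change ticket. The storage URL is a placeholder; the sqldbauditlogs container name is the one the service uses.

```sql
-- Added example: reading SQL Database audit logs from blob storage.
-- The storage account, server and database in the path are placeholders.
DECLARE @audit_path NVARCHAR(260) =
    N'https://<storageaccount>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/';

-- 1. Failed logins in the last 24 hours, grouped by source address and
--    attempted principal. Many failures from one address suggest guessing.
SELECT client_ip,
       server_principal_name,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'                                   -- LOGIN FAILED
  AND event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())   -- event_time is UTC
GROUP BY client_ip, server_principal_name
ORDER BY failures DESC;

-- 2. Schema and permission changes, with the statement that made them.
--    Each of these should correspond to an approved change.
SELECT a.event_time,
       a.server_principal_name,
       a.client_ip,
       d.name AS action_name,
       a.object_name,
       a.statement
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT) AS a
JOIN sys.dm_audit_actions AS d ON d.action_id = a.action_id
WHERE a.action_id IN ('CR', 'AL', 'DR', 'G', 'R', 'D')   -- create, alter, drop, grant, revoke, deny
  AND a.succeeded = 1
ORDER BY a.event_time DESC;
```

The same queries are a good candidate for a scheduled job or a Log Analytics workbook; the point is that the audit target is not an archive but a feed you actually consume.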
Enable database threat detection
Database threat detection helps you monitor a dynamic database environment where changes are hard to track, and helps you meet data privacy standards and regulatory compliance requirements. To know more, visit here.
Enable feature restrictions
Data in your databases can be exposed to attackers through attack vectors that leverage database error messages and query execution times. Enabling feature restrictions helps protect against these.
Best practices for Network Security
Use strong network controls
You can create a strong virtual network to control access. Connecting a virtual network interface card (NIC) to a virtual network allows TCP/IP-based communication between network-enabled devices. The network security elements you govern, which act as network virtual appliance functions, are ExpressRoute, virtual network and subnet provisioning, and IP addressing.
Azure DDoS Protection
DDoS is a type of attack that tries to exhaust application resources. Azure provides continuous protection against DDoS attacks, and Azure DDoS Protection is integrated into the Azure platform by default at no extra cost. Azure has two DDoS services that protect against network-layer attacks (Layers 3 and 4): DDoS Protection Basic and DDoS Protection Standard.
Use virtual network appliances
User-defined routing and network security groups provide network security at the network and transport layers of the OSI model. In some situations you need better security at higher levels of the stack, and Azure network security appliances can give you more than network-level controls offer. These appliances include:
Intrusion detection/intrusion prevention
Network-based anomaly detection
Avoid exposure to the internet with dedicated WAN links
Many companies take a hybrid IT route, where some components of a service run in Azure while other components remain on-premises. For this cross-premises connectivity, the offered solutions are:
Best practices for Azure Identity Management and access control security
Some of the best practices for Azure identity management and access control security are as follows:
Treat identity as the primary security perimeter
Azure Active Directory (Azure AD) is the Azure solution for identity and access management. It combines core directory services, application access management and identity protection into a single solution.
Enable single sign-on
Enabling single sign-on provides access to company resources and domain-joined devices from one sign-in. After that there is no need to sign in again for every single domain service.
Turn on Conditional Access
Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action.
Enforce multi-factor verification for users
Enforcing MFA this way requires users to perform two-step verification every time they sign in, and it overrides Conditional Access policies.