Common Azure Security Mistakes And How To Avoid Them
When a company needs a cloud provider that can deliver a consistent experience for both its own business and consumer use, Microsoft Azure can be an excellent choice. Microsoft’s cloud infrastructure is second to none, with robust service offerings and a strong emphasis on security, which can help avoid many of the pitfalls associated with public cloud infrastructures.
If, that is, it’s configured correctly.
Unfortunately, misconfigured cloud systems are all too common, and that leads to elevated risk of data theft or worse. Estimates are that more than half of companies using cloud services are exposing critical data to the public – and in our experience, that’s probably a conservative estimate. It’s one of the reasons products such as our AuditWolf are needed to help companies lock down their cloud infrastructure, reaping the benefits of the cloud without increasing their threat exposure.
We do tend to see some issues more often than others, so in this article, we wanted to simply lay out some of the most common Azure security mistakes we come across.
Five Azure Security Issues That Could Expose Your Cloud To Malicious Activity
1 – Not utilizing Multi-Factor Authentication (MFA)
This one is simple. As we discussed in our recent article about the Gentoo GitHub attack, there is no good reason not to use two-factor authentication on your critical cloud infrastructure. Azure MFA allows for second-stage authentication via a variety of mediums including SMS, phone calls, OATH tokens, and a mobile app. With MFA enabled, it becomes vastly more difficult for attackers to access your vital cloud systems based on a single compromised admin account.
2 – Failing to track resource usage
Azure has robust metrics for tracking virtually every aspect of your cloud system, including usage. Unfortunately, many companies don’t watch usage very closely, and this creates issues in multiple ways. For one thing, abnormal resource usage is one of the most common red flags for unauthorized access due to credential abuse – if someone notices. Also, on a more basic level, monitoring your resource usage carefully will help you avoid over-paying for cloud services. This is particularly true for rarely-used or disused resources. Don’t store anything online that you don’t need.
All this is also true of your activity logs. These can also help you spot potential intrusions, as well as helping you optimize your cloud services usage. If necessary, look for software which can do some of the monitoring on your behalf, and alert you to unusual activity.
3 – Not properly utilizing Role-Based Access Control (RBAC)
There’s probably no single bigger security issue in any scenario than users having broad permissions which go beyond the scope of their job role. Enter RBAC. RBAC allows you to specify roles and the access privileges which accompany them, greatly simplifying the job of determining what level of access any particular user should be granted. Azure’s configuration options are robust, covering everything from subscriptions and resource groups, to individual assets such as VMs and storage accounts. If needed, you can even create your own custom roles completely from scratch.
If you’re still configuring access privileges by hand on a per-user basis, you may be exposing your business to unneeded risk: the added complexity of granting access one individual at a time makes it easy to give the wrong people too much access to the wrong resources.
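One way to review existing assignments for the two problems described above, as an added example (not AuditWolf code). It assumes the assignments were exported with `az role assignment list --all -o json`; the sample records, the list of roles treated as broad, and the function name are constructed for illustration.

```python
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

# Constructed sample shaped like `az role assignment list --all -o json` output.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "ops-team", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-demo"},
    {"principalName": "vm-admins", "principalType": "Group",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-demo"},
]

# Assumption: built-in roles treated as "broad" for this review.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Matches a scope that is a whole subscription, not a resource group or resource.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$")

def review_assignments(assignments):
    """Return (principal, role, reasons) for each assignment worth a second look."""
    findings = []
    for a in assignments:
        reasons = []
        if (a["roleDefinitionName"] in BROAD_ROLES
                and SUBSCRIPTION_SCOPE.match(a["scope"])):
            reasons.append("broad role at subscription scope")
        if a["principalType"] == "User":
            reasons.append("assigned per-user instead of via a group")
        if reasons:
            findings.append((a["principalName"], a["roleDefinitionName"], reasons))
    return findings

if __name__ == "__main__":
    for principal, role, reasons in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{principal} ({role}): {'; '.join(reasons)}")
```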
4 – Improperly-configured Network Security Groups
A Network Security Group (NSG) is a powerful tool that allows you to define a wide variety of security settings for a large group of users or connected assets. However, that same reach means a single misconfiguration can open huge gaps in your security. By default, an NSG is fairly locked-down. Go slowly when setting one up, and only open up connections on specific ports or to specific applications when needed.
5 – Not protecting data at rest
When your data isn't being actively used, it needs to be protected via encryption. There are two basic components to this. One is Storage Service Encryption (SSE), which can be used to encrypt any and all data before it’s saved to Azure Storage. Access can then be managed via RBAC, Network Security Groups, and similar permissions-based settings. The other component is Transparent Data Encryption (TDE), which similarly protects your Azure SQL Database and Azure Data Warehouse. Both should always be enabled.
Lock Down Your Azure Cloud With AuditWolf
AuditWolf was designed to make Azure cloud security simple while making cloud configuration management safe, even for those without security experts on staff. Our easy-to-use software package can perform full security audits, searching for mistakes like those discussed above as well as many others, and can also maintain constant monitoring over your Azure account for unusual activity.
Contact us to learn more or to schedule a demonstration.