Azure Security Best Practices Checklist

The importance of following Azure security best practices in your environment is well-known. These practices are specifically designed to increase your security posture, no matter how you use Azure.

Yet, detailed practice guidelines aren’t always the easiest to follow if you aren’t an Azure expert. You need a digestible, straightforward way to track your security practices in order to keep your cloud service optimally protected.

That’s exactly what these checklists are here to deliver. We’ll provide an easy-to-use checklist for each security practice and a more detailed explanation of what each item means. With these guidelines, hopefully you will be better equipped to follow and communicate the protocols you need to follow.

“Everyone knows how important cybersecurity is. Yet, so many people don’t know where to start with it.” – Jacob Saunders, Executive Vice President of Professional Services, Atmosera

Azure Cloud Security Best Practices

1. Enable Multi-Factor Authentication (MFA)
2. Use Azure Security Center
3. Encrypt Data at Rest and in Transit

1. Enable Multi-Factor Authentication (MFA)

MFA requires two or more verification methods—something the user knows (password), something the user has (security token or phone), or something the user is (fingerprint or face recognition). Enabling MFA is simply a good cybersecurity practice in general, and it also applies to your Azure environment.

To enable Azure’s MFA:

1. Log in to Azure Portal
2. Navigate to Azure Active Directory on the left-hand pane
3. Under the “Security” section, click on “MFA”
4. Click on “User settings” to manage the MFA settings for users
5. Under “Multi-Factor Authentication,” click on “Enable” to turn on MFA for the selected users
6. Review & Save

2. Use Azure Security Center

Incorporating Azure Security Center into your security strategy is essential for safeguarding your Azure resources. This centralized tool actively monitors your environment and offers specific recommendations to help you enhance your protection.

Please note that the Security Center is not automatically enabled when you set up your Azure account. You need to manually enable it in your Azure Portal. The Security Center also has 2 tiers: free and standard.

• Free: no cost, but only covers Azure services.
• Standard: paid subscription, but extends coverage to hybrid environments. The price is based on the number of resources and features you use.

By default, Azure Security Center is set to the free tier. If you want to upgrade to standard, click on “Pricing & Settings” and select “Standard” on the Security Center menu in your Portal.

3. Encrypt Data at Rest and in Transit

Ensure that your data, whether stored or being transmitted, is encrypted. Encryption prevents people from reading your data if they don’t have the right encryption key. This extra layer of security means that even if unauthorized personnel access your data, they won’t be able to use it.

Azure Networking Best Practices

1. Implement Virtual Network Service Endpoints
2. Use Network Security Groups (NSGs)
3. Enable Azure DDoS Protection

1. Implement Virtual Network Service Endpoints

Ensure that your Azure services are only accessible within your virtual network. By restricting access to your virtual network, you minimize the potential entry points for malicious actors. Many industry compliance standards also require this step.

If you don’t already have a virtual network, here’s how to set it up.

1. Log in to Azure Portal
2. On the left-hand menu, select “Create a resource”
3. In the search box, type “Virtual Network” and select it from the list
4. Click the “Create” button
5. Configure your settings
6. Specify IP address range under the “IP Addresses” tab
7. Still under the “IP Addresses” tab, define at least one subnet
8. Review & Create

2. Use Network Security Groups (NSGs)

NSGs ensure that you’re controlling inbound and outbound traffic to network interfaces (NICs), virtual machines (VMs), and subnets. This gives you precise control over your network traffic to prevent unauthorized access, protect applications, and counter potential threats like DDoS attacks.

To create an NSG

1. Log in to Azure Portal
2. On the left-hand menu, select “Create a resource”
3. Search for “Network Security Group” and select it from the list
4. Click the “Create” button
5. Configure settings
6. Once your NSG is created, select it and navigate to “Inbound security rules” or “outbound security rules”
7. Click “Add” to create rules that define allowed or denied traffic
8. Navigate to the “Associations” section of your NSG and select the resources you want to link

3. Enable Azure DDoS Protection

Azure offers DDoS protection. You can find this as an additional feature for your virtual networks. Like the Security Center, Azure has 2 tiers of DDoS protection.

• Basic: free and automatically enabled, limited to traffic to and from the Azure platform
• Standard: paid and must be manually enabled, extends protection to virtual network resources

Azure Identity & Access Management Best Practices

1. Implement Azure AD Conditional Access
2. Use Managed Identities
3. Review and Prune Permissions Regularly

1. Implement Azure AD Conditional Access

Set up policies that enforce security requirements when accessing Azure AD connected applications. For instance, you can require MFA when a user accesses Azure AD from an unfamiliar location.

To set up a security policy:

1. Log in to Azure Portal
2. Select “Azure Active Directory”
3. Under the “Security” section, click on “Conditional Access”
4. Click on “+ New Policy” to start defining your security requirements
5. Provide a descriptive name that indicates the purpose of the policy
6. Under “Assignments,” select “Users and groups.” Choose specific users or groups this policy will apply to
7. Still under “Assignments,” select “Cloud Apps.” Choose the connected applications that the policy should cover
8. Enable & Save

2. Use Managed Identities

Managed identities ensure that user credentials are managed by Azure AD. This can drastically reduce the risk of these credentials being leaked. You can manually assign identities or let Azure do it for you.

To set up auto-assigned managed identities:

1. Log in to Azure Portal
2. Navigate to the Azure resource where you want to use a managed identity
3. On the resource’s left navigation pane, select “Identity”
4. Under the “System assigned” tab, set the status to “On” and save

3. Review and Prune Permissions Regularly

Over time, users might accumulate permissions that they no longer need. Regularly review and prune these permissions to adhere to the principle of least privilege. Neglecting this process increases your risk of unauthorized access or unintended changes.

Azure Storage Security Best Practices

1. Use Azure Storage Service Encryption (SSE)
2. Enable Azure Storage Account Firewalls
3. Rotate Storage Account Access Keys

1. Use Azure Storage Service Encryption (SSE)

We’ve already stressed the importance of encryption, but we only briefly touched on how to implement it. You can ensure that data stored in Azure Storage is encrypted at rest using SSE.

To verify SSE:

1. Log in to Azure Portal
2. Select “Storage Accounts”
3. Choose the specific storage account you want to configure
4. Under the “Security + networking” section in the storage account’s settings, click on “Encryption”
5. Ensure “Storage Service Encryption” is set to “Enabled”

By default, Azure encrypts data using Microsoft-managed keys. However, you can choose to use customer-managed keys if desired.

2. Enable Azure Storage Account Firewalls

Restrict access to your storage accounts by enabling firewalls. You can use Azure firewalls to only allow trusted IP addresses to access your data.

To do this:

1. Log in to Azure Portal
2. Select “Storage Accounts”
3. Choose the specific storage account you want to configure
4. Under the “Security + networking” section in the storage account’s settings, click on “Firewalls and virtual networks”
5. Under “Allow access from,” select the option “Selected Networks”
6. In the “Firewall” section, add the desired IP addresses or IP ranges that should be allowed access

3. Rotate Storage Account Access Keys

Regularly rotate and regenerate your storage account keys to ensure that any potential compromised keys are invalidated. Regular rotation also ensures that access by former team members or collaborators is curtailed.

Azure DevOps Security Best Practices

1. Limit Access With Role-Based Access Control
2. Use Secure Pipelines
3. Regularly Audit and Monitor Activities

1. Limit Access With Role-Based Access Control

Ensure only authorized individuals can access specific Azure resources. Role-based access control (RBAC) is a simple, yet effective way to do this.

To set up RBAC:

1. Log in to Azure Portal
2. Navigate to the resource you want to manage access for
3. On the resource’s navigation pane, click on “Access control (IAM)”
4. Click on “+ Add” and select “Add role assignment”
5. On the “Role” dropdown, select the appropriate role that aligns with the permissions you want to grant
6. On the “Assign access to” dropdown, choose the type of entity you’re granting access to (e.g., User, Group, Service Principal)
7. Search for and select the specific user or group in the “Select” field
8. Save the assignment

2. Use Secure Pipelines

Implement security checks in your CI/CD pipelines. This ensures that the code being deployed is free from vulnerabilities. It can also act as a proactive defense mechanism that catches potential threats before they get a chance to proliferate.

Adding security checks to your CI/CD pipelines involves integrating tools and practices that analyze and validate your code for vulnerabilities during the development and deployment process. Therefore, the way in which you implement them varies based on the tools, languages, and policies you use.

3. Regularly Audit and Monitor Activities

Keep an eye on operations within your DevOps environment. Regular audits are crucial to help you detect any unusual or unauthorized activities.

Furthermore, with the rapid pace of DevOps, continuous monitoring allows for real-time corrections. This helps reduce downtime and ensures that the development and deployment processes remain agile and efficient.

Leave Your Data Security to The Experts with Managed Security and Governance

Maintaining Azure best practices can take a lot of time and energy. As you may have noticed, there are a lot of factors you need to consider every time you perform an Azure security assessment.

If you simply don’t have time to follow our checklists, you can entrust it all to Atmosera’s managed Azure services. Our expert team has decades of experience securely managing sensitive data in multiple Azure cloud environments.

Gain peace of mind and save yourself time. Look toward an Azure MSP today.