Data & Network Security in Azure

In today’s world of remote and hybrid work, ensuring you and your customers’ infrastructure is secure is more important than ever. The focus has also shifted from only securing the network itself to putting greater emphasis on endpoint security.

Microsoft’s security offering is world-class due to the strength of its physical datacentre security and the depth of insight they are able to make use of from the data generated across Microsoft-integrated security systems worldwide.

In this article, we’ll briefly touch on some of Microsoft’s best practice security guidelines.

1. Security in Microsoft datacentres

Network infrastructure

Microsoft’s Azure networks are only visible and accessible to devices and personnel that use Azure. They serve no other purpose than to facilitate the Azure network. Microsoft operates with strict access protocols such as ‘just-in-time’ access and ‘privileged access workstation control’ to stop any unauthorised personnel from accessing your data, wherever it is hosted.

Microsoft’s network of global datacentres that host Azure data and manage traffic to and from instances of hardware are among the most secure commercial locations in existence. Cabling, rack equipment, monitoring equipment and physical security measures are all managed directly by Microsoft and each Azure subscriber has their network completely isolated from all other customer networks, ensuring that data is kept distinct from one customer to another. To date, there has been no reported instances of the Azure platform confusing one company’s information with another’s.

DDoS protection

Microsoft’s datacentres benefit from the very latest in distributed denial of service (DDoS) attack countermeasures, that protects data from sustained, brute force attacks on network entry points. Azure ‘scrubs’ incoming data and identifies abnormalities in Internet traffic to highlight such problems before they occur and takes immediate action to prevent DDoS attacks from causing harm to data and systems.

Hardware and firmware security

Microsoft deploys a range of highly technical, internal security measures within the architecture of the physical servers that Azure uses to host data. The two most important methods are known as Project Cerberus and ‘confidential computing’. Project Cerberus refers to a computer chip that ensures that all the main components (both software and hardware) of a server are legitimate, and working together securely, to published Microsoft protocols. Confidential Computing is a concept that looks at developing new ways of encrypting data in transit and looking to encrypt data while in use. The Confidential Computing Consortium is made up of major tech organisations such as Google, Microsoft, Intel and IBM.

Among Microsoft’s over 140,000 members of staff worldwide, approximately 3,500 are cybersecurity professionals who work around the clock to ensure that Microsoft’s network of datacentres are kept secure 24 hours a day, 7 days a week, 365 days a year. As part of this effort, they use the red team/blue team method to test their own security. The red team continually attempts to gain unauthorised access to a sectioned-off part of Azure, and the blue team’s job is to stop them. Both teams then evaluate their methods at the end of the exercise and update Azure’s best practice guidelines accordingly.

2) Azure Identity Management best practice

Identity management is the process by which Azure grants a ‘security principal’ (anything on the network that can be authenticated, like a user or a device) access to data. It’s often the first line of defence against any malicious attempt to access a network

Identity and Access Management (IAM) secures data in the cloud by exercising tight controls over who and what can access network resources, via a network management feature called Azure Active Directory, and tools such as multi-factor authentication (MFA) and conditional access.

Microsoft’s published best practice guidelines for administering identities on an Azure network:

• Treat identity as the first line of defence – Promote a culture that identifies logon activity as the major security consideration of your annual IT plan. Centralise IAM activity – Build a clearly identifiable Azure Active Directory instance that acts as what’s known as a ‘single authoritative source’ – i.e. a central hub for authentication and administrative activity.
• Manage connected services – Azure gives you the ability to connect various other products and services to your domain. You need to ensure that Global Administrators (i.e. IT staff) have full visibility of anything that could compromise your network.
• Enable ‘Single Sign-on’ (SSO) – SSO allows your staff to use the same set of login credentials for applications, data and resources across your entire Azure solution, allowing for ease of administration and a decreased risk of malicious login activity.
• Make us of ‘Conditional Access’ – Conditional Access allows you to specify when certain devices and user accounts can access resources, and – equally as important – where from (e.g. specific IP addresses and physical locations).
  Manage passwords and enable MFA – Make sure that your organisation adheres to password management protocols such as complexity parameters and multi-factor authentication.
• Enable active monitoring on all security platforms – Azure provides active threat protection as standard. Ensure that your IT staff are monitoring alerts as they come in from sources such as suspicious IP addresses, anonymous sign-ins, compromised devices and brute force login attempts.

3. Azure network security best practice

Where IAM deals with access to data from individuals, accounts and devices on a network, Azure’s network security protocols dictate how virtual resources and network traffic interact to protect your network from potential intrusions.

• Make use of accepted network controls – Your Azure virtual machines (VMs) should function together in the same way as a physical computer network does – i.e. with assigned network cards that are identifiable across your network and adherent to a strict set of IP addressing rules. Operate a ‘Zero Trust’ policy – Instead of verifying a request for data based on where the request has originated from (i.e. within your network), a Zero Trust approach makes no assumptions and only grants access at the point of it being requested (subject to the usual authentication methods).
• Use sensible IP ranges – To easily identify network traffic to and from data sources, segment parts of your network with sensible private IP ranges and enact network access controls to govern traffic between them. You can also amend Azure’s routing rules to cater for security applications and devices that defend your data from routing-based attacks.
• Use virtual security applications – Microsoft provide a whole host of countermeasures including firewalls, botnet protection tools, content filtering controls to stop phishing attacks and real-time intrusion detection services.
• Make use of ‘DMZs’ – A DMZ (also known as a ‘perimeter network’) is a catch-all term for a buffer network between you and the outside world. A DMZ is the first port of call for incoming traffic and hosts most of the security measures we’ve mentioned above, such as DDoS prevention, firewalls and content filtering platforms.
• Use Azure-approved WAN connections – Depending on the complexity of your setup, you may need to provide dedicated ‘always on’ connections between your Azure data and onsite equipment. Azure recommends two methods: Site-to-Site VPN (S2S) or Azure ExpressRoute.
• Remove RDP/SSH functionality – Poorly managed port rules, including any that grant public access to a network on port 3389 (Remote Desktop Protocol) are among the main culprits when it comes to networks that have suffered a ransomware attack.