Azure Platform
Azure is Microsoft's public cloud platform. It supports multiple programming languages, operating systems, frameworks, databases and devices, and its Linux container and Docker integration lets developers build applications in JavaScript, Python and .NET, among other technologies.
Azure's public cloud services are built on technologies already trusted by millions of IT professionals and developers worldwide, so whether you migrate existing workloads or develop new ones on the platform, you can rely on Azure's controls to help protect both your data and your applications.
Azure's infrastructure, from its facilities to its applications, was designed with millions of customers in mind and gives businesses a solid foundation on which to meet security regulations. Azure also provides configurable security options and controls so that security can be tailored to the unique requirements of each organization. This document explains how Azure's security capabilities meet these needs.
Overview Of Azure Security Features
Responsibility for security varies with the cloud service model (IaaS, PaaS or SaaS). The Azure platform offers built-in capabilities and partner solutions to help you meet your share of that responsibility. The built-in capabilities are organized into six functional areas: Operations, Applications, Storage, Networking, Compute and Identity. This section summarizes the key security features and capabilities in each area.
Microsoft Sentinel
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution. It delivers intelligent security analytics across the enterprise in a single platform for threat detection, visibility, proactive hunting and response.
Microsoft Defender For Cloud
Microsoft Defender for Cloud gives you better insight into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across all your Azure subscriptions, shows how well each resource is defended, and helps detect threats that would otherwise go unnoticed.
Defender for Cloud also supports security operations. Its dashboard surfaces alerts and recommendations for immediate action, and many recommendations can be remediated with a single click in the console.
Azure Resource Manager
Azure Resource Manager lets you work with the resources in your solution as a group: you can deploy, update or delete all of them in a single coordinated operation. Deployment uses an Azure Resource Manager template, and the same template can be used for test, staging and production environments. Resource Manager also provides security, auditing and tagging features to help you keep track of your resources after deployment.
Deploying through Azure Resource Manager templates improves the security of solutions deployed in Azure, because standard security settings can be built into the template and applied identically on every deployment, which reduces the chance of manual configuration mistakes. Keep templates in version control and review them like code: a weak setting in a template is replicated into every environment built from it.
Application Insights
Application Insights is an extensible Application Performance Management (APM) service for web developers. It monitors your live web application, automatically detects performance anomalies, and provides analytics tools for diagnosing issues and understanding what users actually do with the application, from testing through deployment. Its charts and tables show when during the day your app has the most users, how responsive it is, and how well the external services it depends on are performing.
When there are crashes, failures or performance issues, Application Insights provides the telemetry needed to pinpoint the cause quickly, and it can alert you by email whenever the availability or performance of your app changes. That makes it a useful security tool for the availability leg of the confidentiality, integrity and availability (CIA) triad.
Azure Monitor
Azure Monitor offers visualization, querying, routing, alerting, auto-scaling and automation over data from the subscription level (the Activity Log) and from individual Azure resources (Resource Logs). It can also notify you about security-related events recorded in these logs.
Azure Monitor logs
Azure Monitor Logs provides an IT management solution for both on-premises and cloud infrastructure, bringing log data from Azure resources, on-premises systems and other clouds such as AWS into one place. Because it collects and stores data from many sources, it gives you a single view across all the environments you manage.
Azure Monitor Logs is a useful tool for security analysis: it can search large volumes of security-related entries quickly using flexible queries, and firewall and proxy logs from on-premises systems can be exported into Azure and analyzed there as well.
Azure Advisor
Azure Advisor is a personalized cloud consultant that helps you optimize your Azure deployments. It analyzes resource configuration and usage telemetry and then recommends ways to improve the performance, security and reliability of your resources while reducing overall spend. Its security recommendations, which can significantly strengthen the security posture of solutions deployed in Azure, come directly from the analysis performed by Microsoft Defender for Cloud.
Applications
This section provides additional information about key application security features and summarizes these capabilities.
Penetration Testing
Microsoft does not perform penetration testing of your application for you, but it recognizes that you want and need to test your own applications. That is a good thing: when you improve the security of your applications, you help make the whole Azure ecosystem more secure. Although notifying Microsoft before pen testing is no longer required, you must still follow the Microsoft Cloud Penetration Testing Rules of Engagement.
Web Application Firewall
The web application firewall (WAF) in Azure Application Gateway helps protect web applications from common web-based attacks such as SQL injection, cross-site scripting and session hijacking. It comes preconfigured with protection against the threats identified by the Open Web Application Security Project (OWASP) as the top 10 most common vulnerabilities.
Authentication And Authorization In Azure App Service
App Service Authentication/Authorization is a feature that lets your application sign users in without changing code on the application back end. It provides an easy way to protect the application and to work with per-user data.
Layered Security Architecture
App Service Environments provide an isolated runtime environment deployed into an Azure Virtual Network, which makes them well suited to a layered security architecture with a different level of network access for each application tier. A common goal is to hide API back ends from general Internet access and allow them to be called only by the upstream web applications; Network Security Groups (NSGs) can be applied to the Azure Virtual Network subnets hosting App Service Environments to restrict public access.
Web Server Diagnostics And Application Diagnostics
App Service web apps provide diagnostic functionality for logging information from both the web server and the web application; the two are logically separated into web server diagnostics and application diagnostics. Web server diagnostics brings two major advances in diagnosing and troubleshooting sites and applications.
The first is real-time state information about application pools, worker processes, sites, application domains and running requests. The second is detailed trace events that track a request through the complete request-and-response cycle. To enable collection of these trace events, IIS 7 can be configured to capture full trace logs automatically, in XML format, for any particular request, based on elapsed time or error response codes.
Storage
This section provides additional information about key Azure storage security features and summarizes these capabilities.
Azure Role-Based Access Control (Azure RBAC)
Azure Role-Based Access Control (Azure RBAC) lets organizations protect storage accounts by restricting access on a need-to-know and least-privilege basis, which is essential for enforcing data-access policies and maintaining confidentiality. Access is granted by assigning Azure roles to users, groups and applications at a chosen scope (management group, subscription, resource group or individual resource); built-in roles such as Storage Account Contributor cover common sets of privileges. For storage accounts managed with Azure Resource Manager, Azure RBAC also governs who may read or regenerate the account access keys (for example, the Storage Account Key Operator Service Role), and data-plane roles such as Storage Blob Data Reader let you grant access to the data without handing out the keys at all.
Shared Access Signature
A Shared Access Signature (SAS) provides delegated access to resources in your storage account. With a SAS you can grant a client limited permissions to objects in the account, for a specified period and with a specific set of privileges, without sharing your account access keys with that client. Because the signature is computed from the account key, anyone who obtains the SAS can use it until it expires: keep lifetimes short, scope permissions narrowly, and prefer a user delegation SAS (signed with Microsoft Entra credentials rather than the account key) for blob storage where possible.
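To make the mechanism concrete, the following added example (written for this page, not Microsoft code or Azure SDK code) signs and verifies an account SAS the way the service does. It reproduces the documented account-SAS string-to-sign for service versions before 2020-12-06; the account name and key are constructed demo values, and in production you would generate tokens with the Azure SDK (for example `generate_account_sas` in azure-storage-blob) rather than hand-rolling them. What it shows is that the client never holds the key, that editing any signed parameter (here, promoting `sp=rl` to `sp=rwl`) invalidates the signature, and that the service enforces expiry and permissions from the signed fields, not from anything the client claims.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed demo values: neither the account nor the key is real. A real account key is
# random data, base64-encoded; a fixed 32-byte key is enough to show the mechanism.
ACCOUNT_NAME = "examplestorage"
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
SAS_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _sign(string_to_sign: str, account_key_b64: str) -> str:
    """HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the decoded account key."""
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def account_sas_string_to_sign(params: dict) -> str:
    """Documented account-SAS field order for service versions before 2020-12-06 (later
    versions append signedEncryptionScope). Every field is newline-terminated, so changing
    any signed parameter changes this string and therefore the signature."""
    return "\n".join([
        ACCOUNT_NAME, params["sp"], params["ss"], params["srt"], params.get("st", ""),
        params["se"], params.get("sip", ""), params["spr"], params["sv"],
    ]) + "\n"


def issue_account_sas(permissions, services, resource_types, expiry, start=None,
                      ip_range="", protocol="https", version="2020-10-02",
                      account_key_b64=ACCOUNT_KEY_B64) -> str:
    """Issuer side: produce the query string the client receives instead of the key."""
    params = {"sv": version, "ss": services, "srt": resource_types, "sp": permissions,
              "se": expiry.strftime(SAS_TIME_FMT), "spr": protocol}
    if start is not None:
        params["st"] = start.strftime(SAS_TIME_FMT)
    if ip_range:
        params["sip"] = ip_range
    params["sig"] = _sign(account_sas_string_to_sign(params), account_key_b64)
    return urlencode(params)


def verify_account_sas(query: str, now: datetime, wanted_permission: str,
                       account_key_b64=ACCOUNT_KEY_B64):
    """Service side: recompute the signature with the account key, then enforce the signed
    constraints. Returns (allowed, reason)."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        expected = _sign(account_sas_string_to_sign(params), account_key_b64)
    except KeyError as missing:
        return False, f"missing field {missing}"
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False, "signature mismatch"          # token altered, or signed with another key
    expiry = datetime.strptime(params["se"], SAS_TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "expired"
    if "st" in params:
        start = datetime.strptime(params["st"], SAS_TIME_FMT).replace(tzinfo=timezone.utc)
        if now < start:
            return False, "not yet valid"
    if wanted_permission not in params["sp"]:
        return False, f"permission {wanted_permission!r} not granted"
    return True, "ok"


def demo():
    """Issue one read/list token, then show the checks a service applies before honouring it."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    token = issue_account_sas("rl", "b", "co", expiry=now + timedelta(hours=1))
    return {
        "valid_read": verify_account_sas(token, now, "r"),
        "write_not_granted": verify_account_sas(token, now, "w"),
        # The client edits sp=rl to sp=rwl hoping for write access: the signature no longer matches.
        "tampered": verify_account_sas(token.replace("sp=rl", "sp=rwl"), now, "w"),
        "expired": verify_account_sas(token, now + timedelta(hours=2), "r"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

The verify step compares signatures with `hmac.compare_digest` and rejects on signature before it looks at expiry or permissions, which is the order you want: nothing in an unsigned or altered token should influence the decision.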
Encryption at rest
For many organizations, encryption of data at rest is a mandatory step toward data privacy, compliance and data sovereignty. Three Azure storage security features provide encryption of data at rest:
- Storage Service Encryption: the storage service automatically encrypts data when writing it to Azure Storage (it is enabled by default for all storage accounts).
- Client-side encryption: the client library encrypts data before sending it to the service, so the data is also encrypted at rest and the service never handles the plaintext.
- Azure Disk Encryption for Linux VMs and Azure Disk Encryption for Windows VMs allows you to encrypt the OS and data disks used by an IaaS virtual machine.
Storage Analytics
Azure Storage Analytics performs logging and provides metrics data for a storage account. You can use this data to trace requests, analyze usage trends, and diagnose issues with your storage account. Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. The following types of authenticated requests are logged:
- Successful requests.
- Failed requests, including timeout, throttling, network, authorization, and other errors.
- Requests using a Shared Access Signature (SAS), including failed and successful requests.
- Requests to analytics data.
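As an added example (not from the original page or from Microsoft), the following Python parses Storage Analytics version 1.0 log lines and runs two detections over them: a burst of authorization failures from a single address, and successful anonymous reads, which reveal containers with public access enabled. The log lines are constructed to match the documented field layout and are not real traffic; the account name, addresses and request IDs are placeholders, and the `threshold` and `window` values are assumptions to tune for your own environment.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Field names of a Storage Analytics log entry, in the documented version 1.0 order.
FIELDS = [
    "version-number", "request-start-time", "operation-type", "request-status",
    "http-status-code", "end-to-end-latency-in-ms", "server-latency-in-ms",
    "authentication-type", "requester-account-name", "owner-account-name", "service-type",
    "request-url", "requested-object-key", "request-id-header", "operation-count",
    "requester-ip-address", "request-version-header", "request-header-size",
    "request-packet-size", "response-header-size", "response-packet-size",
    "request-content-length", "request-md5", "server-md5", "etag-identifier",
    "last-modified-time", "conditions-used", "user-agent-header", "referrer-header",
    "client-request-id",
]

# Constructed sample lines (not real traffic): five SAS failures from one address inside two
# minutes, one isolated failure from inside the VNet, one anonymous read of a public
# container, and one legitimate SAS upload whose user agent has a ';' inside the quotes.
SAMPLE_LOG = """\
1.0;2024-03-04T10:15:01.0000000Z;GetBlob;SASAuthorizationError;403;5;4;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance/q1.xlsx?sv=2020-10-02&sp=r&sig=REDACTED";"/contoso/finance/q1.xlsx";7a1c0c4e-0000-0000-0000-000000000001;0;198.51.100.23;2020-10-02;300;0;220;0;0;;;;;;"curl/8.4.0";;"c1"
1.0;2024-03-04T10:15:13.0000000Z;GetBlob;SASAuthorizationError;403;5;4;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance/q1.xlsx?sv=2020-10-02&sp=r&sig=REDACTED";"/contoso/finance/q1.xlsx";7a1c0c4e-0000-0000-0000-000000000002;0;198.51.100.23;2020-10-02;300;0;220;0;0;;;;;;"curl/8.4.0";;"c2"
1.0;2024-03-04T10:15:40.0000000Z;GetBlob;SASAuthorizationError;403;5;4;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance/q2.xlsx?sv=2020-10-02&sp=r&sig=REDACTED";"/contoso/finance/q2.xlsx";7a1c0c4e-0000-0000-0000-000000000003;0;198.51.100.23;2020-10-02;300;0;220;0;0;;;;;;"curl/8.4.0";;"c3"
1.0;2024-03-04T10:16:05.0000000Z;GetBlob;SASAuthorizationError;403;5;4;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance/q2.xlsx?sv=2020-10-02&sp=r&sig=REDACTED";"/contoso/finance/q2.xlsx";7a1c0c4e-0000-0000-0000-000000000004;0;198.51.100.23;2020-10-02;300;0;220;0;0;;;;;;"curl/8.4.0";;"c4"
1.0;2024-03-04T10:16:58.0000000Z;GetBlob;SASAuthorizationError;403;5;4;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance/q3.xlsx?sv=2020-10-02&sp=r&sig=REDACTED";"/contoso/finance/q3.xlsx";7a1c0c4e-0000-0000-0000-000000000005;0;198.51.100.23;2020-10-02;300;0;220;0;0;;;;;;"curl/8.4.0";;"c5"
1.0;2024-03-04T10:20:00.0000000Z;ListBlobs;AuthorizationError;403;3;2;authenticated;contoso;contoso;blob;"https://contoso.blob.core.windows.net/finance?restype=container&comp=list";"/contoso/finance";7a1c0c4e-0000-0000-0000-000000000006;0;10.0.1.4;2020-10-02;350;0;230;0;0;;;;;;"AzCopy/10.21";;"c6"
1.0;2024-03-04T10:21:30.0000000Z;GetBlob;AnonymousSuccess;200;12;10;anonymous;;contoso;blob;"https://contoso.blob.core.windows.net/public-assets/logo.png";"/contoso/public-assets/logo.png";7a1c0c4e-0000-0000-0000-000000000007;0;203.0.113.9;2020-10-02;250;0;300;4096;0;;;"0x8DC3C0A1B2C3D4E";Monday, 04-Mar-24 09:00:00 GMT;;"Mozilla/5.0";;"c7"
1.0;2024-03-04T10:22:10.0000000Z;PutBlob;SASSuccess;201;30;25;sas;;contoso;blob;"https://contoso.blob.core.windows.net/uploads/report.pdf?sv=2020-10-02&sp=w&sig=REDACTED";"/contoso/uploads/report.pdf";7a1c0c4e-0000-0000-0000-000000000008;0;10.0.1.4;2020-10-02;400;20480;200;0;20480;;"AbCdEf==";"0x8DC3C0A1B2C3D5F";Monday, 04-Mar-24 10:22:10 GMT;;"WA-Storage/4.0.0 (.NET CLR 4.0.30319; Win32NT 6.3)";;"c8"
"""


def parse_ts(value: str) -> datetime:
    """Analytics timestamps carry seven fractional digits; strptime's %f accepts at most six."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def parse_log(text: str):
    """Entries are ';'-delimited with double-quoted string fields, so a plain split() would
    break on the ';' inside a user-agent string; the csv module handles the quoting."""
    records = []
    for row in csv.reader(text.splitlines(), delimiter=";", quotechar='"'):
        if not row:
            continue
        rec = dict(zip(FIELDS, row))
        rec["_ts"] = parse_ts(rec["request-start-time"])
        rec["_complete"] = len(row) == len(FIELDS)   # flags truncated or unexpected layouts
        records.append(rec)
    return records


def auth_failure_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Addresses that produced at least `threshold` authorization failures inside any sliding
    window. Matches AuthorizationError, SASAuthorizationError and AnonymousAuthorizationError."""
    by_ip = defaultdict(list)
    for r in records:
        if r["request-status"].endswith("AuthorizationError"):
            by_ip[r["requester-ip-address"]].append(r["_ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def anonymous_reads(records):
    """Successful unauthenticated reads: each one names a container with public access on."""
    return sorted((r["requester-ip-address"], r["requested-object-key"])
                  for r in records
                  if r["request-status"] == "AnonymousSuccess" and r["operation-type"] == "GetBlob")


def triage(text: str = SAMPLE_LOG):
    records = parse_log(text)
    return {
        "records": len(records),
        "incomplete": sum(not r["_complete"] for r in records),
        "auth_failure_bursts": auth_failure_bursts(records),
        "anonymous_reads": anonymous_reads(records),
    }


if __name__ == "__main__":
    print(triage())
```

The burst detector uses a sliding window rather than a fixed per-minute bucket so that five failures straddling a minute boundary are still counted together; the single failure from 10.0.1.4 stays below the threshold and is not reported.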
Enabling Browser-Based Clients Using CORS
Cross-Origin Resource Sharing (CORS) is an HTTP mechanism that lets one domain grant browser-side code from another domain permission to access its resources. The user agent sends special request headers describing the origin of the JavaScript code and the request it intends to make, and the other domain replies with headers that either grant or deny that origin access. Azure storage services support CORS rules: once you set the rules for a service, a properly authenticated request made against the service from a different domain is evaluated against those rules to decide whether it is allowed. Note that CORS only governs what a browser permits a page to read; it is not an access control, and every request must still be authorized (for example with a SAS).
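The following added example (an illustration for this page, not Azure's implementation) shows how a CORS rule list is evaluated for a preflight request: rules are checked in order, and the first one whose allowed origins, methods and headers all cover the request is used. The rule set is constructed for the example, and the response headers the service emits are simplified. It also shows why a wildcard-origin rule deserves scrutiny: it lets any site's script read whatever the request is otherwise authorized to read.

```python
from dataclasses import dataclass, field


@dataclass
class CorsRule:
    """One entry of a storage service's CORS rule list (same fields as the service's CorsRule)."""
    allowed_origins: list                                  # ["*"] or explicit origins
    allowed_methods: list                                  # e.g. ["GET", "HEAD", "PUT"]
    allowed_headers: list = field(default_factory=list)    # exact names, "prefix-*" or "*"
    exposed_headers: list = field(default_factory=list)
    max_age_in_seconds: int = 0


def _origin_ok(rule: CorsRule, origin: str) -> bool:
    return "*" in rule.allowed_origins or origin in rule.allowed_origins


def _header_ok(rule: CorsRule, header: str) -> bool:
    h = header.lower()
    for allowed in rule.allowed_headers:
        a = allowed.lower()
        if a == "*" or a == h or (a.endswith("*") and h.startswith(a[:-1])):
            return True
    return False


def preflight(rules, origin, method, request_headers=()):
    """Evaluate an OPTIONS preflight the way the service does: rules are checked in list order
    and the first rule satisfying origin, method AND every requested header wins.
    Returns the CORS response headers, or None when the preflight is rejected (HTTP 403)."""
    for rule in rules:
        if (_origin_ok(rule, origin) and method.upper() in rule.allowed_methods
                and all(_header_ok(rule, h) for h in request_headers)):
            resp = {
                "Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Methods": method.upper(),
                "Access-Control-Max-Age": str(rule.max_age_in_seconds),
            }
            if request_headers:
                resp["Access-Control-Allow-Headers"] = ", ".join(request_headers)
            if rule.exposed_headers:
                resp["Access-Control-Expose-Headers"] = ", ".join(rule.exposed_headers)
            return resp
    return None


# Constructed example policy (an assumption for this example, not from any real account).
RULES = [
    CorsRule(["https://app.contoso.com"], ["GET", "HEAD", "PUT"],
             allowed_headers=["x-ms-blob-type", "x-ms-meta-*", "content-type"],
             exposed_headers=["x-ms-request-id"], max_age_in_seconds=300),
    # A read-only wildcard rule: scripts on ANY site may read what the request can reach.
    CorsRule(["*"], ["GET", "HEAD"], allowed_headers=["*"], max_age_in_seconds=60),
]


def demo():
    """Four preflights against RULES; True means the outcome matches the policy intent."""
    app, other = "https://app.contoso.com", "https://evil.example.com"
    return {
        # Rule 1 covers PUT with x-ms-* headers from the app origin.
        "app_put_meta_allowed": preflight(RULES, app, "PUT", ["x-ms-blob-type", "x-ms-meta-owner"]) is not None,
        # Rule 1 does not list 'authorization' and rule 2 does not allow PUT, so this is rejected.
        "app_put_auth_header_rejected": preflight(RULES, app, "PUT", ["authorization"]) is None,
        # The wildcard rule lets an unrelated origin preflight a GET successfully.
        "other_get_allowed": preflight(RULES, other, "GET") is not None,
        "other_put_rejected": preflight(RULES, other, "PUT") is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30} {ok}")
```

Whether the GET from the unrelated origin actually returns data still depends on authorization: the browser will let the page read the response only if the preflight passed, and the service will serve it only if the request carries a valid SAS or the container is public.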
Networking
This section provides additional information about key Azure network security features and summarizes these capabilities.
Network Layer Controls
Network access control restricts connectivity to and from specific devices or subnets and is at the core of network security. Its purpose is to ensure that your virtual machines and services are reachable only by the users and devices you have authorized.
Network Security Groups
A Network Security Group (NSG) is a basic stateful packet-filtering firewall that controls access using the 5-tuple (source address, source port, destination address, destination port and protocol). NSGs do not provide application-layer inspection or authenticated access control. They can control traffic between subnets within an Azure Virtual Network and between an Azure Virtual Network and the Internet. Rules are evaluated in priority order (lowest number first) and the first match wins, so the relative order of allow and deny rules matters.
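The following added example (an illustration for this page, not Azure's implementation) models NSG rule evaluation over a 5-tuple, including the three default inbound rules that every NSG carries, and demonstrates the ordering mistake practitioners most often make: a broad allow with a lower priority number than a narrower deny. The VNet address space, the rules and the sample flows are constructed; the `Internet` tag is approximated as "any address outside the VNet", which is a simplification of the real service tag.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology: a single VNet whose address space defines the VirtualNetwork tag.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_network("168.63.129.16/32")  # Azure health-probe source address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # custom rules use 100-4096; lower numbers are evaluated first
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    protocol: str = "*"     # "Tcp", "Udp", "Icmp" or "*"
    source: str = "*"       # CIDR/IP, or a tag: "*", "VirtualNetwork", "Internet", "AzureLoadBalancer"
    source_port: str = "*"
    dest: str = "*"
    dest_port: str = "*"    # "443", "3000-4000", "22,3389" or "*"


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(ip in net for net in VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return ip in AZURE_LB_PROBE
    if spec == "Internet":
        # Simplification: anything outside the VNet address space counts as Internet.
        return not any(ip in net for net in VNET_PREFIXES)
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules, direction, protocol, src, sport, dst, dport):
    """Walk rules in ascending priority; the first rule matching the 5-tuple decides.
    NSGs are stateful, so only the initiating packet is evaluated and replies are allowed
    automatically. Returns (access, rule_name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == direction
                and (rule.protocol == "*" or rule.protocol.lower() == protocol.lower())
                and _addr_matches(rule.source, src) and _port_matches(rule.source_port, sport)
                and _addr_matches(rule.dest, dst) and _port_matches(rule.dest_port, dport)):
            return rule.access, rule.name
    return "Deny", "<no rule matched>"   # not reached once the default rules are present


# Azure adds these to every NSG; they cannot be deleted, only overridden by lower numbers.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
]

# Constructed web-tier NSG. The partner rule (105) sits in front of the RDP deny (110), so RDP
# from the partner range is allowed even though the author meant to block RDP from outside.
WEB_NSG = DEFAULT_INBOUND + [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", protocol="Tcp", source="Internet", dest_port="443"),
    Rule("AllowAnyFromPartner", 105, "Inbound", "Allow", source="203.0.113.0/24"),
    Rule("DenyRdpFromInternet", 110, "Inbound", "Deny", protocol="Tcp", source="Internet", dest_port="3389"),
]

# The fix: give the deny a lower number than every broader allow.
FIXED_NSG = [replace(r, priority=101) if r.name == "DenyRdpFromInternet" else r for r in WEB_NSG]


def demo():
    web = "10.0.1.4"   # a VM in the web subnet
    return {
        "internet_https": evaluate(WEB_NSG, "Inbound", "Tcp", "198.51.100.7", 51000, web, 443),
        "internet_rdp": evaluate(WEB_NSG, "Inbound", "Tcp", "198.51.100.7", 51001, web, 3389),
        "partner_rdp": evaluate(WEB_NSG, "Inbound", "Tcp", "203.0.113.10", 51002, web, 3389),
        "partner_rdp_after_fix": evaluate(FIXED_NSG, "Inbound", "Tcp", "203.0.113.10", 51002, web, 3389),
        "internet_ssh": evaluate(WEB_NSG, "Inbound", "Tcp", "198.51.100.7", 51003, web, 22),
        "vnet_ssh": evaluate(WEB_NSG, "Inbound", "Tcp", "10.0.2.5", 51004, web, 22),
        "lb_probe": evaluate(WEB_NSG, "Inbound", "Tcp", "168.63.129.16", 51005, web, 8080),
    }


if __name__ == "__main__":
    for flow, (access, rule) in demo().items():
        print(f"{flow:22} {access:5} by {rule}")
```

Two things worth noticing in the output: SSH from the Internet is stopped only by the default DenyAllInBound at priority 65500, and SSH from another subnet of the same VNet is allowed by AllowVnetInBound, so a VNet-wide allow is the baseline you are segmenting from, not a deny.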
Azure Firewall
Azure Firewall is a cloud-native and intelligent network firewall security service that provides threat protection for your cloud workloads running in Azure. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.
Azure Firewall is offered in Standard and Premium SKUs (plus a Basic SKU for small deployments). Azure Firewall Standard provides L3-L7 filtering and threat-intelligence feeds sourced directly from Microsoft Cyber Security. Azure Firewall Premium adds advanced capabilities, including signature-based intrusion detection and prevention (IDPS), which enables rapid detection of attacks by looking for specific patterns, and TLS inspection.
Route Control and Forced Tunneling
Controlling routing behaviour in Azure Virtual Networks is an important network security and access control capability. If, for example, you want to ensure that all traffic to and from your Azure Virtual Network passes through a virtual security appliance, you can do so by modifying the routing behaviour with User-Defined Routes.
User-Defined Routes let you customize the inbound and outbound paths for traffic moving into and out of individual virtual machines or subnets, so that it takes the most secure route possible. Forced tunneling is a further mechanism you can use to prevent your services from initiating connections to devices on the Internet.
Front-end web servers must respond to requests from Internet hosts, so Internet-sourced inbound traffic to them is allowed; forced tunneling instead addresses outbound traffic and is commonly used to force outbound Internet traffic through on-premises security proxies and firewalls. Apply it to mid-tier and back-end subnets rather than to subnets that must accept inbound connections from the Internet, since a default route through the tunnel also carries the return traffic for those connections.
Virtual Network Security Appliances
Network Security Groups, User-Defined Routes and forced tunneling provide network- and transport-layer (OSI layers 3 and 4) security features. You may wish to supplement them with Azure partner network security appliances that offer additional protection, such as next-generation firewalls. You can find them in the Azure Marketplace by searching for "security" and "network security".
Azure Virtual Network
An Azure virtual network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure network fabric dedicated to your subscription, and it gives you complete control over IP address blocks, DNS settings, security policies, route tables and subnets within that network. Subnets let you segment the VNet and host IaaS virtual machines (VMs) or cloud services (PaaS role instances) in them.
You can also connect a virtual network to your on-premises network using one of Azure's connectivity options, effectively extending your network into Azure while retaining control over IP address blocks and gaining access to enterprise-scale capabilities.
VPN Gateway
To carry network traffic between your Azure Virtual Network and your on-premises location, you must deploy a VPN gateway for the virtual network. A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. You can also use VPN gateways to send traffic between Azure Virtual Networks over the Azure network fabric.
ExpressRoute
Microsoft Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider.
With ExpressRoute you can connect to Microsoft cloud services such as Microsoft Azure, Microsoft 365 and Dynamics 365 (formerly CRM Online). Connectivity can be an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not traverse the public Internet and can therefore be considered more secure than VPN-based solutions; they also offer more reliability, faster speeds and lower latency than typical Internet connections. Note, however, that private does not mean encrypted: an ExpressRoute circuit does not encrypt traffic by default, so use MACsec (available with ExpressRoute Direct) or an IPsec VPN over the circuit where encryption in transit is required.
Web Application Firewall
The Web Application Firewall feature of Azure Application Gateway, Azure's layer-7 application delivery controller (ADC), gives web applications an additional layer of protection against unwanted traffic and attacks by blocking most of the OWASP Top 10 common web vulnerabilities. Centralized protection simplifies security management and provides better assurance against intrusion: when a new vulnerability is published, operators can respond by adjusting WAF rules in one place rather than patching each web application individually. Existing application gateways can easily be converted to application gateways with WAF.
Traffic Manager
Microsoft Azure Traffic Manager lets you control the distribution of user traffic to service endpoints in different data centers. Supported endpoints include Azure virtual machines, web apps and cloud services, as well as external, non-Azure endpoints. Traffic Manager uses DNS to direct client requests to the most appropriate endpoint based on a traffic-routing method and on the health of each endpoint.
It offers a range of traffic-routing methods to suit different application needs, endpoint health monitoring and automatic failover, and it is resilient to the failure of an entire Azure region. Because it works purely at the DNS level, it never sees the application traffic itself; clients connect directly to the endpoint whose address is returned.
Internal DNS
Customers can manage the list of DNS servers used in a VNet through the portal or the network configuration file, and can add up to 12 DNS servers per VNet. When specifying DNS servers, make sure they are listed in the correct order for your environment: DNS server lists do not work round-robin, they are used in the order specified. If the first DNS server on the list can be reached, the client uses it regardless of whether it is functioning properly. To change the DNS server order for a virtual network, remove the servers from the list and add them back in the desired order. DNS supports the availability aspect of the CIA security triad.
Azure DNS
The Domain Name System (DNS) translates the names of websites and services into IP addresses. Azure DNS provides name resolution using Microsoft Azure infrastructure, so you can manage DNS records with the same credentials, APIs, tools and billing as your other Azure services. Like internal DNS, it supports the availability leg of the CIA security triad.
Microsoft Defender for Cloud
Microsoft Defender for Cloud continuously analyzes the security status of your Azure resources to assess network security best practices and detect potential security vulnerabilities. When identified, Defender for Cloud provides recommendations to assist with configuring controls to harden and protect them further.
Compute
This section provides additional information about key compute security features and summarizes these capabilities.
Azure Confidential Computing
Azure confidential computing closes an important gap in data protection: it lets you keep your data encrypted at all times, at rest, in transit over the network, and while loaded in memory and in use. With remote attestation, you can cryptographically verify that a VM has booted securely and is configured correctly before releasing keys or data to it.
Options span from "lift and shift" scenarios of existing applications to complete control over security features. Infrastructure as a Service (IaaS) offers confidential virtual machines powered by AMD SEV-SNP or Intel Software Guard Extensions (SGX). Platform as a Service provides multiple container-based options integrated with Azure Kubernetes Service (AKS).
Anti Malware & Antivirus
Azure IaaS gives you access to antimalware software from Microsoft, Symantec, Trend Micro, McAfee and Kaspersky to protect virtual machines from malicious files, adware and other threats. Microsoft Antimalware for Azure Cloud Services and Virtual Machines helps detect and remove viruses, spyware and other malicious software, including rootkits, and alerts administrators when such software attempts to install itself or run on an Azure system. It can be deployed through Microsoft Defender for Cloud.
Hardware Security Module
Encryption and authentication do not improve security unless the keys themselves are protected. Azure Key Vault simplifies the management and protection of critical secrets and keys by storing them in HSMs validated to FIPS 140-2 Level 2, with Azure Managed HSM offering FIPS 140-2 Level 3. Keys such as your SQL Server backup-encryption or transparent data encryption keys, and keys from your own applications, can all be stored here, and permissions on these protected items are managed through Azure Active Directory (now Microsoft Entra ID).
Virtual Machine Backup
Azure Backup protects your application data with zero capital investment and minimal operating costs. Application errors can corrupt data, and human errors can introduce bugs into your applications that lead to security issues. With Azure Backup, your Windows and Linux virtual machines are protected by backups stored in a Recovery Services vault, independently of the VM, so a compromised or corrupted VM can be restored to a known-good point in time.
Azure Site Recovery
An essential part of your organization's business continuity/disaster recovery (BCDR) strategy is figuring out how to keep corporate workloads and apps up and running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are available from a secondary location if your primary location goes down.
Virtual Networking
Virtual machines need network connectivity, so Azure requires every virtual machine to be connected to an Azure Virtual Network. An Azure Virtual Network is a logical construct built on the physical Azure network fabric. Each Azure Virtual Network is isolated from all other Azure Virtual Networks unless you explicitly peer or connect them, which helps ensure that network traffic in your deployments is not accessible to other Microsoft Azure customers.
Patch Updates
Patch updates provide the basis for finding and fixing potential problems. Azure's update management tooling simplifies the process both by reducing the number of software updates you must deploy across the enterprise and by increasing your ability to monitor compliance.
Security Policy Management And Reporting
Defender for Cloud helps you prevent, detect, and respond to threats and provides you increased visibility into and control over the security of your Azure resources. It provides integrated Security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.
Secure Apps And Data
Azure Active Directory (now Microsoft Entra ID), a comprehensive identity and access management cloud solution, helps secure access to data in applications on-premises and in the cloud and simplifies the management of users and groups. It combines core directory services, advanced identity governance, security and application access management, and makes it easy for developers to build policy-based identity management into their apps. Paid capabilities are available through the Premium P1 and Premium P2 editions (the earlier Basic edition has been retired).
Summary
This article is intended to help you understand and implement Microsoft Defender for Cloud (which consolidated the former Azure Security Center and Azure Defender) on your subscriptions. To get the most out of it, you need to understand how the service operates.
Review Defender for Cloud's pricing and plans to enable the protections appropriate for your selected Azure resources, and for resources in other clouds, and gain hands-on experience in safeguarding your cloud infrastructure against malicious attacks and threats.