Azure Cloud & Container Security Best Practices
With a total market share that hovers north of 20 percent, the Microsoft Azure cloud has grown into a top contender in the public cloud computing market in recent years. At the same time, Azure cloud security has become a top contender for more and more businesses.
Although Azure security boils down to the same practices and principles as security on any major public cloud platform in most ways, there are some important distinctions and nuances to know about when devising an Azure security strategy. Keep reading for an overview of these details as we unpack the fundamentals of Azure cloud security, followed by a discussion of Azure security best practices.
Azure’s Shared Responsibility Model
Like all public clouds, Azure uses a shared responsibility model to define which security tasks fall to customers and which ones Azure handles. Understanding shared responsibility concepts in Azure is the first step in building an Azure cloud security strategy that allows you to manage the security responsibilities Azure doesn’t oversee within your cloud environments.
Azure spells out the details of its shared responsibility model here, but they can be summarized as follows:
- Azure assumes most security responsibilities for SaaS offerings, with the exception of customer-created data or applications customers deploy on a SaaS service.
- Customers share responsibility with Azure for securing workloads deployed on Azure PaaS services. In this context, Azure secures the underlying physical infrastructure, but most responsibilities related to networking and Identity and Access Management (IAM) fall to customers.
- On Azure IaaS services, customers handle most security tasks. The exception is the underlying physical infrastructure, which Azure secures.
- If customers integrate on-premises infrastructure, applications, or data with Azure via one of Azure’s hybrid cloud frameworks (such as Azure Stack or Azure Arc), customers bear full responsibility for securing on-premises resources.
If you’re familiar with cloud shared responsibility models in general, all the above should be unsurprising. Azure’s shared responsibility architecture is very consistent with the models embraced by other major public cloud providers.
Azure Cloud Security Best Practices
Once you’ve identified the security responsibilities that fall to you based on which types of Azure cloud services you consume, you can plan an Azure security strategy that allows you to meet your security obligations.
Standard Cloud Security Best Practices
Many of the best practices you’ll want to follow in this respect are standard fare for securing any major public cloud environment. They include:
- Use IAM: Identity and Access Management, or IAM, is a fundamental tool for securing workloads in any public cloud. If you use Azure, be sure to make full use of its IAM framework to manage access to your cloud resources based on the principle of least privilege. As we discuss below, Azure IAM works a little differently from other cloud IAMs because it is based on Active Directory, but you can nonetheless achieve the same granular access control configurations on Azure that you could enforce on any major public cloud. For example, this Azure IAM role example creates a role that can monitor and restart virtual machines:
{
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/providers/Microsoft.Management/managementGroups/{groupId1}"
]
}
Code language: JSON / JSON with Comments (json)
- Isolate cloud networks: Where possible, use Azure virtual networks and private clouds to isolate your cloud environments at the network level. These services aren’t available for every type of Azure workload, but most IaaS- and PaaS- based workloads (and some SaaS-based workloads as well) can be isolated in private networks or virtual private clouds.
- Use cloud tags: Like most other clouds, Azure lets you label and organize resources using tags. Although cloud resources that lack tags are not necessarily insecure, tags are beneficial from a security perspective because they make it easier to keep track of which cloud resources you have running and where. In turn, they help ensure that you don’t overlook some workloads when configuring access controls, auditing your cloud environment, and so on.
- Secure Azure data: In addition to using Azure IAM to manage access to data that you store in Azure Blob Storage or other storage services within Azure, you should encrypt your cloud data as well as the transport layers that you use to access data. Azure also offers a storage account “lock” feature, which is useful for preventing unauthorized tampering with cloud data.
Special Security Considerations for Azure
Beyond generic cloud security best practices, there are some considerations specific to Azure that you should factor into your Azure cloud security strategy:
- Understand Azure IAM: As we mentioned above, Azure’s IAM system is unique among the major public clouds because it is based on Microsoft Active Directory. You can configure and enforce very effective access policies using Azure IAM, but the policies are written and managed differently than those of clouds like AWS. If you haven’t worked with Active Directory previously, you’ll want to spend some time educating yourself about Azure Active Directory and its role in Azure cloud IAM.
- Use hybrid cloud services wisely: Azure has invested significantly in its hybrid cloud offerings in recent years with the introduction of Azure Stack and Azure Arc, both of which allow customers to manage on-premises or colocated infrastructure through Azure. As noted above, Azure expects customers to manage most security risks on private infrastructure, so it’s important not to assume that just because Azure is managing your private infrastructure, it’s also securing it.
- Azure security tools: Azure provides some cloud-specific security tools to help users secure and audit workloads. The two most important are Azure Security Center and Azure Defender (which is technically part of Azure Security Center, but operates as a distinct service). These services are useful for configuring and managing alerts related to security events and risks on both Azure itself and hybrid cloud environments that include Azure. Although you’ll typically want to use external security tools as well to manage risks that Azure’s native services can’t handle, you should familiarize yourself with the basic security services that Azure provides natively.
Azure Container Security Best Practices
Because container services have become one of the most important product offerings within Azure, it’s worth saying a few words about how to manage container security on Azure.
This is a complex topic because Azure provides several container services. The most notable include:
- Azure Kubernetes Services (AKS), a managed Kubernetes service.
- Azure Container Instances, a managed container service that doesn’t require users to work with Kubernetes or another orchestration service.
- Azure Red Hat OpenShift, a managed OpenShift service. (OpenShift is based on Kubernetes, but is not identical to it.)
- Azure Web App for Containers, which lets users deploy containers quickly without having to manage orchestration or infrastructure themselves.
Securing containers on Azure depends in large part on which of these services you choose to use. But in general, best practices for Azure container security include:
- Scan container images, because Azure won’t automatically detect vulnerabilities or malware within your images for you.
- Manage access to container registries, whether you use Azure’s native container registry service or a third-party registry.
- If your container environment includes Kubernetes, use Kubernetes audit logs, RBAC, and security contexts to help secure the environment. This is important even if you use a managed Kubernetes service like AKS. On AKS, Azure mostly secures only the cluster infrastructure; responsibility for securing Kubernetes itself and containers deployed in it, falls to the customer.
- Audit your container and Kubernetes configuration data, deployments, and other files to catch misconfigurations that could cause a weak security posture.
Building Strong Azure Cloud Security Posture
As one of the world’s largest cloud computing platforms, Azure offers dozens of cloud services that can be deployed as part of single-cloud, multi-cloud, or hybrid cloud models. All of this complexity means that there is no simple formula for securing Azure cloud environments.
However, by identifying the security risks that you need to manage based on the Azure services you consume, then deploying tools that can harden those services against attack and detect breaches when they do occur, you’ll set yourself up for the strongest possible Azure cloud security posture.