The rise of cloud platforms like Microsoft Azure has brought many benefits to the computer and software industry. With on-demand services, easy scalability, hybrid storage options and a huge range of tools, the cloud has opened up the landscape for machine learning, distributed cache and many other cutting-edge innovations. But the flip side of this flexibility and ease of use is a whole set of security concerns that are specific to cloud platforms.
Luckily Microsoft’s Azure offers a range of specific solutions to address these security requirements. Azure security includes tools for encryption, access control, data integrity and more while allowing full accountability. In this article, we’ll consider a number of these essential security tools as well as some best practices to help you turn principles into action.
Introduction: key concepts of cloud security
There are certain concepts in digital network security that are nearly as old as networks themselves. Public key cryptography, for example, has existed since the 1970s and is a widely-used technology to prevent unwanted interception of sensitive information as it passes across networks. Access controls – the core principles of authentication and authorization are another well-established technique vital to ensuring that only the right people have access to digital resources and services. However, because of the fundamental architectural differences and the nature of the supported vendor-customer relationships, cloud infrastructures demand some additional processes and responsibilities to maintain security standards. These are of particular concern for engineers and businesses looking to migrate more of their services to the cloud.
Broadly speaking, cloud security involves a set of technologies and techniques that keep cloud infrastructures safe from threats or data breaches and compliant with all relevant standards. Core to this is the model of shared responsibility, which makes security concerns the business of both vendors and customers. Typically in this relationship, cloud service providers look after the hardware and network infrastructural aspects of the security ecosystem, while customers are expected to maintain and follow proper usage protocols. In practice, the exact division of responsibility depends on the nature of the specific services and platforms. However, the shared responsibility model also promotes vigilance by enhancing awareness of security needs from top to bottom.
Cloud security with Azure
Azure is one of the big three cloud service platforms. Though it is provided by Microsoft, it is not restricted to Windows systems and also supports a wide range of databases, frameworks and languages. Like its competitors, Google Cloud and Amazon Web Services (AWS), it features a comprehensive collection of resources for maintaining cybersecurity standards. The core Azure security tools are:
- Microsoft Defender for Cloud. Users familiar with Windows will be familiar with Defender as a malware protection and threat notification system. Defender for Cloud extends this to your cloud-native applications. Its development security operations (DevSecOps) capabilities enable you to embed security practices throughout your software development process. It also provides cloud security posture management (CPSM) to secure your environment with proper configuration, breach risk analysis, permissions management and more. Defender for Cloud incorporates protections specifically designed for servers, containers, databases and other workload components.
- Microsoft Identity Plaftorm. This full-feature identity platform is composed by an identity provider, a set of tools to manage identity and access control, documentation and SDK to use it in different languages. It is fully compatible with OAuth 2.0 and OpenID, as well as being compliant with open standards. It also features an application management portal, configuration API and Powershell to help manage your DevOps processes.
- Azure Sentinel. Sentinel is a scalable cloud-native solution for managing threat intelligence and analytics. Its core aspects are security information and event management (SIEM), as well as security orchestration, automation and response (SOAR). It is able to collect data across complex cloud infrastructures, enabling coherent analytics powered by AI, plus rapid threat responses.
- Azure Key Vault. Key Vault is Microsoft’s cloud-based secret-management service. It allows you to store and access application secrets in general, keys, and certificates securely. It provides granular controls on access rights, with a division between key vault owners and vault consumers, whose permissions can be configured as required. It features several different authentication methods as well as transport layer security (TLS) to protect data in transit between vaults and clients.
- Azure Firewall. Like any firewall, Azure’s cloud-native version provides tight controls on incoming and outgoing network traffic. However, Azure Firewall is also stateful, intelligent and scalable to meet the versatility of cloud infrastructures. It monitors for threats with feeds from Microsoft Cyber Security and can dynamically block communications with identified malicious IPs and domains.
Best Practices for Developing Safe Cloud Applications with Azure
While it is essential to have infrastructural cybersecurity features, it is also vital to pursue best practices at a consumer level in order to maintain standards. The following are some of the most important.
- Implementing Role-Based Access Control (RBAC). With authenticated users, access to different resources can be granted at a more or less granular level. A useful way of managing such authorizations is RBAC. This method is used for managing identity, and it is also possible to use RBAC to provide credentials to applications or Service Principal in general.
- Using secure coding practices to prevent common vulnerabilities. Good security begins at ground level with your code. Many basic but sadly still too common vulnerabilities can be lessened by strong coding practices. For example, you can easily avoid SQL injection attacks by using object-relational mappers (ORM) and prepared statements rather than leaving SQL directly in your application code. Similarly, cross-site scripting (XSS) can be mitigated by escaping output data, validating input and using template engines. Most contemporary web frameworks already have these protections built in.
- Enabling Multi-Factor Authentication (MFA). MFA simply means using two or more authentication measures to prove user identities. A very familiar example of this is the use of mobile phone confirmations for online banking systems. MFA can be easily enabled with Azure AD Security Defaults.
- Manage and secure application secrets with Key Vault. Azure’s Key Vault allows you to store, manage and access all your secrets and credentials securely. You can control roles at different levels, including Azure developer, SaaS developer and CSO.
- Continuously monitor and manage security configurations. Security is not a one-off responsibility. Continuous shifts in the threat landscape, application updates and user configuration changes all mean that the cybersecurity situation is far from static. It’s worth using tools like Azure Sentinel’s AI analytics to help you monitor for live threats and security incidents. You can also subscribe to receive Azure incident notifications from Microsoft.
- Setting up Azure Network Security Groups (NSGs) and Azure Firewall. Azure NSGs and Firewalls allow you to filter and control network traffic within your Azure virtual network. Filters can be based on IP addresses, protocols and ports, allowing you to apply different security levels to more or less sensitive nodes in your service infrastructure.
- Service Principal and Managed identity. These Azure Active Directory identities provide configuration options for service architectures. The difference between Service Principal and managed identity is that, while the first are used for applications that run outside Azure, Managed identity is instead used for resources inside Azure.
Why should I care about compliance in cloud development?
In any sensible conception of the digital world, security and compliance should go hand-in-hand. Compliance is especially valuable with cloud environments as it helps to consolidate a number of different practices and codes. Standards like the GDPR in the EU and the Payment Card Industry Data Security Standard (PCI DSS) are invaluable for maintaining customer data to the correct level of confidentiality and safety. There are also several cloud-specific standards produced by, among others, the Cloud Standards Customer Council (CSCC), European Telecommunications Standards Institute (ETSI), Open Grid Forum (OGF) and Open Commons Consortium (OCC).
Adherence to standards is beneficial for a number of reasons, not least of them legal. Compliance could save you significant sanctions where security standards are legally enforceable in your jurisdiction. But compliance also helps to maintain those security standards themselves, often offering clear guidelines about the levels your business is expected to adhere to. With such compliance comes greater consumer trust and confidence.
Conclusion
As we’ve seen, good cybersecurity practices are of the foremost importance in cloud computing. They help to protect user data, maintain the integrity of your applications and prevent downtime from intrusions and service attacks. Azure Security provides multiple means to maintain high standards, including firewalls, intrusion monitoring systems and AI-based threat analytics. And these tools help you to adhere to those all-important compliance regimes.
Of course, with the range and depth of security tools and the need to be constantly vigilant, security concerns can seem a little daunting. However, by building in security from the start at every level of your application and service framework, by having a well-maintained, compliance plan and by following best practices for Azure Security, good cybersecurity can set up your operations with fewer troubles in the long run.