Definitive Guide To Azure Security - McAfee


Table of Contents

Introduction
Azure Adoption Trends
Azure Security Challenges
  Threats to Data and Applications on Azure
  Shared Responsibility Model
Azure Security Best Practices
  Security Policy
  Identity and Access Management
  Storage Accounts
  SQL Services
  Networking
  Virtual Machines
  Miscellaneous
Security Best Practices of Custom Applications
How a Cloud Access Security Broker Helps Secure Workloads Running on Azure
How a Cloud Access Security Broker Helps Secure Applications Deployed on Azure

Introduction

While popular out-of-the-box SaaS products like Salesforce, Box, Dropbox, and Office 365 are becoming common in the workplace, many enterprises have business needs that require custom-made applications.

At one time, enterprises relied on custom, in-house developed applications hosted in their own data centers. Having recognized the advantages of cloud computing, over the last 10 years these applications have slowly migrated to the public, private, or hybrid cloud. According to a Cloud Security Alliance report in 2017 [1], 60.9% of all custom applications were being hosted in private datacenters as recently as 2016. However, cloud usage has reached a tipping point, and deployment of test and production application workloads in the public cloud is accelerating at the expense of enterprise data centers.

Not only are enterprises increasingly developing new custom applications on infrastructure-as-a-service (IaaS) platforms like Microsoft Azure, but enterprises are also migrating their existing custom applications and workloads to the public cloud. Collectively, these two trends have driven the percentage of custom applications running in the datacenter to an all-time low of 46.2% in 2017.

[Figure: Application Workloads: Percentage deployed by infrastructure type (datacenter, private cloud, public cloud, hybrid public/private cloud), 2016 vs. 2017]

[1] Custom Applications and IaaS Trends 2017, CSA Report

[Figure: Number of Custom Applications: By company size]

“In terms of vendor share, Gartner expects 70 percent of public cloud services revenue to be dominated by the top 10 public cloud providers through

While the number of custom applications at an enterprise varies, the average enterprise has 465 custom applications deployed. Larger enterprises tend to have more applications—organizations with more than 50,000 employees have an average of 788 custom applications. Enterprises increasingly rely on these applications to handle business-critical functions. Most organizations today have at least one custom application that, if it experienced several hours of downtime, could have a significant impact on its business. Given the operational and financial disruption this could cause, these applications and the infrastructure they run on are increasingly lucrative as targets of cyber-attacks.

The worst-case scenario can be far worse than downtime

The Guardian released an article in 2016 about a data breach. One of the world’s “big four” accountancy firms, Deloitte, was hacked. Deloitte provides auditing, tax, accounting, and high-end cybersecurity support to some of the world’s largest banks, multinational firms, government agencies, pharmaceutical and media companies.

Attackers gained access to the Azure cloud service that Deloitte uses to store the emails its staff send and receive. The attackers gained access to an administrator account of the email service, which gave them control of sensitive data. They exposed emails to and from Deloitte’s 244,000 staff. They may have also retrieved usernames, passwords, IP addresses, architectural diagrams for businesses and health information, but that hasn’t yet been confirmed.

“Platforms from leading CASB vendors were born in the cloud, designed for the cloud, and have a deeper understanding of users, devices, applications, transactions and sensitive data than CASB functions that are designed as extensions of traditional network security and SWG security technologies.”
—Gartner, Magic Quadrant for Cloud Access Security Brokers

Deloitte wasn’t making security their number one priority. They could have protected their information and avoided this situation if they had used two-factor authentication instead of a single password.

The threat landscape is evolving rapidly, but with the right preparation, any company can implement security practices that significantly reduce the potential impact of a cyber-attack. In this eBook, we will discuss the current state of Azure adoption, Microsoft’s model for Azure security, security challenges and threats to applications and data in Azure, and Azure infrastructure security best practices. Lastly, we will explore how a cloud access security broker (CASB) can help enterprises secure their Azure environments and the custom applications deployed in them.

Azure Adoption Trends

The IaaS market consists of three dominant players: Microsoft, Amazon, and Google. Azure has the highest growth rate, almost doubling what AWS achieved. In their recent Q1 FY 2018 earnings report, Microsoft reported [2] that revenue generated from Azure grew at 90% compared to Q1 FY 2017, which follows a similar growth (97%) they reported in their Q4 FY 2017 earnings report.

With the increase in Azure adoption, it isn’t surprising to see that enterprises are gradually divesting from their data centers and moving application workloads to the public cloud. According to the CSA survey report, in 2016, 60.9% of application workloads were still in enterprise datacenters. By the end of 2017, however, fewer than half (46.2%) remained there. This is, in part, due to new applications primarily being deployed in the cloud.

“Cloud access security brokers have become an essential element of any cloud security strategy, helping organizations govern the use of cloud and protect sensitive data in the cloud.”
—Gartner, Magic Quadrant for Cloud Access Security Brokers

[2] Tech CNBC

Key public cloud adoption trends [3]

- Overall Azure adoption grew from 34% to 45% between 2017 and 2018
- Among enterprises, Azure increased adoption significantly, from 43% to 58%
- Public cloud adoption increased to 92% in 2018 from 89% in 2017
- More enterprises see public cloud as their top priority, up from 29% in 2017 to 38% in 2018
- 26% of enterprises spend more than 6 million a year on public cloud, while 52% spend more than 1.2 million annually
- 20% of enterprises plan to more than double their public cloud spend in 2018, and 71% will grow their public cloud spend by more than 20%

[Figure: 96% of Respondents Are Using Cloud (public cloud only 21%, hybrid 71%, private cloud only 4%; public 92%, private 75%). Source: RightScale 2018 State of the Cloud Report]

[3] RightScale 2018 State of the Cloud Report

Azure Security Challenges

Threats to data and applications on Azure

Enterprises can’t afford to have their Azure environment, or the custom applications running on Azure, compromised. Enterprises store sensitive data such as credit card numbers and Social Security numbers in custom applications. 72.2% of enterprises have business-critical applications, defined as an application that, if it experienced downtime, would greatly impact the organization’s ability to operate. For example, an airline cannot operate if their flight path application goes down.

[Figure: Business Critical Applications: Percent of enterprises with at least one. Survey question: Does your enterprise run a business-critical custom application that would impact your operations if it went down? Answers: Yes, Unsure, No]

Threats to applications running on Azure and the data stored within them can take many forms:

- Denial-of-Service (DoS) attack on an application: Azure has developed sophisticated DoS protection capabilities delivered in Azure Marketplace. However, it’s possible a large attack could overwhelm Azure’s defenses and take an application running on the platform offline for a period of time until the attack is remediated.
- Insider threats and privileged user threats: The average enterprise experiences 10.9 insider threats and 3.3 privileged user threats each month. These incidents include both malicious and negligent behavior. In most cases, well-intentioned employees will misconfigure an Azure service or otherwise overlook a critical security control that will expose the enterprise to security risks, but threats can come from privileged or malicious users as well.
- Third-party account compromise: According to the Verizon Data Breach Investigations Report [4], 63% of data breaches were due to a compromised account where the hacker exploited a weak, default, or stolen password. Misconfigured security settings or accounts that have excessive identity and access management (IAM) permissions can increase the potential damage.
- Sensitive data uploaded against policy/regulation: Many organizations have industry-specific regional regulations, or internal policies, that prohibit certain types of data from being uploaded to the cloud. In some cases, data can be safely stored in the cloud, but only in certain geographic locations (e.g. datacenter in China but not in the United States).
- Software development lacks security effort: Unfortunately, IT security isn’t always involved in the development or security of custom applications.

[4] 2016 Data Breach Investigations Report, Verizon

[Figure: Awareness of custom applications by job role as a percent of total custom applications (QA, Operations, IT Security, DevOps, Developer)]

IT security professionals are only aware of 38.6% of the custom apps. This means when it comes to custom application development, IT security is often bypassed, making the task of securing these applications more difficult.

According to Gartner, from now through 2020, 95% of security incidents in the cloud will be the fault of the customer, not the cloud provider. As enterprises continue to migrate to or build their custom applications in Azure, the threats they face will no longer be isolated to on-premises applications and endpoint devices. While the move to the cloud transfers some security responsibilities from the enterprise to the cloud provider, as we will see in the next section, preventing many of these threats is in the hands of the customers.

Shared responsibility model

Like most cloud providers, Azure operates under a shared responsibility model. Azure takes responsibility for the security of its infrastructure and has made platform security a priority in order to protect customers’ critical information. Azure detects fraud and abuse and responds to incidents by notifying customers. However, the customer is responsible for ensuring their Azure environment is configured securely, data is not shared with someone it shouldn’t be shared with, identifying when a user misuses Azure, and enforcing compliance and governance policies.

Azure’s Responsibility

Since Microsoft has little control over how Azure is used by its customers, Microsoft has focused on the security of Azure’s infrastructure, which includes computing, storage, and networking. Physical security of Azure infrastructure is the one responsibility that is wholly owned by Microsoft. Microsoft is responsible for the security of the software, hardware, servers, buildings, hypervisor, configuration of managed services, and the physical facilities that host Azure services. [5]

Customer’s Responsibility

Azure customers are responsible for or share the responsibility for securing and managing the operating system, network configuration, applications, identity, clients, and data with Azure. Customers are responsible for ensuring that the data and its classification are done correctly, and that the solution will be compliant with regulatory obligations. The customer is responsible for managing their users and end-point devices.

[Figure: Shared Responsibility Model at a Glance. Columns: On-Prem, IaaS, PaaS, SaaS. Rows: Data classification & accountability; Client & end-point protection; Identity & access management; Application level controls; Network controls; Host infrastructure; Physical security. Legend: Cloud Customer, Cloud Provider]

[5] Microsoft Azure Security Blog

Detailed division of Azure security responsibility

Customer
- Preventing or detecting when an Azure account has been compromised
- Preventing or detecting a privileged or regular Azure user behaving in an insecure manner
- Preventing sensitive data from being uploaded to or shared from applications in an inappropriate manner
- Configuring Azure services in a secure manner
- Restricting access to Azure services or custom applications to only those users who require it
- Updating Guest Operating Systems and applying security patches
- Ensuring Azure and custom applications are being used in a manner compliant with internal and external policies
- Ensuring network security (DoS, MITM, port scanning)

Azure
- Providing physical access control to hardware/software
- Providing environmental security assurance against things like mass power outages, earthquakes, floods, and other natural disasters
- Database patching
- Protecting against Azure zero-day exploits and other vulnerabilities
- Business continuity management (availability, incident response)

Data breach fallout

An incident that results in downtime of even a few hours could have a considerable impact. For example, in August 2016, a six-hour application outage at Delta Airlines delayed flights for hundreds of thousands of passengers and is estimated to have cost the company tens of millions of dollars. With stakes this high, a data breach will likely lead to people getting fired. Both the CEO and CIO of Target were fired after a breach of 2014 that compromised payment card numbers for upwards of 40 million customers. In a 2017 survey of IT security leaders, 29.1% said the top IT leader would be let go following a damaging and costly data breach.

Who is Fired After a Breach (percent of respondents)
- The CIO: 29.1%
- The IT Security Person(s) Responsible for IaaS Security: 50.3%
- The Operations Person(s) Responsible for the IaaS Platform: 31.5%
- The Developer(s) who built the application: 21.8%

Azure Security Best Practices

Below are actionable best practices derived by McAfee Skyhigh Security Cloud customers. The list of best practices described below is meant for SecDevOps, Cloud Security Architects, Security Analysts, and Security Administrators.

Below are best practices for 7 critical areas of security in Azure that customers must follow to ensure their Azure workloads are secure:

1. Security Policy
2. Identity and Access Management
3. Storage Accounts
4. SQL Services
5. Networking
6. Virtual Machines
7. Miscellaneous

Security policy

1. Ensure that ‘data collection’ is set to on.
Enable automatic provisioning of monitoring agent to collect security data. When automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent provides alerts and scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection.

“McAfee’s expansion of its security controls beyond SaaS is a key way IT can empower the business to fully leverage custom applications running in public IaaS, as well as having the confidence in protecting the IaaS platforms themselves.”
—David Smoley, Chief Information Officer, AstraZeneca

2. Ensure that ‘system updates’ is set to on.
Enable system updates recommendations for virtual machines. When this setting is enabled, Azure Security Center retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that’s configured for that virtual machine and recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure virtual machines.

3. Ensure that ‘OS vulnerabilities’ is set to on.
Enable OS vulnerabilities recommendations for virtual machines. When this setting is enabled, it analyzes operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack. The policy also recommends configuration changes to correct these vulnerabilities.

4. Ensure that ‘endpoint protection’ is set to on.
Enable endpoint protection recommendations for virtual machines. When this setting is enabled, Azure Security Center recommends endpoint protection be provisioned for all Windows virtual machines to help identify and remove viruses, spyware, and other malicious software.

5. Ensure that ‘disk encryption’ is set to on.
Enable disk encryption recommendations for virtual machines. When this setting is enabled, Azure Security Center recommends enabling disk encryption in all virtual machines to enhance data protection at rest.

6. Ensure that ‘network security groups’ is set to on.
Enable network security groups recommendations for virtual machines. When this setting is enabled, Azure Security Center recommends that network security groups be configured to control inbound and outbound traffic to virtual machines (VMs) that have public endpoints. Network security groups that are configured for a subnet are inherited by all virtual machine network interfaces unless otherwise specified. In addition to checking that a network security group has been configured, this policy assesses inbound security rules to identify rules that allow incoming traffic.

7. Ensure that ‘web application firewall’ is set to on.
Enable web application firewall recommendations for virtual machines. When this setting is enabled, Azure Security Center recommends that a web application firewall be provisioned on virtual machines when either of the following is true:
- Instance-level public IP (ILPIP) is used and the inbound security rules for the associated network security group are configured to allow access to port 80/443.
- Load-balanced IP is used and the associated load balancing and inbound network address translation (NAT) rules are configured to allow access to port 80/443.

8. Ensure that ‘next generation firewall’ is set to on.
Enable next generation firewall recommendations for virtual machines. When this setting is enabled, it extends network protections beyond network security groups, which are built into Azure. Security Center will discover deployments for which a next generation firewall is recommended and enable you to provision a virtual appliance.

9. Ensure that ‘vulnerability assessment’ is set to on.
Enable vulnerability assessment recommendations for virtual machines. When this setting is enabled, Azure Security Center recommends that you install a vulnerability assessment solution on your VM.

12. Ensure that ‘SQL auditing & threat detection’ is set to on.
Enable SQL auditing & threat detection recommendations. When this setting is enabled, Azure Security Center recommends that auditing of access to Azure Database be enabled for compliance, advanced threat detection, and post-incident forensic investigations.

13. Ensure that ‘SQL encryption’ is set to on.
Enable SQL encryption recommendations. When this setting is enabled, Azure Security Center recommends that encryption at rest be enabled for your Azure SQL Database, associated backups, and transaction log files. Even if your data is breached, it will not be readable.
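
The two conditions listed under item 7 (and the inbound-rule assessment in item 6) can be evaluated against your own inventory. The Python below is an added example, not code from this ebook or from Azure Security Center: it assumes inbound NSG rules are evaluated in priority order on destination port only, with an implicit deny when nothing matches, and the class names, field names and five-VM fleet are constructed for illustration.

```python
from dataclasses import dataclass

WEB_PORTS = (80, 443)  # the ports named in item 7


@dataclass(frozen=True)
class NsgRule:            # hypothetical model of one NSG security rule
    name: str
    priority: int         # lower number is evaluated first
    access: str           # "Allow" or "Deny"
    dest_ports: tuple     # port specs: "443", "8000-8100" or "*"
    direction: str = "Inbound"


@dataclass(frozen=True)
class Vm:                 # hypothetical inventory record
    name: str
    has_ilpip: bool = False          # instance-level public IP attached
    nsg_rules: tuple = ()
    lb_frontend_ports: tuple = ()    # ports exposed by load balancing / inbound NAT rules


def covers(spec, port):
    """True if one destination port spec includes the given port."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def inbound_decision(rules, port):
    """First matching inbound rule by priority wins; no match means Deny."""
    inbound = (r for r in rules if r.direction.lower() == "inbound")
    for rule in sorted(inbound, key=lambda r: r.priority):
        if any(covers(s, port) for s in rule.dest_ports):
            return rule.access.capitalize()
    return "Deny"


def waf_reasons(vm):
    """Return which of the two item 7 conditions the VM meets."""
    reasons = []
    nsg_open = [p for p in WEB_PORTS if inbound_decision(vm.nsg_rules, p) == "Allow"]
    if vm.has_ilpip and nsg_open:
        reasons.append(f"ILPIP and NSG allows inbound {nsg_open}")
    lb_open = [p for p in WEB_PORTS if p in vm.lb_frontend_ports]
    if lb_open:
        reasons.append(f"load-balanced IP forwards {lb_open}")
    return reasons


def audit(fleet):
    """Map VM name to reasons, only for VMs where a WAF would be recommended."""
    findings = {}
    for vm in fleet:
        reasons = waf_reasons(vm)
        if reasons:
            findings[vm.name] = reasons
    return findings


# Constructed sample inventory (not real data).
FLEET = (
    Vm("web-01", has_ilpip=True, nsg_rules=(
        NsgRule("deny-ssh", 100, "Deny", ("22",)),
        NsgRule("allow-https", 200, "Allow", ("443",)))),
    Vm("web-02", has_ilpip=True, nsg_rules=(   # broad deny shadows the later allow
        NsgRule("deny-all", 100, "Deny", ("*",)),
        NsgRule("allow-http", 200, "Allow", ("80",)))),
    Vm("app-01", lb_frontend_ports=(443, 8443)),
    Vm("db-01", has_ilpip=True, nsg_rules=(
        NsgRule("allow-sql", 300, "Allow", ("1433",)),)),
    Vm("legacy-01", has_ilpip=True, nsg_rules=(  # a port range that hides 80 and 443
        NsgRule("egress", 100, "Deny", ("*",), direction="Outbound"),
        NsgRule("allow-low", 400, "allow", ("1-1024",)))),
)

if __name__ == "__main__":
    for name, reasons in audit(FLEET).items():
        print(f"{name}: WAF recommended ({'; '.join(reasons)})")
```

The `web-02` and `legacy-01` cases are the ones a manual review tends to miss: a higher-priority deny makes a later allow rule irrelevant, and a wide port range exposes 80/443 without naming them.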
