Cloud hosting unlocks a level of speed and agility that was previously out of reach for most organizations. With cloud infrastructure such as Amazon Web Services (AWS) or Microsoft Azure in place, also known as infrastructure-as-a-service (IaaS), teams can move at a disruptive pace while realizing savings and efficiencies along the way.
Some of the specific benefits of IaaS include the following:
While the benefits of cloud hosting are well-documented, security in the cloud is still new for many organizations. The reality is that, for the most part, the same security considerations and responsibilities that exist in an on-premises environment are still present in some form in the cloud as well.
One new challenge is that while the perimeter of an on-premises environment is well understood, the shift to cloud hosting and cloud applications has left the perimeter far less defined: identities, APIs and management planes are reachable from anywhere. Cloud customers share responsibility for security with their providers and should ensure these responsibilities are well understood and documented to avoid gaps where each side assumes the other has a control covered. Read on to learn more about securing Microsoft Azure environments, or learn more about AWS cloud security best practices.
Microsoft Azure customers have access to a number of built-in security features, but will need to supplement them with their own security efforts and tools for comprehensive coverage. Customers have to consider securing and monitoring their Azure cloud computing infrastructure, as well as any of Microsoft's SaaS applications they may be using.
As with on-premises systems, it is critical to understand who is accessing what, and when. Ahead of migration, teams should have a plan not only for what this will look like initially, but also for how they will scale it as cloud adoption grows over time. Multi-factor authentication and least-privilege access are good places to start.
It’s also important to understand what’s in the box. Not all packages are created equal, and unfortunately, some fundamental monitoring may not be included or turned on by default. Again, it’s important to ensure the scope of security coverage is well understood prior to migration and the appropriate plans are in place to fill any existing gaps.
As is the case with protecting any environment, the first step in protecting Azure cloud and its users is visibility. Early detection of potentially malicious behavior depends on understanding the activity in the environment. Cloud logs are the best source of this insight, but many teams are new to this type of logging and may encounter challenges when configuring these logs and extracting actionable insights from them.
As teams build a plan for logging in the cloud and determining which logs are most relevant for their Azure environment, there are a few important considerations to ensure success.
First, logs need to be on! Some Azure logs are enabled by default, but many others must be explicitly configured; in Azure, most resource and platform logs only leave the platform once a diagnostic setting has been created for them. Each subscription tier also has different default logging configurations that may need to be adjusted to ensure the right logs are flowing. Don't make any assumptions. Understand which logs are on by default, configure any that are missing, and confirm that the relevant and expected objects are actually being captured in those logs.
Second, centralize to Event Hubs. The method for exporting data varies by log type: streaming to an Event Hub is sometimes offered as an export feature, a setting, or a checkbox as you configure the log. Whatever the mechanism, verify that the logs are arriving at the hub rather than assuming the setting took effect.
Third, check your subscription. Again, there are logging and configuration nuances with each subscription type. For example, the paid tier of Azure Security Center (now Microsoft Defender for Cloud) is not included with every subscription, which means you could miss its security alerts. Azure Active Directory Sign-In and Audit Logs, which many security teams would consider a must-have, require a Premium P1 or P2 license at minimum before they can be exported.
With the proper configuration and log flow in place, teams can begin pushing this data to their security information and event management (SIEM) tool. Azure Event Hubs are often used to aggregate and export logs into the SIEM. Again, each log source is configured individually to flow into the Event Hub, so the hub should be checked for every category you expect, not just the first one you set up.
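The "logs need to be on" and "make sure they are flowing" steps above are easy to assert and hard to prove. The following is an added example, not code from the original page: it consumes message bodies in the shape that Azure diagnostic settings use when streaming to an Event Hub (a JSON document with a `records` array, each record carrying `time` and `category`) and reports which expected categories never appeared or have gone quiet. The expected-category set, the one-hour silence threshold and the sample messages are constructed assumptions for the illustration; a real consumer would read the bodies from the hub with the Event Hubs SDK.

```python
"""Check that the Azure log categories you expect are actually arriving.

Added example (not the page's code). Input is a list of Event Hub message
bodies in the diagnostic-settings envelope: {"records": [ {...}, ... ]}.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumption: the categories this team treats as must-have. Adjust per plan.
EXPECTED = {
    "AuditLogs",       # Azure AD directory changes
    "SignInLogs",      # Azure AD sign-ins (needs a Premium P1/P2 license to export)
    "Administrative",  # Activity Log: control-plane (ARM) operations
    "Security",        # Activity Log: Security Center alerts
}

# Constructed sample message bodies, shaped like diagnostic-setting batches.
SAMPLE_MESSAGES = [
    json.dumps({"records": [
        {"time": "2024-05-01T09:58:00Z", "category": "AuditLogs",
         "operationName": "Add member to group"},
        {"time": "2024-05-01T09:59:00Z", "category": "Administrative",
         "operationName": "Microsoft.Compute/virtualMachines/write"},
    ]}),
    json.dumps({"records": [
        {"time": "2024-05-01T06:00:00Z", "category": "Security",
         "operationName": "Microsoft.Security/locations/alerts/activate/action"},
    ]}),
    "not json at all",  # a malformed body must not take the checker down
]


def _ts(s):
    """Parse the ISO-8601 'Z' timestamps Azure emits into aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_records(messages):
    """Yield individual records from message bodies, skipping anything malformed."""
    for body in messages:
        try:
            envelope = json.loads(body)
        except (json.JSONDecodeError, TypeError):
            continue
        if not isinstance(envelope, dict):
            continue
        for rec in envelope.get("records", []):
            if isinstance(rec, dict) and "category" in rec and "time" in rec:
                yield rec


def last_seen_by_category(messages):
    """Map each category seen to the newest timestamp observed for it."""
    seen = {}
    for rec in parse_records(messages):
        ts = _ts(rec["time"])
        if rec["category"] not in seen or ts > seen[rec["category"]]:
            seen[rec["category"]] = ts
    return seen


def coverage_report(messages, expected, now, max_silence=timedelta(hours=1)):
    """Report expected categories that are missing or stale, plus surprises."""
    seen = last_seen_by_category(messages)
    return {
        "missing": sorted(c for c in expected if c not in seen),
        "stale": sorted(c for c in expected if c in seen and now - seen[c] > max_silence),
        "unexpected": sorted(c for c in seen if c not in expected),
    }


def sample_report():
    """Run the check over the constructed sample at a fixed 'now'."""
    now = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    return coverage_report(SAMPLE_MESSAGES, EXPECTED, now)


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Run on the sample, the report shows `SignInLogs` missing entirely (the license gap described above would produce exactly this) and `Security` stale, since its last record is four hours old. Scheduling a check like this against the hub is a cheap way to notice when a diagnostic setting was never created, was removed, or points at the wrong hub.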
With this data in a SIEM, you gain consolidated visibility of your Azure environment and can view it alongside data from the other systems in your environment. Some traditional SIEMs may not yet be able to ingest these diverse datasets. When evaluating modern SIEMs, it is important to understand and validate how your team will aggregate data across cloud, on-premises, and remote assets. Additionally, a strong SIEM will offer normalization (mapping different log formats onto one schema), correlation (linking events across sources) and attribution (tying them back to a user or asset) to help detect and track attackers as they move across these systems.
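What normalization, correlation and attribution buy you is easiest to see on a concrete chain of events. The following is an added example, not code from the original page or any SIEM vendor: it maps Azure AD sign-in records (in the `SignInLogs` diagnostic schema) and Windows Security logon events (event 4624, as a log forwarder ships them) onto one common schema, attributes both to the same identity, and flags the pattern of repeated cloud sign-in failures, a cloud success, and then an on-premises remote logon from the same source address within a short window. The records, the domain-to-UPN mapping and the thresholds are constructed assumptions for the illustration.

```python
"""Normalize Azure AD sign-ins and Windows logon events into one schema, then
correlate them by identity to follow an account from the cloud onto a server.

Added example, not the page's code. Field names follow the Azure AD SignInLogs
diagnostic schema and the Windows Security 4624 event; the records themselves
are constructed, and the domain-to-UPN mapping is an assumption for the sample.
"""
from datetime import datetime, timedelta

# Assumption: how an on-prem NetBIOS domain maps to the tenant's UPN suffix.
DOMAIN_TO_UPN_SUFFIX = {"CONTOSO": "contoso.com"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed Azure AD SignInLogs records: two password failures (AADSTS50126,
# invalid credentials) and then a single-factor success from the same IP.
AZURE_SIGNINS = [
    {"time": "2024-05-01T10:00:00Z", "category": "SignInLogs", "properties": {
        "userPrincipalName": "JDoe@contoso.com", "ipAddress": "203.0.113.7",
        "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}}},
    {"time": "2024-05-01T10:00:20Z", "category": "SignInLogs", "properties": {
        "userPrincipalName": "JDoe@contoso.com", "ipAddress": "203.0.113.7",
        "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}}},
    {"time": "2024-05-01T10:01:00Z", "category": "SignInLogs", "properties": {
        "userPrincipalName": "JDoe@contoso.com", "ipAddress": "203.0.113.7",
        "appDisplayName": "Azure Portal", "status": {"errorCode": 0},
        "authenticationRequirement": "singleFactorAuthentication"}},
    {"time": "2024-05-01T10:02:00Z", "category": "SignInLogs", "properties": {
        "userPrincipalName": "amy@contoso.com", "ipAddress": "198.51.100.4",
        "appDisplayName": "Office 365", "status": {"errorCode": 0},
        "authenticationRequirement": "multiFactorAuthentication"}},
]

# Constructed Windows Security events as a log forwarder would ship them.
WINDOWS_EVENTS = [
    {"TimeCreated": "2024-05-01T10:04:00Z", "EventID": 4624, "Computer": "FS01",
     "TargetUserName": "jdoe", "TargetDomainName": "CONTOSO",
     "IpAddress": "203.0.113.7", "LogonType": 10},  # 10 = RemoteInteractive (RDP)
    {"TimeCreated": "2024-05-01T09:00:00Z", "EventID": 4624, "Computer": "DC01",
     "TargetUserName": "svc_backup", "TargetDomainName": "CONTOSO",
     "IpAddress": "10.0.0.12", "LogonType": 3},
]


def normalize_azure(rec):
    """SignInLogs record -> common schema; errorCode 0 is a successful sign-in."""
    p = rec["properties"]
    return {"ts": _ts(rec["time"]), "source": "azuread",
            "user": p["userPrincipalName"].lower(), "src_ip": p.get("ipAddress"),
            "outcome": "success" if p["status"].get("errorCode", 0) == 0 else "failure",
            "detail": p.get("appDisplayName", "")}


def normalize_windows(ev):
    """4624/4625 event -> common schema, attributing the logon to a UPN."""
    suffix = DOMAIN_TO_UPN_SUFFIX.get(ev["TargetDomainName"], ev["TargetDomainName"].lower())
    return {"ts": _ts(ev["TimeCreated"]), "source": "windows",
            "user": f"{ev['TargetUserName']}@{suffix}".lower(), "src_ip": ev.get("IpAddress"),
            "outcome": "success" if ev["EventID"] == 4624 else "failure",
            "detail": f"{ev['Computer']} logon_type={ev['LogonType']}"}


def build_timeline(azure_records, windows_events):
    """Merge both sources into one time-ordered list of normalized events."""
    events = [normalize_azure(r) for r in azure_records if r.get("category") == "SignInLogs"]
    events += [normalize_windows(e) for e in windows_events if e.get("EventID") in (4624, 4625)]
    return sorted(events, key=lambda e: e["ts"])


def find_cloud_to_onprem_chains(timeline, min_failures=2, window=timedelta(minutes=15)):
    """Flag: >= min_failures cloud failures, then a cloud success, then an
    on-prem logon from the same source IP within `window` of that success."""
    by_user = {}
    for e in timeline:
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        failures, cloud_success = 0, None
        for e in evs:
            if e["source"] == "azuread":
                if e["outcome"] == "failure":
                    failures += 1
                    cloud_success = None
                elif failures >= min_failures:
                    cloud_success = e
            elif e["outcome"] == "success" and cloud_success is not None:
                if e["src_ip"] == cloud_success["src_ip"] and e["ts"] - cloud_success["ts"] <= window:
                    findings.append({"user": user, "src_ip": e["src_ip"], "failures": failures,
                                     "cloud_success": cloud_success["ts"].isoformat(),
                                     "onprem": e["detail"]})
                    failures, cloud_success = 0, None
    return findings


def sample_findings():
    return find_cloud_to_onprem_chains(build_timeline(AZURE_SIGNINS, WINDOWS_EVENTS))


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

On the sample, only `jdoe@contoso.com` is flagged: the two failures and the single-factor success come from 203.0.113.7, and three minutes later the same address performs an RDP logon to FS01. Neither source alone tells that story; the cloud log shows a user who eventually typed the right password, and the server log shows a routine logon. The same rule run over events kept in two separate consoles would never fire, which is the practical argument for getting Azure logs into the SIEM next to everything else.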