Securing Your Microsoft Azure Environment

As organizations navigate their digital transformations and embark on adopting Microsoft Azure, one of the biggest challenges they face is ensuring that their new cloud infrastructure is secure. Many IT leaders and professionals make the mistake of approaching security in the cloud the same way they approached security in a traditional data center. However, in the software-defined world of Microsoft Azure, there is an added wrinkle. Without a holistic approach to security that includes a view of configuration, you can easily open yourself up to undue risk.

First, understand that security in the cloud is a shared responsibility between the cloud provider and the customer. All of the major cloud providers, including Microsoft Azure, operate under this premise. Microsoft’s Shared Responsibilities for Cloud Computing white paper explains the shared responsibilities a customer needs to be aware of and purposeful in managing when adopting Azure. In a nutshell, with Azure, Microsoft provides security for certain elements, such as the physical infrastructure and network elements, but Azure customers must be aware of their own responsibilities. For example, Microsoft provides services to help protect data, but customers must also understand their role in protecting the security and privacy of their data. The best illustration of this issue involves the poor implementation of a password policy; Microsoft’s best security measures will be defeated if customers fail to use complex passwords.

Second, customers are often left with the question, “How do I know what good security looks like in Azure?” To help answer that question, Microsoft has developed the CIS Microsoft Azure Foundations Security Benchmark, based on the Center for Internet Security’s best practices for protecting public and private organizations from cyber threats. The Azure CIS Benchmark provides guidance for establishing a secure baseline configuration such as how to configure a firewall within Azure or how to set permission levels for various applications. It also provides quantitative scoring of an organization’s Azure security posture.

Many organizations struggle with this because it is really hard to operationalize the guidance in this document. You need to have the people who can translate these documents to your environment. You need to have centralized visibility into all the configuration choices being made. Dealing with software-defined infrastructure in the public cloud is a challenge, especially when empowering developers and engineers with self-service for provisioning and configuration, as these personnel may not be familiar with security and having to deal with the rate of change in the cloud. Because cloud technology is always changing, it’s vitally important to understand the configuration choices being made. Validating those configuration choices against security standards becomes far more important for most companies now than in the past because failing to do so can lead to the company to falling victim to the data breaches that we continuously hear about in the news.

Visibility Is Key

It is critical to have a comprehensive view into your cloud environment to identify misconfigurations as well as to see who has access to what resources and what level of access is permitted.

To avoid this visibility gap and common misconfigurations, organizations need automation tools that provide full visibility into their cloud infrastructure and the ability to identify and remediate issues on the fly. When it comes to selecting automated systems that deliver continuous security and compliance, here are some top considerations:

  • Support for multiple Azure subscriptions and multi-cloud 
  • Alerting and remediation (allows for IFTTT-like automation rule building to enable proactive security)
  • Support for sending incidents to systems like Service-Now
  • Integrations with systems like Splunk
  • Support for SAML like PingFed or Okta
  • Ability to create dynamic groups of resources based on tags
  • Support for an extensive set of pre-built policies that tie back to common regulatory standards, such as the Azure CIS Benchmark

Operationalizing Security Benchmarks Through Automation

Continuous security and compliance in the cloud is essential. “Trust, but verify” is a common phrase in the cloud computing industry, meaning that you should trust that developers and engineers are provisioning and configuring cloud and container services appropriately, but they also need to verify this relative to security, compliance, and governance policies.  

DivvyCloud has taken the pain out of making cloud infrastructures secure in a shared responsibility world by providing a framework for what organizations should be doing via a continuous, real-time process. DivvyCloud’s Cloud Security and Compliance Buyer’s Framework provides a preset list of criteria across several categories so organizations can easily establish common criteria to objectively compare and evaluate competing products. This prescriptive guidance establishes a secure baseline configuration for Microsoft Azure and is implemented in DivvyCloud’s Insight Packs. These provide immediate and continued visibility into the posture of Azure environments against the Azure CIS Benchmark, as well as bots to automate the remediation of policy violations.

DivvyCloud is a software appliance, not a SaaS offering, which allows enterprise customers to give the software read/write access to their critical infrastructure. The software platform allows customers to use underlying data to drive orchestration, easily extend our product (so they can buy and build), and deeply integrate the solution throughout their technology stack. DivvyCloud puts forth policies and monitors them to ensure compliance and provides the active protection necessary throughout an organization’s cloud journey.

Here are the key features of DivvyCloud’s cloud automation platform:

  • Automates the verification process and makes it easy to automatically remediate policy violations so that the environments are always secure and compliant
  • Identifies security risks in real time and takes automatic, user-defined action to fix problems before they’re exploited
  • Automates enforcement of best practices and standards, including SOC 2, CIS, PCI DSS, HIPAA, and GDPR
  • Provides a global tagging policy that allows the use of metadata to assign different levels of security to your data
  • Improves cloud governance and cloud cost management by enforcing your global tagging policy

It is important to remember that choosing a cloud provider such as Microsoft Azure does not mean your cloud infrastructure is automatically secure. There are other security considerations that companies must configure in order to be in compliance and ensure that their network and applications are secure. Using established frameworks can provide a baseline for evaluating your security and compliance. This, coupled with an automated cloud management solution, enables organizations to fully operationalize their network in real time and gain visibility and control of their security posture.

Interested in learning more? Watch DivvyCloud in action in our demo!