*This article is a summary of content for learning purposes. For more information and context, read the original articles in the References section.*
Regardless of the deployment type, you always retain responsibility for the following items:
In almost all cases, attackers are after data:
Azure AD provides services such as:
The more identities a user has to manage, the greater the risk of a credential-related security incident.
Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories: something you know (a password or PIN), something you have (a phone or hardware token), and something you are (a fingerprint or face scan). Elements from two different categories are required; two passwords are not MFA.
A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.
When you create a managed identity for a service, you are creating an account in your organization’s Azure Active Directory tenant (a specific organization’s Azure AD instance is known as a “tenant”). Unlike a service principal with a client secret, a managed identity has no credential for you to store or rotate; Azure manages it for you.
Roles are sets of permissions, like “Read-only” or “Contributor”, that users can be granted to access an Azure service instance.
Symmetric encryption uses the same key to encrypt and decrypt the data.
Asymmetric encryption uses a public key and private key pair. Either key can encrypt, but a key can’t decrypt data it encrypted itself; to decrypt, you need the paired key. Asymmetric encryption is used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing. In TLS it authenticates the server and establishes a shared session key; the bulk of the session data is then encrypted symmetrically, because symmetric ciphers are far faster.
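The two schemes side by side, as an added example that is not part of the original article. To stay runnable with only the Python standard library it uses toy primitives: a SHAKE-256 keystream XOR for the symmetric cipher and textbook RSA with 32-bit primes for the asymmetric one. Both are for illustration only (no authentication, no padding, tiny keys) and are assumptions of this example, not anything Azure uses; in practice you would use AES-GCM and 2048-bit-plus RSA or an elliptic-curve scheme from a vetted library.

```python
"""Symmetric vs asymmetric encryption with stdlib-only toy primitives.

Added example, not from the original article. The symmetric cipher is a
SHAKE-256 keystream XOR and the asymmetric scheme is textbook RSA with small
primes: both are illustrations of the concepts, not production cryptography.
"""
import hashlib
import math
import secrets


# ---- Symmetric: one shared key both encrypts and decrypts --------------------
def sym_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with a keystream derived from (key, nonce).
    Decryption is the identical operation, which is what 'symmetric' means."""
    keystream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


sym_decrypt = sym_encrypt  # same key, same operation


# ---- Asymmetric: a key pair; each key undoes only what the other did ---------
def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; adequate for the toy key sizes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int = 64):
    """Return (public, private) as ((n, e), (n, d)). Toy size; real keys are 2048+ bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, m: int) -> int:
    """Modular exponentiation with whichever half of the pair is supplied."""
    n, exp = key
    return pow(m, exp, n)


def demo() -> dict:
    """Exercise both schemes on constructed inputs; each value records one property."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    msg = b"constructed sample: card 4111 1111 1111 1111"
    ct = sym_encrypt(key, nonce, msg)
    sym_ok = ct != msg and sym_decrypt(key, nonce, ct) == msg

    pub, priv = rsa_keypair()
    m = 12345                                   # message as an integer below n
    c = rsa_apply(pub, m)                       # anyone holding the public key can encrypt
    decrypt_ok = rsa_apply(priv, c) == m        # only the private key recovers it
    same_key_fails = rsa_apply(pub, c) != m     # the key that encrypted cannot undo itself

    digest = int.from_bytes(hashlib.sha256(b"contract v1").digest(), "big") % pub[0]
    sig = rsa_apply(priv, digest)               # signing: private key over the hash
    verify_ok = rsa_apply(pub, sig) == digest   # anyone verifies with the public key
    forged_fails = rsa_apply(pub, sig + 1) != digest

    return {
        "symmetric_roundtrip": sym_ok,
        "public_encrypt_private_decrypt": decrypt_ok,
        "same_key_cannot_decrypt": same_key_fails,
        "signature_verifies": verify_ok,
        "tampered_signature_rejected": forged_fails,
    }


if __name__ == "__main__":
    for prop, holds in demo().items():
        print(f"{prop}: {holds}")
```

Note what the asymmetric half does not give you on its own: nothing here authenticates the ciphertext or pads the message, and `same_key_cannot_decrypt` is what makes it safe to publish one half of the pair. The symmetric half, by contrast, means anyone who can decrypt can also encrypt, so the shared key must be protected at both ends, which is exactly the problem services like Key Vault exist to address.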
Data at rest is the data that has been stored on a physical medium. This data could be stored on the disk of a server, data stored in a database, or data stored in a storage account.
Data in transit is the data actively moving from one location to another, such as across the internet or through a private network. Secure transfer can be handled by several different layers.
Azure Storage Service Encryption for data at rest helps you protect your data to meet your organizational security and compliance commitments. With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval. The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to applications using the services.
Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets (and you can use managed service identities for accessing Key Vault).
Transparent data encryption (TDE) helps protect Azure SQL Database and Azure SQL Data Warehouse (now the dedicated SQL pool in Azure Synapse Analytics) against offline access to the underlying database files. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, TDE is enabled for all newly deployed Azure SQL Database instances. Note that TDE does not protect data from a user or application that is already authenticated to the database; for that you need access control, and features such as Always Encrypted or column-level encryption.
Azure Key Vault is a centralized cloud service for storing your application secrets. Key Vault helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
Certificates used in Azure are x.509 v3 and can be signed by a trusted certificate authority, or they can be self-signed.
You can store your certificates in Azure Key Vault - much like any other secret. However, Key Vault provides additional features above and beyond the typical certificate management.
Automating certificate management helps to reduce or eliminate the error-prone task of manual certificate management, in particular missed renewals that cause outages when a certificate expires.
A layered approach provides multiple levels of protection, so that if an attacker gets through one layer, there are further protections in place to limit further attack.
Azure Security Center (since renamed Microsoft Defender for Cloud) is a great place to look for this information, because it will identify internet-facing resources that don’t have network security groups associated with them, as well as resources that are not secured behind a firewall.
A firewall is a service that grants server access based on the originating IP address of each request. You create firewall rules that specify ranges of IP addresses. Only clients from these granted IP addresses will be allowed to access the server. Firewall rules, generally speaking, also include specific network protocol and port information.
Once inside a virtual network (VNet), it’s crucial that you limit communication between resources to only what is required. For communication between virtual machines, Network Security Groups (NSGs) are a critical piece to restrict unnecessary communication. NSG rules are evaluated in priority order (lowest number first) and the first matching rule wins, so an Allow rule at a lower priority number overrides a Deny rule at a higher one.
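A small evaluator for firewall- and NSG-style rules, as an added example that is not part of the original article and not Azure’s own code. It models the documented NSG semantics (rules checked in priority order, first match decides, platform default rules at priorities 65000 and above ending in DenyAllInBound), compares a weak rule set that exposes SSH to the internet with a hardened one restricted to an admin CIDR, and includes a check in the spirit of the Security Center finding above. The rule sets, CIDRs and IP addresses are constructed for the example; the VirtualNetwork service tag is approximated by a single CIDR, which is an assumption of this example.

```python
"""Evaluate inbound traffic against NSG-style rules.

Added example, not from the original article or from Azure. Models NSG
semantics: rules sorted by priority (lowest number first), first match wins,
default rules at 65000+ ending in DenyAllInBound. All addresses constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for user rules; lower number is checked first
    action: str          # "Allow" or "Deny"
    source: str          # CIDR, or "*" for any source
    protocol: str        # "Tcp", "Udp", or "*"
    dst_ports: tuple     # (low, high) inclusive; (0, 65535) means any port


ANY_PORT = (0, 65535)

# Azure's default inbound rules. VirtualNetwork is a service tag; it is
# approximated here by a single RFC 1918 range (assumption of this example).
# 168.63.129.16 is the Azure load balancer health-probe source address.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "10.0.0.0/8", "*", ANY_PORT),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "168.63.129.16/32", "*", ANY_PORT),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", ANY_PORT),
)

WEB = (
    Rule("deny-blocked-range", 90, "Deny", "192.0.2.0/24", "*", ANY_PORT),
    Rule("allow-https", 100, "Allow", "*", "Tcp", (443, 443)),
)

# Weak: management port reachable from any source. Hardened: admin CIDR only.
WEAK = WEB + (Rule("allow-ssh-any", 300, "Allow", "*", "Tcp", (22, 22)),) + DEFAULT_INBOUND
HARDENED = WEB + (Rule("allow-ssh-admin", 300, "Allow", "198.51.100.0/24", "Tcp", (22, 22)),) + DEFAULT_INBOUND


def _port_in(port: int, rng: tuple) -> bool:
    return rng[0] <= port <= rng[1]


def _src_matches(src_ip: str, source: str) -> bool:
    return source == "*" or ip_address(src_ip) in ip_network(source, strict=False)


def evaluate(rules, src_ip: str, protocol: str, dst_port: int):
    """Return (action, rule name) of the first rule, by priority, that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_src_matches(src_ip, rule.source)
                and rule.protocol in ("*", protocol)
                and _port_in(dst_port, rule.dst_ports)):
            return rule.action, rule.name
    return "Deny", "implicit"  # only reached if the default rules were removed


def internet_exposed_admin_ports(rules, probe_ip="203.0.113.7", admin_ports=(22, 3389)):
    """What a Security Center-style check looks for: management ports that an
    arbitrary internet address (constructed probe IP) would be allowed to reach."""
    return [p for p in admin_ports if evaluate(rules, probe_ip, "Tcp", p)[0] == "Allow"]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "ssh from internet ->", evaluate(rules, "203.0.113.7", "Tcp", 22))
        print(label, "exposed admin ports ->", internet_exposed_admin_ports(rules))
    # Priority, not rule order, decides: the Deny at 90 beats allow-https at 100.
    print("blocked range to 443 ->", evaluate(WEB + DEFAULT_INBOUND, "192.0.2.5", "Tcp", 443))
```

The `deny-blocked-range` rule shows the ordering rule in practice: it sits at priority 90, so traffic from 192.0.2.0/24 is denied on port 443 even though `allow-https` permits any source, while the same Deny placed at priority 110 would never be reached. The `internet_exposed_admin_ports` check is the kind of query to run against every NSG attached to a public-facing NIC or subnet, and it only answers correctly if you evaluate the full effective rule set rather than look for a single rule.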
Virtual private network (VPN) connections are a common way of establishing secure communication channels between networks. Connections between Azure Virtual Network and an on-premises VPN device are a great way to provide secure communication between your network and your VNet on Azure. To provide a dedicated, private connection between your network and Azure, you can use Azure ExpressRoute. ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider.
Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
Azure Advanced Threat Protection (Azure ATP, since renamed Microsoft Defender for Identity) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. It works from signals collected on your on-premises Active Directory domain controllers, which is what lets it spot lateral movement and credential abuse that cloud-only telemetry misses.
Azure ATP is available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and as a standalone license. You can acquire a license directly from the Enterprise Mobility + Security Pricing Options page or through the Cloud Solution Provider (CSP) licensing model. It is not available to purchase via the Azure portal.
The Microsoft Security Development Lifecycle (SDL) introduces security and privacy considerations throughout all phases of the development process.
Defense in depth is the overriding theme - think about security as a multi-layer, multi-vector concern.
Cloud security is a shared responsibility between you and your cloud provider. Which category of cloud services requires the greatest security effort on your part?
Infrastructure as a service (IaaS)
Platform as a service (PaaS)
Software as a service (SaaS)
Which of these options helps you most easily disable an account when an employee leaves your company?
Enforce multi-factor authentication (MFA)
Monitor sign-on attempts
Use single sign-on (SSO)
Which of these approaches is the strongest way to protect sensitive customer data?
Encrypt data as it sits in your database
Encrypt data as it travels over the network
Encrypt data both as it sits in your database and as it travels over the network
There has been an attack on your public-facing website, and the application’s resources have been overwhelmed and exhausted, and are now unavailable to users. What service should you use to prevent this type of attack?
DDoS protection
Azure Firewall
Network Security Group
Application Gateway
You want to store certificates in Azure to centrally manage them for your services. Which Azure service should you use?
AIP
Azure AD
Azure Key Vault
Azure ATP