How to Secure Azure Deployments
That this year has been an interesting one for us in IT is an understatement. It’s been a very good year for public cloud though, with record growth in AWS and Azure. And for many businesses, the “digital transformation” journey towards the cloud has been highly accelerated. Maybe last year’s small proof-of-concept Azure deployments have grown into full-scale production resources. Or the inability to access your co-lo datacenter servers due to COVID-19 restrictions has forced a migration of VMs to public cloud.
Whatever the reason, you may find yourself responsible for a lot more cloud Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) resources and now taking stock of the security posture of all of it.
This article will look at the comprehensive guidance Microsoft offers for “how to do security” in Azure and how to use the tool that brings it all together: Azure Security Center (ASC).
Cloud Adoption Framework
The CAF is a good place to start, at any stage in your cloud journey, particularly for larger businesses. Based on cloud adoption best practices from Microsoft, partners and customers, it has guidance and tools to shape technology, people and processes for cloud success. It covers strategy and planning, migration, governing, management, organization and innovation. Here we’re going to focus on the security strategy, part which covers conceptS such as securing your cloud resources as well as using cloud technology to transform how you do security, along with the shared responsibility model.
Moving to the cloud means that some parts of security (physical hosts/network/datacenters) are now the responsibility of the provider, whereas other parts stay with you (data, endpoint devices, accounts and identities). Further, with IaaS you still have to secure the OS and applications in your VMs, apply network controls and manage your identity directory (Azure Active Directory — AAD). Using PaaS services shifts some of these responsibilities to the cloud provider, depending on the service you’re using. This is one reason that you should look to modernize your applications away from IaaS towards PaaS as there’s less for you to secure, but new features to understand to ensure a good security resilience.
The CAF also covers different admin security roles involved in managing cyberrisk and how they change when you’re in the cloud. More direct guidance is also on offer through a set of recommendations and a reference implementation.
The Well-Architected Framework, on the other hand, is a set of assessments building on these five pillars:
The assessments ascertain where you’re at today, and then spits out a set of curated guidance to improve your approach.