9/2/2018 73 Azure Security Best Practices Everyone Must Follow | Skyhigh

73 Azure Security Best Practices Everyone Must Follow

By Leah Dekalb

Infrastructure-as-a-Service (IaaS) adoption continues its upward trend as the fastest growing public cloud segment.
Not surprisingly, in Microsoft’s latest Security Intelligence Report from 2017, cloud service users saw a 300% year-
over-year increase in attacks against them, with over a third of attacks against Azure services in particular
originating from China.

With the rapid adoption of IaaS providers like Azure, the threat environment has evolved, but with the right
preparation, any company can implement cloud security practices for services that significantly reduce the
potential impact of an attempted breach.

While Microsoft provides security capabilities to protect enterprise Azure subscriptions, cloud security’s shared
responsibility model requires Azure customers to deliver security “in” Azure. Below are best practices, derived from
customers and Center for Internet Security (CIS) recommendations for 7 critical areas of security in Azure that
everyone must follow to ensure their Azure subscriptions are secure.

https://www.skyhighnetworks.com/cloud-security-blog/73-azure-security-best-practices/ 1/6
Get the Full List of 73 Best Practices

Download this eBook to learn about Azure security challenges, detailed best practices around Azure and
applications deployed in Azure, and how CASBs can secure your Azure infrastructure.
1. Security Policy

Ensure that ‘OS vulnerabilities’ is set to on.

Enable OS vulnerabilities recommendations for virtual machines. When this setting is enabled, it analyzes operating system
configurations daily to determine issues that could make the virtual machine vulnerable to attack. The policy also recommends
configuration changes to correct these vulnerabilities.

Ensure that ‘endpoint protection’ is set to on.


Enable endpoint protection recommendations for virtual machines. When this setting is enabled, Azure Security Center
recommends endpoint protection be provisioned for all Windows virtual machines to help identify and remove viruses, spyware,
and other malicious software.

Ensure that ‘JIT network access’ is set to on.


Enable JIT network access for virtual machines. When this setting is enabled, the Security Center locks down inbound traffic to your
Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic should be locked down. Just-in-time VM
access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to
connect to VMs when needed.

2. Identity and Access Management

Ensure that for all users, multi-factor authentication is enabled.

Enable multi-factor authentication for all user credentials that have write access to Azure resources. Multi-factor authentication
requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor
authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor
authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of
compromise and thus reducing the risk.

Ensure that ‘users can consent to apps accessing company data on their behalf’ is set to no.

Require administrators to provide consent for the apps before use. Until you are running Azure Active Directory as an identity
provider for third-party applications, do not allow users to use the identity outside of your cloud environment. A user’s profile
information contains private information such as phone number and email address which could then be sold off to other third
parties without requiring any further consent from the user.

Ensure that ‘restrict access to Azure AD administration portal’ is set to yes.

Restrict access to the Azure AD administration portal to administrators only. The Azure AD administrative portal has sensitive data. You
should restrict all non-administrators from accessing any Azure AD data in the administration portal to avoid exposure.
3. Storage Accounts

Ensure that ‘secure transfer required’ is set to enabled.

Enable data encryption in transit. The secure transfer option enhances the security of your storage account by only allowing
requests to the storage account over a secure connection. For example, when calling REST APIs to access your storage accounts, you
must connect using HTTPS. Any requests using HTTP will be rejected when ‘secure transfer required’ is enabled. When you are using
the Azure Files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and
some flavors of the Linux SMB client.

Ensure that ‘storage service encryption’ is set to enabled.

Enable data encryption at rest for blobs. Storage service encryption protects your data at rest. Azure Storage encrypts your data as
it’s written in its data centers, and automatically decrypts it for you as you access it.
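One way to verify both storage settings across a subscription, as an added example that is not code from the Skyhigh post: the script below reads output in the JSON shape of `az storage account list -o json` (the key names `enableHttpsTrafficOnly` and `encryption.services.blob.enabled` are assumed to match that output) and reports every account that fails either control. The three accounts in the sample are constructed for the demonstration.

```python
"""Check storage accounts for 'secure transfer required' and
'storage service encryption' (the two Section 3 settings).

Added example, not code from the Skyhigh post. Assumes input in the JSON
shape of `az storage account list -o json`; sample accounts constructed.
"""
import json

# Constructed sample: one compliant account, two with findings.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stgprodlogs",
   "enableHttpsTrafficOnly": true,
   "encryption": {"services": {"blob": {"enabled": true},
                               "file": {"enabled": true}}}},
  {"name": "stglegacyapp",
   "enableHttpsTrafficOnly": false,
   "encryption": {"services": {"blob": {"enabled": true}}}},
  {"name": "stgscratch",
   "enableHttpsTrafficOnly": false,
   "encryption": {"services": {"blob": {"enabled": false}}}}
]
"""


def blob_encryption_enabled(account: dict) -> bool:
    """True if storage service encryption is on for the blob service.
    A missing key is treated as 'not enabled' so the check fails closed."""
    services = (account.get("encryption") or {}).get("services") or {}
    blob = services.get("blob") or {}
    return bool(blob.get("enabled", False))


def check_storage_accounts(accounts: list) -> list:
    """Return one (account name, issue) pair per failed control."""
    findings = []
    for acct in accounts:
        name = acct.get("name", "<unnamed>")
        if not acct.get("enableHttpsTrafficOnly", False):
            findings.append((name, "secure transfer required is disabled"))
        if not blob_encryption_enabled(acct):
            findings.append((name, "storage service encryption is disabled for blobs"))
    return findings


def audit_storage_json(text: str) -> list:
    """Parse CLI-shaped JSON and run the checks."""
    return check_storage_accounts(json.loads(text))


if __name__ == "__main__":
    for name, issue in audit_storage_json(SAMPLE_ACCOUNTS_JSON):
        print(f"{name}: {issue}")
```

The check fails closed on missing keys, so an account whose `encryption` block is absent from the CLI output shows up as a finding rather than silently passing; that is the behaviour you want in a baseline scan that runs unattended.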
4. SQL Services

On SQL servers, ensure that ‘auditing’ is set to on.

Enable auditing on SQL Servers. Auditing tracks database events and writes them to an audit log in your Azure storage account. It
also helps you to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies
that could indicate business concerns or suspected security violations.

On SQL servers, ensure that ‘threat detection’ is set to on.


Enable threat detection on SQL Servers. SQL Threat Detection provides a new layer of security, which enables customers to detect
and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon
suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns.
SQL Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the
threat.

Transparent data encryption on SQL databases.


Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time
encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the
application.

5. Networking
Disable RDP access on network security groups from internet.
The potential security problem with using RDP over the Internet is that attackers can use various brute-force techniques to gain
access to Azure Virtual Machines. Once the attackers gain access, they can use your virtual machine as a launch point for
compromising other machines on your Azure Virtual Network or even attack networked devices outside of Azure.

Disable SSH access on network security groups from internet.


The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain
access to Azure Virtual Machines. Once the attackers gain access, they can use your virtual machine as a launch point for
compromising other machines on your Azure Virtual Network or even attack networked devices outside of Azure.

Disable Telnet (port 23) access on network security groups from internet.

Disable unrestricted access on Network Security Groups (i.e. on 0.0.0.0/0) to TCP port 23 and restrict access to only those IP addresses
that require it in order to implement the principle of least privilege and reduce the possibility of a breach. TCP port 23 is used by the
Telnet server application (Telnetd). Telnet is usually used to check whether a client is able to make TCP/IP connections to a particular
service.
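The three networking practices above all reduce to one question per NSG: is TCP 3389, 22 or 23 allowed inbound from an internet-wide source once rules are evaluated in priority order? The script below answers it, as an added example that is not code from the Skyhigh post. It assumes input in the JSON shape of `az network nsg list -o json` (`securityRules` and `defaultSecurityRules`, each with `priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`/`sourceAddressPrefixes` and `destinationPortRange`/`destinationPortRanges`); the two NSGs in the sample are constructed, and the second one shows a lower-numbered Deny correctly shadowing a later Allow.

```python
"""Find management ports (RDP 3389, SSH 22, Telnet 23) reachable from the
internet through an NSG, evaluating rules first-match by priority.

Added example, not code from the Skyhigh post. Assumes the JSON shape of
`az network nsg list -o json`; the sample NSGs are constructed.
"""
import json

MANAGEMENT_PORTS = {3389: "RDP", 22: "SSH", 23: "Telnet"}
# Source prefixes that mean "anyone on the internet" (compared lower-cased).
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}

SAMPLE_NSGS_JSON = """
[
  {"name": "nsg-web",
   "securityRules": [
     {"name": "AllowRdpFromOffice", "priority": 100, "direction": "Inbound",
      "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
      "destinationPortRange": "3389"},
     {"name": "AllowMgmt", "priority": 200, "direction": "Inbound",
      "access": "Allow", "protocol": "*", "sourceAddressPrefix": "Internet",
      "destinationPortRanges": ["22", "20-25"]},
     {"name": "AllowHttps", "priority": 300, "direction": "Inbound",
      "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
      "destinationPortRange": "443"}],
   "defaultSecurityRules": [
     {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
      "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
      "destinationPortRange": "*"}]},
  {"name": "nsg-db",
   "securityRules": [
     {"name": "DenyRdpInternet", "priority": 100, "direction": "Inbound",
      "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
      "destinationPortRange": "3389"},
     {"name": "AllowRdpAny", "priority": 110, "direction": "Inbound",
      "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0",
      "destinationPortRange": "3389"}],
   "defaultSecurityRules": [
     {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
      "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
      "destinationPortRange": "*"}]}
]
"""


def _port_in_range(port: int, rng) -> bool:
    """Match a single port against '*', 'N' or 'lo-hi'."""
    rng = str(rng).strip()
    if rng == "*":
        return True
    if "-" in rng:
        lo, hi = rng.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(rng) == port


def rule_covers_port(rule: dict, port: int) -> bool:
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return any(_port_in_range(port, r) for r in ranges)


def rule_is_internet_wide(rule: dict) -> bool:
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return any(str(p).strip().lower() in INTERNET_SOURCES for p in prefixes)


def effective_access(nsg: dict, port: int):
    """Return the first rule (ascending priority) that is inbound, TCP-capable,
    internet-wide and covers the port; its 'access' decides exposure."""
    rules = (nsg.get("securityRules") or []) + (nsg.get("defaultSecurityRules") or [])
    for rule in sorted(rules, key=lambda r: int(r.get("priority", 65535))):
        if rule.get("direction") != "Inbound":
            continue
        if str(rule.get("protocol", "*")).lower() not in ("tcp", "*"):
            continue
        if rule_is_internet_wide(rule) and rule_covers_port(rule, port):
            return rule
    return None


def find_exposed_ports(nsgs: list) -> list:
    """(nsg name, service, port, offending rule) for every exposed port."""
    findings = []
    for nsg in nsgs:
        for port, service in MANAGEMENT_PORTS.items():
            rule = effective_access(nsg, port)
            if rule is not None and rule.get("access") == "Allow":
                findings.append((nsg["name"], service, port, rule["name"]))
    return findings


def load_nsgs(text: str) -> list:
    return json.loads(text)


if __name__ == "__main__":
    for nsg, service, port, rule in find_exposed_ports(load_nsgs(SAMPLE_NSGS_JSON)):
        print(f"{nsg}: {service} ({port}/tcp) open to the internet by rule {rule}")
```

Two caveats a practitioner would want: the scan considers one NSG at a time, so a VM that sits behind both a subnet NSG and a NIC NSG is exposed only if both allow the port; and a rule using the `Internet` service tag is treated the same as `*` or `0.0.0.0/0`, which is the intent of the three practices above.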
6. Virtual Machines

Install endpoint protection for virtual machines.

Installing endpoint protection systems (antivirus/anti-malware) provides real-time protection capability that helps identify and
remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software
attempts to install itself or run on your Azure systems.

Enable latest OS patch updates for virtual machines.

Ensure latest OS patches for virtual machines. Windows and Linux virtual machines should be kept updated to:

Address a specific bug or flaw
Improve an OS or application’s general stability
Fix a security vulnerability

Enforce disk encryption on virtual machines.

Ensure that data disks (non-boot volumes) are encrypted, where possible. Encrypting your IaaS VM’s data disks (non-boot volume)
ensures that its entire content is fully unrecoverable without a key and protects the volume from unwarranted reads.

7. Miscellaneous

Secure the subscription.


A secure Azure cloud subscription provides a core foundation upon which subsequent development and deployment activities can
be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including
elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to
check that all settings are in conformance to a secure baseline.

Minimize the number of admins/owners.


Each additional person in the Owner/Contributor role increases the attack surface for the entire subscription. The number of
members in this role must be kept as low as possible.

Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription).
Non-AD accounts (i.e. xyz@hotmail.com) subject your cloud assets to undue risk. These accounts are not managed to the same
standards as enterprise tenant identities.
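The last two practices can be checked from the subscription's role assignments. The script below does so, as an added example that is not code from the Skyhigh post: it assumes input in the JSON shape of `az role assignment list --all -o json` (keys `principalName`, `principalType`, `roleDefinitionName`, `scope`), treats a user as external when its UPN carries the `#EXT#` guest marker or a domain outside the tenant's own, and reports when the distinct Owner/Contributor principals exceed a threshold. The tenant domains, the threshold and the sample assignments are constructed.

```python
"""Review role assignments for Section 7: few Owner/Contributor principals,
and no permissions granted to accounts outside the subscription's directory.

Added example, not code from the Skyhigh post. Assumes the JSON shape of
`az role assignment list --all -o json`; domains, limit and data constructed.
"""
import json

TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}  # constructed
MAX_PRIVILEGED = 3                                            # constructed policy limit
PRIVILEGED_ROLES = {"Owner", "Contributor"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder id
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "carol@contoso.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "xyz_hotmail.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "dave@partner.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
])


def is_external_user(assignment: dict) -> bool:
    """External = guest UPN (#EXT#) or a domain not owned by the tenant.
    Groups and service principals have no UPN and are not judged here."""
    if assignment.get("principalType") != "User":
        return False
    upn = assignment.get("principalName", "")
    if "#EXT#" in upn.upper():
        return True
    domain = upn.rpartition("@")[2].lower()
    return domain not in TENANT_DOMAINS


def privileged_principals(assignments: list) -> list:
    """Distinct principals holding Owner or Contributor at any scope."""
    return sorted({a["principalName"] for a in assignments
                   if a.get("roleDefinitionName") in PRIVILEGED_ROLES})


def review_assignments(assignments: list) -> list:
    """(kind, subject, detail) findings for the two Section 7 controls."""
    findings = []
    for a in assignments:
        if is_external_user(a):
            findings.append(("external-account", a["principalName"],
                             f"{a.get('roleDefinitionName')} at {a.get('scope')}"))
    privileged = privileged_principals(assignments)
    if len(privileged) > MAX_PRIVILEGED:
        findings.append(("too-many-privileged",
                         f"{len(privileged)} principals hold Owner/Contributor (limit {MAX_PRIVILEGED})",
                         ", ".join(privileged)))
    return findings


def load_assignments(text: str) -> list:
    return json.loads(text)


if __name__ == "__main__":
    for kind, subject, detail in review_assignments(load_assignments(SAMPLE_ASSIGNMENTS_JSON)):
        print(f"[{kind}] {subject}: {detail}")
```

Note that service principals are counted toward the privileged total (a CI deployer holding Contributor is part of the attack surface too) but are not judged as external, since they have no UPN; a review of which applications hold those rights is a separate exercise.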

Copyright © 2018 Skyhigh Networks
