Protect against security threats on Azure

Introduction

 

In this module, you'll learn about some of the security tools that can help keep your infrastructure and data safe when you work in the cloud.

Security is a small word for a significant concept. There are so many factors to consider in order to protect your applications and your data. How does Azure help you protect workloads that you run in the cloud and in your on-premises datacenter?

 Meet Tailwind Traders

Tailwind Traders is a fictitious home improvement retailer. It operates retail hardware stores across the globe and online.

Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at cloud technologies to improve business operations and support growth into new markets. By moving to the cloud, the company plans to enhance its shopping experience to further differentiate itself from competitors.

 

How will Tailwind Traders run securely in the cloud and in the datacenter?

Tailwind Traders runs a mix of workloads on Azure and in its datacenter.

The company needs to ensure that all of its systems meet a minimum level of security and that its information is protected from attacks. The company also needs a way to collect and act on security events from across its digital estate.

Let's explore how Tailwind Traders can use some of the tools and features in Azure as part of its overall security strategy.

Learning objectives

After completing this module, you'll be able to:

• Strengthen your security posture and protect against threats by using Azure Security Center.
• Collect and act on security data from many different sources by using Azure Sentinel.
• Store and access sensitive information such as passwords and encryption keys securely in Azure Key Vault.
• Manage dedicated physical servers to host your Azure VMs for Windows and Linux by using Azure Dedicated Host.

 

Prerequisites

• You should be familiar with basic computing concepts and terminology.
• Familiarity with cloud computing is helpful but isn't necessary.

 

Protect against security threats by using Azure Security Center

 

Tailwind Traders is broadening its use of Azure services. It still has on-premises workloads with current security-related configuration best practices and business procedures. How does the company ensure that all of its systems meet a minimum level of security and that its information is protected from attacks?

Many Azure services include built-in security features. Tools on Azure can also help Tailwind Traders with this requirement. Let's start by looking at Azure Security Center.

 

What's Azure Security Center?

Azure Security Center is a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises. The term security posture refers to cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats.

Security Center can:

• Monitor security settings across on-premises and cloud workloads.
• Automatically apply required security settings to new resources as they come online.
• Provide security recommendations that are based on your current configurations, resources, and networks.
• Continuously monitor your resources and perform automatic security assessments to identify potential vulnerabilities before those vulnerabilities can be exploited.
• Use machine learning to detect and block malware from being installed on your virtual machines (VMs) and other resources. You can also use adaptive application controls to define rules that list allowed applications to ensure that only applications you allow can run.
• Detect and analyze potential inbound attacks and investigate threats and any post-breach activity that might have occurred.
• Provide just-in-time access control for network ports. Doing so reduces your attack surface by ensuring that the network only allows traffic that you require at the time that you need it to.

This short video explains how Security Center can help harden your networks, secure and monitor your cloud resources, and improve your overall security posture.

 

Understand your security posture

Tailwind Traders can use Security Center to get a detailed analysis of different components in its environment. Because the company's resources are analyzed against the security controls of any governance policies it has assigned, it can view its overall regulatory compliance from a security perspective all from one place.

Here's an example of what you might see in Azure Security Center:

Let's say that Tailwind Traders must comply with the Payment Card Industry's Data Security Standard (PCI DSS). This report shows that the company has resources that it needs to remediate.

In the Resource security hygiene section, Tailwind Traders can see the health of its resources from a security perspective. To help prioritize remediation actions, recommendations are categorized as low, medium, and high. Here's an example:

What's secure score?

Secure score is a measurement of an organization's security posture.

Secure score is based on security controls, or groups of related security recommendations. Your score is based on the percentage of security controls that you satisfy. The more security controls you satisfy, the higher the score you receive. Your score improves when you remediate all of the recommendations for a single resource within a control.

Here's an example from the Azure portal showing a score of 57 percent, or 34 out of 60 points:

Following the secure score recommendations can help protect your organization from threats. From a centralized dashboard in Azure Security Center, organizations can monitor and work on the security of their Azure resources like identities, data, apps, devices, and infrastructure.

Secure score helps you:

• Report on the current state of your organization's security posture.
• Improve your security posture by providing discoverability, visibility, guidance, and control.
• Compare with benchmarks and establish key performance indicators (KPIs).

Protect against threats

Security Center includes advanced cloud defense capabilities for virtual machines, network security, and file integrity. Let's look at how some of these capabilities apply to Tailwind Traders.

• Just-in-time VM access

  Tailwind Traders will configure just-in-time access to VMs. This access blocks traffic by default to specific network ports of virtual machines, but allows traffic for a specified time when an administrator requests and approves it.

• Adaptive application controls

  Tailwind Traders can control which applications are allowed to run on its virtual machines. In the background, Security Center uses machine learning to look at the processes running on a virtual machine. It creates exception rules for each resource group that holds the virtual machines and provides recommendations. This process provides alerts that inform the company about unauthorized applications that are running on its VMs.

• Adaptive network hardening

  Security Center can monitor the internet traffic patterns of the VMs and compare those patterns with the company's current network security group (NSG) settings. From there, Security Center can make recommendations on whether the NSGs should be locked down further and provide remediation steps.

• File integrity monitoring

  Tailwind Traders can also configure the monitoring of changes to important files on both Windows and Linux, registry settings, applications, and other aspects that might indicate a security attack.

Respond to security alerts

Tailwind Traders can use Security Center to get a centralized view of all of its security alerts. From there, the company can dismiss false alerts, investigate them further, remediate alerts manually, or use an automated response with a workflow automation.

Workflow automation uses Azure Logic Apps and Security Center connectors. The logic app can be triggered by a threat detection alert or by a Security Center recommendation, filtered by name or by severity. You can then configure the logic app to run an action such as sending an email or posting a message to a Microsoft Teams channel.

Detect and respond to security threats by using Azure Sentinel

Security management on a large scale can benefit from a dedicated security information and event management (SIEM) system. A SIEM system aggregates security data from many different sources (as long as those sources support an open-standard logging format). It also provides capabilities for threat detection and response.

Azure Sentinel is Microsoft's cloud-based SIEM system. It uses intelligent security analytics and threat analysis.

Azure Sentinel capabilities

Azure Sentinel enables you to:

• Collect cloud data at scale

  Collect data across all users, devices, applications, and infrastructure, both on-premises and from multiple clouds.

• Detect previously undetected threats

  Minimize false positives by using Microsoft's comprehensive analytics and threat intelligence.

• Investigate threats with artificial intelligence

  Examine suspicious activities at scale, tapping into years of cybersecurity experience from Microsoft.

• Respond to incidents rapidly

  Utilize built-in orchestration and automation of common tasks.

Connect your data sources

Tailwind Traders decides to explore the capabilities of Azure Sentinel. First, the company identifies and connects its data sources.

Azure Sentinel supports a number of data sources, which it can analyze for security events. These connections are handled by built-in connectors or industry-standard log formats and APIs.

• Connect Microsoft solutions

  Connectors provide real-time integration for services like Microsoft Threat Protection solutions, Microsoft 365 sources (including Office 365), Azure Active Directory, and Windows Defender Firewall.

• Connect other services and solutions

  Connectors are available for common non-Microsoft services and solutions, including AWS CloudTrail, Citrix Analytics (Security), Sophos XG Firewall, VMware Carbon Black Cloud, and Okta SSO.

• Connect industry-standard data sources

  Azure Sentinel supports data from other sources that use the Common Event Format (CEF) messaging standard, Syslog, or REST API.

Detect threats

Tailwind Traders needs to be notified when something suspicious occurs. It decides to use both built-in analytics and custom rules to detect threats.

Built in analytics use templates designed by Microsoft's team of security experts and analysts based on known threats, common attack vectors, and escalation chains for suspicious activity. These templates can be customized and search across the environment for any activity that looks suspicious. Some templates use machine learning behavioral analytics that are based on Microsoft proprietary algorithms.

Custom analytics are rules that you create to search for specific criteria within your environment. You can preview the number of results that the query would generate (based on past log events) and set a schedule for the query to run. You can also set an alert threshold.

 

Investigate and respond

When Azure Sentinel detects suspicious events, Tailwind Traders can investigate specific alerts or incidents (a group of related alerts). With the investigation graph, the company can review information from entities directly connected to the alert and see common exploration queries to help guide the investigation.

Here's an example that shows what an investigation graph looks like in Azure Sentinel:

The company will also use Azure Monitor Workbooks to automate responses to threats. For example, it can set an alert that looks for malicious IP addresses that access the network and create a workbook that does the following steps:

1. When the alert is triggered, open a ticket in the IT ticketing system.
2. Send a message to the security operations channel in Microsoft Teams or Slack to make sure the security analysts are aware of the incident.
3. Send all of the information in the alert to the senior network admin and to the security admin. The email message includes two user option buttons: Block or Ignore.

When an admin chooses Block, the IP address is blocked in the firewall and the user is disabled in Azure Active Directory. When an admin chooses Ignore, the alert is closed in Azure Sentinel and the incident is closed in the IT ticketing system.

The workbook continues to run after it receives a response from the admins.

Workbooks can be run manually or automatically when a rule triggers an alert.

 

Store and manage secrets by using Azure Key Vault

As Tailwind Traders builds its workloads in the cloud, it needs to carefully handle sensitive information such as passwords, encryption keys, and certificates. This information needs to be available for an application to function, but it might allow an unauthorized person access to application data.

Azure Key Vault is a centralized cloud service for storing an application's secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.

What can Azure Key Vault do?

Azure Key Vault can help you:

• Manage secrets

  You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

• Manage encryption keys

  You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys that are used to encrypt your data.

• Manage SSL/TLS certificates

  Key Vault enables you to provision, manage, and deploy your public and private Secure Sockets Layer / Transport Layer Security (SSL/TLS) certificates for both your Azure resources and your internal resources.

• Store secrets backed by hardware security modules (HSMs)

  These secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.

Here's an example that shows a certificate used for testing in Key Vault.

What are the benefits of Azure Key Vault?

The benefits of using Key Vault include:

• Centralized application secrets

  Centralizing the storage for your application secrets enables you to control their distribution and reduces the chances that secrets are accidentally leaked.

• Securely stored secrets and keys

  Azure uses industry-standard algorithms, key lengths, and HSMs. Access to Key Vault requires proper authentication and authorization.

• Access monitoring and access control

  By using Key Vault, you can monitor and control access to your application secrets.

• Simplified administration of application secrets

  Key Vault makes it easier to enroll and renew certificates from public certificate authorities (CAs). You can also scale up and replicate content within regions and use standard certificate management tools.

• Integration with other Azure services

  You can integrate Key Vault with storage accounts, container registries, event hubs, and many more Azure services. These services can then securely reference the secrets stored in Key Vault.

---

 

 

 

Host your Azure virtual machines on dedicated physical servers by using Azure Dedicated Host

On Azure, virtual machines (VMs) run on shared hardware that Microsoft manages. Although the underlying hardware is shared, your VM workloads are isolated from workloads that other Azure customers run.

Some organizations must follow regulatory compliance that requires them to be the only customer using the physical machine that hosts their virtual machines. Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.

Here's a diagram that shows how virtual machines relate to dedicated hosts and host groups. A dedicated host is mapped to a physical server in an Azure datacenter. A host group is a collection of dedicated hosts.

What are the benefits of Azure Dedicated Host?

Azure Dedicated Host:

• Gives you visibility into, and control over, the server infrastructure that's running your Azure VMs.
• Helps address compliance requirements by deploying your workloads on an isolated server.
• Lets you choose the number of processors, server capabilities, VM series, and VM sizes within the same host.

Availability considerations for Dedicated Host

After a dedicated host is provisioned, Azure assigns it to the physical server in Microsoft's cloud datacenter.

For high availability, you can provision multiple hosts in a host group and deploy your virtual machines across this group. VMs on dedicated hosts can also take advantage of maintenance control. This feature enables you to control when regular maintenance updates occur, within a 35-day rolling window.

Pricing considerations

You're charged per dedicated host, independent of how many virtual machines you deploy to it. The host price is based on the VM family, type (hardware size), and region.

Software licensing, storage, and network usage are billed separately from the host and VMs. For more information. see Azure Dedicated Host pricing.

Knowledge check

 

Consider the following scenario. Then choose the best response for each question that follows and select Check your answers.

Tailwind Traders is moving its online payment system from its datacenter to the cloud. The payment system consists of virtual machines (VMs) and SQL Server databases.

Here are a few security requirements that the company identifies as it plans the migration:

• It wants to ensure a good security posture across all of its systems, both on Azure and on-premises.
• In the datacenter, access to virtual machines requires a TLS certificate. The company needs a place to safely store and manage its certificates.

Here are some additional requirements that relate to regulatory compliance:

• Tailwind Traders must store certain customer data on-premises, in its datacenter.
• For certain workloads, the company must be the only customer running VMs on the physical hardware.
• The company must only run approved business applications on each VM.

See the following diagram that shows the proposed architecture.

 On Azure, Tailwind Traders will use both standard virtual machines and virtual machines that run on dedicated physical hardware. In the datacenter, the company will run virtual machines that can connect to databases within its internal network.