This is a summary of the Azure Fundamentals part 4: Describe general security and network security features learning path. Aside from the usual “Introduction to Azure fundamentals” module repeated in every learning path in the series, there are only a couple of other modules on general and network security, respectively.
General Security
This is a summary of the Protect against security threats on Azure module.
Azure Security Center is a service that gives you visibility into the overall security of your Azure and on-premises services, referred to as your security posture. It provides ratings against different regulatory benchmarks such as Azure CIS or PCI DSS, and also provides an overall secure score. The Resource security hygiene section provides a breakdown of security warnings by service type.
Azure Security Center also provides additional security capabilities including:
- Permitting temporary access to VMs that would normally be blocked to outside traffic
- Controlling which applications can run on VMs
- Recommendations for hardening network security groups
- Monitoring system files on both Windows and Linux against tampering
- Integration with Azure Logic Apps to automatically trigger actions based on threat detection alerts or Security Center recommendations.
Azure Sentinel is a security analytics service (the more formal term would be security information and event management (SIEM) system). It can:
- Collect security information from different sources:
  - Microsoft services such as Office 365 or Azure Active Directory
  - Non-Microsoft services such as AWS CloudTrail or Okta SSO
  - Other sources that use recognised formats including Common Event Format (CEF), Syslog, or REST API
- Detect threats based on built-in or custom rules
- Investigate incidents or suspicious activity
- Use Azure Monitor Workbooks to automate responses to threats
Azure Key Vault is another security-related service used to store secrets, including passwords, encryption keys, and certificates. These secrets can also be protected by hardware security modules (HSMs). Access to the secrets can be easily monitored.
Azure Dedicated Host is a special VM offering where you have sole access to the physical hardware (as opposed to normal VMs which are shared). This can sometimes be required for compliance reasons.
- A host group contains multiple dedicated hosts for high availability, similar to VM scale sets.
- Maintenance control provides control over when regular maintenance updates occur, within a 35-day rolling window.
- Pricing is per dedicated host, not per VM running on it. Additional charges apply for software licencing, storage, and network usage.
Network Security
This is a summary of the Secure network connectivity on Azure module.
Defence in depth refers to multiple layers of defence including:
- Physical security: physical access to the data centre.
- Identity & access: control access to infrastructure and change control. This includes use of SSO and multifactor authentication, as well as auditing events and changes.
- Perimeter: DDoS protection and perimeter firewalls.
- Network: use access control to limit communication between resources, and ensure any external connectivity (e.g. to on-premises networks) is secure.
- Compute: secure access to VMs and ensure they have the latest security updates.
- Application: ensure applications are free of vulnerabilities, and store secrets securely.
- Data: store and transmit data securely, whether it’s in a database, VM disk, SaaS application (e.g. Office 365) or in other cloud storage.
Data protection is based on the CIA principles:
- Confidentiality: Use the principle of least privilege to give access only to those who really need it. Protect secrets and resources from unauthorised access.
- Integrity: Protect data at rest and in transit from tampering. Hash algorithms are usually used to verify whether data has changed.
- Availability: Ensure services are able to run and that access to their data is not compromised, e.g. by DDoS attacks.
Azure Firewall is a highly available and scalable stateful firewall used to protect resources within virtual networks. It can be configured to allow or deny traffic based on rules including:
- Source IP address
- Protocol
- Destination port
- Destination address
- Which domains can be accessed from a subnet
Network Address Translation (NAT) rules can also be configured in Azure Firewall.
Azure Application Gateway, Azure Front Door and Azure Content Delivery Network offer a different kind of firewall known as web application firewall (WAF), which provides protection tailored to web applications.
Azure DDoS Protection resists attempts to overwhelm or overallocate resources by flooding them with requests. This is available in two tiers:
- Basic: free and automatically enabled. The Azure global network is used to distribute and mitigate attack traffic across Azure regions; it ensures that Azure infrastructure is not affected by DDoS attacks. Includes always-on traffic monitoring and real-time mitigation of common network-level attacks.
- Standard: provides additional protection for virtual network resources linked to public IP addresses. Adapts mitigation measures via dedicated traffic monitoring and machine learning algorithms.
DDoS Protection can help prevent the following types of attacks:
- Volumetric attacks: flood the network layer with requests.
- Protocol attacks: exploit weaknesses in layer 3 or 4 protocols.
- Resource/application-layer attacks (only with web application firewall): target HTTP endpoints that are relatively slow to process, so many such requests ultimately overwhelm the server and make it unable to process additional requests. This requires the HTTP-aware WAF to mitigate.
Network security groups (NSGs) are like internal firewalls. Whereas Azure Firewall controls what traffic comes from outside, NSGs can be used to allow or deny traffic between resources in a virtual network, based on things like source/destination IP (single address or range), protocol (TCP, UDP or both) and direction (incoming or outgoing traffic).
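To make the NSG matching described above concrete, here is an added Python model (not from the learning path or any Azure SDK) that evaluates a flow against a constructed rule set using the fields listed: source/destination address (single or CIDR range), protocol (Tcp, Udp or both) and direction. It assumes two standard NSG attributes the summary does not mention: each rule has a priority (lower number evaluated first, first match wins) and a catch-all default Deny rule sits at priority 65500.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # assumed NSG attribute: 100-4096 for user rules, lower evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*" (both)
    source: str      # single address, CIDR range or "*"
    destination: str
    dest_port: str   # single port, "low-high" range or "*"


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = (int(p) for p in pattern.split("-", 1))
        return low <= port <= high
    return int(pattern) == port


def evaluate(rules, direction, protocol, src, dst, port):
    """Return (access, rule name) of the first rule, by priority, matching the flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if _addr_match(r.source, src) and _addr_match(r.destination, dst) and _port_match(r.dest_port, port):
            return r.access, r.name
    raise ValueError("no rule matched; a real NSG always ends with a default rule")


# Constructed sample NSG for a web subnet (10.0.1.0/24): HTTPS from anywhere,
# SSH only from a management range (10.0.0.0/24), everything else inbound denied.
SAMPLE_RULES = [
    Rule("AllowHttpsIn", 100, "Inbound", "Allow", "Tcp", "*", "10.0.1.0/24", "443"),
    Rule("AllowSshFromMgmt", 200, "Inbound", "Allow", "Tcp", "10.0.0.0/24", "10.0.1.0/24", "22"),
    Rule("DenySshIn", 300, "Inbound", "Deny", "Tcp", "*", "*", "22"),
    Rule("DenyAllInbound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),   # assumed default rule
]
```

The ordering matters: the management-range Allow at priority 200 is found before the broader SSH Deny at 300, so swapping their priorities would silently lock the administrators out.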