As I talk to partners about moving to the cloud, security is a common topic of discussion. Most people want to use the same type of security controls they have on-premises since they are already familiar with the tools and processes. For the most part, the cloud can be managed in similar ways to an on-premises infrastructure, if you keep in mind that you are no longer responsible for the physical hardware. For most partners, getting out of the hardware business helps reduce their breadth of offerings so they can focus more time on adding value to the business.
Let’s look at 7 best practices for optimizing security in the cloud.
- Learn the new capabilities the cloud has to offer. Azure provides the Intelligent Security Graph, which benefits every customer but is managed by Microsoft. Microsoft harnesses the insights from its global infrastructure to protect all of its customers: because of Azure's global scale, Microsoft can build something robust enough to "see" security events as they unfold and proactively protect customers' infrastructure from emerging threats. Think of the Intelligent Security Graph as a security layer in front of your Azure infrastructure that you do not have to manage, but that benefits you and your infrastructure. For example, if Azure sees an emerging threat from a set of IP addresses, Azure can block those addresses from attacking customers' Azure-based infrastructure. It is a platform-level control, though, not a substitute for the controls you configure yourself; the practices below are still your responsibility.
- Azure offers Network Security Groups (NSGs) as a low-cost alternative to the traditional firewall. That does not mean NSGs can replace your traditional firewall in every case; it depends on what your firewall does for you today. An NSG is a stateful packet filter: its rules allow or deny traffic by source and destination address, port and protocol, evaluated in priority order (lowest number first, first match wins), with no payload inspection, intrusion prevention or TLS termination. If all you are doing with your firewall is filtering inbound traffic by address and port, NSGs plus Azure's Intelligent Security Graph may be adequate to meet your needs while reducing your costs.
- You can install a firewall appliance "in front" of your Azure infrastructure. If you still need a traditional firewall, the Azure gallery lists some of the more common firewall solutions, so you can deploy the finished product from the gallery into your infrastructure. If your preferred firewall is not in the gallery, you can still install it on a VM, provided the vendor supports running it as a virtual machine.
- MyCloudIT automates the creation and deployment of Remote Desktop Services (RDS) in Azure. Automating key tasks such as RDS creation matters for security: it eliminates the simple configuration mistakes people make by hand, which are exactly what an attacker looks for. The MyCloudIT automation also means that if you build 10 solutions for 10 different customers, all 10 are identical, which makes it easy for your team to extend or update an existing deployment: learn it once, then replicate it across all similar deployments.
- Leverage backups. This may sound like a defeatist attitude, but it is not. Backups are necessary for several reasons, including the need to revert to a known-good point in time after malicious software has run. Azure even monitors your backup dataset for known malicious software. You should not rely on that monitoring alone, but it is another benefit of Azure's ability to help protect a customer and their infrastructure.
- Take advantage of best practices by leveraging solutions built by the experts. Most vendors are working to integrate their solutions into cloud offerings, so you may no longer have to "build" a vendor's solution; it may be pre-built for you. The benefit is that the solution is built according to the vendor's own best practices and is ready to be integrated into yours, which cuts a lot of install and test time and lets you jump ahead to integration. The cloud lets you deploy faster by leveraging these pre-built, best-practice-based solutions.
- Leverage multi-factor authentication (MFA). If you are concerned about malicious people trying to log on from anywhere in the world, MFA is a good, low-cost way to make it far more likely that the users who log on to your infrastructure are your people, not bad actors. MFA is not a "perfect" solution, but it is a very good one when coupled with a user's mobile phone. When a user logs in, they provide their username and password and must then respond to a challenge on their mobile device before they are logged in. An attacker therefore needs the username, the password AND the ability to answer the challenge on the user's device before being allowed into the infrastructure.
Like any technology, MFA can be compromised if it is not properly implemented, but a properly implemented MFA process drastically reduces the risk of attackers using stolen usernames and passwords as entry points into your infrastructure. We have tried both the built-in Microsoft MFA and Duo Security. Personally, the Microsoft MFA configuration is still too complex to implement. I have found that Duo Security is straightforward to implement and easy to manage.
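The NSG practice above is only as good as the rules you write, and the most common mistake is an inbound Allow rule that opens a management port (RDP 3389, SSH 22, WinRM 5985/5986) to every source. The following is an added example, not code from the original post or from MyCloudIT: a small Python audit that takes NSG rules in the shape `az network nsg rule list -g <rg> --nsg-name <nsg> -o json` returns (camelCase fields `name`, `direction`, `access`, `priority`, `protocol`, `sourceAddressPrefix`, `destinationPortRange`) and flags the rules that expose a management port to any source. The rule list below is constructed for the example; the address `203.0.113.0/24` is a documentation range standing in for an office network.

```python
# Constructed sample of NSG rules, shaped like the `securityRules` entries the Azure CLI
# returns. Names, priorities and addresses are made up for this example.
SAMPLE_RULES = [
    {"name": "allow-rdp-from-anywhere", "direction": "Inbound", "access": "Allow",
     "priority": 100, "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
    {"name": "allow-https", "direction": "Inbound", "access": "Allow",
     "priority": 110, "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "443"},
    {"name": "allow-ssh-from-office", "direction": "Inbound", "access": "Allow",
     "priority": 120, "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "22"},
    {"name": "allow-all-from-any", "direction": "Inbound", "access": "Allow",
     "priority": 130, "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
     "destinationPortRange": "*"},
    # Azure evaluates lowest priority number first, so this catch-all never shadows the
    # Allow rules above it; it only matters for traffic none of them matched.
    {"name": "deny-all-inbound", "direction": "Inbound", "access": "Deny",
     "priority": 4096, "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]

# Ports that should never be reachable from arbitrary sources (RDP, SSH, WinRM).
MGMT_PORTS = {22, 3389, 5985, 5986}

# Source prefixes that mean "anyone". 'Internet' is an Azure service tag covering all
# public address space; 'VirtualNetwork' deliberately is not in this set.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def port_set(spec):
    """Expand a destinationPortRange ('3389', '3389-3390' or '*') into a set of ints.
    Returns None for '*', meaning every port."""
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def exposes_mgmt_port(rule):
    """True if the rule's destination ports include a management port (or all ports)."""
    ports = port_set(rule["destinationPortRange"])
    return ports is None or bool(ports & MGMT_PORTS)


def find_risky_rules(rules):
    """Names of inbound Allow rules from an any-source prefix that expose a management
    port, in the order Azure evaluates them (ascending priority)."""
    risky = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["sourceAddressPrefix"] not in ANY_SOURCE:
            continue
        if exposes_mgmt_port(rule):
            risky.append(rule["name"])
    return risky


def restrict_source(rule, allowed_prefix):
    """Return a copy of a risky rule with its source narrowed to one CIDR or service tag;
    this is the minimal fix, and the result is no longer flagged by find_risky_rules."""
    fixed = dict(rule)
    fixed["sourceAddressPrefix"] = allowed_prefix
    return fixed


if __name__ == "__main__":
    for name in find_risky_rules(SAMPLE_RULES):
        print("risky inbound rule:", name)
```

Running the audit on the sample flags `allow-rdp-from-anywhere` and `allow-all-from-any`; the HTTPS rule is open to the Internet but is not a management port, and the SSH rule is scoped to one /24. The real-world fix is the one `restrict_source` models: keep the rule, narrow its source to a known prefix or service tag, and let the low-priority deny handle everything else.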
I have mentioned Azure several times, and for good reason. Microsoft knows that the only way to grow a productive cloud platform is to build an infrastructure that can be protected from malicious software and malicious people. While customers focus on the cloud to reduce costs and gain a global footprint, Microsoft is also spending the energy to ensure that Azure is robust and secure for its customers.