3 PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.
3 PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.

10 Steps to Secure Your Azure Cloud Environment

The blog discusses ten essential steps to secure your Azure cloud environment, from access management to network security. It emphasizes using Azure CLI to implement these best practices and safeguard against potential security threats. The steps include multifactor authentication, compliance standards, encryption, backups, and disaster recovery plans.

Securing your Azure cloud infrastructure is vital in today's digital landscape. This blog will explore ten steps to secure your Azure cloud environment, from implementing secure identity and access management to configuring basic security settings.

By following these best practices using the Azure CLI, you can ensure the security of your Azure environment from potential security risks.

  • Enabling multifactor authentication

  • Monitoring and alerting for security threats

  • Implementing least-privilege access controls

  • Establishing security policies for maintaining compliance standards

  • Managing sensitive information securely via Azure Key Vault

  • Adhering to infrastructure and applications by following security best practices

  • Mitigating insider risks via logging and monitoring

  • Protecting data with encryption, backups, and disaster recovery plans

  • Enhancing network security through the deployment of virtual networks and network security groups

  • Protecting against external threats with web application firewalls and DDoS protection

Enabling multifactor authentication

Multifactor authentication (MFA) is the first step in securing your Azure cloud environment. MFA adds an extra layer of protection by requiring users to provide at least two verification forms before accessing the cloud resources. This significantly reduces the risk of unauthorized access and strengthens your overall security posture, safeguarding sensitive data and applications from potential threats.

First, identify the user account for which you want to enable MFA, but if you list all user accounts in your Azure Active Directory (AAD), you can use the command `az ad user list.` 

Select the desired user and you can follow the below steps to enable MFA on the selected user.

  1. Navigate to the Azure portal.

  2. Open the "Azure Active Directory" service.

  3. In the left-hand menu, click on "Users."

  4. Find the user for whom you'd like to enable MFA, and click on their name to open the user's settings.

  5. Under the "Manage" section in the left-hand menu, click on "Authentication methods."

  6. Click on "Require multi-factor authentication" to enable MFA for the user.

Monitoring and alerting for security threats

As we all know, monitoring & alerting is vital to control organizations. The blue team would proactively detect and take necessary actions by continuously monitoring potential threats and setting up alerts for your organization. 

For setting up monitoring and alerting for security threats in Azure, you can use a variety of Azure CLI commands, such as `az monitor log-profiles create` command to create a log profile that specifies the logs that you want to collect and the storage destination for the logs.

 
az monitor log-profiles create --name <<LOG_PROFILE_NAME>> --location eastus --storage-account <<LOG_DESTINATION>> --service-bus-rule-id <<RULE_ID>> --categories Security
 

The above example creates a log profile that collects security logs and stores them in the storage account using the service bus rule ID.

Furthermore, to set up an alerting system for security threats, you can use the `az monitor alerts create` command to create an alert rule that specifies the condition that will trigger the alert and the action to take when the alert is triggered.

az monitor alerts create --name yourAlertRule --resource-group yourResourceGroup --target yourResource --condition "Percentage CPU > 90" --action yourActionGroup

In the above example, we created an alert rule named `yourAlertRule` that triggers an alert if the CPU usage of the resource `yourResource` exceeds 90% and sends the alert to the action group `yourActionGroup`.

After creating the alert rule, you can use the command `az monitor action-group create` to create an action group that will specify the notifications to send when an alert is triggered.

az monitor action-group create --name yourActionGroup --resource-group yourResourceGroup --email-receiver cobalt@example.com --sms-receiver "+1234567890" --webhook-receiver yourWebhookURL

 

In the above example, we created an action group named `yourActionGroup` that sends an email to `cobalt@example.com` and sends an SMS to the phone number `+1234567890`, using a webhook to `yourWebhookURL` whenever an alert is triggered.

The webhook URL can be the endpoint of an application or service that can receive and process HTTP requests. 

 

Implementing least-privilege access controls

You can use the Azure Role-Based Access Control (RBAC) system to enable limited access permissions in Azure. This lets you give users, groups, and service principals specific permissions.

Ensure you determine the scope at which you want to apply the least privilege access controls. This can be at the subscription level or the resource group level. Post that, you can use the command `az role definition create` to create a new role definition. This will allow you to specify the permissions, including the role definition. After creating the role definition, use the command `az role assignment create` to assign a role to a specific user, group, or service principal.

 

az role definition create --name "Read-Only Contributor" --permissions Reader --assignable-scopes /subscriptions/<subscriptionID>

az role assignment create --role "Read-Only Contributor" --assignee "cobalt@example.com" --scope /subscriptions/<subscriptionID>

 

In the above example, we created a role definition called "Read-Only Contributor" with reader permission, allowing the user to read resources and perform actions only allowed by read permissions. The role is then assigned to the user `cobalt@example.com` at the subscription level using the `az role assignment create` command.

 

Establishing security policies for maintaining compliance standards

This usually must be done because of "regulations and standards." One of the common rules in most compliance standards is to establish password policies; you can use the `az ad password policy set` command to set the password policy. In the below example, we have set the minimum password length to 12 characters and the maximum password age to 90 days.

 

az ad policy password update --min-length 12 --max-age 90

 

The Azure also has "Azure Security Benchmark" which has a pattern across 22+ standards which includes this, like "CIS Microsoft Azure Foundations Benchmark 1.4.0" and "Reserve Bank of India - IT Framework for NBFC."

One of the examples which I would like to demonstrate is email notification should be enabled for any high-severity alerts.

az monitor action-group create --name "High Severity – Compliance Alert" --resource-group "YourResourceGroup" --short-name "HSAAG" --email "cobalt@example.com"

 

Ensure you replace your resource group from "YourResourceGroup" with an appropriate email; user `cobalt@example.com` will start receiving an email for this.

One of the most common patterns/rules that can help you comply with most regulatory standards is a list of external accounts with owner permission that should be removed from your subscription. To check this, you should know "PrincipaID" "SubcriptionID"

az role assignment list --role "Owner" --query "[?principalType!= 'User'].{principalId:principalId, objectId:objectId, roleDefinitionId:roleDefinitionId}" --output table

 

az role assignment delete --assignee <PrincipalId> --role "Owner" --scope <YourSubscriptionId>

 

The above command will list the owner role by the definition ID, giving you a list of external users with "Owner" permission in your subscription.

 

Managing sensitive information securely via Azure Key Vault

We have created a key vault for your resource group in the below command. This is usually required because Azure key vault can store any business information or keys. Azure key vault also has SDKs that will support various programming languages enabling you to install or deploy this in your Azure app.

 
az keyvault create -name yourKeyVault --resource-group yourResourceGroup

 

Next is to store a secret in the key vault. You can use the command `az keyvault secret set` and specify the flag's name under your key vault.

az keyvault secret set --name yourSecret --value "yourSecretValue" --vault-name yourKeyVault

 

You can also use the Azure key vault for storing SSL certificates.

az keyvault certificate import -name yourKeyVault --name yourCertificate --file yourCertificate.pem

 

Similarly, there are commands to retrieve or delete secrets from your vault. In the above example, it stores an SSL/TLS certificate named `yourCertificate` in the key vault `yourKeyVault`. The certificate is in a file named `yourCertificate.pem`.

 

Adhering to infrastructure and applications by following security best practices

There are multiple ways to adhere to your infrastructure and application via best practices, like establishing your security policies against the security policies. Here are a few pointers that can help you enable security best practices.

To ensure you have the least privilege access controls, you can use the command `az ad user update` to update the permissions for a specific user account and then `az role assignment create` command to assign privileges to a user or a group.

MFA is one of the most commonly used security practices, which should be enabled by default for "root" and other users; you can use the command `az ad user update` to enable MFA for a user account and then `az account update` command to enable MFA for any local or subscription account.

Ensure you have control over outbound/inbound traffic. You can use the command `az network vnet create` and `az network nsg` commands to create virtual networks and then `az network nsg rule create` to create rules for traffic controlling.

  • Data backups should be enabled. This can also help you to comply with any regulatory standards. To enable data backups which can be used during (Disaster Recovery), you can use the `az sql db create` command to create SQL databases and then enable encryption, the `az backup protection enable-for-vm` this command will help to enable Azure backup for virtual machines, and the command `az sql db replica create` to create replicas of SQL databases.
  • Alerting is one of the important aspects which can help your blue team to detect live threats against your Azure infrastructure. To enable it, you can use the command `az monitor log-profiles create`, which creates a log profile and collect those logs, then `az monitor alerts create` to create alert rules based on your requirement. 

 

Mitigating insider risks via logging and monitoring

By logging and monitoring activity which we discussed under "Monitoring and alerting for security threats," you can help to detect and prevent unauthorized activity by insiders, which can be employees or contractors.

For viewing the logs for an Azure resource, you can use the command `az monitor log-analytics query`.

To enable logging for an Azure resource, you can use the command `az resource update` and to set the ` properties.logging.read` property, and the value should be true, enabling logging for your subscription ID.

az resource update --ids <YourSubscriptionId>" --set properties.logging.read=true

 

az monitor log-analytics query -g yourResourceGroup --workspace yourLogAnalyticsWorkspace --analytics-query "AzureActivity | where ResourceGroup == 'yourResourceGroup'"

 

The above command will execute a query that retrieves the Azure activity logs for the `yourResourceGroup` from the `yourLogAnalyticsWorkspace` log analytics workspace.

You can also manage your legacy log profiles by using the command ` az monitor log-profiles list`, which will list if any active profiles exist, and then use ` az monitor log-profiles create` to create a log profile.

 

Protecting data with encryption, backups, and disaster recovery plans

Encrypting data at rest and in transit can help to protect it from unauthorized access or tampering, while regular backups and a robust disaster recovery plan can help to ensure that your data is available and recoverable in the event of an outage or disaster.  

To encrypt data at rest, you can use the command `az sql db create` to create a SQL database and specify the `--encryption` flag to enable encryption for the database.

az sql db create --name yourDB --resource-group yourResourceGroup --server yourServer --encryption

 

Further, you can encrypt data in transit; you can use the command `az network vnet create` to create a virtual network and specify the `--enable-private-endpoint-network-policies` flag to enable private endpoint network policies.

 

az network vnet create --name yourVNET --resource-group yourResourceGroup --location eastus --enable-private-endpoint-network-policies

 

The above command creates a virtual network named `yourVNET` in the `eastus` region and enables private endpoint network policies for the virtual network.

To frequently create data backups, you can use the `az backup protection enable-for-vm` command to enable Azure backup for a virtual machine. This command allows you to specify the virtual machine and the backup policy for the backups.

az backup protection enable-for-vm --vm-name yourVM --policy-name yourPolicy --resource-group yourResourceGroup

 

 

This command will enable Azure backup for the virtual machine `yourVM` using the backup policy `yourPolicy.`

You can use the `az sql db replica create` command to create a replica of a SQL database. This command allows you to specify the source database, the target server and database, and the failover policy for the replica. Additionally, this is how you can implement a disaster recovery plan.

az sql db replica create --resource-group yourResourceGroup --server yourServer --name yourDB --partner-server yourPartnerServer --partner-resource-group yourPartnerResourceGroup --failover-policy automatic.

 

This will create a replica of the SQL database `yourDB` on the server `yourServer` with a failover policy of automatic.

 

Enhancing network security through the deployment of virtual networks and network security groups

Virtual networks allow you to create isolated, private networks within Azure, while network security groups (NSGs) allow you to control inbound and outbound traffic from your virtual networks and resources.  

With the `az network vnet create` command, you can establish a virtual network by specifying essential details like its name, location, address space, and subnet configuration.

 

az network vnet create -g yourResourceGroup -n yourVNET --address-prefix 10.0.0.0/16 --location eastus --subnet-name yourSubnet --subnet-prefix 10.0.0.0/24

 

The above command generates a virtual network called `yourVNET` in the `eastus` region, with an address space of `10.0.0.0/16` and a single subnet with IP range `10.0.0.0/24`

Following that, you can use `az network nsg create` command to establish a network security group, allowing you to define its name and location.

az network nsg create -g yourResourceGroup -n yourNSG --location eastus

 

Once the NSG is created, you can use the `az network nsg rule create` command to configure a rule that manages your virtual network's inbound and outbound traffic.

az network nsg rule create -g yourResourceGroup --nsg-name yourNSG -n AllowHTTPS --priority 1000 --protocol tcp --destination-port-range 443 --access allow.

 

This example creates an inbound rule for `yourNSG`, allowing TCP traffic on port 443. After creating the NSG, the command `az network vnet subnet update` can be used to set a connection between the NSG and the virtual network.

az network vnet subnet update --resource-group yourResourceGroup --vnet-name yourVnet --name yourSubnet --network-security-group yourNSG

 

Protecting against external threats with web application firewalls and DDoS protection

WAF is one of the compensating controls that can help you prevent common threats such as SQL injection, cross-site scripting, and other web-based exploits. Additionally, you can enable DDoS protection on your virtual networks where the application deploys.

To implement WAFs, you can use the command `az network application-gateway create,` which creates an application gateway and specifies the –waf-enabled` flag to enable WAF. 

az network application-gateway create -g yourResourceGroup -n yourAppGateway --location eastus ---sku WAF_v2 --tier Standard_v2

 

The above will enable WAF on your `yourAppGateway`. Additionally, to configure the WAF rules for the application gateway, you can use the command `az network application-gateway waf-config set`, which sets the configuration for WAF.

az network application-gateway waf-config set --enabled true --firewall-mode Prevention --resource-group yourResourceGroup --gateway-name yourAppGateway.

 

This will enable the web application firewall for the application gateway `yourAppGateway` and sets the firewall mode to Prevention. Additionally, you can then use the `az network DDoS-protection plan show` command to retrieve the ID of the DDoS protection plan.

az network ddos-protection plan show --name yourDDosProtectionPlan --resource-group yourResourceGroup --query id --output csv

 

Once you have the ID of the DDoS protection plan, you can use the `az network vnet update` command to enable DDoS protection for a virtual network. 

az network vnet update --name yourVnet --ddos-protection-plan yourDDosProtectionPlanId --resource-group yourResourceGroup

The above command line will enable DDoS protection for the virtual network `yourVnet` using the DDoS protection plan `yourDDosProtectionPlanId`.

Additional security components can help you secure your Azure environment; one of my favorites is enabling the "soft delete" feature. If a user deletes a namespace/subscription or container by mistake and the soft delete feature is enabled, you retain it back within the defined retention period.

References: 

 

Back to Blog
About Dhiraj Mishra
An active speaker who has discovered multiple zero-days in modern web browsers and an open-source contributor. He is a trainer at Blackhat, BruCON, 44CON and presented in conferences such as Ekoparty, NorthSec, Hacktivity, PHDays & HITB. In his free time, he blogs at www.inputzero.io and tweets on @RandomDhiraj. More By Dhiraj Mishra
Active Directory Series: Active Directory Fundamentals
Active Directory is a Microsoft service that provides centralized management of user accounts, devices, and access to resources in a networked environment. It allows IT professionals to create and manage users, groups, computers, and other resources on a network, and control access to those resources based on policies and permissions.
Blog
Mar 13, 2023
Back to Basics: How to Build Resilient Blue Teams
A comprehensive guide on how security teams can keep up with organizational change.
Blog
Feb 24, 2023