
Factors for securing your Azure Infrastructure and Applications

Vaibhav Pandey
2 min read · May 20, 2022

This article lists common security controls available to Azure Architects, Developers and DevOps Engineers; they should be adopted as standard practice.

Network Segregation

  • Deploy services within a VNet whenever possible; this should be mandatory for production-grade applications.
  • Use separate subnets within the VNet to separate services, ideally based on domains.
  • Ensure Network Security Groups are configured, and check which NSGs are attached to each subnet.
  • Lock down incoming traffic via NSGs as a standard practice. Do not leave networks open for inbound traffic. Review your network posture regularly.
  • Use perimeter protection when needed, e.g. DDoS protection services. In production deployments do not rely on basic service tiers; use Standard service tiers.
  • Use isolated service tiers for your production workloads.
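The "lock down inbound traffic" and "review your network posture" points above can be checked offline against exported NSG rules. The following is an added example, not code from the article or from Microsoft: it takes rule dicts using the field names of `az network nsg rule list -o json` (the sample rules are constructed), walks them in NSG priority order, and reports every inbound Allow rule whose source is unrestricted, rating it "high" when it exposes all ports or a management port (SSH/RDP).

```python
"""Offline audit of Azure NSG inbound rules for Internet-exposed Allow rules (added example)."""
from typing import Dict, Iterable, List

UNRESTRICTED_SOURCES = {"*", "internet", "any", "0.0.0.0/0"}  # "anyone on the Internet"
MANAGEMENT_PORTS = {22, 3389}  # SSH and RDP
ALL_PORTS = {-1}  # sentinel for a '*' destination port


def expand_ports(rule: Dict) -> set:
    """Expand destinationPortRange / destinationPortRanges into a set of ints."""
    raw: List[str] = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    ports = set()
    for item in raw:
        if item == "*":
            return ALL_PORTS
        if "-" in item:  # e.g. "8000-8010"
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def audit_inbound_rules(rules: Iterable[Dict]) -> List[Dict]:
    """Report inbound Allow rules with an unrestricted source, in NSG priority order."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]
        if not any(s.lower() in UNRESTRICTED_SOURCES for s in sources):
            continue  # scoped to a CIDR, service tag or ASG: not open to the Internet
        ports = expand_ports(rule)
        wide_open = ports == ALL_PORTS or bool(ports & MANAGEMENT_PORTS)
        findings.append({"rule": rule["name"], "priority": rule["priority"],
                         "severity": "high" if wide_open else "medium",
                         "ports": "all" if ports == ALL_PORTS else sorted(ports)})
    return findings


# Constructed sample: HTTPS from the Internet, RDP open to the world, SSH scoped to one
# office range, and the platform's default DenyAllInBound rule at priority 65500.
SAMPLE_RULES = [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-rdp-any", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-office-ssh", "priority": 120, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
```

Running `audit_inbound_rules(SAMPLE_RULES)` flags `allow-https` as medium and `allow-rdp-any` as high, while the office-scoped SSH rule and the default deny are left alone; feed it the JSON from a real export to review a subnet's posture.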

PIM and IAM

  • Rely on Azure AD as the IdP solution for the cloud.
  • Use Azure AD's Privileged Identity Management.
  • Use MFA together with Conditional Access Policy evaluation.

Security Posturing

  • Use Azure Sentinel for central security threat monitoring.

RBAC

  • Use RBAC for provisioned users and service principals. Use managed identities where needed.
  • Use Application Objects when needed; they are a more secure method of managing permissions than standard usernames and passwords.

Data Management

  • Use Managed Disks for data disks. They are encrypted by default.

Routing Traffic

  • Use Azure Firewall and Azure Application Gateway to protect your vital infrastructure and application workloads.
  • Use Private Endpoints and Service Endpoints where possible.

Credential Management

  • Do not store credentials or connection strings in application code. Integrate applications with a Key Vault solution and read keys, secrets or certificates from it as needed.
  • Use Azure Key Vault for key, secret and certificate management.
  • Do not use storage keys for Azure Storage access; this should be the least preferred option. It is the last and most discouraged mechanism for access provisioning.
  • Azure Storage is secure by default, but use Client Managed Encryption Keys. They provide an additional level of security control.
  • Use Shared Access Signatures for Azure Storage access provisioning only if Azure AD based mechanisms cannot serve the purpose. It is highly unlikely that the latter will be the case.
  • Lock down your Azure subscriptions via Azure Blueprints and Policies.
  • Use locks on key resources.

Written by Vaibhav Pandey

https://vaibhavpandey.co.uk, 9x Azure Certs, Masters Degree in AI 2023, PG Diploma in AI 2022, Dissertation in Cancer Prediction, Builds with AI
