Azure Security Recommendations For enterprise Architects

Although Microsoft is committed to the privacy and security of your data and applications in the cloud, customers must take an active role in the security partnership. Ever-evolving cybersecurity threats increase the requirements for security rigor and principles at all layers for both on-premises and cloud assets. Enterprise organizations are better able to manage and address concerns about security in the cloud when they take a systematic approach. Moving workloads to the cloud shifts many security responsibilities and costs to Microsoft, freeing your security resources to focus on the critically important areas of data, identity, strategy, and governance.

Your responsibility for security is based on the type of cloud service. The chart summarizes the balance of responsibility for both Microsoft and the customer.

 

 

Develop Cloud Security Policies

Policies enable you to align your security controls with your organization’s goals, risks, and culture. Policies should provide clear, unequivocal guidance to enable good decisions by all practitioners.

Document Security Policies

In enough detail to guide personnel into quick and accurate decisions while adopting and managing cloud services. Ensure you have sufficient detail on policy areas that are well-established and critically important to your security posture.

Balance Security And Usability

Security controls that overly restrict the ability of admins and users to accomplish tasks will be worked around. Build buy-in through both threat education and inclusion in the security design process.

 

Document Protocols And Processes

For performing critically important security tasks such as using administrative credentials, responding to common security events, and recovering from significant security incidents.

 

Embrace shadow IT

Identify the unmanaged use of devices, cloud services, and applications. Identify business requirements that led to their use and the business risk that they bring. Work with business groups to enable required capabilities while mitigating risks.

Manage Continuous Threats

The evolution of security threats and changes requires comprehensive operational capabilities and ongoing adjustments. Proactively manage this risk.

Establish Operational Capabilities

To monitor alerts, investigate incidents, initiate remediation actions, and integrate lessons learned.

Build External Context

Of threats using available resources such as threat intelligence feeds, Information Sharing and Analysis Centers (ISACs), and other means.

Validate Your Security Posture

By authorized red team and/or penetration testing activity.

Manage Continuous Innovation

The rate of capability releases and updates from cloud services requires proactive management of potential security impacts.

Contain Risk By Assuming Breach

When planning security controls and security response processes, assume an attacker has compromised other internal resources such as user accounts, workstations, and applications. Assume an attacker will use these resources as an attack platform.

Least Privilege Admin Model

Apply least-privilege approaches to your administrative model, including:

  • Limit the number of administrators or members of privileged groups.
  • Delegate fewer privileges to accounts.
  • Provide privileges on demand.
  • Have existing administrators perform tasks instead of adding additional administrators.
  • Provide processes for emergency access and rare use scenarios.

Harden Security Dependencies

Security dependencies include anything that has administrative control of an asset. Ensure that you harden all dependencies at or above the security level of the assets they control.Security dependencies for cloud services commonly include identity systems, on-premises management tools, administrative groups and accounts, and workstations where these accounts logon.

Use Strong Authentication

Use credentials secured by hardware or Multi-Factor Authentication (MFA) for all identities with administrative privileges.

Use Dedicated Admin Accounts And Workstations

Separate high-impact assets from highly prevalent Internet browsing and email risks:

  • Use dedicated accounts for privileged administrative roles for cloud services and on-premises dependencies.
  • Use dedicated, hardened workstations for administration of high-business impact IT assets.
  • Do not use high privilege accounts on devices where email and web browsing take place.

Enforce Stringent Security Standards

Administrators control significant numbers of organizational assets. Rigorously measure and enforce stringent security standards on administrative accounts and systems. This includes cloud services and on-premises dependencies such as Active Directory, identity systems, management tools, security tools, administrative workstations, and associated operating systems.

Monitor Admin Accounts

Closely monitor the use and activities of administrative accounts. Configure alerts for activities that are high impact as well as for unusual or rare activities.

Educate And Empower Admins

Educate administrative personnel on likely threats and their critical role in protecting their credentials and key business data. Administrators are the gatekeepers of access to many of your critical assets. Empowering them with this knowledge will enable them to be better stewards of your assets and security posture.