Cloud Workload Security: Part 3 - Explaining Azure’s Security Features
Written by Intezer
Cloud security management will always remain an ongoing journey, as threats keep evolving and organizations need to keep updating their cloud security strategy. A well-defined set of security controls and categories helps you set a strong baseline in this journey, irrespective of your cloud platform. This blog series will help you understand what your cloud security focus areas should be and the most important controls and categories you should take into account for building this strategy.
We explored this framework in the first part of the series, which covered the focus areas to consider when designing your cloud security strategy, such as reducing the attack surface, detecting attacks and breaches, and responding to attacks.
We also discussed the controls and categories aligned with these focus areas. Implementing these controls in your cloud platform of choice is the next step. This article will help you understand the different Microsoft Azure services and tools that you can use to implement the security controls for your workloads in the cloud.
Azure Cloud Security Controls
The rule of thumb for implementing cloud security controls is to leverage the services and tools natively available on the cloud platform. You can consider third-party services for features and capabilities that are not natively available. Let’s explore the options for implementing the relevant security controls and categories in Azure.
Application security groups for VNet microsegmentation: Application security groups help with microsegmentation of application components deployed in Azure VNets. They abstract IP configuration and management by aligning fine-grained security policies with the business logic. Application security groups can be used in NSGs to manage East-West and North-South traffic filtering. If you’re looking for the simplest way to implement network microsegmentation in your Azure VNet, application security groups are the solution.
Azure Firewall threat intelligence-based filtering: Azure Firewall protects your workloads by providing threat intelligence-based filtering that denies traffic from or to known malicious sources. The information about malicious sources is derived from the Microsoft Threat Intelligence feed, which is powered by Microsoft’s Intelligent Security Graph service, used by multiple security services in Azure, including Azure Security Center.
Azure Web Application Firewall: Azure Web Application Firewall (WAF) protects your web applications deployed in Azure from common threats and known vulnerabilities. It offers automated protection against evolving exploits as well as known exploits like SQL injection and cross-site scripting. WAF can be integrated with these Azure services for comprehensive workload protection: Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) (public preview).
WAF is most commonly used with Azure Application Gateway and offers protection based on the ModSecurity Core Rule Set from the Open Web Application Security Project (OWASP).
Azure DDoS protection: Azure offers basic and standard DDoS protection. Basic protection is available for all Azure resources by default, while customers can configure standard DDoS protection for additional security for workloads connected to Azure VNets. The standard service offers protection and automated mitigation of volumetric, protocol, and application-layer attacks with real-time telemetry for monitoring and analysis of the attack vector.
You can configure alerts to notify stakeholders about ongoing attacks by leveraging built-in attack metrics. When integrated with layer 7 protection services like WAF or third-party application firewalls, Azure’s DDoS protection delivers protection for layer 3 to layer 7 for your Azure workloads.
Cloud Security Posture Management
Azure Security Center policies and recommendations: Azure Security Center is a built-in cloud security posture management solution that monitors your Azure deployments for possible misconfigurations and for alignment with Azure security benchmarks. Azure Security Center does a continuous assessment of resources against defined security controls and assigns a security score that helps to prioritize remedial actions.
Azure Security Center comes with built-in policies and recommendations for security, compliance, and cost and administrative control of a wide range of services. These include data protection, storage, compute, app services, VMSS, and containers, a few of which are listed below:
- Adaptive network hardening requirements based on analysis of traffic patterns
- Pod security policies to restrict pods’ access to each other in Kubernetes clusters
- Alignment of Azure subscription ownership with recommended best practices
- Advanced data security configuration for managed and unmanaged database instances
- Advanced threat protection for storage accounts
- Protection of internet-bound traffic
- Just-in-time network access control implementation
- Configuration of diagnostics logs for crucial services
- Encryption for databases and storage services
Azure Update Management: Azure offers a hybrid patch deployment option through Azure Update Management, which is part of Azure Automation service. It can be used to assess patch levels of Windows and Linux machines and initiate the deployment process. The assessment and deployment process leverages the Log Analytics agent for Windows/Linux, along with Hybrid Runbook Worker, DSC (for Linux machines), and WSUS (for Windows machines). Connecting the machines to a Log Analytics workspace is a prerequisite for update management.
Azure Security Center vulnerability assessment: Azure Security Center provides real-time integrated vulnerability scanning for virtual machines, powered by Qualys, and presents the results for review. You can also leverage Azure Resource Graph to export the vulnerability scanning results for further querying, analysis, and filtering.
If you’ve already purchased a license for a third-party vulnerability assessment solution, you have the option to integrate it with Security Center.
Cloud Workload Protection Platform (CWPP)
Azure Security Center threat protection: Azure Security Center offers endpoint detection and response through integration with Microsoft Defender Advanced Threat Protection (ATP).
Azure Security Center threat protection is powered by big data, advanced analytics, and intelligent security graphs, which helps it adapt to fast-evolving threats and provides actionable alerts for remediation. Microsoft Defender ATP integration with Azure Security Center helps with automated onboarding of Windows servers and provides a single-pane view of the security status of all machines.
The Azure Defender Service offers extensive protection capabilities for Windows servers, but its coverage for Linux servers is less extensive. It uses audit logs and applies behavioral rules to detect threats. The service is enabled by the Log Analytics agent, which helps collate and aggregate the data and then detects suspicious activities based on Linux signals.
A threat-detection approach that monitors/inspects the executed code, rather than using behavioral indicators and anomaly detection, has been proven to be more effective in detecting the latest Linux threats. Hence, customers can consider augmenting protection for Linux workloads through third-party solutions like Intezer Protect, which is designed specifically to protect Linux systems from advanced threats in the cloud.
Azure Security Center adaptive application controls: In order to implement best-in-class security, it’s important to closely monitor your cloud environment and allow only legitimate software and processes to run. Adaptive application control analyzes your machines using advanced machine learning for application analysis and categorization to define a list of safe applications.
Running any applications on your machines other than those on the allowed list will generate alerts. However, this could lead to noise in dynamic environments, with the possibility of a high rate of false positives, in addition to increased overhead. Application Control operates at disk level and is not effective against threats injected into system memory. Hence, it’s important to implement in-memory protection in dynamic environments to protect against unauthorized and malicious code at runtime. You can consider third-party tools here.
Azure Security Center container registry image scanning: You can enable the optional Container Registry bundle in Azure Security Center to initiate automated scanning of Linux container images pushed to Linux-hosted Azure Container Registry registries. This scanning process is powered by Qualys and does not require any additional integration steps. The service provides detailed vulnerability scanning reports as well as classification of severity. Reports also provide prescriptive guidance on mitigating those vulnerabilities.
Azure Security Center container environment protection: Azure Security Center continuously monitors Azure Kubernetes Service (AKS) clusters and container hosts (VMs running Docker Engine) against baseline security configurations, and also provides hardening recommendations. For unmanaged containers running on VMs, the configurations are compared against CIS benchmarks for Docker containers. Runtime protection for containers is available through Azure Defender integration.
Azure Defender monitors Linux AKS nodes for suspicious activities and connections, privileged container deployments, SSH servers in containers, and the like. AKS cluster-level runtime protection is enabled by analysis of audit logs for events like privileged role creation, vulnerable dashboard deployments, and configuration of sensitive mounts.
Security Information Event Management (SIEM)
Azure Sentinel: Azure offers a cloud native SIEM and Security Orchestration Automated Response (SOAR) solution called Azure Sentinel that can integrate data from multiple sources and analyze it for potential threats and attacks. Azure Sentinel has built-in connectors for real-time integration with multiple data sources like Azure Cloud App Security, Office 365, Azure Active Directory (AD), and Microsoft 365 Defender.
Additionally, you can configure Sentinel to receive data from sources using common event format/syslog or using REST-API integration. Azure Sentinel’s out-of-the-box advanced analytics capabilities help correlate security incidents from different entities that could point to potential high-fidelity attacks. The Azure Sentinel advanced hunting and query feature facilitates tailored detection, in-depth insights, and automated investigation.
Azure Security Center Threat Protection
Azure Security Center provides additional threat detection and alerting capabilities—for Windows/Linux machines, Azure App Service, containers, Kubernetes services, and more—to protect your workloads from nuanced advanced attacks: unauthorized digital currency mining, bulk deletion of system logs, suspicious file downloads, and brute force attack attempts, to name a few.
Log and Security Monitoring in Azure
By configuring resource diagnostic settings in Azure, you can configure the resource logs to be sent to Azure Event Hubs, Azure Storage, or Log Analytics workspace integrated with Azure Monitor. Any Azure subscription-level activities, such as resource modification, new deployments, or updates, are captured by Azure Activity logs.
Azure Active Directory logs provide insights into usage patterns of applications and resources accessed by users, and any security risks associated with user accounts. They flag compromised user accounts, risky sign-ins, and issues related to sign-in activity.
Network Security Group (NSG) flow logs are another notable Azure monitoring feature; they record the IP traffic flowing through NSGs associated with VM NICs or subnets. They help you keep a close watch on network connections to your environment, intrusion attempts, and unexpected network traffic, and let you monitor throughput. You can import the data to SIEM tools for storage, or to visualization tools for reporting purposes.
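To make the NSG flow log use case concrete, here is an added example (not from the original article): a Python parser for flow log records that lists sources with repeated denied inbound flows and totals the bytes transferred. The sample record is constructed and follows the version 2 flow-tuple layout; the function names and the `min_hits` threshold are assumptions for illustration.

```python
import json
from collections import Counter

# Constructed sample in the NSG flow log version 2 layout (not real traffic).
SAMPLE = json.dumps({"records": [{
    "time": "2021-01-01T00:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1609459200,203.0.113.7,10.0.0.4,50001,22,T,I,D,B,,,,",
            "1609459201,203.0.113.7,10.0.0.4,50002,3389,T,I,D,B,,,,",
            "1609459202,198.51.100.9,10.0.0.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttps", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1609459203,192.0.2.10,10.0.0.4,51000,443,T,I,A,B,,,,",
            "1609459263,192.0.2.10,10.0.0.4,51000,443,T,I,A,E,12,1800,10,9200"]}]},
    ]}}]})

# Tuple order: time, endpoints, protocol (T/U), direction (I/O), decision (A/D),
# flow state (B/C/E), then packet/byte counters per direction (v2 only).
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")

def parse_flow_log(text):
    """Yield one dict per flow tuple, tagged with the NSG rule that matched."""
    for record in json.loads(text)["records"]:
        for rule_group in record["properties"]["flows"]:
            for nic in rule_group["flows"]:
                for raw in nic["flowTuples"]:
                    parts = raw.split(",")
                    # Version 1 tuples stop after the decision; pad so both parse.
                    parts += [""] * (len(FIELDS) - len(parts))
                    flow = dict(zip(FIELDS, parts))
                    flow["rule"], flow["mac"] = rule_group["rule"], nic["mac"]
                    yield flow

def denied_inbound_by_source(flows, min_hits=2):
    """Sources with at least min_hits denied inbound flows, with ports they hit."""
    hits, ports = Counter(), {}
    for f in flows:
        if f["direction"] == "I" and f["decision"] == "D":
            hits[f["src_ip"]] += 1
            ports.setdefault(f["src_ip"], set()).add(int(f["dst_port"]))
    return {ip: sorted(ports[ip]) for ip, n in hits.items() if n >= min_hits}

def bytes_transferred(flows):
    """Total bytes in both directions, from v2 tuples that carry counters."""
    return sum(int(f[k]) for f in flows for k in ("bytes_s2d", "bytes_d2s") if f[k])

if __name__ == "__main__":
    flows = list(parse_flow_log(SAMPLE))
    print(denied_inbound_by_source(flows), bytes_transferred(flows))
```

The same per-tuple dictionaries can be forwarded to a SIEM or aggregated for throughput reporting, as the paragraph above describes.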
Azure, one of the leading cloud service providers, has a very strong focus on security and compliance. Microsoft follows an “assume breach” strategy and regularly conducts red team/blue team exercises to detect threats proactively and strengthen the security posture of the cloud platform. The security tools and services can be well integrated with Windows workloads, but options for Linux servers are comparatively limited. With the increased use of Linux workloads and containers in the cloud, it comes as no surprise that over 50% of workloads in Azure use Linux. If your cloud workload real estate is mostly Linux, you can look into an external CWPP/runtime protection solution that specializes in Linux threat detection.
To understand how other cloud service providers, like AWS and GCP, support these security controls, refer to other parts of this series.