More security for the cloud landing zone on Azure
How companies can make their cloud landing zone on Azure more secure: 10 measures that make a difference.
Having looked at Cloud Landing Zone Security on AWS in another article, in this article we look at how to make a Cloud Landing Zone on Azure more secure.
1 Implement multi-factor authentication (MFA)
- Why: MFA provides an additional layer of protection by requiring users to verify their identity using a second method, such as a mobile app or hardware token.
- How: Enforce MFA for all users, especially administrators and privileged accounts, using Azure Active Directory (Entra ID) Conditional Access policies, and use Microsoft Entra ID as the central identity management service.
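A Conditional Access policy only protects the sign-ins its conditions actually cover, and the gaps are usually exclusions and report-only policies. The following script is an added example written for this article, not code from Microsoft or SPIRIT/21: it replays a sign-in (user, directory roles, application) against a set of policy dictionaries that follow the field names of the Microsoft Graph conditionalAccessPolicy resource and reports which policies enforce MFA, which only report, and which identities end up without any enforced MFA requirement. All policy contents, user names and role ids are constructed sample data; group membership is not modelled.

```python
"""Check which Entra ID Conditional Access policies actually enforce MFA for a sign-in.

Constructed example: the dictionaries follow the field names of the Microsoft
Graph conditionalAccessPolicy resource (displayName, state, conditions.users,
conditions.applications, grantControls.builtInControls), but every policy,
user, role id and application id below is made-up sample data.
Group membership (includeGroups/excludeGroups) is not modelled here.
"""

# Sample directory role ids (placeholders, not real Entra role template ids)
ROLE_GLOBAL_ADMIN = "role-global-admin"
ROLE_READER = "role-directory-reader"

POLICIES = [
    {
        "displayName": "CA001 - Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                # Emergency-access account excluded from the blanket policy
                "excludeUsers": ["breakglass@example.com"],
                "includeRoles": [],
                "excludeRoles": [],
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "CA002 - Require MFA for privileged roles",
        # Report-only: evaluated and logged, but never enforced
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": [],
                "excludeUsers": [],
                "includeRoles": [ROLE_GLOBAL_ADMIN],
                "excludeRoles": [],
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def policy_targets(policy, user, roles, app_id):
    """True if the policy's user and application conditions match this sign-in.
    Exclusions win over inclusions, as in the real policy engine."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    if user in users.get("excludeUsers", []):
        return False
    if any(r in users.get("excludeRoles", []) for r in roles):
        return False
    included = (
        "All" in users.get("includeUsers", [])
        or user in users.get("includeUsers", [])
        or any(r in users.get("includeRoles", []) for r in roles)
    )
    if not included:
        return False
    include_apps = apps.get("includeApplications", [])
    return "All" in include_apps or app_id in include_apps


def requires_mfa(policy):
    return "mfa" in policy.get("grantControls", {}).get("builtInControls", [])


def evaluate_mfa(policies, user, roles, app_id="app-azure-portal"):
    """Split the matching MFA policies by state so that report-only coverage
    is not mistaken for real enforcement. Disabled policies are ignored."""
    result = {"enforced": [], "report_only": []}
    for p in policies:
        if not (requires_mfa(p) and policy_targets(p, user, roles, app_id)):
            continue
        if p["state"] == "enabled":
            result["enforced"].append(p["displayName"])
        elif p["state"] == "enabledForReportingButNotEnforced":
            result["report_only"].append(p["displayName"])
    return result


def mfa_gaps(policies, identities):
    """Identities for which no enabled policy requires MFA.
    identities: list of (user, roles) tuples."""
    return [u for u, roles in identities if not evaluate_mfa(policies, u, roles)["enforced"]]


if __name__ == "__main__":
    identities = [
        ("alice@example.com", [ROLE_READER]),
        ("breakglass@example.com", [ROLE_GLOBAL_ADMIN]),
    ]
    for user, roles in identities:
        print(user, evaluate_mfa(POLICIES, user, roles))
    print("MFA gaps:", mfa_gaps(POLICIES, identities))
```

In the sample, the emergency-access account is excluded from the all-users policy and the admin policy is still in report-only mode, so a Global Administrator sign-in ends up with no enforced MFA at all; the same evaluation run over an exported policy set makes such gaps visible before an attacker does.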
2 Enable Azure Security Centre
- Why: Azure Security Centre provides a unified security management system and offers advanced threat protection for all your Azure resources to identify and remediate security risks.
- How: Enable the Security Centre to gain access to advanced features such as just-in-time VM access, adaptive application controls and threat detection.
3 Use role-based access control (RBAC)
- Why: RBAC helps ensure that users only have the minimum required permissions to perform their tasks, reducing the risk of over-authorisation.
- How: Assign roles to users based on their responsibilities and regularly review access permissions to ensure they comply with the principle of least privilege.
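The "regularly review access permissions" step is easiest when the review is a script rather than a spreadsheet. The following is an added example written for this article, not code from Microsoft or SPIRIT/21: it takes role assignment records in the shape returned by `az role assignment list --all` (principalName, principalType, roleDefinitionName, scope), classifies each scope, and flags two common least-privilege violations: privileged roles granted directly to users at subscription or management-group scope, and workload identities holding Owner or Contributor. The subscription id, principals and resource names are constructed sample data.

```python
"""Review Azure RBAC role assignments for least-privilege violations.

Constructed example, not from the original article: each record uses the
field names returned by `az role assignment list --all` (principalName,
principalType, roleDefinitionName, scope), but the principals, subscription
id and resource names are made up.
"""

# Built-in roles that grant write or access-management rights over everything in scope
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"managementGroup", "subscription"}

SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
    {"principalName": "sp-ci-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"
              "/providers/Microsoft.Compute/virtualMachines/vm-web01"},
    {"principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-landingzone"},
]


def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    parts = scope.strip("/").split("/")
    if scope == "/" or "managementGroups" in parts:
        return "managementGroup"
    if len(parts) == 2 and parts[0].lower() == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def review_assignments(assignments):
    """Return one finding per assignment that breaks a least-privilege rule."""
    findings = []
    for a in assignments:
        role, level, ptype = a["roleDefinitionName"], scope_level(a["scope"]), a["principalType"]
        if role in PRIVILEGED_ROLES and level in BROAD_SCOPES and ptype == "User":
            findings.append({
                "principalName": a["principalName"], "role": role, "scope": a["scope"],
                "issue": f"{role} granted directly to a user at {level} scope; "
                         "assign via a group or a PIM-eligible assignment and narrow the scope",
            })
        if ptype == "ServicePrincipal" and role in PRIVILEGED_ROLES:
            findings.append({
                "principalName": a["principalName"], "role": role, "scope": a["scope"],
                "issue": f"workload identity holds {role}; replace with a task-specific role",
            })
    return findings


def privileged_principals(assignments):
    """Everyone holding a privileged role at broad scope, whatever the principal
    type: the list to walk through first in an access review."""
    return sorted({
        a["principalName"] for a in assignments
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and scope_level(a["scope"]) in BROAD_SCOPES
    })


if __name__ == "__main__":
    for f in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f['principalName']} ({f['role']} on {f['scope']}): {f['issue']}")
    print("privileged at broad scope:", privileged_principals(SAMPLE_ASSIGNMENTS))
```

Feeding the script the JSON output of the CLI command instead of the sample list turns it into a repeatable review; the group assignment at management-group level is deliberately not flagged, because granting privileged roles to a reviewed group rather than to individuals is the pattern the review should push towards.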
4 Implement network security groups (NSGs) and Azure Firewall
- Why: NSGs and Azure Firewall control inbound and outbound traffic, helping to protect your resources from unauthorised access and malicious activity.
- How: Define NSGs to filter network traffic to and from Azure resources and deploy Azure Firewall to create a centralised, managed firewall with advanced threat protection capabilities.
5 Encrypt data at rest and in transit
- Why: Encryption protects your data from unauthorised access, both in storage and in transit.
- How: Use Azure Disk Encryption for VMs and Azure Storage Service Encryption for storage accounts, and enforce HTTPS for all Azure services that support it. Use Azure Key Vault to manage encryption keys securely.
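For storage accounts, "enforce HTTPS" and "manage keys in Key Vault" come down to a handful of resource properties. The script below is an added example for this article, not code from Microsoft or SPIRIT/21: it shows a weak storage-account configuration next to its hardened counterpart, using the property names of the ARM schema for Microsoft.Storage/storageAccounts (supportsHttpsTrafficOnly, minimumTlsVersion, allowBlobPublicAccess, encryption.keySource), audits an account against them, and produces the corrected configuration. Account names and the Key Vault URI are constructed placeholders.

```python
"""Audit the storage-account settings that govern encryption in transit and
key management, and show the hardened counterpart of a weak configuration.

Constructed example, not code from the original article: the property names
follow the ARM schema of Microsoft.Storage/storageAccounts
(supportsHttpsTrafficOnly, minimumTlsVersion, allowBlobPublicAccess,
encryption.keySource / keyvaultproperties); account names and the vault
URI are placeholders.
"""
import copy

# Weak configuration: plain HTTP accepted, TLS 1.0 allowed, anonymous blob
# access on, platform-managed keys only.
WEAK_ACCOUNT = {
    "name": "stlegacyapp",
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "minimumTlsVersion": "TLS1_0",
        "allowBlobPublicAccess": True,
        "encryption": {"keySource": "Microsoft.Storage"},
    },
}

# Hardened counterpart: HTTPS only, TLS 1.2 minimum, no anonymous access,
# customer-managed key held in Key Vault.
HARDENED_ACCOUNT = {
    "name": "stsecureapp",
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False,
        "encryption": {
            "keySource": "Microsoft.Keyvault",
            "keyvaultproperties": {
                "keyvaulturi": "https://kv-example.vault.azure.net",  # placeholder
                "keyname": "storage-cmk",
            },
        },
    },
}

TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def audit_storage_account(account, require_cmk=True):
    """Return a list of findings; an empty list means the account is compliant.
    Unset properties are treated as the insecure value, so silence never passes."""
    p = account["properties"]
    findings = []
    if p.get("supportsHttpsTrafficOnly") is not True:
        findings.append("plain HTTP permitted: set supportsHttpsTrafficOnly=true")
    tls = p.get("minimumTlsVersion", "TLS1_0")
    if TLS_ORDER.get(tls, 0) < TLS_ORDER["TLS1_2"]:
        findings.append(f"minimumTlsVersion is {tls}: require TLS1_2")
    if p.get("allowBlobPublicAccess") is not False:
        findings.append("anonymous blob access not disabled: set allowBlobPublicAccess=false")
    key_source = p.get("encryption", {}).get("keySource", "Microsoft.Storage")
    if require_cmk and key_source != "Microsoft.Keyvault":
        findings.append("platform-managed keys only: use a customer-managed key in Key Vault")
    return findings


def harden(account, keyvault_uri, key_name):
    """Return a copy of the account with every audited setting corrected."""
    fixed = copy.deepcopy(account)
    p = fixed["properties"]
    p["supportsHttpsTrafficOnly"] = True
    p["minimumTlsVersion"] = "TLS1_2"
    p["allowBlobPublicAccess"] = False
    p["encryption"] = {
        "keySource": "Microsoft.Keyvault",
        "keyvaultproperties": {"keyvaulturi": keyvault_uri, "keyname": key_name},
    }
    return fixed


if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"], audit_storage_account(acct) or ["compliant"])
    fixed = harden(WEAK_ACCOUNT, "https://kv-example.vault.azure.net", "storage-cmk")
    print(fixed["name"], "after hardening:", audit_storage_account(fixed) or ["compliant"])
```

Whether customer-managed keys are mandatory depends on your data classification, which is why `require_cmk` is a parameter; the transport settings (HTTPS only, TLS 1.2) have no legitimate exceptions in a landing zone.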
6 Regular monitoring and auditing with Azure Monitor, Log Analytics and Sentinel
- Why: Continuous monitoring helps to detect and respond to potential security issues in real time.
- How: Set up Azure Monitor and Log Analytics to collect, analyse and respond to telemetry data. Use the built-in threat detection and set up alerts for suspicious activity. Advanced threat analysis is possible with Microsoft Sentinel. In addition, Azure threat intelligence feeds provide important information on current threats.
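"Alerts for suspicious activity" is abstract until you see what a detection looks like against the sign-in telemetry Entra ID writes to Log Analytics. The script below is an added example for this article, not code from Microsoft or SPIRIT/21: it runs two detections over sign-in records in the column layout of the SigninLogs table (TimeGenerated, UserPrincipalName, IPAddress, ResultType), first a password spray (one source address failing against many distinct accounts within a short window) and then any successful sign-in from that same address shortly afterwards, which is the account to treat as compromised. All rows are constructed sample data; the logic is what you would express in KQL for a Sentinel analytics rule.

```python
"""Two detections over Entra ID sign-in records: password spray from one
source address, and a later successful sign-in from that same address.

Constructed example, not from the original article: the columns mirror the
SigninLogs table in Log Analytics (TimeGenerated, UserPrincipalName,
IPAddress, ResultType) and all rows are made-up sample data. ResultType "0"
is a successful sign-in; "50126" is Entra's error code for an invalid
username or password.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNIN_LOGS = """TimeGenerated,UserPrincipalName,IPAddress,ResultType
2024-05-01T08:00:05Z,alice@example.com,198.51.100.7,50126
2024-05-01T08:00:09Z,bob@example.com,198.51.100.7,50126
2024-05-01T08:00:14Z,carol@example.com,198.51.100.7,50126
2024-05-01T08:00:20Z,dave@example.com,198.51.100.7,50126
2024-05-01T08:00:27Z,erin@example.com,198.51.100.7,50126
2024-05-01T08:00:33Z,frank@example.com,198.51.100.7,50126
2024-05-01T08:02:41Z,frank@example.com,198.51.100.7,0
2024-05-01T08:05:00Z,grace@example.com,192.0.2.44,50126
2024-05-01T08:05:30Z,grace@example.com,192.0.2.44,0
"""


def parse_signin_logs(text):
    """Parse the CSV export into dicts with TimeGenerated as a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeGenerated"] = datetime.strptime(row["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def detect_password_spray(records, window=timedelta(minutes=10), min_users=5):
    """Flag each source IP whose failed sign-ins hit at least min_users distinct
    accounts inside any interval of length `window`. Quadratic per IP, which
    is fine for a demonstration; a Sentinel rule would do this with summarize."""
    failures = defaultdict(list)
    for r in records:
        if r["ResultType"] == "50126":
            failures[r["IPAddress"]].append(r)
    alerts = []
    for ip, fails in failures.items():
        fails.sort(key=lambda rec: rec["TimeGenerated"])
        peak = 0
        for i, first in enumerate(fails):
            in_window = [rec for rec in fails[i:]
                         if rec["TimeGenerated"] - first["TimeGenerated"] <= window]
            peak = max(peak, len({rec["UserPrincipalName"] for rec in in_window}))
        if peak >= min_users:
            alerts.append({"ip": ip, "distinct_users": peak,
                           "first_seen": fails[0]["TimeGenerated"],
                           "last_seen": fails[-1]["TimeGenerated"]})
    return alerts


def successes_from_spraying_ips(records, alerts, lookahead=timedelta(hours=1)):
    """Accounts that signed in successfully from a flagged IP within `lookahead`
    of the spray starting: the credentials most likely to have been guessed."""
    flagged = {a["ip"]: a["first_seen"] for a in alerts}
    hits = []
    for r in records:
        start = flagged.get(r["IPAddress"])
        if start is None or r["ResultType"] != "0":
            continue
        if start <= r["TimeGenerated"] <= start + lookahead:
            hits.append((r["UserPrincipalName"], r["IPAddress"]))
    return hits


if __name__ == "__main__":
    logs = parse_signin_logs(SAMPLE_SIGNIN_LOGS)
    spray = detect_password_spray(logs)
    for a in spray:
        print(f"spray from {a['ip']}: {a['distinct_users']} accounts "
              f"between {a['first_seen']} and {a['last_seen']}")
    for user, ip in successes_from_spraying_ips(logs, spray):
        print(f"possible account compromise: {user} from {ip}")
```

The second detection is the one that should page someone: a spray on its own is noise that MFA absorbs, while a success from the spraying address means a password was guessed and the account needs its sessions revoked and its password reset.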
7 Secure identities with Azure AD Identity Protection
- Why: Azure AD Identity Protection detects and responds in real time to identity-based threats such as compromised accounts or risky sign-ins.
- How: Enable Azure AD Identity Protection policies to automatically respond to detected risks by enforcing MFA, blocking logins, or requiring users to change passwords.
8 Implement Just-In-Time (JIT) access for VMs
- Why: JIT access reduces the attack surface by allowing access to VMs only when needed and for a limited time.
- How: Enable JIT VM access in Azure Security Centre to minimise the exposure of management ports and other services.
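Measures 4 and 8 meet in the network security group: NSG rules decide which inbound flows reach a VM, and JIT access works by replacing a permanently open management port with a time-limited allow rule. The script below is an added example for this article, not code from Microsoft or SPIRIT/21, serving both measures: it replays an NSG's inbound rules in priority order the way Azure does (first match wins, then the default rules AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001 and DenyAllInBound 65500) and lists which management ports an Internet source can reach and through which rule. Rule dictionaries use the ARM securityRule field names in their single-value form; the sample rules are constructed, and the service tags are simplified by treating the RFC 1918 ranges as "VirtualNetwork" and everything else as "Internet".

```python
"""Evaluate which inbound flows an Azure network security group actually
permits, by replaying its rules in priority order, and list the management
ports reachable from the Internet.

Constructed example, not from the original article: rules use the ARM
securityRule field names (priority, direction, access, protocol,
sourceAddressPrefix, destinationPortRange) in single-value form only. The
default inbound rules match Azure's. Service tags are simplified:
'VirtualNetwork' is taken to be the RFC 1918 ranges, 'Internet' everything
else, and 'AzureLoadBalancer' never matches a test flow.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Sample custom rules: HTTPS is intended; RDP is permanently open to the world,
# and the Deny at 200 never fires because rule 110 already matched.
SAMPLE_NSG_RULES = [
    {"name": "AllowHttpsInBound", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "AllowRdpFromAnywhere", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowSshFromBastionSubnet", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "22"},
    {"name": "DenyRdpFromInternet", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
]

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM over HTTPS"}


def port_matches(port_range, port):
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(x) for x in port_range.split("-"))
        return lo <= port <= hi
    return int(port_range) == port


def source_matches(prefix, source_ip):
    ip = ipaddress.ip_address(source_ip)
    private = any(ip in net for net in RFC1918)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return private
    if prefix == "Internet":
        return not private
    if prefix == "AzureLoadBalancer":
        return False
    return ip in ipaddress.ip_network(prefix, strict=False)


def protocol_matches(rule_protocol, protocol):
    return rule_protocol == "*" or rule_protocol.lower() == protocol.lower()


def evaluate_inbound(rules, source_ip, dest_port, protocol="Tcp"):
    """Return (access, rule name) of the first matching rule in ascending
    priority order, custom and default rules together: Azure stops at the
    first match, so a later Deny cannot undo an earlier Allow."""
    candidates = [r for r in rules if r["direction"] == "Inbound"] + DEFAULT_INBOUND_RULES
    for rule in sorted(candidates, key=lambda r: r["priority"]):
        if (protocol_matches(rule["protocol"], protocol)
                and source_matches(rule["sourceAddressPrefix"], source_ip)
                and port_matches(rule["destinationPortRange"], dest_port)):
            return rule["access"], rule["name"]
    return "Deny", "implicit"  # unreachable while DenyAllInBound is present


def exposed_management_ports(rules, probe_ip="203.0.113.10"):
    """Management ports an Internet source (TEST-NET-3 probe address) can reach,
    mapped to the rule that lets them through. JIT VM access replaces such
    permanent openings with time-limited rules created on request."""
    exposed = {}
    for port in MANAGEMENT_PORTS:
        access, rule = evaluate_inbound(rules, probe_ip, port)
        if access == "Allow":
            exposed[port] = rule
    return exposed


if __name__ == "__main__":
    for port, rule in exposed_management_ports(SAMPLE_NSG_RULES).items():
        print(f"{MANAGEMENT_PORTS[port]} ({port}) open to the Internet via rule {rule}")
```

The sample shows the classic mistake the evaluator catches: someone added a Deny for RDP from the Internet at priority 200, but the earlier Allow at 110 wins, so the port stays exposed; with JIT enabled there would be no permanent allow rule at all, only one created for the requesting address and removed when the window expires.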
9 Regular patch management
- Why: Regular patching of systems helps protect against known vulnerabilities and exploits.
- How: Use Azure Automation Update Management to automate the patching of Windows and Linux systems across your environment and ensure they stay up to date.
10 Conduct regular security assessments and penetration tests
- Why: Regular security assessments and penetration tests help to identify and fix potential vulnerabilities before they can be exploited by attackers.
- How: Schedule regular security assessments using Azure Security Centre’s Secure Score recommendations and consider third-party penetration testing services for a more thorough assessment.
In addition to these Azure-specific measures, you should of course create backups of the applications and data and test them regularly with a previously created disaster recovery plan.
By the way: never join the backup servers to Entra ID. If Entra ID is compromised in an attack, your backups become an easy target for ransomware (encryption Trojans). Another point that should accompany the security concept continuously is security awareness training for employees, to minimise the risk of attacks via e-mail, telephone and chat.
By implementing these recommendations, you can significantly improve the security status of your Azure environment.
Do you still have questions about this, or would you like to have your company's setup independently reviewed? Feel free to contact us!
Thomas Strigel
Business Development Managed Solutions and Consulting, SPIRIT/21
Phone: +49 1726327678
E-Mail: tstrigel@spirit21.com
Thomas is an all-rounder when it comes to managed services and cloud solutions. He is always willing to listen to your questions and suggestions.