This is the second blog in a three-part series on security in Azure Government co-authored by Robert Jaffee, Sr. Program Manager, and Diego Lapiduz, Chief Information Security Architect, with Microsoft Azure Global Government. (In case you missed it, check out the first blog: Six tips for securing identity in the cloud.)
In this blog, we’ll cover specific recommendations for improving your IaaS security posture, focusing on data protection, network security, and security management, including threat protection.
Data protection: Ensure the confidentiality and integrity of data by leveraging the multiple encryption options for data at rest in virtual machines, databases, and storage. Data encryption controls are built into services from virtual machines to Storage, Azure SQL, and Azure Cosmos DB. Azure Key Vault enables you to safeguard and control the cryptographic keys and other secrets used by cloud apps and services.
- Tip #1: Manage your VM updates. Azure VMs, like all on-premises VMs, are meant to be user-managed. Azure doesn't push Windows updates to them. Ensure you have solid processes in place for important operations such as patch management and backup.
- Tip #2: Encrypt your virtual hard disk files to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets. (If you are using services like Azure Site Recovery, check compatibility before enabling encryption.)
Network security: You can establish secure connections to and within Azure using virtual networks, network security groups, VPN, and ExpressRoute. Protect your apps and ensure their availability, and defend against network-layer threats, with services like Web Application Firewall, Azure Firewall, and Azure DDoS Protection.
- Tip #3: Use virtual networks to isolate your workloads. Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, different virtual networks, the internet, or your own on-premises networks.
- Tip #4: Install a web application firewall. Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.
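To make Tip #3 concrete, here is an added example (not code from the original post or from Microsoft) that models how an inbound network security group (NSG) rule set is evaluated: rules are checked in ascending priority order, the first match decides, and the platform default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) come last. The address plan, the custom rules, and the probe source address are constructed for illustration; in the model the VirtualNetwork tag is the VNet CIDR, the AzureLoadBalancer tag is the probe address, and the Internet tag is anything outside the VNet. The audit function reports which management ports a source outside the VNet could still reach after the whole rule set is applied, so a deny rule with a lower priority number correctly shadows a broad allow rule.

```python
"""Model inbound NSG rule evaluation and audit management-port exposure.

Added example, not from the original post. All rules and addresses below
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: the workload VNet and the Azure load balancer probe address.
VNET_CIDR = ip_network("10.0.0.0/16")
AZURE_LB_PROBE = ip_address("168.63.129.16")
MANAGEMENT_PORTS = {22, 3389}  # SSH and RDP


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, "*" or a service tag (VirtualNetwork, AzureLoadBalancer, Internet)
    dest_ports: str  # "443", "80-443", "*" or a comma-separated list


# Platform default inbound rules, applied after every custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed custom rules as deployed: rule 200 opens RDP to any source.
CUSTOM_INBOUND = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    Rule("AllowRdpFromAnywhere", 200, "Inbound", "Allow", "Tcp", "*", "3389"),
    Rule("AllowSshFromAdminSubnet", 300, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "22"),
]

# Hardened variant: RDP is restricted to the admin subnet inside the VNet.
HARDENED_INBOUND = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    Rule("AllowRdpFromAdminSubnet", 200, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "3389"),
    Rule("AllowSshFromAdminSubnet", 300, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "22"),
]


def port_matches(spec: str, port: int) -> bool:
    """Match '*', a single port, a range 'a-b', or a comma-separated list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def source_matches(spec: str, src: str) -> bool:
    """Resolve a CIDR, wildcard or (modelled) service tag against a source address."""
    addr = ip_address(src)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET_CIDR
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    if spec == "Internet":
        return addr not in VNET_CIDR  # simplified model of the Internet tag
    return addr in ip_network(spec, strict=False)


def evaluate(custom_rules, src: str, port: int, protocol: str = "Tcp"):
    """Return (access, rule_name): first matching rule in priority order wins."""
    rules = sorted(custom_rules, key=lambda r: r.priority) + DEFAULT_INBOUND
    for r in rules:
        if r.direction != "Inbound" or r.protocol not in ("*", protocol):
            continue
        if source_matches(r.source, src) and port_matches(r.dest_ports, port):
            return r.access, r.name
    return "Deny", "implicit"  # not reached: DenyAllInBound always matches


def find_exposed_management_ports(custom_rules, probe_src: str = "198.51.100.7"):
    """Map each management port reachable from a constructed external source to the rule that allows it."""
    exposed = {}
    for port in sorted(MANAGEMENT_PORTS):
        access, name = evaluate(custom_rules, probe_src, port)
        if access == "Allow":
            exposed[port] = name
    return exposed


if __name__ == "__main__":
    for label, rules in (("as deployed", CUSTOM_INBOUND), ("hardened", HARDENED_INBOUND)):
        print(f"{label}: exposed management ports = {find_exposed_management_ports(rules)}")
```

Running the script reports the overly broad RDP rule for the deployed rule set and nothing for the hardened one; the same evaluation shows that traffic from inside the VNet on an arbitrary port is still admitted by the AllowVnetInBound default, which is why isolating workloads into separate virtual networks (Tip #3) matters even when custom rules look tight.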
Threat protection and security management: It is equally important to assess your security state continuously, especially as cloud workloads change dynamically. Azure Security Center helps you monitor the security state of Azure resources and hybrid workloads. It provides a dynamic security scorecard and recommendations to improve your security in a centralized console. You also get advanced threat protection across many services, including virtual machines, servers, apps, Azure SQL, Storage, and containers on VMs. Backed by the Microsoft Intelligent Security Graph, you can detect and quickly respond to threats across these services.
- Tip #5: Enable Azure Security Center Standard. Security Center’s Standard tier helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack. Don’t forget to review your Security Center dashboard regularly to get a central view of the security state of your Azure resources and act on these recommendations.
Implementing these best practices is an essential step to securing your IaaS resources. Read the Azure Government Security documentation to understand features and variations for Azure Government. For a deeper dive on improving your security posture with Azure, we recommend the following resources:
Look for our next blog in the series next week, focused on new Key Vault capabilities in Azure Government.
We welcome your comments and suggestions to help us improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our blog by clicking "Subscribe by Email!" on the Azure Government Blog.