Proactive Security: leveraging Azure Security Services
From Azure Security by Bojan Magusic
This excerpt covers:
- Cybersecurity as an infinite game
- Shared responsibility model
- Azure security services
- Threat landscape
- Cloud security challenges
- Zero Trust security model
- Defense in depth
Read on to learn more.
Security is one of the greatest unsolved problems of our time. This complex problem set spans digital, physical, businesses, and individuals. Digital services have become an integral part of our lives in finance, health, transportation, our jobs, and even how we connect with each other. With all this, however, we’re outstripping our ability to provide security. If you think of the word security, by its very definition means freedom from threats or danger. This is an impossible goal, however, as businesses are under constant threat. This concern is further highlighted by news headlines you can see daily about ransomware attacks, fraud, theft, public exposure of private data, espionage, and even attacks against physical infrastructure. James P. Carse, a professor from New York University (NYU), came up with an interesting theory of how the world works, which was recently popularized by Simon Sinek. Carse theorized there are two types of games: finite and infinite games, e.g. chess. Infinite games are very different. There are no agreed upon rules in infinite games. Players can be known or unknown and winning is about staying in the game. Take finance for example, where rules vary dramatically from country to country. There are both known and unknown players that influence the game, and their decisions can have a massive impact on everyone involved. Cybersecurity is an infinite game.
Cybersecurity as an infinite game
The cyber bad guys are not playing by any agreed upon rules. There is no such thing as a level playing field, when a state decides to target a business. Today, too many businesses and security teams have a finite mindset. In their mind, it is a winner-take-all game. I believe thinking like this is quite dangerous, because the landscape changes so dramatically fast. I caution you against thinking in that finite game mindset and falling into a trap that a single security solution can solve this problem, because there is no final victory in security — the victory lies in staying in the game. Cybersecurity requires a fundamental shift of mindset. Especially, when it comes to cloud security, where the pace of innovation, agility, and complexity can sometimes be overwhelming. I believe in this constantly changing game, the future of cloud security is going to be shaped with an infinite mindset. We have to turn this game in our favor and take the initiative from the bad actors.
Unfortunately, a significant number of breaches still happen due to poor cyber security practices. Insecure configurations of cloud workloads continue to be one of the top causes of breaches. This has been exacerbated by the conditions created due to the Covid-19 pandemic, where many companies had to accelerate their digital transformation and rushed to move their workloads from on-premises to the public cloud, without giving much thought to security. Virtual machines running on public cloud platforms have been left exposed to the public-facing Internet and subjected to attacks. User credentials have been leaked and used by attackers to gain unauthorized access to an organization’s environment. Secrets were unencrypted and left exposed in source code repositories. Chances are that you have read about such attacks in news headlines. They’re representative of common causes how cloud security breaches start. The following list highlights a subset of relevant cloud security threats, but is by no means meant to be exhaustive:
- Ransomware
- Brute-force attacks
- Supply chain attacks
- Zero-day exploits
- Security vulnerabilities
- Misconfigurations
- Unauthorized access
- Denial-of-service attacks
- Insider threats
- Data theft
The question then becomes, how do you secure your Azure environments against common cloud security issues and threats against your cloud resources? In order to make progress on this issue, you can leverage the set of native security services that are available in Azure, most commonly referred to as Azure security. The Azure security services this book teaches you are the following:
- Azure Active Directory
- Azure DDoS Protection Standard
- Azure Firewall Standard
- Azure Firewall Premium
- Azure Web Application Firewall
- Microsoft Sentinel
- Microsoft Defender for Cloud
- Microsoft Defender for DevOps
- Azure Monitor
- Azure Key Vault
- Azure Policy
You learn more about these services throughout the book. They can be used to secure Azure environments big and small, consisting out of a variety of different resources types. The overarching goal of Azure security is to help you secure your digital estate running on Azure, while at the same time minimizing the likelihood of security breaches — like the ones you read about in the news. I encourage you to consider what else you need to secure on top of these services, as there are plenty of other misconfigurations that can happen, like lack of encryption. Azure security fundamentally revolves around people, processes, and technologies. Most people appreciate security, but they don’t necessarily know how go about applying the technology effectively to future proof their Azure environments from disruption and potential attacks. This book teaches you how to configure and implement Azure security correctly. As an organization looks to secure their public cloud infrastructure, the public cloud provider shares with them the burden of security. This is widely referred to as the shared responsibility model.
Shared responsibility model
There are tasks that the public cloud provider is responsible for securing and there are tasks that are your responsibility. Knowing what these are matters greatly. You can imagine them as two pieces of a puzzle that need to fit together perfectly! With regards to Azure, you might be asking yourself what is taken care of by Microsoft? Microsoft takes care of securing the cloud. This included physically securing the datacenters where compute, storage and networking resources reside, which run your digital services. This includes security checks and authorized personnel that would make some airport security checks look like a stroll in the park. In addition, Microsoft takes care of hardware failure, alternate power supply and much more. Essentially, Microsoft ensures that the public cloud runs smoothly without you needing to worry about all the things that could possibly go wrong (natural disasters like earthquakes notwithstanding).
What is your responsibility then? Your responsibility is the security inside of the cloud. This means that it’s your responsibility to ensure that access to those resources is secure. Including data that resides in the cloud, as well aspects of infrastructure resources, such as compute resources that are deployed. In an on-premises world, everything would be your responsibility of securing. However, with public cloud platforms like Azure, you offload a part of that burden to the public cloud provider. How much burden you offload to the public cloud provider comes down to the service model in question. Cloud service models originated from The National Institute of Standards and Technology (NIST) and with regards to public cloud, the three main service models are:
- Infrastructure-as-a-Service (IaaS): offers you with core compute, storage and networking resources on-demand.
- Platform-as-a-Service (PaaS): offers resources you can use to develop and deploy everything from simple cloud-based applications to enterprise-ready applications
- Software-as-a-Service (SaaS): offers you with cloud-based applications, that can be used and accessed over the Internet.
Each service model outlines your and the cloud providers responsibilities. Depending on the service model in questions, these responsibilities vary.
Azure security services
Azure security is important, because by properly configuring Azure security services, you’re able to avoid disruption to your business and realize the full value out of the Azure platform. If you don’t secure your environment correctly, there might be no business at all. Second, it helps manage the increasing complexity of attacks. Attacks are getting more sophisticated by the minute and are in increasing in volume, both of which are alarming trends!
Even while writing this, there are probably new security services being developed and/or existing ones refined, based on what’s working well and what’s working less well for organizations. Indeed, security is complex. What I’ve learned from many organizations is that security is not a problem you solve. It’s a problem you manage. This problem is further compounded by the fact that no two organizations are the same. Some even have complex requirements and large footprints in Azure. How do you then do about managing this problem? I’d like to acknowledge that improving an organization’s security posture is a journey. It can even be seen as an ever-evolving cyclical process (figure 1).
You can think of improving your organization’s security posture like going to the gym. You consistently need to be putting in work in order to achieve results. When looking holistically at improving an organization’s security posture, you can think of it in the form of an iterative process that consists of three phases. The first phase is about securing Azure workloads by ensuring they adhere to security best practices. After security best practices have been applied, this brings you to the second phase, where you monitor the environment for potential signs of compromise and suspicious activity (like lateral movements). Should there be a potential sign of compromise, you need to investigate in order to get a better understanding of what occurred and if need be, to respond accordingly — third phase. Based on the findings of the investigation, it’s paramount to learn from what has occurred and evolve your thinking on how to better secure workloads going forward. Effectively, this is done by applying learnings to security best practices that are used to securely deploy your Azure workloads going forward. You should look to incorporate learnings from outside of your environment too, like from Azure specific breaches in other organizations and general security advice from reputable sources. Making this an iterative and ever-evolving process. To better understand how to protect your environment attacks, you first need to get a better understanding of the threat landscape that is affecting organizations.
Threat landscape
New attacks, on average happen every couple of minutes, affecting companies big and small. They are performed by bad actors — cyber adversaries who are trying to attack and infiltrate digital systems. Bad actors (or cyber threat actors as they’re also called) are usually motivated by financial gain, politics or some malicious intent. Their attacks are made possible through vulnerabilities that allow bad actors to bypass security controls you put in place to secure your digital systems. Therefore, it’s important to understand how to prevent common vulnerabilities. Vulnerabilities together with malware, and specific groups of bad actors usually make up the threat landscape.
Returning to the analogy of improving your organizations security posture being like going to the gym, any person that has ever visited a gym will tell you, chances are you won´t be the only person working out. Probably, there are other people in the gym, putting in hard work. If you’re brand new to working out, you might choose to ask someone for advice, or potentially observe how others use a particular machine and adopt parts of their workout routine. The same logic can be applied to cybersecurity. By having insight into the evolving nature of cyberthreats, businesses can better prepare themselves and minimize the likelihood of potentially getting compromised. What can help is to try to understand the behavior of bad actors and consider what steps they could take to compromise your environment — so that you can protect against it! Bad actors have an intended outcome in mind, which they’re trying to achieve. In cybersecurity this intended outcome tends to be called goal. Now, there are different ways of achieving a goal and the high-level description of the behavior bad actors exhibit to achieve their goal is called tactic. In the context of a tactic you have more detailed description of the bad actors behavior called techniques. Highly detailed descriptions about how a bad actors will leverage techniques are called procedures. The more you know about the bad actors’ behavior, the better prepared you are at preempting it.
Cybercrime is a thriving industry. Solving cybercrime is similar to solving ‘ordinary’ crime — in a sense it’s a very difficult (if not impossible) task to accomplish. The number of daily pieces of malware continues to rise, which is alarming! However, still a significant number of breaches happen due to poor security practices. Bad actors like to pick “low-hanging fruit,” so consistent improvement in security practices is a must.
Cloud security challenges
Traditional on-premises security controls differ from security controls in the public cloud. Knowing how they differ is key to understanding how to go about getting results. In the last ten years, the pace of technical innovation with regards to public cloud has been staggering. And as businesses have taken advantage of these technical innovations, so too have bad actors. There is a clear need to evolve from constantly responding to the innovations of attackers, to finding a way to be consistently ahead of bad actors.
What can help here is to again think about how breaches might occur and then implement security controls to prevent breaches from happening. Resources deployed in the public cloud (among other tasks) need to be remotely accessible for management purposes. This opens up the possibility of those resources, accessible over the Internet, to be compromised by a bad actor. After gaining access to your environment, the bad actor might look to compromise an account, and then use that account to gain unauthorized access to more of your environment’s resources. They can even spread to other resource types, like databases, storage, IoT devices and more. This is commonly referred to as lateral movement, where the bad actor will try to gain access to as many resources as possible, even moving between different resource types. Once they’ve established control over the environment, bad actors will try to accomplish their goal, which might be financial gain by holding the organizations environment hostage and asking for ransom payment. This is an example of a ransomware attack. Sadly, there are many more types of attacks out there. This notion of how breaches occur and what steps bad actors might look to perform to potentially compromise your public cloud environment is often referred to as the kill chain model. A simplified version of the kill chain model in the context of cloud security is shown in figure 2. consisting out of the following steps: exposure, access, lateral movement, actions on objective, and goal.
You might be asking yourself, if this really happens in the real world? Unfortunately, it does and it affects companies big and small. To make this palpable, I provide a concrete example (figure 3). I’m confident you can find one as well, by simply searching for latest cyberattacks on the web. Let’s say a VM is deployed in the public cloud and is not adhering to any security best practices. What could possibly go wrong, you think? Well, if that VM’s ports are publicly accessible from the Internet, an attacker might use this fact to try and guess the username and password of the account that has access to that VM (remember what this type of an attack is called?). People in general are not great with passwords. They tend to re-use them, keep them simple and not leverage strong factors, such as multi-factor authentication (MFA). Seeing cloud resources are located in the public cloud providers data centers, they need to be remotely accessible for management purposes. This means, if the account on that VM is compromised, a bad actor has access to that VM and in turn unauthorized access to the environment. With this access the bad actor can deploy malware on that VM to exploit vulnerable applications or systems. This in turn allows the bad actor to spread inside of the environment laterally by compromising even more resources. Even spanning different resource types. Meaning bad actors could get access to other resource types such as Kubernetes clusters. After gaining access to clusters, the bad actor is able to deploy a malicious container image to the compromised cluster. This container image in turn could be used to run a crypto-miner, which incurs financial cost to the unsuspecting owner of the Azure environment while providing financial gain to the bad actor. Demonstrating that a VM left with an open port, left exposed to the Internet, could open the door to crypto-miners being installed on your Azure compute resources (or worse). Using crypto mining specific software has been a successful strategy for hackers to deliver malware/ransomware in the recent past.
Digital medievalism
It used to be that you could block or allow access at the perimeter of your corporate network. Company resources and applications that users needed to get their job done were, after all, inside the corporate network, guarded by the ’defenses‘ you put up to safeguard against the threats from outside. Everything inside defenses you built was considered trusted, whereas everything outside them was considered untrusted. A term that I believe best describes this is digital medievalism, where organizations and individuals each depend on the walls of their castles and the strength of their citizens against bad actors who can simply retreat to their own castle with the spoils of an attack. However, with the rapid adoption of cloud services, nowadays users need to access a variety of different applications to get their job done. These applications can be accessed from a variety of devices (for example, a mobile phone, tablet, or personal laptop). This has fundamentally changed the security perimeter as many of these applications don’t reside inside of your corporate network and behind the walls of the castles which you’ve built. They reside outside them and if they’re outside your walls, how can you ever trust that they’re safe? Blocking or allowing access doesn’t happen any longer at the perimeter of your corporate network. Therefore, the traditional based security model of the digital medievalism is no longer sufficient. It is necessary to adopt a perimeter-less security approach, where instead of trusting that resources are safe because they are located behind the walls of your castle, you need to verify every attempt to access/use them. This concept of never implicitly trusting that resources are safe and always verifying is the cornerstone of what is commonly referred to as the Zero Trust security model
Zero Trust security model
The premise behind Zero Trust is that requests made to public cloud resources shouldn’t be trusted by default. Instead, they should be verified. This holds true even if these resources are located behind your castles’ walls and inside your corporate network. Remember the legend of the Trojan horse?! In it, soldiers were able to capture the city of Troy by allegedly hiding inside a wooden horse to get past the city’s walls. Instead of assuming that everything inside your corporate network is secure, the Zero Trust model assumes breach and verifies each request as though it originated from outside your castles’ walls (or from an untrusted location). This assume-breach mindset also helps with minimizing the potential impact of a bad actor gaining access to your Azure environment, by helping to respond and remediate quicker.
The three-cornerstone widely referenced principles of the Zero Trust security model are:
- Verify explicitly: always authenticate and authorize based on all available data points (including identity, device, location, service, and unusual behavior).
- Use least-privileged access: give just enough access and permissions for the task at hand, and only when needed.
- Assume that breaches will happen: improve defenses by minimizing the blast radius and actively monitor the environment for potential signs of compromise.
Zero Trust is not a specific product or service, but rather an approach in designing and implementing the three-cornerstone principles of the Zero Trust security model. Instead of shying away from using services that are outside of your corporate network, this security model allows you to adapt to them and manage their complexity. You might be asking yourself, why should you care about Zero Trust? The straightforward reason is that most of the services and applications that users need to access are located outside your corporate network (for example, Microsoft 365 or Salesforce CRM). It’s important to note there is no silver bullet when it comes to security. Therefore, it’s prudent to apply several layers of security. This pattern is commonly referred to as defense in depth.
Defense in depth
Defense in depth helps you to reduce the overall likelihood of a successful breach happening. The idea behind it, is that several layers put together, reduce the probability of a breach being successful, compared to a single layer. By adding more layers of security, you’re effectively making it harder for an attacker to get past your security measures and be successful in their attack. Also, by having more layers of security, if one layer fails, the other layers are still there to secure the underlying workloads in Azure.
This means that the process of improving an organizations security posture is a never-ending journey, which consists of three phases: securing workloads, monitoring and detecting threats, and investigating and responding. Furthermore, we can combine this with a defense in depth approach and add more than one layer of security to each one of these three phases. Adding several layers of security to each layer can be accomplished by using more than one Azure security service. These layers of security need to take into account and protect against the steps bad actors could take to compromise your environment). The reason that you need to take these steps into account is because an attack might not start with a bad actor trying to gain access to your Azure environment. A bad actor might have already gained access to your environment and be looking to achieve their goal (for example, launching a ransomware attack to hold your Azure resources hostage for ransom payment). This means that you need multiple layers of defense.
But before you start throwing up defenses willy-nilly, you need to identify the resources that you need to secure! Azure environments tend to be comprised of a vast number of different resources types. For the sake of simplicity, I group these different resource types into five categories: identities, data, applications, infrastructure and networking resources (figure 4). We can secure each of these categories by applying several layers of security.
With users being able to access cloud services from any location and any device, it is clear that identity has turned itself into the primary security perimeter. Bad actors are adapting their attack strategies to focus on the human layer of an organization’s cyber defense. And because identities are used to access cloud services and perform specific actions with resources, they are often a weak point. After identities, it is important to create a second layer of defense by securing infrastructure and networking resources. This helps prevent an attacker from spreading laterally in the event of a breach. The next line of defense is to secure applications and data. Leveraging multiple Azure Security services adds more layers of security — applying a defense in depth mindset. This in turn minimizes the likelihood of bad actors being successful with their attacks. It is important to emphasize (again) that adding multiple layers of Azure Security to each line of defense vastly improves overall security and goes a long way to preventing/limiting the amount of damage a bad actor can do.
Imagine each line of defense as a wall. A wall is a decent defense, but a determined attacker can climb it. This becomes much harder if you put soldiers on top of and patrolling behind the wall, and harder still if you dig a moat in front of the wall, and so on. The soldiers, moat, and whatever else you can think of are your layers of defense that make the walls more secure.
Summary
- Cybersecurity can be seen as an infinite game. The players in this game are not playing by any agreed upon rules.
- The shared responsibility model gives you a sense as to what is your responsibility of securing in Azure, compared to what the public cloud provider is responsible for securing.
- Improving an organization’s security posture can be seen as an iterative process, consisting of several phases. Azure Security is a set of security services that you can use to secure identities, data, applications, infrastructure and networking resources of your Azure environment.
- Understanding how attacks occur is important, because it allows you to precipitate what security controls you need to implement in order to improve your overall security posture.
- Behaviors of bad actors continue to evolve, as do their tactics, techniques and procedures that they use in attacks.
- Adding several layers of security helps to reduce the probability of a breach being successful. This can be achieved by applying more than one Azure security service.
Learn more about the book here.
