Azure Operational Security best practices
This article provides a set of operational best practices for protecting your data, applications, and other assets in Azure. The best practices are based on a consensus of opinion, and they work with current Azure platform capabilities and feature sets. Opinions and technologies change over time, and this article is updated on a regular basis to reflect those changes.

Define and deploy strong operational security practices

Azure operational security refers to the services, controls, and features available to users for protecting their data, applications, and other assets in Azure. Azure operational security is built on a framework that incorporates the knowledge gained through capabilities that are unique to Microsoft, including the Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape.

Manage and monitor user passwords

The following are best practices related to managing user passwords:

Best practice: Ensure you have the proper level of password protection in the cloud.
Best practice: Monitor for suspicious actions related to your user accounts.
Best practice: Automatically detect and remediate high-risk passwords.
Receive incident notifications from Microsoft

Be sure your security operations team receives Azure incident notifications from Microsoft. An incident notification lets your security team know that you have compromised Azure resources so they can quickly respond to and remediate potential security risks. In the Azure enrollment portal, you can ensure that the admin contact information includes details that notify security operations. Contact information is an email address and phone number.

Organize Azure subscriptions into management groups

If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope that's above subscriptions. You organize subscriptions into containers called management groups and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

You can build a flexible structure of management groups and subscriptions into a directory. Each directory is given a single top-level management group called the root management group. This root management group is built into the hierarchy so that all management groups and subscriptions fold up to it. The root management group allows global policies and Azure role assignments to be applied at the directory level.

Here are some best practices for using management groups:

Best practice: Ensure that new subscriptions apply governance elements like policies and permissions as they are added.
Best practice: Align the top levels of management groups with your segmentation strategy to provide a point for control and policy consistency within each segment.
Best practice: Limit management group depth to avoid confusion that hampers both operations and security.
Best practice: Carefully select which items to apply to the entire enterprise with the root management group. Good candidates include:
Best practice: Carefully plan and test all enterprise-wide changes on the root management group before applying them (policy, Azure RBAC model, and so on).

Streamline environment creation with blueprints

The Azure Blueprints service enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with a set of built-in components and the confidence that they're creating those environments within organizational compliance.

Monitor storage services for unexpected changes in behavior

Diagnosing and troubleshooting issues in a distributed application hosted in a cloud environment can be more complex than it is in traditional environments. Applications can be deployed in a PaaS or IaaS infrastructure, on-premises, on a mobile device, or in some combination of these environments. Your application's network traffic might traverse public and private networks, and your application might use multiple storage technologies.

You should continuously monitor the storage services that your application uses for any unexpected changes in behavior (such as slower response times). Use logging to collect more detailed data and to analyze a problem in depth. The diagnostics information that you obtain from both monitoring and logging helps you to determine the root cause of the issue that your application encountered. Then you can troubleshoot the issue and determine the appropriate steps to remediate it.

Azure Storage Analytics performs logging and provides metrics data for an Azure storage account. We recommend that you use this data to trace requests, analyze usage trends, and diagnose issues with your storage account.
Prevent, detect, and respond to threats

Microsoft Defender for Cloud helps you prevent, detect, and respond to threats by providing increased visibility into (and control over) the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with various security solutions.

The Free tier of Defender for Cloud offers limited security for only your Azure resources. The Standard tier extends these capabilities to on-premises and other clouds. Defender for Cloud Standard helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats by using analytics and intelligence, and respond quickly when under attack. You can try Defender for Cloud Standard at no cost for the first 60 days. We recommend that you upgrade your Azure subscription to Defender for Cloud Standard.

Use Defender for Cloud to get a central view of the security state of all your Azure resources. At a glance, verify that the appropriate security controls are in place and configured correctly, and quickly identify any resources that need attention.

Defender for Cloud also integrates with Microsoft Defender Advanced Threat Protection (ATP), which provides comprehensive Endpoint Detection and Response (EDR) capabilities. With Microsoft Defender ATP integration, you can spot abnormalities. You can also detect and respond to advanced attacks on server endpoints monitored by Defender for Cloud.

Almost all enterprise organizations have a security information and event management (SIEM) system to help identify emerging threats by consolidating log information from diverse signal-gathering devices. The logs are then analyzed by a data analytics system to help separate what's "interesting" from the noise that is inevitable in all log gathering and analytics solutions.

Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel provides intelligent security analytics and threat intelligence via alert detection, threat visibility, proactive hunting, and automated threat response.

Here are some best practices for preventing, detecting, and responding to threats:

Best practice: Increase the speed and scalability of your SIEM solution by using a cloud-based SIEM.
Best practice: Find the most serious security vulnerabilities so you can prioritize investigation. The secure score, which is based on Center for Internet Security (CIS) controls, lets you benchmark your organization's Azure security against external sources. External validation helps validate and enrich your team's security strategy.
Best practice: Monitor the security posture of machines, networks, storage and data services, and applications to discover and prioritize potential security issues.
Best practice: Integrate Defender for Cloud alerts into your security information and event management (SIEM) solution.
Best practice: Integrate Azure logs with your SIEM.
Best practice: Speed up your investigation and hunting processes and reduce false positives by integrating Endpoint Detection and Response (EDR) capabilities into your attack investigation.

Monitor networks end to end with scenario-based monitoring

Customers build an end-to-end network in Azure by combining network resources like a virtual network, ExpressRoute, Application Gateway, and load balancers. Monitoring is available on each of the network resources. Azure Network Watcher is a regional service. Use its diagnostic and visualization tools to monitor and diagnose conditions at a network scenario level in, to, and from Azure.

The following are best practices for network monitoring and the available tools:

Best practice: Automate remote network monitoring with packet capture.
Best practice: Gain insight into your network traffic by using flow logs.
Best practice: Diagnose VPN connectivity issues.

Use the following DevOps best practices to ensure that your enterprise and teams are productive and efficient:

Best practice: Automate the build and deployment of services. You can use Azure Resource Manager to provision your applications by using a declarative template. In a single template, you can deploy multiple services along with their dependencies. You use the same template to repeatedly deploy your application in every stage of the application lifecycle.
Best practice: Automatically build and deploy to Azure web apps or cloud services.
Best practice: Automate release management.
Best practice: Check your app's performance before you launch it or deploy updates to production. Apache JMeter is a free, popular open source tool with strong community backing.
Best practice: Monitor application performance.

Mitigate and protect against DDoS

Distributed denial of service (DDoS) is a type of attack that tries to exhaust application resources. The goal is to affect the application's availability and its ability to handle legitimate requests. These attacks are becoming more sophisticated and larger in size and impact. They can be targeted at any endpoint that is publicly reachable through the internet. Designing and building for DDoS resiliency requires planning and designing for a variety of failure modes.

Following are best practices for building DDoS-resilient services on Azure.

Best practice: Ensure that security is a priority throughout the entire lifecycle of an application, from design and implementation to deployment and operations. Applications can have bugs that allow a relatively low volume of requests to use a lot of resources, resulting in a service outage. Ensuring that an application is resilient enough to handle a denial of service that's targeted at the application itself is most important. Security and privacy are built into the Azure platform, beginning with the Security Development Lifecycle (SDL). The SDL addresses security at every development phase and ensures that Azure is continually updated to make it even more secure.
Best practice: Design your applications to scale horizontally to meet the demand of an amplified load, specifically in the event of a DDoS attack. If your application depends on a single instance of a service, it creates a single point of failure. Provisioning multiple instances makes your system more resilient and more scalable. For Azure Cloud Services, configure each of your roles to use multiple instances. For Azure Virtual Machines, ensure that your VM architecture includes more than one VM and that each VM is included in an availability set. We recommend using virtual machine scale sets for autoscaling capabilities.
Best practice: Layering security defenses in an application reduces the chance of a successful attack. Implement secure designs for your applications by using the built-in capabilities of the Azure platform. Network security groups are another way to reduce the attack surface. You can use service tags and application security groups to minimize the complexity of creating security rules and configuring network security, as a natural extension of an application's structure. You should deploy Azure services in a virtual network whenever possible. This practice allows service resources to communicate through private IP addresses. Azure service traffic from a virtual network uses public IP addresses as source IP addresses by default. Using service endpoints switches service traffic to use virtual network private addresses as the source IP addresses when they're accessing the Azure service from a virtual network. We often see customers' on-premises resources getting attacked along with their resources in Azure. If you're connecting an on-premises environment to Azure, minimize exposure of on-premises resources to the public internet.

Azure has two DDoS service offerings that provide protection from network attacks:
Enable Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies.

Enable Azure Policy to monitor and enforce your organization's written policy. This ensures compliance with your company or regulatory security requirements by centrally managing security policies across your hybrid cloud workloads. Learn how to create and manage policies to enforce compliance. See Azure Policy definition structure for an overview of the elements of a policy.

Here are some security best practices to follow after you adopt Azure Policy:

Best practice: Policy supports several types of effects. You can read about them in Azure Policy definition structure. Business operations can be negatively affected by the deny effect and the remediate effect, so start with the audit effect to limit the risk of negative impact from policy. For more information, see Create and manage policies to enforce compliance.
Best practice: Identify the roles responsible for monitoring for policy violations and ensuring that the right remediation action is taken quickly.
Best practice: Azure Policy is a technical representation of an organization's written policies. Map all Azure Policy definitions to organizational policies to reduce confusion and increase consistency.

The vast majority of security breaches take place when attackers gain access to an environment by stealing a user's identity. Discovering compromised identities is no easy task. Azure AD uses adaptive machine learning algorithms and heuristics to detect suspicious actions that are related to your user accounts. Each detected suspicious action is stored in a record called a risk detection. Risk detections are recorded in Azure AD security reports. For more information, read about the users at risk security report and the risky sign-ins security report.

Next steps

See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure. The following resources are available to provide more general information about Azure security and related Microsoft services:
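The two governance mechanisms this article describes, management group inheritance (Organize Azure subscriptions into management groups) and policy effects (Enable Azure Policy), as one added example that is not code from the article, from Azure Policy, or from Microsoft. It is a small Python model: assignments made at a management group apply to every subscription beneath it, the depth check enforces the six-level limit Azure places on management groups below the root, and a reduced evaluator handles the policy rule grammar's allOf, equals, in, notIn and exists operators with the audit, deny and disabled effects (the real language has many more operators and effects). The scope names (Tenant Root Group, Production, Sandbox, prod-sub-001, sandbox-sub-001), the two definitions and the assignment names are constructed for the example.

```python
from dataclasses import dataclass, field

MAX_MG_DEPTH = 6  # Azure's limit: six management group levels below the root (root and subscriptions excluded)


@dataclass
class Assignment:
    """A policy definition assigned at a scope, plus the parameter values chosen for it."""
    name: str
    definition: dict            # {"parameters": {...}, "policyRule": {"if": ..., "then": {"effect": ...}}}
    parameters: dict = field(default_factory=dict)

    def effect(self):  # resolves a "[parameters('name')]" reference in then.effect; lowercased
        raw = self.definition["policyRule"]["then"]["effect"]
        if raw.startswith("[parameters('") and raw.endswith("')]"):
            pname = raw[len("[parameters('"):-3]
            default = self.definition.get("parameters", {}).get(pname, {}).get("defaultValue")
            raw = self.parameters.get(pname, default)
        return str(raw).lower()


@dataclass
class Scope:
    """A node of the hierarchy: the root group, a management group, or a subscription."""
    name: str
    kind: str                   # "managementGroup" or "subscription"
    parent: "Scope | None" = None
    assignments: list = field(default_factory=list)

    def add_child(self, name, kind="managementGroup"):
        child = Scope(name, kind, parent=self)
        if kind == "managementGroup" and child.mg_depth() > MAX_MG_DEPTH:
            raise ValueError(f"{name}: exceeds the {MAX_MG_DEPTH}-level management group limit")
        return child

    def mg_depth(self):  # management groups between this scope and the root, root excluded
        depth, node = 0, self
        while node.parent is not None:
            depth, node = depth + (node.kind == "managementGroup"), node.parent
        return depth

    def effective_assignments(self):  # root first, then each level down: inheritance is automatic
        chain, node = [], self
        while node is not None:
            chain, node = chain + [node], node.parent
        return [a for scope in reversed(chain) for a in scope.assignments]


def resolve_field(resource, name):  # policy 'field' lookup: 'type', 'location', or tags['key']
    if name.startswith("tags[") and name.endswith("]"):
        return resource.get("tags", {}).get(name[5:-1].strip("'"))
    return resource.get(name)


def condition_holds(cond, resource):
    """A subset of the policy rule grammar: allOf plus equals, in, notIn and exists."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_resource(scope, resource):
    """Apply every inherited assignment. Returns (allowed, [(assignment name, effect), ...])."""
    findings, allowed = [], True
    for a in scope.effective_assignments():
        effect = a.effect()
        if effect != "disabled" and condition_holds(a.definition["policyRule"]["if"], resource):
            findings.append((a.name, effect))  # the 'if' block matched, so the resource is non-compliant
            allowed = allowed and effect != "deny"
    return allowed, findings


# Constructed definitions. ALLOWED_LOCATIONS parameterises its effect so one definition can run
# as Audit tenant-wide and as Deny only on the branch where the impact has been tested.
ALLOWED_LOCATIONS = {
    "parameters": {"effect": {"type": "String", "defaultValue": "Audit"}},
    "policyRule": {"if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
                   "then": {"effect": "[parameters('effect')]"}}}
REQUIRE_OWNER_TAG = {"policyRule": {
    "if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                     {"field": "tags['owner']", "exists": "false"}]},
    "then": {"effect": "Deny"}}}


def build_demo_hierarchy():  # Root -> Production and Sandbox, one subscription each (constructed names)
    root = Scope("Tenant Root Group", "managementGroup")
    root.assignments.append(Assignment("allowed-locations", ALLOWED_LOCATIONS))  # Audit, the default
    prod, sandbox = root.add_child("Production"), root.add_child("Sandbox")
    prod.assignments.append(Assignment("allowed-locations-prod", ALLOWED_LOCATIONS, {"effect": "Deny"}))
    prod.assignments.append(Assignment("require-owner-tag", REQUIRE_OWNER_TAG))
    return root, prod.add_child("prod-sub-001", "subscription"), sandbox.add_child("sandbox-sub-001", "subscription")


if __name__ == "__main__":
    root, prod_sub, sandbox_sub = build_demo_hierarchy()
    request = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus", "tags": {}}
    print(evaluate_resource(prod_sub, request), evaluate_resource(sandbox_sub, request))
```

The same allowed-locations definition is assigned twice: at the root with its default Audit effect, so every subscription in the directory reports the non-compliant storage account, and again under Production with the effect parameter set to Deny, where the request is rejected. That is the staged rollout the "start with the audit effect" best practice describes: the audit findings from the root assignment show what a deny would have blocked before the deny is applied to any branch, and a new subscription moved under Production picks up both assignments with no per-subscription configuration.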
What provides organizations with the ability to manage the compliance of Azure resources across multiple subscriptions?
Resource groups provide organizations with the ability to manage the compliance of Azure resources across multiple subscriptions.

Which of the following allows you to easily manage access policies and compliance across multiple subscriptions?
Azure Management Groups provide flexibility for organizing policy, access control, and compliance across multiple subscriptions.

What can you use to deploy Azure resources across multiple subscriptions?
To simplify the management of resources, you can use an Azure Resource Manager template (ARM template) to deploy resources at the level of your Azure subscription. For example, you can deploy policies and Azure role-based access control (Azure RBAC) to your subscription, which applies them across your subscription.

Which of the following can be used to manage governance across multiple Azure subscriptions?
Management Groups. Management groups facilitate the hierarchical ordering of Azure resources into collections, at a level of scope above subscriptions.