Azure security – For beginners and advanced users
When people talk about the public cloud, it doesn't take them long to namedrop the major hyperscalers like Amazon AWS and Microsoft Azure. Azure in particular is catching up with Amazon in Germany and all over the world. Now there is generally nothing wrong with using the public cloud – where it makes sense. This has a lot to do with the confidentiality of the processed data and the intended type of application. If an organization decides that it is in favor of using Microsoft Azure after considering these aspects, that's fine. However, before handing over the corporate credit card and creating an account, there is still much to think about. Even if you want to migrate existing workloads to the cloud, direct migration of existing systems is not always possible and rarely makes sense. Azure includes many native features that harness the real potential of the public cloud. Without customizing existing applications, an organization can risk missing out on key features.
It is just as important to take a good look at information security. Even if compliance is an unpopular topic, Azure requires a great deal of preparation to ensure a secure environment that is easy to manage. Fortunately, Microsoft has been working hard to help its users with these questions. The Cloud Adoption Framework has been available for some time. It is a comprehensive guide on how to tackle cloud migration in easy to follow parts. From the defining strategy to the topics of governance and management, it includes everything an organization – especially a cloud architect – should be thinking about. The Cloud Adoption Framework is not a quick assessment tool, but is actually indispensable for using cloud services effectively. However, it does not specifically address security issues. These are covered by the Security Baselines.
The Security Baselines are derived from the CIS benchmarks. CIS – Center for Internet Security – is a non-profit organization that manages various security initiatives. CIS are also well known for hardening instructions for operating systems and network equipment. They use the term benchmark for best practices. CIS has also worked with Microsoft to develop a specific benchmark for Azure. Microsoft refer to this as Security Baseline in official training and technical documentation. Similar to a compliance framework, but much more detailed, the Security Baseline describes how to configure Azure to achieve a defined security level. There are two levels: Level 1 represents the recommended minimum requirements, Level 2 is designed for highly secure applications and restricts some functionality.
The beauty of Security Baseline is its practical relevance. Unlike ISO or BSI Basic Protection, it clearly describes how to configure Azure to achieve the desired security level. Whether identity and access management, security centers, storage accounts or SQL databases – the Security Baseline has it covered. Businesses who choose not to implement security and advance planning, tenant/subscription design, management groups or policy structure should at least implement the Security Baseline.
And if that's not enough, Microsoft recently released an important tool for security professionals: The Security Compass. This set of videos and documents includes a 150-page presentation and contain complete blueprints for a secure Azure environment. In addition to example tables for roles/rights assignments , there is also a short version with 10 best practices in a streamlined PowerPoint deck. Reading and understanding the main presentation alone takes a whole day. Anyone who wants to work with the template can prepare for a few weeks of intensive discussions and coordination throughout their organization. At the end of the day, it's almost like painting by numbers for security: All you need to do is connect the dots and in the end you will have a secure Azure setup.