Our Azure products and services come with comprehensive security features and configuration settings. They are mostly customizable (to a point), so you can define and implement a security posture that reflects the need of your organization. But adopting & maintaining a good security posture goes far beyond turning on the right settings.
Mark Simos, lead Cyber security architect for Microsoft, explored the lessons learned from protecting both Microsoft’s own technology environments and the responsibility we have to our customers, and shares the top 10 (+1!) recommendations for Azure security best practices.
1. People: Educate teams about the cloud security journey
2. People: Educate teams on cloud security technology
3. Process: Assign accountability for cloud security decisions
4. Process: Update Incident Response (IR) processes for cloud
5. Process: Establish security posture management
6. Technology: Require Passwordless or Multi-Factor-Authentication
7. Technology: Integrate native firewall and network security
8. Technology: Integrate native threat detection
9. Architecture: Standardize on a single directory and identity
10. Architecture: Use identity based access control (instead of keys)
11. Architecture: Establish a single unified security strategy
These best practices have been included as a resource in the Microsoft Cloud Adoption Framework for Azure, where you can get more details on the what, why, who and how of each of these points. Get the details here.
I love that this is broken into people, process, technology and architecture. While statistics prove that capabilities like Multi-Factor Authentication significantly reduce security risk, both people and processes are crucial to protecting from and responding to security threats.
Some of those points look clear and simple on the surface, but may be the hardest to implement in your organization (like assigning accountability for cloud security decisions). Or you may have many of the people and process items already in place for an on-premises environment – these are just as valid for on-prem or hybrid environments too.
Don’t brush this off as too simple and not worth your time. Locking the front door of your house is a simple but effective habit for increasing the security of your home. Complex technology systems can also benefit from organizations having the simplest, most effective people and process elements too.
Prefer to watch a video? Let Mark take you through the details of each tip: