Author: Stefan Gajic, Cloud and Infrastructure Lead at P3 Group, MCT at Semos Education

In this blog, we are going to cover the most important security best practices to protect your IaaS. This will be a teaser for those who are not familiar with these methods to start thinking and learning about security in Azure, and for those of you who are already implementing some of these security features reminders to continue doing so or to even pay more attention security of IaaS.

Remember, security in Azure is shared responsibility and we are responsible for how the infrastructure will be protected. Don’t allow incidents to be initiators of tidying up security but better be proactive and always have in mind that you’re responsible for the security of workloads in Azure.

Here are the topics that we are going to cover, and these best practices are already written in official Microsoft documentation, however, I was free to spice it up with my experience:

1. Virtual Machines planning and deployment
2. Protect Virtual Machines with Access Control (IAM)
3. Endpoint protection for virtual machines
4. VMs availability
5. VM Updates – security patching
6. Encrypt hard drives
7. Network security for VM
8. Just in time VM access
9. Monitoring your infrastructure

Virtual Machines planning and deployment
When it comes to planning there are a lot of things considered as common sense and from my practical experience, most of the things that are “going without saying” are the place where things will fall apart. That is why I always like to start a project with proper planning, or how my ex-boss would say “Doing something without planning is equal to not doing it”. To analyze and talk to people, you might be working in IT ops or DevOps team that will be responsible for assigning access to IaaS to others or you can be requestor, doesn’t matter, always ask for planning sessions – the question is why? Well people sometimes asking for resources in cloud that is not necessarily needed, and, in most cases, they will not pay a lot of attention to security. Security is SHARED RESPONSIBILITY between cloud provider, in this case, Microsoft and you as a client:

Once you clear up everything with your clients, colleagues or whoever you are working with, document it (don’t go lazy and leave that for later), send it as a mini-project plan to your team, and as a best practice, in this case, make your documentation with the practices you want to be implemented –of course, you can have Blueprints and policies in place, and if your environment is on this level, thumbs up, however usually IT departments will not have much time configuring all of these, so be prepared with “best practices” documents. 

During the planning use, Azure Calculator and setup budget alerts for your infrastructure at least to avoid financial risk with are under the scope of security. 

Protect Virtual Machines with Access Control (IAM)

The first thing you want to know during the planning sessions is what is required for the team or the person who will use IaaS – always use the least privilege approach – so you give them exactly what they need, if they need more you will be the one who will approve it, and if they don’t complain, well, you are good to go and be safe. There are a few different roles that you can use. Follow the official Microsoft link to check which one fits your needs the best.

Endpoint protection for virtual machines

Once you have deployed infrastructure or virtual machine, then it’s time for you to think about Endpoint protection. Same as for your personal laptop, you want to be safe, right? Then how come some people forget to set up an endpoint on VMs.

You should install antimalware protection to help identify and remove viruses, spyware, and other malicious software. You can install Microsoft Antimalware or a Microsoft partner’s endpoint protection solution (Trend Micro, Broadcom, McAfee, Windows Defender, and System Center Endpoint Protection). Microsoft is spending 1billion a year for security —why not use it, it’s like free money that can save your infra? 

VMs availability

When it comes to availability the guaranteed numbers for SLA (service level agreement) are really good, but your VM may go down if there is some issue or maintenance window You want to prevent this the best you can.

These two practices will help you out: Availability sets and Availability Zone 

If you are still not familiar with how to utilize these great features I strongly advise you to find it in Microsoft docs and start using it for the most important resources in your environment.

VM Updates – security patching

• Azure VMs, like all on-premises VMs, are meant to be user-managed. Azure does not push Windows updates to them. You need to manage your VM updates.
• Keep your VMs current. 
• If you use Windows Update, leave the automatic Windows Update setting enabled. Ensure at deployment that images you built to include the most recent round of Windows updates.
• Periodically redeploy your VMs to force a fresh version of the OS.
• Define your VM with an Azure Resource Manager template so you can easily redeploy it. Using a template gives you a patched and secure VM when you need it.  
• Rapidly apply security updates to VMs.
• Azure Security Center (Free tier or Standard tier) to identify missing security updates and apply them.
• Install the latest security updates.
• Deploy and test a backup solution.
  

A backup needs to be handled the same way that you handle any other operation. This is true of systems that are part of your production environment extending to the cloud.

Encrypt hard drives

• It’s highly recommended that you encrypt your virtual hard disks (VHDs) to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks.
• Use a key-encryption key (KEK) for an additional layer of security for encryption keys. Add a KEK to your key vault.
• Take a snapshot and/or backup before disks are encrypted. Backups provide a recovery option if an unexpected failure happens during encryption.
• To make sure the encryption secrets don’t cross regional boundaries, Azure Disk Encryption needs the key vault and the VMs to be located in the same region.

Network security for VM

• Identify and remediate exposed VMs that allow access from “any” source IP address.
• Configure NSG – Network security groups. 
• By default, every VM has opened RDP and SSH ports from any location. This, with a public IP address assigned to VM, is a call for hackers, as every public IP address is scanned and attackers can, or I would even say will attack it if you leave it like that.
• Get into details and build your NSG so only users from certain IP addresses can access your VM.
• Take some highly confidential server where user data is stored. How would you protect it? Consider using jump servers. These are virtual machines, non-domain joined, from only which you can further access other VMs in your environment. 

Just in time VM access (JIT)
Restrict management ports (RDP, SSH). Detail: Just-in-time (JIT) VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. When JIT is enabled, Security Center locks down inbound traffic to your Azure VMs by creating a network security group rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the JIT solution.

Read about potential attack scenarios that can happen to you and then you will implement JIT quickly 😊.

Monitoring your infrastructure

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centres, and provides advanced threat protection across your hybrid workloads in the cloud – whether they’re in Azure or not – as well as on-premises. Recommended is the usage of Azure Monitor to gain visibility into your resource’s health. Azure Monitor features:

• Resource diagnostic log files: Monitors your VM resources and identifies potential issues that might compromise performance and availability.
• Azure Diagnostics extension: Provides monitoring and diagnostics capabilities on Windows VMs. You can enable these capabilities by including the extension as part of the Azure Resource Manager template.

Organizations that don’t monitor VM performance can’t determine whether certain changes in performance patterns are normal or abnormal. A VM that is consuming more resources than normal might indicate an attack from an external resource or a compromised process running in the VM.

Thank you for reading this blog.

More details and references see on this link