PILLAR 3: SECURITY
Welcome back to the Azure Well-Architected Framework blog series. So far, we have covered the introduction to the Azure Well-Architected Framework and the first 2 pillars, Cost Optimisation and Operational Excellence.
Now, we will dive deep into the third pillar that is high on a lot of people’s lists: Security
As a refresher, here’s a recap of the five pillars:
- Cost Optimisation: Managing costs to increase the value produced
- Operational Excellence: Processes which keep a system operating in production
- Security: Protecting applications and data from any threats
- Reliability: The system’s ability to recover from failures and resume operation
- Performance Efficiency: The system’s ability to adapt to changes in load
Design and build applications around security
Security is one of the most important aspects of any architecture, so it must be at the core of any workload. Security in applications is all about asking the right questions.
To identify which parts of your application need the greatest protection, perform a threat analysis by asking questions such as:
- What are the regulatory or governance requirements?
- How are you handling secrets in your applications host headers?
- Are the application language’s frameworks and libraries secure?
- What is the classification of the application?
Simple questions like these can provide insight into potential risk as well as a starting point for advanced threat modeling.
If you want to measure your application’s security, you can do so by using the Azure Well-Architected Assessment Tool. Select the workload type, then choose Security on the following page. You can perform this assessment on all pillars of the Azure Well-Architected Framework.
Security principles to evaluate
Whether on-premise, in the cloud or hybrid, you need a defense in-depth (DiD) strategy to secure your applications. Here is a list of recommended approaches to maintain the confidentiality, integrity and availability of your workload and its data.
- Align security goals and outcomes to your business
Security resources should be focused on people and assets (systems, data, accounts, etc.) with intrinsic business value and those with administrative privileges over mission-critical assets.
- Build a detailed strategy
Consider investments in culture, processes and security controls across all system components. You also want to think about implementing security for the full lifecycle of system components including software, hardware and services.
- Design for an attack
Design from an attacker’s point of view. Use penetration testing (pentest) and red teams to simulate attacks. Implement enterprise segmentation and reduce the attack surface.
- Leverage the cloud’s native security controls
Cloud-native security controls are maintained and supported by the service provider. This eliminates and/or reduces efforts required to integrate and update external security tooling. Services like Microsoft Defender and Microsoft Sentinel can be used for best-in-class security.
- Use identity as the primary access control
Access to resources in cloud architectures is primarily governed by identity-based authentication and authorisation. Use identity systems for controlling access rather than relying on network controls or direct use of cryptographic keys.
- Assign accountability
Define clear lines of ownership of resources and security responsibilities. Implement the practice of least privilege.
- Automate
Manual tasks are prone to error and are often not documented. Automate as much as possible and audit the process to ensure errors are being eliminated.
- Protect your information
Classify and tag all corporate information. Determine its value and the best way to protect it once it is being used in a collaborative setting (e.g. email, mobile, workstations, collaborative applications).
- Design for resilience
Implement a DID security posture, practice granting least privilege, maintain current security controls and ensure anomalies and threats can be addressed in a timely manner.
- Ensure compliance
Audit your baseline to be sure it conforms to your compliance benchmark. Non-compliance not only represents an opening for attack, but can result in a costly fine.
- Plan for continuous improvement
Implement processes that proactively integrate realistic penetration testing, red team activities, learnings from real world attacks and other sources.
- Implement ero-trust
When evaluating access requests, all requesting users, devices and applications should be considered untrusted until their integrity can be sufficiently validated.
- Educate users
It is critical to ensure all users are educated, informed and incentivised to support the security assurance goals of the system. This is especially important for administrative users.
Designing for Security
In addition to the list above, you can find more security guidance in the NIST Cybersecurity Framework lifecycle. Read on to learn more about what designing for security looks like in action.
Organisational policies
When designing for security, recognise the role of governance in reducing risks. Set organisational policies for operations, technologies and configurations based on internal factors (business requirements, risks, asset evaluation) and external factors (benchmarks, regulatory standards, threat environment).
After the policies are set, continuously improve those standards incrementally. Ensure the security posture doesn’t degrade over time by maintaining auditing and monitoring compliance.
Network security
Network security controls provide a DiD strategy that helps detect, contain and stop attackers. Protect endpoints with Azure Front Door, Application Gateway and Azure Firewall. Azure cloud services can scale out to handle distributed denial-of-service attacks, but enabling Azure’s DDoS Protection is recommended to ensure greater security.
Identity and access management
Identity and access management is another critical part of the unified implementation strategy we mentioned above. Use identity management services to authenticate and grant permission to users, partners, customers, applications, services and other entities. Avoid communication over the internet with service and private endpoints.
Data protection
Data classification allows you to determine and assign value to your organisation’s data in order to manage and protect sensitive or important data from theft or loss. Use tags to classify your data as a starting point for managing and securing cloud resources. Examples of classifications are: non-business, public, general, confidential and highly confidential.
Encrypt resources that are “at rest” and “in transit,” and monitor file access with Azure Monitor. Use identity-based storage access controls versus keys (if possible). Leverage built-in features such as disk encryption and Azure’s Key Vault with identity-based policies to access the vault. Lastly, monitor all user access to the vault with Azure Monitor for Key Vault.
Monitor your security position
Azure’s tools and services allow you to monitor your security and remediate incidents in one place. Consolidate security logs from Linux and Windows virtual machines with Azure Monitor via the Microsoft Monitoring Agent (MMA). Monitor for potential and successful attacks with tools including Microsoft Defender for Cloud (which includes Microsoft Defender for Cloud Apps) and Azure Sentinel (or other third-party SIEM tools).
Enable additional tools such as Azure DDoS, Azure Rights Management and Microsoft Purview Information Protection. Incorporate a rhythm of pentesting, identity and other simulated attacks to monitor and validate your application security health as well as periodic reviews and audits.
Optimise your security landscape
To set your security landscape on a path toward continuous improvement, implement a DevOps/DevSecOps strategy. Automate process where possible, replace insecure and outdated protocols, and enable just in time (JIT) access and Privileged Identity Management (PIM) to assist in keeping with the granting of least privilege. Always aim for the Zero-Trust strategy.
CONCLUSION
The importance of application security cannot be overstated. The Security Pillar of the Well-Architected Framework puts a spotlight on removing complexity from architectures, automating where possible, implementing a unified segmentation approach, monitoring and performing attack solutions and improving the security posture of the workload.
This post covered just the tip of the iceberg – we strongly recommend visiting the links peppered throughout this post to dive deeper into each topic.
Coming up next in the series
Our next post will be on the pillar of Reliability. Stay tuned!
In the meantime, check out our other Azure blog posts for more on Microsoft’s public cloud computing platform.
