Microsoft Azure users often find their cloud infrastructure grows faster than they expected. Because Azure cloud infrastructure is flexible and easy to provision, they discover new ways to use it, moving more data and code into the cloud as time goes by.
Unfortunately, security vulnerabilities grow along with the infrastructure. Security, data privacy, and regulatory compliance aren’t free on the cloud; they require rigorous adherence to security best practices. Azure offers security, monitoring, and automation services that help users run code and store data securely, but it leaves it to the user to apply those tools effectively.
Azure users must understand how to secure their infrastructure or hire someone to secure it for them. In this article, we look at six of the most common security problems our Azure management and DevOps teams find on businesses’ Azure infrastructure.
Misconfiguration is the root cause of most Azure security problems. Azure itself is a secure platform, but it is easy to configure and use Azure infrastructure insecurely. Millions of private records have leaked in the last few years because of cloud misconfiguration, especially the misconfiguration of databases and object storage services.
The average organization operates at least 14 misconfigured IaaS instances, according to McAfee’s Cloud Adoption and Risk Report, with an average of 2,269 misconfiguration incidents per month. Misconfiguration doesn’t always cause cloud security problems, but cloud security problems are almost always caused by misconfiguration.
Misunderstanding The Shared Responsibility Model
Microsoft Azure operates a shared responsibility security model. Microsoft is responsible for some aspects of Azure security; users are responsible for other aspects. Security vulnerabilities result when Azure users don’t understand what they are responsible for and the tools and services Azure provides to help them. The division of responsibility differs depending on the Azure service.
For IaaS services such as Azure VMs, Microsoft is responsible for physical security, network hardware, and the hypervisor. Users are responsible for the security of the operating system, network configuration, identity management, data storage, applications, and more. On a PaaS platform like Azure Web Apps, Microsoft takes on additional responsibilities, including patching the operating system and managing the underlying network, but users still own their identities and access policies, their application code and its dependencies, and the data the application stores.
Azure users who don’t understand where the division of responsibility is are at risk of creating easily avoided security vulnerabilities.
Failing To Encrypt Data At Rest
Data should be encrypted at rest and in transit. Encryption in transit can be complicated; encryption at rest is straightforward on Azure, which offers several encryption and key-management options depending on the type of storage.
Azure Blob Storage encrypts blobs at rest by default, with Microsoft-managed keys unless the user supplies their own. Managed disks are also encrypted at rest by default, using server-side encryption with platform-managed keys. What is not enabled by default is anything beyond that baseline: customer-managed keys held in Azure Key Vault (attached to the disk through a disk encryption set), and Azure Disk Encryption, which encrypts the OS and data volumes inside the guest with BitLocker or dm-crypt so that a disk detached and attached to another VM is unreadable without the key. Both options are free, and disks holding data an organization classifies as sensitive should use them.
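A concrete way to find disks that fall short of that policy is to audit the output of `az disk list` rather than trusting that "encrypted by default" settles the matter. The script below is an added example, not code from the original article; it runs over a constructed sample in the shape of the CLI's JSON output (field names follow the ARM Disk resource: `encryption.type`, `encryptionSettingsCollection.enabled`, `diskState`; the disk names, tags and the disk encryption set ID are hypothetical) and flags confidential disks that are still on platform-managed keys, confidential disks without in-guest Azure Disk Encryption, and unattached disks that still hold data.

```python
import json

# Constructed sample in the shape of `az disk list -o json`, trimmed to the fields
# this check reads. Names, tags and the disk encryption set ID are hypothetical.
SAMPLE_DISKS_JSON = """[
  {"name": "web01_OsDisk", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
   "encryptionSettingsCollection": null,
   "tags": {"data-classification": "internal"}},
  {"name": "db01_data0", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
   "encryptionSettingsCollection": null,
   "tags": {"data-classification": "confidential"}},
  {"name": "db02_data0", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/diskEncryptionSets/des-prod"},
   "encryptionSettingsCollection": {"enabled": true},
   "tags": {"data-classification": "confidential"}},
  {"name": "restore-test-2019", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
   "encryptionSettingsCollection": null,
   "tags": {}}
]"""


def audit_disks(disks_json, cmk_required_for=("confidential",)):
    """Return (disk name, issue) pairs for disks that fall short of the policy:
    confidential disks need a customer-managed key and in-guest encryption,
    and no disk should sit unattached holding data nobody is watching."""
    findings = []
    for disk in json.loads(disks_json):
        name = disk["name"]
        enc_type = (disk.get("encryption") or {}).get("type", "")
        ade_on = bool((disk.get("encryptionSettingsCollection") or {}).get("enabled"))
        tier = (disk.get("tags") or {}).get("data-classification", "unclassified")
        if tier in cmk_required_for:
            # Server-side encryption is always on; the question is who holds the key.
            if "CustomerKey" not in enc_type:
                findings.append((name, "platform-managed key only; policy requires a customer-managed key"))
            if not ade_on:
                findings.append((name, "no Azure Disk Encryption (BitLocker/dm-crypt) inside the guest"))
        if disk.get("diskState") == "Unattached":
            findings.append((name, "unattached disk still holds data; delete it or bring it under policy"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_disks(SAMPLE_DISKS_JSON):
        print(f"{name}: {issue}")
```

For a live subscription, feed it `az disk list -o json`. The `encryptionSettingsCollection` field is populated when Azure Disk Encryption has been applied to the VM the disk belongs to; `az vm encryption show` remains the authoritative per-VM view, so treat a missing field here as a prompt to check, not as proof.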
Data Storage Access Misconfiguration
Several mechanisms govern access to data stored in Azure Blob Storage: Azure RBAC role assignments, the storage account keys, shared access signatures, and each container's anonymous public access level. The last of these is the dangerous one. Setting a container's public access level to Blob lets anyone on the internet read any blob whose URL they know or guess; setting it to Container also lets them list every blob in it, with no credentials at all. The account-level "Allow Blob public access" switch disables anonymous access for the whole account regardless of container settings, and should be off unless a container is genuinely meant to be public.
Often, this is done for convenience or to share data without having to set access permissions and identities correctly. Whatever the motivation, it’s a mistake that can expose Azure users to expensive, embarrassing, and potentially illegal security risks.
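The two settings interact, so an audit has to read both. The script below is an added example, not code from the original article; it evaluates constructed samples in the shape of `az storage account list` and `az storage container list --account-name <name>` output (the `allowBlobPublicAccess` and `properties.publicAccess` fields are the real ones; the account and container names are hypothetical) and reports every container that is reachable anonymously.

```python
import json

# Constructed samples in the shape of `az storage account list -o json` and
# `az storage container list --account-name <name> -o json`, trimmed to the
# fields this check reads. Account and container names are hypothetical.
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "stprodlogs", "allowBlobPublicAccess": false},
  {"name": "stmarketing", "allowBlobPublicAccess": true},
  {"name": "stlegacy", "allowBlobPublicAccess": null}
]"""

SAMPLE_CONTAINERS_JSON = {
    "stprodlogs": """[{"name": "audit", "properties": {"publicAccess": null}}]""",
    "stmarketing": """[{"name": "assets", "properties": {"publicAccess": "blob"}},
                       {"name": "exports", "properties": {"publicAccess": "container"}}]""",
    "stlegacy": """[{"name": "backups", "properties": {"publicAccess": "container"}}]""",
}


def audit_public_access(accounts_json, containers_json_by_account):
    """Return (account, container, issue) triples describing anonymous exposure.

    The account-level allowBlobPublicAccess switch overrides the containers:
    when it is False, anonymous requests are refused whatever the container
    says, so those accounts are skipped. When it is null it was never set
    explicitly and the effective value depends on when the account was
    created, so it is reported and the container settings are treated as live."""
    findings = []
    for account in json.loads(accounts_json):
        name = account["name"]
        allow = account.get("allowBlobPublicAccess")
        if allow is False:
            continue
        if allow is None:
            findings.append((name, None, "allowBlobPublicAccess not explicitly disabled; set it to false"))
        for container in json.loads(containers_json_by_account.get(name, "[]")):
            level = (container.get("properties") or {}).get("publicAccess")
            if level == "container":
                findings.append((name, container["name"],
                                 "anyone can list and read every blob in the container"))
            elif level == "blob":
                findings.append((name, container["name"],
                                 "anyone who knows or guesses a blob URL can read it"))
    return findings


if __name__ == "__main__":
    for account, container, issue in audit_public_access(SAMPLE_ACCOUNTS_JSON, SAMPLE_CONTAINERS_JSON):
        print(f"{account}/{container or '-'}: {issue}")
```

The fix for an account that has no business serving anonymous readers is one command, `az storage account update --name <name> --allow-blob-public-access false`; containers that must stay public should be the exception you can enumerate, not the default you discover.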
Exposing Services To The Open Internet
When we mentioned the shared responsibility model for security, we said that IaaS users are responsible for the security of operating systems and applications. That includes databases and other services running on servers.
For example, users are responsible for securing MySQL or MongoDB databases they install on their Azure VMs. Those databases are not particularly insecure, but inexperienced users can configure them so that anyone can access the data they store: a database listening on all interfaces without authentication, behind a network security group rule that allows inbound traffic on its port from any source, is readable by the whole internet. Hundreds of millions of records have been leaked in this way over the past few years.
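The network half of that mistake is visible in the NSG rules, and a rule that allows everything from `*` is as bad as one that names the database port explicitly. The script below is an added example, not code from the original article; it runs over a constructed sample in the shape of `az network nsg list` output (the rule fields are the real ARM names; the NSG and rule names are hypothetical) and, for each well-known database and management port, finds the first inbound rule that matches an internet source, honouring NSG semantics where the lowest priority number wins whether it allows or denies.

```python
import json

# Sources that mean "the whole internet" as written in an NSG rule. A wide CIDR
# such as 0.0.0.0/1 would slip past this set; compare prefixes if you need that.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

# Constructed sample in the shape of `az network nsg list -o json`, trimmed to
# the fields this check reads. NSG and rule names are hypothetical.
SAMPLE_NSGS_JSON = """[
 {"name": "nsg-db", "securityRules": [
   {"name": "deny-mysql-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
    "protocol": "Tcp", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
    "destinationPortRange": "3306", "destinationPortRanges": []},
   {"name": "allow-all", "priority": 200, "direction": "Inbound", "access": "Allow",
    "protocol": "*", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
    "destinationPortRange": "*", "destinationPortRanges": []}
 ]},
 {"name": "nsg-web", "securityRules": [
   {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
    "destinationPortRange": "443", "destinationPortRanges": []},
   {"name": "allow-mgmt", "priority": 110, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "sourceAddressPrefixes": [],
    "destinationPortRange": null, "destinationPortRanges": ["22", "27000-27100"]}
 ]}
]"""


def port_ranges(rule):
    """Expand destinationPortRange / destinationPortRanges into (low, high) tuples."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            low, high = item.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def sources(rule):
    """Collect the rule's source prefixes, lower-cased for comparison."""
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return {p.lower() for p in prefixes}


def audit_nsgs(nsgs_json):
    """Return (nsg, rule, port, service) for every sensitive port the internet can reach."""
    findings = []
    for nsg in json.loads(nsgs_json):
        rules = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
        for port, service in SENSITIVE_PORTS.items():
            for rule in rules:
                if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", "Tcp"):
                    continue
                if not any(low <= port <= high for low, high in port_ranges(rule)):
                    continue
                if not (sources(rule) & INTERNET_SOURCES):
                    continue
                if rule["access"] == "Allow":
                    findings.append((nsg["name"], rule["name"], port, service))
                break  # first matching rule wins; the default DenyAllInBound covers the rest
    return findings


if __name__ == "__main__":
    for nsg, rule, port, service in audit_nsgs(SAMPLE_NSGS_JSON):
        print(f"{nsg}: rule {rule} exposes {service} ({port}) to the internet")
```

In the sample, the explicit deny on 3306 protects MySQL, but the catch-all allow behind it still exposes SSH, RDP and every other listed port, and the management rule on the web NSG opens MongoDB's port through a range nobody meant to include it in. Passing the script real output also covers the default rules only implicitly: they never allow internet traffic, so a port with no matching custom rule is treated as closed.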
Lack of Security Monitoring
Azure lacks out-of-the-box alerts and notifications for much of the telemetry businesses care most about. Azure Security Center (now Microsoft Defender for Cloud) raises recommendations and alerts for serious security flaws, such as VMs without disk encryption, but for the most part Azure expects users to build and manage their own alerts on the extensive telemetry it provides: the activity log, per-resource diagnostic logs, and queries over a Log Analytics workspace.
The consequence is that many businesses with infrastructure on Azure lack insight into their infrastructure and potential security vulnerabilities.
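One alert worth building yourself is "someone read our blobs without authenticating", which the storage resource logs record but nothing raises by default. The script below is an added example, not code from the original article; it runs the detection over constructed sample rows in the shape of the StorageBlobLogs table (the `AuthenticationType`, `OperationName`, `StatusCode` and `Uri` columns are the real ones; the account names, IPs and URIs are hypothetical) and reports anonymous requests against any container that is not on an explicit list of intentionally public ones, including failed probes.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of StorageBlobLogs rows (blob resource logs sent to a Log
# Analytics workspace), one JSON object per line, trimmed to the columns this
# detection reads. Account names, IPs and URIs are hypothetical.
SAMPLE_BLOB_LOG_LINES = """
{"TimeGenerated": "2024-03-01T10:00:01Z", "AccountName": "stmarketing", "OperationName": "GetBlob", "AuthenticationType": "Anonymous", "StatusCode": 200, "CallerIpAddress": "203.0.113.7:51234", "Uri": "https://stmarketing.blob.core.windows.net/assets/logo.png"}
{"TimeGenerated": "2024-03-01T10:00:02Z", "AccountName": "stmarketing", "OperationName": "GetBlob", "AuthenticationType": "Anonymous", "StatusCode": 200, "CallerIpAddress": "198.51.100.9:40211", "Uri": "https://stmarketing.blob.core.windows.net/exports/customers-2024-02.csv"}
{"TimeGenerated": "2024-03-01T10:00:03Z", "AccountName": "stmarketing", "OperationName": "ListBlobs", "AuthenticationType": "Anonymous", "StatusCode": 200, "CallerIpAddress": "198.51.100.9:40212", "Uri": "https://stmarketing.blob.core.windows.net/exports?restype=container&comp=list"}
{"TimeGenerated": "2024-03-01T10:00:04Z", "AccountName": "stprodlogs", "OperationName": "GetBlob", "AuthenticationType": "OAuth", "StatusCode": 200, "CallerIpAddress": "10.0.1.4:33000", "Uri": "https://stprodlogs.blob.core.windows.net/audit/2024-03-01.log"}
{"TimeGenerated": "2024-03-01T10:00:05Z", "AccountName": "stprodlogs", "OperationName": "GetBlob", "AuthenticationType": "Anonymous", "StatusCode": 404, "CallerIpAddress": "198.51.100.9:40213", "Uri": "https://stprodlogs.blob.core.windows.net/audit/2024-03-01.log"}
"""

# (account, container) pairs that are meant to be public, e.g. a static site's assets.
ALLOWED_PUBLIC = {("stmarketing", "assets")}


def container_of(uri):
    """The container is the first path segment of a blob-service URL."""
    return urlparse(uri).path.lstrip("/").split("/", 1)[0]


def detect_anonymous_access(log_lines, allowed_public=ALLOWED_PUBLIC):
    """Return sorted (account, container, status, operation, count) tuples for
    anonymous requests against containers that are not meant to be public.
    Successful requests mean data left; 403s and 404s are kept too, because they
    show someone probing for it."""
    hits = Counter()
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        if row.get("AuthenticationType") != "Anonymous":
            continue
        account, container = row["AccountName"], container_of(row["Uri"])
        if (account, container) in allowed_public:
            continue
        hits[(account, container, row["StatusCode"], row["OperationName"])] += 1
    return sorted((a, c, s, o, n) for (a, c, s, o), n in hits.items())


if __name__ == "__main__":
    for account, container, status, operation, count in detect_anonymous_access(SAMPLE_BLOB_LOG_LINES):
        print(f"{account}/{container}: {count}x anonymous {operation} -> {status}")
```

In production the same logic belongs in a scheduled Log Analytics alert rule, with a KQL query over StorageBlobLogs filtered on `AuthenticationType == "Anonymous"` and the allowed containers excluded; the point of the script is that the rows are already there and the alert is yours to write.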