Set a Secure Foundation for Your Move to Microsoft Azure

The ease of spinning up resources is a key characteristic of cloud environments, but it also makes it easy for organizations to overlook essential security aspects. For instance, when customers move to Microsoft Azure, it’s beneficial to take a step back to assess data access parameters and cloud segmentation. 

Azure has built-in threat intelligence and numerous security controls, but that doesn’t alleviate the need for a proper security review. In many cases, we find that customers haven’t implemented best practices for segmentation, which means their Azure applications may be talking to each other when they shouldn’t be. Another common misstep is to mirror existing access privileges in Azure, which can also create risk. 

That’s why I look at an Azure deployment as a great opportunity to hit the reset button, ensuring that as customers adopt Infrastructure as a Service, they improve their security posture at the same time. 

A gap assessment is an excellent opportunity to establish best practices for the cloud. For example, we look at administrative credentials versus user credentials: Does someone in Azure have administrative privileges they shouldn’t have? When we show customers their gaps and potential risks, we educate them on how to make better decisions as they move forward within Azure. 

A robust data governance strategy is essential to securing data throughout its life cycle. It is crucial to understand what data is going into Azure, who will access it and how. Organizations often want to follow the traditional Microsoft Active Directory infrastructure and put all their user information in the cloud. A common assumption is that whoever served as an administrator before should be an administrator again.

A better approach is to assess user accounts from a risk perspective before putting them into the platform. We also recommend minimizing administrative users in Azure because these can contribute to a breach. Carefully defining who should have privileged access to data and resources in Azure is a great way to close a potential security gap.

Segmentation — for instance, segmenting workloads from data — is another area where customers often make mistakes. Although many organizations move to Azure precisely so they don’t have to manage all those servers, crafting a segmentation plan is vital. The reality is that, for many organizations, cloud segmentation and microsegmentation of services can become very strategic and complex. That’s why we often work side by side with our customers to accomplish this.

Putting silos around data applications is a best practice, just as much as ensuring that privileged access is justified. For example, when developers build new applications within Azure, they should be implementing segmentation at the same time.

Some customers want to rely on all the toolsets and security capabilities Azure offers. Others want to take existing tools and import them into Azure. They often need help, however, to ensure those tools work together seamlessly. Azure is a phenomenal platform, but mistakes can happen when organizations try to export something to an entirely new infrastructure.

Complexities also arise when organizations are in a hybrid cloud infrastructure. For example, they may need better visibility and synergy between Azure and legacy data centers. Various strategies can help organizations achieve these goals, such as writing APIs or putting an instance of a security technology in Azure. We often find, however, that not all IT teams are comfortable or experienced enough to manage these processes.

Setting up the Azure environment correctly is much easier on day zero than two years down the road. When organizations take an Azure investment as an opportunity to harden their infrastructure and improve their security posture, they’re in a stronger position to handle cloud security challenges.

Story by Jeremy Weiss