Fortifying your Azure Landing Zone: 6 key security considerations

As organisations move more of their sensitive workloads to the cloud, the issue of security becomes increasingly important, particularly as they implement DevSecOps to formalise defences.

Here are our top six security considerations as you strengthen your protections in the Microsoft Azure cloud. 

1. Infrastructure as Code

Fundamental to an effective DevSecOps strategy, Infrastructure as Code allows you to deploy new systems quickly and efficiently using automated scripts. More importantly still, each new system is coded to adhere to your specific security requirements from the moment of deployment, reducing the need for post-install configurations (which can be easily overlooked when working at scale). 

However, the IaC code itself needs to be carefully audited and maintained to ensure best practices are applied there too. Basic errors like embedding secrets (credentials, passwords, etc.) in the code will undo the good work of the DevSecOps team and increase the vulnerability of your cloud-based apps. It is essential that all of these ‘time-saving’ workarounds are identified and eliminated before IaC code is put into production.
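As an added example (not code from the original post or from any BlakYaks tooling), the following scanner shows the kind of check that catches hard-coded secrets in IaC before it reaches production. The regexes are assumptions about what leaked credentials typically look like in Terraform and Bicep; the two sample files and the storage account key are constructed for the example.

```python
"""Pre-production check for secrets embedded in Infrastructure as Code.

Added example. The detection patterns are a starting point, not an exhaustive
list, and the sample files below are constructed for illustration.
"""
import re
import sys

# (rule name, compiled pattern). Patterns are assumptions about common leaks.
SECRET_PATTERNS = [
    # key = "literal" / key: 'literal' where the key name suggests a credential
    ("hard-coded password/secret/key literal",
     re.compile(r"""(?i)(password|secret|api[_-]?key|access[_-]?key|connection[_-]?string)"""
                r"""\w*\s*[:=]\s*['"][^'"]{8,}['"]""")),
    # Azure storage connection strings carry the account key inline
    ("Azure storage account key",
     re.compile(r"AccountKey=[A-Za-z0-9+/]{40,}={0,2}")),
    # PEM private key pasted into a template or variable file
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]


def scan_text(text, filename="<inline>"):
    """Return one finding per offending line: file, line number, rule, text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append({"file": filename, "line": lineno,
                                 "rule": rule, "text": line.strip()})
                break  # one finding per line is enough to block the change
    return findings


def has_secrets(text):
    """True when the IaC text should be rejected before production."""
    return bool(scan_text(text))


# Constructed Terraform snippet: a literal admin password beside a correct
# Key Vault data-source reference.
SAMPLE_TERRAFORM = '''
resource "azurerm_linux_virtual_machine" "web" {
  admin_username = "azureuser"
  admin_password = "P@ssw0rd-Landing-Zone"   # constructed leak
}
resource "azurerm_key_vault_secret" "db" {
  value = data.azurerm_key_vault_secret.db_password.value
}
'''

# Constructed Bicep snippet: a @secure() parameter (good) beside a connection
# string with the account key pasted in (bad). The key is a placeholder.
FAKE_ACCOUNT_KEY = "A" * 86 + "=="   # constructed, not a real key
SAMPLE_BICEP = f"""
@secure()
param adminPassword string
param location string = resourceGroup().location
var connStr = 'DefaultEndpointsProtocol=https;AccountName=stlz001;AccountKey={FAKE_ACCOUNT_KEY}'
"""


def scan_files(paths):
    """Scan real files on disk; returns all findings across the paths."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            findings.extend(scan_text(handle.read(), filename=path))
    return findings


if __name__ == "__main__":
    # With no arguments, run over the constructed samples.
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else (
        scan_text(SAMPLE_TERRAFORM, "main.tf") + scan_text(SAMPLE_BICEP, "storage.bicep"))
    for f in results:
        print(f'{f["file"]}:{f["line"]}: {f["rule"]}: {f["text"]}')
    sys.exit(1 if results else 0)
```

Wired into a pre-commit hook or a pipeline gate, a non-zero exit from this script blocks the change; the Key Vault reference and the `@secure()` parameter in the samples pass, and only the literal password and the inline account key are reported.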

To adopt efficient Azure DevOps & IaC processes, consider exploring our DevOps & IaC Maturity Assessment service.

2. Pipeline security 

Pipelines are intended to accelerate code deployment by automating various stages of the promotion process. Left unprotected however, these same pipelines can be hijacked and used to promote malicious code. 

Microsoft’s advice is to upgrade or replace existing DevOps pipelines with YAML pipelines, which are better suited to the DevSecOps model. YAML pipelines are defined in code – and so they can be reviewed for malicious insertions that would compromise operations. Resource access rules can also be configured and restricted to limit potential damage, and runtime parameters can be managed more tightly. 

 

3. Perimeter security 

Hybrid cloud operations may have permanently blurred the border between on-premises and hosted platforms, but edge security is still an essential aspect of effective cloud strategy. After all, breaching the corporate firewall creates a route back to your Azure Landing Zones – which is why your defences need to be constantly reviewed and strengthened using defence in depth and zero trust principles across the entire estate. 

 

4. Network security 

Data leakage remains a very real possibility as data moves across the hybrid estate or between cloud services. Your operations need to be designed to accommodate (and protect) east-west traffic passing between subnets and north-south traffic between application tiers. 

Again, a layered defence-in-depth strategy will be essential for identifying and isolating the various traffic types in play throughout your environment. Microsoft recommend using a Cloud Security Broker to help simplify and automate network security tasks. The Azure Firewall will also be essential to preventing data exfiltration by restricting traffic to authorised services only. 
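The "authorised services only" point is easiest to see as a default-deny rule set evaluated against sample flows. The following is an added example, not the post's own code and not the Azure Firewall engine: it is a simplified model (priority-ordered rule collections, first match wins, implicit deny at the end) with constructed subnets, placeholder external ranges and flows, plus a lint that flags any allow rule broad enough to undo the exfiltration control.

```python
"""Simplified model of priority-ordered egress rule collections with default deny.

Added example. Subnets, external ranges and flows are constructed; the
198.51.100.0/24 range stands in for an approved external service.
"""
import ipaddress

APP_SUBNET = "10.10.1.0/24"    # constructed application tier
DATA_SUBNET = "10.10.2.0/24"   # constructed data tier

# Constructed rule collections. Lower priority number is evaluated first.
COLLECTIONS = [
    {"name": "allow-approved", "priority": 100, "action": "Allow", "rules": [
        {"name": "app-to-sql", "protocol": "TCP", "sources": [APP_SUBNET],
         "destinations": [DATA_SUBNET], "ports": ["1433"]},
        {"name": "app-to-approved-service", "protocol": "TCP", "sources": [APP_SUBNET],
         "destinations": ["198.51.100.0/24"], "ports": ["443"]},
    ]},
    {"name": "deny-all-egress", "priority": 65000, "action": "Deny", "rules": [
        {"name": "catch-all", "protocol": "Any", "sources": ["*"],
         "destinations": ["*"], "ports": ["*"]},
    ]},
]


def _cidr_contains(cidrs, ip):
    """'*' matches any address; otherwise the address must fall in a listed CIDR."""
    if "*" in cidrs:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _port_matches(ports, port):
    """Ports are strings: '*', a single port, or an inclusive 'lo-hi' range."""
    for spec in ports:
        if spec == "*":
            return True
        if "-" in spec:
            lo, hi = (int(x) for x in spec.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(spec) == port:
            return True
    return False


def evaluate(flow, collections):
    """Return (action, 'collection/rule') for the first matching rule, else
    ('Deny', 'default-deny'): traffic nobody explicitly authorised is dropped."""
    for coll in sorted(collections, key=lambda c: c["priority"]):
        for rule in coll["rules"]:
            if rule["protocol"] not in ("Any", flow["protocol"]):
                continue
            if not _cidr_contains(rule["sources"], flow["src"]):
                continue
            if not _cidr_contains(rule["destinations"], flow["dst"]):
                continue
            if not _port_matches(rule["ports"], flow["port"]):
                continue
            return coll["action"], f'{coll["name"]}/{rule["name"]}'
    return "Deny", "default-deny"


def _is_any_destination(dests):
    return "*" in dests or any(
        ipaddress.ip_network(d, strict=False).prefixlen == 0 for d in dests if d != "*")


def overly_broad_allows(collections):
    """Lint: allow rules that reach any destination on any port. Such a rule,
    placed at a lower priority number, silently shadows the deny collection."""
    return [f'{c["name"]}/{r["name"]}' for c in collections if c["action"] == "Allow"
            for r in c["rules"]
            if _is_any_destination(r["destinations"]) and "*" in r["ports"]]


if __name__ == "__main__":
    sample_flows = [  # constructed
        {"src": "10.10.1.5", "dst": "10.10.2.10", "port": 1433, "protocol": "TCP"},
        {"src": "10.10.1.5", "dst": "203.0.113.7", "port": 443, "protocol": "TCP"},
        {"src": "10.10.1.5", "dst": "10.10.2.10", "port": 22, "protocol": "TCP"},
    ]
    for flow in sample_flows:
        print(flow["dst"], flow["port"], "->", evaluate(flow, COLLECTIONS))
    print("broad allows:", overly_broad_allows(COLLECTIONS))
```

The useful check is the lint: a "temporary" allow-anything collection at priority 90 would let the 203.0.113.7:443 flow through ahead of the deny collection, and `overly_broad_allows` reports exactly that rule, which is the sort of drift a regular review of the rule set should catch.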

 

5. Identity security and governance 

Zero trust operations require in-depth identity and governance controls to authorise access and to audit activity for signs of misuse. Azure Role-based Access Control (RBAC) provides tools to manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. If their assigned role does not have the correct permissions, they will be unable to access anything except the resources that have been explicitly permitted. 

Similarly, Privileged Identity Management (PIM) in Azure Active Directory enables you to manage, control, and monitor access to important resources in your organization – both in the cloud and on-premises. In this way you can construct a comprehensive end-to-end DevSecOps strategy that applies across the entire estate, regardless of where it is physically hosted. 
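To make the "nothing except what is explicitly permitted" behaviour of RBAC concrete, here is an added example (not from the post, and not Azure's own authorisation service) that models the core of Azure RBAC evaluation: role definitions with `Actions` and `NotActions`, wildcard matching on action strings, assignments that are inherited down the scope hierarchy, and deny assignments that win over any role. The subscription id, resource group names, principals and the custom "VM Operator" role are constructed; the Reader and Contributor definitions are a subset of the real built-in roles.

```python
"""Model of Azure RBAC authorisation: Actions/NotActions, scope inheritance,
deny assignments. Added example with constructed scopes and principals."""
import re

# Constructed scopes (the subscription id is a placeholder).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = f"{SUB}/resourceGroups/rg-app"
RG_DATA = f"{SUB}/resourceGroups/rg-data"
VM1 = f"{RG_APP}/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM2 = f"{RG_APP}/providers/Microsoft.Compute/virtualMachines/vm-web-02"
VM_DATA = f"{RG_DATA}/providers/Microsoft.Compute/virtualMachines/vm-sql-01"

# Reader and Contributor: subset of the built-in definitions. VM Operator: constructed.
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "VM Operator (custom)": {"Actions": ["Microsoft.Compute/virtualMachines/read",
                                         "Microsoft.Compute/virtualMachines/start/action",
                                         "Microsoft.Compute/virtualMachines/restart/action"],
                             "NotActions": []},
}


def _matches(pattern, action):
    """Action strings are case-insensitive; '*' matches any run of characters,
    including the '/' separators."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _scope_covers(assignment_scope, resource_scope):
    """An assignment applies to its own scope and everything beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def role_permits(role, action):
    """Permitted when some Actions entry matches and no NotActions entry does."""
    definition = ROLE_DEFINITIONS[role]
    if not any(_matches(p, action) for p in definition["Actions"]):
        return False
    return not any(_matches(p, action) for p in definition["NotActions"])


def is_allowed(principal, action, resource, assignments, deny_assignments=()):
    """Deny assignments are checked first and win; otherwise access requires at
    least one role assignment whose scope covers the resource and whose role
    permits the action. With no matching assignment the answer is no."""
    for deny in deny_assignments:
        if (deny["principal"] == principal and _scope_covers(deny["scope"], resource)
                and any(_matches(p, action) for p in deny["actions"])):
            return False
    for assignment in assignments:
        if (assignment["principal"] == principal
                and _scope_covers(assignment["scope"], resource)
                and role_permits(assignment["role"], action)):
            return True
    return False


# Constructed assignments.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": RG_APP},
    {"principal": "bob", "role": "Reader", "scope": SUB},
    {"principal": "carol", "role": "VM Operator (custom)", "scope": VM1},
]
DENY_ASSIGNMENTS = [
    {"principal": "alice", "scope": RG_APP,
     "actions": ["Microsoft.Compute/virtualMachines/delete"]},
]


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM1),
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM1),
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM1),
        ("carol", "Microsoft.Compute/virtualMachines/start/action", VM2),
        ("dave", "Microsoft.Compute/virtualMachines/read", VM1),
    ]
    for principal, action, resource in checks:
        print(principal, action, is_allowed(principal, action, resource,
                                            ASSIGNMENTS, DENY_ASSIGNMENTS))
```

Two details are worth noting for governance reviews: Contributor cannot grant roles because `Microsoft.Authorization/*/Write` sits in its NotActions, and an assignment scoped to one virtual machine gives carol nothing on the neighbouring VM in the same resource group.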

 

6. Maintaining security compliance after build 

Oftentimes, defences are only as good as the level of technical knowledge and understanding available at the time of deployment. Despite the best intentions and design guidelines, it is still possible that some elements of code within the Azure Landing Zone could be compromised. 

DevSecOps is a process of continuous improvement, requiring ongoing monitoring of systems and their use to identify potential misuse. With proactive monitoring the security team can quickly identify and prevent non-compliant use and ensure that operations continue to adhere to the security posture your business has defined. 

 

Get some practical tips 

So what do these six issues look like in reality? And what are the practical considerations when addressing them?

Give us a call to discuss your Azure Landing Zone security provisions and how they can be strengthened and improved as part of your DevSecOps model. 

Ollie Gayton

Professional Services Director
