Cloud Security

Best Practices for Securing Azure Compute

gregg rodriguez / 02.14.19

Cloud computing delivered through services like Microsoft Azure, and AWS, have delivered a bevy of benefits for enterprise IT. Among the most significant is the ability to quickly provision computing resources without major upfront investment or need for building on-premise data centers.

On-demand cloud computing resources have also given enterprise teams the ability to optimize servers and resources that might have otherwise gone underutilized in traditional IT environments.

What is Microsoft Azure Compute?

Microsoft Azure Compute is part of a collection of cloud computing services, including remotely hosted and managed versions of proprietary Microsoft technologies, and open technologies, such as Azure Virtual Machines, Azure Kubernetes Service (AKS), and Azure Container Service. With capacity, virtualization, and scale on demand based on usage-based billing, Azure Compute is a compelling option for enterprises transitioning from on-premise Windows servers to the cloud.

Azure Compute quickly provides the infrastructure you need to run your apps, whether you’re building new applications or deploying existing ones. It also offers the speed and scalability required in the modern app environment, along with opportunities for optimization on several fronts.

A Shared Approach to Security

Cloud computing is driven by a new infrastructure model, so it also requires a new approach to security. In the Azure environment, Microsoft provides a secure foundation across physical, infrastructure, and operational security, while you maintain responsibility for protecting the security of your application workloads, data, identities, on-premises resources, and all the cloud components that you control. This is referred as the “Shared Responsibility Model.”

To ensure the security of your Azure Compute resources, it’s important you fulfill your end of the shared responsibility model by using and configuring the service correctly based on security best practices.

What are the Risks to Misconfigured Azure Compute Resources

How Halo Cloud Secure Can Help

  • OS Disks: Not encrypting your OS disks (boot volumes) where possible may leave them open to unwarranted reads.
  • Lock Level: Not applying the appropriate lock level to a subscription, resource group, or resource, may leave them open for other users in your organization to accidentally delete or modify critical resources.
  • VM Extensions: Azure VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure Windows VMs. Several such extensions are provided by the Azure portal and community.
    • Installing extensions on VMs not approved by your organization may unknowingly grant administrative privileges and access to those VMs.
  • Azure Managed Disks: Azure Managed Disks handle disk management by taking care of the storage accounts for you behind the scenes. You just specify what type and size of disk you need and it creates them for you.
    • If your VMs use unmanaged disks instead of managed disks, you will be limited by the storage account limits and have to copy your custom images (VHD files) to multiple storage accounts.
  • Boot Diagnostics: If your Windows VMs do not have boot diagnostics enabled it will be difficult to  diagnose and recover your virtual machines from boot failures.

How Halo Cloud Secure Can Help

Halo can help you ensure:

  • Azure VM’s OS disks (boot volume) are encrypted and that content is fully unrecoverable without a key, thus protecting the volume from unauthorized access.
  • The appropriate Lock Level has been applied to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
  • VMs do not have extensions installed that have not been approved by your organization, as they may unknowingly grant administrative privileges and access to those VMs.
  • VMs are using managed disks, so you will not be limited by the storage account limits and can manage multiple accounts from a central location.
  • Windows VMs have boot diagnostics enabled so you can easily diagnose and recover your virtual machines from boot failures.

Read our solution brief to learn more about how Halo Cloud Secure can help reduce your cloud attack surface with security best practices.