As Microsoft Azure begins to take hold as a leader in cloud computing and infrastructure, it only makes sense that security is coming to the forefront as well. The Azure infrastructure itself includes many safeguards in order to protect customer data, but that doesn’t mean that users don’t make mistakes that put that data at risk. Often these errors stem from an overconfidence in the technologies built into the platform, but in other cases, they are due to a failure to implement the same basic security protocols that apply to any platform.
With that in mind, here are a few of the most common cloud platform security mistakes.
1. Improper Password Management
When it comes to security, password management usually comes up as an issue, whether we’re talking about a cloud platform or personal mobile phones. The fact is strong passwords that are kept secure are one of the best ways to keep hackers from getting their hands on your data.
Within Azure, hackers often access credentials the same way they do in other cases: they crack weak passwords, or access them when developers share them in plain, unencrypted text over the network or include them in configuration files. Azure developers have attempted to solve some of these problems by not allowing certain common passwords (like [email protected] or another similar configuration) or administrator names, but there are some common combinations that might have been missed. For that reason, it’s recommended that you use a passphrase to develop a password, and create a unique name for all virtual machines. It’s also recommended that you do not use the same password for all virtual machines, and follow established best practices for password management, including enforcing password changes and lockout periods, and not sending passwords via email or storing them without encryption.
2. Not Securing Access Points to the Cloud
Managing the access to your Azure virtual machines is vitally important. It’s a mistake to allow users to access the VM from any machine, anywhere, as that leaves the entire infrastructure vulnerable to attack. Ideally, users who have been granted access to the Azure platform should only be able to access it from a single, secure, dedicated workstation. Said workstation should only be configured to run the specific applications, and have limited network access to only perform the specific tasks needed. In other words, the access to your Azure platform should not come from a machine used for day-to-day activities, a mobile device, or any other non-hardened device.
3. Not Managing Patches Correctly
Properly managing Azure security requires applying regular security updates — something that can be difficult and expensive when your applications are “always on.” Some businesses take a reactive approach, and only apply patches when they discover a problem. Others try to operate complementary systems, applying patches to one that is not in use, and then switching traffic to that network while the other is updated — and expensive and time-consuming approach.
The best patch management strategy is actually a proactive one, especially when combined with virtual patching. Virtual patching uses a variety of technologies, including intrusion detection, to provide a layer of protection as soon as a vulnerability is announced. Instead of waiting for patches to be developed and deployed, virtual patching provides immediate protection and eliminates downtime.
4. Not Testing Security
Vulnerability testing is an important part of any security strategy, as it identifies the potential flaws in your defenses that hackers can use to wreak havoc. However, many experts suggest also conducting a penetration test in addition to a vulnerability assessment, in order to test your security methods and gauge the potential damage that a breach could cause.
Microsoft has developed a policy governing such tests, with the understanding that they are vital to a comprehensive security strategy, so there is no reason not to conduct them. Consider hiring a trained external assessor to conduct these tests and make recommendation to get an unbiased perspective.
5. Not Checking Compliance
One reason for the explosive growth of Microsoft Azure is it’s built in compliance with several security standards, including HIPPA and PCI. However, the Azure compliance is not always in line with specific regulatory guidelines for businesses, and it’s important that those companies contemplating a move to Azure check with their legal and IT security teams to ensure that they are meeting all of the requirements. Failing to do so could lead to fines and sanctions — not to mention, problems should a data breach occur when the company was out of compliance.
Microsoft Azure has many advantages, but like any platform, requires businesses to maintain its own security measures to protect data. However, if you avoid these common mistakes, you will already be ahead of the curve.