Azure Cloud Security: Misconfigurations, Misunderstandings, and More

Written by Aakash Shah, CTO & Co-Founder
April 8, 2021

Cloud solutions like Azure and AWS have become the heart of most IT deployments. Most businesses use the cloud in some capacity and are concerned about cloud security, yet over 70% of organizations experienced a cloud-related breach in 2019. Want the harsh truth? Nearly all of these breaches were user error. When cloud breaches happen, they usually boil down to infrastructure vulnerabilities, which are often artifacts of today’s fast-paced DevOps ecosystem. We want to deploy faster, smarter, and with more purpose than ever before. But that speed can quickly lead to vulnerabilities, and it is the reason to shift security even further left than many companies have considered.

Today, let’s look at some of Azure’s most common security issues. These are the frictions and pain points causing organizations security headaches in Azure environments. Luckily, all of these issues are easily fixable. You just need the right tools.

The 4 Most Common Azure Security Issues

1. Misconfigurations

Microsoft is hyper-focused on the application layer of Azure. Most guides and Microsoft-focused conversations will generally orient themselves towards APIs and app configurations. But infrastructure configuration is equally important, and it’s easy to get tripped up when you’re deploying IaaS/PaaS across a large number of buckets — which are likely cross-stacked across Azure and AWS.

According to a McAfee report, the average enterprise has 14 misconfigured Azure or AWS services (usually both) running at any given time, which results in 2,269 security incidents per month. It’s a big problem. We’ll cover the most common misconfigurations in this guide, but a wide variety of misconfiguration issues occur in the public cloud, so it’s important to go through your buckets and blobs with a fine-toothed comb and implement best-in-class policies to mitigate these misconfigurations at scale.

Common Azure misconfigurations include:

  1. Failure to integrate Azure Active Directory SSO with AWS Single-Account Access
  2. Improperly configured Network Security Groups (e.g., trying to apply NSG and ACL on the same VM, failing to associate pre-configured security groups with launches, relying on default security groups, misunderstanding how NSG works across subnets and VMs, etc.)
  3. Misconfigured encryption for blobs or SQL
  4. Failure to apply MFA at scale
  5. Unused security groups
  6. Keeping outbound access unrestricted

Again, these are just six common misconfigurations. There are plenty of other issues. McAfee found the average enterprise is running at least one open-write S3 bucket, so we assume organizations may also be running open-write blobs. Keeping these open-write is an invitation for anyone to jump in and steal your entire blob’s worth of data. As a whole, 27% of organizations using PaaS/IaaS have experienced cloud-based data theft.

The threat is real! And misconfigurations are most likely to blame for cloud security issues. AWS and Azure are hyper-secure, but you need to implement world-class policies and combine existing security infrastructure with specific cloud infrastructure requirements to operate safely in cloud environments.
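
An added example, not from the original post or from oak9: a Python check over a constructed ARM template fragment that flags some of the misconfigurations listed above, namely NSG rules open to any source, unrestricted outbound access, and storage accounts that permit anonymous blob access or unencrypted HTTP. The resource names and the audit function are hypothetical; the property names are the ARM ones.

```python
import json

# Constructed ARM template fragment (sample input, not from a real deployment).
TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Network/networkSecurityGroups", "name": "web-nsg",
   "properties": {"securityRules": [
     {"name": "ssh-any", "properties": {"direction": "Inbound", "access": "Allow",
       "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
     {"name": "https-lb", "properties": {"direction": "Inbound", "access": "Allow",
       "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "443"}},
     {"name": "out-any", "properties": {"direction": "Outbound", "access": "Allow",
       "destinationAddressPrefix": "Internet", "destinationPortRange": "*"}}]}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "logsacct",
   "properties": {"allowBlobPublicAccess": true, "supportsHttpsTrafficOnly": false}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "safeacct",
   "properties": {"allowBlobPublicAccess": false, "supportsHttpsTrafficOnly": true}}
]}
""")

# Address prefixes that mean "anywhere" in an NSG rule.
ANY = {"*", "0.0.0.0/0", "Internet"}

def audit(template):
    """Return sorted (resource, finding) pairs for the misconfigurations checked."""
    findings = []
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if res["type"] == "Microsoft.Network/networkSecurityGroups":
            for rule in props.get("securityRules", []):
                r = rule["properties"]
                if r.get("access") != "Allow":
                    continue
                where = f'{res["name"]}/{rule["name"]}'
                if r["direction"] == "Inbound" and r.get("sourceAddressPrefix") in ANY:
                    findings.append((where, "inbound allowed from any source"))
                if (r["direction"] == "Outbound" and r.get("destinationAddressPrefix") in ANY
                        and r.get("destinationPortRange") == "*"):
                    findings.append((where, "unrestricted outbound access"))
        elif res["type"] == "Microsoft.Storage/storageAccounts":
            # Assumption of this example: a missing key is treated as the unsafe value.
            if props.get("allowBlobPublicAccess", True):
                findings.append((res["name"], "anonymous blob access permitted"))
            if not props.get("supportsHttpsTrafficOnly", False):
                findings.append((res["name"], "plaintext HTTP traffic permitted"))
    return sorted(findings)

if __name__ == "__main__":
    for resource, finding in audit(TEMPLATE):
        print(f"{resource}: {finding}")
```

Running the same check in a CI step before deployment catches these settings while they are still a template diff rather than a live resource.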

2. Shared Security Responsibilities

Azure operates on “shared responsibility.” In other words, Microsoft is directly responsible for certain aspects of Azure security, but your organization is equally responsible for other security components. This responsibility split is usually broken down like this:

Microsoft is responsible for:

  • The physical datacenter
  • The physical network
  • Any physical hosts
  • OS (only on PaaS/SaaS)
  • Network Controls (on SaaS)

You’re responsible for:

  • Data
  • Devices
  • Accounts
  • Non-Microsoft apps
  • OS (on IaaS/On-prem)
  • Network Controls (on IaaS/PaaS/on-Prem)
  • Identity
  • Most apps

That’s a lot of responsibilities that fall on the user, right? To be fair, Azure does provide a swarm of tools you can use to satisfy those responsibilities. So they aren’t leaving you in the dark, but you do have security responsibilities. From role-based access to encryption and device management, your organization has plenty of acute security needs to tackle.

3. Accounting for External & Internal Threats

The average organization experiences 12.2 stolen credential issues each month, and a massive 92% of organizations have stolen accounts for sale somewhere on the Dark Web. Here’s the problem: it takes an average of 300+ days to mitigate a breach, and the average cost of a breach hovers around $4 million. Scary? Yes. But manageable, because you can mitigate those threats. And Azure gives you some nifty tools to do just that. We recommend you thoroughly read and understand how these tools work, such as:

You also need to apply existing internal security controls.

Internal threats are another problem. 34% of breaches involve internal actors. And while you may have employees who download data maliciously before joining another company, most internal threats are accidental. The good news? You can prevent 99.9% of these internal threats with robust access controls and least-privilege access. Remember to enable Azure Activity Log and monitor it using OMS or Power BI. In addition, Sentinel uses ML to pick up on strange user access behavior and can notify you of internal threats stemming from stolen account info or malicious employee behavior.

4. Infrastructure Provisioning on the App Level

So far, we’ve discussed IaaS/PaaS on the cloud level. Let’s talk about individual apps. For many organizations, app-level infrastructure involves plenty of manual touchpoints and dedicated sysadmins on regular patrol. You spin up and down buckets or blobs regularly, and any infrastructure changes need to be managed carefully to avoid drift. According to GitLab, most companies are deploying multiple times a day. Every deployment, every infrastructure change, and every new connection can create security vulnerabilities.

Ideally, your organization wants to monitor infrastructure in real-time across your entire app infrastructure. You can use a tool like ARM to deploy and deal with resources across each Azure group, but that’s a granular IaC tool. You need something more robust and cross-platform. For example, 78% of organizations use IaaS/PaaS in both AWS and Azure. You need to manage deployments and changes on both platforms simultaneously.

oak9 & Azure: Security-at-Scale

These messy, complex problems are exactly why the oak9 team set out to build a platform that integrates into your Azure, AWS, CI/CD, and on-prem environments and can secure an entire evolving ecosystem. With instant visibility into your security level, compliance adherence, and infrastructure security, you can detect every misconfiguration, network issue, encryption woe, and code integrity problem.

Contact us to learn how oak9 can help you build a secure Azure ecosystem.