This article describes security best practices for VMs and operating systems. The best practices are based on a consensus of opinion, and they work with current Azure platform capabilities and feature sets. Because opinions and technologies can change over time, this article will be updated to reflect those changes.

In most infrastructure as a service (IaaS) scenarios, Azure virtual machines (VMs) are the main workload for organizations that use cloud computing. This is especially evident in hybrid scenarios where organizations want to migrate workloads to the cloud gradually. In such scenarios, follow the general security considerations for IaaS, and apply security best practices to all your VMs.

Shared responsibility

Your responsibility for security is based on the type of cloud service. The following chart summarizes the balance of responsibility between Microsoft and you:

Security requirements vary depending on a number of factors, including the different types of workloads. No single one of these best practices can by itself secure your systems. Like anything else in security, you have to choose the appropriate options and see how the solutions can complement each other by filling gaps.

Protect VMs by using authentication and access control

The first step in protecting your VMs is to ensure that only authorized users can set up new VMs and access VMs.

Note: To improve the security of Linux VMs on Azure, you can integrate with Azure AD authentication. When you use Azure AD authentication for Linux VMs, you centrally control and enforce policies that allow or deny access to the VMs.

Best practice: Control VM access. If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into management groups (containers) and apply your governance conditions to those groups.
All subscriptions within a management group automatically inherit the conditions applied to the group. Management groups give you enterprise-grade management at scale, no matter what type of subscriptions you have.

Best practice: Reduce variability in your setup and deployment of VMs.

Best practice: Secure privileged access.
Your subscription admins and coadmins can change this setting, making them administrators of all the VMs in a subscription. Be sure that you trust all of your subscription admins and coadmins to log in to any of your machines.

Note: We recommend that you consolidate VMs with the same lifecycle into the same resource group. By using resource groups, you can deploy, monitor, and roll up billing costs for your resources.

Organizations that control VM access and setup improve their overall VM security.

Use multiple VMs for better availability

If your VM runs critical applications that need high availability, we strongly recommend that you use multiple VMs. For better availability, use an availability set. An availability set is a logical grouping that you can use in Azure to ensure that the VM resources you place within it are isolated from each other when they're deployed in an Azure datacenter. Azure ensures that the VMs you place in an availability set run across multiple physical servers, compute racks, storage units, and network switches. If a hardware or Azure software failure occurs, only a subset of your VMs is affected, and your overall application continues to be available to your customers. Availability sets are an essential capability when you want to build reliable cloud solutions.

Protect against malware

You should install antimalware protection to help identify and remove viruses, spyware, and other malicious software. You can install Microsoft Antimalware or a Microsoft partner's endpoint protection solution (Trend Micro, Symantec, McAfee, Windows Defender, and System Center Endpoint Protection). Microsoft Antimalware includes features like real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, samples reporting, and exclusion event collection. For environments that are hosted separately from your production environment, you can use an antimalware extension to help protect your VMs and cloud services.
You can integrate Microsoft Antimalware and partner solutions with Azure Security Center for ease of deployment and built-in detections (alerts and incidents).

Best practice: Install an antimalware solution to protect against malware.

Best practice: Integrate your antimalware solution with Security Center to monitor the status of your protection.

Manage your VM updates

Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. You need to manage your VM updates.

Best practice: Keep your VMs current. Computers that are managed by Update Management use the following configurations to perform assessment and update deployments:
If you use Windows Update, leave the automatic Windows Update setting enabled.

Best practice: Ensure at deployment that the images you built include the most recent round of Windows updates.

Best practice: Periodically redeploy your VMs to force a fresh version of the OS.

Best practice: Rapidly apply security updates to VMs.

Best practice: Install the latest security updates.

Best practice: Deploy and test a backup solution. Test and dev systems must follow backup strategies that provide restore capabilities similar to what users have grown accustomed to from on-premises environments. Production workloads moved to Azure should integrate with existing backup solutions when possible. Or, you can use Azure Backup to help address your backup requirements.

Organizations that don't enforce software-update policies are more exposed to threats that exploit known, previously fixed vulnerabilities. To comply with industry regulations, companies must prove that they are diligent and using correct security controls to help ensure the security of their workloads located in the cloud. Software-update best practices for a traditional datacenter and Azure IaaS have many similarities. We recommend that you evaluate your current software update policies to include VMs located in Azure.

Manage your VM security posture

Cyberthreats are evolving. Safeguarding your VMs requires a monitoring capability that can quickly detect threats, prevent unauthorized access to your resources, trigger alerts, and reduce false positives. To monitor the security posture of your Windows and Linux VMs, use Azure Security Center. In Security Center, safeguard your VMs by taking advantage of the following capabilities:
Security Center can actively monitor for threats, and potential threats are exposed in security alerts. Correlated threats are aggregated in a single view called a security incident.

Security Center stores data in Azure Monitor logs. Azure Monitor logs provides a query language and analytics engine that gives you insights into the operation of your applications and resources. Data is also collected from Azure Monitor, management solutions, and agents installed on virtual machines in the cloud or on-premises. This shared functionality helps you form a complete picture of your environment.

Organizations that don't enforce strong security for their VMs remain unaware of potential attempts by unauthorized users to circumvent security controls.

Monitor VM performance

Resource abuse can be a problem when VM processes consume more resources than they should. Performance issues with a VM can lead to service disruption, which violates the security principle of availability. This is particularly important for VMs that are hosting IIS or other web servers, because high CPU or memory usage might indicate a denial of service (DoS) attack. It's imperative to monitor VM access not only reactively while an issue is occurring, but also proactively against baseline performance as measured during normal operation. We recommend that you use Azure Monitor to gain visibility into your resource's health. Azure Monitor features:
Organizations that don't monitor VM performance can't determine whether certain changes in performance patterns are normal or abnormal. A VM that's consuming more resources than normal might indicate an attack from an external resource or a compromised process running in the VM.

Encrypt your virtual hard disk files

We recommend that you encrypt your virtual hard disks (VHDs) to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets. Azure Disk Encryption helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. The solution also ensures that all data on the virtual machine disks is encrypted at rest in Azure Storage.

Following are best practices for using Azure Disk Encryption:

Best practice: Enable encryption on VMs.

Best practice: Use a key encryption key (KEK) for an additional layer of security for encryption keys. Add a KEK to your key vault.

Best practice: Take a snapshot and/or backup before disks are encrypted. Backups provide a recovery option if an unexpected failure happens during encryption.

Best practice: To make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the key vault and the VMs to be located in the same region.

When you apply Azure Disk Encryption, you can satisfy the following business needs:
Restrict direct internet connectivity

Monitor and restrict VM direct internet connectivity. Attackers constantly scan public cloud IP ranges for open management ports and attempt "easy" attacks like common passwords and known unpatched vulnerabilities. The following table lists best practices to help protect against these attacks:

Best practice: Prevent inadvertent exposure to network routing and security.

Best practice: Identify and remediate exposed VMs that allow access from "any" source IP address.

Best practice: Restrict management ports (RDP, SSH).

Next steps

See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure. The following resources are available to provide more general information about Azure security and related Microsoft services:
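As an added example for the "Restrict direct internet connectivity" best practices above (not code from the original article), the following audit walks a network security group's inbound rules in Azure's priority order and reports whether RDP (3389) or SSH (22) is allowed from any source; the rule set is a constructed sample in the shape of `az network nsg rule list -o json`, limited to single-valued prefix and port fields.

```python
import json

MGMT_PORTS = {22, 3389}                       # SSH and RDP
# Treated as equivalent for internet exposure (an assumption of this audit).
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `az network nsg rule list -o json`
# (single-valued fields only; real output may also carry plural *Prefixes/*Ranges).
SAMPLE_RULES = json.dumps([
    {"name": "AllowRDPFromOffice", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
    {"name": "AllowSSHAny", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "DenyWinRM", "priority": 300, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "5985-5986"},
    {"name": "AllowAllInternet", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "*"},
])


def _ports(spec):
    """Expand '22', '5985-5986' or '*' into a set of ports; None means every port."""
    if spec == "*":
        return None
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def exposed_management_ports(rules_json):
    """Return {port: rule_name} for management ports the NSG allows from any source.

    Azure evaluates rules by ascending priority number and stops at the first
    match, so a higher-priority Deny shadows a later Allow. Rules scoped to a
    specific source prefix say nothing about other sources, so only any-source
    rules decide the exposure of each port.
    """
    rules = sorted(json.loads(rules_json), key=lambda r: r["priority"])
    findings, decided = {}, set()
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("Tcp", "*"):
            continue
        if rule["sourceAddressPrefix"].lower() not in ANY_SOURCE:
            continue
        ports = _ports(rule["destinationPortRange"])
        for port in MGMT_PORTS:
            if port in decided or (ports is not None and port not in ports):
                continue
            decided.add(port)             # first matching rule wins for this port
            if rule["access"] == "Allow":
                findings[port] = rule["name"]
    return findings


if __name__ == "__main__":
    for port, rule in sorted(exposed_management_ports(SAMPLE_RULES).items()):
        print(f"port {port} open to any source via rule {rule}")
```

On the sample, SSH is exposed by the explicit any-source rule and RDP by the catch-all Allow from Internet, while the office-scoped RDP rule is correctly not reported.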