Security is a cross-cutting concern relevant to all aspects of Cloudmarque. As a Building Block, it comprises several components designed to make secure management of a cloud environment easy to set up and operate.
- Ensure least-privilege access to cloud environments. This can be achieved by partitioning workloads (separate test and production environments), using automation to reduce direct user interaction with cloud services, and utilising just-in-time privilege technologies.
- Give technology partners controlled access to your cloud estate, so that managed cloud services delivered by third parties can be enabled securely while you retain ownership of the underlying cloud resources.
- Enable your SecOps team by plugging in additional tooling to monitor activity in your cloud environment.
- Enforce compliance with organisational standards, wider industry standards, and best practices across your cloud environment. Monitor and mitigate breaches, or prevent them from happening in the first place.
Defense in depth
The “security onion” below outlines a comprehensive model for defense in depth, in the context of a specific cloud vendor.
While setting up a multi-layered defence may appear to be a daunting, complex, and costly exercise, many security technologies and products are baked into cloud vendor tooling, included in cloud vendor marketplaces, or provided as part of a product suite, giving an easy way to deploy sophisticated tools quickly.
The “security onion” can be understood in four broad categories:
Combining monitoring with Artificial Intelligence and Machine Learning helps to balance comprehensive proactive alerting against filtering out background noise for the Security Operations Center. This capability is typically delivered by SIEM tooling. Azure provides a cloud-native SIEM and SOAR tool called Azure Sentinel, while third-party and open source tools like Splunk can provide equivalent capability, integrating directly with cloud-native APIs and resources.
Identity and Access (Authentication and Authorisation)
Azure Active Directory P2 includes Azure Identity Protection, Password Protection and Multi-Factor Authentication. AAD P2 can also be purchased as part of EM+S (Enterprise Mobility and Security Suite), which in turn is part of M365. M365 also includes MCAS, the Microsoft CASB solution. So essentially, M365 combined with a SIEM tool (Sentinel) would cover most of the proactive monitoring stack as well as the Identity and Access stack (Role Based Access Control and Azure Policy are part of the Azure platform, and there is no added cost for these).
Establish controls on network traffic using network virtual appliances delivered via IaaS or PaaS services. These can be readily deployed as part of an IaaS networking solution such as the Hub and Spoke pattern. Typical perimeter security includes:
- Layer 3 and 4 Firewalls (e.g. Azure Firewall, Sophos XG, Barracuda NGF)
- Layer 7 Application Gateways (e.g. Azure WAF and Front Door, Sophos XG, Barracuda WAF)
- CASB software with identity and data policy awareness
- Network-attached PaaS resources for workloads (storage, BI, internal web apps)
- Traffic controls on virtual networks and subnets (e.g. Network Security Groups)
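The last item above is easy to get wrong in practice, because an NSG is evaluated in priority order and the platform's default rules sit underneath whatever you add. The following script is an added example, not Cloudmarque's own code: it models Azure's inbound NSG evaluation (ascending priority, first match wins, default `AllowVnetInBound` / `AllowAzureLoadBalancerInBound` / `DenyAllInBound` rules) and uses it to audit an NSG for management ports reachable from the Internet. The rule sets, the `10.0.0.0/8` VNet address space, and the treatment of the `Internet` and `VirtualNetwork` service tags as "outside" and "inside" that space are all constructed simplifications; the real service tags are platform-maintained address lists.

```python
"""Evaluate inbound NSG rules the way Azure does: rules are checked in ascending
priority order, the first match decides, and the platform's default rules apply
when no custom rule matches. Rules and address ranges below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number = evaluated first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR/IP, "*" or a service tag: Internet, VirtualNetwork, AzureLoadBalancer
    dest_ports: str  # "3389", "1000-2000", "22,3389" or "*"


# Azure's built-in default inbound rules, at the priorities the platform assigns them
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Assumed VNet address space; the real VirtualNetwork/Internet tags are platform-maintained
VNET_RANGES = [ip_network("10.0.0.0/8")]
AZURE_LB_PROBE = ip_address("168.63.129.16")  # documented Azure load balancer probe source


def source_matches(rule_source, src_ip):
    in_vnet = any(src_ip in net for net in VNET_RANGES)
    if rule_source == "*":
        return True
    if rule_source == "Internet":          # simplification: anything outside the VNet
        return not in_vnet
    if rule_source == "VirtualNetwork":
        return in_vnet
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE
    return src_ip in ip_network(rule_source, strict=False)


def port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(custom_rules, src, port, protocol="Tcp"):
    """Return (access, matching_rule_name) for an inbound flow to destination port `port`."""
    src_ip = ip_address(src)
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if source_matches(rule.source, src_ip) and port_matches(rule.dest_ports, port):
            return rule.access, rule.name
    raise AssertionError("DenyAllInBound should always match")  # unreachable


MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_PROBE = "203.0.113.10"  # TEST-NET-3 address standing in for an Internet source


def exposed_management_ports(custom_rules):
    """Audit: list management ports an Internet source could reach, and the rule responsible."""
    findings = []
    for port, service in MANAGEMENT_PORTS.items():
        access, rule_name = evaluate(custom_rules, INTERNET_PROBE, port)
        if access == "Allow":
            findings.append(f"{service}/{port} open to Internet via rule '{rule_name}'")
    return findings


# Constructed NSGs: the common mistake, and the hub-and-spoke shape the page recommends
WEAK_NSG = [Rule("AllowRdpFromInternet", 100, "Allow", "Tcp", "Internet", "3389")]
HARDENED_NSG = [
    Rule("AllowRdpFromBastionSubnet", 100, "Allow", "Tcp", "10.0.1.0/24", "3389"),
    Rule("DenyMgmtFromElsewhere", 110, "Deny", "Tcp", "*", "22,3389"),
]

if __name__ == "__main__":
    for label, nsg in (("weak", WEAK_NSG), ("hardened", HARDENED_NSG)):
        print(label, exposed_management_ports(nsg) or "no management ports exposed")
```

The hardened set adds an explicit deny at priority 110 rather than relying on `DenyAllInBound`, because the default `AllowVnetInBound` rule at 65000 would otherwise still permit RDP from any other subnet in the VNet; an explicit rule keeps management access confined to the bastion subnet regardless of what the defaults allow.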
Ensure that data is protected at rest and during transit. This can be accomplished by:
- Enabling encryption at rest by default
- Using TLS (1.2) when transmitting data between services
- Leveraging cloud key stores to persist and control access to encryption keys and secrets
- Managing keys outside of the service in which they are used (e.g. Azure SQL Always Encrypted Column Encryption Keys and Master Encryption Keys stored outside of SQL)
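The four data-protection points above, and the earlier goal of monitoring compliance or preventing breaches in the first place, can both be expressed as checks over exported resource definitions. The script below is an added example, not part of Cloudmarque: it audits Azure storage account definitions for a TLS 1.2 minimum, HTTPS-only traffic, encryption at rest on the blob and file services, and customer-managed keys held in Key Vault (`encryption.keySource` of `Microsoft.Keyvault`). It assumes the ARM resource JSON shape, with settings nested under `properties`; the export, account names and the Key Vault URI are constructed placeholders.

```python
"""Audit exported Azure storage account definitions for the data-protection
controls listed above (TLS 1.2, HTTPS only, encryption at rest, keys held in
Key Vault). Assumes the ARM resource JSON shape with settings under
`properties`; the export below is constructed for this example."""
import json

TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def _encryption(props):
    return props.get("encryption") or {}


def tls_ok(props):
    # Older accounts may omit the setting entirely; treat missing as non-compliant
    return TLS_ORDER.get(props.get("minimumTlsVersion"), -1) >= TLS_ORDER["TLS1_2"]


def https_only(props):
    return props.get("supportsHttpsTrafficOnly") is True


def encrypted_at_rest(props):
    services = _encryption(props).get("services") or {}
    return all((services.get(s) or {}).get("enabled") is True for s in ("blob", "file"))


def keys_in_key_vault(props):
    # keySource "Microsoft.Keyvault" = customer-managed key held outside the storage service
    return _encryption(props).get("keySource") == "Microsoft.Keyvault"


CHECKS = [
    ("TLS 1.2 minimum", tls_ok),
    ("HTTPS traffic only", https_only),
    ("Encryption at rest (blob, file)", encrypted_at_rest),
    ("Keys managed in Key Vault", keys_in_key_vault),
]


def audit(export_json):
    """Return {account name: [names of failed controls]} for each storage account."""
    results = {}
    for resource in json.loads(export_json):
        if resource.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        props = resource.get("properties") or {}
        results[resource["name"]] = [name for name, check in CHECKS if not check(props)]
    return results


# Constructed export: one account with weak settings, one configured as the page recommends
SAMPLE_EXPORT = json.dumps([
    {"name": "stlegacyapp", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"minimumTlsVersion": "TLS1_0", "supportsHttpsTrafficOnly": False,
                    "encryption": {"keySource": "Microsoft.Storage",
                                   "services": {"blob": {"enabled": True},
                                                "file": {"enabled": True}}}}},
    {"name": "stprodhardened", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": True,
                    "encryption": {"keySource": "Microsoft.Keyvault",
                                   "keyvaultproperties": {
                                       "keyvaulturi": "https://kv-placeholder.vault.azure.net/",
                                       "keyname": "cmk-storage"},
                                   "services": {"blob": {"enabled": True},
                                                "file": {"enabled": True}}}}},
])

if __name__ == "__main__":
    for account, failures in audit(SAMPLE_EXPORT).items():
        print(account, "compliant" if not failures else "FAIL: " + "; ".join(failures))
```

Running this over a real export gives the "monitor and mitigate" half of the compliance goal; the same four predicates are what you would encode as Azure Policy definitions with a deny effect to get the "prevent in the first place" half.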
The content on this page is published under Open Source licenses via GitHub. To submit issues or provide feedback, please visit the repository.