Securing Azure VM - Checklist

Organization lean towards cloud is growing. Many enterprises are planning to fully deploy their infrastructure to the cloud. As an initial step they are embracing Software as a Service and extending their workload to the cloud, making it as a secondary site for compute and storage resources.

Creating resources in Azure is simple, will finishes within few clicks, however if we missed few steps or rule of thumbs on provisioning resources, it might leave a loop hole which could be easily exploited.

Below is the checklist for consideration to ensure that you have securely deployed your resources (VM) to Azure Cloud.

  • Network Setup

    • Is your network Isolated and breakdown into different zones? 
    • Do you need to stop different zones/subnets communicating with each other? 
    • Is Network Security Group applied? 
    • Can you justify the need of PublicIP?
    • How you are planning to RDP VM? 
    • Did you have list of endpoints of Azure VM to be provisioned?
    • Do you need all those endpoints?
    • How secure is your VPN connection to Azure?

  • Storage Setup

    • Make a choice of your Storage, Managed Storage is recommended.  
    • Do you have policy defined to change Storage Key frequency? 

  • Role Base Access Control 

    • Who has access to which Resources? 
    • Is there separation of duty? 
    • Does they need that level of Access? 
    • Is it based on absolute need?
    • Is any user is over privileged?
    • Are you following rule of least privilege? 

  • Diagnostic Setting 

    • Is logging required?  
    • Is retention period meet your business needs? 

  • Operational Management Suite (OMS)

    • Is  agent deployed?
    • Is your objectives clear? 
    • Do you regularly check it? 
    • Do you have response plan? 

  • Insight and Analytics 

    • Do you regularly analyze the usages pattern of  the resources? 
    • Is there any suspicious activities? 

  • Azure Logging and Auditing

    • Has logging been enabled? 
    • Do you get notification of changes about the resources? 

  • Threat Intelligence

    • Do you read the security alerts? 
    • How often you respond to those alerts? 
    • Golden rules : Identify - Isolate - Analyze - Respond 

  • Backup

    • Is data being backed up regularly? 
    • Does it meet your business needs?
    • Who has access to theses backup Storage Accounts?
    • How quickly you can restore them? 
    • Is it stored in an Isolated Environment? 

  • Encryption 

    • Is Data Encrypted ?
    • Is your VM Encrypted ? 

Comments

  1. ITGOLD Solutions2 March 2022 at 21:16

    Outstanding as well as powerful suggestion by the writer of this blog site are truly valuable to me. Sophos antivirus Brisbane

    ReplyDelete

Post a Comment

Popular posts from this blog

Deploy Palo Alto in Azure

Image
There are many ways to deploy Palo Alto Firewall in Azure. Out of those options today I will discuss how Palo Alto can be configured to protect your Azure workload. This setup is suitable for Proof of Concept only. Planning-Includes Minimum Requirement - Without HA Logical Diagram:  Create Virtual Network Name: PAN-VNet Address Space: 10.0.0.0/16 Subnet Name: Management Subnet Address Space: 10.0.1.0/24 Subnet Name: Untrust Subnet Address Space: 10.0.2.0/24 Subnet Name: Trust Subnet Address Space: 10.0.3.0/24 Resource Group: PA-VNet    Subnet Spin Web Server Virtual Machine  Name: SecureWebServices Image: Windows Server 2016 Resource Group: Services Network: PAN-VNet Subnet: Trust Role: Web Server (IIS) Installed Change NSG rules of Web Server to accept request on port 80, if you wish to test the web request. However, later on, this behaviour will be controlled through firewall. Spin Palo Alto Firewall Virtual Machine Name: vmseries300 Im
Read more

Demystifying System and User Define Routes of Azure

Image
As Virtual Network is created, Azure automatically create its own route tables for that Virtual Network, so that all the packets which enters the virtual network can traverse within its address prefix and leave the subnet for its destination. These are known as the Default Routes . We can’t modify these routes; however, we can add our custom routes on top of default routes for the traffic leaving the subnet. These custome route is known as User Define Routes . In this case, we are modifying the default behaviour of packets routing but still the internal and external routing of packet is done by virtual network to ensure that our packets are never hijacked.  In another word, we are adding routes and requesting virtual network to routes traffic in the way we want. So far its not possible to route the traffic independently bypassing the Azure Virtual Network routing mechanism and for security reason I do not think this will ever be possible. Common Use Case of UDR:  Every bus
Read more

Azure Web App Vnet Integration - Hub and Spoke Scenario

Image
Integrating Web Apps with virtual network allows us to access the resources which is located within our private network space, however web apps will be still be accessible from internet. App Service Environment could be possible solution if you wish to make your Web App completely private. In this blog I will be discussing the 3 possible use cases. Integrate Web Apps with VNet and verify connectivity between Web App and a VM which is deployed within the same VNet.  Web App Integration in Hub and Spoke  Establish connectivity between On-Prem network and Azure Web App Use Case 1 - Simple We need to have the following things to meet the goal with use case 1. 1. Virtual Network - Ansible-vnet - Address Space -10.0.0.0/16 2. Provision a Gateway Subnet - Address Space - 10.0.1.0/24 3. Virtual Network Gateway - WebApp-GW : SKU - VpnGw1 4. Create Point to Site in WebApp-GW - Address Space : 172.16.201.0/24 5. Since, SKU - VpnGw1 is used, IKEv2 VPN should be unchecked. (
Read more