As organizations navigate their digital transformations and begin adopting Microsoft Azure, one of the biggest challenges they face is ensuring that their new cloud infrastructure is secure. Many IT leaders and professionals make the mistake of approaching security in the cloud the same way they approached security in a traditional data center. In the software-defined world of Microsoft Azure, however, there is an added wrinkle: nearly every security control is itself a configuration setting that can be changed by anyone with the right permissions, often through an API. Without a holistic approach to security that includes a continuous view of configuration, you can easily expose yourself to undue risk.
First, understand that security in the cloud is a shared responsibility between the cloud provider and the customer. All of the major cloud providers, including Microsoft Azure, operate under this premise. Microsoft's Shared Responsibilities for Cloud Computing white paper explains the responsibilities a customer needs to be aware of, and purposeful in managing, when adopting Azure. In a nutshell, Microsoft secures certain elements, such as the physical infrastructure and the underlying network, but Azure customers remain responsible for what they build on top of it. For example, Microsoft provides services that help protect data, but customers must configure and use those services correctly and understand their own role in protecting the security and privacy of their data. A simple illustration is a weak password policy: Microsoft's best security measures are defeated if customers allow weak credentials on the accounts that administer their Azure resources.
Second, customers are often left with the question, "How do I know what good security looks like in Azure?" To help answer that question, the Center for Internet Security (CIS), working with Microsoft, developed the CIS Microsoft Azure Foundations Benchmark, based on CIS's consensus best practices for protecting public and private organizations from cyber threats. The Azure CIS Benchmark provides prescriptive guidance for establishing a secure baseline configuration, such as how network security group rules should restrict remote administration from the internet, how storage accounts should enforce encrypted transfer, or how permission levels should be set for identities and applications. Each recommendation is specific and checkable, so the benchmark can also be used to score an organization's Azure security posture rather than just describe it.
Many organizations struggle with this because it is genuinely hard to operationalize the guidance in the benchmark. You need people who can translate the document into the specifics of your environment, and you need centralized visibility into every configuration choice being made. Software-defined infrastructure in the public cloud makes this harder, especially when developers and engineers are empowered with self-service provisioning and configuration: they may not be familiar with the security implications of each setting, and the rate of change in the cloud means that a configuration that was compliant yesterday may not be today. Because the environment is always changing, it is vital to know what configuration choices are being made and to validate them continuously against a security standard. Failing to do so is how companies end up in the data breaches we continuously hear about in the news, many of which trace back to a misconfigured resource rather than a sophisticated exploit.
Visibility is Key
It is critical to have a comprehensive view into your cloud environment to identify misconfigurations as well as to see who has access to what resources and what level of access is permitted.
To close this visibility gap and catch common misconfigurations, organizations need automation tools that provide full visibility into their cloud infrastructure together with the ability to identify and remediate issues as they happen. When selecting an automated system to deliver continuous security and compliance, here are some top considerations:
- Support for multiple Azure subscriptions and for multi-cloud environments.
- Alerting and remediation, with IFTTT-style automation rules ("if this condition is detected, then take this action") so that security can be proactive rather than reactive.
- Support for sending incidents to ticketing systems such as ServiceNow.
- Integrations with SIEM and log-analytics systems such as Splunk.
- Support for SAML-based single sign-on with identity providers such as PingFederate or Okta.
- The ability to create dynamic groups of resources based on tags, so that policies can be scoped to, for example, production versus development workloads.
- An extensive set of pre-built policies that tie back to common regulatory standards and benchmarks, such as the Azure CIS Benchmark.
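To make the "validate configuration against a standard" idea concrete, here is a small policy-as-code check written for this article. It is an added example, not DivvyCloud code and not the benchmark itself. It takes a constructed inventory of Azure resources (shaped loosely like the property names Azure Resource Manager returns, which is an assumption), evaluates two CIS-style controls against it (storage accounts must require secure transfer; network security groups must not allow inbound SSH or RDP from the internet), honours NSG rule priority so that an earlier Deny correctly shadows a later Allow, and then groups the findings by an `env` tag in the way a tag-based dynamic group would. The control names and the resource identifiers are invented for illustration.

```python
"""Evaluate a constructed Azure resource inventory against CIS-style controls.

Added example for this article. The inventory below is constructed test data,
not output from any Azure API, and the resource ids are invented.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports whose exposure to the internet the Azure CIS Benchmark tells you to restrict.
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Source prefixes that mean "anywhere" in an NSG rule (case-insensitive).
INTERNET_PREFIXES = {"*", "internet", "0.0.0.0/0", "any"}


@dataclass(frozen=True)
class Finding:
    control: str
    resource_id: str
    detail: str
    tags: tuple  # sorted (key, value) pairs so findings stay hashable


def tag_items(resource):
    return tuple(sorted(resource.get("tags", {}).items()))


def is_internet_source(rule):
    """True if the rule's source covers the whole internet (or all addresses)."""
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]
    return any(p.lower() in INTERNET_PREFIXES or p.endswith("/0") for p in prefixes)


def port_spec_covers(spec, port):
    """Azure port specs are '*', a single port '22', or a range '3000-4000'."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return spec.isdigit() and int(spec) == port


def rule_covers_port(rule, port):
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "")]
    return any(port_spec_covers(s, port) for s in specs)


def check_storage_secure_transfer(res):
    """Storage accounts must have 'Secure transfer required' enabled."""
    if res["type"] != "Microsoft.Storage/storageAccounts":
        return []
    if res["properties"].get("supportsHttpsTrafficOnly") is True:
        return []
    return [Finding("storage-secure-transfer", res["id"],
                    "supportsHttpsTrafficOnly is not enabled", tag_items(res))]


def check_nsg_remote_admin(res):
    """NSGs must not allow inbound SSH/RDP from the internet.

    NSG rules are evaluated in priority order (lowest number first) and the
    first matching rule decides, so a low-numbered Deny shadows a later Allow.
    """
    if res["type"] != "Microsoft.Network/networkSecurityGroups":
        return []
    findings = []
    rules = sorted(res["properties"].get("securityRules", []), key=lambda r: r["priority"])
    for port, name in REMOTE_ADMIN_PORTS.items():
        for rule in rules:
            if (rule.get("direction") != "Inbound"
                    or not is_internet_source(rule)
                    or not rule_covers_port(rule, port)):
                continue
            if rule["access"] == "Allow":
                findings.append(Finding(f"nsg-{name.lower()}-from-internet", res["id"],
                                        f"rule '{rule['name']}' (priority {rule['priority']}) "
                                        f"allows {name} from the internet", tag_items(res)))
            break  # first matching rule wins, whether it is Allow or Deny
    return findings


CHECKS = [check_storage_secure_transfer, check_nsg_remote_admin]


def evaluate(inventory):
    return [f for res in inventory for check in CHECKS for f in check(res)]


def group_by_tag(findings, key):
    """Tag-based dynamic grouping: findings keyed by the value of one tag."""
    groups = defaultdict(list)
    for f in findings:
        groups[dict(f.tags).get(key, "untagged")].append(f)
    return dict(groups)


# Constructed inventory (not real data). Ids are shortened for readability.
INVENTORY = [
    {"id": "/subscriptions/sub-a/.../storageAccounts/prodlogs",
     "type": "Microsoft.Storage/storageAccounts", "tags": {"env": "prod"},
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"id": "/subscriptions/sub-a/.../storageAccounts/devscratch",
     "type": "Microsoft.Storage/storageAccounts", "tags": {"env": "dev"},
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"id": "/subscriptions/sub-a/.../networkSecurityGroups/web-nsg",
     "type": "Microsoft.Network/networkSecurityGroups", "tags": {"env": "prod"},
     "properties": {"securityRules": [
         {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
          "sourceAddressPrefix": "*", "destinationPortRange": "443"},
         {"name": "allow-admin", "priority": 110, "direction": "Inbound", "access": "Allow",
          "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]}]}},
    {"id": "/subscriptions/sub-a/.../networkSecurityGroups/bastion-nsg",
     "type": "Microsoft.Network/networkSecurityGroups", "tags": {"env": "prod"},
     "properties": {"securityRules": [
         {"name": "deny-rdp", "priority": 100, "direction": "Inbound", "access": "Deny",
          "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
         {"name": "allow-app-range", "priority": 200, "direction": "Inbound", "access": "Allow",
          "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "3000-4000"}]}},
    {"id": "/subscriptions/sub-b/.../networkSecurityGroups/dev-nsg",
     "type": "Microsoft.Network/networkSecurityGroups", "tags": {"env": "dev"},
     "properties": {"securityRules": [
         {"name": "allow-vnet", "priority": 100, "direction": "Inbound", "access": "Allow",
          "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "*"},
         {"name": "allow-all", "priority": 4096, "direction": "Inbound", "access": "Allow",
          "sourceAddressPrefix": "*", "destinationPortRange": "*"}]}},
]

if __name__ == "__main__":
    for env, fs in group_by_tag(evaluate(INVENTORY), "env").items():
        print(f"[{env}] {len(fs)} finding(s)")
        for f in fs:
            print(f"  {f.control}: {f.resource_id}: {f.detail}")
```

Two details matter in practice. The range rule on `bastion-nsg` would expose 3389 (3000-4000 contains it), but the higher-precedence Deny shadows it, and a checker that ignores priority would report a false positive there. Conversely, `dev-nsg` looks harmless until its catch-all rule at priority 4096 is considered, which is exactly the kind of drift a self-service team introduces without noticing. In a real deployment the inventory would come from the Azure Resource Manager API rather than an inline list, and each finding would feed the alerting or remediation workflow discussed above.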
Operationalizing Security Benchmarks Through Automation
Continuous security and compliance in the cloud is essential. "Trust, but verify" is a common phrase in the cloud computing industry. In this context it means that you should trust developers and engineers to provision and configure cloud and container services appropriately, but you must also verify, continuously and independently, that what they deployed actually meets your security, compliance, and governance policies.
DivvyCloud takes the pain out of securing cloud infrastructure in a shared-responsibility world by providing a framework for what organizations should be doing, applied as a continuous, real-time process. DivvyCloud's Cloud Security and Compliance Buyer's Framework provides a preset list of criteria across several categories, making it easier for organizations to establish common criteria and objectively compare competing products. The prescriptive guidance of the Azure CIS Benchmark is implemented in DivvyCloud's Insight Packs, which give immediate and continued visibility into the posture of an organization's Azure environments against the benchmark, and DivvyCloud's Bots automate the remediation of policy violations.
DivvyCloud is a software appliance, not a SaaS offering, which lets enterprise customers grant the software read/write access to their critical infrastructure while keeping it inside their own environment. The platform allows customers to use the underlying data to drive orchestration, to extend the product easily (so they can buy and build), and to integrate the solution deeply throughout their technology stack. DivvyCloud defines policies, monitors the environment against them to ensure compliance, and provides the active protection necessary throughout an organization's cloud journey.
Key features of DivvyCloud’s cloud automation platform include:
- Automating the verification process and making it easy to remediate policy violations automatically, so that environments stay secure and compliant.
- Identifying security risks in real time and taking automatic, user-defined action to fix problems before they are exploited.
- Automating enforcement of best practices and standards including SOC 2, CIS, PCI DSS, HIPAA, and GDPR.
- Providing a global tagging policy that allows the use of metadata to assign different levels of security to your data.
- Improving cloud governance and cloud cost management by enforcing your global tagging policy.
It is important to remember that choosing a cloud provider such as Microsoft Azure does not mean your cloud infrastructure is automatically secure. There are many controls that the customer, not the provider, must configure in order to stay compliant and keep their network and applications secure. Established frameworks such as the Azure CIS Benchmark provide a baseline against which to evaluate your security and compliance. Coupled with an automated cloud management solution, they let organizations operationalize that baseline in real time and gain visibility into, and control over, their security posture.
Interested in learning more? Get your free trial of DivvyCloud or speak with a DivvyCloud expert today!
Establishing Guardrails with DivvyCloud
DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud's software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, the software performs real-time, continuous discovery of infrastructure resources, allowing customers to identify risks and threats. Second, customers implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, the platform automates the enforcement and remediation of those policies.