As of this writing, the Azure cloud platform has more than 200 products and services to choose from. With these tools you can create, run, and manage applications across on-premises networks or multiple clouds. Azure also has a wide variety of security tools and features that allow you to customize security in order to meet your company's security needs and make it possible to create secure solutions by using the Azure subscription platform.
Azure security has a number of built-in tools that can be organized into six functional areas: Applications, Compute, Identity and Access, Networking, Operations, and Storage. I will discuss some of the tools and features in each area. This is not a complete list.
Applications
This section will discuss some of the tools and features that are available for application security. I will briefly discuss some of these tools/features and what each is capable of.
Authentication and Authorization in Azure App Service
This feature allows users to sign in to applications without having to change the code on the application backend. It can protect your apps and work with data on a per-user basis.
Layered Security Architecture
App developers can create a layered security approach to provide different levels of network access for each application tier. So, on an Azure Virtual Network (VNet) subnet that contains an App Service Environment, developers can use network security groups (NSGs) to restrict public access to applications.
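As an added illustration (not from the original text), the following Azure PowerShell snippet builds the tiering described above: an NSG on the App Service Environment subnet admits HTTPS only from the front-tier subnet and denies all other inbound traffic. The resource group, VNet, subnet names and address ranges are assumed placeholders.

```powershell
# Added example: restrict an App Service Environment (ASE) subnet so that only the
# front tier (e.g. an Application Gateway subnet) can reach it over HTTPS.
# All names and address ranges below are placeholders; substitute your own.
$rg        = "rg-layered-app"          # placeholder resource group
$location  = "eastus"
$vnetName  = "vnet-app"                # placeholder VNet
$aseSubnet = "snet-ase"                # subnet hosting the App Service Environment
$asePrefix = "10.0.2.0/24"             # placeholder address range of the ASE subnet
$frontTier = "10.0.1.0/24"             # placeholder address range of the front-tier subnet

# Rule 1: allow HTTPS from the front tier only.
$allowFront = New-AzNetworkSecurityRuleConfig -Name "Allow-HTTPS-From-FrontTier" `
    -Description "Only the front tier may call the ASE" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $frontTier -SourcePortRange * `
    -DestinationAddressPrefix $asePrefix -DestinationPortRange 443

# Rule 2: explicit deny for any other inbound traffic, including from the Internet.
# Check which inbound rules your ASE version requires (for example, management
# traffic) before adding a catch-all deny like this one.
$denyRest = New-AzNetworkSecurityRuleConfig -Name "Deny-All-Other-Inbound" `
    -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "nsg-ase" -SecurityRules $allowFront, $denyRest

# Associate the NSG with the ASE subnet and commit the VNet change.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $aseSubnet `
    -AddressPrefix $asePrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify: list the rules now attached to the ASE subnet's NSG.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-ase").SecurityRules |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

The same pattern is repeated per tier (front end, application, data), with each NSG admitting traffic only from the tier directly in front of it.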
Web Application Firewall
The Web Application Firewall (WAF) in the Azure Application Gateway can help protect web applications from common web-based attacks. WAF is preconfigured with protection from threats that have been listed as the top 10 common vulnerabilities by the Open Web Application Security Project (OWASP).
Web Server and Application Diagnostics
The App Service web app can provide diagnostic logging for both the web server and web applications. These are split into two categories of diagnostics, one for the web server and one for applications. Information pertaining to application pools, worker processes, sites, application domains, and running requests can be seen in real time.
Compute
This section will discuss some of the tools and features that are available for compute security. I will briefly discuss some of these tools/features and what each is capable of.
Antimalware and Antivirus
With Azure IaaS, you can use antimalware software from a wide variety of security vendors to protect your VMs. Microsoft Antimalware for Azure Cloud Services and Virtual Machines can help you identify and remove viruses, spyware, and other threats as well as allow you to configure alerts. It can be deployed by using Microsoft Defender for Cloud, which I will be discussing in greater detail later in this chapter.
Azure Confidential Computing
Azure confidential computing lets you keep your data encrypted all the time by using Remote Attestation. Remote Attestation will verify that the VM has securely booted and is properly configured prior to unlocking your data.
Azure Site Recovery
Azure Site Recovery can help with replication, failover, and the recovery of workloads and apps from a secondary location if your primary location fails. I will be discussing Azure Site Recovery in greater detail later in this chapter.
Hardware Security Module
The Azure Key Vault can protect and manage the security of your critical secrets and keys by storing them. Permissions and access to these protected items are managed using Azure AD.
Virtual Machine Backup
Azure Backup can protect your application data. It will automatically allocate and manage your backup storage. You only pay for the storage you use since Azure Backup uses a pay-as-you-use model. I will be discussing Azure Backup in greater detail later in this chapter.
Virtual Networking
Because VMs need network connectivity, Azure requires them to be connected to a VNet. A VNet allows many types of Azure resources to communicate securely with other VNets, the Internet, and on-premises networks. Each VNet is isolated to make sure that network traffic in your deployments is not accessible to other Azure customers.
VM Disk Encryption
You can encrypt your IaaS VM disks using Azure Disk Encryption for Linux VMs or Azure Disk Encryption for Windows VMs. Azure Disk Encryption for Windows VMs applies the Windows BitLocker feature, while Azure Disk Encryption for Linux VMs applies the DM-Crypt feature, to provide volume encryption for the operating system and the data disks. This works with your Azure Key Vault subscription, which holds the encryption keys.
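As an added example (not from the original text), this Azure PowerShell snippet enables Azure Disk Encryption on an existing IaaS VM with the key stored in Azure Key Vault, then verifies the result. The resource group, VM and Key Vault names are assumed placeholders.

```powershell
# Added example: enable Azure Disk Encryption (ADE) on an existing Windows or Linux
# IaaS VM, with the encryption key protected by Azure Key Vault. Names are placeholders.
$rg     = "rg-encrypted-vms"    # placeholder resource group
$vmName = "vm-app-01"           # placeholder VM (Windows -> BitLocker, Linux -> DM-Crypt)
$kvName = "kv-ade-placeholder"  # placeholder Key Vault in the same region as the VM

# The Key Vault must be enabled for disk encryption before ADE can write keys to it.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption

$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg

# Encrypt the OS disk and all data disks. The extension can restart the VM,
# so run this in a maintenance window.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -VolumeType All -Force

# Verify: OsVolumeEncrypted and DataVolumesEncrypted should both report Encrypted.
Get-AzVmDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```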
Identity and Access Management
This section will discuss some of the tools and features that are available for identity and access management. I will briefly discuss some of these tools/features and what each is capable of.
Secure Apps and Data
There are a number of tools/features that can secure applications and data, such as the following:
■ Azure AD is a cloud-based identity and access management service that helps protect access to data in applications on-premises and in the cloud. It also helps with the management of users and groups. You can add other paid features by using the Basic, Premium P1, or Premium P2 edition.
■ Cloud App Discovery allows you to identify cloud applications that are being used by your employees. It is a Premium feature of Azure AD.
■ Azure Active Directory Identity Protection is a security tool that detects identity-based risks. It can provide a consolidated view of risk detections and possible vulnerabilities.
■ Azure Active Directory Domain Services (Azure AD DS) allows you to add Azure VMs to a domain without having to deploy domain controllers. To access resources, your users sign in to the VMs by using their corporate AD credentials.
■ Azure Active Directory B2C (Azure AD B2C) is a customer identity access management (CIAM) solution that allows your customers to sign in to all your apps using their existing social media accounts, or you can create new stand-alone credentials.
■ Azure AD join allows you to expand cloud capabilities to Windows 10/11 devices for centralized management. It allows users to connect to the corporate cloud using Azure AD, which simplifies access to apps and resources.