Azure Security for Modernised Apps: Key Practices

Securing your Azure applications is more critical than ever. With 45% of data breaches happening in the cloud and human error causing 82% of them, protecting your systems requires a robust, multi-layered approach. Here's what you need to focus on:

• Identity Protection: Use multi-factor authentication (MFA), role-based access control (RBAC), and conditional access policies to prevent unauthorised access.
• Data Security: Encrypt data at rest and in transit, manage secrets with Azure Key Vault, and secure database connections with firewalls and private links.
• Network Security: Implement virtual networks, network security groups (NSGs), web application firewalls (WAFs), and API protection to safeguard traffic and endpoints.
• Monitoring and Threat Detection: Leverage Microsoft Defender for Cloud, enable detailed logging, and automate responses to threats with tools like Microsoft Sentinel.

Start with these essentials to protect your apps, data, and users on Azure. Security isn't a one-time effort - it’s a continuous process. Always verify, monitor, and adapt to evolving threats.

How to Secure Your Azure App Services | Azure App Security | Azure Tips & Tricks | Datavalley.ai

Identity and Access Management

Strong identity management is at the heart of securing Azure environments. By implementing effective identity controls, organisations can protect against unauthorised access and potential insider threats. Azure's approach to identity management is deeply rooted in the zero trust principle, which requires every access request to be verified, no matter its origin.

Setting Up Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is one of the most reliable ways to secure user accounts. It adds an extra layer of verification beyond just a password. Starting from 15 October 2024, Microsoft will make MFA mandatory for all Azure users performing any Create, Read, Update, or Delete (CRUD) operations.

Azure MFA integrates seamlessly with Azure AD, letting administrators enforce MFA based on factors like user roles, device types, locations, and risk levels. Conditional Access policies are the go-to method for enabling MFA, offering fine-tuned control over when additional verification is needed. Users can verify their identity through various methods, including Microsoft Authenticator, Windows Hello for Business, FIDO2 security keys, OATH tokens, SMS, and voice calls.

To roll out MFA effectively, follow these steps:

• Assess current MFA coverage across accounts.
• Test the setup to ensure it works as expected.
• Deploy MFA to all accounts systematically.
• Continuously monitor for alerts and adjust settings as needed.

Configuring Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a critical tool for limiting access to only what users need to perform their jobs, reducing the risk of both external and internal security breaches. Best practices for RBAC include:

• Granting the minimum privileges necessary for each role.
• Assigning roles to groups instead of individual users.
• Using unique role IDs for script-based role assignments to avoid errors.

For organisations requiring elevated permissions, Microsoft Entra Privileged Identity Management (PIM) provides features like just-in-time access, approval workflows, and detailed auditing for sensitive roles.

When creating custom roles, avoid using wildcards. Instead, explicitly define Actions and DataActions to prevent unintended permissions. Assign privileged roles with narrow scopes - such as at the resource group or resource level - rather than broader scopes like subscriptions or management groups. Regularly monitor and audit role assignments to catch and correct any unauthorised changes or discrepancies promptly.

Creating Conditional Access Policies

Conditional Access policies serve as dynamic security measures that adapt based on real-time signals such as user location, device compliance, and risk levels. These policies function as if-then statements, combining conditions with access controls to enforce rules intelligently.

Every Conditional Access policy requires users to meet all applied conditions. To implement these policies:

1. Gather session details, including user identity, device information, location, and the application being accessed.
2. Apply access controls based on the collected data.

When creating policies, define clear user assignments and access controls. Use the report-only mode to assess a policy's impact before enabling it, which helps prevent accidental lockouts. Testing policies with designated test users is a good practice, and it's wise to exclude emergency access and service accounts to avoid unintended disruptions.

Microsoft Entra ID P1 licences allow for basic Conditional Access features, while P2 licences unlock advanced policy conditions. To create and manage these policies, users need the Conditional Access Administrator, Security Administrator, or Global Administrator role.

Start with broad policies targeting high-risk scenarios, then refine them over time to address your organisation’s specific needs and risks.

With identity controls in place, the next step is to focus on securing data through encryption and establishing secure database connections.

Data Protection and Encryption

To complement strong identity controls, safeguarding data demands equally stringent encryption methods. Azure offers multiple encryption layers and security tools that work together to defend against data breaches and unauthorised access.

Managing Application Secrets

Azure Key Vault acts as a centralised hub for managing application secrets like passwords, API keys, certificates, and connection strings. By consolidating these credentials, including complex combinations such as usernames and passwords, you reduce the risk of accidental exposure and gain better control over their distribution. Azure Key Vault operates on two tiers: Standard, which uses software-based encryption, and Premium, which includes hardware security module (HSM) protection for enhanced security.

Rotating secrets regularly is essential to maintaining strong security. Microsoft advises rotating secrets at least every 60 days to limit the time attackers could exploit compromised credentials. When using Azure Key Vault, consider these best practices:

• Restrict access by IP address to control which networks can reach the vault.
• Enable purge protection to prevent accidental or malicious deletion of secrets.
• Turn on logging to monitor access attempts and lifecycle events.

Always follow the principle of least privilege, ensuring applications only have the minimal permissions required - typically, read-only access to retrieve secrets.

Enabling Encryption for Data at Rest and in Transit

Azure automatically encrypts data at rest using 256-bit AES encryption. For server-side encryption, Azure manages the encryption seamlessly, while client-side encryption offers customers full control over keys and processes, ideal for highly sensitive data. Whether you choose service-managed or customer-managed keys will depend on your compliance needs and desired control level.

For data in transit, Azure enforces SSL/TLS protocols across services. Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics require encrypted connections to protect data during transmission. Ensure your applications connect securely by setting Encrypt = On and TrustServerCertificate = Off in connection strings.

Transparent Data Encryption (TDE) is automatically enabled on new Azure SQL databases, securing data at rest without affecting application performance or requiring changes to your code.

For virtual machines, Azure Disk Encryption protects both operating system and data disks, supported on Linux and Windows VMs. Encryption keys are managed through Azure Key Vault, centralising control over your encryption setup. Additionally, for secure network-level access, use site-to-site or point-to-site VPN connections to Azure virtual networks. Azure also employs MACsec encryption at the data-link layer to secure traffic between its datacentres.

Securing Database Connections

Protecting database connections involves a combination of access control, network isolation, and data security measures. Firewall rules serve as the first layer of defence, blocking network access unless explicitly permitted by IP address or Azure Virtual Network traffic. Configure these rules to allow only necessary connections, adhering to the principle of least privilege.

Microsoft Entra authentication simplifies identity management for databases, enabling administrators to manage permissions centrally rather than maintaining separate accounts. For additional network security, Private Link assigns private IP addresses to database servers within your virtual network, keeping traffic off the public internet. Network Security Groups (NSGs) can further restrict access by controlling traffic over specific ports.

Azure also offers tools like Dynamic Data Masking to obscure sensitive information for non-privileged users. This is particularly useful in development or testing environments where realistic data structures are needed without exposing confidential details. For the highest level of protection, Always Encrypted ensures that sensitive data remains encrypted throughout its lifecycle, even during processing, and is inaccessible to database administrators.

To enforce secure connections, configure firewall rules and set the minimum TLS version to 1.2 or higher at the logical server level. By combining strict encryption with secure database connections, Azure ensures your applications remain resilient against unauthorised access and breaches, laying the groundwork for robust network controls in the next section.

Network Security Best Practices

Building on strong identity and data protection measures, network security adds another layer of defence to your Azure applications. By securing both external and internal network traffic, network-level controls complement earlier safeguards, creating a unified and robust defence strategy.

Controlling Network Access

Azure Virtual Network (VNet) is the backbone of secure communication, enabling Azure resources to connect safely with each other, the internet, and on-premises networks. When planning your VNet, ensure address spaces are carefully designed to avoid overlaps and allow room for future expansion.

To minimise the impact of potential breaches, segment your network using subnets. Network Security Groups (NSGs) act as stateful firewalls, filtering traffic based on IP addresses, protocols, and ports. Applying NSGs at both the subnet level and individual virtual machine (VM) network interfaces strengthens security by adhering to the principle of least privilege.

Simplify NSG management using service tags, and leverage Application Security Groups (ASGs) to group VMs for policy definition without relying on specific IP addresses. For advanced traffic management, User-Defined Routes (UDRs) allow you to control traffic flow between subnets. This is especially useful when deploying network virtual appliances or Azure Firewall for detailed traffic filtering.

Azure Private Link adds another layer of protection by enabling private access to Azure Platform-as-a-Service (PaaS) offerings via private IP addresses within your VNet. This approach keeps traffic off the public internet, reducing exposure to potential threats. To maintain visibility, monitor NSG flow logs to track and analyse network traffic patterns.

Setting Up Web Application Firewall (WAF)

Azure Web Application Firewall (WAF) is designed to protect internet-facing applications from common web vulnerabilities. Begin by running WAF in detection mode to fine-tune rules before switching to prevention mode. Use managed rules to address widespread threats, and regularly update these rules to keep pace with evolving risks.

Refine WAF policies to avoid blocking legitimate traffic, ensuring authorised users can access your applications without interruptions. You can define WAF configurations as code using tools like Azure CLI, PowerShell, Bicep, or Terraform to ensure consistency across environments and simplify updates. Integrate WAF logs with Azure Monitor and consider forwarding them to a Security Information and Event Management (SIEM) system for a comprehensive view of security events. Additionally, geo-filtering can block traffic from regions where legitimate access is not expected.

Protecting API Endpoints

While WAF protects web traffic, APIs require specific measures to secure data exchanges. Azure API Management serves as a central gateway, offering features such as OAuth 2.0 authorisation, authentication, rate limiting, and request validation.

Use OAuth 2.0 for secure API authentication and validate incoming requests to guard against injection attacks. Rate limiting enforces fair usage, helping to prevent abuse. Regularly review API documentation, ideally in standard formats like OpenAPI, to ensure it aligns with your implementation and remains up to date.

For high-risk scenarios, mutual TLS (mTLS) can provide an extra layer of security by authenticating both client and server communications. Monitor API activity through Azure Monitor, and integrate these insights with your broader security systems to detect unusual behaviour that could signal a threat.

The importance of these measures is underscored by recent breaches, such as those involving Russian state actors who exploited cryptographic secrets, including passwords and authentication keys. These incidents highlight the critical need for effective key management and a layered security approach to protect your applications and data.

Monitoring and Threat Detection

Strengthening Azure's security involves more than just robust network controls - continuous monitoring plays a pivotal role in identifying and addressing potential threats as they arise. This proactive approach transforms Azure’s security from a reactive system into one that stays ahead of evolving risks.

Using Microsoft Defender for Cloud

Microsoft Defender for Cloud acts as a centralised security hub, offering broad threat detection capabilities across all Azure resources. By harnessing advanced analytics, threat intelligence, behavioural analysis, and anomaly detection, this platform can identify risks before they escalate.

Microsoft’s investment in cybersecurity enhances Defender for Cloud’s capabilities. As Raoul van der Voort, Global Service Owner at Rabobank’s Cyber Defense Center, puts it:

"We wanted protection and visibility everywhere. That's why we use Defender for Cloud - it gives us visibility across our hybrid and multicloud environment."

Defender for Cloud doesn’t just generate alerts; it provides context, enabling organisations to view incidents as part of a larger attack campaign rather than isolated events. To optimise its use, enable Defender plans tailored to specific resource types, allowing advanced detection features to kick in. While the platform includes free Cloud Security Posture Management (CSPM) tools, additional paid options are available for more extensive protection. Keep in mind, though, that while the first 30 days are free, malware scanning for Defender for Storage incurs charges immediately.

Another standout feature is File Integrity Monitoring (FIM), which scans critical files - like operating system files, application software, and Windows registries - for unauthorised changes that might signal an attack. Activating FIM on essential systems can help detect tampering early.

A real-world example of the platform’s effectiveness comes from Land O'Lakes, Inc. In March 2023, Cory Durand, Senior Enterprise Cloud Architect, shared how Defender for Cloud helped them:

"identify a bad container and fix it before deploying it".

Setting Up Security Logging and Auditing

Effective threat detection begins with thorough logging. Ensure all resources - virtual machines, containers, serverless functions - are configured for logging. Store these logs in Azure Monitor or Log Analytics workspaces for better analysis and event tracking. Standardising log formats and tagging simplifies cross-service correlation, making it easier to trace security events.

Recent data highlights the importance of these measures: in 2023, 60% of businesses reported at least one major cloud security incident, and attackers launched 68 million phishing campaigns mimicking Microsoft.

Set up log query auditing to monitor and record all workspace queries, treating this data as highly sensitive. Use Log Analytics insights to periodically review audit data and create alerts for unauthorised access attempts.

Data retention policies should balance compliance needs with storage costs. Implement workspace locks to avoid accidental deletions and consider exporting critical logs to tamper-proof storage solutions. Additionally, configure alerts for anomalies like repeated sign-ins from unfamiliar locations or unusual data transfers. For added protection, link workspaces to dedicated clusters and use Azure Private Link to block public network access. These logging frameworks lay the groundwork for automated responses, further securing your environment.

Automating Security Responses

Manual responses to threats can be slow, delaying containment. Tools like Azure Logic Apps and Microsoft Sentinel playbooks enable automated workflows that act quickly and consistently. Microsoft Sentinel provides two automation options: centralised automation rules and playbooks for more complex scenarios.

Incident-triggered automation is often the preferred approach, as it compiles all relevant information into case files for faster investigations. Alert-triggered automation, on the other hand, works well for analytics rules that don’t create incidents.

Automation can handle tasks such as enriching threat data, syncing with external systems, orchestrating complex workflows, and taking immediate protective actions. For example, integrating Microsoft Entra ID Protection allows Sentinel to create an incident when suspicious activity occurs. An automated playbook can then block the affected user account, preventing further compromise while the security team investigates.

When setting up automation, test Logic Apps manually before enabling automatic execution. Assign the "Microsoft Sentinel Automation Contributor" role to the Sentinel service account for resource groups containing playbooks. Configure automation rules to trigger on incident creation or updates, or when specific alerts are generated. Actions can include assigning tasks, updating severity levels, tagging incidents, or executing playbooks. This approach ensures consistent handling of incidents, freeing security teams to focus on more complex investigations and strategic improvements.

Conclusion: Securing Your Modern Azure Applications

Protecting modern Azure applications requires a multi-layered defence strategy. The steps outlined in this guide provide a solid framework for small and medium-sized businesses to safeguard their systems and data effectively.

Identity protection is crucial - tools like multi-factor authentication (MFA), conditional access policies, and role-based access control (RBAC) serve as strong barriers against unauthorised access. Data security ensures sensitive information remains safe, with encryption and secret management keeping it secure even in the event of a breach. Network security measures, such as web application firewalls (WAFs), access restrictions, and API protection, further limit an attacker’s ability to navigate through your environment. These layers, combined with vigilant monitoring, create a comprehensive security shield.

Continuous monitoring and threat detection are essential components of this strategy. With cyber threats evolving at an alarming pace - attackers can exploit vulnerabilities in mere minutes - your defences must be agile and adaptive. The Zero Trust principle, which operates on the mantra of "never trust, always verify", reinforces the idea that every access attempt, no matter its source, requires thorough validation.

While Microsoft’s shared responsibility model secures the core infrastructure, your organisation is responsible for protecting applications, identities, and data. This shared approach underscores the importance of taking proactive steps to secure your environment.

Start with the basics: enable MFA, enforce strict access controls, and implement encryption. Build upon these essentials with advanced network security tools and consistent monitoring. Regular security assessments can uncover potential weaknesses, while staying informed through resources like Microsoft Learn ensures your strategies remain effective against emerging threats.

Remember, security is not a one-time effort - it’s a continuous process. As your applications grow and threats evolve, so too must your defences. The practices in this guide serve as a roadmap for creating and maintaining secure Azure applications. By adopting a Zero Trust approach and scrutinising every access request, you can better protect your organisation.

For more detailed guidance on improving your Azure setup, explore resources on Azure cost optimisation, cloud architecture, and performance best practices.

FAQs

What are the best ways to monitor and detect threats in Azure applications?

To keep Azure applications secure and resilient against threats, organisations should take full advantage of Azure's built-in security tools. Begin by activating Microsoft Defender for Cloud, which offers comprehensive threat protection for Azure resources. Pair this with Azure Security Centre to gain centralised visibility and control over your environment, and use Azure Monitor to dive deep into performance metrics and observability.

For more sophisticated threat detection, set up Azure Sentinel, a cloud-native SIEM (Security Information and Event Management) solution. It enables real-time identification and response to potential risks. Strengthen your strategy further by conducting regular security audits, implementing a zero-trust model, and deploying automated alert systems. Together, these measures help safeguard your modern applications from ever-changing threats.

What are the key best practices for using Role-Based Access Control (RBAC) on Azure to enhance security?

To boost security using Azure RBAC, consider these key practices:

• Assign only necessary permissions: Stick to the least privilege principle by giving users access to just what they need to do their jobs.
• Keep subscription owners to a minimum: Restrict the number of users with owner-level access to lower potential vulnerabilities.
• Develop custom roles: Instead of solely relying on built-in roles, create roles that align with your organisation's specific requirements.
• Regularly review role assignments: Keep a close eye on permissions to ensure they remain relevant and appropriate.
• Leverage Azure AD Privileged Identity Management: Use this tool for just-in-time access and to set up approval workflows for elevated permissions.

Taking these steps will help you tighten security and maintain better control of your Azure setup.

What is Azure Key Vault, and how can it help secure application secrets effectively?

Azure Key Vault: Strengthening Data Security

Azure Key Vault is a cloud-based service designed to bolster data security by securely storing and managing sensitive information, such as application secrets, encryption keys, and certificates. It employs envelope encryption and hardware security modules (HSMs), and works seamlessly with Azure Active Directory to enforce precise access controls.

Here are some practical tips for managing application secrets effectively:

• Separate vaults for different environments or applications: Keep secrets organised and isolated to minimise cross-environment risks.
• Apply the least privilege principle: Grant only the access necessary for specific roles or tasks.
• Rotate secrets regularly: Frequent updates reduce the chances of exposure or misuse.
• Monitor and audit access logs: Keep an eye on activity to spot any unauthorised access promptly.

By implementing these measures, you can significantly lower the chances of data breaches and maintain a strong security posture for your applications.

Related posts

• 5 Azure Security Best Practices for SMBs
• Checklist for Securing Azure Data in Transit
• Ultimate Guide to Azure Data Security Auditing
• 5 Steps to Implement Zero Trust in Azure