Sonrai Security website logo for identity and data governance and cloud security

Avoiding Common Microsoft Azure Configuration Errors

Author: Eric Kedrosky | Date: September 1, 2020
Read Time: 5 minutes
Skill Level: Technical
Skill Level: Technical
Avoiding common Microsoft Azure Configuration Errors icon for enterprise cloud security

If you're still wondering if 'identity' is the new perimeter for cloud security, you only have to look at how the major cloud services purveyors are managing that premise. The truth is that all three of them - AWS, Google Cloud Provider, and Microsoft Azure - now assert that 'identity' and access management (IAM) are essential tools for maintaining today’s secure enterprise infrastructure. 

Too many companies make the same mistakes when configuring their cloud-based IAM strategy, resulting in unnecessary vulnerabilities. If your organization uses Microsoft's Azure IaaS platform, then you'll want to avoid making the Azure configuration errors that are most common among like-minded users.   

Start at the Center

Network perimeters have become particularly porous, especially with today's extended remote workforce deployments. Any one of those BYOD's at work in your organization could be the unprotected portal that allows entry to your system of a devastating virus or worse. It's almost impossible for any company to maintain a secure perimeter that encompasses all of those distributed endpoints. Instead, look to the center of your enterprise - its foundational databases, servers, and processing units - as the source of your optimal security defenses. Maintaining tight controls over who or what gains entry to those is where you'll find your data security peace of mind.    

Azure's Active Directory

Microsoft's Azure platform protects critical corporate information through the IAM controls embedded in its Azure Active Directory (Azure AD). The Azure AD manages access to both your internal resources (your proprietary apps, network, and intranet connections, etc.) and your external resources (such as the Azure portal, Microsoft 365, and all of Microsoft's thousands of other SaaS options). Administrators set the Azure AD controls' parameters to ensure only the right people and programs access only the information they need for the job at hand. Multi-factor authorizations, complex passwords, and encryption are just some of the data-security options administrators can use to ensure only appropriate people gain access to corporate computing information.    

The Azure AD also offers other benefits and opportunities. Provisioning can be complicated, especially when there are numerous devices and machines drawing from data stores with limited availability. The Azure AD facilitates provisioning for both your Windows server and all your Microsoft apps. The platform also automates the protection of user credentials and identities to achieve compliance with data security regulations, so you are always assured that your organization is secure and that it can prove that fact.   

Avoid These Microsoft Azure Mistakes

All that being said, perhaps the most common data security mistake made by most companies is their lapse of system oversights after they've engaged the Azure AD platform. Yes, the system does perform amazing feats, but it still requires appropriate configuration and attention to retain its mastery of data protection. Further, ongoing attention to these details will also save money while optimizing the performance of your system.

Data Security Errors:

Tune-up fundamental access procedures

There are two types of cybercriminals to guard against: 

  • Hackers - those external malfeasants who gain entry through phishing or other outside-in ploys, and 
  • Insiders - trusted colleagues, staffers, and business partners who exploit their position to gain access to information they then use for personal gain. 

Fundamental access controls, including Role-Based Access Control (RBAC) and Multifactored Authorizations (MFAs), can prevent intrusions by both types of criminals. These controls verify the identity of valid users, then monitor their usage to ensure it remains within the security parameters mandated by their work. 

Tune-up subsequent access privileges

Network Security Groups manage ingress and egress to the Azure resources contained within an Azure network. Often, to ease access and speed productivity, Admins will set broader security configurations on these controls so that essential access isn't inadvertently denied. However, that broad access rule also allows insiders to access resources they don't need to access. Setting the controls with the least permissive settings will prevent intrusions through these portals.  

Monitor your activity logs

Your Azure databanks also record who's accessing your Azure resources, and that information can alert you to inappropriate use or activity. The Azure Activity Log integrates with Azure's Operations Management System (OMS) and Power BI solutions, allowing you to monitor all the create, delete, update, and action behaviors occurring across your Azure network.  

Watch your resting data, too

Not all your data is used all the time, but most of it still needs storage and security until it's needed or permanently deleted. Too many companies fail to adequately protect their "data at rest," leaving them vulnerable to external and internal intrusions. Encrypting it, which makes it unintelligible to unauthorized entities, maintains its integrity and keeps it secure. Azure automatically encrypts all new data storage banks by default; your organization should keep those settings and apply them to your older stores, as well. 

Data Optimization Errors

Another error often made in Azure's configuration is the failure to optimize its operations tools. 

Optimize your resource tags

Tagging Azure resources identifies them within the database so that other resources can find and access them. Managing tags is a critical operational and security function since they allow access to vital corporate resources — accordingly, only users with write access to the Microsoft.Resources/tags resource can apply tags to resources. 

Optimize your inventory utilization

Just like resting data, not all resources are in high demand all the time. Maintaining them for that level of functioning is expensive, so Azure gives you the power to scale them down when demand is low. Tracking your corporate resources allows you to scale up and down according to your market sector's requirements. 

Expensing Errors:

Monitor your metrics

Resource tracking provides not just information about cyclical demands on your organization, but also about the costs of maintaining readiness to meet those demands. Overprovisioned but unused resources waste money. Azure can alert you when your resources are sitting idle so you can adjust your settings appropriately.

Access the Microsoft Azure Resource Manager (ARM)  

You'll need control over all your Azure assets to maximize your organizational security, and the ARM gives you that control. This overarching layer lets you create, enable, update, and delete the full scope of your Azure account's resources, including your access and identity controls. The ARM manages your account using templates, not scripts so that you can control all your assets as a group. It applies access control to all your services by the native integration of RBAC in the management platform, as well as facilitates tagging, billing, and ensuring consistent scaling. 

Explore the values of Microsoft Azure Hybrid Benefits

Microsoft's Windows platform has been a top enterprise OS choice for years, which is why so many companies select Windows Servers and their companion SQL Servers as their on-prem computing solution. The Microsoft Azure Hybrid Benefit maximizes the investment value of those on-prem servers by permitting the running of Windows VMs on Azure's cloud after the migration to a hybrid configuration. Customers reduce their costs by using their own "virtual" machines while gaining the benefits of Azure cloud assets.  

Today's complex computing environments are rife with threats and vulnerabilities, some of which come from external sources, and others that exist within the company HR roster. Keeping your organizational data safe from intrusion by either requires employing today's best data security practice: adopting the premise that identity and access management provides - the new and true data security perimeter. Microsoft's Azure platform offers a wide range of identity and access management tools you can use to ensure your company's information is safe and protected, while also optimizing its performance and productivity.  

You Might Also Like

AWS IAM Breakdown… and common mistakes!

Let me just start with this statement… EVERYTHING in AWS (Amazon Web Services) is related to an AWS Identity and Acce[...]

Read More

Attackers Find AWS S3 Bucket With 17m Users

CouchSurfing is an online service that lets users find free lodgings around the world. Currently the company is inv[...]

Read More

Identities Are Still The New Perimeter

Powerful identity and access management (IAM) models of public cloud providers like AWS, Microsoft Azure, and Googl[...]

Read More
magnifier