Business Scenario:
Organizations should start looking toward more advanced approaches like zero-trust model and identity-centric services if they are facing below scenarios.
Zero Trust is a security strategy. It is not a product or a service, but an approach in designing and implementing the of security principles like: Verify explicitly, use least privileged access, Assume breach.
Implementing the Zero Trust mindset to “assume breach, never trust, always verify” requires changes to cloud infrastructure, deployment strategy, and implementation.
- The cloud is an essential technology for remote work, but it also comes with risks. poor configuration in the public cloud, particularly relating to access. Organizations can unintentionally grant users too much access or fail to implement the strong access controls.
- Employees working remotely have expanded attack fronts.
- Possibility of ransomware attacks increasing in remotely working environment.
- Users are accessing sensitive data through unsafe Wi-Fi networks.
- Employees are protecting their accounts with weak passwords.
- DDoS attack might impact the business by preventing remote workers from accessing services over the internet.
Business Challenges:
while implementing below challenges might be encountered.
- Managing multiple Azure subscription.
- Managing Azure storage with granular permission.
- Managing Virtual Machine in terms of identity and access.
- Managing Spoke and Hub VNets in a secure way.
- Managing Azure monitor and Defender in a consolidated way.
Solution Strategy:
Below strategy can be implemented to ensure Zero Trust and overcome the above business challenges.
Azure Subscription
- One or more subscriptions can be managed together using a Management Group.
- This will give you the capability to apply permissions with role-based access control (RBAC) and Azure policies to a group of subscriptions rather setting up each subscription individually.
Azure Storage
- Isolate each storage account in a different resource group for more granular permission control.
- You can deploy one storage account for each type of storage, Blob storage and Azure Files. This gives more granular access control and can enhance performance.
- To protect data in all three modes: data at rest, data in transit, data in use.
- Use encryption in transit, often use HTTPS to secure communication over the public internet.
- Prevent anonymous public read access, to prevent data violations from anonymous access, you should specify who has access to your data.
- Prevent shared key authorization, this configuration will force the storage account to reject all requests made with a shared key and require Azure AD authorization instead. Azure AD is a more secure choice as you can influence risk-based access mechanisms to harden access to data tiers.
- Implement a minimum required version of transport layer security (TLS), Implementing a minimum TLS version will reject requests from clients using older versions.
- Outline the scope for copy operations, restricting copy operations to source storage accounts with private endpoints is the extremely restrictive option.
- Using customer-managed keys (CMK) provides more abilities to control rotation of the key encryption key or cryptographically erase data.
- Verify users and control access to storage data with the minimal privileges, Using Role-based Access Control with Storage Accounts allows you to granularly outline access-based job function using OAuth 2.0. You can correspond your granular access to your Conditional Access Policy.
- Use Defender for Storage for automated threat detection and protection.
Azure Virtual Machines
- Logical isolation for virtual machines, Deploy virtual machines for workload tiers such as front end, application, and data in different resource groups to further isolate access control.
- Configure logical isolation for virtual machines; using dedicated resource groups permits you to set policies and permissions that apply to all the virtual machines Inside the resource group.
- Leverage Role Based Access Control (RBAC), Implement just-in-time and just-enough access (JIT/JEA) based on the user role.
- Secure virtual machine boot components, Enable Secure boot, enable vTPM, Enable Integrity Monitoring.
- Enforce customer-managed keys and double encryption ensures that if a disk is exported, it is not readable or able to function.
- Implement Virtual Machine Applications feature to control the applications that are installed on virtual machines.
- Implement multi-factor authentication with conditional access within Azure AD. Implement Azure Bastion to secure connections to virtual machines.
- Set up secure maintenance of virtual machines, Implement anti-malware in virtual machine. Automate the updates using Azure update manger, so that virtual machines are protected from the latest malware and misconfiguration exploits.
- Enable advanced threat detection and protection, based on Microsoft’s threat intelligence Advanced threat protection verifies the activities occurring on virtual machine.
Azure Spoke Virtual Network
- Implement Azure AD RBAC built-in roles for network contributors. Set up custom roles to access just what is needed.
- Isolate infrastructure into its own resource group, with dedicated resource group you can assign a custom role using RBAC for Spoke virtual network.
- Create a network security group for each subnet, apply a network security group to each subnet.
- For a multi-tier virtual machine-based application, Enforce dedicated network security group.
- Implement application security group for each virtual machine role.
- Secure traffic and resources within the VNet, implement baseline deny rules for network security groups, implement application specific rules for application security groups, project for management traffic in the VNet, Deploy network security group flow logging.
- Secure access to the VNet and application, enforce multi-factor authentication and conditional access policies for user access to the application.
- Enable advanced threat detection and protection.
Azure Hub Virtual Network
- Azure Firewall Premium provides advanced features for examining traffic.
- Configure Azure Firewall Premium for Zero Trust, Enable Threat Intelligence, Enable TLS inspection, Enable the Intrusion Detection and Prevention System.
- Deploy Azure DDoS Protection Standard, this increases Zero Trust protection supplied on the Azure Platform. Create a DDoS protection plan, Enable DDoS protection for all virtual networks.
- Configure network gateway routing to the firewall, configure route tables on various subnets to assure that traffic between spoke VNets and the on-premises networks are inspected by the Azure Firewall.
- This will accelerate the level of audit and increase the security of your environment.
- Configure gateway subnet routing, associate the route table to the gateway subnet, configure spoke subnet routing.
Microsoft Defender for Cloud and Azure Monitor
- Use Management group as the extent, you will be able to combine in a single portal for all the functioning of Azure Monitor and Defender for Cloud. For example, Secure Score, provided by Defender for Cloud, will be combined for all your subscriptions.
- Enable Microsoft Defender for cloud to automatically evaluate your storage accounts.
Reference architecture for this Zero Trust
Outcome & Benefits:
- Lowered an organization’s attack surface.
- Microsegmentation minimize the damage when an attack does occur by limiting the violation to a small area.
- Low cost of recovery from a security attack.
- Fewer chances of user credential theft and phishing attacks by needing multiple authentication factors.
- Elimination of the risk posed by vulnerable devices, including IoT devices.
Ratnadeep Sawate
Azure Infrastructure Architect