The Azure Well-Architected Framework is a set of guidelines spanning five key pillars that can be used to optimise your workloads. In the previous blog we covered Reliability, relevant services and the review tool provided by Microsoft. This time we will focus on the Security pillar of the framework.
Overview of Security
Security is a pillar that must be thought about throughout the lifecycle of a workload, but especially during the initial design and architecture phase. The main aim of the security pillar is to protect applications and data from threats. By implementing security best practices, you improve the overall confidentiality, integrity and availability of your workloads. With the adoption of modern cloud services and architectures, the attack surface an attacker can exploit is far greater and more complex than it has ever been before. The modern services that improve the reliability, scalability and cost efficiency of your workloads can also be your downfall if security is an afterthought. As a minimum, you should be thinking about the following areas during system design, not just at code level but at infrastructure level too:
- Identity & Access Management
- Threat Protection
- Cloud Security
- Information protection
- Information Governance
- Risk management
- Compliance Management
- Discover & Respond
Security Principles
When designing for security in Azure, there is a set of principles covered in the Framework that you must think about before deploying your workloads. Those principles include:
- Plan your workloads, consider security exploits when designing and understand how to harden them
- Drive least privileged processes throughout the application and use automation to minimize human interaction where needed.
- Classify data according to risk and apply industry standard encryption where possible.
- Monitor your workload security and ensure you have a planned response
- Protect against code-level vulnerabilities, not just infrastructure and networking
- Test potential threats and use the output to establish mitigation processes.
Security Services
When designing workloads, Azure provides a set of services that, once implemented, will assist with the principles of security. The main services you should be thinking about are below:
- Protect identities with MFA, Privileged Identity Management, Conditional Access, Risk sign-ins, RBAC and Managed Identities.
- Monitor and secure networks using Network Watcher, Azure Firewall, WAF, DDoS Protection, Network Security Groups and segmentation.
- Encrypt data using Key Vault, HSM and encryption at rest and in transit.
- Understand your security posture and threat protection using Microsoft Defender for Cloud
- Model and test potential threats using code analysis and penetration testing
- Enforce governance, compliance and resource controls using Management Locks, Azure Policy, IaC and Blueprints.
Review your workloads
We will continue to cover the remaining pillars throughout this series of blogs. As highlighted in previous posts, you can review your current posture against the five well-architected pillars. The tool is free and can be accessed here.
For a more in-depth Architecture Review feel free to reach out to Transparity’s Azure Cloud Experts.