5 Must-Haves for Effectively Securing Azure
As enterprises move more data and applications to the cloud, security becomes an even more a foundational component because, in order to meet industry compliance requirements, and map to an organization’s larger security strategy, it must be built into the overall cloud platform. When security is deployed as an afterthought, it often needs to be reconfigured by hand when network resources adjust to meet new business needs. Which defeats the whole purpose of building and deploying a scalable and highly elastic cloud infrastructure.
Unfortunately, blanket security is not part of any cloud benefits package. Security is a shared responsibility between your organization and the cloud provider, with very clean lines drawn between responsibilities. True, Microsoft Azure and the other major cloud providers have native security options, but they are focused primarily on securing the underlying network, while customers are expected to secure their own data, applications, workflows, and resources.
Most cloud providers provide documentation that spells out how responsibilities are divided between the provider and the consumer. Below is an example of the Azure model.
While this division may seem clear, the challenge tends to be one of scope and scale. Enterprises today use an average of 61 different cloud applications, about one-third of their total apps, according to the Fortinet Threat Landscape Report for Q3 2017. Complicating things further, many of these apps often span across multiple clouds. Which means that not only does security need to be deeply embedded within a single cloud environment, but security functionalities and protocols need to be able to operate consistently across different cloud environments so that enforcement can be consistently applied even as applications, data, and workflows move across and between cloud networks.
In addition to secure a cloud infrastructure, another serious challenge is the rapid adoption of Software as a Service. Today, anyone with a credit card can spin up or subscribe to a cloud-based application, a problem known as Shadow IT. The result is that many organizations have little to no idea where critical data and resources are being stored, or what tools are being used to access and process information. As a result, combined data breaches and losses from shadow IT applications (those outside of the IT department’s control) are estimated to cost companies between $1.5 trillion and $1.8 trillion every year, according to a 2017 post in the CloudCodes blog.
Concerns about security in the cloud have discouraged many executives from embracing the public cloud. However, the challenge exists not in the security of the cloud infrastructure, but in the policies and technologies used to secure and control the organization’s data and applications. Some analysts are predicting that, through 2022, at least 95% of cloud security failures will be the fault of the customer and not that of the cloud provider.
So, how can enterprises themselves prevent breaches and vulnerabilities when working in the cloud? Each cloud environment is unique, so requirements can change from provider to provider.
For this blog, here are our five must-haves for organizations to effectively secure their workloads in Microsoft Azure, especially when it is part of a larger, multi-cloud strategy.
1. Establish Ease of Use
You must centralize and simplify cloud security management, thereby enabling the automation of lifecycle management processes as well as establish and enforce consistent security policies.
Enforcing security for all assets and applications can be simplified through automation. Dynamic security policies can then rely on workload metadata to immediately and consistently capture all application traffic and assign a level of security commensurate to the needs of the workload.
To begin, therefore, you need to find a security solution that simplifies management, allowing you to focus on security issues and not things like configuration, enforcement, or maintaining consistency between the cloud and other environments.
2. Implement Native integration
Native integration of security capabilities in Azure — such as container security, auto scaling, Azure Resource Manager (ARM) templates, and more — helps you utilize cloud-based automation. This allows you to define consistent policies across your hybrid cloud environment, operate at speed and scale, and dynamically adapt as resources shift. Integration with cloud management resources through APIs also allows you to leverage cloud-based information as part of your overall security policy management and enforcement strategy.
3. Implement Intrusion Protection Systems
As organizations move more services to SaaS and IaaS platforms, complexity increases. With increased complexity comes an even greater need for an integrated approach to threat detection and response. Intrusion Protection Systems (IPS) provide a critical defense against malware, attacks, and exploits. This is especially important given the complexities of the current threat landscape and continually expanding attack surface.
To successfully detect complex threats in public cloud computing environments, comprehensive visibility is absolutely necessary. Network security teams need to be able to monitor and track all security components centrally, while threat intelligence not only needs to be centralized, but also shared in real time across multiple clouds — regardless of which cloud a threat has targeted.
With DevOps environments, teams need the ability to detect suspicious activity and identify compromised accounts. And for the entire network, an integrated security architecture should be backed by threat intelligence powered by advanced artificial intelligence and machine learning methodologies to better correlate threat intelligence, detect unknown threats, and respond at digital speeds.
4. Ensure Application Control
You also need to find a solution that uses application-level visibility and management to help build a secure, fluent multi-cloud infrastructure. Here are a few critical functions that an effective solution needs to provide:
- Blocking or restricting access to risky applications
- Setting security policies based on application type
- Optimizing bandwidth usage by prioritizing, de-prioritizing, or blocking traffic based on the application
5. Maintain High performance and High Availability
Securing Azure and other cloud environments requires resilience through high availability. To achieve this new security paradigm, services need to be available at ever higher SLAs.
To achieve high performance, you need a solution with:
- Security that matches the scalability and elasticity of cloud workloads
- Native cloud orchestration to automate auto scaling, high availability, and segmentation
- Resilient designs that meet your application requirements, without the need for complicated, expensive deployment tools
While public clouds support up to 99.999% of uptime, cloud-based data centers have still failed. A best security practice is to assume that everything will fail at some point, and build in resilience at the application layer sitting on top of the cloud infrastructure.
To avoid unwanted and unexpected downtime, Azure provides various mechanisms for redundancy through Fault Zones and Availability Zones. These provide the opportunity for application architects to implement instance-level and service-level redundancy. Remember that resiliency needs to include your security solutions as well as any infrastructure or applications.
Fortinet security solutions for Azure provide all five of these must-have capabilities.
They offer a broad set of tools that cover the entire attack surface to protect against advanced threats, the ability to integrate cloud controls with on-premises security solutions, and seamless integration and functionality with Fortinet solutions deployed in other environments, regardless of form factor. This means an enterprise gets consistent visibility and control across the entire organization that spans the entire distributed network.
You can discover for yourself the power and simplicity of the Fortinet Security Fabric by test driving our FortiGate Next-Generation Firewall, or taking it for a longer spin with a free 30-day trial. Both options are available now in the Microsoft Azure Marketplace.
For more on this topic, view the complementary on-demand webinar, “5 Essential Capabilities to Effectively Secure Azure,” with Brian Page, Fortinet cloud security architect.