A few weeks ago I spoke to a new Microsoft employee who is trying to find his spot in security within the company. What follows is some advice I gave him.
Before I get started I want to share something that serves as the cornerstone for the rest of this article.
Some years ago, I made a comment that if you’re a developer working in the cloud then you need to learn basic networking, and if you’re a networking geek, you need to learn basic programming.
This comment is, in my opinion, as true today as it was when I first made the comment. The worlds of development and networking are deeply intertwined in the cloud and if you want to excel, you really need to understand both.
Now onto my Azure security advice.
Embrace the complexity
First up, cloud infrastructure is complex, so don’t be too concerned if you don’t understand all of it at once. No-one I know understood all of it from the get-go, either. When you do finally understand it, something new or updated will come along anyway! So don’t be disheartened! Just roll with the punches and keep learning.
I set aside a 2-3 hours a week in my calendar labeled ‘Learn’ and I use Microsoft ToDo to track “Stuff to Learn” as I run across items of interest where I feel I should know more.
Right now I have about 20 items on the list, and whenever I come across something of interest, I add it to the list.
Examples in the list include:
Setup an Azure account
If you don’t already have a free Azure account, sign up for one. There is absolutely nothing that can compare with getting your hands dirty. Head over here to get your free account.
Learn the basic network defenses and technologies
Azure has many network defenses, below is a list of some defenses/techs you MUST understand, I would recommend you learn these before you progress:
- Virtual Networks <link>
- Network Security Groups <link>
- Service End-points <link>
- Azure Private Link<link>
- Web Application Firewall <link>
- Azure Bastion <link>
- Azure Firewall <link>
- Azure Security Center <link>
- Azure Sentinel (at least understand what it is) <link>
- DDoS Protections <link>
Learn the basic application defenses and technologies
Next, you need to understand various application-layer defenses/techs, examples include:
- Azure Active Directory <link>
- Setting up Multi-Factor Authentication <link>
- Azure AD Privileged Identity Management <link>
- Service Principals and Managed Identities <link>
- Application Gateway <link>
- Application Security Groups (they are associated with NSGs) <link>
- Application-specific ‘firewalls’ (eg; SQL Server, CosmosDB etc) <link><link>
- Key Vault <link>
- RBAC <link>
- Azure Policy and Blueprints <link> <link>
- OAuth 2 and OpenID Connect <link>
- Application-specific encryption of data at rest, such as for Storage accounts <link>
Another important topic is compliance. Yes, I realize that security != compliance, but it’s a topic you must be versed in. Start here for your Azure compliance journey.
Now that you have a basic idea of the core security-related tools and technologies available to you in Azure, it’s time to create something. When I want to learn something I build something.
Some years ago when PowerShell was still in its infancy, I asked Lee Holmes, “What’s the best way to learn PS?” He replied, “You know all those tools you wrote in C/C++/C#? Re-write them in PowerShell!” So I did, and I learned an incredible amount about PowerShell in a short time.
What you decide to create is up to you, but what I’d start with is:
- Create two VMs in the same VNet, but different subnets – try pinging one VM from the other, does it work? Explain.
- Using the same VMs, add an NSG to one subnet that blocks all traffic to/from the other VM’s IP address. Can you ping one VM from the other? Explain.
- Create two VMs in different VNets – try pinging them, does it work? Explain.
- Encrypt the hard drive of one of the VMs. You will need to create a Key Vault to do this.
- Take a look at the NSG associated with a VM. Enable Just-in-Time (JIT) access to the VM in Azure Security Center. Now look at the NSG again. Now request JIT access and take another look at the NSG. Explain what happened.
- Create a Key Vault, add a secret and pull out the secret from, say, an Azure Function. This is quite complex and requires you add a managed identity to the Function or run the function in the same VNet as the Key Vault.
- If you used a managed identity in the example above, make sure you assign least privilege access to the Key Vault (ie; read access to secrets and nothing else)
- Create a custom role with very specific actions.
- Create a blob in a Storage Account. Experiment with the various authorization polices, most notably SAS tokens.
- Install Azure SQL and configure ‘Always Encrypted’
- Use Azure Monitor to see who is doing what to your subscription.
- Set an alert on one of the event types.
- Open Azure Security Center – look at your issues (red). Look at the compliance issues (PCI etc)
- Remediate something flagged by ASC.
- Set a policy that only allows a hardware-backed Key Vault and create a non-HSM KV (ie; not Premium). Use this as a starting point https://github.com/x509cert/AzurePolicy. Remember, it can take 30mins after a policy is deployed to it being effective. I previously wrote about Policy here.
I could keep going with more examples and I will update this list over time!
As a side-note, I often use a resource group named rg-dev-sandbox, when experimenting, that way I can blow the resource group away when I am done, leaving nothing behind.
After you have learned and experimented, it’s time to go deep. Pick a product, say Azure SQL Database, and learn absolutely everything there is to know about security, reliability, compliance and privacy for that product. For a product like Azure SQL, this would include:
- Access Policies for data at rest
- Crypto for data at rest (TDE, Always Encrypted, Column Encryption)
- Crypto for data on the wire (ie; TLS!)
- Disaster recovery
- Secure access to connection strings
- Azure AD vs SQL Authentication
- Data masking (ok, not REAL security, but useful nonetheless)
- Threat Protection
- Azure SQL firewall (note a lower-case ‘f’ as it’s not a true ‘F’irewall)
- SQL injection issues and remedies
Consider AZ-500 Certification
I know some people are cynical about certification, but the Azure certifications are not easy and from customers I have spoken to, they are welcome and required. I worked with a large financial organization for over a year and they required their staff working on Azure get certified in various Azure topics. You can get more information about certifications here.
AZ-500 measures Azure security knowledge, and the exam includes labs. I would highly recommend you read the skills outline. Even if you don’t take the exam and get certified, this is a broad set of security-related items you really ought to know.
I hope this helps you on your journey through Azure security, even if this post only skims the surface!
But remember, as soon as you understand it, something will change, so stay abreast of new features and function by monitoring the Azure Heat Map.
Big thanks to my colleague Ravi Shetwal for his review and feedback.