An overview of Microsoft’s top best practices for cloud security for your organization.
Cloud security is a fundamentally new landscape for many companies that have recently moved to the cloud from on-premises. While many security principles remain the same as on-premises, the approach and implementation are often very different. If your organization is currently operating a cloud-based solution, these best practices from Microsoft offer a solid starting point for protecting your company and customer data.
Source: Microsoft Azure, Five Best Practices For Cloud Security Infographic.
1. Strengthen access control
Traditional security practices are not enough to defend against modern attacks. Therefore, the modern security practice is to “assume breach”: protect as though the attacker has already breached the network perimeter. With the rise of remote and hybrid work, users now work from multiple locations across multiple devices, so access control is more important than ever.
Operate in a zero-trust model
Zero Trust is the essential security strategy for today’s reality. Instead of assuming everything behind the corporate firewall is safe, this security model assumes breach and verifies each request as though it originates from an open network. Your company should “never trust, always verify” when operating with this model. Regardless of where the request originates or what resource it accesses, verify the identity of everything and anything trying to authenticate or connect before granting access.
Institute multifactor authentication
Provide another layer of security by requiring two or more of the following authentication methods:
Something you know (typically a password)
Something you have (a trusted device that is not easily duplicated, like a phone)
Something you are (biometrics)
This further reduces the risk of someone accessing your data, even if they have managed to obtain usernames and passwords.
Implement a password security policy
Ensure employees practice good password hygiene and implement strong password policies by requiring at least one upper-case letter, one lower-case letter, one symbol, one number, and a minimum length of 14 characters. Employees should also change their passwords every 90 days for extra security.
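As an added example (not part of the original post), the password rules above expressed as a checker in Python: it reports which of the stated rules a candidate password fails and whether the 90-day rotation window has elapsed. The sample passwords and dates are constructed.

```python
from datetime import date, timedelta

# Policy parameters taken from the post: one upper-case letter, one lower-case
# letter, one symbol, one number, at least 14 characters, rotate every 90 days.
MIN_LENGTH = 14
MAX_AGE_DAYS = 90


def password_violations(password: str) -> list[str]:
    """Return the list of policy rules the password fails (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no number")
    # A symbol here is any character that is neither alphanumeric nor whitespace.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("no symbol")
    return violations


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password is older than the 90-day rotation window."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample inputs; a real check would read from the identity provider.
    for candidate in ["Summer2024", "correct-horse-battery-Staple9!", "noupper-butlong-1234!"]:
        problems = password_violations(candidate)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
    print("rotation due:", rotation_due(date(2024, 1, 1), date(2024, 4, 15)))
```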
Take advantage of conditional access
Master the balance between security and productivity by factoring how a resource is accessed into an access control decision. Implement automated access control decisions for accessing your cloud apps that are based on conditions.
2. Secure apps and data
Protect data, apps, and infrastructure through a layered, defense-in-depth strategy across identity, data, hosts, and networks.
Encryption
Implement encryption for your data both at rest and in transit. Consider also encrypting data in use with confidential computing technologies.
Create a cloud security policy
Create written guidelines that specify how to use cloud services, what data should be stored in the cloud, and how employees should safeguard data and applications in the cloud. You should also train everyone in the company on basic security tactics, including how to spot cyberthreats and how to respond to them.
Share the responsibility
When a company operates primarily on-premises, it owns the whole stack and is responsible for its security. Your responsibilities change depending on how you use the cloud, with some responsibilities moving to your cloud provider.
IaaS: for applications running in virtual machines, more of the burden is on the customer to ensure that both the application and OS are secure.
PaaS: as you move to cloud-native PaaS, cloud providers like Microsoft will take more security responsibility at the OS level itself.
SaaS: at the SaaS level, more responsibility shifts away from the customer as your cloud provider hosts your solution. See the shared responsibility model for Microsoft here.
3. Mitigate threats
Operational security posture—protect, detect, and respond—should be informed by unparalleled security intelligence to identify rapidly evolving threats early so you can respond quickly.
Enable detection for all resource types
Ensure threat detection is enabled for virtual machines, databases, storage, and IoT. For instance, Microsoft's Azure Security Center has built-in threat detection that supports all Azure resource types.
Integrate threat intelligence
Use a cloud provider that integrates threat intelligence, providing the necessary context, relevance, and prioritization for you to make faster, better, and more proactive decisions.
4. Protect your network
We’re in a time of transformation for network security. As the landscape changes, your security solutions must meet the challenges of the evolving threat landscape and make it more difficult for attackers to exploit networks.
Keep strong firewall protection
Setting up your firewall is still essential, even with identity and access management. Controls must be in place to protect the perimeter, detect hostile activity, and build your response. A web application firewall (WAF) protects web apps from common exploits like SQL injection and cross-site scripting.
Enable Distributed Denial of Service (DDoS) Protection
Protect web assets and networks from malicious traffic targeting application and network layers to maintain availability and performance while containing operating costs.
Create a micro-segmented network
A flat network makes it easier for attackers to move laterally. Familiarize yourself with virtual networking, subnet provisioning, and IP addressing concepts. Use micro-segmentation, and embrace the newer concept of micro-perimeters to support zero-trust networking.
Takeaway
Don’t let data security concerns prevent your company from leveraging the many benefits of cloud solutions. Typically, cloud solutions offer greater security than on-premises because you share the responsibility of security with your cloud provider.
That is why, if you are considering a move to the cloud, it is critical to select a trusted cloud provider with a range of certifications, security compliance credentials, and robust security protocols. To learn more about how Microsoft protects your data in the cloud, check out this blog post about Security in Dynamics 365.