![\"\"](\"http:\/\/www.kofrimpong.com\/wp-content\/uploads\/2019\/01\/defense_in_depth_layers_small.png\")
<\/figure><\/div>\n\n\n\nData<\/strong><\/p>\n\n\n\n It’s the responsibility of those storing and controlling\naccess to data to ensure that it’s properly secured:<\/p>\n\n\n\n Application<\/strong><\/p>\n\n\n\n Compute<\/strong><\/p>\n\n\n\n Networking<\/strong><\/p>\n\n\n\n Perimeter<\/strong><\/p>\n\n\n\n Identity and access<\/strong><\/p>\n\n\n\n Physical security<\/strong><\/p>\n\n\n\n With the explosion of bring your own device (BYOD), mobile\napps, and cloud applications, network perimeters, their firewalls, and physical\naccess controls are no longer the best primary way to protect corporate data. Identity\nhas become the new primary security boundary.<\/p>\n\n\n\n Single sign-on is a great identity security feature you\nshould use. Users need to remember only one ID and one password. Access across\napplications is granted to a single identity tied to a user, thereby simplifying\nthe security model.<\/p>\n\n\n\n Azure Active Directory (AD) has built in support for\nsynchronizing with your existing on-premises Active Directory or can be used\nstand-alone. This means that all your applications, whether on-premises, in the\ncloud (including Office 365), or even mobile can share the same credentials.<\/p>\n\n\n\n Multi-factor authentication (MFA) provides additional\nsecurity for your identities by requiring two or more elements for full\nauthentication<\/p>\n\n\n\n It’s usually valuable for services to have identities.\nOften, and against best practices, credential information is embedded in\nconfiguration files. Use service principals and managed identities. <\/p>\n\n\n\n A principal<\/strong> is an\nidentity (a thing that can be authenticated) acting with certain roles or\nclaims. Groups are often also considered principals because they can have\nrights assigned.<\/p>\n\n\n\n A service principal<\/strong>\nis an identity that is used by a service or application. And like other\nidentities, it can be assigned roles.<\/p>\n\n\n\n Managed identities for Azure services makes the creation and management of service principal easy. A managed identity can be instantly created for any Azure service that supports it. When you create a managed identity for a service, you are creating an account on the Azure AD tenant. The Azure infrastructure will automatically take care of authenticating the service and managing the account.<\/p>\n\n\n\n More info at: Use RBAC to map identities to roles. Roles are sets of\npermissions that users can be granted to access an Azure service instance. Roles\ncan be granted at the individual service instance level, but they also flow\ndown the Azure Resource Manager hierarchy.<\/p>\n\n\n\n Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews.<\/p>\n\n\n\n Encryption makes data unreadable and unusable to\nunauthorized viewers. You can use symmetric or asymmetric encryption.<\/p>\n\n\n Symmetric encryption uses the same key to encrypt and decrypt the data.<\/p>\n Asymmetric encryption uses a public key and private key pair. Either key can encrypt but a single key can’t decrypt its own encrypted data. To decrypt, you need the paired key. Transport Layer Security (TLS) (used in HTTPS) is an example.<\/p>\n<\/div>\n\n\n Encryption is typically approached in two ways: encryption\nat rest and encryption in transit.<\/p>\n\n\n\n Encryption of data at rest ensures that the stored data is\nunreadable without the keys and secrets needed to decrypt it.<\/p>\n\n\n\n Azure provides many ways to help you encrypt your data, be it at rest or in transit.<\/p>\n\n\n\n Azure Storage Service Encryption for data at rest helps you\nprotect your data to meet your organizational security and compliance\ncommitments.<\/p>\n\n\n\n Storage Service Encryption provides low-level encryption\nprotection for data written to physical disk. Azure Disk Encryption leverages\nthe industry-standard BitLocker feature of Windows and the dm-crypt feature of\nLinux to provide volume encryption for the OS and data disks. The solution is\nintegrated with Azure Key Vault to help you control and manage the disk\nencryption keys and secrets (and you can use managed service identities for\naccessing Key Vault).<\/p>\n\n\n\n Transparent data encryption (TDE) helps protect Azure SQL\nDatabase and Azure Data Warehouse against the threat of malicious activity. It\nperforms real-time encryption and decryption of the database, associated\nbackups, and transaction log files at rest without requiring changes to the\napplication. By default, TDE is enabled for all newly deployed Azure SQL\nDatabase instances.<\/p>\n\n\n\n How do we ensure that the keys use to encrypt and decrypt\ndata are themselves secure? Azure Key Vault is a cloud service that works as a\nsecure secrets store. Key Vault allows you to create multiple secure\ncontainers, called vaults. These vaults are backed by hardware security modules\n(HSMs). Vaults help reduce the chances of accidental loss of security\ninformation by centralizing the storage of application secrets.<\/p>\n\n\n\n Because Azure AD identities can be granted access to use Azure Key Vault secrets, applications with managed service identities enabled can automatically and seamlessly acquire the secrets they need.<\/p>\n\n\n\n Azure provides the tools for a layered approach to securing\nyour network footprint.<\/p>\n\n\n\n To provide inbound protection at the perimeter, you have a\ncouple of choices:<\/p>\n\n\n\n Azure DDoS protection provides basic protection across all\nAzure services and enhanced protection for further customization for your\nresources. Azure DDoS protection blocks attack traffic and forwards the\nremaining traffic to its intended destination. Within a few minutes of attack\ndetection, you are notified using Azure Monitor metrics.<\/p>\n\n\n\n Once inside a virtual network (VNet), it’s crucial that you\nlimit communication between resources to only what is required.<\/p>\n\n\n\n For communication between virtual machines, network security\ngroups are a critical piece to restrict unnecessary communication. They provide\na list of allowed and denied communication to and from network interfaces and\nsubnets, and are fully customizable.<\/p>\n\n\n\n It’s common to have existing network infrastructure that needs to be integrated to provide communication between on-premises networks and services in Azure. Use Virtual private network (VPN) connections or Azure ExpressRoute.<\/p>\n\n\nIdentity and access<\/i><\/a><\/h2>\n\n\n\n
Single sign-on<\/i><\/a><\/h4>\n\n\n\n
Multi-factor authentication<\/i><\/a><\/h4>\n\n\n\n
Providing identities to services<\/i><\/a><\/h4>\n\n\n\n
https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/howto-create-service-principal-portal<\/a><\/p>\n\n\n\nRole-based access control<\/i><\/a><\/h4>\n\n\n\n
![\"\"](\"http:\/\/www.kofrimpong.com\/wp-content\/uploads\/2019\/01\/3-role-assignment-scope.png\")
<\/figure><\/div>\n\n\n\nPrivileged Identity Management<\/i><\/a><\/h4>\n\n\n\n
Encryption<\/i><\/a><\/h2>\n\n\n\n
Encryption in Transit<\/i><\/a><\/h4>\n\n\n\n
Encryption at rest<\/i><\/a><\/h4>\n\n\n\n
Encryption on Azure<\/i><\/a><\/h3>\n\n\n\n
Encrypt raw storage<\/i><\/a><\/h4>\n\n\n\n
Encrypt virtual machines<\/i><\/a><\/h4>\n\n\n\n
Encrypt databases<\/i><\/a><\/h4>\n\n\n\n
Encrypt secrets<\/i><\/a><\/h4>\n\n\n\n
Protecting your network<\/i><\/a><\/h2>\n\n\n\n
Internet protection<\/i><\/a><\/h4>\n\n\n\n
![\"\"](\"http:\/\/www.kofrimpong.com\/wp-content\/uploads\/2019\/01\/ddos.png\")
<\/a><\/figure><\/div>\n\n\n\nVirtual network security<\/i><\/a><\/h4>\n\n\n\n
Network integration<\/i><\/a><\/h4>\n\n\n\n