Common security issues in Azure & the importance of configuring your cloud environment
Azure audits (or Azure configuration reviews) are slowly becoming more common as larger organisations move their infrastructure and applications to the cloud and require assurance in the security of those cloud-based deployments.
Over the past year, NCC Group’s work with Azure has highlighted a number of issues that recur in operating system build reviews and in the configuration of hosted environments.
Below is a non-exhaustive list of common security issues that have been observed:
High risk issues
- Load balancer(s) configured to permit clear text communications
- Missing Linux security updates
- Missing Microsoft updates
- Missing third party patches
Medium risk issues
- Anti-virus only executable by administrators
- Application gateway(s) configured without a web application firewall (WAF)
- Auditing and threat detection disabled on databases
- Azure Active Directory (Azure AD) identity protection disabled
- Azure AD Federation Service claims not encrypted
- Encryption disabled for storage accounts
- Azure AD Federation Service extranet lock-out feature not configured
- Hosted machines without back-up configured
- Hosted machines without full disk encryption
- SQL server encryption not enabled
- Azure user access configured with single, and not multi-factor, authentication
Low risk issues
- Azure AD Federation Service extended protection for authentication feature not configured securely
- Security group configured without rules
- SSL and Tinfoil not enabled on application services
Across three randomly chosen Azure configuration reviews performed during the past year, each review contained on average two high risk issues, four medium risk issues and at least one low risk issue. This implies that a typical Azure configuration without hardening can introduce a substantial risk to business data, availability and reputation.
Resilience to environment downtime and data corruption is rarely, if ever, seen to be configured for Azure resources. This is despite asset uptime/availability being an ever-growing business concern in the wake of global ransomware-based threats.
Azure configuration remediation
Having a strong patching policy in place that encourages regular updates to operating systems and any installed third party software (such as Adobe Flash and web browsers) will alleviate most high risk issues.
Utilising and enforcing encryption throughout the environment would resolve the majority of medium risk issues, and ensuring all hardening options are enabled and configured should give the environment an above average security posture.
Due to the somewhat volatile nature of a hosted environment, a back-up solution should be considered; Azure provides off-site backups in the form of geographically distributed data stores. This makes it very unlikely that data will become corrupted through service outages, malicious software or encrypting/destructive ransomware.
To further harden an Azure environment, configure security groups to prevent traffic from crossing IP subnets.
Note that Microsoft enables the below security features by default:
- Auditing and threat detection enabled on all databases
- Security policy included on all Azure security controls
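The findings above can be turned into a repeatable check. The script below is an added example, not code from the original post or from NCC Group: it runs one rule per finding over a simplified resource inventory whose field names are constructed for illustration (they are not the real Azure Resource Manager schema, so map them onto your own export), and the constructed sample reproduces the two high, four medium, one low split the post describes.

```python
import json

# Constructed sample inventory for this example. The field names are NOT the real
# Azure Resource Manager schema; map them onto your own export before use.
SAMPLE_INVENTORY = json.dumps({
    "load_balancers": [{"name": "lb-web", "frontend_ports": [80, 443]}],
    "application_gateways": [{"name": "agw-web", "waf_enabled": False}],
    "storage_accounts": [{"name": "stdata", "encryption_enabled": False}],
    "sql_servers": [{"name": "sql-prod", "tde_enabled": False, "auditing_enabled": True}],
    "network_security_groups": [{"name": "nsg-empty", "rules": []}],
    "virtual_machines": [{"name": "vm-app", "disk_encrypted": True,
                          "backup_configured": False, "missing_patches": 3}],
})

CLEAR_TEXT_PORTS = {21, 23, 80}  # FTP, Telnet and HTTP listeners count as clear text
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# One rule per finding from the post: (resource type, severity, predicate, description).
# A predicate returns True when the resource is misconfigured.
CHECKS = [
    ("load_balancers", "high", lambda r: bool(CLEAR_TEXT_PORTS & set(r.get("frontend_ports", []))),
     "load balancer permits clear text communications"),
    ("virtual_machines", "high", lambda r: r.get("missing_patches", 0) > 0, "missing updates"),
    ("virtual_machines", "medium", lambda r: not r.get("disk_encrypted"), "no full disk encryption"),
    ("virtual_machines", "medium", lambda r: not r.get("backup_configured"), "no back-up configured"),
    ("application_gateways", "medium", lambda r: not r.get("waf_enabled"), "application gateway without WAF"),
    ("storage_accounts", "medium", lambda r: not r.get("encryption_enabled"), "storage account encryption disabled"),
    ("sql_servers", "medium", lambda r: not r.get("auditing_enabled"), "auditing and threat detection disabled"),
    ("sql_servers", "medium", lambda r: not r.get("tde_enabled"), "SQL server encryption not enabled"),
    ("network_security_groups", "low", lambda r: not r.get("rules"), "security group configured without rules"),
]

def audit(inventory_json):
    """Run every check over every resource; return (severity, name, finding) tuples, highest first."""
    inv = json.loads(inventory_json)
    findings = [(sev, res["name"], desc)
                for rtype, sev, bad, desc in CHECKS
                for res in inv.get(rtype, []) if bad(res)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])  # stable: keeps CHECKS order within a tier

def tally(findings):
    """Count findings per severity, the high/medium/low split used in the post."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts

if __name__ == "__main__":
    for sev, name, msg in audit(SAMPLE_INVENTORY):
        print(f"[{sev.upper():6}] {name}: {msg}")
```

Patch-level checks ("missing_patches") come from whatever update-compliance source you have; the script only consumes the count.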
While the cloud removes the complexity and burden of hosting and building systems from scratch, the observations above should demonstrate that cloud-based environments must not be assumed secure by default.
There is still a need for robust policy and procedure around cloud security; these environments need to be patched, locked down and securely maintained, just as with more traditional on-premise/hosted infrastructures.
Recently migrated to Azure?
If you have recently migrated to Azure and want assurance that your environment is configured securely, email firstname.lastname@example.org or call 0161 209 5200.
Published date: 21 November 2017
Written by: Ashley Cox