Defense in Depth — Running Secure Workloads in Azure, Part 2

In this continuation of our earlier post on securing workloads in Azure, we’ll dive deeper into the network control within Azure and look at a newer security paradigm for an assumed breach and detection once a bad actor has gained access to your environment, plus how to prevent them from doing damage or exfiltrating your data.

Previously, we covered the responsibility of security and compliance within Azure, delineating what responsibility falls to Microsoft, what is shared and what is solely the customer’s. We also covered some of the basics of perimeter protection and how to protect your applications and workloads.

Assume a breach

While you can and should configure a secure perimeter, that’s no longer sufficient. Today’s attackers have gained access to more sophisticated tooling and are very persistent when it comes to accessing your environment; you must assume they will eventually find their way in. That’s why it’s critical to expand your focus beyond merely blocking attackers, to learning how and where to apply security best practices and how to detect and contain an intruder if they do gain access.

External threat protection

One best practice security configuration that has recently been made available within the Azure platform is the layer seven protection for public facing workloads. If your workload is governed by a PCI compliance regime, it’s a requirement that you protect your web applications against web-based threats such as SQL injection or cross-site scripting attacks.

The preferred methodology is to leverage a Web Application Firewall (WAF), like the recently released Azure WAF, as a part of the Application Gateway. While you can do this with a traditional network appliance, we would recommend a service such as Incapsula, which offers not only protection against application threats but protection against distributed denial of service (DDoS) attacks as well.

Network virtual appliances

While gateway services such as an Incapsula are great for external threat protection, as a public SaaS solution, it’s not going to help you with internal threat detection or mitigation. Your environment requires a mix of network virtual appliances, such as an intrusion detection system (IDS) or possibly even a next generation firewall (NGFW), to add additional inspection of your traffic within your network. These two traditional network appliances allow you to detect and react to potential threats to your environment.

User defined routing

An IDS can use an agent on your VMs to detect threats; NGFWs can only inspect the traffic that flows through it.  For those paying attention, our previous post illuminates that all resources within an Azure Virtual Network (VNET) are natively routable to each other via Azure System Routes.  While this is great for ease of configuration and management, it also means that internal traffic can bypass your NGFW, thereby nullifying its capabilities.

This is where we introduce User Defined Routing (UDRs) in Azure. UDRs allow you to dictate the flow of the traffic within a VNET as well as how traffic leaves the VNET to the internet or to an on-premises network. In this case, you’ve deployed an NGFW to perform packet inspection to ensure that even when the app tier and database tier communicate, they do so through the NGFW. This requires the creation of a route table that forces all traffic leaving the app subnet to leverage the internal network interface as its next hop, allowing the NGFW to handle its inspection before forwarding on to the DB tier.

Cyber defense

Now that you’ve applied best practices around perimeter security and you’re inspecting internal traffic, who is keeping an eye on your environment? Is your team making sure that should an attacker occur, it does not remain undetected for a long period?

This is what distinguishes traditional reactive point security solutions from modern active security approaches. The best defense is frequently a good offense, and actively hunting for security vulnerabilities is better than waiting for an alert that might come too late, if at all. You need a security operations center staffed with people who know where your most valuable information assets reside and will prioritize their protection. This security team should detect that nefarious activity is happening or that a breach has occurred and the bad actors are “laying low” until they feel they can exfiltrate your most precious data.

Working with a trusted partner

With Rackspace’s Fanatical Support for Microsoft Azure and Managed Security Service, you get two teams of engineers and analysts: one focusing on a best practice Azure configuration and deployment of your perimeter defense, while the other focuses on cyber defense, watching for the breach.

Check out our whitepaper to learn more about how Rackspace built a security operation that incorporates the most effective elements of traditional security strategies.

Gerry Le Canu is a cloud solution architect at Rackspace specializing in Microsoft Azure. With over 15 years in IT, Gerry has worked at Rackspace for the past 10,and spent his first five years as a systems engineer supporting Rackspace’s growth from 500 to over 5000 employees, managing the systems to support the explosive growth. Over the last five years, he's worked in the product organization where he's been responsible for the management and launch of many products, including Rackspace Services for SharePoint, Rackspace Dedicated Exchange, Microsoft Cloud Platform and Fanatical Support for Microsoft Azure.


Please enter your comment!
Please enter your name here