EDITOR'S QUESTION
SEBASTIAAN ROTHMAN, SENIOR CLOUD CONSULTANT FOR APPS AND INFRASTRUCTURE AT ALTRON KARABINA
www.intelligentcio.com

Broadly speaking, cloud-based applications typically consist of one or more of the following platforms: web and mobile application services; storage; and databases. Each of these platforms has its own unique security challenges, with varying degrees of complexity.

Web and mobile application services
Securing application services in Azure has as much to do with process and policy as it does with technology. Strong authentication, preferably multi-factor authentication, provides the first line of defence against potential data breaches.

After authentication, granular role-based access control ensures that authenticated users only have access to the resources they have been explicitly granted.

Protecting secrets, certificates and keys goes a long way towards ensuring that this information isn't written into code, and locking down incoming requests to applications to specific IP addresses further reduces the potential attack surface of an application. These goals can be achieved by leveraging tools such as Azure Key Vault and properly designed networking.

It is highly recommended to install a web application firewall (WAF) in the environment to provide intelligent monitoring, filtering and protection of web and mobile applications hosted in Azure.

Storage
Having secure access to storage resources is extremely important for obvious reasons: ultimately this is where your information is stored, and as such extra care needs to be taken when configuring access to storage.

Configuring and using shared access signatures (SAS) is preferred over the use of storage account keys.

Role-based Access Control (RBAC) should always be used to configure access for natural persons or named processes, outside of application access.

Client-side encryption for high-value data, and Storage Service Encryption for data at rest, must be configured and used as a minimum to secure data.

Databases
Several mechanisms and best practices exist for securing databases, specifically SQL, in Azure. As with both application and storage security, the first line of defence for databases comes in the form of efficient identity management. The use of Azure Active Directory authentication over SQL authentication is recommended, allowing common security practices such as password rotation to happen without disruption to services.

Further technical configurations, such as a limited scope of network access and the use of Transparent Data Encryption (TDE) on databases, further secure information and reduce the risk of unauthorised access.
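The storage and database recommendations above, expressed as an added Bicep template (example code, not from the article or Altron Karabina); the resource names, the IP range and the administrator group are assumed placeholders:

```bicep
// Added example, not from the article: names, the IP range and the admin group are placeholders.
param storageName string = 'stexample001'        // placeholder; must be globally unique
param sqlServerName string = 'sql-example-001'   // placeholder
param adminGroupName string = 'sql-admins'       // placeholder Azure AD group name
param adminGroupObjectId string                  // object ID of that group, supplied at deploy time

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: resourceGroup().location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    allowSharedKeyAccess: false   // account keys (and key-signed SAS) rejected; RBAC or user-delegation SAS only
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {                // limited scope of network access; SSE at rest is always on
      defaultAction: 'Deny'
      ipRules: [ { value: '203.0.113.0/24', action: 'Allow' } ]   // placeholder office range
    }
  }
}

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: sqlServerName
  location: resourceGroup().location
  properties: {
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'  // reach it over a private endpoint instead
    administrators: {                // Azure AD authentication only; SQL logins are disabled
      administratorType: 'ActiveDirectory'
      azureADOnlyAuthentication: true
      principalType: 'Group'
      login: adminGroupName
      sid: adminGroupObjectId
      tenantId: tenant().tenantId
    }
  }
}

resource db 'Microsoft.Sql/servers/databases@2021-11-01' = {
  parent: sqlServer
  name: 'appdb'
  location: resourceGroup().location
  sku: { name: 'S0', tier: 'Standard' }
}
resource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2021-11-01' = {
  parent: db
  name: 'current'
  properties: { state: 'Enabled' }  // TDE is on by default; declaring it pins the setting
}
```

Access for people and named processes is then granted through RBAC role assignments on the storage account rather than by distributing keys.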
Securing services in Azure, like any infrastructure or hosted application, requires diligent planning from the beginning to ensure risk is mitigated as much as possible. Even though the cloud provider makes all these tools and features available to help secure your environment, the onus is still on you to make sure they are correctly and effectively configured.

Relying on the cloud provider to keep your information safe is a foolish mistake, and one you will pay for dearly.