With over 200,000 organizations operating in Microsoft Azure environments, public cloud has undoubtedly come to the forefront of application and data management. Security is one of the many reasons hundreds of thousands of organizations now build, test, deploy, and manage applications in Azure environments. With less patch management to do, no physical security to run yourself, and Microsoft carrying much of the security and compliance burden, moving to Azure can greatly lighten your security workload. At the same time, you will still have to pentest the applications in your Azure environment, both for compliance and for security.
Why Pentest Azure Environments?
You’re probably aware that Microsoft regularly pentests Azure, so why would you pentest it as well? Microsoft only pentests its own infrastructure; client applications are never tested. Microsoft ensures the security of the infrastructure, while application security is completely up to you.
Application Vulnerabilities – While Microsoft’s Azure is likely secure, the applications you run on it might not be. Pentesting helps you to verify the security of your own code, including ports, integrations, and XML.
Configuration Vulnerabilities – Many Azure-related incidents trace back to poor environment configuration. This can include ports, internal policies, internal security configurations, missing patches, configuration errors, etc. You can check these, to some extent, via the Recommendations tab in Azure Security Center, but a pentest will show you where and how these issues actually affect your security.
Azure customers are responsible for all on-premises security, as well as:
- All data governance and rights management
- All client endpoint security
- All account and access management
- Identity and directory infrastructure security
- Network controls
- Application security
- Operating system security
For Azure, Microsoft handles physical data center security, physical network security, physical host security, and infrastructure security. You are still fully responsible for pentesting your own applications, and you will have to do so for compliance and regulation purposes, when applicable.
How Do You Pentest Azure?
Microsoft encourages its customers to pentest their applications inside Azure, following specific rules of engagement. These rules mostly boil down to: “Do not test anything that could impact other people’s property”.
This means you can pentest properties on the cloud and in the cloud, but not the cloud itself, except when reviewing configuration and console or interface issues. Microsoft encourages:
- Testing systems hosted in the Azure environment, such as virtual systems, web applications, etc. Here, only those systems are in scope for assessment; the aim is to find program errors, code failures, and the like.
- Testing non-public Azure systems, such as the server hosting an application, bastion hosts, etc. This brings potential backend access to the Azure infrastructure (your application creating vulnerabilities that affect Microsoft) into scope.
- Testing Azure configuration including user accounts, permissions, access controls, ports, settings, etc. Much of this can be solved by optimizing Azure settings from the Security Center.
In short, your properties remain your own, even when hosted in an Azure environment. Microsoft encourages you to pentest these properties in ways that do not impact other Microsoft Azure customers.
Azure Best Practices for Security
Microsoft offers out-of-the-box security tools, which you can configure to keep your environment as secure as possible. It’s also important to implement best practices in terms of internal processes designed to keep your organization and your virtual environments secure.
Azure Settings
- Use Azure Security Center for all subscriptions and sub-subscriptions. Azure Security Center automatically handles many of the issues that might lead to vulnerabilities, such as:
  - Anti-malware software
  - Network security group configuration
  - Web application firewalls
  - Automatic system updates
  - Alerting administrators to application configurations that do not meet security recommendations
- Implement “recommendations” from the tab of the same name under the Azure Security Center
- Implement security standards like Azure Disk Encryption and Azure Storage Service Encryption to protect data and environments
- Set up Just-in-Time (JIT) access and Network Security Groups (NSGs) for all ports (under Advanced Cloud Defense in the Security Center)
- Enable app whitelisting under Adaptive Application Controls in the Security Center
- Link Azure Security Center into your Security Information and Event Management (SIEM) system
- Implement Web Application Firewalls
- Implement Azure Threat Protection, including monitoring and auditing, in the Security Center
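The JIT and NSG items above are the kind of configuration finding an Azure pentest turns up first: a management port that an Allow rule leaves open to the whole Internet. As an added example that is not the article's own code, this Python script audits NSG rule sets (assumed to be in the JSON shape returned by `az network nsg list -o json`) for SSH and RDP reachable from the Internet, honouring NSG priority order so that a higher-priority Deny correctly overrides a later Allow; the sample NSGs are constructed.

```python
# Added example, not the article's: audit NSG rule sets in the JSON shape of
# `az network nsg list -o json` (assumed) for management ports open to the Internet.
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # prefixes that match Internet traffic

def port_in_range(port, spec):
    """True if `port` falls in an NSG port spec such as '*', '3389' or '3000-4000'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches_internet(rule, port):
    """Does the rule apply to inbound TCP traffic from the Internet to `port`?"""
    if rule.get("direction") != "Inbound" or rule.get("protocol", "*") not in ("*", "Tcp"):
        return False
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
    if not any(s in INTERNET_SOURCES for s in sources):
        return False  # VirtualNetwork, specific CIDRs etc. never match Internet traffic
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    return any(port_in_range(port, r) for r in ranges if r)

def exposed_ports(nsg):
    """{port: rule_name} for management ports whose first matching rule is Allow.
    NSGs evaluate rules by ascending priority number; the first match decides."""
    rules = sorted(nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", []),
                   key=lambda r: r["priority"])
    findings = {}
    for port in MGMT_PORTS:
        for rule in rules:
            if rule_matches_internet(rule, port):
                if rule["access"] == "Allow":
                    findings[port] = rule["name"]
                break
    return findings

def audit(nsgs):
    return {n["name"]: exposed_ports(n) for n in nsgs}
SAMPLE_NSGS = [  # constructed sample in the CLI output shape, not real tenant data
    {"name": "web-nsg", "defaultSecurityRules": [
        {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
         "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}],
     "securityRules": [
        {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}]},
    {"name": "jit-nsg", "defaultSecurityRules": [], "securityRules": [
        {"name": "deny-ssh-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
        {"name": "allow-all-tcp", "priority": 200, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389"]}]}]
```

Running `audit(SAMPLE_NSGS)` flags RDP on both NSGs but not SSH on `jit-nsg`, because the priority-100 Deny is matched before the broader Allow at priority 200.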
Company Policy
- Align network security with that used inside your own organization and ensure compliance
- Use a Security Information and Event Management (SIEM) system
- Link Azure Security Center into your SIEM system
- Implement access level matrices to restrict admin access and manage user rights long-term with key or password vault and management
- Set up dedicated workstations for Azure properties to reduce physical device-related vulnerabilities
- Implement authenticators for all Azure properties
- Implement Network Security Groups (NSGs) to restrict network access and/or implement site-to-site VPN
- Monitor your operating system
Protecting your Azure environment is your responsibility. While Microsoft handles much of the physical security, your application is still at risk without proper security. Pentesting is a necessary part of evaluating your configurations, finding vulnerabilities, and ensuring ongoing security and compliance.
Getting Started with an Azure Pentest
If you’re ready to pentest your Microsoft Azure environment, PentestHero is here to help. We’ve pentested Microsoft environments since the early days of Azure, and we can thoroughly assess the security of your environments, within Microsoft guidelines, including reporting Pentests where necessary. Microsoft no longer requires notifications when you start a pentest. We will request access to your customer subscription for internal testing.
Contact us now to get started with a Pentest in our cloud platform or visit our Pentests page to learn more.