Author: Howard M. Cohen
You’re well protected! When you use Azure cloud services, there are many ways in which you’re well protected. Many data and network protections. Flexible data backup services. Multiple layers of security tools and systems. Yes, when you use Azure you’re well protected from just about everything…
Except yourself.
You’re well aware that a sizable proportion of data threats come from people internal to your own organization. They swipe the credentials of those they work with to access data they have no right to see. They copy valuable data to removable media. They have all manner of ways to steal from you. But they are not who we’re talking about here.
We’re talking about your best-intentioned, most reliable, most trustworthy employees.
They Make Mistakes
This is by no means an indictment of your good people. They’re human. Everyone makes mistakes, but these can erode the safety and efficiency of your cloud operations. They most often come in the form of misconfigurations of the cloud service.
Frequent Misconfigurations on Azure
Azure is a vast, complex computing environment providing many opportunities, each of which requires multiple decisions regarding options, settings, and other technical details. The simple law of large numbers tells us that in such a large quantity of decisions there will be errors.
Here are a few misconfigurations that are routinely made:
Allowing login without multi-factor authentication (MFA)
This one is just too simple to solve. MFA should simply be a default requirement, but it is still an optional setting. Passwords are simply too easy to steal, and a major proportion of users still use “password” or “12345678” as their password. Combining the password with a multi-digit code that is generated at the time of login and delivered to the user via a device they possess makes password theft useless on its own. It can be argued that users find MFA inconvenient, but the value gained clearly outweighs the extremely minor inconvenience. Failure to implement MFA is not just a poor choice, it’s a misconfiguration.
Giving Every User Azure AD Admin Access
Another almost unimaginable misconfiguration is the bad practice of issuing admin rights to access the Azure Active Directory (AD) portal. This is the equivalent of giving everybody every key to every door in your building. It obliterates security completely. Yet, many Azure users do this for “convenience,” reasoning that they don’t have to manage anyone’s rights or access authorizations when everybody has access to everything by default. That convenience will inevitably cost them dearly.
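The two findings above (privileged accounts without MFA, and far more administrators than a tenant needs) are easy to check mechanically. The script below is an added example written for this article; it is not Idenxt's or Microsoft's code. Its input records are constructed to resemble what Microsoft Graph returns for directory-role membership and for the authentication-methods registration report (the `isMfaRegistered` field), but every name and value is invented, and the set of roles treated as privileged and the Global Administrator limit are assumptions of the example.

```python
"""Privileged-role and MFA audit for an Azure AD (Entra ID) tenant.

Added example for this article; it is not Idenxt's or Microsoft's code. The
records below are constructed to resemble what Microsoft Graph returns for
directory role membership and for the authentication-methods registration
report (isMfaRegistered), but every name and value is made up.
"""

# Roles that grant broad control of the directory. Holding any of these
# without MFA is a finding; the set itself is an assumption for this example.
PRIVILEGED_ROLE_NAMES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "User Administrator",
}

# Assumed policy threshold for how many Global Administrators a tenant should have.
MAX_GLOBAL_ADMINS = 3

# Constructed directory-role membership (role display name -> member UPNs).
DIRECTORY_ROLES = [
    {"displayName": "Global Administrator",
     "members": ["alice@contoso.example", "bob@contoso.example",
                 "carol@contoso.example", "dave@contoso.example"]},
    {"displayName": "User Administrator", "members": ["erin@contoso.example"]},
    {"displayName": "Reports Reader", "members": ["frank@contoso.example"]},
]

# Constructed registration report, shaped like Graph userRegistrationDetails.
MFA_REGISTRATION = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": False},
    {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": True},
    {"userPrincipalName": "dave@contoso.example", "isMfaRegistered": False},
    {"userPrincipalName": "erin@contoso.example", "isMfaRegistered": True},
    {"userPrincipalName": "frank@contoso.example", "isMfaRegistered": False},
]


def privileged_users(roles):
    """Map each user holding a privileged role to the set of such roles."""
    holders = {}
    for role in roles:
        if role["displayName"] in PRIVILEGED_ROLE_NAMES:
            for upn in role["members"]:
                holders.setdefault(upn, set()).add(role["displayName"])
    return holders


def admins_without_mfa(roles, registration):
    """Privileged users whose report entry says MFA is not registered.

    A privileged user missing from the report entirely is treated as
    unregistered, so the check fails closed rather than silently passing.
    """
    registered = {r["userPrincipalName"]: r["isMfaRegistered"] for r in registration}
    return sorted(upn for upn in privileged_users(roles) if not registered.get(upn, False))


def global_admin_count_finding(roles, limit=MAX_GLOBAL_ADMINS):
    """Return a finding string if the Global Administrator role is over-assigned."""
    count = sum(len(r["members"]) for r in roles if r["displayName"] == "Global Administrator")
    if count > limit:
        return f"{count} Global Administrators assigned; policy limit is {limit}"
    return None


def audit(roles, registration):
    """Collect all findings as human-readable strings."""
    holders = privileged_users(roles)
    findings = [
        f"{upn} holds {', '.join(sorted(holders[upn]))} without MFA registered"
        for upn in admins_without_mfa(roles, registration)
    ]
    over = global_admin_count_finding(roles)
    if over:
        findings.append(over)
    return findings


if __name__ == "__main__":
    for line in audit(DIRECTORY_ROLES, MFA_REGISTRATION):
        print(line)
```

Against the constructed data the audit reports two Global Administrators without MFA and one over-assignment finding; a user who only holds a read-only role (frank) is never listed. In a live tenant the same two checks are what a Conditional Access policy requiring MFA for administrator roles, plus a periodic access review of the Global Administrator role, enforce automatically.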
Not Turning on Identity Protection
Azure Identity Protection detects unusual user behaviors, malware attachments, too many retries when someone is trying to log in, potential credential leaks, and more. But it only does that when it’s turned on. While there’s seemingly no good reason not to, many Azure environments run without it due to a simple failure to turn it on.
No Email Notifications
Do you have people sitting at consoles staring at the screens watching literally everything that happens in your Azure environment? If you’ve failed to enable email notifications and given Azure an active email address to send them to, you had better have people wasting their time in that fashion.
No Alerts
Almost every deployed Azure service produces activity logs, and you can readily establish customized alerts to actively notify you when log data indicates potential problems or thresholds have been exceeded. All too often, users choose the “ignorance is bliss” option and fail to establish any alerts. This leaves Azure to rely on its defaults and basic security features to manage the health of your Azure environment. Another invitation to potential disaster.
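To make the two kinds of alert the paragraph mentions concrete (a notification when a log entry indicates a sensitive change, and one when a threshold is exceeded), here is an added example written for this article; it is not Idenxt's or Microsoft's code. The events are constructed to look like Azure Activity Log records (operationName, status, caller, resourceId, eventTimestamp). The operation names are real Azure resource-provider operations, but the callers, resource ids, timestamps and the threshold of three failures in ten minutes are invented for the example. In a real subscription the same rules belong in Azure Monitor alert rules or a Log Analytics query, not a script.

```python
"""Alert rules evaluated over Azure Activity Log events.

Added example for this article, not Idenxt's or Microsoft's code. SAMPLE_EVENTS
is constructed data in the shape of Activity Log records; only the operation
names are real Azure operations.
"""
from datetime import datetime, timedelta

# Successful writes/deletes of these operations change the security posture
# and deserve an alert every time. The descriptions are this example's wording.
SENSITIVE_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "RBAC role assignment created",
    "Microsoft.Network/networkSecurityGroups/securityRules/write": "NSG rule written",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete": "NSG rule deleted",
    "Microsoft.KeyVault/vaults/accessPolicies/write": "Key Vault access policy changed",
}

# Constructed sample events; the subscription id is a placeholder.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_NSG = _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-web"
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-05-01T09:00:00Z", "status": "Succeeded", "caller": "admin@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "resourceId": _SUB},
    {"eventTimestamp": "2024-05-01T09:01:00Z", "status": "Succeeded", "caller": "admin@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/write", "resourceId": _SUB + "/resourceGroups/rg-prod"},
    {"eventTimestamp": "2024-05-01T09:02:00Z", "status": "Failed", "caller": "contractor@contoso.example",
     "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "resourceId": _NSG},
    {"eventTimestamp": "2024-05-01T09:03:00Z", "status": "Failed", "caller": "contractor@contoso.example",
     "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "resourceId": _NSG},
    {"eventTimestamp": "2024-05-01T09:04:00Z", "status": "Failed", "caller": "contractor@contoso.example",
     "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "resourceId": _NSG},
    {"eventTimestamp": "2024-05-01T09:05:00Z", "status": "Failed", "caller": "admin@contoso.example",
     "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write", "resourceId": _SUB},
    {"eventTimestamp": "2024-05-01T09:30:00Z", "status": "Succeeded", "caller": "contractor@contoso.example",
     "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/delete", "resourceId": _NSG},
]


def parse_ts(value):
    """Activity Log timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def sensitive_operation_alerts(events):
    """Rule 1: every successful security-relevant change is alerted on."""
    alerts = []
    for e in events:
        if e["operationName"] in SENSITIVE_OPERATIONS and e["status"] == "Succeeded":
            alerts.append(f"{SENSITIVE_OPERATIONS[e['operationName']]} by {e['caller']} on {e['resourceId']}")
    return alerts


def failed_operation_threshold_alerts(events, threshold=3, window=timedelta(minutes=10)):
    """Rule 2: the same caller failing `threshold` operations inside `window`."""
    failures_by_caller = {}
    for e in sorted(events, key=lambda ev: parse_ts(ev["eventTimestamp"])):
        if e["status"] == "Failed":
            failures_by_caller.setdefault(e["caller"], []).append(parse_ts(e["eventTimestamp"]))
    alerts = []
    for caller, times in failures_by_caller.items():
        # Sliding window: count failures in the window that ends at each failure.
        for i, end in enumerate(times):
            j = i
            while j >= 0 and end - times[j] <= window:
                j -= 1
            if i - j >= threshold:
                minutes = int(window.total_seconds() // 60)
                alerts.append(f"{i - j} failed operations by {caller} within {minutes} minutes ending {end.isoformat()}")
                break  # one alert per caller per sweep is enough
    return alerts


def evaluate_activity_log(events):
    """Run both rules and return the combined alert list."""
    return sensitive_operation_alerts(events) + failed_operation_threshold_alerts(events)


if __name__ == "__main__":
    for alert in evaluate_activity_log(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the first rule fires for the role assignment and the NSG rule deletion (the failed attempts are not "changes" and are left to the second rule), and the second rule fires once for the contractor's three failures between 09:02 and 09:04; the administrator's single Key Vault failure stays below the threshold.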
Too Many Guests
If “two is company, three is a crowd,” then the sheer number of vendors, suppliers, clients, and other external associates allowed access via Azure AD can turn into a stampede. All too often, Azure users fail to remove guest credentials when they are no longer needed, enabling those outsiders to quietly enter and begin finding ways to compromise data assets later on. Onboarding and proper offboarding of employees is difficult enough to get right. Too many guests is another unforced error.
No Network Watcher
Data sitting still produces no value. All Azure environments depend upon the network to transport data to where it can do some good. Azure Network Watcher helps administrators identify, understand, and troubleshoot problems that may arise on that network. Again, there’s really no good reason to disable it, or never enable it. Yet, all too often Azure Network Watcher is not in use.
Static IP Addresses
Dynamic Host Configuration Protocol (DHCP) is among the most valuable features of IP networking in that it turns every host into a moving target. While cybercriminals may be able to identify the IP address of a given device, that address will soon change. Yet, all too often, Azure users establish static, unchanging IP addresses. When a DHCP lease is renewed, all previous DNS records and logs become completely unavailable, which stymies any external effort to obtain and compromise them.
Orphaned or Over-Provisioned Virtual Machines (VMs)
Any Azure administrator who has had a user leave a VM running unnecessarily has felt the budgetary pain of allowing such a thing to happen. What’s more insidious are VMs that are configured lazily in the first place, provisioned with far more resources than they actually require. These are far harder to detect. These are misconfigurations that directly cause potentially significant overspending.
Totally Preventable if Someone is Minding the Operation
We’ve only scratched the surface of the many misconfigurations that are routinely observed in many Azure environments. The one thing all of these, and all the ones we don’t have room to describe, have in common is that they’re all preventable.
All it takes is having someone or something constantly monitoring and managing the entire Azure environment. Of course, the challenge is that most enterprises have difficulty justifying the budget required to staff such critical functions.
Automated Azure Hosting
As with so many other IT functions, the most cost-effective way to supplement for a shortage of human resources is to automate as many functions as possible as completely as possible.
This is why Idenxt was developed. Based on technologies provided by Microsoft for Azure operation, augmented by customized management automation, Idenxt assures the elimination of common and not-so-common misconfiguration errors, providing continuous optimization of your Azure environment. This assures that you and your users enjoy the best possible Azure experience and efficiency enhancement.
For more information and insight into how to leverage Idenxt to increase your revenue without proportional increases to operating costs, contact us here.