Simon Deeb, one of our cloud colleagues, attended Microsoft's App Innovation Event in late November. One message quickly emerged: turn on MFA for every account that has rights to an Azure subscription! Why? Attackers are actively looking for Azure subscriptions that are not properly secured, starting as many VMs (virtual machines) in them as possible and using them for crypto mining. This urgent warning was shared by Tony Krijnen, Cloud Solutions Architect Security & Compliance. See also this post.
1. Turn on MFA!
We may be repeating ourselves a bit, but this tip is the number one priority. For more on this, Simon is happy to point you to colleague Joe's blog: The importance of MFA - why you really need to have it in place by 2022 (teamvalue.com).
2. Use PIM for roles that are allowed to create resources
By default, your user settings are hopefully set to 'reader/user'. Via PIM (Privileged Identity Management) you can give 'contributors' or 'super admins' various roles via the Azure portal. Marco also explained in his article how important this setting is for your secure score: Why monitoring the secure score should be part of your security management (teamvalue.com). For simple adjustments you can create a resource yourself and don't need approval. In a production environment you do: there you need additional approval for the audit trail. PIM is part of your security policy and of the Zero Trust and just-in-time access principles. Apply this tip and your user management will no longer be chaos.
3. Set your Azure policies properly and don't create VMs unnecessarily
What do we mean by this? If your business does not involve graphics or machine learning, VMs with GPUs (graphics processing units) are of little use. You can then simply set a policy so that unnecessary VMs are not created. The rights of your team will be set slightly differently. The rules for allowed resources are determined together as an organization. For example, do you allow resources in Brazil or China? Do you place your app services and storage accounts only within Europe? We call these the 'game rules' for your Azure environment. What has your organization already set up to prevent hacking? Lower your risks!
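One way to write such 'game rules' down as a custom Azure Policy definition. This is an added example, not taken from the original post; the display name, the two European regions and the assumption that GPU sizes are the N-series (size names starting with Standard_N) are illustrative choices.

```json
{
  "properties": {
    "displayName": "Example: deny GPU VM sizes and VMs outside approved regions",
    "description": "Constructed example. Assumes GPU sizes are named Standard_N* and that only the listed regions are approved.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Approved regions",
          "strongType": "location"
        },
        "defaultValue": ["westeurope", "northeurope"]
      },
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          {
            "anyOf": [
              { "field": "location", "notIn": "[parameters('allowedLocations')]" },
              { "field": "Microsoft.Compute/virtualMachines/sku.name", "like": "Standard_N*" }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Assign it with the effect set to Audit first to see what it would block before switching to Deny. VM scale sets are a separate resource type and are not covered by this rule.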
4. Turn on anomaly detection and budgeting within your Azure environment
It's easy to set up and, according to Simon, a real lifesaver. Why? If you do get hacked, you don't lose mega money. With anomaly detection you set a maximum budget in Azure. Anyone who follows all the steps above, including this tip, is 99.99% safe.
The above 4 tips are for the Azure tenant and subscriptions. In the new year, we will create an advanced version on enterprise-level engineering where you can read more about the Azure Blueprints, network architecture, managed devices, add extensions and the Modern Workplace.