Exciting news! We are thrilled to announce the launch of Microsoft Azure support in Horangi Warden. We now have over 40 security configuration rules covering 14 different resource types across the most popular Microsoft Azure services. You can now onboard your Azure subscription through Warden and use integrations such as Slack to stay on top of vulnerabilities in your Azure environment, with features like Vulnerability Management to triage findings quickly and easily.
Microsoft Azure Subscription on Warden
Common Vulnerabilities in Microsoft Azure
To keep infrastructure secure in the cloud, Azure users need to ensure their environment is correctly configured and free of risky misconfigurations. This section looks at some of the common vulnerabilities that misconfigurations cause in Azure.
1. Failing to encrypt data at rest and in transit
Data should be encrypted both at rest and in transit to follow security best practices. Encryption in transit takes more work, since it has to be enforced service by service (for example, refusing plain HTTP on a storage account and requiring a modern minimum TLS version), whereas encryption at rest is straightforward on Azure, which offers several encryption options and key management strategies depending on the type of storage.
Azure Blob Storage encrypts blobs at rest by default, with Microsoft-managed keys or, optionally, customer-managed keys, so there is no per-bucket setting to forget as there historically was with AWS S3. Virtual Machine disks need more attention: managed disks get platform-managed server-side encryption, but Azure Disk Encryption (BitLocker or dm-crypt inside the guest) and customer-managed keys are opt-in, and without them a snapshot or exported VHD is readable by anyone who can download it. Azure users should therefore turn on disk encryption for their VMs, as leaving it off can create security vulnerabilities.
2. Data storage access misconfiguration
A permission system governs access to data stored in Azure Blob Storage. Azure Storage has a rather straightforward permission system compared to other cloud platforms, which makes misconfigurations less likely. However, a user can still mistakenly expose data to the entire internet, for example by setting a container's public access level to Blob or Container while anonymous access is still allowed at the storage account level.
Often this is done out of convenience, to share data without setting fine-grained access permissions scoped to specific identities. Whatever the motivation, it is a mistake that can expose Azure users to security risks with expensive, embarrassing, and potentially legal consequences.
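The following check, added here as an example and not part of Warden, ties the two points above together. It takes the JSON shape of `az storage account list` and `az storage container list` output (field names `allowBlobPublicAccess`, `enableHttpsTrafficOnly`, `minimumTlsVersion` and `properties.publicAccess` are what the CLI returns; the account and container values themselves are constructed for the demo) and reports containers that are anonymously readable plus accounts that still accept plain HTTP or old TLS. The point it makes that the prose does not: the account-level `allowBlobPublicAccess` switch overrides a container ACL, so a "Container"-level ACL on a locked-down account is not a finding.

```python
"""Find storage containers readable anonymously from the internet.

Added example, not Horangi Warden's code. The input mirrors the fields
returned by `az storage account list` (allowBlobPublicAccess,
enableHttpsTrafficOnly, minimumTlsVersion) and by
`az storage container list` (properties.publicAccess); the values are
constructed for this demo.
"""
import json

# Constructed sample output (shape of `az storage account list`)
ACCOUNTS_JSON = """
[
  {"name": "prodlogs", "allowBlobPublicAccess": true,
   "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2"},
  {"name": "lockeddown", "allowBlobPublicAccess": false,
   "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0"}
]
"""

# Constructed sample output of `az storage container list`, keyed by account
CONTAINERS_JSON = """
{
  "prodlogs": [
    {"name": "public-assets", "properties": {"publicAccess": "blob"}},
    {"name": "backups",       "properties": {"publicAccess": "container"}},
    {"name": "private",       "properties": {"publicAccess": null}}
  ],
  "lockeddown": [
    {"name": "leftover-acl",  "properties": {"publicAccess": "container"}}
  ]
}
"""


def container_is_public(account, container):
    """True if anonymous clients can read the container's blobs.

    The account-level switch wins: with allowBlobPublicAccess set to
    false the service ignores a container ACL of "blob" or "container".
    A missing value (older accounts) is treated as allowed, which was the
    historical default, so the check errs on the side of flagging.
    """
    if account.get("allowBlobPublicAccess") is False:
        return False
    level = (container.get("properties") or {}).get("publicAccess")
    return level in ("blob", "container")


def audit_storage(accounts, containers_by_account):
    """Return (account, container_or_None, message) findings."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        # Encryption in transit: plain HTTP must be refused and old TLS disabled
        if acct.get("enableHttpsTrafficOnly") is not True:
            findings.append((name, None, "plain HTTP accepted: enableHttpsTrafficOnly is not true"))
        if acct.get("minimumTlsVersion") != "TLS1_2":
            findings.append((name, None, f"weak minimumTlsVersion {acct.get('minimumTlsVersion')}"))
        # Public exposure: container ACL combined with the account-level switch
        for cont in containers_by_account.get(name, []):
            if container_is_public(acct, cont):
                level = cont["properties"]["publicAccess"]
                findings.append((name, cont["name"], f"anonymous read via publicAccess={level}"))
    return findings


def audit_storage_sample():
    return audit_storage(json.loads(ACCOUNTS_JSON), json.loads(CONTAINERS_JSON))


if __name__ == "__main__":
    for acct, cont, msg in audit_storage_sample():
        print(f"{acct}/{cont or '-'}: {msg}")
```

Run against real data by piping the two CLI commands into files and loading them in place of the constructed strings; the `leftover-acl` container shows why the account-level switch must be read before the container ACL.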
3. Exposing services to the open internet
Under the shared responsibility model, IaaS users are responsible for the security of the operating systems and applications they run in the cloud, including databases and other services running on those servers.
For example, users are responsible for securing MongoDB or MySQL databases they install on an Azure Virtual Machine (VM). These databases are not inherently insecure, but an inexperienced user can configure them to listen on every interface without authentication and then open the port to the internet in a network security group, so that anyone can read the data they store.
What is Covered in Warden Azure Support?
Here's the list of Azure resource types that Warden currently covers, with more on the way!
- Authorization: Role Definition
- Security: Auto Provisioning Settings
- Security: Security Contacts
- Storage: Storage Account
- SQL: Server
- SQL: Database
- PostgreSQL: Server
- MySQL: Server
- Insights: Diagnostic Settings
- Insights: Log Profile
- Network: Network Security Group
- Compute: Virtual Machines
- KeyVault: Key
- AppService: Site
Microsoft Azure Rules on Warden
Network Security: Network Security Group Unrestricted Access - SSH
Warden reviews all network security groups for rules that allow unrestricted inbound access on port 22, the default port for the SSH server. If an attacker can reach SSH from anywhere on the internet, they can brute-force credentials to gain access to Azure Virtual Machines, which can then serve as a launch point for compromising other machines or resources in Azure. Restrict the source of such rules to known administrative addresses, or remove them and use a bastion host or just-in-time access instead.
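The rule above, and the exposed-database case from the section on services open to the internet, both come down to the same question: does any inbound NSG rule let the whole internet reach a given port? The script below is an added example, not Warden's rule engine. It reads rules in the shape of `az network nsg rule list` output (the field names are the CLI's; the rules themselves are constructed) and evaluates them the way Azure does, lowest priority number first, stopping at the first match, so that a Deny at 120 correctly shields a port from an Allow at 130. It goes a little beyond the page's SSH rule by checking a list of ports (22, 3389, 3306, 27017) in one pass and by handling port ranges such as "20-25" and the "*" catch-all.

```python
"""Evaluate NSG rules the way Azure does and report internet-exposed ports.

Added example, not Horangi Warden's code. Rules follow the fields of
`az network nsg rule list` output (priority, direction, access, protocol,
sourceAddressPrefix/-es, destinationPortRange/-s); the sample rules are
constructed.
"""
import json

# Constructed sample: the shape of `az network nsg rule list` output.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowSSHFromOffice", "priority": 100, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
   "sourceAddressPrefixes": [], "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "AllowAdminPorts", "priority": 110, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
   "sourceAddressPrefixes": [], "destinationPortRange": null,
   "destinationPortRanges": ["20-25", "3389"]},
  {"name": "DenyMongoFromInternet", "priority": 120, "direction": "Inbound",
   "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
   "sourceAddressPrefixes": [], "destinationPortRange": "27017", "destinationPortRanges": []},
  {"name": "AllowAnything", "priority": 130, "direction": "Inbound",
   "access": "Allow", "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
   "sourceAddressPrefixes": [], "destinationPortRange": "*", "destinationPortRanges": []},
  {"name": "AllowHttpsOut", "priority": 100, "direction": "Outbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
   "sourceAddressPrefixes": [], "destinationPortRange": "443", "destinationPortRanges": []}
]
"""

# Sources that mean "the whole internet" (service tag or catch-all prefix)
INTERNET_SOURCES = {"*", "internet", "any", "0.0.0.0/0", "::/0"}


def port_range_covers(spec, port):
    """Does a destination port spec ("22", "20-25" or "*") include port?"""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_matches_internet(rule, port, proto="tcp"):
    """True if the rule applies to inbound `proto` traffic to `port` from the internet.

    Only catch-all sources count as internet-wide, so an Allow from a single
    office prefix is correctly not reported as exposure.
    """
    if rule.get("direction") != "Inbound":
        return False
    if (rule.get("protocol") or "*").lower() not in ("*", proto):
        return False
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    if not any(s.strip().lower() in INTERNET_SOURCES for s in sources):
        return False
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return any(port_range_covers(r, port) for r in ranges)


def exposed_ports(rules, ports):
    """Map each internet-reachable port to the rule that opens it.

    Azure walks rules from the lowest priority number upward and stops at
    the first match, so a Deny at 120 shields a port from an Allow at 130.
    The built-in DenyAllInbound rule (priority 65500) closes anything no
    custom rule matched, so unmatched ports are simply absent from the map.
    """
    ordered = sorted(rules, key=lambda r: r["priority"])
    result = {}
    for port in ports:
        for rule in ordered:
            if rule_matches_internet(rule, port):
                if rule.get("access") == "Allow":
                    result[port] = rule["name"]
                break  # first matching rule decides, Allow or Deny
    return result


def check_sample(ports=(22, 3389, 3306, 27017)):
    return exposed_ports(json.loads(SAMPLE_RULES_JSON), ports)


if __name__ == "__main__":
    for port, rule in sorted(check_sample().items()):
        print(f"port {port} is open to the internet by rule {rule}")
```

On the constructed rules, SSH is exposed not by the office-scoped rule but by the "20-25" range in AllowAdminPorts, MySQL (3306) falls through to the catch-all AllowAnything, and MongoDB (27017) stays closed because the Deny at priority 120 is evaluated before the catch-all.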
IAM Security: Custom Role with Subscription Owner Privileges
Custom roles with subscription owner privileges, that is, a wildcard "*" in their actions and an assignable scope covering a whole subscription, go against the principle of least privilege. Identities should start with the minimum permissions they need; entitlements can be added later as the account holder requires them. Warden reviews all role definitions for this potential vulnerability.
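Here is an added example of that review, not Warden's own code. It takes role definitions in the shape of `az role definition list --custom-role-only true` output (field names `roleName`, `roleType`, `assignableScopes`, `permissions[].actions` and `notActions` are the CLI's; the roles are constructed) and flags custom roles that are assignable at subscription scope or above and carry owner-equivalent power. It goes beyond the wildcard rule the page describes in one way, called out in the code: a role that can write role assignments (`Microsoft.Authorization/roleAssignments/write`) can grant itself Owner, so it is reported too. Action patterns are matched with fnmatch, whose `*` crosses `/` boundaries like Azure's does.

```python
"""Flag custom role definitions that amount to subscription Owner.

Added example, not Horangi Warden's code. The input follows the fields of
`az role definition list --custom-role-only true` output (roleName,
assignableScopes, permissions[].actions/notActions); the roles are
constructed. Beyond the wildcard-actions rule, it also flags roles that can
write role assignments, since such a role can grant itself Owner.
"""
import json
import re
from fnmatch import fnmatchcase

# Constructed sample (shape of `az role definition list` output)
ROLES_JSON = """
[
  {"roleName": "CustomOwnerClone", "roleType": "CustomRole",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "permissions": [{"actions": ["*"], "notActions": []}]},
  {"roleName": "RGAdmin", "roleType": "CustomRole",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app-rg"],
   "permissions": [{"actions": ["*"], "notActions": []}]},
  {"roleName": "RoleAssigner", "roleType": "CustomRole",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "permissions": [{"actions": ["Microsoft.Authorization/*/write",
                                "Microsoft.Resources/subscriptions/resourceGroups/read"],
                    "notActions": []}]},
  {"roleName": "LogReader", "roleType": "CustomRole",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "permissions": [{"actions": ["Microsoft.Insights/*/read"], "notActions": []}]},
  {"roleName": "StarMinusAuthz", "roleType": "CustomRole",
   "assignableScopes": ["/"],
   "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*"]}]}
]
"""

# Scopes at or above a whole subscription: root, a subscription, a management group
SUBSCRIPTION_WIDE = re.compile(
    r"^(/|/subscriptions/[^/]+/?|/providers/Microsoft\.Management/managementGroups/[^/]+/?)$",
    re.IGNORECASE,
)

ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"


def scope_is_subscription_wide(scope):
    return bool(SUBSCRIPTION_WIDE.match(scope))


def action_allowed(role, action):
    """Azure semantics: an action is granted when some actions pattern matches
    it and no notActions pattern in the same permission block takes it away.
    Patterns use '*', which matches across '/' boundaries, as fnmatch's does."""
    wanted = action.lower()
    for perm in role.get("permissions", []):
        granted = any(fnmatchcase(wanted, p.lower()) for p in perm.get("actions", []))
        denied = any(fnmatchcase(wanted, p.lower()) for p in perm.get("notActions", []))
        if granted and not denied:
            return True
    return False


def audit_roles(roles):
    """Return {roleName: [reasons]} for custom roles assignable subscription-wide
    that carry owner-equivalent power."""
    findings = {}
    for role in roles:
        if role.get("roleType") != "CustomRole":
            continue
        if not any(scope_is_subscription_wide(s) for s in role.get("assignableScopes", [])):
            continue  # scoped to a resource group or resource: not a subscription owner
        reasons = []
        # The page's rule: a wildcard in actions, regardless of any notActions
        if any("*" in p.get("actions", []) for p in role.get("permissions", [])):
            reasons.append("wildcard '*' in actions")
        # Extension: being able to write role assignments is a path to Owner
        if action_allowed(role, ROLE_ASSIGN_WRITE):
            reasons.append("can write role assignments (self-escalation to Owner)")
        if reasons:
            findings[role["roleName"]] = reasons
    return findings


def audit_roles_sample():
    return audit_roles(json.loads(ROLES_JSON))


if __name__ == "__main__":
    for name, reasons in audit_roles_sample().items():
        print(f"{name}: {'; '.join(reasons)}")
```

RGAdmin is not reported even though it has "*", because its only assignable scope is a resource group; StarMinusAuthz is reported for the wildcard but not for role-assignment writes, because its notActions carve Microsoft.Authorization back out.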
Data Encryption: SQL Data Encryption Not Enabled
Enabling SQL Data Encryption (Transparent Data Encryption) protects Azure SQL Databases against malicious offline activity, such as restoring a stolen backup or database file elsewhere, by encrypting data at rest. Warden evaluates every SQL Database in your Azure subscription for this setting, helping to safeguard your crown jewels.
As organizations adopt a multi-cloud strategy, there is a greater need to look beyond native cloud security tools toward ones that provide holistic coverage across clouds. With Azure support added to Amazon Web Services (AWS) and Google Cloud Platform (GCP), and with Huawei Cloud and Alibaba Cloud available in early access, Horangi Warden now covers the five major cloud providers and is better poised to solve this problem.
To stay updated with the latest additions to Warden's features, you can visit our blog. You can also fill in this form to schedule a customized demo and see how Warden can help with all your cloud security needs.