Getting into Azure Security

Getting into cloud security can be quite overwhelming: the number of services and possibilities in a cloud environment can be enormous.
Having a proper understanding of the workings of Azure is key.
It is not realistic to know everything from every service, hence knowing where to find relevant information is important as well.

To get started in Azure security, I would recommend first following the Azure Fundamentals course and getting the certification (AZ-900). This gives a brief introduction to and overview of the Azure cloud platform. If you are already familiar with Azure or other cloud providers, some content will be redundant. Nevertheless, it is advised to read through everything. Having the AZ-900 certification does not provide enough background knowledge to deep-dive into complex environments and perform pentests. For this, additional knowledge is required. Parts of this knowledge can be learned by doing the Azure Security Technologies (AZ-500) exam; other parts can only be learned with hands-on experience.

Azure Fundamentals (AZ-900)

The Azure Fundamentals exam comes with four free (suggested) learning paths, each consisting of several modules. These modules explain the core principles of Microsoft Azure and can be followed without any prior knowledge or experience with any Cloud Service Provider (CSP). Information is mainly presented as text with some exercises for you to perform in a sandboxed Azure environment.

The first learning path, Explore Microsoft Azure Cloud Concepts, gives an introduction to cloud concepts and terminology, such as the various cloud models (Public, Private, Hybrid) and service types (IaaS, SaaS, PaaS). Additionally, the advantages of using or moving to the cloud are explained. You’ll also set up your Azure account if you don’t have one already.

The second learning path, Distinguish Microsoft Azure Core Services, introduces you to Azure’s network architecture. Terms such as Regions, Geographies, Availability sets and zones are introduced. After this, core Azure services are introduced, such as Compute, Storage, Databases and Virtual Networks. These are core services which are often seen in Azure environments and are useful to familiarize yourself with. Up next are some more specific Azure solutions such as the IoT Hub, Azure Functions, DevOps and big data analytics services. Functions and DevOps are commonly seen services in client environments. The module ends with a brief introduction to deploying Virtual Machines using a template, PowerShell and the Azure CLI.

The third learning path, Examine Microsoft Azure security, privacy, compliance, and trust, dives into the security aspect of using cloud services. What exactly are the provider’s and your responsibilities? The shared security model is explained, as well as Azure services such as Azure Firewall and Key Vaults for protecting your cloud resources and handling secrets. Identity and Access Management (IAM) is a core concept of every cloud provider, letting users define who has access to what. Azure does this using the Azure Active Directory, which is briefly explained in this module. To make sure new resources comply with your security posture, Azure Policy can be used. This is briefly explained together with RBAC. Finally, this learning path explains Azure monitoring services and what Microsoft does to protect your data. An overview of compliance and data protection standards is given.

The fourth and final learning path, Review Microsoft Azure pricing, service level agreements, and lifecycles, explains the pricing models, SLAs and service lifecycles on the Azure platform. A brief explanation is given of how accounts are structured and how usage is metered on pay-per-use services. An example of SLAs is given and finally the Azure service development lifecycle is explained.

Am I ready now?

Having done all the modules should give you a good basic understanding of how Azure operates and which services are important. This basic knowledge of Azure will not by itself be sufficient to perform security testing. The fundamentals courses only touch briefly on every topic, so that you know it exists and have an understanding of what it can do or how it should be used. To actually apply, test and validate security best practices or configurations requires a deep understanding of Azure services and options. Furthermore, the fundamentals course does not talk about any possible security attacks or risks, such as API token theft, public Storage accounts and abusing the Instance Metadata Service. For this, additional research needs to be done.

It is strongly advised to play around in the Azure environment with a free account to get familiar with the Azure Portal, Azure PowerShell modules and the Azure CLI. Additionally, discover new services such as Azure Kubernetes Service and play around with virtual networks, NSGs, endpoints, application gateways and firewalls. Try to set up a simple environment and then check whether your setup is secure or conforms to security baselines such as the CIS Azure benchmark.

Whatever you do, keep the Azure Rules of Engagement in mind!

The following activities are encouraged:

  • Create a small number of test accounts and/or trial tenants for demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data of another customer or account.
  • Fuzz, port scan, or run vulnerability assessment tools against your own Azure Virtual Machines.
  • Load testing your application by generating traffic which is expected to be seen during the normal course of business. This includes testing surge capacity.
  • Testing security monitoring and detections (e.g. generating anomalous security logs, dropping EICAR, etc).
  • Attempt to break out of a shared service container such as Azure Websites or Azure Functions. However, should you succeed you must both immediately report it to Microsoft and cease digging deeper. Deliberately accessing another customer’s data is a violation of the terms.
  • Applying conditional access or mobile application management (MAM) policies within Microsoft Intune to test the enforcement of the restriction enforced by those policies.

To pursue a security tester role in Azure, also familiarize yourself with several tools, such as the Azure CLI, Az PowerShell and cloud security scanners such as ScoutSuite.
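A small version of the self-check suggested above (build a test environment, then compare it with a baseline), written as an added example: it is not part of the original post, not ScoutSuite code and not the CIS benchmark text. The three storage settings and the SSH/RDP rule are a hand-picked selection for illustration, and the sample JSON is constructed, with field names as they appear in Azure CLI output.

```python
import json

# Constructed sample input shaped like `az storage account list` and
# `az network nsg list` JSON output, trimmed to the fields checked below.
STORAGE_JSON = """[
 {"name": "labpublic01", "allowBlobPublicAccess": true,
  "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0"},
 {"name": "lablegacy01", "allowBlobPublicAccess": false,
  "enableHttpsTrafficOnly": true, "minimumTlsVersion": null}]"""
NSG_JSON = """[{"name": "lab-nsg", "securityRules": [
 {"name": "ssh-any", "access": "Allow", "direction": "Inbound",
  "sourceAddressPrefix": "*", "destinationPortRange": "22"},
 {"name": "wide-range", "access": "Allow", "direction": "Inbound",
  "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "3000-4000"]},
 {"name": "web-internal", "access": "Allow", "direction": "Inbound",
  "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "443"}]}]"""
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def audit_storage(accounts):
    """Return (account, finding) pairs; missing or null fields count as insecure."""
    checks = [
        ("public blob access allowed", lambda a: a.get("allowBlobPublicAccess") is not False),
        ("plain HTTP allowed", lambda a: a.get("enableHttpsTrafficOnly") is not True),
        ("TLS below 1.2 allowed", lambda a: a.get("minimumTlsVersion") not in ("TLS1_2", "TLS1_3")),
    ]
    return [(a["name"], msg) for a in accounts for msg, failed in checks if failed(a)]

def port_matches(port, spec):
    """NSG port specs are '*', a single port ('22') or a range ('20-25')."""
    low, _, high = ("0-65535" if spec == "*" else spec).partition("-")
    return int(low) <= port <= int(high or low)

def audit_nsgs(nsgs):
    """Flag inbound Allow rules that expose SSH or RDP to any source address."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules") or []:
            sources = [rule.get("sourceAddressPrefix")] + (rule.get("sourceAddressPrefixes") or [])
            specs = [rule.get("destinationPortRange")] + (rule.get("destinationPortRanges") or [])
            exposed = any(s and s.lower() in ANY_SOURCE for s in sources)
            if rule.get("access") != "Allow" or rule.get("direction") != "Inbound" or not exposed:
                continue
            for port, label in ADMIN_PORTS.items():
                if any(p and port_matches(port, p) for p in specs):
                    findings.append((nsg["name"], rule["name"], f"{label} open to the internet"))
    return findings

for finding in audit_storage(json.loads(STORAGE_JSON)) + audit_nsgs(json.loads(NSG_JSON)):
    print(*finding, sep=": ")
```

To run it against your own test subscription, replace the two constants with the output of `az storage account list -o json` and `az network nsg list -o json`.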

Getting more knowledge

Once you are more familiar with the Azure basics, go ahead and apply for the Azure Security Technologies (AZ-500) exam. Similar to the AZ-900 exam, this comes with suggested learning paths. Additionally, online training courses can be followed to prepare you for the exam.