Make your Azure PaaS environment security compliant in few easy steps

When working with Azure PaaS resources, we typically concentrate more on the code implementation part and external Azure Resources like Azure Application Gateway/Front door or Key vault to support Security of PaaS applications.

But there are few basic things which are supported by Azure PaaS Resources to help us to tighten internal security, which we may tend to forget sometimes.

We can focus on commonly used PaaS resources as shown below:

Azure App service/Azure Functions

Azure App Service: Lets you create apps faster with a one-of-a kind cloud service to quickly and easily create enterprise-ready web and mobile apps for any platform or device and deploy them on a scalable and reliable cloud infrastructure and Azure Functions allows you to create event-driven serverless compute platform that can also solve complex orchestration problems

Navigate to Configuration section of App service/Functions and check for below sections:

• FTP State: In most of the cases we deploy our code changes through DevOps CD pipelines. So, it is recommended to change the state to Disable, to avoid unnecessary code deployments through unauthorised channels.
• Remote debugging: In Production scenarios this should never be required, so it is recommended to turn off
• Client certificate mode: Enable this only if you need to restrict access to your Azure App service via certificated based authentication, else ignore it
• Platform: This is Optional but recommended change, convert your platform to 64 Bit to remove the risk of Memory Out of range exception

CORS: Search for CORS in App service/Functions and makes sure only valid Domains are mentioned for communications and it is never set to “*” as this will allow application to communicate with all other domains, with no restrictions

HTTPS & TLS: Search for TLS in Azure App service/Functions and make sure HTTPS Only is turned On and Minimum TLS Version is set to 1.2

Managed Identity: Applications may use the managed identity to obtain Azure AD tokens. For example, an application may use a managed identity to access resources like Azure Key Vault where developers can store credentials in a secure manner or to access storage accounts.

To enable managed identity Search for Identity in your App service, then in the System assigned enable the status to On and in the key vault under Access policies search for the same identity and provide the required access.

Azure Storage

Provides a set of highly scalable, secure, performant, and cost-effective foundation to run all your business applications

Navigate to configuration section of storage and check for below sections

• Look out for Allow Blob public access and make sure it is set to Disabled unless required
• Search for Secure transfer required i.e., all communication should happen via HTTPS only
• Look out for Minimum TLS version and make sure it is set to Version 1.2

Whenever possible when using blob container to storage images, make sure to change Public access level of container as private and use the blobs via Shared access keys

Key vault

Is used to safeguard cryptographic keys and other secrets used by cloud apps and services

Checkout for below options

• Under your key vault search for Networking and select to option of Private endpoint and selected networks and provide the IP address to restrict access to key vault
  
  (Please note: Enable this only if you know the source IP address will not change for e.g., When accessing secrets of key vault from Azure DevOps Default agent, this selection will not work as the IP address of Default agent is not static)

• Ideally Soft delete are enabled by default, but Purge operation should be enabled. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. To enable this, Navigate to Key vault -> Properties -> Purge protection -> Enable purge protection

SQL Azure

Azure SQL Database is an intelligent, scalable, relational database service built for the cloud. Optimise performance and durability with automated, AI-powered features that are always up to date

Check out for below options

• Transparent data encryption (TDE) : Transparent data encryption encrypts your databases, backups, and logs at rest without any changes to your application. To enable encryption, go to each database. This option is enabled by default in newly created Database. Existing SQL databases created before May 2017 and SQL databases created through restore, geo-replication, and database copy are not encrypted by default. This option is visible under security section of database.
• Auditing: Under security section of SQL Azure Database lookout for Auditing and enable the same. Auditing for Azure SQL Database tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs. Auditing helps you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
• Enable vulnerability assessment & SQL Defender: Enable SQL Vulnerability Assessment, it’s a service that provides visibility into your security state. Vulnerability Assessment includes actionable steps to resolve security issues and enhance your database security. To enable this option, navigate to SQL server -> Security Center -> Configure then turn On Azure Defender for SQL, Turn On Periodic Scan’s and configure email alerts
• Firewall & Networks: Under this option of SQL server which is under security section make sure to review IP address, which are allowed to access SQL server frequently and make sure Minimum TLS version is set to 1.2

Additional points

• Most of the PaaS services allow Managed identity, CORS and access from specific IP Address which can help securing common points
• There is also a good option to explore when implementing Managed Identity to directly authorize communication between 2 Azure Resources without the need of exposing connection string in key vault more can be found in this https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-msi
• Azure Security Center which is part of Azure portal also scans your environment and give recommendations very frequently

By following above guidelines, we can improve our basic security of Azure PaaS services