Microsoft Azure Best Practices
For most Cloud Solution Architects and technical decision-makers in your respective companies, this article aims to provide an overview of some Best Practices on Windows Azure and how to effectively use Windows Azure with today’s existing Enterprise IT environments.
Best is relative. In this case, we refer that to Practices that have helped others. When we talk about Best Practices, one needs to bear in mind that the actual implemntation can change based on the need and requirements. Furthermore, there are just too many Best Practices which makes that even harder to cover all of them as many practices require to dive deeper into specific topics itself.
Azure Data Security and Encryption Best Practices
Many a times when we face various customers and especially if we talk about Cloud Computing regardless of which Cloud Providers, you often get questions like “How secure is the cloud?”, “What if someone hacks my cloud and my data are on it?”, etc. Notice that most of the time amidst the other queries on what cloud computing could do generally, data security is usually the first to raise tons of questions.
Here are some best practices by Microsoft
- Enforce Multi-Factor Authentication
- Use Role-based Access Control (RBAC)
- Encrypt Azure Virtual Machines
- Use hardware security models
- Manage with Secure Workstations
- Enable SQL data encryption
- Protect data in-transit
- Enforce file level data encryption
I’ll focus on the best practices for Azure data security and encryption that revolves around two data states:
- Data at ‘rest’ — means that your data including all information storage objects, containers, and types that exist, sits in your storage account.
- Data in-transit — means that data is being transferred over the network whether is it across the network or a service bus (from on-premise to cloud and vice-versa, including hybrid connections such as ExpressRoute).
General Blob Storage Best Practices
- Always encrypt data at “rest”. Encrypt data on client before uploading to storage.
- Always use secure connection on HTTPS to ensure data are also encrypted “in-transit”.
- Ensure that Blob storage issues out ‘Shared Access Signatures’ to secure access to files on storage.
- Use Content Delivery Network (CDN) for better user experience. CDN Edge nodes to delivery content faster to users globally.
- Use leases to control 1 RW (read/write) copy but many RO (read-only) snapshot copies.
General Table Storage Best Practices
- Use PartitionKey and RowKey for querying tables. The index is based on these values.
- Consider multiple tables with different PartitionKey and RowKey.
- Consider using Continuation Token across distributed partitioned servers.
- Consider using a Retry Strategy to handle storage operation failures to ensure that you do not lose any data updates.
- Load balancing at partition layer.
General Queue Storage Best Practices
- Consider using a Retry Strategy to handle storage operation failures to ensure that you do not lose any data updates.
- Idempotence and Poisoned messages must be handled.
- Reduce Storage transactions with Exponential Backoffs and Batched Dequeues.
- Dequeue Count should be used to identify poison messages or the validity of invisibility time used.
- Message Count should be used to scale workers.
I’ll briefly walkthrough some of the key points to data security and encryption best practices mentioned earlier.
The first step in data access and control is to always authenticate your users. Given an increase in cybercrimes, and the degree of its attacks, many organizations enforce in employing Two-Factor Authentication. Microsoft provides a service known as Azure Multi-Factor Authentication (MFA), similar to Two-Factor Authentication in verifying and identifying user’s identity besides your username and password.
By enabling Azure MFA for your users, you are adding a second layer of security to user sign-ins and transactions. Azure MFA also help to reduce the likelihood that a compromised credential will have access to organization’s data.
For many organizations, data at rest is a mandatory step towards data privacy, compliance and data sovereignty. Azure Disk Encryption enables IT administrators to encrypt Windows and Linux IaaS Virtual Machine (VM) disks. Encrypting customers data and properly managing the encryption keys can help mitigate the risk of unauthorized access to that data. I’ll leave it to another series to talk about Azure KeyVault to enhance data protection and compliance by safeguarding cryptographic keys and other secrets used by cloud applications and services.
For on-premises Windows Servers, you could,
- Enforce Data Encryption using BitLocker.
- Store recovery information in Azure Active Directory Domain Services.
Furthermore, protecting data in transit should be an essential part of data protection strategy. The general recommendation is to use SSL/TLS protocol to exchange data across different locations. In some instances, it might be critical to isolate the entire communication channel between on-premise and cloud infrastructure by using a virtual private network (VPN).
Azure Rights Management (RMS) is another protection technology used by Azure Information Protection. Azure RMS uses encryption, identity, and authorization policies to help secure your files and email. You can be assured that Azure RMS uses industry-standard cryptography with full support of FIPS 140-2 and the protection stays with the file even if it is copied to storage not under the control of IT.
In this article, although it is still pretty preliminary as compared to the extend of the list of best practices out there; However, this should give you an idea of something to work with the next time you architect a solution on Azure.
Cheers!