Azure Services Zero Trust Implementation

In order to keep all services safe from outside threats, MobileTrack has decided to implement a Zero Trust security model on Azure. This model is based on the principle of "never trust, always verify," and it requires strict identity verification and access controls for all users and devices attempting to connect to the network. By implementing Zero Trust on Azure, MobileTrack can better protect its data, applications, and infrastructure from cyberattacks and other security threats.

Required services to implement Zero Trust on Azure

1. Identity and Access Management:

  • Microsoft Entra ID - Managed IdentitiesMicrosoft Entra ID: Centralized identity management with multi-factor authentication (MFA) and identity protection.
  • Conditional AccessRole-Based Access control: All resources are only allowed least-privileged access resources they need to function using user-assigned managed identities. For Kubernetes, this is handled via a federated identity on the user-assigned managed identity. The software engineers of MobileTrack have access to the testing resources from their own laptops, using their Microsoft Entra ID account to authenticate. However, IP-address filters are applied to make sure they can only access the testing environment from their home or the office, and production resources are only accessible from the office for emergency situations.

    Azure Machines On production, only 2 IT workers have access to the production environment's inner ssytem, but only when logged in from the office. All resources are locked to prevent accidental deletions/editing, and the database is read-only for these administrators. Whenever any administrator needs access to the resource group for maintenance or inspection, all actions will have to be manually logged and approved by another administrator.

  • Azure PolicyAzure policies: as a default, all services (and backups) can only be instantiated on the West Europe region. This is to prevent data from being stored in regions that are not GDPR-compliant. Only the two IT workers have access to the backups for disaster recovery.

2. Network Security:

We use the following security measures on Azure itself:

  • Virtual NetworksVirtual Network (VNet) Segmentation: Divides networks into smaller segments to reduce the risk of lateral movement. Specific resources (e.g. the database) cannot be accessed from outside the Virtual Network, except from MobileTrack's main office.
  • Network Security GroupsPrivate Endpoints:Specific resources (like databases or file storage) are accessed by the servers through private endpoints, ensuring that the traffic between them never leaves the Azure backbone network and is not exposed to the public internet.
  • DDoS Protection PlansAzure DDoS Protection: The free default version is sufficient for our needs - the paid one is very expensive.
  • Azure MonitorAzure Security Center: Monitors and provides security recommendations for devices connected to Azure.

3. Data Protection:

  • Azure KeyVaultAzure KeyVault: Encrypts data at rest and in transit using Azure Key Vault for key management. In this way, if our codebase was ever leaked, there would be no way to access the services like the Azure Cosmos Database without the proper keys.
  • 02360-icon-service-Azure-Backup-CenterRestricted backups: In order to follow laws and regulations, we have to keep backups of our data. We only use Zone redundancy, meaning the data never leaves the Europe West region.
  • 10064-icon-service-DNS-ZonesAzure DNS: DNS is stored in Azure, meaning MobileTrack manages its own DNS records. We use strict policies against email spoofing and phishing, and we have heavy-handed DMARC, DKIM and SPF records set up to prevent abuse of our domain.

4. Monitoring and Analytics:

  • Application InsightsApplication Insights: Azure Application Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms, used to track the performance of life services. It will automatically detect performance anomalies, and includes powerful analytics tools to help you diagnose issues and to understand what users actually do with the applications. For our purposes, this data is parsed daily by the Performance Monitor app, which will alert the DevOps team if any anomalies are detected. All recent data will also be available to MobileTrack support on the Portal Website.
  • Azure AlertsAlert rules: if anomalies are detected in performance optimization, security, or availability, the DevOps team will be alerted by Azure.

Benefits of Zero Trust on Azure

  • Enhanced Security By continuously verifying and applying the principle of the least privilege, Zero Trust helps protect against both external and internal threats.
  • Reduced Risk of Data Breaches: Micro-segmentation and rigorous access controls reduce the potential impact of compromised credentials or devices.
  • Improved Compliance Helps meet regulatory requirements by ensuring robust security practices and comprehensive logging and monitoring. (NIS2, AVG/GDPR, etc.)
  • Scalability: Azure's cloud-native tools allow for scalable security measures that can grow with the organization.

By leveraging these Azure services and adhering to Zero Trust principles, organizations can significantly enhance their security posture and better protect their assets in a dynamic threat landscape.

See Also