Why Microsoft Azure’s default security settings aren’t good enough.

After seeing the clear benefits of the immensely popular Microsoft 365 suite, a growing number of New Zealand’s organisations are moving their server, storage, and other infrastructure into the Azure cloud. It makes good sense. After all, as the hassles of on-premises hardware evaporate, our generally enviable connectivity puts the enormous range of Azure resources and services within easy reach.

But as always, there is a potential ‘but’. In this case, it’s security.

Now to be clear, I am not claiming Azure has a security problem. Far from it. Microsoft has invested heavily in securing its various cloud services. As a result, Azure (and any one of the hundreds of products Microsoft offers) enjoys a generally sound reputation for security. That’s why millions of customers trust Microsoft Azure for a wide array of infrastructure services. This is despite the recent flak received for less-than-stellar practices.

Pieter Jordaan – Senior Trusted Advisor

The security challenge faced by many, especially small-to-medium-sized organisations, is one of appropriate configuration and review. (Security vendor Trend Micro has a paper on configuration issues which can leave Azure open to attack.)

One size doesn’t fit all. In fact, one size generally doesn’t even fit most. Even when doing the same kind of work, different organisations will often have radically different approaches.

And that’s fine.

What isn’t fine is firing up an Azure instance, tenant, or service and simply sticking with the standard baseline security settings. Yet this is exactly what most SMEs do when moving into the cloud.

There are good reasons for that, even if it is a risky practice. One is the sheer accessibility of those services (and the quickly appreciated utility). Put simply, getting into Azure is easy.

Then there’s the fact that the default Microsoft policy is reasonably good (it has to be, as a ‘coverall’).

The problem is that ‘pretty good’ isn’t good enough. Good defence must defend against everything, while a successful hack is a bit like a burglar making it into your home. Just one unlatched window is all it takes.

The other problem is that security expertise is in short supply. At the same time, a culture of ‘she’ll be right’ and ‘it won’t happen to me’ is still prevalent, although, with endless examples of local attacks, that mindset is diminishing!

What this means in practice is that while features like geolocation blocking, multifactor authentication, conditional access and more are available in Azure, they often aren’t enabled in your Azure tenant.

And if that’s the case, the burglar has an open window or two, through which they might jump.

At CodeBlue, we believe every system should be hardened, secure and protected. We also believe every customer should utilise every feature and benefit built into the software and services already paid for.

With the cloud in general, and Azure in particular, those features and benefits evolve rapidly. Your organisation and its tech requirements, too, change constantly. And so does the security landscape.

That’s why we recommend a quarterly review, with a solid focus on security. This ensures your systems are always closely aligned with business requirements, while keeping those ‘burglars’ out!