Penetration testing in the Azure cloud has important differences from an on-prem assessment. This range of unique technologies often leads to complications in security architecture and configuration, as well as in the penetration testing process itself.
But the integration of new technologies brings about new security vulnerabilities as well. By penetration testing your Azure cloud environment, you can identify and eliminate these security risks – including those unique to your private cloud.
Azure comes with a number of security protections for experienced users. Microsoft also adheres strictly to compliance standards and undergoes regular third-party audits. While this is a good place to start, it is each user’s responsibility to maintain the stability and security of their own deployments.
The Azure services provide the structure to create virtual machines, networks, and applications, but it is the end-user that owns them. For this reason, it is essential that your Azure instances also receive regular security audits to protect your most sensitive assets.
Many elements of cloud services can’t be tested. For instance, it’s strictly forbidden to perform DDoS attacks on the network, as it may result in unplanned downtime for many users. There are also several services that can (and should) receive a regular assessment. The following are a few examples of those that we will test:
Microsoft Dynamics 365
Visual Studio Team Services
Unlike Amazon Web Services (AWS), no pre-approval is needed to conduct penetration tests on Azure services, as of June 2017. While this helps save time during the pre-engagement process, there are still many factors to consider before testing your Azure network.
It is important to note that certain assessment techniques are off-limits to protect other Azure users. Some are more obviously destructive, such as executing Denial of Service (DoS) attacks on the server.
Others, such as scanning an out-of-scope service or running a scanner that generates excessive traffic, can also have a negative, unintended impact on the Azure user base.
These rules of engagement exist to keep other Azure clients from becoming affected by an otherwise planned security test.
It is crucial to seek out experienced security engineers to aid in assessing your Azure network, as it greatly reduces the possibility of extensive damage.
Microsoft offers a series of robust security features to Azure users. While these precautions apply only to the Azure services and don’t provide the same protections for user-installed applications, they are a good first line of defense.
Transparent DDoS Protection – Network-wide coverage (excluding app-specific DoS, such as a registration signup DoS crashing a SQL Database).
Endpoint Access Control List (ACL) – Applied to each virtual machine to allow selective permissions for incoming and outgoing traffic.
User Defined Routing (UDR) - Allows specific, manually-created routes for third-party security appliances such as spam filters, network IDS, etc.
Full Disk Encryption – Utilizes BitLocker for Windows VMs or dm-crypt for Linux-based VMs.
Database Encryption – Transparent Data Encryption (TDE) for locking down your SQL databases.
Azure Key Vault – A tool for cryptographically securing keys, passwords, and other sensitive information for services on your Azure instance.
Data Masking in SQL Databases – Data masking is supported at the column level, with unmasked data only available to administrators and pre-specified users.
Endpoint Protection – Real-time, automated antivirus protection for the Azure operating system.
Logging and Alerting/Auditing – Microsoft will collect and analyze logs, including logs of activity on the network. This allows users to be notified of threats in real time and can provide Microsoft with information to help you respond appropriately.
Customized Security Recommendations – The Azure Security Center can offer targeted, specific recommendations based on your individual security needs. They can also provide aid through monitoring, tightening access controls, policy, incident investigation/response, and other means.
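The endpoint access control lists above are only a protection if their effective rules are actually restrictive. The following added example (not Rhino Security Labs' tooling or any Azure SDK code) audits a set of Network Security Group rules, the current form of the per-VM ACL, for management ports exposed to any source. It assumes the field names emitted by `az network nsg rule list -o json` (`priority`, `direction`, `access`, `sourceAddressPrefix`, `destinationPortRange`/`destinationPortRanges`) and uses a constructed sample rather than output from a real subscription.

```python
"""Audit NSG rules for management ports reachable from any source (added example)."""
import json

# Ports a reviewer checks first on an exposed VM; extend to taste.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986, 1433, 3306}
# Source prefixes that mean "anyone"; treated as equivalent here, an approximation
# since "*" also matches VNet traffic that the "Internet" service tag excludes.
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}


def _ports(rule):
    """Expand destinationPortRange / destinationPortRanges into a set of ints."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    out = set()
    for r in ranges:
        if r == "*":
            return set(MANAGEMENT_PORTS)  # wildcard covers every port we care about
        lo, _, hi = r.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def exposed_ports(rules):
    """Map each management port open to any source to the Allow rule that opens it.

    NSG evaluation runs from the lowest priority number upward and stops at the
    first match, so a Deny with a lower number shadows a later Allow. Walking in
    priority order is what makes this correct; grepping for Allow rules is not.
    """
    decided = {}
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule.get("sourceAddressPrefix") not in ANY_SOURCE:
            continue  # outbound, or limited to a specific source: not an any-source exposure
        for port in _ports(rule) & MANAGEMENT_PORTS:
            decided.setdefault(port, rule["name"] if rule["access"] == "Allow" else None)
    return {port: name for port, name in decided.items() if name}


def audit(nsg_json):
    return exposed_ports(json.loads(nsg_json))


SAMPLE = json.dumps([  # constructed sample, not real subscription data
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-rdp-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-ssh-office", "priority": 300, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "allow-db-any", "priority": 400, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRanges": ["1433", "8000-8010"]},
])

if __name__ == "__main__":
    print(audit(SAMPLE))  # only the SQL port survives: the RDP Allow is shadowed by the Deny
```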
Rhino Security Labs’ Azure penetration test reports are similar to network or web application pentest reports – available for download here. Our reports offer the technical depth to aid engineers in their remediation and strategic insight for leadership.
A primary addition is that Azure reports cover unique vulnerabilities specific to the platform. Along with them, you will receive strategic recommendations and mitigations for your own Azure instances, and the cloud environment as a whole.
Performing a security assessment on your Azure environment can be complex. Let Rhino Security Labs engineers do the heavy lifting and create a more secure environment for your organization.
Need more information? Get a Quote for penetration testing your Azure cloud environment.