Request a Quote

Improve your app security on Azure

We Keep you Connected

Improve your app security on Azure

Improve your app security on Azure
Your email has been sent
Application instance lock, Azure Virtual Network Manager and Network Watcher troubleshooting: tools for making the applications you run on Azure more secure.
When cloud computing first became popular, it was seen as a way of reducing both friction and costs. It was much faster and cheaper to spin up a virtual machine in the cloud than to wait for a physical server to be approved, ordered, delivered and set up.
SEE: Use this access management policy template from TechRepublic Premium to build secure policies around user access.
Now, cloud computing is powerful and robust enough to run mission critical workloads — as long as you know how to design applications to scale, configure cloud services to support them and handle the failures inevitable in any complex system.
Jump to:
If you’re building applications on Azure, Microsoft has a Well-Architected Framework to help you design and run your app for reliability, security, performance efficiency and effective operations. It even offers a quiz to help you assess if you’ve covered everything.
There’s also a growing number of tools and services to help make the applications you run on Azure more reliable and secure. These tools range from the Azure Chaos Studio service, which helps you test how your app will cope with failure, to the open-source OneFuzz project, which will look for flaws in your code.
If you use containers, the default configuration for .NET 8 Linux containers is now “rootless,” and it takes only one line of code to have your app run as a standard user rather than one with root access. This is to ensure attackers can’t modify files or install and run their own code if they are able to get into your app.
In addition to avoiding security flaws when you write your application, you need to make sure you’re only giving access to the right people.
You can apply locks to any Azure resource or even an entire Azure subscription, making sure they can’t be deleted or even modified. But because locks affect the Azure control plane rather than the Azure data plane, a database that’s locked against modification can still create, update and delete data, so your application will carry on working correctly.
For older applications that don’t have fine-grained options for managing how credentials are used, Azure Active Directory has a new option to help you secure those credentials. This way, an attacker can’t make changes that might let them take control of a key enterprise application and get credentials to move across your network and attack other systems.
Around 70% of all data breaches start with an attack on web applications, so you need to make sure attackers can’t use them as a stepping stone to other resources.
SEE: Discover how BYOD and personal applications can lead to data breaches.
The new app instance property lock feature covers credential signing with SAML and OpenID Connect, which means you can offer single sign-on that lets users sign in with Azure AD and get access to multiple applications.
It  also encrypts the tokens created using a public key, so apps that want to use those tokens have to have the correct private key before they can use those tokens for the user who’s currently signed in. That makes it harder to steal and replay tokens to get access.
Modern applications will usually have those kinds of protections available already. If you’re running a legacy application that wasn’t built to protect these sign-on flows, you can use Azure AD to stop the credentials used for signing tokens, encrypting tokens or verifying tokens from being changed. So even if an attacker does get access to the application, they can’t block legitimate admins and take over.
You might also want to look at the permissions users have to applications they install or register on your Azure AD tenant and what anyone with guest access will see.
If your cloud app has a problem, sometimes it’s a network problem, and sometimes it’s how you’ve configured the network options.
Azure Virtual Network Manager is a new tool for grouping network resources, configuring the connectivity and security for those resources and deploying those configurations to the right network groups automatically. At the same time it allows for exceptions for resources that need something like inbound Secure Shell traffic, which you’d normally block.
You can use this to create common network topologies like a hub and spoke that connects multiple virtual networks to the hub virtual network that contains your Azure Firewall or ExpressRoute connection. The Azure Virtual Network Manager also automatically adds new virtual networks that need to connect to that resource or (soon) a mesh that lets your virtual networks communicate with each other.
Azure Network Watcher already has a mix of tools to help you monitor your network and track down problems that might affect your VMs or virtual network. It can draw a live topology map that covers multiple Azure subscriptions, regions and resource groups as well as monitor connectivity, packet loss, and latency for VMs in the cloud and on your own infrastructure.
But, having multiple tools for finding specific problems means you have to know what you’re looking for. The new connection troubleshooting tool in Network Watcher runs those tools and reports back on network hops, latency, memory and CPU utilization as well as whether it could make a connection and, if not, whether that’s because of DNS, network routing rules, network security rules or the firewall configuration.
You can also use Network Watcher to run other tools like a packet capture session or Azure Traffic Analytics, which helps you visualize the network flow in your application. Azure Traffic Analytics can even map the topology of the network, so you can see which resources are in which subnet and which virtual network each subnet is part of.
If you use Network Watcher’s network security groups, you can use Traffic Analytics to make sense of the flow logs, which track ingress and egress traffic to look for traffic hotspots or just see where in the world your network traffic is coming from and if that matches what you expect.
You can also use this to check that you’re using private links rather than public IP connections to reach sensitive resources like Azure Key Vault — a mistake that’s surprisingly easy to make if you use a public DNS server rather than the Azure DNS server. Getting the network configuration right is an important part of keeping your apps secure in the cloud.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Improve your app security on Azure
Your email has been sent
Your message has been sent
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
Get up and running with ChatGPT with this comprehensive cheat sheet. Learn everything from how to sign up for free to enterprise use cases, and start using ChatGPT quickly and effectively.
Get the most out of your payroll budget with these free, open source payroll software options. We’ve evaluated the top eight options, giving you the information you need to make the right choice.
We highlight some of the best certifications for DevOps engineers. Learn more about DevOps certifications.
With so many project management software options to choose from, it can seem daunting to find the right one for your projects or company. We’ve narrowed them down to these ten.
This Microsoft PowerToys app simplifies the process of visualizing and modifying the contents of the standard Windows Registry file.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Cybersecurity demands and the stakes of failing to properly secure systems and networks are high. While every organization’s specific security needs form a unique and complex blend of interconnected requirements, numerous security fundamentals almost always apply to each of these groups. It stands to reason that cybersecurity pros who effectively identify network and systems risks …
In this guide from TechRepublic Premium we’re going to explore the various things you can do with a Linux server. We won’t leave out any steps, so you won’t have to refer to another tutorial to complete the process. The only step we will leave out is the installation of Linux, as we’ll assume you …
If you want to deploy applications into a Kubernetes cluster, be warned — it’s not the easiest task. There are a lot of moving pieces that go into these scalable containers. Don’t you wish you had a complete roadmap, from start to finish, to walk you through the process of deploying the Kubernetes cluster, deploying …
The more flexibility you can create in your technology workforce, the better you’ll be equipped to manage tomorrow, whatever the future brings. Too often, we focus on helping our teams become technical specialists who know volumes about a single technology, but quickly lose sight of how that technology connects with others. This makes their skills …

source

 

Enterprise Guardian (EnGuard) specializes in HIPAA Compliant Email for the Healthcare Industry.
HIPAA Compliant Email, Telehealth & Cloud Made Easy.

 

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE