articles/security/fundamentals/operational-best-practices.md
5 additions & 6 deletions
Original file line number
Diff line number
Diff line change
@@ -6,16 +6,15 @@ description: This article provides a set of operational best practices for prote
6
6
services: security
7
7
documentationcenter: na
8
8
author: TerryLanfear
9
-
manager: barbkess
10
-
editor: tomsh
9
+
manager: rkarlin
11
10
12
11
ms.assetid:
13
12
ms.service: security
14
13
ms.subservice: security-fundamentals
15
14
ms.topic: article
16
15
ms.tgt_pltfrm: na
17
16
ms.workload: na
18
-
ms.date: 05/06/2019
17
+
ms.date: 01/16/2023
19
18
ms.author: terrylan
20
19
21
20
---
@@ -71,7 +70,7 @@ Here are some best practices for using management groups:
71
70
Good candidates include:
72
71
73
72
- Regulatory requirements that have a clear business impact (for example, restrictions related to data sovereignty)
74
-
- Requirements with near-zero potential negative affect on operations, like policy with audit effect or Azure RBAC permission assignments that have been carefully reviewed
73
+
- Requirements with near-zero potential negative effect on operations, like policy with audit effect or Azure RBAC permission assignments that have been carefully reviewed
75
74
76
75
**Best practice**: Carefully plan and test all enterprise-wide changes on the root management group before applying them (policy, Azure RBAC model, and so on).
77
76
**Detail**: Changes in the root management group can affect every resource on Azure. While they provide a powerful way to ensure consistency across the enterprise, errors or incorrect usage can negatively affect production operations. Test all changes to the root management group in a test lab or production pilot.
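Review bot: The affect/effect correction in the "Requirements with near-zero potential negative effect" bullet is right ("effect" is the noun here) and needs no further change. One nit in the unchanged context of this hunk: "policy with audit effect" and "Azure RBAC permission assignments" are presented as safe candidates for the root management group but, unlike the other items on the page, carry no link to the Azure Policy effects or role assignment documentation; adding those links lets a reader verify what "audit effect" means before applying it tenant-wide.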
@@ -179,7 +178,7 @@ Ensuring that an application is resilient enough to handle a denial of service t
179
178
180
179
For Azure Cloud Services, configure each of your roles to use [multiple instances](../../cloud-services/cloud-services-choose-me.md).
181
180
182
-
For [Azure Virtual Machines](../../virtual-machines/windows/overview.md), ensure that your VM architecture includes more than one VM and that each VM is included in an [availability set](../../virtual-machines/windows/tutorial-availability-sets.md). We recommend using virtual machine scale sets for autoscaling capabilities.
181
+
For [Azure Virtual Machines](../../virtual-machines/windows/overview.md), ensure that your VM architecture includes more than one VM and that each VM is included in an [availability set](../../virtual-machines/windows/tutorial-availability-sets.md). We recommend using Virtual Machine Scale Sets for autoscaling capabilities.
183
182
184
183
**Best practice**: Layering security defenses in an application reduces the chance of a successful attack. Implement secure designs for your applications by using the built-in capabilities of the Azure platform.
185
184
**Detail**: The risk of attack increases with the size (surface area) of the application. You can reduce the surface area by using an approval list to close down the exposed IP address space and listening ports that are not needed on the load balancers ([Azure Load Balancer](../../load-balancer/quickstart-load-balancer-standard-public-portal.md) and [Azure Application Gateway](../../application-gateway/application-gateway-create-probe-portal.md)).
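Review bot: The only change in this hunk is product-name capitalization ("Virtual Machine Scale Sets"), which is consistent with "Azure Cloud Services" and "Azure Virtual Machines" in the surrounding lines; fine as is. The same line still says "We recommend using Virtual Machine Scale Sets for autoscaling capabilities" without a link, while the overview and availability-set references on that line are linked; consider linking it so the recommendation is actionable.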
@@ -223,4 +222,4 @@ See [Azure security best practices and patterns](best-practices-and-patterns.md)
223
222
224
223
The following resources are available to provide more general information about Azure security and related Microsoft services:
225
224
*[Azure Security Team Blog](/archive/blogs/azuresecurity/) - for up to date information on the latest in Azure Security
226
-
*[Microsoft Security Response Center](https://technet.microsoft.com/library/dn440717.aspx) - where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to [email protected]
225
+
*[Microsoft Security Response Center](https://technet.microsoft.com/library/dn440717.aspx) - where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to [email protected]
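Review bot: The removed and added Microsoft Security Response Center lines render identically here because the e-mail address is masked in this view, so the intent of this hunk cannot be verified from the diff; the commit message should state what changed on this line. While this entry is being touched, the MSRC link still points at a technet.microsoft.com library page, and the "Azure Security Team Blog" entry in the unchanged context promises "up to date information" from an /archive/blogs/ path; both should point at current pages, or the "up to date" wording should go.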
articles/security/fundamentals/services-technologies.md
29 additions & 30 deletions
Original file line number
Diff line number
Diff line change
@@ -4,16 +4,15 @@ description: The article provides a curated list of Azure Security services and
4
4
services: security
5
5
documentationcenter: na
6
6
author: terrylanfear
7
-
manager: barbkess
8
-
editor: TomSh
7
+
manager: rkarlin
9
8
10
9
ms.assetid: a5a7f60a-97e2-49b4-a8c5-7c010ff27ef8
11
-
ms.service: information-protection
12
-
ms.subservice: aiplabels
10
+
ms.service: security
11
+
ms.subservice: security-fundamentals
13
12
ms.topic: conceptual
14
13
ms.tgt_pltfrm: na
15
14
ms.workload: na
16
-
ms.date: 1/29/2019
15
+
ms.date: 01/16/2023
17
16
ms.author: terrylan
18
17
19
18
---
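Review bot: Reclassifying this article from ms.service: information-protection / ms.subservice: aiplabels to security / security-fundamentals is correct for a curated list of Azure security services, and it matches the metadata of the sibling operational-best-practices.md file changed in the same commit. Dropping the editor key and bumping ms.date are consistent with that.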
@@ -28,7 +27,7 @@ Over time, this list will change and grow, just as Azure does. Make sure to chec
28
27
## General Azure security
29
28
|Service|Description|
30
29
|--------|--------|
31
-
|[Microsoft Defender for Cloud](../../security-center/security-center-introduction.md)| A cloud workload protection solution that provides security management and advanced threat protection across hybrid cloud workloads.|
30
+
|[Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md)| A cloud workload protection solution that provides security management and advanced threat protection across hybrid cloud workloads.|
32
31
|[Microsoft Sentinel](../../sentinel/overview.md)| A scalable, cloud-native solution that delivers intelligent security analytics and threat intelligence across the enterprise.|
33
32
|[Azure Key Vault](../../key-vault/general/overview.md)| A secure secrets store for the passwords, connection strings, and other information you need to keep your apps working. |
34
33
|[Azure Monitor logs](../../azure-monitor/logs/log-query-overview.md)|A monitoring service that collects telemetry and other data, and provides a query language and analytics engine to deliver operational insights for your apps and resources. Can be used alone or with other services such as Defender for Cloud. |
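Review bot: Updating the Microsoft Defender for Cloud link from the retired security-center path to defender-for-cloud is the right fix, but the description was left as "A cloud workload protection solution", which undersells the service: Defender for Cloud also provides cloud security posture management (secure score and recommendations) across Azure, hybrid, and multicloud resources. Suggest: "A cloud-native application protection platform that provides security posture management and workload protection across Azure, hybrid, and multicloud environments."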
@@ -40,34 +39,32 @@ Over time, this list will change and grow, just as Azure does. Make sure to chec
40
39
|Service|Description|
41
40
|------|--------|
42
41
|[Azure Storage Service Encryption](../../storage/common/storage-service-encryption.md)|A security feature that automatically encrypts your data in Azure storage. |
43
-
|[StorSimple Encrypted Hybrid Storage](../../storsimple/storsimple-ova-overview.md)| An integrated storage solution that manages storage tasks between on-premises devices and Azure cloud storage.|
44
-
|[Azure Client-Side Encryption](../../storage/common/storage-client-side-encryption.md)| A client-side encryption solution that encrypts data inside client applications before uploading to Azure Storage; also decrypts the data while downloading. |
45
-
|[Azure Storage Shared Access Signatures](../../storage/common/storage-sas-overview.md)|A shared access signature provides delegated access to resources in your storage account. |
46
-
|[Azure Storage Account Keys](../../storage/common/storage-account-create.md)| An access control method for Azure storage that is used for authentication when the storage account is accessed. |
47
-
|[Azure File shares with SMB 3.0 Encryption](../../storage/files/storage-files-introduction.md)|A network security technology that enables automatic network encryption for the Server Message Block (SMB) file sharing protocol. |
48
-
|[Azure Storage Analytics](/rest/api/storageservices/Storage-Analytics)| A logging and metrics-generating technology for data in your storage account. |
42
+
|[Azure StorSimple Virtual Array](../../storsimple/storsimple-ova-overview.md)| An integrated storage solution that manages storage tasks between an on-premises virtual array running in a hypervisor and Microsoft Azure cloud storage.|
43
+
|[Client-Side encryption for blobs](../../storage/blobs/client-side-encryption.md)| A client-side encryption solution that supports encrypting data within client applications before uploading to Azure Storage, and decrypting data while downloading to the client. |
44
+
|[Azure Storage shared access signatures](../../storage/common/storage-sas-overview.md)|A shared access signature (SAS) provides delegated access to resources in your storage account. |
45
+
|[Azure Storage Account Keys](../../storage/common/storage-account-create.md)| An access control method for Azure storage that is used authorize requests to the storage account using either the account access keys or an Azure Active Directory (Azure AD) account (default). |
46
+
|[Azure File shares](../../storage/files/storage-files-introduction.md)| A storage security technology that offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol, Network File System (NFS) protocol, and Azure Files REST AP. |
47
+
|[Azure Storage Analytics](../../storage/common/storage-analytics.md)| A logging and metrics-generating technology for data in your storage account. |
49
48
50
49
<!------>
51
50
52
51
## Database security
53
52
|Service|Description|
54
53
|------|--------|
55
54
|[Azure SQL Firewall](/azure/azure-sql/database/firewall-configure)|A network access control feature that protects against network-based attacks to database. |
56
-
|[Azure SQL Cell Level Encryption](/archive/blogs/sqlsecurity/recommendations-for-using-cell-level-encryption-in-azure-sql-database)| A database security technology that provides encryption at a granular level. |
57
55
|[Azure SQL Connection Encryption](/azure/azure-sql/database/logins-create-manage)|To provide security, SQL Database controls access with firewall rules limiting connectivity by IP address, authentication mechanisms requiring users to prove their identity, and authorization mechanisms limiting users to specific actions and data. |
58
-
|[Azure SQL Always Encryption](/sql/relational-databases/security/encryption/always-encrypted-database-engine)|Protects sensitive data, such as credit card numbers or national identification numbers (for example, U.S. social security numbers), stored in Azure SQL Database or SQL Server databases. |
59
-
|[Azure SQL Transparent Data Encryption](/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql)| A database security feature that encrypts the storage of an entire database. |
60
-
|[Azure SQL Database Auditing](/azure/azure-sql/database/auditing-overview)|A database auditing feature that tracks database events and writes them to an audit log in your Azure storage account. |
61
-
|[Virtual network rules](/azure/azure-sql/database/vnet-service-endpoint-rule-overview)|A firewall security feature that controls whether the server for your databases and elastic pools in Azure SQL Database or for your dedicated SQL pool (formerly SQL DW) databases in Azure Synapse Analytics accepts communications that are sent from particular subnets in virtual networks. |
62
-
56
+
|[Azure SQL Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine)|Protects sensitive data, such as credit card numbers or national identification numbers (for example, U.S. social security numbers), stored in Azure SQL Database, Azure SQL Managed Instance, and SQL Server databases. |
57
+
|[Azure SQL transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql)| A database security feature that helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. |
58
+
|[Azure SQL Database Auditing](/azure/azure-sql/database/auditing-overview)|An auditing feature for Azure SQL Database and Azure Synapse Analytics that tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs. |
59
+
|[Virtual network rules](/azure/azure-sql/database/vnet-service-endpoint-rule-overview)|A firewall security feature that controls whether the server for your databases and elastic pools in Azure SQL Database or for your dedicated SQL pool (formerly SQL DW) databases in Azure Synapse Analytics accepts communications that are sent from particular subnets in virtual networks. |
63
60
64
61
## Identity and access management
65
62
|Service|Description|
66
63
|------|--------|
67
64
|[Azure role-based access control](../../role-based-access-control/role-assignments-portal.md)|An access control feature designed to allow users to access only the resources they are required to access based on their roles within the organization. |
68
-
|[Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md)|A cloud-based authentication repository that supports a multi-tenant, cloud-based directory and multiple identity management services within Azure. |
69
-
|[Azure Active Directory B2C](../../active-directory-b2c/overview.md)|An identity management service that enables control over how customers sign-up, sign-in, and manage their profiles when using Azure-based applications. |
70
-
|[Azure Active Directory Domain Services](../../active-directory-domain-services/overview.md)| A cloud-based and managed version of Active Directory Domain Services. |
65
+
|[Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md)|A cloud-based identity and access management service that supports a multi-tenant, cloud-based directory and multiple identity management services within Azure. |
66
+
|[Azure Active Directory B2C](../../active-directory-b2c/overview.md)| A customer identity access management (CIAM) solution that enables control over how customers sign-up, sign-in, and manage their profiles when using Azure-based applications. |
67
+
|[Azure Active Directory Domain Services](../../active-directory-domain-services/overview.md)| A cloud-based and managed version of Active Directory Domain Services that provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. |
71
68
|[Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md)| A security provision that employs several different forms of authentication and verification before allowing access to secured information. |
72
69
73
70
## Backup and disaster recovery
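Review bot: Two defects in the added storage rows: the Azure Storage Account Keys description reads "that is used authorize requests" (missing "to"), and the Azure File shares row ends in "Azure Files REST AP" (should be "REST API"). Two content points as well. In the Storage Account Keys row, whether a request is authorized with an account key or an Azure AD identity depends on what the caller presents, so "(default)" is ambiguous; state Azure AD as the recommended method or drop the parenthetical. The Azure File shares row replaced "Azure File shares with SMB 3.0 Encryption" with a generic description of SMB, NFS and REST access, so a row in a storage security table no longer names a security property; keep a mention of encryption in transit for SMB. In the unchanged context, the "Azure SQL Connection Encryption" row describes firewall rules, authentication and authorization rather than connection encryption and links to logins-create-manage; either retitle the row or point it at the encrypted-connection documentation.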
@@ -79,19 +76,21 @@ Over time, this list will change and grow, just as Azure does. Make sure to chec
79
76
## Networking
80
77
|Service|Description|
81
78
|------|--------|
82
-
|[Network Security Groups](../../virtual-network/virtual-network-vnet-plan-design-arm.md)| A network-based access control feature using a 5-tuple to make allow or deny decisions. |
79
+
|[Network Security Groups](../../virtual-network/network-security-groups-overview.md)| A network-based access control feature to filter network traffic between Azure resources in an Azure virtual network. |
83
80
|[Azure VPN Gateway](../../vpn-gateway/vpn-gateway-about-vpngateways.md)| A network device used as a VPN endpoint to allow cross-premises access to Azure Virtual Networks. |
84
-
|[Azure Application Gateway](../../application-gateway/overview.md)|An advanced web application load balancer that can route based on URL and perform SSL-offloading. |
81
+
|[Azure Application Gateway](../../application-gateway/overview.md)|An advanced web traffic load balancer that enables you to manage traffic to your web applications. |
85
82
|[Web application firewall](../../web-application-firewall/overview.md) (WAF)|A feature that provides centralized protection of your web applications from common exploits and vulnerabilities|
|[Azure ExpressRoute](../../expressroute/expressroute-introduction.md)| A dedicated WAN link between on-premises networks and Azure Virtual Networks. |
88
-
|[Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md)| A global DNS load balancer.|
89
-
|[Azure Application Proxy](../../active-directory/app-proxy/application-proxy.md)| An authenticating front-end used to secure remote access for web applications hosted on-premises. |
90
-
|[Azure Firewall](../../firewall/overview.md)|A managed, cloud-based network security service that protects your Azure Virtual Network resources.|
84
+
|[Azure ExpressRoute](../../expressroute/expressroute-introduction.md)| A feature that lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. |
85
+
|[Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md)| A DNS-based traffic load balancer.|
86
+
|[Azure Active Directory Application Proxy](../../active-directory/app-proxy/application-proxy.md)| An authenticating front-end used to secure remote access to on-premises web applications. |
87
+
|[Azure Firewall](../../firewall/overview.md)|A cloud-native and intelligent network firewall security service that provides threat protection for your cloud workloads running in Azure.|
91
88
|[Azure DDoS protection](../../ddos-protection/ddos-protection-overview.md)|Combined with application design best practices, provides defense against DDoS attacks.|
92
-
|[Virtual Network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md)|Extends your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection.|
93
-
|[Azure Private Link](../../private-link/private-link-overview.md)|Provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services.|
94
-
|[Azure Bastion](../../bastion/bastion-overview.md)|A service you deploy that lets you connect to a virtual machine using your browser and the Azure portal.|
89
+
|[Virtual Network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md)| Provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. |
90
+
|[Azure Private Link](../../private-link/private-link-overview.md)|Enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.|
91
+
|[Azure Bastion](../../bastion/bastion-overview.md)|A service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer.|
95
92
|[Azure Front Door](../../frontdoor/front-door-application-security.md)|Provides web application protection capability to safeguard your web applications from network attacks and common web vulnerabilities exploits like SQL Injection or Cross Site Scripting (XSS).|
96
93
94
+
## Next steps
97
95
96
+
Learn more about Azure's [end-to-end security](end-to-end.md) and how Azure services can help you meet the security needs of your business and protect your users, devices, resources, data, and applications in the cloud.
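Review bot: Two added networking rows drop the security content that justified listing the service on this page. Azure Application Gateway's description lost "perform SSL-offloading"; on a security services page the TLS termination point, and its pairing with the Web application firewall row directly below, is the relevant capability, so keep it, for example: "A web traffic load balancer that can terminate TLS, route on URL, and integrate with Azure Web Application Firewall." Virtual Network service endpoints now reads as a performance feature ("optimized route over the Azure backbone network"); the security property is that an Azure service can be configured to accept traffic only from specific virtual network subnets, so restore that. Minor, in the unchanged context: the Web application firewall row lacks a terminating period, and the Azure Front Door row has "common web vulnerabilities exploits" (should be "common web vulnerability exploits").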