A notice to our customers: Microsoft are experiencing disruption related to several of their M365 services that could impact your system. We are carefully monitoring the situation. You can be kept updated via Microsoft's service page.

Minimum Recommended Practice for PaaS Security - 2023

26 May 2023 By Frans Lytzen

Security vendors and hackers are locked in an arms race. The hackers are getting more organised, more prolific and they get better and better tools. The security vendors build and release more and more tools and services to counter the threat. You, as an application owner, have to try to keep up with this and figure out which tools you should adopt to keep your system secure.

There is a lot you can do, but it can be difficult to work out what tools and actions are proportionate to your specific circumstances. There is no such thing as a 100% secure system - everything is a matter of judgement and proportionality. (Incidentally, if you are in Azure, NewOrbit offers a Security Review that will assess your risk exposure and then give you appropriate recommendations.)

There is, however, a certain minimum you should always have, no matter what your system is or does. At NewOrbit, we have updated our Minimum Recommended Practice for Azure PaaS applications. Think of this as the equivalent of a car alarm: It’s not that car alarms necessarily stop cars from being stolen - but it is harder to steal a car with a car alarm than one without one, so it shifts the risk. These minimum recommendations are similar; they stop you from being the easiest system to hack, which can reduce the risk of opportunistic attacks.

Many of the updated recommendations were either impossible or at least very hard to apply to PaaS only a few years ago, so if your system has been around for a while, chances are it does not meet these new recommendations.

I must stress, these are the minimum recommendations that any Azure PaaS solution should, in our opinion, have. There are very likely more things you should do in addition to this - but which ones are most important will depend on your specific circumstances.

The five minimum things we recommend for an Azure PaaS solution in 2023 are the following (see the video for more details)

Network Isolation

Use Virtual Networks and Private Link to limit access to your resources from the internet. This used to be really difficult with PaaS but is now very doable with only a few quirks left in some corners.

Managed Identity

Stop using secrets and passwords to connect to databases and other services: Managed Identity provides an automated, password-less approach to almost all inter-service authentication in Azure. This is genuinely a game changer - and is essentially free.

Azure Defender for Cloud

This is a whole suite of solutions - we recommend switching it all on. It will analyse your current setup and give you recommendations on how to strengthen your security as well as give you some level of active monitoring and alerting in real-time.

Logging, Monitoring and Alerting

If you don’t log what happens in your system, if you don’t monitor those logs, how do you know if an attacker is in your system right now? Azure provides a range of tools to help you store and access log as well as automate alerting.

Front Door

Front Door (or one of the equivalent solutions in Azure) provides a layer between the public internet and your Web or API server. This, in itself, removes a certain class of attacks and it gives you the ability to block certain traffic based on patterns, which you can use both ahead of time and to mitigate an active attack. Front Door has a lot more functionality than that, both around security and other things such as CDN capability etc.

Next step

NewOrbit is an Azure Cloud Solution Provider providing Azure Hosting and Support as well as Application Development to a wide range of clients. We have a particular focus on secure and scalable solutions.

If you have any question, if you would like some help with implementing these recommendations or if you could use a security review to assess your wider exposure, do get in touch.
We are happy to provide you with some consultancy to get you started, or we can go as far as becoming your Azure provider, providing you not just with Azure itself but support, monitoring and proactive advice to reduce cost and increase security in your Azure setup.