Layered Approach to Security
You will appreciate that security comes first and has the topmost priority when designing a system or the architecture of an application. Just imagine what would happen if there were a denial of service attack and you, or the consumers of your services, your customers, were not able to reach your website or services. There can be another kind of security incident, a data breach. This is even worse, as it could lead to legal consequences and the loss of reputation, money, and business.
We should, therefore, take a layered approach to security, which is termed Defense in Depth. As I told you moments ago, this strategy uses a series of mechanisms to slow or stop the advance of an attack at different levels as it tries to gain access to the information. Each layer adds its own security controls to protect the data or information, which is the core.
So the first layer is the data layer, which is where attackers seek unintended access. This data is stored in a variety of places, including databases, storage accounts, within O365 or other SaaS applications, or even inside virtual machines.
Then at the application layer, we need to ensure that the applications are secure and free of security vulnerabilities. For this we need to store sensitive information in secure storage and ensure that all the security design requirements are met. This helps reduce vulnerabilities at the code level. We can also combine Azure DDoS Protection with application design best practices to protect against DDoS attacks such as volumetric attacks, protocol attacks, and resource-layer attacks. These are actually a separate topic in themselves and should really be looked into.
At the third layer, we have compute, where as administrators we need to ensure secure access to the virtual machines, keep security patches up to date, and also implement endpoint protection. This helps keep the machines healthy and secure and also minimizes the chance of other security issues occurring.
We then have the virtual network. At this layer, we need to ensure that communication between resources is kept to a minimum and happens only when needed; if there is no need, no communication happens. Here we should also control inbound and outbound traffic, which can be done using services like the NSG, the network security group. With an NSG in place, you can create a list of allowed and denied communications. The bottom line is that you need to control the traffic inside your virtual network.
In cases where network communication has to happen between on-premises systems and Azure, we need to use VPN connections for secure communication.
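To make the "allowed and denied communication" idea at the virtual network layer concrete, here is an added example (not part of the original course material, and not Azure's own implementation) that models how NSG rules are evaluated: rules are checked in ascending priority order, the first match decides, and anything unmatched falls through to the implicit deny. The rule set, the addresses and the rule names are all constructed for illustration; the real default rules for VNet and load balancer traffic are deliberately left out. The second function is the kind of review check a defender runs over a rule set before it ships: it flags inbound Allow rules that open SSH or RDP to any source, which is exactly the broad rule that quietly undoes the "only when needed" intent of this layer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed, simplified model of NSG rule evaluation: rules are checked in
# ascending priority order (lower number first), the first match wins, and
# anything that matches no custom rule falls through to the platform's
# implicit DenyAll rule. Real NSGs also carry default Allow rules for
# VNet and Azure Load Balancer traffic, which are omitted here.


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # custom rules use 100..4096; lower is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR prefix or "*" for any address
    dest_port: str     # single port, "lo-hi" range, or "*"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: Iterable[NsgRule], direction: str, protocol: str,
             source_ip: str, dest_port: int) -> Tuple[str, str]:
    """Return (access, rule_name) for the first rule matching the flow.

    Falls back to the implicit deny rule when no custom rule matches.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _source_matches(rule.source, source_ip):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    fallback = "DenyAllInBound" if direction == "Inbound" else "DenyAllOutBound"
    return "Deny", fallback


MANAGEMENT_PORTS = (22, 3389)  # SSH and RDP


def find_exposed_management_rules(rules: Iterable[NsgRule]) -> List[str]:
    """Names of inbound Allow rules that open SSH or RDP to any source.

    This is the kind of check a reviewer runs over an NSG before it ships.
    """
    exposed = []
    for rule in rules:
        if rule.direction != "Inbound" or rule.access != "Allow":
            continue
        if rule.source != "*":
            continue
        if any(_port_matches(rule.dest_port, p) for p in MANAGEMENT_PORTS):
            exposed.append(rule.name)
    return exposed


# Constructed sample rule set for a web tier: HTTPS from anywhere, SSH only
# from an admin subnet, RDP explicitly denied, everything else falls through.
RULES = [
    NsgRule("AllowHttpsInbound", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    NsgRule("AllowSshFromAdminSubnet", 110, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "22"),
    NsgRule("DenyRdpInbound", 120, "Inbound", "Deny", "Tcp", "*", "3389"),
]

# The same set with one overly broad rule added: because it sits at a lower
# priority than nothing that denies SSH, it exposes port 22 to the internet.
RULES_WITH_BROAD_ALLOW = RULES + [
    NsgRule("AllowAllTcpInbound", 200, "Inbound", "Allow", "Tcp", "*", "*"),
]


if __name__ == "__main__":
    internet, admin = "203.0.113.5", "10.0.1.7"
    print(evaluate(RULES, "Inbound", "Tcp", internet, 443))  # web traffic allowed
    print(evaluate(RULES, "Inbound", "Tcp", admin, 22))      # admin SSH allowed
    print(evaluate(RULES, "Inbound", "Tcp", internet, 22))   # implicit deny
    print(evaluate(RULES_WITH_BROAD_ALLOW, "Inbound", "Tcp", internet, 22))  # leaks SSH
    print(find_exposed_management_rules(RULES_WITH_BROAD_ALLOW))
```

Note that the explicit RDP deny at priority 120 still wins over the broad allow at 200, while SSH is not protected by any deny and so leaks through it; this ordering dependence is why the audit function looks at the rules themselves rather than only at a handful of test flows.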
Then we have the perimeter. Now, this one seems a little off track by name, but it actually refers to the use of distributed denial of service protection. How does this help? It is used for filtering large-scale attacks. The question is, how can it be implemented? This can be done by placing firewalls at the perimeter to identify and block malicious access. For this you can use Azure Firewall; Application Gateway, which not only provides load balancing but can also act as a Web Application Firewall (WAF); and Network Virtual Appliances, which are ideal for non-HTTP services and which you can compare to hardware firewall appliances.
Then at the sixth layer we have identity and access security. This is where we need to control access to the infrastructure and resources, make use of SSO and Multi-Factor Authentication (MFA), and also have continuous monitoring in place for events and changes as they occur. This helps secure identities and ensures proper authentication and authorization as and when required.
Last, but not least, we have security at the physical layer. It is often termed the first line of defense and comprises the physical security of the resources at the data center level.
Understand that responsibility for these security layers can be shared between your organization and Azure, depending on the service model you use (IaaS, PaaS, or SaaS).