MVP INSIGHTS: Stay secure! - Protecting your web application in Azure

Tech Insights

December 15, 2021

Mustafa Toroman, Cloud Solution Architect at CLOUDEON – part of Devoteam, is a Microsoft Azure MVP and the author of several books on Azure networking and security. In this article, he guides you through web application protection in Azure and gives some general tips on security in the Cloud. 

CLOUDEON

At CLOUDEON – part of Devoteam we meet customers who are hesitant to embrace the full scope of possibilities in the Cloud. They are afraid that Cloud will compromise IT security or that they will have to lower their compliance standards. 

 

However, our experience with Cloud has shown that you can protect yourself just as well – if not better – in the Cloud. You must work on developing not just the technical understanding needed to solve specific security problems, but a general understanding of cybersecurity and shared responsibility on all levels of your organization. 

 

The 2021 Gartner report “The Urgency to Treat Cybersecurity as a Business Decision” emphasizes that one of the key challenges to cybersecurity spending is the lack of knowledge across the organization and in the corporate decision-making structures. If knowledge about security is stuck in the IT department the business is neither protected from nor aware of its shortcomings. 

 

In this article you will learn about one aspect of Cloud security from Mustafa Toroman, Azure MVP, and author of Master Azure Security (2020) and the Azure Networking Cookbook (2019). Mustafa writes about how to protect your web application in Azure. We encourage you to pass the knowledge on to colleagues and decision-makers in your organization to share the responsibility of application security in the Cloud! 

 

Security in the Cloud means SHARED RESPONSIBILITY 

When talking about security in the Cloud, it is essential to understand and live up to the fact that it is a shared responsibility. Who are sharing the responsibility? One part of the responsibility is on the Cloud provider who build security into the Platform. For example, they handle DDoS attacks on your behalf. They also offer to you, the customer, powerful security services. The other responsible party is you and your organization – and you need to take control of security to do the right thing for your applications. 

 

The Cloud provider’s area of responsibility includes complete accountability for the physical security and for the infrastructure security. In some other areas, though, the responsibility depends on the hosting model. IaaS, PaaS, and SaaS hosting have different assigned responsibilities for things such as the operating system or the network. In other areas, like access and data protection, the responsibility will always lie with you as the customer organization. 

 

In layman’s terms, this means that the Cloud provider makes sure that nothing bad happens to the servers inside their data centers. If we, as an organization, were to leave data exposed over a public endpoint without any protection, or if we create a new application that is vulnerable to SQL injections or XSS – then that mistake is ours to own. When working in the Cloud, we must know which security failures are for us to prevent and fix. In general, we cannot blame the Cloud provider for any number of bad things that may happen in our environments. 

 

MicrosoftTeams-image (12)

Creating bulletproof environments 

Microsoft Azure offers multiple services to help us on our way to a secure and bulletproof environment. Using these services, for instance Security Center or Sentinel, we can take full control of the aspects of cybersecurity that lie under our responsibility. Further, every service in Azure has a form of security settings that need to be considered to increase the company’s security posture. 

 

One of services that increase your security effectively is the Azure Web Application Firewall (WAF). Azure WAF provides protection for your web applications and can prevent the most common exploits and vulnerabilities, like the SQL injection or XSS mentioned above. WAF is not a standalone service but works as an improvement on other services and adds L-7 load balancing. Services that work in synergy with WAF are Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN).  

 

Front Door or Gateway? Choose your own Security Adventure 

How can you choose the best option for your application security in the catalogue of Azure services? Put simply, it depends on type of workload you want to use it for. Azure Application Gateway targets regional delivery when your application is targeted to be hosted and accessed in a single geographical region. Azure Front Door aims at global delivery when your application needs to be accessed across regions and/or anywhere in the World. Azure CDN with WAF is still in preview and, although it works like Front Door, it is not recommended for production workloads. 

 

‘How does WAF work?’, you might ask. Web Application Firewall comes with a set of managed rules. The rules are defined based on the OWASP (Open Web Application Security Project) core rules sets 3.2, 3.1, 3.0 or 2.2.9. The default preconfigured set is CRS 3.0.  You can define your own custom rules, along with custom alerts, exclusions, and request size limits. It can work in two modes: detection (only logging requests that violate rules) or prevention (both logs and blocks requests). 

 

MicrosoftTeams-image (13)

Want to block malicious requests? Look no further! 

If you placed the web application behind WAF (either using Application Gateway or Front Door) incoming requests would be inspected by WAF before they are forwarded to the web application. I strongly recommend using prevention mode to block malicious requests. If a malicious request is blocked, it will never reach your application and the damage is prevented. This way, our application is protected, and data is safe, even when the code is not of the highest quality (which should not be the case, but that is another story entirely!).   

 

This article has mentioned just two examples of malicious requests that can be stopped, but the list is much longer, and it includes remote command execution, PHP injection, and protocol attacks to name a few. The OWASP rule set is continuously improved with the goal to protect the application from the latest vulnerabilities and zero-day attacks. 

 

So, be smart and use the services Microsoft Azure offers to protect your applications and data. Modern cybersecurity threats are becoming more and more sophisticated, and we need to be alerted to stop them. Stay secure! 

Find this interesting

Keep updated with news and events on the Cloud and cloudeon.