The Northwestern Cloud Community of Practice recommends these practices for secure operation of Microsoft Azure accounts and resources.
All use of Azure for storing Northwestern data or hosting Northwestern services should occur in accounts provisioned under or migrated to the Northwestern contract with Microsoft Azure.
The Northwestern Azure contract includes a discount on Azure services, a data egress fee waiver, direct billing to a chart string, and access to the CloudCheckr cost and security management tool.
Additionally, Northwestern has a Business Associate Agreement (BAA) in place with Microsoft, which is a requirement for running regulated workloads or storing regulated data (e.g. data covered by HIPAA) in Azure. The Business Associate Agreement can only be utilized through an Azure account under the Northwestern contract.
To request a new Azure account under the Northwestern contract, fill out the Public Cloud Account Request Form. To transfer an existing Azure subscription, please contact the Cloud Operations Group directly.
Credentials and Access Control
Use Azure Role-based Access Control (RBAC) to grant user and service accounts only the least privileges necessary to perform their work, assigned at the narrowest scope that works (a resource group or an individual resource rather than the whole subscription).
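One way to check an existing subscription against this rule, as an added example that is not Northwestern's own tooling: export the assignments with `az role assignment list --all -o json` and run a script like the one below over the output. The role names and scope formats are Azure's own; the principal names and subscription id in the embedded sample are constructed.

```python
"""Least-privilege audit of Azure role assignments.

Added example (not Northwestern's own tooling).  It reads the JSON emitted by
`az role assignment list --all -o json` (principalName, principalType,
roleDefinitionName, scope) and flags assignments that grant a broad role at a
broad scope, or give a service principal a broad role.  The assignments below
are constructed sample data.
"""
import json
import re

# Roles that grant full control of a scope, or the right to grant it to others.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

_SUBSCRIPTION = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)
_MANAGEMENT_GROUP = re.compile(
    r"^/providers/microsoft\.management/managementgroups/", re.IGNORECASE)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"   # constructed

# Constructed sample in the shape of `az role assignment list --all` output.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "alice@example.edu", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.edu", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-app1"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": SUB + "/resourceGroups/rg-app1/providers/Microsoft.Storage/storageAccounts/stapp1"},
])


def scope_kind(scope: str) -> str:
    """Classify an ARM scope string by how much it covers."""
    if _MANAGEMENT_GROUP.match(scope):
        return "managementGroup"
    if _SUBSCRIPTION.match(scope):
        return "subscription"
    if "/providers/" in scope:
        return "resource"
    if "/resourcegroups/" in scope.lower():
        return "resourceGroup"
    return "unknown"


def audit_assignments(assignments):
    """Return one finding per risky assignment, listing every reason it tripped."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        kind = scope_kind(a.get("scope", ""))
        reasons = []
        if role in BROAD_ROLES and kind in ("subscription", "managementGroup"):
            reasons.append(f"{role} at {kind} scope; scope it to a resource group or resource")
        if a.get("principalType") == "ServicePrincipal" and role in BROAD_ROLES:
            reasons.append(f"service principal holds {role}; use a resource- or data-plane role")
        if reasons:
            findings.append({"principal": a.get("principalName"), "role": role,
                             "scope": a.get("scope"), "reasons": reasons})
    return findings


def audit_sample():
    """Run the audit over the constructed sample."""
    return audit_assignments(json.loads(SAMPLE_ASSIGNMENTS_JSON))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['principal']}: {f['role']} on {f['scope']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

In the sample, the Owner assignment at subscription scope and the service principal's subscription-wide Contributor are reported; the resource-group-scoped Virtual Machine Contributor and the storage-account-scoped Storage Blob Data Contributor are the shape the guidance asks for.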
Use Azure Network Security Groups (NSGs) in a default-deny posture: rely on the built-in DenyAllInbound rule and add allow rules only for the minimum set of ports and source address ranges each application needs. Management ports such as SSH (22) and RDP (3389) should be restricted to campus or VPN address ranges rather than opened to the Internet.
Additionally, enable host-based firewalls (Windows Defender Firewall, or iptables, nftables or firewalld on Linux) on any virtual machines running in Azure, so that traffic is still filtered if an NSG is misconfigured or removed.
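The following added example (not from the original page) checks an NSG for exactly this posture. It reads the JSON of `az network nsg show -o json`, walks the inbound rules in priority order, and reports any Allow rule reachable from the Internet that opens every port or a management port, while respecting a Deny rule with a lower priority number (which Azure evaluates first) that already covers the port. The rule names and the NSG itself are constructed.

```python
"""Default-deny check for an Azure Network Security Group.

Added example (not from the original page).  An NSG already ends in the
built-in DenyAllInbound rule at priority 65500, so default deny is only lost
when a custom rule allows broad traffic from the Internet.  This reads the
JSON of `az network nsg show -o json` (securityRules with priority, direction,
access, sourceAddressPrefix/sourceAddressPrefixes and
destinationPortRange/destinationPortRanges) and flags inbound Allow rules
reachable from the Internet that open every port or a management port.  A
Deny rule with a lower priority number (evaluated first) that already covers
the port shadows the Allow and is respected.  The NSG below is constructed.
"""
import json

PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}
ALL_PORTS = (0, 65535)


def _rule(name, priority, access, src, ports, direction="Inbound"):
    """Build a rule in the shape the Azure CLI prints (helper for the sample)."""
    return {"name": name, "priority": priority, "direction": direction,
            "access": access, "protocol": "*",
            "sourceAddressPrefix": src if isinstance(src, str) else "",
            "sourceAddressPrefixes": [] if isinstance(src, str) else src,
            "destinationPortRange": ports if isinstance(ports, str) else "",
            "destinationPortRanges": [] if isinstance(ports, str) else ports}


# Constructed sample NSG.  allow-winrm-any is shadowed by deny-winrm-internet;
# allow-rdp-any and allow-any-any are the real problems.
SAMPLE_NSG_JSON = json.dumps({"name": "nsg-app1", "securityRules": [
    _rule("allow-https-any", 100, "Allow", "*", "443"),
    _rule("deny-winrm-internet", 105, "Deny", "Internet", "5985-5986"),
    _rule("allow-rdp-any", 110, "Allow", "*", "3389"),
    _rule("allow-ssh-campus", 120, "Allow", ["10.0.0.0/8"], "22"),
    _rule("allow-any-any", 130, "Allow", "Internet", "*"),
    _rule("allow-winrm-any", 140, "Allow", "*", ["5985", "5986"]),
    _rule("allow-all-out", 100, "Allow", "*", "*", direction="Outbound"),
]})


def sources(rule):
    """Union of the single prefix field and the list field."""
    single = rule.get("sourceAddressPrefix") or ""
    return set(rule.get("sourceAddressPrefixes") or []) | ({single} if single else set())


def port_ranges(rule):
    """Expand destinationPortRange(s) into (low, high) tuples; '*' is every port."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or ""]
    ranges = []
    for spec in specs:
        if spec == "*":
            ranges.append(ALL_PORTS)
        elif "-" in spec:
            low, high = spec.split("-", 1)
            ranges.append((int(low), int(high)))
        elif spec:
            ranges.append((int(spec), int(spec)))
    return ranges


def covers(rule, port):
    return any(low <= port <= high for low, high in port_ranges(rule))


def audit_nsg(nsg):
    """Return (rule name, problem) for each effective public Allow that breaks default deny."""
    inbound = sorted((r for r in nsg["securityRules"] if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])
    findings, public_denies = [], []
    for rule in inbound:
        if not sources(rule) & PUBLIC_SOURCES:
            continue                      # private-source rules are not this check's concern
        if rule["access"].lower() == "deny":
            public_denies.append(rule)    # evaluated before any later Allow it overlaps
            continue
        if ALL_PORTS in port_ranges(rule):
            if not any(ALL_PORTS in port_ranges(d) for d in public_denies):
                findings.append((rule["name"], "allows every port from the Internet; default deny is gone"))
            continue
        exposed = [p for p in MANAGEMENT_PORTS
                   if covers(rule, p) and not any(covers(d, p) for d in public_denies)]
        if exposed:
            findings.append((rule["name"], "exposes " + ", ".join(
                f"{MANAGEMENT_PORTS[p]}/{p}" for p in exposed) + " to the Internet"))
    return findings


def audit_sample_nsg():
    return audit_nsg(json.loads(SAMPLE_NSG_JSON))


if __name__ == "__main__":
    for name, problem in audit_sample_nsg():
        print(f"{name}: {problem}")
```

The shadowing check treats a public Deny as covering a public Allow on the same ports; it does not model address-range overlap beyond "public or not", which is enough for an Internet-exposure check but not for a full rule simulator.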
Security and Monitoring
Use Azure Monitor to collect and analyze Azure Activity Log records.
Activity Log collection via Azure Monitor is a crucial measure for intrusion detection and secure operations: the Activity Log records every control-plane operation (who created, changed or deleted a resource, role assignment or firewall rule, and whether it succeeded). The portal retains the Activity Log for only 90 days, so configure a diagnostic setting that forwards it to a Log Analytics workspace (or a storage account) for longer retention and alerting. The Azure Monitor service can also be used to ingest performance and availability logs and metrics for applications and services running on Azure.
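As an added example of what "intrusion detection" over the Activity Log looks like in practice (not from the original page), the script below runs a small detection rule over the JSON that `az monitor activity-log list -o json` returns. The operation names are Azure's; the events, callers and subscription id are constructed. The one subtlety worth showing is that every operation is logged at least twice, as Started and then Succeeded or Failed, so the rule keys on status to avoid double counting and to ignore denied attempts.

```python
"""Detection rule over Azure Activity Log records.

Added example (not from the original page).  It consumes the JSON printed by
`az monitor activity-log list -o json` (events carrying operationName.value,
status.value, caller, resourceId and eventTimestamp) and raises an alert for
each high-risk control-plane operation that actually succeeded.  The events
below are constructed sample data.
"""
import json
from collections import Counter

# Operation names compared case-insensitively against operationName.value.
HIGH_RISK_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "role assignment created or changed",
    "microsoft.authorization/roledefinitions/write": "custom role definition changed",
    "microsoft.network/networksecuritygroups/securityrules/write": "NSG rule changed",
    "microsoft.network/networksecuritygroups/write": "NSG created or replaced",
    "microsoft.storage/storageaccounts/listkeys/action": "storage account keys read",
    "microsoft.compute/virtualmachines/delete": "virtual machine deleted",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"   # constructed


def _event(ts, op, status, caller, resource):
    """Build an event in the Activity Log JSON shape (helper for the sample)."""
    return {"eventTimestamp": ts, "operationName": {"value": op},
            "status": {"value": status}, "caller": caller,
            "resourceId": SUB + resource, "category": {"value": "Administrative"}}


SAMPLE_EVENTS_JSON = json.dumps([
    _event("2024-03-01T14:02:10Z", "Microsoft.Authorization/roleAssignments/write", "Started",
           "alice@example.edu", "/providers/Microsoft.Authorization/roleAssignments/1111"),
    _event("2024-03-01T14:02:11Z", "Microsoft.Authorization/roleAssignments/write", "Succeeded",
           "alice@example.edu", "/providers/Microsoft.Authorization/roleAssignments/1111"),
    _event("2024-03-01T14:05:40Z", "Microsoft.Compute/virtualMachines/start/action", "Succeeded",
           "bob@example.edu", "/resourceGroups/rg-app1/providers/Microsoft.Compute/virtualMachines/vm1"),
    _event("2024-03-01T14:09:03Z", "Microsoft.Network/networkSecurityGroups/securityRules/write", "Succeeded",
           "alice@example.edu", "/resourceGroups/rg-app1/providers/Microsoft.Network/networkSecurityGroups/nsg-app1/securityRules/allow-rdp-any"),
    _event("2024-03-01T14:11:52Z", "Microsoft.Storage/storageAccounts/listKeys/action", "Failed",
           "deploy-sp", "/resourceGroups/rg-app1/providers/Microsoft.Storage/storageAccounts/stapp1"),
    _event("2024-03-01T14:12:30Z", "Microsoft.Storage/storageAccounts/listKeys/action", "Succeeded",
           "deploy-sp", "/resourceGroups/rg-app1/providers/Microsoft.Storage/storageAccounts/stapp1"),
])


def detect(events):
    """Return alerts, oldest first, for succeeded high-risk operations only."""
    alerts = []
    for e in events:
        op = (e.get("operationName") or {}).get("value", "").lower()
        status = (e.get("status") or {}).get("value", "")
        if op in HIGH_RISK_OPERATIONS and status == "Succeeded":
            alerts.append({"time": e.get("eventTimestamp"), "caller": e.get("caller"),
                           "operation": op, "resource": e.get("resourceId"),
                           "description": HIGH_RISK_OPERATIONS[op]})
    return sorted(alerts, key=lambda a: a["time"])


def alerts_by_caller(alerts):
    """Count alerts per caller; a burst from one identity is the interesting case."""
    return Counter(a["caller"] for a in alerts)


def detect_sample():
    return detect(json.loads(SAMPLE_EVENTS_JSON))


if __name__ == "__main__":
    alerts = detect_sample()
    for a in alerts:
        print(f"{a['time']} {a['caller']}: {a['description']} ({a['resource']})")
    print("per caller:", dict(alerts_by_caller(alerts)))
```

With the Activity Log forwarded to a Log Analytics workspace, the same rule is a short Kusto query on the AzureActivity table with an alert rule attached; the script is the offline equivalent for understanding what the query should match.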
Use Azure Security Center (now Microsoft Defender for Cloud) for baseline assessment and continuous security monitoring of Azure resources.
The free tier of Azure Security Center provides continuous assessment and security recommendations for Azure resources, including virtual machines; the paid tier adds threat detection.
Data stored on Azure VM disks or in Azure Files should be backed up via Azure Backup.
Azure Blob Storage containers are already architected for high durability and, at the time of writing, there is no managed service for backing them up, although geo-redundant replication (GRS or RA-GRS) can be used to ensure business continuity. Note that replication protects against loss of a region, not against accidental or malicious deletion or overwrite, which is replicated too; enable blob soft delete (and versioning where available) to cover that case.
All data volumes and storage accounts must be tagged with an approved data sensitivity classification (e.g. “Sensitive”, “Non-sensitive”, “HIPAA”).
This will aid in auditing to ensure appropriate data access and backup controls are in place.
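An added example of the audit this tagging enables (not from the original page): the script below reads the JSON that `az resource list -o json` returns and reports every storage account or managed disk whose classification tag is missing or carries a value outside the approved set. The tag key name "DataClassification" is an assumption made for the example; the approved values are the ones listed above, and the resources are constructed.

```python
"""Data-classification tag audit for Azure storage resources.

Added example (not from the original page).  It reads the JSON produced by
`az resource list -o json` (objects with name, type and tags) and reports each
storage account or managed disk whose classification tag is missing or holds
an unapproved value.  The tag key "DataClassification" is an assumption made
for this example; the approved values are the ones the guidance lists.  The
resources below are constructed sample data.
"""
import json

TAG_KEY = "DataClassification"                      # assumed key name
APPROVED_VALUES = {"Sensitive", "Non-sensitive", "HIPAA"}
IN_SCOPE_TYPES = {"microsoft.storage/storageaccounts", "microsoft.compute/disks"}

SAMPLE_RESOURCES_JSON = json.dumps([
    {"name": "stapp1", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"DataClassification": "HIPAA", "Environment": "prod"}},
    {"name": "stlogs", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"dataclassification": "non-sensitive"}},      # key/value case differs
    {"name": "stscratch", "type": "Microsoft.Storage/storageAccounts", "tags": None},
    {"name": "stbackup", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"Environment": "prod"}},
    {"name": "disk-app1", "type": "Microsoft.Compute/disks",
     "tags": {"DataClassification": "Confidential"}},      # not an approved value
    {"name": "vm1", "type": "Microsoft.Compute/virtualMachines", "tags": {}},
])


def find_tag(tags, key):
    """Azure tag names are case-insensitive, so match the key that way."""
    for k, v in (tags or {}).items():
        if k.lower() == key.lower():
            return v
    return None


def audit_tags(resources):
    """Return {name, type, problem} for every in-scope resource that is non-compliant."""
    approved = {v.lower() for v in APPROVED_VALUES}
    findings = []
    for r in resources:
        if r.get("type", "").lower() not in IN_SCOPE_TYPES:
            continue                                    # VMs, networks etc. are out of scope
        value = find_tag(r.get("tags"), TAG_KEY)
        if value is None:
            problem = f"missing {TAG_KEY} tag"
        elif value.lower() not in approved:
            problem = f"unapproved {TAG_KEY} value {value!r}"
        else:
            continue
        findings.append({"name": r["name"], "type": r["type"], "problem": problem})
    return findings


def audit_sample_tags():
    return audit_tags(json.loads(SAMPLE_RESOURCES_JSON))


if __name__ == "__main__":
    for f in audit_sample_tags():
        print(f"{f['name']} ({f['type']}): {f['problem']}")
```

The same rule can be enforced preventively with an Azure Policy definition that denies creation of storage accounts and disks lacking the tag; the script is useful for finding what was created before such a policy was assigned.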
Software Updates and Patching
Apply critical security patches within seven days of release and all other security patches within 90 days.
The Update Management solution in Azure Automation can schedule and track operating system updates for Windows and Linux virtual machines in Azure.
VM Operating Systems
Use only Windows Server operating systems or Azure-endorsed Linux distributions; endorsed images are maintained by their publishers and supported by Microsoft, so they continue to receive security updates.
Account owners should review account charges regularly to mitigate the risk of unauthorized or unintended use of cloud resources.
The Azure Billing and Cost Management Dashboard in CloudCheckr provides access to billing reports for Northwestern Azure subscriptions.
Additionally, account owners should review the Azure Advisor service, available within the Azure portal, for cost optimization recommendations.
Account owners should leverage the Azure Hybrid Benefit (formerly the Azure Hybrid Use Benefit) for reduced cost on Windows Server instances. This benefit allows the campus-wide license for Windows Server to be used for Azure instances.