
Azure Recommendations

The Northwestern Cloud Community of Practice recommends these practices for secure operation of Microsoft Azure accounts and resources.

To discuss these recommendations or for advice and guidance on implementation please visit the Resources section of this site. AWS recommendations are also available.

Account Creation

All use of Azure for storing Northwestern data or hosting Northwestern services should occur in accounts provisioned under or migrated to the Northwestern contract with Microsoft Azure.

The Northwestern Azure contract includes a discount on Azure services, a data egress fee waiver, direct billing to a chart string, and access to the CloudCheckr cost and security management tool.

Additionally, Northwestern has a Business Associate Agreement in place with Microsoft, which is a requirement for running regulated workloads or storing regulated data with Azure (e.g. HIPAA). The Business Associate Agreement can only be utilized through an Azure account under the Northwestern contract.

To request a new Azure account under the Northwestern contract, fill out the Public Cloud Account Request Form. To transfer an existing Azure subscription, please contact the Cloud Operations Group directly.

Credentials and Access Control

Use Azure role-based access control (RBAC) to grant users and service accounts only the least privileges necessary to perform their work. Assign roles at the narrowest scope that works (a resource group or an individual resource rather than the whole subscription), prefer the built-in Reader and Contributor roles over Owner, and give applications a managed identity rather than a shared key or password stored in configuration.

Network Firewalls

Use Azure Network Security Groups (NSGs) in a default-deny posture: keep the built-in DenyAllInbound rule in effect by adding only narrowly scoped Allow rules (specific ports, protocols, and source address ranges) for the services each application actually needs, and never expose management ports such as SSH or RDP to the Internet.
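The following audit script is an added example and not part of the original recommendations. It checks NSG security rules for the two violations of "default deny, minimum necessary" that matter most: an Allow rule open to any source on all ports, and an Allow rule that exposes management ports to the Internet. The rule records are shaped like the JSON returned by `az network nsg rule list`; the sample rules, the management-port set, and the source address ranges are constructed for this example.

```python
"""Audit Azure NSG rules for broad inbound exposure (added example)."""

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}        # SSH, RDP, WinRM (assumed watch list)
ANY_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def _port_set(rule):
    """Expand destinationPortRange(s) ('*', '443', '1000-2000', or a list)
    into a set of ints; return None when the rule covers all ports."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for spec in specs:
        spec = str(spec)
        if spec == "*":
            return None
        if "-" in spec:
            lo, hi = spec.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(spec))
    return ports


def _sources(rule):
    """Normalised set of source prefixes (Azure accepts a single prefix or a list)."""
    specs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return {str(s).lower() for s in specs}


def audit_nsg_rules(rules):
    """Return (rule name, reason) findings for inbound Allow rules open to any source.

    Rules are walked in priority order (lowest number first), the order Azure
    evaluates them. Deny and Outbound rules are skipped; a lower-priority Deny
    that shadows a later Allow is not modelled, so review findings by hand."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not (_sources(rule) & ANY_SOURCES):
            continue
        ports = _port_set(rule)
        if ports is None:
            findings.append((rule["name"], "allows all ports from any source"))
        elif ports & MANAGEMENT_PORTS:
            exposed = sorted(ports & MANAGEMENT_PORTS)
            findings.append((rule["name"], f"exposes management ports {exposed} to the Internet"))
    return findings


# Constructed sample: 10.20.0.0/16 stands in for a campus address range.
SAMPLE_RULES = [
    {"name": "AllowHTTPS", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "AllowSSHFromCampus", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRange": "22"},
    {"name": "AllowRDPAnywhere", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowAllInbound", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllOutbound", "priority": 4000, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name, reason in audit_nsg_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Run against real output by piping `az network nsg rule list -g <rg> --nsg-name <name> -o json` into `json.load` and passing the list to `audit_nsg_rules`. The HTTPS and campus-only SSH rules pass; the two findings are the Internet-facing RDP rule and the catch-all Allow.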

Additionally, enable host-based firewalls on any virtual servers running in Azure.

Security and Monitoring

Use Azure Monitor to collect and analyze Azure activity logs.

Activity log collection via Azure Monitor is a crucial measure for intrusion detection and secure operations: the activity log records every control-plane change in a subscription (who created, modified, or deleted which resource). Configure a diagnostic setting that sends it to a Log Analytics workspace or storage account, since the portal itself retains only 90 days of history. The Azure Monitor service can also ingest performance and availability logs and metrics for applications and services running on Azure.
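As an added example (not code from the original recommendations), the script below runs a few detections over exported activity log records: role assignment changes, NSG rule changes, removal of diagnostic settings or policy assignments, and any resource deletion. The record layout follows the JSON returned by `az monitor activity-log list`; the sample records, the watch list of operation names, and the caller threshold are constructed for this example.

```python
"""Flag high-risk control-plane operations in Azure Activity Log records (added example)."""
import json
from collections import Counter

# Operations whose successful completion warrants review (assumed watch list).
WATCHED_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment created/changed",
    "Microsoft.Authorization/roleDefinitions/write": "custom role definition changed",
    "Microsoft.Network/networkSecurityGroups/securityRules/write": "NSG rule changed",
    "Microsoft.Insights/diagnosticSettings/delete": "diagnostic (log) setting removed",
    "Microsoft.Authorization/policyAssignments/delete": "policy assignment removed",
}


def detect(records):
    """Return alert dicts for succeeded high-risk operations.

    The activity log emits several events per change (Started, Accepted,
    Succeeded/Failed); only the Succeeded event is alerted on, so one change
    produces one alert. Any '/delete' operation is flagged even if it is not
    in the watch list."""
    alerts = []
    for rec in records:
        op = rec["operationName"]["value"]
        if rec["status"]["value"] != "Succeeded":
            continue
        reason = WATCHED_OPERATIONS.get(op)
        if reason is None and op.lower().endswith("/delete"):
            reason = "resource deleted"
        if reason is None:
            continue
        alerts.append({
            "time": rec["eventTimestamp"],
            "caller": rec.get("caller", "<unknown>"),
            "operation": op,
            "resource": rec.get("resourceId", ""),
            "reason": reason,
        })
    return alerts


def callers_over_threshold(alerts, limit=2):
    """Callers responsible for more than `limit` alerts, i.e. bulk changes by one identity."""
    counts = Counter(a["caller"] for a in alerts)
    return sorted(c for c, n in counts.items() if n > limit)


# Constructed sample log: one role grant (with its Started event), an NSG rule
# change, removal of a diagnostic setting, then a VM update and deletion.
SAMPLE_ACTIVITY_LOG = json.loads("""[
 {"eventTimestamp": "2024-05-01T14:02:11Z", "caller": "alice@example.edu",
  "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
  "status": {"value": "Started"},
  "resourceId": "/subscriptions/SUB/providers/Microsoft.Authorization/roleAssignments/RA1"},
 {"eventTimestamp": "2024-05-01T14:02:13Z", "caller": "alice@example.edu",
  "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/SUB/providers/Microsoft.Authorization/roleAssignments/RA1"},
 {"eventTimestamp": "2024-05-01T14:05:40Z", "caller": "alice@example.edu",
  "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/AllowRDP"},
 {"eventTimestamp": "2024-05-01T14:06:02Z", "caller": "alice@example.edu",
  "operationName": {"value": "Microsoft.Insights/diagnosticSettings/delete"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/SUB/providers/Microsoft.Insights/diagnosticSettings/export"},
 {"eventTimestamp": "2024-05-01T15:10:00Z", "caller": "bob@example.edu",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Compute/virtualMachines/vm1"},
 {"eventTimestamp": "2024-05-01T15:12:00Z", "caller": "bob@example.edu",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
  "status": {"value": "Succeeded"},
  "resourceId": "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Compute/virtualMachines/vm1"}
]""")

if __name__ == "__main__":
    found = detect(SAMPLE_ACTIVITY_LOG)
    for a in found:
        print(f"{a['time']} {a['caller']} {a['reason']}: {a['resource']}")
    print("bulk-change callers:", callers_over_threshold(found))
```

The sequence by alice (grant a role, open an NSG rule, then delete the diagnostic setting that exports logs) is the shape of activity to look for; the VM update by bob is ordinary and only the deletion is surfaced.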

Use Azure Security Center (since renamed Microsoft Defender for Cloud) for baseline assessment and continuous security monitoring of Azure resources.

The free tier of Azure Security Center provides continuous configuration assessment and prioritized security recommendations for Azure resources, including virtual machines; the paid Defender plans add threat detection on top of that baseline.

Data Protection

Data stored in Azure VMs or Azure Files should be backed up via Azure Backup.

Azure Blob Storage containers are already architected for high durability, and at the time these recommendations were written there was no managed service for backing them up. Geo-redundant storage can be used to ensure business continuity, but replication is not a backup: a deletion or overwrite is replicated too. Enable soft delete and blob versioning on storage accounts so that accidental or malicious deletions can be recovered.

All data volumes and storage accounts must be tagged with an approved data sensitivity classification (e.g. “Sensitive”, “Non-sensitive”, “HIPAA”). Azure Policy can require the tag at deployment time so that untagged resources are never created.

This will aid in auditing to ensure appropriate data access and backup controls are in place.
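The audit below is an added example rather than part of the original recommendations. It walks a resource inventory shaped like the output of `az resource list` and reports data resources that lack the classification tag, carry a value outside the approved set, or spell an approved value inconsistently. The tag name `DataClassification`, the set of data-bearing resource types, and the inventory itself are assumptions constructed for this example.

```python
"""Audit Azure resources for the required data-classification tag (added example)."""

TAG_NAME = "DataClassification"                           # assumed tag name
APPROVED_CLASSIFICATIONS = {"Sensitive", "Non-sensitive", "HIPAA"}
# Resource types that hold data and therefore must carry the tag (assumed).
DATA_RESOURCE_TYPES = {"Microsoft.Storage/storageAccounts", "Microsoft.Compute/disks"}


def classification_findings(resources, tag_name=TAG_NAME, approved=APPROVED_CLASSIFICATIONS):
    """Return (resource id, problem) for data resources without a valid tag.

    Azure tag names are case-insensitive but tag values are case-sensitive,
    so the tag is looked up case-insensitively, while a value that matches an
    approved classification only by case is reported so it can be normalised
    (otherwise a policy or report that matches the exact string misses it)."""
    canonical = {v.lower(): v for v in approved}
    findings = []
    for res in resources:
        if res.get("type") not in DATA_RESOURCE_TYPES:
            continue
        tags = {k.lower(): v for k, v in (res.get("tags") or {}).items()}
        value = tags.get(tag_name.lower())
        if not value:
            findings.append((res["id"], f"missing {tag_name} tag"))
        elif value.lower() not in canonical:
            findings.append((res["id"], f"unapproved classification {value!r}"))
        elif value != canonical[value.lower()]:
            findings.append((res["id"], f"non-canonical spelling {value!r}, expected {canonical[value.lower()]!r}"))
    return findings


def by_classification(resources, tag_name=TAG_NAME):
    """Group correctly tagged data resources by classification, e.g. to check
    that every HIPAA-tagged volume is covered by Azure Backup."""
    groups = {}
    flagged = {rid for rid, _ in classification_findings(resources, tag_name)}
    for res in resources:
        if res.get("type") not in DATA_RESOURCE_TYPES or res["id"] in flagged:
            continue
        tags = {k.lower(): v for k, v in (res.get("tags") or {}).items()}
        groups.setdefault(tags[tag_name.lower()], []).append(res["id"])
    return groups


PREFIX = "/subscriptions/SUB/resourceGroups/rg1/providers/"
SAMPLE_INVENTORY = [  # constructed sample inventory
    {"id": PREFIX + "Microsoft.Storage/storageAccounts/researchdata",
     "type": "Microsoft.Storage/storageAccounts", "tags": {"DataClassification": "HIPAA", "Owner": "lab-a"}},
    {"id": PREFIX + "Microsoft.Compute/disks/vm1-osdisk",
     "type": "Microsoft.Compute/disks", "tags": {"dataclassification": "non-sensitive"}},
    {"id": PREFIX + "Microsoft.Compute/disks/vm2-datadisk",
     "type": "Microsoft.Compute/disks", "tags": {"Owner": "lab-b"}},
    {"id": PREFIX + "Microsoft.Storage/storageAccounts/scratch",
     "type": "Microsoft.Storage/storageAccounts", "tags": {"DataClassification": "Public"}},
    {"id": PREFIX + "Microsoft.Network/networkSecurityGroups/web-nsg",
     "type": "Microsoft.Network/networkSecurityGroups", "tags": None},
]

if __name__ == "__main__":
    for rid, problem in classification_findings(SAMPLE_INVENTORY):
        print(f"{rid}: {problem}")
    print(by_classification(SAMPLE_INVENTORY))
```

Feed it `az resource list -o json` for a subscription to get the list of resources that need tagging before the backup audit can be trusted; the NSG in the sample is ignored because it holds no data.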

Software Updates and Patching

Apply critical security patches within seven days of publishing and all other security patches within 90 days.

The Update Management solution in Azure Automation can manage operating system updates for Windows and Linux computers in Azure; it has since been retired in favor of Azure Update Manager, which provides the same scheduled assessment and patch deployment.

VM Operating Systems

Use only Windows Server operating systems or Linux distributions endorsed by Azure, and only versions that are still receiving security updates from their vendor.

Cost Optimization

Account owners should review account charges regularly to mitigate the risk of unauthorized or unintended use of cloud resources.

The Azure Billing and Cost Management Dashboard in CloudCheckr provides access to billing reports for Northwestern Azure subscriptions.

Additionally, account owners should review the Azure Advisor service, available within the Azure portal, for cost optimization recommendations.

Account owners should leverage the Azure Hybrid Benefit for reduced cost on Windows Server instances. This benefit allows the campus-wide license for Windows Server to be applied to Azure instances, so the VM is billed at the Linux compute rate rather than the Windows rate.