Security Recommendations for Hybrid Cloud Environments
If you run DocProStar® on-premises and it must communicate with local applications as well as Azure-based applications, you have a Hybrid Cloud Environment. Securing both the on-premises and the Cloud parts of it, as well as the communication between them, is crucial for protecting sensitive data and maintaining the integrity of your infrastructure.
First, how secure is Azure? Microsoft, as a global tech leader, recognizes its appeal to cybercriminals. To thwart them, Microsoft invests $1 billion annually in Azure security. Azure's security measures include, but are not limited to:
- Automatic encryption for all data within Azure.
- Smart traffic monitoring to detect and deflect unusual threats.
- Hardware and firmware protection with threat detection.
- Support for Trusted Execution Environments (TEEs), which keep data protected while it is being processed (confidential computing), not only while it is stored.
- A dedicated team of about 3,500 cybersecurity experts.
- Support for encrypted VPN connections, with or without ExpressRoute.
Azure adheres to the most rigorous security and compliance standards in the world, such as ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP, and ENS, and undergoes regular independent audits to confirm those certifications. It also complies with numerous regional and industry-specific standards.
All of this means that the Azure part of your hybrid environment is likely to be inherently more secure than your on-premises part. Yet any system is only as strong as its weakest link, and even the Azure part can be easy to attack if you do not pull your weight: Microsoft secures the platform, but the configuration of your resources, identities and network is your responsibility (the shared responsibility model). Here are some recommendations to ensure security for your entire configuration:
Basic
Use a Virtual Private Network (VPN)
Isolate both your Azure resources and your on-premises network from the public Internet and establish a site-to-site VPN connection between them.
People who must connect to your apps (on-premises-based or Azure-based) from devices that are not part of your on-premises network must do so via a point-to-site VPN connection. The VPN gateway must authenticate point-to-site users against Azure Active Directory (now Microsoft Entra ID), so that MFA and conditional access policies apply to every VPN sign-in. Entra ID authentication on the gateway is available for the OpenVPN protocol on the non-Basic gateway SKUs.
This is the most important recommendation. Even if it is the only one you follow, it takes your applications off the public Internet and forces every remote user through MFA. It does not, by itself, protect you against a phished VPN user or a compromised machine that is already inside the on-premises network, which is why it is industry-standard practice to make your security policy multi-layered by following at least the other Basic recommendations, and ideally some or even all of the Advanced recommendations listed below.
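The gateway described above, as an added Bicep example that is not part of the DocProStar documentation: a route-based VPN gateway with a site-to-site IPsec tunnel to the on-premises network and a point-to-site configuration that authenticates users against Microsoft Entra ID. The resource names, address ranges, tenant ID and on-premises public IP are placeholders; the Azure VPN client application ID is the value Microsoft documents for the Azure public cloud and should be checked against the current documentation for other clouds.

```bicep
// Added example, not part of the DocProStar documentation: a VPN gateway with a
// site-to-site tunnel to the on-premises network and point-to-site access that
// authenticates users against Microsoft Entra ID (formerly Azure AD). All names,
// address ranges and the on-premises public IP are placeholders.
param location string = resourceGroup().location
param tenantId string                            // Entra tenant GUID
param onPremGatewayPublicIp string               // public IP of the on-premises VPN device
param onPremAddressSpace string = '10.0.0.0/16'  // on-premises LAN reachable through the tunnel
param vpnClientAddressPool string = '172.16.201.0/24'
// Application (client) ID of the Microsoft "Azure VPN" enterprise app for the Azure
// public cloud, as documented by Microsoft; check the docs for sovereign clouds.
param azureVpnClientAppId string = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'
@secure()
param ipsecSharedKey string                      // IKE pre-shared key, never hard-coded

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-hybrid'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      { name: 'snet-apps', properties: { addressPrefix: '10.1.1.0/24' } }
      // The gateway subnet must be named exactly GatewaySubnet.
      { name: 'GatewaySubnet', properties: { addressPrefix: '10.1.255.0/27' } }
    ]
  }
}

resource gwPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-vpngw'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-09-01' = {
  name: 'vpngw-hybrid'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    // Entra ID authentication needs the OpenVPN protocol and a VpnGw SKU (not Basic).
    sku: { name: 'VpnGw1', tier: 'VpnGw1' }
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          publicIPAddress: { id: gwPip.id }
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'GatewaySubnet') }
        }
      }
    ]
    vpnClientConfiguration: {
      vpnClientAddressPool: { addressPrefixes: [ vpnClientAddressPool ] }
      vpnClientProtocols: [ 'OpenVPN' ]
      vpnAuthenticationTypes: [ 'AAD' ]
      aadTenant: 'https://login.microsoftonline.com/${tenantId}'
      aadAudience: azureVpnClientAppId
      aadIssuer: 'https://sts.windows.net/${tenantId}/'
    }
  }
}

resource onPremGw 'Microsoft.Network/localNetworkGateways@2023-09-01' = {
  name: 'lgw-onprem'
  location: location
  properties: {
    gatewayIpAddress: onPremGatewayPublicIp
    localNetworkAddressSpace: { addressPrefixes: [ onPremAddressSpace ] }
  }
}

resource s2s 'Microsoft.Network/connections@2023-09-01' = {
  name: 'cn-s2s-onprem'
  location: location
  properties: {
    connectionType: 'IPsec'
    virtualNetworkGateway1: { id: vpnGw.id, properties: {} }
    localNetworkGateway2: { id: onPremGw.id, properties: {} }
    sharedKey: ipsecSharedKey
    // Pin a modern IKEv2/IPsec policy instead of accepting the platform's default
    // proposal list; the on-premises device must be configured to match.
    ipsecPolicies: [
      {
        saLifeTimeSeconds: 27000
        saDataSizeKilobytes: 102400000
        ipsecEncryption: 'GCMAES256'
        ipsecIntegrity: 'GCMAES256'
        ikeEncryption: 'AES256'
        ikeIntegrity: 'SHA384'
        dhGroup: 'DHGroup24'
        pfsGroup: 'PFS24'
      }
    ]
  }
}
```

Before users can sign in, a tenant administrator has to grant consent to the Azure VPN enterprise application in Entra ID; the MFA and conditional access requirements are then attached to that application as a conditional access policy, so the gateway itself never sees passwords. Pass the pre-shared key as a secure parameter at deployment time (for example from Key Vault) rather than writing it into the template.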
Network Security Groups (NSG)
Implement Network Security Groups to control inbound and outbound traffic to and from your Azure resources. Define rules that allow only the necessary traffic and block all other traffic. This decreases your internal attack surface, making it harder for malicious agents to move deeper into your network even if some of its resources are compromised. Note that NSG rules are evaluated in priority order and that the platform's default rules allow all traffic within the virtual network, so finish your rule set with an explicit deny rule at a low priority (high number) rather than relying on the defaults.
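An NSG built along these lines, as an added Bicep example that is not part of the DocProStar documentation: the application subnet accepts only HTTPS and SMB from the on-premises range and the VPN client pool, everything else inbound is denied ahead of the platform defaults, and outbound traffic to the Internet is blocked except for the Azure Storage service tag. The virtual network vnet-hybrid with subnet snet-apps is assumed to exist, and all address ranges are placeholders.

```bicep
// Added example, not part of the DocProStar documentation: an NSG for the application
// subnet that admits only HTTPS and SMB from the on-premises range and the VPN client
// pool, denies everything else inbound, and blocks outbound Internet access. The
// virtual network "vnet-hybrid" with subnet "snet-apps" is assumed to exist; the
// address ranges are placeholders.
param location string = resourceGroup().location
param onPremAddressSpace string = '10.0.0.0/16'
param vpnClientAddressPool string = '172.16.201.0/24'
param appSubnetPrefix string = '10.1.1.0/24'

resource nsgApps 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-apps'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowHttpsFromTrustedNetworks'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefixes: [ onPremAddressSpace, vpnClientAddressPool ]
          sourcePortRange: '*'
          destinationAddressPrefix: appSubnetPrefix
          destinationPortRange: '443'
        }
      }
      {
        name: 'AllowSmbFromTrustedNetworks'   // hotfolder shares reached over the VPN
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefixes: [ onPremAddressSpace, vpnClientAddressPool ]
          sourcePortRange: '*'
          destinationAddressPrefix: appSubnetPrefix
          destinationPortRange: '445'
        }
      }
      {
        // Explicit catch-all deny. The default rules (priority 65000 and up) allow all
        // traffic inside the virtual network and from peered networks; this rule takes
        // precedence. Add an AzureLoadBalancer allow rule above it if health probes are needed.
        name: 'DenyAllInbound'
        properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' }
      }
      {
        // Allow only the platform services the workload needs, by service tag...
        name: 'AllowStorageOutbound'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: appSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: 'Storage'
          destinationPortRanges: [ '443', '445' ]
        }
      }
      {
        // ...then deny anything else that would leave for the Internet. Traffic to the
        // on-premises range still flows: it matches VirtualNetwork, not Internet.
        name: 'DenyInternetOutbound'
        properties: { priority: 4000, direction: 'Outbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: 'Internet', destinationPortRange: '*' }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: 'vnet-hybrid'
}

// Attach the NSG to the application subnet by re-declaring the subnet of the existing VNet.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'snet-apps'
  properties: {
    addressPrefix: appSubnetPrefix
    networkSecurityGroup: { id: nsgApps.id }
  }
}
```

After deployment, check the effective rules from the point of view of a VM in the subnet (the Network Watcher "effective security rules" view or `az network nic list-effective-nsg`) rather than trusting the template: a second NSG on the NIC, or a peering, can change what is actually enforced.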
Identity and Access Management (IAM)
Use Azure Active Directory (Azure AD, now Microsoft Entra ID) to manage user identities, both for logging into your applications and for establishing VPN connections.
Enforce strong authentication: Multi-Factor Authentication (MFA) combined with conditional access policies.
Apply the principle of least privilege when assigning roles and permissions to users and applications in Azure: prefer built-in roles scoped to the resource or resource group that actually needs them over Owner or Contributor at subscription scope, and give applications a managed identity instead of stored credentials wherever the service supports it.
Secure your On-Premises Environment
Ensure that your on-premises network is secure. Isolate it from the Internet (at least from any incoming connections), as already mentioned, leaving the VPN gateway as the only point of contact.
Keep all software and systems, including the VPN device and the hosts that run DocProStar®, up to date with security patches.
Encryption at rest
Use encryption for data at rest. Azure provides services like Azure Disk Encryption and Azure SQL Database Transparent Data Encryption (and Azure Storage encrypts its contents by default) to ensure that even if a disk image, backup or storage medium is copied, its contents are of no use to the attacker. Keep in mind that encryption at rest does not protect against an attacker who holds valid credentials, which is why it complements, and does not replace, the identity and network controls above.
Use HTTPS
Configure your applications (including DocProStar®) to use HTTPS for communication between their own services and with each other. If your network is compromised and a malicious agent finds a way to snoop on your internal traffic, your data is still safe because it is encrypted in transit. Use certificates issued by a CA that your hosts trust, so that clients can verify the server they talk to, and do not accept TLS versions older than 1.2.
Use SMB 3.1.1
If your applications communicate with each other and/or the users via hotfolders on one or more network file shares, make sure that the file shares are only accessible through a secure protocol such as SMB 3.1.1, which encrypts the session with AES. Here is an article discussing SMB and comparing it to other shared access protocols.
Azure File Shares offer both SMB and NFS protocols and enable you to pick the one that is the best fit for your workload; use SMB whenever possible, because NFS shares on Azure Files do not encrypt traffic themselves and rely entirely on network isolation (VPN or private endpoint) for confidentiality.
Use SFTP
If your applications communicate with each other and/or the users by writing and reading files to/from an FTP server, be sure to use SFTP (the SSH File Transfer Protocol) instead of plain FTP or FTPS. Azure Storage Accounts support SFTP for connections to their blob storage endpoints; it requires a hierarchical namespace on the account, and SFTP users are local users of the storage account that authenticate with an SSH key or a password.
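The storage settings discussed in the Identity and Access Management, Encryption at rest, Use HTTPS, Use SMB 3.1.1 and Use SFTP sections, brought together in one added Bicep example that is not part of the DocProStar documentation: one Azure Files account whose shares accept only SMB 3.1.1 with AES-256-GCM channel encryption and Kerberos, one blob account with an SFTP endpoint and a key-only local user, and a least-privilege role assignment that grants the DocProStar managed identity data access to that one account. Account names, the identity's object ID and the SSH public key are placeholders.

```bicep
// Added example, not part of the DocProStar documentation. Two storage accounts:
// one for SMB hotfolders (Azure Files) that accepts only SMB 3.1.1 with AES-256-GCM
// channel encryption and Kerberos, and one blob account that exposes an SFTP endpoint.
// A least-privilege role assignment gives the DocProStar managed identity data access
// to one account only. Names and the identity/key parameters are placeholders.
param location string = resourceGroup().location
param baseName string = 'stdocprostar'        // storage account names must be globally unique
param appIdentityPrincipalId string           // object ID of the DocProStar managed identity
param sftpUserSshPublicKey string             // OpenSSH public key of the SFTP transfer user

resource stFiles 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: '${baseName}files'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true   // REST traffic over TLS only; data at rest is
    minimumTlsVersion: 'TLS1_2'      // always encrypted by the platform (SSE)
    allowBlobPublicAccess: false
  }
}

resource fileSvc 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {
  parent: stFiles
  name: 'default'
  properties: {
    protocolSettings: {
      smb: {
        versions: 'SMB3.1.1'                // SMB 2.1 and 3.0 clients are refused
        authenticationMethods: 'Kerberos'   // no NTLMv2; needs identity-based auth on the account
        kerberosTicketEncryption: 'AES-256'
        channelEncryption: 'AES-256-GCM'    // Windows 11 / Server 2022 or later; add AES-128-GCM for older clients
      }
    }
  }
}

resource hotfolders 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-01-01' = {
  parent: fileSvc
  name: 'hotfolders'
  properties: { enabledProtocols: 'SMB', shareQuota: 100 }
}

resource stSftp 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: '${baseName}sftp'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    isHnsEnabled: true              // SFTP requires a hierarchical namespace
    isSftpEnabled: true
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: false     // no account keys: SFTP users have SSH keys, apps use Entra identities
  }
}

resource blobSvc 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  parent: stSftp
  name: 'default'
}

resource inbox 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobSvc
  name: 'inbox'
}

resource sftpUser 'Microsoft.Storage/storageAccounts/localUsers@2023-01-01' = {
  parent: stSftp
  name: 'transfer'
  properties: {
    hasSshKey: true
    hasSshPassword: false           // key-based authentication only
    homeDirectory: 'inbox'
    permissionScopes: [ { service: 'blob', resourceName: 'inbox', permissions: 'rwl' } ]
    sshAuthorizedKeys: [ { description: 'DocProStar transfer key', key: sftpUserSshPublicKey } ]
  }
}

// Least privilege: a data-plane role on this one account rather than Contributor on the
// subscription. ba92f5b4-... is the built-in "Storage Blob Data Contributor" role.
resource appBlobAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(stSftp.id, appIdentityPrincipalId, 'blob-data-contributor')
  scope: stSftp
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
    principalId: appIdentityPrincipalId
    principalType: 'ServicePrincipal'
  }
}
```

The Kerberos-only setting requires identity-based authentication (on-premises AD DS or Entra Kerberos) to be configured for the files account first, otherwise clients can no longer mount the share at all. Neither account is reachable exclusively over the VPN yet: to keep the page's "no public Internet" rule, add a private endpoint for each account inside the virtual network and disable public network access on the account, so that the SMB and SFTP endpoints resolve to private addresses only.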
Backup and Disaster Recovery
Implement regular data backups and disaster recovery strategies in the Cloud part of your environment, but also in the on-premises part, to ensure data availability and business continuity in case of a security breach or system failure. Keep at least one copy of each backup immutable or offline, so that an attacker who has taken over the environment (ransomware in particular) cannot delete or encrypt the backups along with the data, and test restores regularly.
Monitoring and Logging
Implement robust monitoring and logging solutions. For the Azure part of your environment, use Azure Monitor and, as an advanced measure, Microsoft Defender for Cloud (formerly Azure Security Center) to detect and respond to security threats and anomalies. Send the diagnostic logs of the VPN gateway and the access logs of your storage accounts to a Log Analytics workspace, and forward the logs of the on-premises VPN device and file servers to the same workspace, so that a VPN sign-in and the file access that followed it can be correlated in one place.
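The log collection described above, as an added Bicep example that is not part of the DocProStar documentation: a Log Analytics workspace that receives all diagnostic logs of the VPN gateway (which include the IKE, tunnel and point-to-site categories) and the read, write and delete access logs of the blob service of the transfer account. The gateway and the storage account are assumed to already exist, and their names are placeholders.

```bicep
// Added example, not part of the DocProStar documentation: a Log Analytics workspace
// that receives the VPN gateway's diagnostic logs (IKE, tunnel and point-to-site
// events) and the blob access log of the transfer account, so that failed VPN
// authentications and unexpected file access can be queried and alerted on.
// The gateway and storage account are assumed to exist; the names are placeholders.
param location string = resourceGroup().location
param vpnGatewayName string = 'vpngw-hybrid'
param storageAccountName string = 'stdocprostarsftp'

resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: 'law-hybrid-security'
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: 90   // keep enough history to investigate an incident discovered late
  }
}

resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-09-01' existing = {
  name: vpnGatewayName
}

resource vpnGwDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-vpngw-to-law'
  scope: vpnGw
  properties: {
    workspaceId: law.id
    logs: [ { categoryGroup: 'allLogs', enabled: true } ]
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}

resource st 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource blobSvc 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' existing = {
  parent: st
  name: 'default'
}

// Storage access logs are configured per service (blob, file, queue, table), not on the account.
resource blobDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-blob-to-law'
  scope: blobSvc
  properties: {
    workspaceId: law.id
    logs: [
      { category: 'StorageRead', enabled: true }
      { category: 'StorageWrite', enabled: true }
      { category: 'StorageDelete', enabled: true }
    ]
  }
}
```

The gateway's logs land in the AzureDiagnostics table of the workspace, where the point-to-site category records each VPN authentication attempt and its outcome; the storage logs land in StorageBlobLogs with the caller identity, operation and status per request. A scheduled query alert on repeated failed VPN authentications from one source, or on blob reads by a principal that never normally touches the inbox, is the natural next step. Enabling a Defender for Cloud plan for the relevant resource types (for example `az security pricing create --name StorageAccounts --tier standard`) adds Microsoft's own detections on top of your queries.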
Advanced
Azure Firewall or Application Gateway
Depending on your use case, Azure Firewall (network-level filtering of traffic between your virtual networks, the on-premises network and the Internet, including FQDN-based outbound rules and threat-intelligence feeds) or Azure Application Gateway with its Web Application Firewall (layer-7 inspection of HTTP traffic to your applications) may provide an additional layer of security and traffic management.
Customer-Managed Keys
Azure can encrypt data using its own ("platform-managed", PMK) or your ("customer-managed", CMK) encryption keys. They are used to encrypt data at rest in Azure Storage, Azure SQL and many other services; encryption in transit is a separate matter handled by TLS, IPsec and SMB.
For the vast majority of applications, using PMKs makes a lot of sense because they are very trustworthy and there are a number of other benefits (ease of management, high availability, automatic rotation, compliance, backup and recovery, audit trails and more). Use CMKs only if the nature of your data is such that you absolutely cannot afford to have your encryption key managed by any third party. A CMK lives in your own Azure Key Vault or managed HSM, so you control its rotation and can revoke Azure's access to it, but you also carry the risk: if the key is deleted, disabled or the vault's access policy is broken, the data encrypted under it becomes unreadable. Keep in mind that Azure's own security procedures are of a very high standard, which means that the likelihood of your own key being mismanaged on your side could be higher than the chance of a PMK leaking.
Regular Auditing and Compliance
Conduct regular security audits and assessments to ensure compliance with security standards and regulations relevant to your industry.
Data Classification and Protection
Classify your data based on sensitivity and apply appropriate data protection mechanisms, such as Azure Information Protection, Azure Rights Management, and Data Loss Prevention (DLP) policies.
Incident Response Plan
Develop an incident response plan to quickly respond to and mitigate security incidents. Test this plan to ensure its effectiveness.
Third-party Security Assessment
If you are using third-party applications or services, ensure they meet your security requirements and undergo regular security assessments.
Security Training
Train your staff and users about security best practices, including how to recognize and respond to phishing attempts and other security threats.
Compliance with Azure Security Best Practices
Follow Azure's security best practices and stay updated with the recommendations of Microsoft Defender for Cloud (formerly Azure Security Center) for improving the security of your resources.
By following these recommendations, you can establish a robust security posture for your on-premises application communicating with Azure resources, reducing the risk of security breaches and data leaks. Remember that security is an ongoing process, and you should regularly review and update your security measures to adapt to evolving threats and best practices.