Software Defined Security for Microsoft Azure
Challenges in Securing Microsoft Azure
Azure is a comprehensive set of cloud services that developers and IT professionals use to build, deploy, and manage applications through Azure global network of datacenters. Integrated tools, DevOps, and a marketplace support you in efficiently building anything from simple mobile apps to internet-scale solutions.
Azure offers in-built security functions such as Network Security Groups, Application Security Groups and others to secure your infrastructure on Azure, basis the shared responsibility model. However, while accessing various resources on the Azure Cloud, the network security levels are highly limited when using Azure’s own security functions, as it is restricted to IP address and port-based access controls. This limited control is contradictory to the granular identity-based access controls that enterprises typically implement within their infrastructure.
Existing Solutions Have Major Drawbacks
Azure Network Security Groups allow you to limit access to the VMs, Databases, and other such resources based on source IP address. Typically, the source IP address is your own set of public IP addresses. For individuals or companies that do not own any static public IP addresses, this security function provided by Azure is not applicable and hence, they are further exposed to a higher level of risk. Of course, additionally, the Network Security Groups can be defined to restrict access to specific ports.
This limitation of security functions on Azure are typically overcome by using site to site VPN connection to the on-premise data center and then backhauling all user traffic through remote access VPN setup for the users. However, such solutions are at best a patchy workaround and do not fully provide the level of security that is required by enterprises.
The major drawbacks of using legacy solutions are:
- Poor User Experience
- Vulnerable to Attacks
- Highly Complex
Are You Facing These Challenges?
Do you need to create a private network between your different regional VNETs?
Is your Azure Compute / Storage / Databases on public IP addresses accessible to users with a username and password?
Are you facing challenges for your DevOps to securely manage your Azure infrastructure?
Is managing your VPN setup across your IaaS, private cloud and users challenging?
InstaSafe Cloud Access (ICA) – All Your Azure Problems
Encrypted Network with Software-Defined Perimeter
InstaSafe Cloud Access enables you to take complete control of who can access the applications, servers, databases, storage, and other resources on AWS
- Do away with VPN
- Keep all applications, servers, databases, and other resources in a private network
- Give application-level access to specific people or groups of people based on their role
- Ensure that they only get access using pre-authorized devices
- All of this is done from a single central console with the users authenticated using your own directories such as Active Directory or LDAP, RADIUS etc.
Multi-Region VPC Peering Without Any Restrictions
InstaSafe Cloud Access empowers you to create your own customized VPC peering between different regional VPCs
- A single software-defined private network for AWS and your own private cloud or on-premise datacenter
- Granular access control between individual servers on specific ports
- All of this along with Secure Access for user access to the applications is managed from a single central console
Secure Remote Access for Employees and Partners
InstaSafe Cloud Access makes it easy for you to manage the access of employees and partners to specific applications with minimum fuss
- Seamlessly integrate with corporate directories such as Active Directory / LDAP / RADIUS and other sources using OpenID or SAML to manage user authentication
- Partner authentication and access can be managed locally using an in-built directory
- Enable our built-in MFA authentication using OTP for any user accessing sensitive applications
- Granular ‘need-to-know’ access control rules, ensures users can access only specific resources based on their role
Secure Privileged Access for DevOps Teams
DevOps require sysadmin (administrator) access to the resources on AWS. Administrator access is the favorite target of hackers due to the access level that sysadmins enjoy
- Defeat any credential theft attacks by binding the device to the user. Stolen password does not work from any other device thereby greatly improving the security of the administrator’s privileged access
- Combined with a PAM solution, InstaSafe® Cloud Access provides the necessary security controls to completely lockdown all privileged access to any Cloud or on-premise resource
- DevOps teams can manage any of the resources on AWS such as VM, MySQL, MSSQL and other databases, containers, and resources