Best Practices for Azure DevOps Security

With advances in technology, more and more companies are taking the opportunity to grow and to gain profits and reputation at an international level. Scaling a business to the next level generally requires a great deal of computing hardware and software, plus a team to maintain it. With cloud computing vendors now ubiquitous, it is easier to get computing services without worrying about setup and maintenance costs. But as with any computing system, it is essential to secure your cloud infrastructure against cyber attackers.

According to a report on cloud threats by Aqua Security, at the start of the year 2020, there was a 250% jump in attacks on cloud infrastructures. While it may seem tiresome to secure your cloud infrastructure, here we discuss a few steps that can be taken to amp up your Azure DevOps security.

1. Single Sign-on

Single sign-on (SSO) is part of the Azure Active Directory premium service.

With SSO, you can use a single user account to access all the services required to do business. Once signed in, the user does not need to re-authenticate for each service. Without SSO, users need to devise a unique and secure password for each SaaS and web service, such as Microsoft 365, Box, and Salesforce.

With SSO, as users do not need to create and remember new passwords for each service, password repudiation can be eliminated to make the infrastructure more secure.

2. Reverse Proxy

It is generally a big challenge to deploy various services on site and then provide access to those services for users outside the network. However, with the reverse proxy feature of Azure DevOps it is possible to publish on-premises applications inside the private network and then provide secure access to users outside the private network. Reverse proxy also provides remote access and SSO for on-premises applications.

3. Multi-Factor Authentication

To manage identity authentication better, multi-factor authentication can be implemented. Multi-factor authentication requires the use of more than one verification method, thus adding a second layer of security to all transactions.

4. Security Monitoring and Alerts

Azure AD access and usage reports provide security monitoring alerts and machine learning-based reports to identify inconsistent access patterns. With faster detection, administrators can better determine possible security risks.

5. Fine Tune Permissions

If your organization needs stricter permission management than what Azure DevOps provides by default, you can fine-tune permission management for your individual needs.

For customizing permissions:

Go to Organization Settings then Security Section and then Permissions.

To customize permissions specific to a project, go to Project Settings then Project Configuration and then select the area or node you want to manage.

You can select a group or team member to change their permission settings.

In the same way, you can also set permissions on queries or query folders to provide security at the object level.

6. Conditional Access

Users access organization resources with a variety of devices and apps.

Administrators need to make sure that those devices meet the standards for security and compliance.

To do this, administrators should turn on Conditional Access. One example of this would be to block all legacy authentication protocols that might have weaknesses or vulnerabilities.

7. Enable IP Address-Based Access

You can configure Azure Active Directory Conditional Access Policy Validation to control access from IP address ranges.
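
Before switching on the legacy-authentication block from section 6 or the IP restriction from section 7, it helps to see who would be affected. The following is an added example, not code from the original article: it audits sign-in records for legacy client protocols and for sign-ins from outside trusted ranges. The records, the trusted ranges and the legacy client list are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Subset of the legacy client names that Azure AD sign-in logs report in
# clientAppUsed (assumed list; extend it for your tenant).
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3",
                  "Authenticated SMTP", "Other clients"}

# Hypothetical trusted egress ranges, taken from documentation prefixes.
TRUSTED_RANGES = [ipaddress.ip_network(n)
                  for n in ("198.51.100.0/24", "2001:db8:10::/48")]

# Constructed sign-in records; field names follow the sign-in log schema.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Browser", "ipAddress": "198.51.100.23"},
    {"userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.40"},
    {"userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "POP3", "ipAddress": "203.0.113.9"},
    {"userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "2001:db8:10::5"},
    {"userPrincipalName": "svc-build@contoso.example",
     "clientAppUsed": "Browser", "ipAddress": "not-an-ip"},
]

def is_trusted(ip_text):
    """True only for a parseable address inside a trusted range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # fail closed on malformed or missing addresses
    return any(ip in net for net in TRUSTED_RANGES)

def audit(signins):
    """Return ({user: legacy protocols seen}, [(user, ip) outside trusted ranges])."""
    legacy, outside = defaultdict(set), []
    for rec in signins:
        user = rec["userPrincipalName"]
        if rec.get("clientAppUsed") in LEGACY_CLIENTS:
            legacy[user].add(rec["clientAppUsed"])
        if not is_trusted(rec.get("ipAddress", "")):
            outside.append((user, rec.get("ipAddress", "")))
    return {u: sorted(p) for u, p in legacy.items()}, outside
```

Users in the first result would lose access when legacy protocols are blocked; entries in the second would be denied by an IP-range policy.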

8. Microsoft Anti-malware

Administrators can enable free anti-malware for Azure to provide protection against viruses, spyware and other malicious software.

Microsoft Antimalware is designed so that it keeps working in the background without requiring manual monitoring.

Antimalware for Azure can be enabled with default or custom configurations. If required, specific cloud services or virtual machines can be monitored and the anti-malware events catalogued in Azure storage accounts.

To deploy anti-malware while creating a virtual machine using the Azure portal you need to take the following steps:

Step 1: After signing in, navigate to Virtual Machines, then select Add and choose Windows server to start the wizard for the creation of a new virtual machine.

Step 2: Select the Version of Windows and click on Create.

Step 3: Enter the name, username and password to create a new resource group or select the previously created resource group.

Step 4: Choose suitable virtual machine size and make appropriate choices for the Extensions section.

Step 5: From New Resource, select Microsoft Antimalware and click Create.

Step 6: Select suitable scan options to manually configure in the Install section and click OK.

Step 7: In the create screen, click on OK to finally deploy the virtual machine.

9. Security Policies

There are various configuration options on policies provided by Azure, which can be configured for better access control.

10. OAuth

With OAuth, you can authenticate web app users for REST API access without frequently asking for usernames and passwords. Azure DevOps security services use OAuth 2.0 to authenticate and grant a token, which can be used to call REST APIs.

OAuth tokens expire after a specific time period to prevent theft of the token. So, access tokens need to be refreshed if they expire.
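
The refresh step described above, as an added example that is not part of the original article: a small token cache that renews the access token shortly before it expires and keeps the new refresh token from each reply. The endpoint URL and form fields are assumed from Microsoft's Azure DevOps OAuth documentation; the secret, callback URL, clock and fake endpoint in `demo()` are constructed.

```python
import time
from urllib.parse import parse_qs, urlencode

# Endpoint and form fields as documented for Azure DevOps OAuth apps
# (assumption: neither appears on this page).
TOKEN_URL = "https://app.vssps.visualstudio.com/oauth2/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

class TokenCache:
    """Hands out an access token, refreshing it `skew` seconds before expiry."""
    def __init__(self, secret, redirect_uri, refresh_token, post,
                 clock=time.time, skew=60):
        self.secret, self.redirect_uri = secret, redirect_uri
        self.refresh_token, self.post = refresh_token, post
        self.clock, self.skew = clock, skew
        self.access_token, self.expires_at = None, 0.0

    def refresh(self):
        body = urlencode({
            "client_assertion_type": JWT_BEARER,
            "client_assertion": self.secret,
            "grant_type": "refresh_token",
            "assertion": self.refresh_token,
            "redirect_uri": self.redirect_uri,
        })
        reply = self.post(TOKEN_URL, body)  # caller's HTTPS POST, returns parsed JSON
        self.access_token = reply["access_token"]
        # Each reply carries a new refresh token; persist it for the next refresh.
        self.refresh_token = reply["refresh_token"]
        self.expires_at = self.clock() + int(reply["expires_in"])

    def get(self):
        if self.access_token is None or self.clock() >= self.expires_at - self.skew:
            self.refresh()
        return self.access_token

def demo():
    """Drive the cache with a constructed clock and a fake token endpoint."""
    now, seen = [1000.0], []
    def fake_post(url, body):
        seen.append(parse_qs(body)["assertion"][0])  # refresh token presented
        n = len(seen)
        return {"access_token": f"access-{n}", "refresh_token": f"refresh-{n}",
                "expires_in": "3600"}
    cache = TokenCache("constructed-secret", "https://app.example/callback",
                       "refresh-0", fake_post, clock=lambda: now[0])
    first = cache.get()      # no token yet, so the endpoint is called
    now[0] += 1800
    cached = cache.get()     # still valid, served from the cache
    now[0] += 1750           # now inside the 60-second safety margin
    return first, cached, cache.get(), seen
```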

Conclusion

While creating an Azure DevOps security infrastructure might seem daunting, with proper configuration and policies, it is possible to prevent most cyber attacks against your Azure Cloud infrastructure.
