Security Information

How Magnitude protects your computer systems and networks.

Infrastructure Security

Virtual Machine

·       Enabled OS vulnerabilities for virtual machines. When this setting is enabled, it analyses operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack. The policy also recommends configuration changes to correct these vulnerabilities.

·       Enabled endpoint protection for virtual machines. When this setting is enabled, Azure Security Centre recommends endpoint protection be provisioned for all Windows virtual machines to help identify and remove viruses, spyware, and other malicious software.

·       Enabled disk encryption on virtual machines. Encrypting the IaaS VM’s data disks (non-boot volume) ensures that its entire content is fully unrecoverable without a key and protects the volume from unwarranted read

·       Latest OS patches for virtual machines. Windows and Linux virtual machines should be kept updated to:

        1. Address a specific bug or flaw
        2. Improve an OS or application’s general stability
        3. Fix a security vulnerability

SQL Services

·       Enabled auditing on SQL Servers. Auditing tracks database events and writes them to an audit log in Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

·       Enabled threat detection on SQL Servers. SQL Threat Detection provides a new layer of security that enables us to detect and respond to potential threats as they occur by raising security alerts on anomalous activities. We receive an alert on suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Threat Detection alerts provide details of the suspicious activity and recommend how to investigate and mitigate the threat.

·       Enabled Transparent Data Encryption on SQL Servers. It helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest, without requiring changes to the application.

Storage accounts

·       Enabled data encryption in transit. The secure transfer option enhances the security of the storage account by only allowing requests to the storage account via a secure connection.

·       Enabled data encryption at rest for blobs. Storage service encryption protects the data at rest. Azure storage encrypts the data as it is written in its data centers, and automatically decrypts it for you as you access it.

Identity and Access Management

·       Enabled multi-factor authentication for all user credentials who have access to the Azure portal. Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

·       Restricted access to the Azure AD administration portal to administrators only. The Azure AD administrative portal holds sensitive data. We restricted all non-administrators from accessing any Azure AD data in the administration portal to avoid exposure.

·       Enabled role-based access control (Azure RBAC). Azure RBAC provides fine-grained access management of Azure resources. Using Azure RBAC, we can segregate duties within the team and grant users only the amount of access they need to perform their jobs.

Network Security

·       Enabled NSG rules on network access. When this setting is enabled, Azure locks down inbound traffic to the network by creating an NSG rule. We select the ports to which inbound traffic should be locked down. Just-in-time VM access can be used to lock down inbound traffic to Azure VMs, reducing exposure to attacks while still providing easy access to VMs when needed.

·       Disabled unrestricted access (i.e. from 0.0.0.0/0) on Network Security Groups for TCP ports and restricted access to only those IP addresses that require it, to implement the principle of least privilege and reduce the possibility of a breach.
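To check that the NSG rules described above really leave no TCP port open to 0.0.0.0/0, the following added example (not Magnitude's own code) audits a list of rule dictionaries in the field layout returned by `az network nsg rule list` and returns a source-restricted copy of any offending rule; the sample rules are constructed, and overlapping port ranges in Deny rules are not modelled.

```python
# Added example (not Magnitude's own code): audit Azure NSG rules for inbound
# TCP allowed from the whole Internet. Field names follow `az network nsg
# rule list` output; the sample rules at the bottom are constructed.
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # source prefixes meaning "anyone"

def _sources(rule: dict) -> set[str]:
    """Single- and multi-valued source prefixes of a rule, lower-cased."""
    prefixes = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.add(rule["sourceAddressPrefix"])
    return {p.lower() for p in prefixes}

def find_exposed_rules(rules: list[dict]) -> list[str]:
    """Names of Allow rules opening TCP ports to 0.0.0.0/0. NSG rules are
    evaluated by ascending priority and the first match wins, so a Deny from
    any source on the same port (or '*') that sorts earlier masks the Allow."""
    blocked: set[str] = set()
    exposed: list[str] = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule.get("direction") != "Inbound"
                or rule.get("protocol", "*").lower() not in ("tcp", "*")
                or not _sources(rule) & ANY_SOURCE):
            continue  # outbound, non-TCP, or already source-restricted
        port = str(rule.get("destinationPortRange", "*"))
        if rule.get("access") == "Deny":
            blocked.add(port)
        elif "*" not in blocked and port not in blocked:
            exposed.append(rule["name"])
    return exposed

def restrict_sources(rule: dict, allowed_cidrs: list[str]) -> dict:
    """Copy of the rule limited to the given source CIDRs (the remediation)."""
    fixed = {k: v for k, v in rule.items() if k != "sourceAddressPrefix"}
    fixed["sourceAddressPrefixes"] = list(allowed_cidrs)
    return fixed

def _rule(name, priority, access, protocol, source, port):
    key = "sourceAddressPrefixes" if isinstance(source, list) else "sourceAddressPrefix"
    return {"name": name, "priority": priority, "access": access, "protocol": protocol,
            key: source, "destinationPortRange": port, "direction": "Inbound"}

SAMPLE_RULES = [  # constructed: office SSH, RDP denied then shadowed, HTTPS, UDP DNS, catch-all
    _rule("AllowSSHOffice", 100, "Allow", "Tcp", "203.0.113.0/24", "22"),
    _rule("DenyRDPInternet", 200, "Deny", "Tcp", "*", "3389"),
    _rule("AllowRDPAny", 300, "Allow", "Tcp", "0.0.0.0/0", "3389"),
    _rule("AllowHTTPSAny", 310, "Allow", "Tcp", ["Internet"], "443"),
    _rule("AllowDNSUdpAny", 320, "Allow", "Udp", "*", "53"),
    _rule("AllowAnyAny", 400, "Allow", "*", "*", "*"),
]
```

Running `find_exposed_rules(SAMPLE_RULES)` reports `AllowHTTPSAny` and `AllowAnyAny`; the shadowed RDP rule and the UDP rule are not reported.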

Application Security

·       Enabled an SSL certificate for the application. It establishes a secure connection between the client and the server over HTTPS. SSL is a simple yet secure channel for transmitting data. It is valuable to both customers and businesses considering the level of security it brings to their cloud-based transactions. An SSL certificate helps protect sensitive information such as logins, passwords, account details, and other website data during Internet communication.

·       Enabled Web Application Firewall in Azure for the application. It is a feature of Azure Application Gateway that protects web applications that use an application gateway for standard Application Delivery Control (ADC) functions. The web application firewall does this by protecting them against most of the OWASP Top 10 common web vulnerabilities.

A centralized web application firewall to protect against web attacks makes security management much simpler and gives the application better assurance against intrusion threats. A WAF solution also reacts to a security threat faster, by patching a known vulnerability at a central location rather than securing each individual web application. Existing application gateways can easily be converted to an application gateway with a web application firewall.