The Azure cloud is secure - but are you patching your employees?

I’m currently traveling back from Seattle where the annual Intelligent Cloud Architect Bootcamp was held. Together with 450 Microsoft employees and 50 close technical partners, we teamed up to immerse ourselves in several different topics covering everything from Azure, Cortana Analytics, DevOps, Power BI, security, and compliance + much more!
On my way home, I’ve had the unfortunate opportunity to be a part of two separate mechanical plane issues that compromised the security of the passengers and held us stranded in Denver, Colorado. As our plane was about to embark from Denver airport we were chased down the runway by firetrucks because of the black smoke that was pouring out of the plane.
Luckily, these kinds of mishaps are very uncommon. Usually what we see is that human error, not the mechanics, is the most common reason for incidents.
So, what does this have to do with the Azure cloud? Well, a lot! Today, the security of our everyday business is closely connected to the people that use the technology. Microsoft is spending 1BN dollars on security every year, but this doesn’t mean the cloud is safe before you start educating your employees about how to use technology securely.
So, let's all take a step back and start patching our employees and external partners. We need to teach them that they are the last brigade standing in the way of your next datacenter breach:
- If you are outside your office and need to use the Internet, never connect to a network without knowing who is hosting it. If you, like me, are stranded at an airport, check with the airport personnel which Wi-Fi is the official one. Many people create wireless networks to lure people into their unprotected network.
- If you’re working from a public location, find a spot with your back against the wall. This way you make sure no one is watching your screen from behind. Even though pretty much everyone needs to log in using Multi-Factor Authentication these days, we still want to guard our private information against leaking.
- Buy your traveling employees a secure privacy filter for the laptop screen. There are cheap ones out there that do the job so don’t be that guy that would rather compromise the company data.
- Educate them about how to find out if an email is coming from a legitimate source or not. Even though Advanced Threat Protection pretty much does this all by itself you still need to educate everyone about being cautious when opening e-mails.
- Socially engineered attacks are everyday food these days, so even though you have all the protective services activated, your employees and partners need to pay extra attention and be selective about who to trust. If you have never met the person before, or if the request seems odd, your suspicion is probably right! Pick up the phone and call the person. If they are in the same building as you, why not just walk over and check the legitimacy of the request?
- Implement a Governance Model that can help your employees by evaluating their decisions before they are executed. Azure Policies and Role-Based Access Policies are examples of technologies that must be a part of every solution. What I often see is that employees create virtual machines with default settings, and therefore also a public IP with an open RDP port. I’m not kidding you when I tell you there are thousands of brute-force attempts to get into these virtual machines.
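
To find the open RDP ports described in the last point, here is a small audit script, added as an example and not part of the original post. It assumes input shaped like the JSON that `az network nsg list` prints; the sample NSGs, rule names and function names are constructed for illustration.

```python
import json

RDP_PORT = 3389
# Source prefixes that mean "anyone on the Internet" in an NSG rule.
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}

# Constructed sample, shaped like `az network nsg list` output (assumed layout).
SAMPLE_NSGS = json.loads("""
[
  {"name": "vm-default-nsg", "securityRules": [
    {"name": "default-allow-rdp", "access": "Allow", "direction": "Inbound",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}]},
  {"name": "jumpbox-nsg", "securityRules": [
    {"name": "rdp-from-office", "access": "Allow", "direction": "Inbound",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
    {"name": "wide-range", "access": "Allow", "direction": "Inbound",
     "protocol": "*", "sourceAddressPrefixes": ["Internet"], "destinationPortRanges": ["3000-4000"]}]}
]
""")

def _values(rule, single, plural):
    """Collect a rule field that Azure stores either as one value or as a list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_rdp(spec):
    """True if a port spec ('*', '3389', '3000-4000') includes port 3389."""
    low, _, high = spec.partition("-")
    return spec == "*" or int(low) <= RDP_PORT <= int(high or low)

def open_rdp_rules(nsgs):
    """Return (nsg, rule) names for inbound Allow rules exposing RDP to any source."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules", []):
            if rule.get("access") != "Allow" or rule.get("direction") != "Inbound":
                continue
            if rule.get("protocol", "*").lower() not in ("tcp", "*"):
                continue
            sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
            ports = _values(rule, "destinationPortRange", "destinationPortRanges")
            if any(s.lower() in OPEN_SOURCES for s in sources) and any(map(_covers_rdp, ports)):
                findings.append((nsg["name"], rule["name"]))
    return findings

if __name__ == "__main__":
    print(open_rdp_rules(SAMPLE_NSGS))
```

The rule restricted to an office address range is not reported, while the wide port range open to the `Internet` tag is, because it silently includes 3389.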
If you haven’t patched your employees yet, you better start today!
Jens Andersson works as a Senior Consultant and Microsoft Azure specialist. He specializes in Cloud Platform & Infrastructure and Data Analytics and has worked with a wide variety of customers, ranging from large banks and financial institutions to web shops and logistics companies.