There are several security measures you can enable when hosting a SpreadsheetWeb server on Azure to help protect your application and data. Here are some options:

Firewall or Web Application Firewall (WAF):

Azure Firewall and Azure Front Door are both cloud-based security services offered by Microsoft Azure. Azure Firewall is a network security service that provides firewall capabilities for your Azure Virtual Network resources. It allows you to create, enforce, and log application and network connectivity policies across multiple subscriptions and virtual networks. Azure Firewall can help protect your Azure environment from threats and unauthorized access by filtering traffic based on source and destination IP addresses, ports, and protocols.

On the other hand, Azure Front Door is a global, scalable, and secure entry point for web applications that provides traffic routing, load balancing, and application delivery features. It allows you to optimize the user experience for your web applications by providing fast and reliable access to your web content. Azure Front Door can also help improve the security of your web applications by providing features such as SSL offloading, application layer security, and DDoS protection. We suggest enabling WAF protection on Front Door and deploying Top OWASP Rules and Managed WAF Rules.

Antivirus and Ransomware Protection:

We suggest deploying an enterprise-grade antivirus and anti-ransomware solution such as Sophos, Trend Micro, McAfee, Symantec, or Microsoft Defender.

Network Security Groups (NSGs):

NSGs allow you to create rules to filter inbound and outbound traffic to your virtual machines. You can use them to control traffic by IP address, protocol, and port. We strongly recommend using NSG rules if you don’t use Azure Firewall or Azure Front Door WAF in your environment.

VPN / RDP Protection:

The server should not be exposed directly to the internet for RDP through NSG rules. You can use Azure VPN to create a secure connection between your on-premises network and your web server in Azure. This can help protect your data in transit and ensure secure access to your web server.
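One way to check the RDP recommendation above against an exported NSG rule set, as an added example that is not part of the original article or of SpreadsheetWeb's or Microsoft's tooling. The sample rules are constructed, the field names follow the JSON emitted by `az network nsg rule list -o json`, and the function names are hypothetical.

```python
import json

# Constructed sample, shaped like `az network nsg rule list -o json` output.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
 {"name": "allow-mgmt-range", "priority": 200, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["3000-4000"]},
 {"name": "allow-rdp-vpn", "priority": 300, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "10.8.0.0/24", "destinationPortRange": "3389"}
]""")

# Assumption: only "whole internet" sources are flagged, not individual public CIDRs.
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}
RDP_PORT = 3389

def _values(rule, single, plural):
    """An NSG rule carries either a single value or a list; merge both."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_port(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")          # "3389" or "3000-4000"
    return int(low) <= port <= int(high or low)

def _matches(rule, port):
    """True if the rule applies to inbound TCP traffic from the internet to `port`."""
    return (rule.get("direction", "").lower() == "inbound"
            and (rule.get("protocol") or "*").lower() in ("tcp", "*")
            and any(s.lower() in PUBLIC_SOURCES
                    for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))
            and any(_covers_port(p, port)
                    for p in _values(rule, "destinationPortRange", "destinationPortRanges")))

def rdp_exposure(rules, port=RDP_PORT):
    """Return the name of the rule that lets internet traffic reach `port`, or None.
    NSG rules are evaluated lowest priority number first, and the first match wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, port):
            return rule["name"] if rule["access"].lower() == "allow" else None
    return None
```

In the sample, the exposure comes from a broad port range rather than a rule that names 3389, which is the case a manual review of rule names tends to miss.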

SSL/TLS Encryption:

Azure supports SSL/TLS encryption for your web server traffic. We suggest disabling TLS 1.0, TLS 1.1, and weak ciphers for SSL on your Azure Virtual Server.

Azure VLAN:

Azure VLAN (Virtual Local Area Network) is a type of virtual network that allows you to create isolated network segments within a larger Azure virtual network. A VLAN can span across multiple virtual machines, subnets, or network interfaces, and can be used to logically group resources based on specific requirements or security needs.

With Azure VLANs, you can segment your virtual network to provide isolation and control over network traffic between different parts of your environment. You can also use VLANs to implement security policies and control access to resources within your virtual network.

We recommend configuring Azure VNET and Private Link if SpreadsheetWeb is installed on multiple servers, with separate web and SQL servers.

Azure DDoS Protection:

Azure DDoS Protection helps protect your web server from distributed denial of service (DDoS) attacks. It provides automatic detection and mitigation of DDoS attacks in real-time.

Monitoring:

Azure Sentinel is a cloud-native security information and event management (SIEM) service that provides advanced threat detection and response capabilities. It can help you detect and respond to security threats across your enterprise using machine learning and artificial intelligence.

Azure Monitor is a cloud-based monitoring solution that provides visibility into the performance and availability of your applications and infrastructure. It can help you monitor security-related events and logs in your environment to detect security threats.

Azure Logging is a feature in Microsoft Azure that allows you to collect and store log data generated by various Azure services and resources. It provides a centralized and scalable way to collect, store, and analyze log data from your Azure environment. Azure Logging can be used to collect and store log data from a variety of Azure services, including virtual machines, storage accounts, and Azure Active Directory. You can use Azure Logging to monitor and troubleshoot your Azure environment, as well as to meet compliance and regulatory requirements.

SQL Server:

Implement strong access controls, such as RBAC, to limit access to the database to only authorized users. Enable encryption of sensitive data both in transit and at rest using SSL/TLS and TDE, respectively. Ensure that the network security of the database server is robust by implementing firewall rules and VPN connections to control access from untrusted networks. Regularly apply security patches and updates to protect against known vulnerabilities. Implement auditing and logging to monitor activity on the database server and identify security threats. Develop and test a backup and recovery plan to ensure that data can be restored in case of a security breach or disaster. Finally, regularly review and update your security measures to ensure that they remain effective against evolving security threats.

Microsoft Defender for Cloud:

Microsoft Defender for Cloud (formerly known as Microsoft Defender for Identity and Microsoft Defender for Identity and Access) is a cloud-based security solution from Microsoft that helps organizations protect their cloud assets and data against advanced threats.

Microsoft Defender for Cloud is designed to provide visibility and protection for various cloud services and SaaS applications. It uses advanced behavioral analytics, machine learning, and threat intelligence to identify and remediate security threats across these services.

Selecting the best security measures to protect your SpreadsheetWeb server on Azure is crucial to ensure the safety of your data and protect your organization from security threats. When choosing the security measures to implement, it is important to consider the potential security risks, regulatory compliance requirements, and Azure’s security services.

It is important to note that security is an ongoing process and not a one-time event. As such, you should continuously monitor and assess the security of your server, update your security measures accordingly, and stay up-to-date with the latest security trends and best practices. By taking a proactive approach to security, you can help mitigate potential security risks and ensure the safety and security of your SpreadsheetWeb server and data on Azure.
