Recommendations
Resilience to attack
These security principles are designed to make cloud-based solutions more resilient to attack by reducing the time needed to prevent, detect, contain, and respond to real and potential Internet-based security threats, thereby increasing the security of the related services.
Identities
Identities should be kept up to date: every change, addition, and removal must be managed and reviewed, so that accounts for people who have left or changed roles do not linger. Ensure that only qualified individuals are made administrators. In addition, consider creating a dedicated user group that manages identities and whose actions on identities are logged.
2FA and passwords
Enable multi-factor authentication for both cloud and on-premises applications. Establish strong password policies to manage user accounts … Passwords and secrets must be generated securely, from a cryptographically strong random source rather than by people, and changed at regular intervals and whenever compromise is suspected, to limit password guessing and brute-force attacks.
Role-based access and alerts
Role-based access control (RBAC) features restrict the access and permissions granted on specific cloud resources; assign roles at the narrowest scope that does the job (a single resource or resource group) rather than across the whole subscription. To help detect suspicious access, Azure Active Directory offers reports that alert on anomalous activity, such as a user signing in from a device that user has never used before.
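The "sign-in from an unknown device" alert mentioned above reduces to a simple rule: learn which devices each user normally signs in from, then flag a successful sign-in from a pairing never seen before. The script below is an added example, not code from the page or from Azure's own reporting; the sign-in records are constructed, and the field layout (timestamp, user, device id, result) is an assumption. It runs over the embedded records with a baseline cut-off date and prints one alert per new (user, device) pair.

```shell
#!/bin/sh
# Added example (not from the original page or Azure tooling): a minimal
# "unknown device" sign-in detector. Record layout and all values are made up.
set -eu

# Constructed sign-in records: timestamp,user,device_id,result
SIGNINS='2024-05-01T08:02:11Z,alice,dev-a1,success
2024-05-01T08:10:45Z,bob,dev-b1,success
2024-05-02T09:00:03Z,alice,dev-a1,success
2024-05-02T09:30:19Z,bob,dev-b2,success
2024-05-03T07:55:00Z,alice,dev-a1,success
2024-05-09T23:41:07Z,alice,dev-zz9,success
2024-05-09T23:42:30Z,bob,dev-b1,success
2024-05-10T01:12:55Z,carol,dev-c1,failure
2024-05-10T01:13:40Z,carol,dev-c1,success'

# unknown_device_signins BASELINE_END
# Successful sign-ins before BASELINE_END (ISO-8601, compared as strings) define
# the known (user, device) pairs. Every later successful sign-in from a pair not
# in that set produces one alert; the pair is then treated as known, so a new
# device alerts once, not on every sign-in.
unknown_device_signins() {
  printf '%s\n' "$SIGNINS" | awk -F, -v cutoff="$1" '
    $4 != "success" { next }                       # failures never make a device "known"
    $1 < cutoff     { known[$2 SUBSEP $3] = 1; next }
    !(($2 SUBSEP $3) in known) {
      print "ALERT unknown device:", $2, "from", $3, "at", $1
      known[$2 SUBSEP $3] = 1
    }'
}

# Example run: baseline is everything before 5 May; alice's dev-zz9 and the
# previously unseen user carol are reported, bob's dev-b1 is not.
unknown_device_signins 2024-05-05
```

A brand-new user is reported on first sign-in, which is deliberate: an account that was never in the baseline is exactly the kind of addition the identity process above should have recorded. In a real deployment the baseline would be rebuilt periodically rather than fixed by a date, and failed sign-ins from unknown devices would feed a separate brute-force rule.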
Certificates
A certificate is a form of identification for websites and web applications that is used to verify their authenticity. Websites rely on Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL), to encrypt data communications; the SSL protocol versions themselves are obsolete and should be disabled. Configuring TLS securely for an application requires a certificate. Self-signed certificates can be acceptable in some restricted use cases (dev and test), but clients cannot validate them except by explicitly trusting each one, so for production a certificate issued by a certification authority (CA) or another trusted third party that issues certificates for this purpose is recommended.
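The following is an added example (not from the original page) that makes the CA-signed versus self-signed distinction concrete with the openssl command-line tool: it builds a throwaway private CA, issues a server certificate from it, creates a self-signed certificate for the same host, and then runs the chain and hostname validation that every TLS client performs. The CA name, the host name app.example.test, and the 30-day lifetimes are assumed values chosen for the demonstration; it also shows the expiry check a tracking job would run.

```shell
#!/bin/sh
# Added example, not from the original page: a CA-issued certificate passes
# chain and hostname validation, a self-signed one does not, and -checkend
# flags upcoming expiry. Requires the openssl CLI (1.1.1 or later). The CA
# name, host name and 30-day lifetimes are made-up values.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"
HOST="app.example.test"

# A private CA, standing in for the public or corporate CA you would really use.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Dev CA" -keyout ca.key -out ca.pem 2>/dev/null

# Server key + CSR, signed by the CA. The SAN matters: modern clients ignore the CN.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout app.key -out app.csr 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
openssl x509 -req -in app.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile san.ext -out app.pem 2>/dev/null

# A self-signed certificate for the same host: no chain to any trusted issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
  -addext "subjectAltName=DNS:$HOST" -keyout self.key -out self.pem 2>/dev/null

# verify_cert CERT HOSTNAME: succeeds only if CERT chains to ca.pem and its
# SAN matches HOSTNAME, which is exactly what a browser checks before trusting
# the server.
verify_cert() {
  openssl verify -CAfile ca.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# still_valid_after CERT SECONDS: succeeds if CERT does not expire within
# SECONDS. A scheduled job calling this is the simplest form of expiry tracking.
still_valid_after() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

verify_cert app.pem "$HOST"  && echo "app.pem:  trusted chain and hostname OK"
verify_cert self.pem "$HOST" || echo "self.pem: rejected (self-signed, no trusted issuer)"
verify_cert app.pem "other.example.test" || echo "app.pem:  rejected for other.example.test"
still_valid_after app.pem 604800 && echo "app.pem:  valid for at least 7 more days"
```

The self-signed certificate is rejected even though its name matches, because nothing in the trust store vouches for it; the only way to make it pass is to add it to the trust store itself, which is the manual per-client step that makes self-signed certificates unsuitable outside dev and test.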
Tracking for certificates
Data protection
Staff training