Our organization is moving toward a hybrid model, connecting our on-premises data center to Azure via ExpressRoute. Since we are integrating sensitive legacy databases with the public cloud, what is the best way to maintain a "Zero Trust" posture? We want our cloud technology stack to be as secure as our physical servers, specifically regarding identity management and lateral movement protection within the virtual network.
3 answers
Implementing Zero Trust in a hybrid Azure environment starts with Azure AD (now Microsoft Entra ID) and Conditional Access policies. You should treat the ExpressRoute connection as "untrusted" by default, even though it's a private line. Use Azure Private Link to ensure that your traffic to PaaS services like SQL Database never traverses the public internet. In 2023, my team successfully rolled out Micro-segmentation using Azure Firewall and NSGs to ensure that even if one web server is compromised, the attacker cannot pivot to our on-premise core banking systems.
Are you planning to use Microsoft Sentinel for your SIEM? How do you intend to ingest logs from your on-premises servers into the cloud without incurring massive data ingestion costs that blow your security budget?
Don't overlook the physical security of your ExpressRoute provider's edge location. Security is only as strong as the weakest link in the connection path.
Great point, Justin. We actually audited our provider last year and found some gaps in their access control that we had to address before going live.
Tyler, we are looking at using the Azure Monitor Agent with Log Analytics workspaces. To keep costs down, we’re only sending high-fidelity security events rather than raw logs. Sentinel's "Commitment Tiers" seem to be the way to go for us since we can predict our log volume within a 10% margin. It’s a delicate balance between visibility and cost, but having that unified view across both environments is non-negotiable for our compliance team.