Boosting Azure web app security

Russ Huntington at I-Finity explains how to disable weak TLS cipher suites

 

Disabling weaker TLS cipher suites on Azure web apps can boost security on multi-tenant premium app service plans. 

 

As Azure cloud service consultants, I-Finity’s team noted the update to the Premium SKU app service plans that has largely gone under the radar. 

 

The previous way to disable the weaker TLS (Transport Layer Security certificates) cipher suites was to host the web apps in either Azure Front Door or an App Service Environment (ASE). However, the update now means any customers using the public multi-tenant footprint can simply disable the weaker ciphers. These weaker cipher suites are usually ones using DES, RC4, and MD5.

 

This will lead to higher levels of security during the TLS handshake, which establishes that a secure connection is in place before a data transfer occurs. 

 

Boost security and protect data

By disabling weak TLS cipher suites, you will boost the security of your Azure applications, while protecting sensitive data from potential attacks. It also means you’re maintaining compliance with industry standards, regulations and passing pen tests which are mandatory for FCA regulated businesses. It also helps build trust with your customers by demonstrating a commitment to security.

 

Taking these steps not only boosts your current security posture but also prepares you to tackle future challenges more effectively.

 

Using cipher suites to boost security

To secure communication between clients and servers, it’s important to choose the right cipher suite - a combination of encryption, key exchange, and authentication algorithms used to secure network connections. 

 

When a client (like a web browser) connects to a server, they agree on a cipher suite to use for encrypting the data sent between them​​.

 

However, in the current set up, the TLS cipher suite feature - previously known as Secure Socket Layer (SSL) certificates - is provided in a set order. This means that if the weaker cipher suites are at the top of the priority list, you risk leaving your apps exposed to security breaches. The update means you can now simply turn off these weaker suites, allowing the stronger and more secure suites to rise up the priority ladder. 

 

How to disable weaker TLS cipher suites

To disable weaker cipher suites, customers need to update the site config through API calls. The minimum TLS cipher suite feature is currently not yet supported on the Azure Portal.

 

To disable TLS cipher suites for web apps on a Multi-tenant Premium App Service Plan in Azure, we suggest following these steps:

 

1.  Access the Azure Portal

Sign in to the Azure portal (Figure 1).