Security Compass Presentation

The Azure Security Compass is a workshop designed to enhance Azure security posture by providing best practices and guidance for securely operating workloads on Azure. It involves various stakeholders, including leadership and technical teams, and focuses on actionable strategies for governance, risk, compliance, and security operations. The document outlines the importance of evolving security roles, responsibilities, and architectures in the context of cloud adoption and security management.


Azure Security Compass


Cybersecurity Solutions Group

https://aka.ms/AzureSecurityCompass Version 1.1 – September 2019


Microsoft Azure Security Compass Workshop

TYPICAL SCHEDULE
• Leadership Kickoff and Closeout – Executive Summary + Your goals and strategy
• Azure Security Basics
• Best Practices & Design Decisions
• Azure Security Center Demo (Optional)
• Planning Next Steps

TYPICAL STAKEHOLDERS
• Leadership – Chief Information Security Officer (CISO), Others as needed (OPTIONAL PARTICIPATION)
• Architecture & Technical Team Stakeholders – Security Architect(s), Cloud Architects/Engineers, Server Architect(s)/Engineer(s), Network Security Engineer, Endpoint Engineer, Endpoint Security Engineer, Risk and Compliance Team(s), Governance Teams, Operations Teams, and Business Stakeholders

WORKSHOP OBJECTIVE: Learn how to securely operate your workloads on Azure

Azure Security Compass - Purpose

Designed to rapidly increase your Azure security posture

Make the right security decisions with best practices, choices and
context/recommendations

Increase familiarity with Azure Platform Security and Azure Security Center

Tips
• Mix of old & new - Bring your experience and knowledge, but expect changes
• You can’t learn everything - Cloud capabilities evolve too fast to master them all, prioritization is critical
Guidance Structure – Actionable and Prioritized

CRITICAL – This meets one or more of criteria for:
1. On-premises parity - Required to meet equivalent security posture of a (typical) on-premises environment
2. Hard to change - Difficult or expensive to change later
3. High risk - Required to mitigate attack patterns that incur high impact/likelihood of business risk
Primary focus of guidance: get you quickly to the security benefits of Azure platform

GENERAL – Valid and valuable security best practices and recommendations that are important, but shouldn’t slow down most organizations from adopting the cloud

Best practices – Microsoft recommends a single approach
Choices – Microsoft recommends (one or more of) several possible approaches

Note: These represent Microsoft’s default opinion based on our experience and knowledge. Your organization may prioritize risk and mitigations differently based on your unique business needs, business risks, or other factors.
Executive Summary – Tracking Spreadsheet

OVERALL GUIDANCE (number of items per area)
                                    Critical   General
Governance, Risk, and Compliance       16         10
Administration                         12          2
Network Security & Containment         12          6
Information Protection & Storage        3          0
Identity & Access Management            5          4
Security Operations                     4          4
Total                                  42         26
COMPLIANT ≠ SECURE
COMPLIANT = Meets a specific standard at point in time (e.g. not negligent)
SECURE = Lowers business risk to acceptable level by disrupting attacker return on investment (ROI)
(Figure: COMPLIANT and SECURE plotted against the LEVEL OF ACCEPTABLE RISK)
Whiteboard – Your Journey and Goals

• Current Cloud & Azure Usage – Which workloads / business purpose? SaaS? IaaS? PaaS?
• Geographic Presence – where you operate
• Goals and Plans for Azure usage
• Security Focus Areas – What do you want to focus on?
• Compliance & regulatory requirements
Azure Security Compass – Outline

BASICS
• Transforming Tools, Skills, & Practices
• Strategies & Threats Evolve
• Azure Regions & Services
• Microsoft Security Practices
• Azure Components & Models
• Azure Security Center (ASC)

SECURITY GUIDANCE
• Governance, Risk, & Compliance
• Administration
• Identity
• Security Operations
• Network Containment
• Info Protection & Storage
Attack services are inexpensive

ATTACKS AGAINST THE PC
• Ransomware: $66 upfront or 30% of the profit (affiliate model)
• 0days price range varies from $5,000 to $350,000
• Loads (compromised device) average price ranges: PC - $0.13 to $0.89; Mobile - from $0.82 to $2.78
• Denial of Service (DOS) average prices: day: $102.05, week: $327.00, month: $766.67

ATTACKS AGAINST THE EMPLOYEES AND CUSTOMERS
• Spearphishing services range from $100 to $1,000 per successful account take over
• Compromised accounts: as low as $150 for 400M. Averages $0.97 per 1k.

ATTACKER INFRASTRUCTURE
• Proxy services to evade IP geolocation, prices vary: as low as $100 per week for 100,000 proxies.

SERVICES AIDING THE “CASH OUT”
COLLECTIVE KNOWLEDGE
Transforming from Legacy to Cloud

Evolving architecture, tools, skills, & practices

Controls, tools, and practices shown on the slide: Risk, Patching, Sandboxing, Scanning, Segmentation, Encryption, Secure Development Lifecycle, Forensics, Threat Protection, Logging, Orchestration & Automation, SIEM, Analytics, WAFs, Vulnerability Management, Firewalls, TLS, Information Protection, Threat Intelligence

Architectures change, but principles & outcomes remain the same

Roles, responsibilities, and skillsets will evolve

Same Changed New

Controls, tools, and processes will evolve

Note: Legacy ‘technical debt’ persists with legacy workloads/applications in IaaS


Your enterprise in transformation
Requires a modern identity and access security perimeter

Cloud Technology: SaaS adoption, Infrastructure as a Service, Platform as a Service, 1st class mobile experience, Internet of Things
Modern Enterprise Perimeter

ENGAGE YOUR CUSTOMERS | EMPOWER YOUR EMPLOYEES | OPTIMIZE YOUR OPERATIONS | TRANSFORM YOUR PRODUCTS
Running Dual Perimeters

ATTACKERS USING IDENTITY TACTICS

SECURING MODERN SCENARIOS (CLOUD, MOBILE, IOT)

MODERN PERIMETER
(Identity Controls)

CLASSIC PERIMETER
(Network Controls)
Evolution of Roles and Responsibilities

Legacy Architectures & Operating Models – CLASSIC PERIMETER (Network Controls); “STOP THE PRESSES!”
Modern Architectures & Operating Models – MODERN PERIMETER (Identity Controls); CONTINUOUS VALIDATION

Security roles will change with architectural/operational models (Legacy → Modern)
• Administration: Manual Resource Administration → Author & Govern Automation
• Network: Containment with Network → Containment at all layers (Net, App, Identity, Data, etc.)
• Development: Quality Check Before Release → Security SME in DevOps process
• Architecture: Project based Engagement → Continuous Engagement & Improvement

Common cloud adoption strategy

1 Prefer SaaS – Take advantage of productivity workloads provided in the cloud
2 New Development to PaaS – New development and modern applications move to PaaS. New applications optimized for cloud computing.
3 Existing workloads → IaaS (Build/buy decision) – Existing applications move to IaaS using a ‘lift and shift’ strategy
3a Convert to PaaS – Plan to refactor applications into PaaS

Decision flow (from the diagram): Future investment? Is a SaaS offering available? Yes → SaaS. No → Build or Buy: a PaaS evaluation that passes → PaaS; an IaaS evaluation that passes → IaaS, with a later conversion to PaaS (3a).

Analogy: SaaS = Hotel room; PaaS = Furnished apartment; IaaS = Rental apartment; Private Cloud = Private House
Shared Responsibility and Key Strategies

Responsibility layers (SaaS / PaaS / IaaS / On-prem; responsibility shifts from Microsoft toward the Customer as you move from SaaS to On-prem):
• Information and Data
• Devices (Mobile and PCs)
• Accounts and Identities
• Identity and directory infrastructure
• Applications
• Network Controls
• Operating system
• Physical hosts
• Physical network
• Physical datacenter

Key strategies (placed next to the layers they address):
• ESTABLISH A MODERN PERIMETER – information and data, devices, accounts and identities
• MODERNIZE INFRASTRUCTURE SECURITY – identity and directory infrastructure, applications, network controls, operating system
• “TRUST BUT VERIFY” EACH CLOUD PROVIDER – physical hosts, physical network, physical datacenter
IaaS and PaaS Application Models
Standalone Applications or Components of Larger Solutions

Legacy – IaaS Applications: Typically lift/shift workloads. Application Code - Can be heavy (includes all dependencies) or lighter. Virtual Machines – App functions hosted on full Operating System + Middleware.
Transition – IaaS+ Applications: Refactoring has begun!
New – PaaS Applications: Typically New Development. Application Code – Typically light code hosted on App Service Web Apps. Azure Services – App functions provided by Azure Services (Security profile is similar to SaaS).

Other Components – Services/databases on-premises or on a 3rd party cloud, IoT devices, etc.

Shared Elements (Storage, Identity, Network)


Security Responsibilities Transfer to Cloud

Responsibility layers (PaaS / IaaS): Information and Data; Devices (Mobile and PCs); Accounts and Identities; Identity and directory infrastructure; Application; Network controls; Operating system; Physical hosts; Physical network; Physical datacenter

Transferred for PaaS
• Security Patches
• Feature Upgrades
• VMs/Containers security – OS and Middleware Installation, Maintenance, troubleshooting, etc.
• Azure Marketplace fits PaaS or IaaS model

Transferred for IaaS and PaaS
• Racking/Stacking Servers, Delays in Adding Capacity
• Fabric/Virtualization Patching, Maintenance & Troubleshooting
• Fabric Availability / Uptime → SLA from Microsoft
• Denial of Service*
• Attacks on: Physical Attacks, Virtualization Fabric, Hardware/Firmware, Network Infrastructure
Azure Threats – Mix of Old & New… (PaaS / IaaS)

EXISTING TECHNIQUES (AT COMPARABLE LEVELS)
• EXPLOIT/ENTER – Social Engineering; Phishing; Targeted Scan & Exploit; Commodity Botnet/DDoS/etc
• TRAVERSAL – Credential Theft & Abuse (Hashes, SSH…); Geo-filtering Evasion with Proxy
• MONETIZATION – Ransomware; Data Theft

NEW TECHNIQUES OR VERY HIGH USAGE
• Pivot to on premises from cloud
• Acquire tenant keys from GitHub/etc
• Cryptominers (webservers, visitors)
• RDP/SSH password spray & brute force
Azure
• 54 Azure regions
• 100K+ miles of fiber & subsea cable
• 150+ Edge sites
• 200+ ExpressRoute partners
Microsoft protecting Microsoft

Traditional Defenses
• People – Background Checks, Security Training, Conferences and more…
• Authentication – Multi-factor Auth, Anomaly Detection
• Rigorous Security For Privileged Access – Privileged Access Workstations, Secure Access Workstations, isolation from web/email risks

Corporate Infrastructure
• Least Privilege Access
• Just-in-time Access
• Security Development Lifecycle

Cloud Infrastructure
• Hardening (Physical, OS, App/Data, etc.), Whitelisting, Auto-Patching, and more…
• Continuous Logging & Monitoring, Least Privilege, Secure DevOps toolkit
• Security Monitoring & Vigilance, Incident Response, CDOC (24x7 SOC)

Attackers View – Automated Assessments: Continual Scanning, Penetration Testing, Red Team Ops, Bug Bounties, One Hunt
The Microsoft Intelligent Security Graph

• +1B Windows devices updated & scanned
• 450B monthly authentications
• 18+ billion web pages scanned
• 400B e-mails analyzed
• 930M threats detected on devices every month

Extensive machine learning to:
• Reduce manual effort
• Reduce wasted effort on false positives
• Speed up detection

Unparalleled cybersecurity visibility and insight


Inside The Intelligent Security Graph

PRODUCT AND SERVICE TELEMETRY – Office 365, Windows, Microsoft Azure, Bing, Defender AV, Malicious Software Removal Tool. Products instrumented to strict privacy/compliance standards (see Microsoft Trust Center).
Other sources – Sample zoos, Dark markets, Threat feeds, Sinkholes and honeypots, Detonation services and sandboxes, IR intelligence
[ Privacy/Compliance boundary ]

DATA COLLECTION AND ANALYSIS
• Products send data to graph
• Collection and Analytics – Normalization (Machine Learning, detonation, behavior)
• Publish to Internal APIs – Products use Interflow APIs to access results
• Analytics help fuel new discoveries

Products that use the graph – Azure Security Center (ASC), Azure Active Directory Identity Protection, Azure Advanced Threat Protection (ATP), Windows Defender Advanced Threat Protection (ATP), Microsoft Cloud Application Security (MCAS), Operations Management Suite (OMS), Exchange Online Protection (EOP), Microsoft Accounts, Defender Anti-malware
• Products generate data which feeds back into the graph
• Hunters identify attacks, improve analytics, feed back into product design
Technical Details on Azure internal architecture
• Most current information in documentation: https://docs.microsoft.com/en-us/azure/security/azure-security-infrastructure
• 3rd party validated information in Service Trust Portal (STP) - https://servicetrust.microsoft.com/ - Requires NDA

Most frequently requested information is:
• Azure & Azure Government SOC 2 Type 2 Report (in STP)
• Azure - FedRAMP Moderate System Security Plan (in STP)
• Cloud Security Alliance (CSA) STAR Self-Assessment - https://www.microsoft.com/en-us/trustcenter/compliance/csa-self-assessment
• CIS Benchmark - https://azure.microsoft.com/en-us/resources/cis-microsoft-azure-foundations-security-benchmark/

Azure for AWS Professionals
• https://docs.microsoft.com/en-us/azure/architecture/aws-professional
Azure compliance coverage extends across most industries and geographies

Global – CSA STAR Attestation; CSA STAR Certification; CSA STAR Self-Assessment; ISO 22301; ISO 27001; ISO 27017; ISO 27018; SOC 1 Type 2; SOC 2 Type 2

U.S. Government – CJIS; DoD DISA SRG Level 2; DoD DISA SRG Level 4; DoD DISA SRG Level 5; FedRAMP Moderate JAB P-ATO; FedRAMP High JAB P-ATO; FIPS 140-2; IRS 1075; ITAR; Section 508 VPAT; SP 800-171

Industry – CDSA; FACT UK; FERPA; FFIEC; FISC Japan; GLBA; GxP 21 CFR Part 11; HIPAA / HITECH; HITRUST; IG Toolkit UK; MARS-E; MPAA; PCI DSS Level 1; Shared Assessments

Regional – Argentina PDPA; Australia IRAP/CCSL; Canada Privacy Laws; China DJCP; China GB 18030; China TRUCS; ENISA IAF; EU Model Clauses; EU-US Privacy Shield; Germany IT Grundschutz; India MeitY; Japan CS Mark Gold; Japan My Number Act; New Zealand GCIO; Singapore MTCS; Spain DPA; Spain ENS; UK G-Cloud
Microsoft Cybersecurity Reference Architecture
April 2019 – https://aka.ms/MCRA | Video Recording | This is interactive! 1. Present Slide 2. Hover for Description 3. Click for more information

Security Operations Center (SOC) – Microsoft Threat Experts; Incident Response, Recovery, & CyberOps Services; Azure Sentinel – Cloud Native SIEM and SOAR (Preview); Vuln Mgmt; Cloud App Security; Azure Security Center; Microsoft Defender ATP; Office 365 ATP; Azure ATP; Graph Security API – 3rd Party Integration; Alert & Log Integration; MSSP

Strategies and Guidance – Customer Roadmaps and Guidance: 1. Securing Privileged Access; 2. Office 365 Security; 3. Rapid Cyberattacks (Wannacrypt/Petya)

Software as a Service – Office 365 (Secure Score, Customer Lockbox, Advanced Threat Protection (ATP), Information Protection, Data Loss Protection, Data Governance, eDiscovery); Dynamics 365

Identity & Access – Azure Active Directory; Conditional Access – Identity Perimeter; Azure AD Identity Protection (Leaked cred protection, Behavioral Analytics); Azure AD PIM; Multi-Factor Authentication; Azure AD B2B; Azure AD B2C; Hello for Business; MIM PAM; ESAE Admin Forest; Privileged Access Workstations (PAWs)

Clients – Unmanaged & Mobile Devices; Managed Clients; Intune MDM/MAM; System Center Configuration Manager; Windows 10 Enterprise Security (Microsoft Defender ATP: App control, Exploit protection, Reputation analysis, Behavior monitoring, Attack surface reduction, Network protection, Credential protection, Isolation, Full Disk Encryption, S Mode); Windows 10 IoT

Extranet / Edge – NGFW; Firewall Appliances; IPS/IDS; SSL Proxy; DLP; Express Route; Azure WAF; Azure Firewall; DDoS attack Mitigation+Monitoring; Azure Policy; Azure Key Vault

Hybrid Cloud Infrastructure – On Premises Datacenter(s); 3rd party IaaS; Azure; Azure Security Center – Cross Platform Visibility, Protection, and Threat Detection (Configuration Hygiene, Just in Time VM Access, Adaptive App Control); Azure Stack; Azure Backup & Site Recovery; Network Security Groups; Shielded VMs; Microsoft Defender ATP; Windows Server 2019 Security (Just Enough Admin, Hyper-V Containers, Nano server, and more…); Azure Antimalware (VMs/etc.); Disk & Storage Encryption; Azure SQL Threat Detection; SQL Encryption & Data Masking; Azure SQL Info Protection; Confidential Computing; Intranet Servers; IoT and Operational Technology (Azure IoT Security, Azure Sphere, IoT Security Maturity Model, IoT Security Architecture)

Information Protection – Azure Information Protection (AIP): Discover, Classify, Protect, Monitor; Classification Labels; Hold Your Own Key (HYOK); AIP Scanner; Office 365 DLP

Foundation – Security Development Lifecycle (SDL); Compliance Manager; Trust Center; Intelligent Security Graph
Azure Security Reference Model

• Governance, Risk, & Compliance
• Administration
• Security operations
• Application Code (Security Development Lifecycle)
• Workloads – On prem & other cloud workloads; Infrastructure as a Service (IaaS) Virtual Machines; Azure SQL; App Service - Web Apps; Logic Apps; Event Hubs; IoT services; Machine Learning; Containers
• Identity & Access Management
• Network Security & Containment
• Storage & Information Protection
• Azure Foundation Security

Example - Securing Privileged Access is a team sport
Mitigating some risks requires action across multiple disciplines

Administration
Day to day use of privileged access accounts

Security Operations
Monitor for anomalies to “normal” admin operations

Governance (& Architecture)


Standard Setting and Structure
Ongoing refinement and improvement to reduce potential risks
Reference Design - Azure Administration Model

Azure Enrollment – Enterprise Tenant
Azure AD Enterprise Directory – Identity & B2B; (Optional) Additional Directories and/or B2B/B2C
Management Groups – Root Management Group (Group of Subscriptions) – Enterprise-wide Policies, Permissions, & Tags
Segmentation Strategy – Core Services (Shared Services & Edge Security) plus Additional Segment(s): Multi-App Segment(s), Single App Segment(s), Development Stage Segments
Management Groups – Core Services; Segment 1; Segment 2; Segment 3; Segment 4; Segment 5
Subscriptions – Core Services; Segment 1; Segment 2; Segment 3; Segment 4; Segment 5 (Dev, Test, Prod)
Resource Groups & Resources – Virtual Networks (Intranet, Extranet); Application(s) Primary (Dev → Test → Prod); Application(s) Primary (Dev → Test → Prod); PaaS Apps; Dev / Test / Prod
Understanding Azure Roles and RBAC

Azure Active Directory Tenant
• Global Administrator (Use sparingly)
• Enterprise Groups and Users
• Azure AD is typically synched with on prem Active Directory (though Admin accounts should be separate)
• Built-in roles – Privileged Role Administrator, Exchange Admin, App admin, Billing admin, Message Center Reader, Password Admin, …
• Intune, Office 365, Other Apps

Azure Tenant (Enrollment)
• Account admin
• Root management group
• Management group
• Subscriptions – Service admin
• Resource group
• Resource
• Azure RBAC roles – Owner, Contributor, Reader, Other Built-in Roles

Notes
• Azure AD resides in an Azure Subscription
• Global Admin can self-assign permission to manage Azure
• Service & Account Admins are assigned on each
Azure Security Documentation
https://aka.ms/MyASIS

Azure Security
Documentation Site
has extensive
information on
security topics

Governance, Risk, & Compliance

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/governance
Governance, Risk, and Compliance (GRC)

Key Capabilities
• Azure Security Center – Identify & prioritize security hygiene issues (Secure Score), provide recommendations for meeting compliance with CIS, PCI, SOC and ISO
• Management Groups – Consistent management across subscriptions and resources.
• Azure Policy – Audits and enforces policy across all Azure Resources (or a subset).
• Azure Blueprints – Creates consistent, repeatable environments including resources, policies, role assignments, and more.

Azure Governance Site has extensive documentation to help with risk management: https://docs.microsoft.com/en-us/azure/governance/
GRC – Managed Tenants & Subscriptions
CRITICAL BEST PRACTICES

MANAGE CONNECTED TENANTS
• What – Ensure security organization(s) has visibility into all subscriptions connected to your enterprise environment (via ExpressRoute or Site-Site VPN)
• Why – Visibility is required to assess risk and to identify whether the policies of the organization and any regulatory requirements are being followed.
• How – Ensure all Azure environments that connect to your production environment/network apply governance controls. See http://aka.ms/magicbutton on how to discover existing connected subscriptions

Subscription models
• Managed & Connected – Ideal configuration is for subscriptions to be centrally controlled and managed
• Unmanaged & Connected – This high-risk configuration has unmanaged Azure environments connected to corporate network/resources
• Independent Un/Managed – This “lab” model can be useful for learning and testing, but ensure to appropriately protect any production data or code in it
GRC – Key Responsible Parties
CRITICAL BEST PRACTICES

CLEAR LINES OF RESPONSIBILITY
• What – Designate the parties responsible for specific functions in Azure
• Why – Consistency helps avoid confusion that can lead to human and automation errors that create security risk.
• How – Designate groups (or individual roles) that will be responsible for key centralized functions. Most organizations map these closely to current on premises models.
Tip – Document and Socialize this widely with all teams working on Azure

Function – Typical owner – Scope
• Network Security – Typically existing network security team – Configuration and maintenance of Azure Firewall, Network Virtual Appliances (and associated routing), WAFs, NSGs, ASGs, etc.
• Network Management – Typically existing network operations team – Enterprise-wide virtual network and subnet allocation
• Server Endpoint Security – Typically IT operations, security, or jointly – Monitor and remediate server security (patching, configuration, endpoint security, etc.)
• Incident Monitoring and Response – Typically security operations team – Investigate and remediate security incidents in SIEM or source console: Azure Security Center, Azure AD Identity Protection
• Policy Management – Typically GRC team + Architecture – Set direction for use of Roles Based Access Control (RBAC), Azure Security Center, Administrator protection strategy, and Azure Policy to govern Azure resources
• Identity Security and Standards – Typically Security Team + Identity Team Jointly – Set direction for Azure AD directories, PIM/PAM usage, MFA, password/synchronization configuration, Application Identity Standards
GRC – Segmentation
CRITICAL CHOICE

SEGMENTATION STRATEGY
• What – Identify security segments that are needed for your organization to contain risk
• Why – A clear and simple segmentation strategy enables stakeholders (IT, Security, Business Units) to understand and support it. This clarity reduces the risk of human errors and automation failures that can lead to security vulnerabilities, operational downtime, or both
• How – Select the segmentation approaches from the reference design and assign permissions and network controls as appropriate.
Tip – Minimize Complexity - Always consider whether a segment is needed or whether security monitoring provides enough risk mitigation (each segment adds friction and overhead)

A GOOD SEGMENTATION STRATEGY:
1. Enables Operations – Minimizes operation friction by aligning to business practices and applications
2. Contains Risk - Adds cost and friction to attackers by
   o Isolating sensitive workloads from compromise of other assets
   o Isolating high exposure systems from being used as a pivot to other systems
3. Is Monitored – Security Operations should monitor for potential violations of the integrity of the segments (account usage, unexpected traffic, etc.)
GRC – Management Groups (see Azure Administration Model)
CRITICAL BEST PRACTICES

ROOT MANAGEMENT GROUP
• What – Use the Root Management Group (MG) for enterprise consistency
• Why – This enables you to apply governance elements like policies and tags consistently across multiple subscriptions.
• How – Assign enterprise-wide elements that apply to all Azure assets such as: Policy (Azure Policy); Resource Tags; Sovereignty Policy for Data/Services. See next slide for “Root MG Usage” guidance and MG documentation

TOP LEVEL MANAGEMENT GROUPS
• What – Align top level of management groups (MGs) with segmentation strategy
• Why – This provides a point for control and policy consistency within each segment as this management group will affect all subscriptions in it
• How – Create a single MG for each segment under the root MG and do not create any other MGs under the root. See reference administration model for more details.

MANAGEMENT GROUP DEPTH
• What – Limit management group depth
• Why – Too much complexity creates confusion that impedes both operations and security. This was illustrated by overly complex Organizational Unit (OU) and Group Policy Objects (GPO) designs for Active Directory
• How – Limit to 2 levels if possible and 3 only if needed (e.g. finance department has a segment with both extremely sensitive applications and others that aren’t). Using all 4 levels of depth (including root) is not recommended unless absolutely required.
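A small model of the scope hierarchy from the Administration Model and RBAC slides (root MG → segment MGs → subscriptions → resource groups), added here as an example that is not part of the deck and not an Azure SDK: it lists which policy and role assignments reach a given scope, counts management-group depth the way this slide does (root included), and flags root-MG policies whose effect is not audit. All scope, policy and principal names are made up.

```python
"""Model inheritance of Azure Policy and RBAC assignments down the scope tree.

Added example, not part of the Azure Security Compass deck. The hierarchy,
policy names and principals are constructed; depth is counted with the root
management group as level 1, matching the slide's "4 levels including root".
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator, Optional

MAX_RECOMMENDED_MG_DEPTH = 3  # root + 2 levels; a 3rd only if needed, never all 4


@dataclass
class Scope:
    name: str
    kind: str  # "mg", "subscription" or "rg"
    parent: Optional[Scope] = None
    assignments: list[dict] = field(default_factory=list)  # policy or role assignments
    children: list[Scope] = field(default_factory=list)

    def add(self, name: str, kind: str, *assignments: dict) -> Scope:
        """Create a child scope carrying the given assignments and return it."""
        child = Scope(name, kind, self, list(assignments))
        self.children.append(child)
        return child

    def chain(self) -> list[Scope]:
        """Scopes from the root down to this one, the order inheritance applies."""
        nodes, node = [], self
        while node is not None:
            nodes.append(node)
            node = node.parent
        return nodes[::-1]


def effective_assignments(scope: Scope) -> list[tuple[str, dict]]:
    """Every policy/role assignment in force at `scope`, tagged with the scope it came from."""
    return [(s.name, a) for s in scope.chain() for a in s.assignments]


def mg_depth(scope: Scope) -> int:
    """Number of management groups on the path to `scope`, the root counting as 1."""
    return sum(1 for s in scope.chain() if s.kind == "mg")


def walk(scope: Scope) -> Iterator[Scope]:
    yield scope
    for child in scope.children:
        yield from walk(child)


def too_deep(root: Scope) -> list[str]:
    """Management groups nested beyond the recommended depth."""
    return [s.name for s in walk(root) if s.kind == "mg" and mg_depth(s) > MAX_RECOMMENDED_MG_DEPTH]


def risky_root_assignments(root: Scope) -> list[str]:
    """Root-MG policies that do more than audit: one mistake here touches every resource."""
    return [a["name"] for a in root.assignments if a["type"] == "policy" and a.get("effect") != "audit"]


def find(root: Scope, name: str) -> Scope:
    return next(s for s in walk(root) if s.name == name)


def build_sample() -> Scope:
    """Constructed tenant: one segment nested too deep, one deny policy sitting on the root."""
    root = Scope("Contoso-Root", "mg", assignments=[
        {"type": "policy", "name": "allowed-locations", "effect": "audit"},
        {"type": "policy", "name": "require-costcenter-tag", "effect": "deny"},  # should be audit
        {"type": "role", "name": "Security Reader", "principal": "SecOps"},
    ])
    root.add("Core-Services", "mg", {"type": "role", "name": "Owner", "principal": "PlatformTeam"})
    finance = root.add("Segment-Finance", "mg", {"type": "policy", "name": "deny-public-ip", "effect": "deny"})
    finance.add("Finance-Sensitive", "mg").add("Finance-Sensitive-EU", "mg").add("fin-eu-prod", "subscription")
    shared = root.add("Segment-Shared-Apps", "mg")
    sub = shared.add("shared-prod", "subscription", {"type": "role", "name": "Contributor", "principal": "AppTeam"})
    sub.add("rg-web", "rg", {"type": "role", "name": "Contributor", "principal": "WebDevs"})
    return root


if __name__ == "__main__":
    tenant = build_sample()
    print("MGs nested too deep:", too_deep(tenant))
    print("root policies to review:", risky_root_assignments(tenant))
    for source, a in effective_assignments(find(tenant, "rg-web")):
        print(f"rg-web inherits {a['type']} '{a['name']}' from {source}")
```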
GRC – Root MG Usage
CRITICAL BEST PRACTICES

USE OF ROOT MANAGEMENT GROUP (MG)
• What – Carefully select what items to apply to the entire enterprise with the root management group.
• How – Ensure root MG elements have a clear requirement to be applied across every resource and/or low impact. Good candidates include:
   • Regulatory requirements with clear business risk/impact (e.g. restrictions related to data sovereignty)
   • Near-zero potential negative impact on operations such as policy with audit effect, Tag assignment, RBAC permissions assignments that have been carefully reviewed.

PLAN & TEST ROOT MG CHANGES
• What – Carefully plan and test all enterprise-wide changes on the root management group before applying
• How – Test all changes to Root MG in a:
   • Test Lab - Representative lab tenant or lab segment in production tenant
   • Production Pilot - Segment MG or Designated subset in subscription(s) / MG
   Testing should include manual changes, scripted changes, and implementation of Azure Blueprints

• Why – Changes in the root management group can affect every resource on Azure. While this is a powerful way to ensure consistency across the enterprise, errors or incorrect usage can negatively impact production operations.
GRC – Top Risk
CRITICAL GUIDANCE

UNPATCHED VM – VIRTUAL MACHINE (VM) SECURITY UPDATES
• What – Rapidly apply security updates to virtual machines
• How – Enable Azure Security Center to identify missing security updates https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates
   Apply updates using enterprise patch management or Azure Update Management

DIRECT INTERNET (COMMON INCIDENT) – VM DIRECT INTERNET CONNECTIVITY
• What – Monitor and restrict direct internet connectivity
• How – Use one or more of the following methods
   • Enterprise-wide prevention - Prevent inadvertent exposure via network routing/security + RBAC Permissions (in this guidance)
   • Identify and Remediate exposed VMs with Azure Security Center
   • Restrict management ports (RDP, SSH) using Just in Time access

Why – Attackers constantly scan public cloud IP ranges for open management ports and attempt “easy” attacks that exploit common passwords and unpatched vulnerabilities
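Added example (not from the deck and not an Azure tool): a check over network security group rules, laid out like the `securityRules` array that `az network nsg show` returns, that applies Azure's first-match-by-priority evaluation to report whether RDP or SSH is reachable from the Internet. The NSG names, rules and addresses are constructed; the check assumes the platform default rules, which deny inbound Internet traffic that no explicit rule matches.

```python
"""Report management ports (RDP 3389, SSH 22) that NSG rules leave open to the Internet.

Added example, not part of the Azure Security Compass deck. Rule dicts follow
the field names of `securityRules` in `az network nsg show` output; the sample
NSGs below are constructed and the addresses are made up.
"""
from __future__ import annotations

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
# Source prefixes that mean "anyone on the Internet" in an NSG rule.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def port_in_range(port: int, spec: str) -> bool:
    """True if `spec` ('*', '22' or '3389-3390') covers `port`."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def rule_ports(rule: dict) -> list[str]:
    # A rule carries either one range or a list of ranges.
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]


def rule_sources(rule: dict) -> list[str]:
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def rule_matches(rule: dict, port: int) -> bool:
    """Does this inbound rule apply to TCP traffic from the Internet to `port`?"""
    if rule.get("direction") != "Inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    if not any(src.lower() in INTERNET_SOURCES for src in rule_sources(rule)):
        return False
    return any(port_in_range(port, spec) for spec in rule_ports(rule))


def exposed_ports(nsg: dict) -> dict[int, str]:
    """Return {port: rule name} for management ports the Internet can reach.

    Rules are evaluated in ascending priority and the first match wins, so a
    Deny with a lower priority number shadows a later Allow. With no explicit
    match the platform defaults apply, which deny inbound Internet traffic.
    """
    rules = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
    open_ports: dict[int, str] = {}
    for port in MGMT_PORTS:
        for rule in rules:
            if rule_matches(rule, port):
                if rule["access"] == "Allow":
                    open_ports[port] = rule["name"]
                break  # first matching rule decides, Allow or Deny
    return open_ports


def report(nsgs: list[dict]) -> list[str]:
    """One finding line per exposed management port across all NSGs."""
    findings = []
    for nsg in nsgs:
        for port, rule in sorted(exposed_ports(nsg).items()):
            findings.append(f"{nsg['name']}: {MGMT_PORTS[port]} ({port}) open to Internet by rule '{rule}'")
    return findings


# Constructed sample: one NSG exposes RDP to everyone; the other has an SSH
# Allow that is shadowed by an earlier Deny and a second Allow scoped to a bastion subnet.
SAMPLE_NSGS = [
    {
        "name": "nsg-web-prod",
        "securityRules": [
            {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
             "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
            {"name": "allow-rdp-any", "priority": 300, "direction": "Inbound", "access": "Allow",
             "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRanges": ["3389", "5985-5986"]},
        ],
    },
    {
        "name": "nsg-app-prod",
        "securityRules": [
            {"name": "deny-mgmt-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
             "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]},
            {"name": "allow-ssh-any", "priority": 200, "direction": "Inbound", "access": "Allow",
             "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22"},
            {"name": "allow-ssh-bastion", "priority": 210, "direction": "Inbound", "access": "Allow",
             "protocol": "Tcp", "sourceAddressPrefix": "10.0.250.0/24", "destinationPortRange": "22"},
        ],
    },
]

if __name__ == "__main__":
    for line in report(SAMPLE_NSGS):
        print(line)
```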
GRC – Security Incident Notification
CRITICAL GUIDANCE

INCIDENT NOTIFICATION
• What – Ensure a security contact receives Azure incident notifications from Microsoft (typically a notification that your resource is compromised and/or attacking another customer)
• Why – Enables security operations to rapidly respond to potential security risks and remediate them.
• How – Ensure administrator contact information in the Azure enrollment portal includes contact information that will notify security operations (directly or rapidly via an internal process)

See online service terms “Security Incident Notification” section for specific contractual commitments
GRC – Access Reviews
CRITICAL GUIDANCE

REGULARLY REVIEW CRITICAL ACCESS
• What – Regularly review privileges with a business-critical impact
• Why – Access requirements change over time but technical privileges typically only grow (accruing significant risk).
• How – Set up a recurring review pattern
   • Manual Process
   • Automated - Using Azure AD access reviews for all groups with critical business impact https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

See administration section for guidance on identifying roles with a critical business impact
GRC – Security Posture Improvement
CRITICAL GUIDANCE

MONITOR AZURE SECURE SCORE
• What – Use Secure Score in Azure Security Center to identify key recommendations and monitor progress
• How – Review your Azure secure score to see the recommendations resulting from the Azure policies and initiatives built into Azure Security center. These include top risks such as security updates, endpoint protection, encryption, security configurations, missing WAF, internet connected VMs, and many more. https://docs.microsoft.com/en-us/azure/security-center/security-center-secure-score

REMEDIATE IDENTIFIED RISKS
• What – Monitor the security posture of machines, networks, storage and data services, and applications to discover potential security issues.
• How – Follow the security recommendations in Azure Security Center starting with the highest priority items. The remediations can frequently be initiated from within the console. https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations

Why – Rapidly identifying and remediating common security hygiene risks can significantly reduce overall risk
Governance – Access for Security Personnel
CRITICAL BEST PRACTICES

SECURITY TEAM VISIBILITY
• What – Provide security teams security visibility to all Azure resources
• Why – Security requires visibility in order to assess and report on risk
• How – Assign security teams with Azure responsibilities to the Security Readers role using either:
   • Root management group (MG) – for teams responsible for all Azure resources
   • Segment MG – for teams with limited scope (commonly because of regulatory or other organizational boundaries)

AZURE SECURITY CENTER ACCESS
• What – Provide access to Azure Security Center (ASC) for teams using this tool to remediate risk in Azure
• Why – Azure Security Center allows teams to quickly identify and remediate security risks
• How – Assign teams requiring access to ASC to the security admins role
   • Set/enforce policies
   • Take actions to remediate recommendations
   • This can be assigned at the root management group or segment management group(s) depending on the scope of
GRC – Insecure Legacy Protocols (BEST PRACTICE CHOICE)
BEST PRACTICE

DISABLE INSECURE PROTOCOLS
• What – Discover and disable the use of SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and Weak ciphers in Kerberos.
• Why – Authentication protocols are critical to nearly all security assurances. Attackers with access to your network can exploit weaknesses in older versions of these protocols.
• How –
  • Discover usage by reviewing logs with Azure Sentinel Insecure Protocol Dashboard or 3rd party tools
  • Restrict or Disable use of these protocols (recommend pilot/testing).
  Guidance for SMB, NTLM, WDigest
GRC – Compliance
GUIDANCE

REGULATORY COMPLIANCE
• What – Use Azure Security Center to report on compliance with regulatory standards
• How – https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard

AZURE BLUEPRINTS
• What – Use Azure Blueprints to rapidly and consistently deploy compliant workloads
• How – Azure Blueprint Service automates deployment of environments including RBAC roles, policies, resources (VM/Net/Storage/etc.), and more. Several Security and Compliance Blueprints templates are available

Why – These capabilities help you stay compliant with regulatory standards
GRC – Benchmarks
GUIDANCE

EVALUATE USING BENCHMARKS
• What – Benchmark your organization’s Azure security against external sources
• Why – External comparisons help validate and enrich your team’s security strategy.
• How – Compare your configuration to guidance like Center for Internet Security (CIS) Benchmarks
  Benchmark - https://www.cisecurity.org/benchmark/azure/
  ASC Compliance Check - https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard
GRC – Azure Policy
GENERAL BEST PRACTICE

IMPLEMENT AZURE POLICY
• What – Use Azure policy to monitor and enforce your organization’s security policy
• Why – Ensure compliance with your security strategy and/or regulatory security requirements across your Azure workloads.
• How – Follow the instructions in the Azure Policy documentation to plan and create policies
  https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
GRC – Elevated Security Capabilities (BEST PRACTICE CHOICE)
GENERAL GUIDANCE

A small number of regulatory bodies explicitly require specialized security measures. While broadly available, these capabilities often increase overhead and cost.

Azure Customer Lockbox
Determine whether your personnel are required to review and approve or reject access requests from Microsoft support engineers where your data must be accessed to resolve a support issue.
https://docs.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview

Dedicated Hardware Security Modules (HSMs)
Identify whether you need to utilize dedicated Hardware Security Modules (HSMs) to meet regulatory or security requirements
https://docs.microsoft.com/en-us/azure/dedicated-hsm/

Confidential Computing
Identify whether you need to utilize Confidential Computing to meet regulatory or security requirements
https://azure.microsoft.com/en-us/blog/azure-confidential-computing/
GRC (BEST PRACTICE CHOICE)
GENERAL GUIDANCE

Monitor Azure AD Risk Reports
Monitor your Azure AD Risk Reports for
• Risky sign-in
• Risky users
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events

Penetration Testing
Use Penetration Testing or Red Team activities to validate security defenses
https://technet.microsoft.com/en-us/mt784683
Security Operations

Architecture guidance on this topic can be found at
https://docs.microsoft.com/en-us/azure/architecture/security/security-operations
Microsoft’s approach (from our SOC)
The First Big Challenge of every SOC: Overwhelming Signal & Limited Human Capacity
Enforce Quality + Apply Technology

Detect: Billions of events per month
Respond: Hundreds of investigations

CONCERN 1 – Miss real detections while chasing false positives
  Enforce 90% true positive on alert feeds
CONCERN 2 – Attackers operate freely until remediated
  Focus on time to acknowledge and remediate

Technology applied:
• Machine Learning (Artificial Intelligence)
• Behavioral Analytics (UEBA) (User and Entity)
• Security Orchestration, Automation, and Remediation (SOAR)
SIEM Integration

EXISTING SIEM – Microsoft provides APIs and connectors
• GRAPH SECURITY API – Alert Integration & Actions
• Office 365, Azure, Microsoft Security Tools – Log & Alert Integration (Azure, Office 365, Azure Advanced Threat Protection (ATP), Microsoft Defender ATP, Microsoft Cloud App Security)
• FIREWALL, NETWORK, AND MORE – CEF/Syslog/API; built in connectors vary depending on SIEM vendor

AZURE SENTINEL – Built-in 1st & 3rd party connectors
SOC Reference Architecture
Integrated toolset for rapid threat remediation

Breadth – Microsoft Threat Protection
• Unified Alert Queue
• Customized Alerts

Cloud Native SIEM + SOAR - Azure Sentinel
Built on Azure Monitor, Logic Apps, and Microsoft’s UEBA/ML Technology

Signal sources:
• ENDPOINT – Windows Defender ATP Endpoint Detection & Response (EDR)
• IDENTITY – Azure ATP + Azure AD Identity Protection
• SaaS – Office 365 Advanced Threat Protection (ATP) + Cloud App Security
• AZURE – Azure Security Center
• NETWORK, SERVERS, IAAS, OTHER – Event Log Data from Devices, Services, and Security Tools (3rd party and Microsoft)

Depth
• High quality alerts
• End to end investigation and remediation
Centralized Visibility
Azure Security Center and Azure Sentinel across IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

• GRC Professional – Assess Risk & Compliance
• IT / Security Professional – Implement Protections
• SOC Analyst – Primary Console: Alerts, Investigation

Log Flow from Identity, Endpoint, Cloud, Network and more; alerts are generated from these logs
Security Operations – Azure Alerts (BEST PRACTICE CHOICE)
CRITICAL GUIDANCE

ASC BUILT IN SECURITY ALERTS
• What – Enable Azure Security Center security Alerts
• Why – Azure Security Center provides actionable detections for common attack methods (Alert List depicted on this slide), which can save your team significant effort on query development. These alerts are focused on high true positive rate by leveraging Microsoft’s extensive threat intelligence, advanced machine learning, industry leading Endpoint Detection & Response (EDR) (MITRE report), and other approaches.
• How – Enable Azure Security Center (Recommend Standard Tier)
  https://docs.microsoft.com/en-us/azu

Azure Security Center Alerts (alert list depicted on the slide):
• Virtual Machine Behavioral Analysis (VMBA)
• SQL Database & Data Warehouse Analysis
• Contextual Information
• Network Analysis
Security Operations – Alert & Log Integration
GENERAL GUIDANCE

NOW - ALERT INTEGRATION
• What – Integrate Alerts from Azure Security Center into your existing SIEM (if you are currently using one).
• Why – Organizations use SIEMs as a central clearinghouse for security alerts that require an analyst to respond
• How – Follow these instructions
  https://docs.microsoft.com/en-us/azure/security-center/security-center-export-data-to-siem
  • Alternately, you can use Azure Security Center for central security dashboard function if
    • You don’t have a SIEM
    • Your teams desire/require a console focused on Azure resources

NOW - CRITICAL LOGS
• What – Integrate Azure logs with your SIEM (or archive logs if no SIEM)
• Why – These logs enable security incident investigation and enable you to query data prior to the online log retention period of the service.
• How – Use Azure Monitor to gather logs

LATER - ADDITIONAL LOGS
• What – When required, integrate additional Azure service logs for Azure platform and services into your SIEM
• Why – Additional Logs may be required for investigation and for generating customized alerts for applications and Azure service usage.
• How – Follow these instructions and guidance to onboard appropriate logs
  https://docs.microsoft.com/en-us/azure/security/azure-log-audit
Security Operations – Journey to Cloud Analytics
CRITICAL CHOICE

CLOUD ANALYTICS STRATEGY
• What – Choose when and how to integrate cloud-based security analytics/SIEM (such as Azure Sentinel, ELK stack, etc.)
• Why – As more enterprise services generate security data in the cloud, hauling this data back to on premises becomes expensive and inefficient. This ‘Data Gravity’ will increasingly require security analytics to be hosted in the cloud as you migrate workloads.
• How – Ensure your strategy for security analytics & SIEM plans for this transition and includes thresholds & timing for progression into each phase.

1. On-Premises SIEM Architecture
   Classic model with on-premises analytics & database
2. Side by Side Architecture
   Separate event log stores and analytics engines
   • On premises for local resources
   • Cloud based analytics for cloud resources
   Integration can be done at the level of
   • Alerts – using Microsoft Graph Security API
   • Incidents – using case management tooling
   Hybrid Architecture can function as either a
   • Transition State
   • Permanent State
3. Cloud Native Architecture
   Security analytics and storage use native cloud services.
   Can be Native Cloud Analytics (recommended) or Infrastructure as a Service (IaaS) SIEM. Native is recommended over IaaS because of reduced infrastructure management.
   Benefits of native cloud analytics may also accelerate transition plans (advanced capabilities, simplified management, etc.)
Security Operations (BEST PRACTICE CHOICE)
GENERAL GUIDANCE

Have analysts learn new authentication flows
Many analysts may be unfamiliar with how newer authentication protocols like OAuth, SAML, and WS-Federation work. Ensure analysts get familiar with these protocols as they are different than on premises protocols like NTLM and Kerberos

Prioritize critical impact admin accounts
Ensure your SOC processes prioritize attacks on critical impact admins that could have a significant business impact if compromised. Prioritization should include admin only elements like Azure AD PIM as well as prioritizing general detections that include admin users like leaked credentials, behavior analytics, etc.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-sumologic

On-Premises Identity Attack Detection
Attackers frequently use pass the hash/ticket/password and other credential theft/impersonation attacks which can affect Infrastructure as a Service (IaaS) Virtual Machines (VMs). Azure Security Center includes some detections on Azure, but you should also consider specialized identity security tools such as Azure ATP or a 3rd party solution (which can also protect on-premises components).
Identity and Access Management

Architecture guidance on this topic can be found at
https://docs.microsoft.com/en-us/azure/architecture/security/identity
Identity as the Control Plane
Single Sign-On and Zero Trust Access Control Across Your Enterprise

Figure: Azure Active Directory at the center, connecting Partners, Customers, Commercial IdPs, Consumer IdPs and BYOD devices to cloud resources; on-premises Windows Server Active Directory is synchronized to Azure AD through Azure AD Connect.
Managed identities for Azure resources
• Simplifies Azure authentication/security for developers (vs. service principals)
• Authenticate to services without inserting credentials into code
• Target Service must support Azure AD authentication
• E.g. Allow (code running on) a specific VM to access Azure Key Vault, Storage Account, Azure SQL, etc.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Figure (Azure VM): (1) Azure injects and rolls the credentials held by the MSI VM Extension; (2) your code requests a token from the extension at http://localhost/oauth2/token, which authenticates to Azure Active Directory; (3) your code presents the token to the Azure Service (e.g. ARM, Azure Storage).
Top 3 Attacks

Password Spray
200,000 accounts compromised in Aug 2018
(Primarily via legacy AuthN protocols)

Phishing
5B emails blocked in 2018
44M risk events in Aug 2018

Breach Replay
650,000 accounts with leaked credentials in 2018
Password Spray

Figure: a long list of user accounts, each tried with the same password (Password123)

Typical Attack
1. Attempt a common password used against many, many accounts. (stay below account lockout threshold)
2. After successful login, dump the GAL.
3. Start pivoting in environment.
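Detection logic for the spray pattern described above, as an added example that is not part of the deck: it flags a source IP whose failed sign-ins touch many distinct accounts with very few attempts per account (the lockout-avoidance signature), records which sprayed accounts later signed in successfully, and notes how much of the activity used legacy client apps. The record format and the log lines are constructed for the example and only loosely model Azure AD sign-in log fields.

```python
"""Password-spray detection over sign-in records (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Client apps the deck groups under "legacy auth" (no MFA), which sprays favour.
LEGACY_CLIENT_APPS = {"SMTP", "IMAP", "POP", "MAPI", "Exchange ActiveSync", "Other clients"}


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    success: bool
    client_app: str


def parse_log(text: str) -> List[SignIn]:
    """Parse 'timestamp,user,ip,result,clientApp' lines (a constructed format)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result, app = [f.strip() for f in line.split(",")]
        events.append(SignIn(datetime.fromisoformat(ts), user, ip, result == "Success", app))
    return events


# Constructed sample: one IP tries ten accounts once each over SMTP and then
# succeeds on one of them; a second IP is a normal user mistyping a password
# from a browser. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """
2019-08-13T09:00:01,user01@contoso.example,203.0.113.7,Failure,SMTP
2019-08-13T09:00:03,user02@contoso.example,203.0.113.7,Failure,SMTP
2019-08-13T09:00:05,user03@contoso.example,203.0.113.7,Failure,SMTP
2019-08-13T09:00:07,user04@contoso.example,203.0.113.7,Failure,SMTP
2019-08-13T09:00:09,user05@contoso.example,203.0.113.7,Failure,SMTP
2019-08-13T09:00:11,user06@contoso.example,203.0.113.7,Failure,SMTP
2019-08-13T09:00:13,user07@contoso.example,203.0.113.7,Failure,SMTP
2019-08-13T09:00:15,user08@contoso.example,203.0.113.7,Failure,SMTP
2019-08-13T09:00:17,user09@contoso.example,203.0.113.7,Failure,SMTP
2019-08-13T09:00:19,user10@contoso.example,203.0.113.7,Failure,SMTP
2019-08-13T09:00:21,user03@contoso.example,203.0.113.7,Success,SMTP
2019-08-13T09:05:00,bob@contoso.example,198.51.100.5,Failure,Browser
2019-08-13T09:05:20,bob@contoso.example,198.51.100.5,Failure,Browser
2019-08-13T09:05:40,bob@contoso.example,198.51.100.5,Success,Browser
"""


def detect_password_spray(events: List[SignIn], window: timedelta = timedelta(hours=1),
                          min_accounts: int = 8, max_per_account: int = 2) -> List[dict]:
    """One finding per source IP whose failures inside `window` hit at least
    `min_accounts` distinct accounts, none tried more than `max_per_account` times."""
    by_ip: Dict[str, List[SignIn]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        failures = [e for e in evs if not e.success]
        for start in failures:                       # slide the window over each failure
            in_window = [e for e in failures if start.ts <= e.ts < start.ts + window]
            per_account = Counter(e.user for e in in_window)
            if len(per_account) < min_accounts or max(per_account.values()) > max_per_account:
                continue
            sprayed = set(per_account)
            # Sprayed accounts that later succeeded from the same IP need immediate response.
            compromised = sorted({e.user for e in evs
                                  if e.success and e.user in sprayed and e.ts >= start.ts})
            legacy = sum(e.client_app in LEGACY_CLIENT_APPS for e in in_window) / len(in_window)
            findings.append({"ip": ip, "first_seen": start.ts.isoformat(),
                             "accounts": len(per_account), "legacy_share": round(legacy, 2),
                             "compromised": compromised})
            break                                    # one finding per IP is enough for triage
    return findings


SAMPLE_FINDINGS = detect_password_spray(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f)
```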
Identity – Consistency
CRITICAL BEST PRACTICES

SINGLE ENTERPRISE DIRECTORY
• What – Establish a single enterprise Azure Active Directory (Azure AD) instance
• How – Designate a single Azure AD directory as the authoritative source for corporate/organizational accounts.

SYNCHRONIZE WITH ACTIVE DIRECTORY & IDENTITY SYSTEMS
• What – Synchronize Azure AD with your existing on-premises AD
• How – Leverage Azure AD connect to synchronize with on premises AD and any identity management systems
  https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

AZURE AD FOR APPLICATIONS
• What – For new development, use Azure AD for consistent authentication
• How – Use appropriate Azure AD capabilities to support authentication needs:
  • Azure AD – Employees
  • Azure AD B2B – Partners
  • Azure AD B2C - Customers/citizens

• Why – Consistency and single authoritative sources will increase clarity and reduce security risk from human errors and configuration/automation complexity.
Identity
CRITICAL BEST PRACTICES

BLOCK LEGACY AUTHENTICATION
• What – Block legacy authentication protocols for Azure AD
• Why – Weaknesses in older protocols are actively exploited by attackers daily, particularly for bypassing MFA and for password spray attacks (majority use legacy auth)
• How – Configure Conditional Access to block legacy protocols
  https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Conditional-Access-support-for-blocking-legacy-auth-is/ba-p/245417
  For more information https://www.youtube.com/watch?v=wGk0J4z90GI

DON’T SYNCH AD ADMINS
• What – Don’t synchronize accounts to Azure AD that have high privileges in your existing Active Directory
• Why – This mitigates the risk of adversaries pivoting from cloud to on premises assets (creating a potential major incident).
• How – This is blocked by default. Do not change the default Azure AD Connect configuration that filters out these accounts
  See also the converse guidance in Administration section:
  • Critical Impact Admin - Account
  • Critical Impact Admin - Workstation
Identity – Password Synchronization
CRITICAL BEST PRACTICE

SYNCHRONIZE PASSWORD HASHES
• What – Synchronize your user password hashes from on-premises Active Directory instance to Azure Active Directory (Azure AD).
• Why – This increases both
  • Security - Protects against leaked credentials being replayed from previous attacks
  • Reliability - Customers affected by (Not)Petya attacks were able to continue business operations when password hashes were synced to Azure AD (vs. near zero IT functionality for customers who did not)
• How – Configure Azure AD Connect to synchronize password hashes
  https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-hash-synchronization

Figure (password hash synchronization flow between the Windows Server 2016 Domain Controller, the Azure AD Connect Server, Azure Active Directory and User Devices):
1. Request unicodePWD via MS-DRSR
2. Encrypted unicodePWD via MS-DRSR
Processing on the Azure AD Connect server:
3. Decrypts envelope to retrieve MD4 hash
4. Convert to 64-byte binary
5. Add 10-byte salt
6. PBKDF2 + 1,000 iterations of HMAC-SHA256
7. String + salt + iteration count sent to Azure AD (SSL)
8. User signs into Azure AD. If their hashed password matches the stored password then the user is authenticated.
8a. If conditional access enabled and password matches leaked credential, force user to change password (including MFA validation)
A. Azure AD Identity Protection identifies matches with the Leaked Credential Database
B. Azure AD Admin checks the Azure AD Risk Report
Identity – Password Protection from Cloud
CRITICAL BEST PRACTICES

AZURE AD PASSWORD PROTECTION
• What – Choose the level of password protection in Azure Active Directory
• Why – Static on-premises defenses capabilities can no longer protect password-based accounts.
  • Microsoft - https://www.microsoft.com/en-us/research/publication/password-guidance/
  • NIST - https://pages.nist.gov/800-63-3/sp800-63b.html
  Passwordless solutions are ideal and MFA can help, but password-

Levels of protection:
0. Do Nothing (Not Recommended)
1. Report & Remediate – View reports and manually remediate accounts
   • Azure AD reporting - Risk events are part of Azure AD's security reports. For more information, see the users at risk security report and the risky sign-ins security report.
   • Azure AD Identity Protection - Risk events are also part of the reporting capabilities of Azure Active Directory Identity Protection.
   • Use the Identity Protection risk events API to gain programmatic access to security detections using Microsoft Graph.
2. Automatic Enforcement – Automatically remediate high risk passwords with Conditional Access (leveraging Azure AD Identity Protection risk assessments)
   https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
Identity (BEST PRACTICE CHOICE)
GENERAL GUIDANCE

AZURE AD FOR LINUX LOGIN
Use Azure Active Directory for authenticating to Linux VMs to simplify management and security
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad

CLOUD PROTECTION FOR ON PREMISES ACTIVE DIRECTORY
Protect passwords in your on-premises AD using Azure AD
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
Administration

Architecture guidance on this topic can be found at
https://docs.microsoft.com/en-us/azure/architecture/security/critical-impact-accounts
Highest Protection for Highest Privileges

Critical Impact Accounts in Azure
1. Administrative Privileges
   • Global Azure AD Admins + Azure Tenant Admins
2. Data Access
   • Groups & Accounts with read/write/delete access to business-critical data
3. Operational Access
   • Groups & Accounts with control of business-critical systems
*Owners & Admins of Management Groups MGs/Subscriptions containing
• Shared Services
• Business Critical Apps

Most guidance in this section refers to protecting IT Admin accounts. You should consider applying similar procedures to other admins as well.
Admin – Quantity (BEST PRACTICE CHOICE)
CRITICAL BEST PRACTICES

LEAST NUMBER OF CRITICAL IMPACT ADMINS
• What – Grant the fewest number of accounts to groups with critical business impact
• Why – Each admin account represents potential attack surface and business risk
• How –
  • Assign at least 2 accounts for business continuity
  • When 2+ accounts, provide justification for each
  • Regularly review members & justification

Tips
• Grant only required privileges (using built in RBAC roles) vs. global admin and segment owner roles
• For people outside your organization, use AAD B2B Collaboration instead of personal or corporate accounts
Admin – Accounts (BEST PRACTICE CHOICE)
CRITICAL BEST PRACTICE

MANAGED ACCOUNTS FOR ADMINS
• What – Ensure all critical impact admins are managed Azure AD accounts
• Why – This provides enterprise visibility into whether the policies of the organization and any regulatory requirements are followed.
• How – Ensure all critical impact admins are in your enterprise Azure AD. Remove any consumer accounts from these roles (e.g. Microsoft accounts like @Hotmail.com, @live.com, @outlook.com, etc.)

SEPARATE ACCOUNTS FOR ADMINS
• What – Ensure all critical impact admins have a separate account for administrative tasks
• Why – Adversaries regularly use phishing and web browser attacks to compromise administrative accounts.
• How – Create a separate administrative account for critical privileges. For these accounts, block productivity tools like Office 365 email (remove license) and arbitrary web browsing (with proxy and/or application controls if available)
Admin – Emergency Access
CRITICAL BEST PRACTICE

BREAK GLASS ACCESS
• What – Ensure you have a mechanism for obtaining emergency administrative access
• Why – Provide access in the event where normal administrative accounts can’t be used (federation unavailable, etc.)
• How – Follow the instructions at Managing emergency access administrative accounts in Azure AD and ensure that security operations monitors these accounts carefully
Admin – Attack Pivot Risk
See identity section for converse guidance “Don’t Synch AD Admins”
CRITICAL BEST PRACTICE

CRITICAL IMPACT ADMIN - ACCOUNT
• What – For critical impact accounts, carefully choose the account type and directory

CRITICAL IMPACT ADMIN - WORKSTATION
• What – For critical impact accounts, choose whether the admin workstation they use will be managed by cloud services or existing on-premises processes

• Why – Leveraging existing management and identity de/provisioning processes can decrease some risk, but can also create risk of an attacker compromising an on-premises account and pivoting to the cloud. You may choose a different strategy for different roles (e.g. IT admins vs. business unit admins)

DEFAULT RECOMMENDATION
• Account: Native Azure AD Accounts – Create Native Azure AD Accounts that are not synchronized with on-premises Active Directory
• Workstation: Native Cloud Management & Protection
  • Join to Azure AD & Manage/Patch with Intune/other
  • Protect and Monitor with Windows Defender ATP/other

Alternatively:
• Account: Synchronize from On Premises Active Directory – Leverage existing administrative roles
• Workstation: Manage with Existing Systems – Join AD domain & leverage existing management/security
Administration – Account protection (BEST PRACTICE CHOICE)
CRITICAL BEST PRACTICES

PASSWORDLESS OR MULTI-FACTOR AUTHENTICATION FOR ADMINS
• What – Require all critical impact admins to be passwordless (preferred) or require MFA.
• Why – Passwords cannot protect accounts against common attacks.
  https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3016
• How –
  • Passwordless (Windows Hello) http://aka.ms/HelloForBusiness
  • Passwordless (Authenticator App) https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in
  • Multifactor Authentication https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
  • 3rd Party MFA Solution
  Note: Text Message based MFA is now relatively inexpensive for attackers to bypass, so focus on passwordless & stronger MFA

NO STANDING ACCESS
• What – No standing access for critical impact admins
• Why – Permanent privileges increase business risk by increasing attack surface of accounts (time)
• How –
  • Just in Time - Enable Azure AD PIM (or 3rd party solution) for all of these accounts
  • Break glass – Process for accounts (preferred for low use accounts like global admin)
Admin – Workstation Security
CRITICAL BEST PRACTICES

ADMIN WORKSTATION SECURITY
• What – For critical impact admins, choose what admin workstation security level to start with (and when you will progress to full admin workstations)
• Why – Attack vectors that use browsing and email (like phishing) are cheap and common. Isolating critical impact admins from these will significantly lower your risk of a major incident
• How – Choose level of admin workstation security (using either Microsoft security capabilities or equivalent from 3rd party security providers)

Workstation profiles (roles from left to right: USERS, DEVELOPERS, IT OPERATIONS / ADMINS) and their security controls:
• Low Security Workstation – Productivity Apps; User Managed policies; Antivirus
• Enhanced Security Workstation – Low Security Plus… Application and browser activity monitored; Centrally Managed Policies; Defender ATP
• High Security Workstation – Enhanced Security Plus… No Local Admin; Restricted browsing
• Specialized Workstation – High Security Plus… Restricted applications; Restricted browsing
• Secured Workstation (aka PAW) – High Security Plus… No productivity applications; Restricted browsing; Separate identity
Isolation: Virtualization OR Physical Separation

Secure Workstation Documentation
Overview - http://aka.ms/SWoverview
Implementation - http://aka.ms/secureworkstation
Admin – Conditional access (BEST P1RACTICE CHOICE)
CRITICAL BEST PRACTICE

ENFORCE ACCESS SECURITY
• What – Choose security requirements to enforce for admins managing Azure
• Why – Attackers compromising Azure Admin accounts can cause significant harm. Conditional Access can significantly reduce that risk by enforcing security hygiene before allowing access to Azure management
• How – Configure Conditional Access policy for Azure management that meets your organization’s risk appetite and operational needs
  • Require Multifactor Authentication and/or connection from designated work network
  • Require Device integrity with Windows Defender ATP (Strong Assurance)
  More information on Conditional Access: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Admin – Simplify Permissions
CRITICAL BEST PRACTICES

USE BUILT IN ROLES
• What – Use built-in roles for assigning permissions
• Why – Customization leads to complexity that inhibits human understanding, security, automation, and governance.
• How – Evaluate the use of built-in roles designed to cover most common scenarios. Custom roles are a powerful and sometimes useful capability, but they should be reserved for cases when built in roles won’t work

AVOID GRANULAR AND CUSTOM PERMISSIONS
• What – Avoid permissions specifically referencing resources or users
• Why – Specific permissions create unneeded complexity and confusion, accumulating into a “legacy” configuration that is difficult to fix (without fear of “breaking something”)
• How –
  Avoid Resource specific permissions – Instead, you should use
  • Management Groups for enterprise wide permissions
  • Resource groups for permissions within subscriptions
  Avoid user specific permissions – Instead, you should
  • Assign access to groups in Azure AD. If there isn’t an appropriate group, work with the identity team to create one
  • This allows you to add and remove group members externally to Azure and ensure permissions are current, while also allowing the group to be used for other purposes such as mailing lists.
Admin – Account Lifecycle
GENERAL GUIDANCE

Automatic deprovisioning
Ensure you have a process for disabling or deleting administrative accounts when admin personnel leave the organization (or leave administrative positions)
See also “Regularly Review Critical Access” in Governance, Risk, and Compliance section

Attack Simulation
Regularly test administrative users using current attack techniques to educate and empower them. You can use Office 365 Attack Simulation capabilities or a 3rd party offering
https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator
Network Security & Containment

Architecture guidance on this topic can be found at
https://docs.microsoft.com/en-us/azure/architecture/security/network-security-containment
Azure Networking Services

Virtual Network, Virtual WAN, ExpressRoute, VPN, DNS, CDN, Front Door, Traffic Manager, Application Gateway, Load Balancer
DDoS Protection, Firewall, Network Security Groups, Web Application Firewall, Virtual Network Endpoints, Network Watcher, ExpressRoute Monitor, Azure Monitor, Virtual Network TAP
Network protection services

Application protection
• DDoS protection – DDOS protection tuned to your application traffic patterns
• Web Application Firewall – Centralized inbound web application protection from common exploits and vulnerabilities
Segmentation
• Azure Firewall – Centralized outbound and inbound (non-HTTP/S) network and application (L3-L7) filtering
• Network Security Groups (NSG) – Distributed inbound and outbound network (L3-L4) traffic filtering on VM, Container or subnet
• Service Endpoints – Restrict access to Azure service resources (PaaS) to only your Virtual Network
And more…
• Security Appliances – Leverage your existing skillsets, processes, and licenses by adding technologies from the Azure Marketplace
Physical vs. Software Defined Networking
Intercept points vs. Controls on groups of assets

Figure: Internet connected to a virtual network whose subnets are protected by Network Security Groups (NSG)
Physical vs. Software Defined Networking
Intercept points vs. Controls on groups of assets

Figure: Internet, Public IP, Azure Firewall in a Firewall Subnet, then NSG-protected Subnets in the Virtual Network (Network Security Group (NSG))
Web App Firewalls

Figure: a second Public IP fronts a Web Application Firewall alongside the Azure Firewall; both forward into NSG-protected Subnets in the Virtual Network
Distributed Denial of Service (DDoS) protection
Basic Protection Built in + Available Advanced Protection

Figure: DDoS Protection applied at the Public IPs in front of the Azure Firewall and the Web Application Firewall
Connecting to On Premises Resources
ExpressRoute or VPN provides connectivity

Figure: On Premises Network(s) connect over ExpressRoute to an ExpressRoute Gateway in the Gateway Subnet (with NSG) of the Virtual Network, alongside the Azure Firewall, Web Application Firewall and DDoS Protection on the Internet side
Reference Configuration with Native Controls
Azure Firewall + Application Gateway with Web App Firewall (WAF)
Core Services Subscription

Figure: Core Services Virtual Network with Internet ingress through DDoS Protection, Public IPs, Azure Firewall and Web Application Firewall; ExpressRoute Gateway in the Gateway Subnet (NSG) to On Premises Network(s); workload Subnets protected by Network Security Groups (NSG)
Reference Configuration with Virtual Appliance(s)
Next Generation Firewall with Integrated WAF/Proxy
Core Services Subscription

• Popular Next Generation Firewalls available in Azure Marketplace
• Load balancer enables scalability and availability
• DDoS Protection Standard can be applied to public IP addresses.
More information online: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/shared-services

Figure: Internet, Public IP (DDoS Protection), Load balancer, then Network Virtual Appliances (NVA) in an Availability set, each with an outside NIC in the DMZ outside subnet and an inside NIC in the DMZ inside subnet; traffic then reaches NSG-protected workload Subnets; an ExpressRoute Gateway in the Gateway Subnet (NSG) connects On Premises Network(s)
Reference Enterprise Design - Azure Network Security
Hybrid Cloud Infrastructure – Network Architecture

HUB – SHARED SERVICE VIRTUAL NETWORK (Core Services Segment(s); Security Organization)
• Edge Segment: Public IP, DDoS Mitigation, Load Balancer (Optional), Firewall, NSG
• ExpressRoute Gateway (ExpressRoute Gateway subnet, NSG) connecting On Premises Datacenter(s) and Additional 3rd party IaaS
• Shared Services Segment(s): Domain Controllers, Management & Security, Others as needed

SPOKE(S) - ALIGNED TO SEGMENT MODEL (connected to the hub by VNET PEERING)
• Extranet Applications (NSG)
• Intranet Enterprise Applications (NSG)
• Development Stage Segments: Dev, Test, Prod (NSG per stage)

Legend: Subscription, Virtual Network, Subnet, Network Security Group (NSG)
Network Visibility
Feeds for the Security Information and Event Management (SIEM) platform, the Investigation Workflow, and Analytics:
• Azure Monitor – Log Aggregation: NSG Diagnostic Logs, WAF logs, Azure Firewall logs
• Network Watcher – Advanced Functions: NSG Flow Logs, Packet Capture (Point in Time)
• Virtual Tap (Preview) – Raw Traffic Access
Accessing Azure Services
[Diagram: the Azure Network uses public IP address space. Native PaaS Apps (App Service Web App, API, etc.), IaaS App VMs in the Azure Tenant, and an On-premises App or Component (reaching Azure over ExpressRoute and the ExpressRoute Gateway) all access Azure Services (Storage Account, Event Hub, Database, etc.); the Internet is the other path into that address space]
Networks & Containment – Enterprise Consistency
CRITICAL BEST PRACTICES

SEGMENTATION ALIGNMENT
• What – Align network model with overall segmentation and administrative model
• Why – A straightforward unified security strategy leads to fewer errors as it increases human understanding and automation reliability.
• How – Build your designs based on the reference models in this guidance

CENTRAL NETWORK MANAGEMENT
• What – Centralize governance and management of core network functions like ExpressRoute, virtual network and subnet provisioning, IP addressing, and related items.
• How – Recommend using an existing on premises process if applicable. This is typically a central networking group or a council of key stakeholder groups from business units.

CENTRALIZED NETWORK SECURITY
• What – Centralize management of network security elements such as Network virtual appliances, and functions like ExpressRoute, virtual network and subnet provisioning, IP addressing, etc.
• How – Recommend using an existing on premises process if applicable. This is typically a central networking group or a council of key stakeholder groups from business units.

• Why (applies to both Central Network Management and Centralized Network Security) – Inconsistent strategy and management of these core functions can create significant security risks that an attacker can exploit
Networks and Containment
PRAGMATIC CONTAINMENT STRATEGY

• What – Build a risk containment strategy that blends the best available approaches
  • Existing controls and practices
  • Native controls available in Azure
  • Zero trust approaches that continuously validate
• Why – Containment of attack vectors within an environment is critical, but traditional approaches aren't enough and must evolve. Consistency of controls across on-premises and cloud infrastructure is important, but defenses are more effective and manageable when leveraging native Azure security controls, dynamic (just in time) approaches, and integrated identity/password controls (e.g. zero trust / continuous validation)

Network Security Groups (NSGs) for subnets
Use Network Security Groups to protect against unsolicited traffic into Azure Subnets (replaces/supplements East-West traffic controls)

Choose host-based firewall strategy
Choose whether to continue existing practices for host-based firewalls in Azure or discontinue their use.

Zero Trust approach for new micro/segmentation initiatives
Adopt Zero-trust based approaches for new initiatives that validate trust at access time (instead of static network IP/Port controls)
1. Conditional Access to resources based on device, identity, assurance, network location, and more. More Info
2. Just in Time Management Port Access – using Azure Security Center to enable access only after workflow approval
3. Just in Time Administrative Privileges – using Azure AD PIM or a 3rd party PIM/PAM solution
4. Just in Time Local Admin Account Access – using Local Admin Password Solution (LAPS) or a 3rd party PIM/PAM solution
Networks and Containment
CRITICAL BEST PRACTICES

INTERNET EDGE STRATEGY
• What – Choose whether to use Native Azure Controls or 3rd party Network Virtual Appliances (NVAs) for internet edge security (North-South)
• Why – Legacy workloads require network protection from internet sources and there are advantages to using either 1st or 3rd party controls to provide this.
• How – Select a strategy using the comparison information

Note – Some organizations choose a hybrid configuration where some VNets use advanced 3rd party controls and others use native controls

AZURE NATIVE CONTROLS
Basic capabilities with simple integration & management
Azure Firewall + Web App Firewall (in Application Gateway)
These offer basic security that is good enough for some scenarios, with a fully stateful firewall as a service, built-in high availability, unrestricted cloud scalability, FQDN filtering, support for OWASP core rule sets, and simple setup and configuration

3RD PARTY CAPABILITIES
Advanced security capabilities from existing vendors
Next Generation Firewall (NGFW) and other 3rd party offerings
Network virtual appliances in the Azure Marketplace include familiar security tools that provide enhanced network security capabilities. Configuration is more complex, but allows you to leverage existing capabilities and skill sets
Networks
CRITICAL CHOICE

EXPRESSROUTE TERMINATION
• What – Identify where to terminate ExpressRoute private peering (or Site to Site VPN) in existing (on-premises) network
• Why – The termination point can affect firewall capacity, scalability, reliability, and network traffic visibility
• How –
  • Terminate outside the firewall (DMZ Paradigm): if you require visibility into the traffic, continue an existing practice of isolating datacenters, or if you are solely putting extranet resources on Azure.
  • Terminate inside the firewall (Network Extension Paradigm - Default Recommendation): in all other cases, recommend treating Azure as an Nth datacenter
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction
Network – Deprecating Legacy Technology
CRITICAL CHOICES

CLASSIC NETWORK INTRUSION DETECTION/PREVENTION SYSTEMS (NIDS/NIPS)
• What – Choose whether to add existing NIDS/NIPS capabilities on Azure
• Why – The Azure platform already filters malformed packets, and most classic NIDS/NIPS solutions are typically based on outdated signature-based approaches which are easily evaded by attackers and typically produce a high rate of false positives.
• How –
  • Do Not Add (Default Recommendation)
  • Add to Azure tenant

NETWORK DATA LOSS PREVENTION (DLP)
• What – Choose whether to add Network DLP capabilities on Azure
• Why – Network DLP is increasingly ineffective at identifying both inadvertent and deliberate data loss. This is because most modern protocols and most attackers use encryption (most available attacker toolkits have encryption built in)
• How –
  • Do Not Add (Default Recommendation)
  • Add to Azure tenant
Networks and Containment – Subnet & NSG Design

DESIGN VIRTUAL NETWORKS & SUBNETS FOR GROWTH
• What – Avoid provisioning small virtual networks and subnets
• Why – Most organizations add more resources than initially planned on top of VNets and subnets, triggering a labor-intensive re-allocation of addresses. There is limited security value in small subnet size, plus increased overhead to map an NSG to each.
• How – Define subnets broadly to ensure that you have flexibility for growth. A rule of thumb is to assume you will migrate all enterprise resources to Azure as an end state.

APPLICATION SECURITY GROUPS (ASGS)
• What – Simplify NSG rule management by defining application security groups (ASGs)
• Why – While their use is not required, defining ASGs allows you to simplify setup and maintenance of NSG rules.
• How – Define an ASG for lists of IP addresses that you expect may
  • Change in the future
  • Be used across many NSGs
  Be sure to name them clearly for others to understand their content/purpose.

AVOID FULLY OPEN ALLOW RULES
• What – Don't assign allow rules with extremely broad ranges (e.g. allow 0.0.0.0 - 255.255.255.255)
• Why – These lead to a false sense of security and are frequently found and exploited by red teams.
• How – Ensure your troubleshooting procedures discourage or ban these "fully open" allow rules
  Discover these issues with Network Security Watcher and correct them
  https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-auditing-powershell
Networks and Containment – DDoS Mitigations
GENERAL GUIDANCE

DDOS MITIGATIONS
• What – Enable DDoS Mitigations for all business-critical web applications and services
• Why – DDoS attacks are prevalent and are very inexpensive to access on the dark markets
• How – Evaluate and select the best option for protecting your critical applications and services
  • Azure DDoS basic
  • Azure DDoS standard
  • 3rd party service
Networks and Containment – Egress/Ingress
GENERAL GUIDANCE

NETWORK INGRESS/EGRESS SECURITY
• What – Choose whether to route Azure ingress/egress traffic through on-premises network edge security or via security hosted on Azure
• Why – Routing all internet traffic for Azure through on-premises ingress/egress points can add significant cost and latency at scale.
• How – Choose
  • Direct Internet (Default recommendation) - Route traffic directly to internet using Azure hosted network edge security.
  • "Hairpin" (Not recommended) - Route all traffic through existing network edge security on premises, with forced tunneling on Azure ExpressRoute or Site-to-Site VPN

[Diagram: the On Premises and Azure edge paths for the two approaches]
Traffic hairpin approach fits a Datacenter Expansion paradigm and works well for a quick proof of concept, but scales poorly because of the increased traffic load/latency and cost.
Direct Internet approach fits an Nth Datacenter paradigm and scales much better for an enterprise deployment as it removes unnecessary hops.
Network – Advanced Visibility
BEST PRACTICE CHOICE
GENERAL GUIDANCE

Network Logs
As required, integrate network logs into SIEM / analytics platform using Azure Monitor
• NSG Logs
• WAF Logs
• Azure Firewall Logs

NSG Flow Logs
If you do this today, integrate NSG flow logs and packet capture (via Network Watcher) into your investigation workflow

Virtual TAP
If required, integrate virtual TAP into existing network monitoring program/analytics capability
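An added example (not from the deck) of feeding NSG flow logs into an investigation workflow: it parses constructed flow tuples written in the version 2 tuple layout and surfaces sources that were denied on many distinct inbound ports. The IP addresses, the `Flow` record and the `probing_sources` threshold are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow tuples in the NSG flow log version 2 layout: timestamp, src IP,
# dst IP, src port, dst port, T/U, I/O (direction), A/D (decision), B/C/E (state),
# packets src->dst, bytes src->dst, packets dst->src, bytes dst->src. Made-up addresses.
SAMPLE_TUPLES = [
    "1568000001,203.0.113.7,10.2.0.5,51000,22,T,I,D,B,,,,",
    "1568000001,203.0.113.7,10.2.0.5,51001,23,T,I,D,B,,,,",
    "1568000002,203.0.113.7,10.2.0.5,51002,3389,T,I,D,B,,,,",
    "1568000002,203.0.113.7,10.2.0.5,51003,445,T,I,D,B,,,,",
    "1568000003,10.1.0.9,10.2.0.5,44300,443,T,I,A,B,,,,",
    "1568000004,10.1.0.9,10.2.0.5,44300,443,T,I,A,E,10,2048,8,16384",
    "1568000005,198.51.100.4,10.2.0.5,40000,443,T,I,D,B,,,,",
]

@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str       # T or U
    direction: str   # I (inbound) or O (outbound)
    decision: str    # A (allowed) or D (denied)
    state: str       # B (begin), C (continuing), E (end)
    bytes_s2d: int
    bytes_d2s: int

def parse_tuple(line):
    """Parse one tuple; version 1 tuples (8 fields) get state B and zero counters."""
    f = line.split(",")
    if len(f) not in (8, 13):
        raise ValueError(f"unexpected field count {len(f)}: {line}")
    f += [""] * (13 - len(f))
    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7],
                f[8] or "B", int(f[10] or 0), int(f[12] or 0))

def denied_inbound_by_source(lines):
    """Source IP -> set of destination ports on which inbound flows were denied."""
    denied = defaultdict(set)
    for flow in map(parse_tuple, lines):
        if flow.direction == "I" and flow.decision == "D":
            denied[flow.src].add(flow.dport)
    return denied

def probing_sources(lines, min_ports=3):
    """Sources denied on at least min_ports distinct ports: a cheap triage signal
    to surface in the investigation workflow before pulling a packet capture."""
    return sorted(src for src, ports in denied_inbound_by_source(lines).items()
                  if len(ports) >= min_ports)
```

The denied-flow summary is what the NSG itself already blocked; the value is in seeing which sources keep hitting closed ports so the analyst can decide whether a point-in-time packet capture is worth taking.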
Information Protection & Storage

Architecture guidance on this topic can be found at
https://docs.microsoft.com/en-us/azure/architecture/security/storage-data-encryption
Azure Storage
[Diagram: REST endpoints for Blob/Disk, Table, Queue and File Share, plus SMB 3.1 for File Share, sit on a Massive Scale Out & Auto Load Balancing Index Layer over a Distributed Replication Layer]

Azure Cloud Storage:
• Object based, durable, massively scalable storage
• Designed from ground up by Microsoft
• Presents as Blobs, Disks, Tables, Queues and Files
• Accessed via REST APIs, Client Libraries and Tools

Access Control
• Azure Active Directory (Azure AD)
• Symmetric Shared Key Authentication
• Shared Access Signature (SAS)

Notable Security Attributes
• All data is encrypted by the service
• No read without write (mitigate cross-tenant data leaks)
• Maintains 3 Synchronous copies of data
• Virtual storage, not dedicated disks
• Detailed activity logging availability (Opt in)
• Data will remain only in the region you choose

More Information: Azure Storage Managed Disks; Storage System Design and Architecture
Azure Storage Firewalls
Configured on each Storage Account (prompt during creation)
[Diagram: the Enterprise Network, Other network traffic and the Internet reach the Storage Account in Microsoft Azure through the Firewall and Storage Access Control; a Virtual Network Subnet is admitted through the firewall]
• Controls network access using ACLs
• Enforced on all network protocols
• If not configured, all networks can access
• Authentication is still required to access storage (Azure AD, SAS tokens, etc.)
• Access by Azure Services must be configured to allow connection (checkbox)
• VM Access to VM Disks not affected by storage firewall
• https://docs.microsoft.com/en-us/a
Advanced Threat Protection for Azure Storage
• Alerts on anomalous access & potential data exfiltration
• Investigation & remediation guidance
• Alerts in Azure Security Center
[Diagram: (1) the Developer turns on Advanced Threat Protection for Azure Storage; (2) an Attacker, a User or Apps present a possible threat to access / breach data, recorded in the Diagnostic Log; (3) Advanced Threat Protection raises real-time actionable alerts]
https://docs.microsoft.com/en-us/azure/storage/common/storage-advanced-threat-protection
Encryption
Azure Data Encryption is not a panacea

Layers (and why each is important), with the Encryption Technologies at each layer:

Encrypt Documents and unstructured data
• Regulatory requirements
• Data Leakage (malicious or inadvertent)
Technologies: Azure Information Protection (AIP) or 3rd party solutions

Application Layer Encryption
• Meet regulatory requirements
• Mitigate against attacks on cloud provider/infrastructure
Technologies: BYO Encryption - .NET Libraries, client-side encryption, etc.

Azure Service Encryption
• Same as application layer
• Near zero management effort (for Microsoft managed key)
Technologies: SQL Transparent Data Encryption, Always Encrypted; HDInsight Encryption; Azure Backup Encrypted at Rest, Encrypted VM support

Virtual Machine / Operating Systems
• Mitigate against loss/leakage of VM Disks from storage account
Technologies: Azure Disk Encryption - <BitLocker [Windows], DM-Crypt [Linux]>; Partner Volume Encryption – <CloudLink® SecureVM, Vormetric, etc.>; BYO Encryption – <Customer provided>

Storage System
• Mitigate against attacks on cloud provider/infrastructure
• On by default and unable to disable
Technologies: Azure Storage Service Encryption (server side encryption) <AES-256, Block, Append, and page Blobs>
Storage and Encryption
BEST PRACTICE CHOICE
CRITICAL GUIDANCE

USE AZURE AD FOR STORAGE AUTH
• What – Use Azure AD for authenticating access to storage unless another method is required and there is no other option
• Why – Azure AD provides flexible role-based access control while providing accountability
• How – Configure Storage objects to use Azure AD Authentication
https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad

ENABLE VM DISK ENCRYPTION
• What – Enable disk encryption on all IaaS VMs
• Why – This provides mitigation against data leakage from a VM disk being downloaded directly from storage (because of configuration error, etc.)
• How – Configure disk encryption on all Windows and Linux VMs
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview

ENABLE ENCRYPTION IN AZURE AND CLOUD SERVICES
• What – Enable built in encryption features for any Azure services as well as 3rd party services you call from Azure applications.
• Why – Typically near zero overhead for using integrated encryption features
• How – See the table in the link below for which services offer encryption:
https://docs.microsoft.com/en-us/azure/security/azure-security-encryption-atrest
Azure Security Center - Remediation
Microsoft and CIS Partnership

Goal
Simplify and drive consistency in our customers' efforts to securely deploy workloads to Azure

Benefits
CIS brings independence and a consensus driven approach
Benchmarks informed by Microsoft's experience & best practices

What are CIS Benchmarks?
Consensus Based Best Practices
Over 100 benchmarks covering 14 technology groups
Examples:
• Ensure Multi-factor Auth is Enabled
• Ensure SSH access is restricted
• Ensure that 'Data disks' are encrypted
https://azure.microsoft.com/en-us/resources/cis-microsoft-azure-foundations-security-benchmark/
What's inside a CIS benchmark?
What it applies to…
What to do…
Why to do it…
How to audit…
How to fix…
Summary of CIS Controls v1.0

Section: Recommendations (Control Count)
Identity & Access Mgmt.: Setting the appropriate IAM policies (23)
Azure Security Center: Configuration and use of Azure Security Center (19)
Storage Accounts: Setting storage account policies (7)
Azure SQL Services: Securing Azure SQL Servers (8)
Azure SQL Databases: Securing Azure SQL Databases (8)
Logging/Monitoring: Setting logging & monitoring policies on Azure subscriptions (13)
Networking: Securely configuring Azure networking settings and policies (5)
Virtual Machines: Setting security policies for Azure compute services, specifically virtual machines (6)
Other: General security and operational controls, including those related to Azure Key Vault and Resource Locks (3)
Total Recommendations: 92