N

Azure Security Compass

Cybersecurity Solutions Group

https://aka.ms/AzureSecurityCompass Version 1.1 – September 2019

Microsoft Azure Security Compass
Workshop
TYPICAL SCHEDULE TYPICAL STAKEHOLDERS
Executive Summary + Your goals and
Leadership Kickoff and Closeout
strategy
Chief Information Security Officer (CISO), Others
as needed
Azure Security Basics
OPTIONAL PARTICIPATION

Best Practices &

Design Decisions
Architecture & Technical Team Stakeholders
Azure Security Center Security Architect(s), Cloud
Demo (Optional) Architects/Engineers, Server
Architect(s)/Engineer(s), Network Security
Engineer, Endpoint Engineer, Endpoint
Planning Next Security Engineer, Risk and Compliance
Steps Team(s), Governance Teams, Operations
Teams, and Business Stakeholders

WORKSHOP OBJECTIVE:
Learn how to securely operate your workloads on Azure
N

Azure Security Compass - Purpose

Designed to rapidly increase your Azure security posture

Make the right security decisions with best practices, choices and
context/recommendations

Increase familiarity with Azure Platform Security and Azure Security Center

• Mix of old & new - Bring your experience and knowledge, but expect changes
Tips • You can’t learn everything - Cloud capabilities evolve too fast to master them all,
prioritization is critical
Guidance Structure
Actionable and Prioritized
CRITICAL GENERAL

This meets one or more of criteria Valid and valuable

for: Best practices security best
1. On-premises parity - Microsoft practices and
Required to meet equivalent recommendations
recommends a that are important,
security posture of a (typical) single approach
on-premises environment but shouldn’t slow
down most
2. Hard to change - Difficult or organizations
expensive to change later from adopting
Choices the cloud
3. High risk - Required to
mitigate attack patterns that Microsoft recommends
incur high impact/likelihood of (one or more of)
business risk several possible
Primary focus of approaches
guidance
Get you quickly to the
security benefits of Azure
Note: These represent
platformMicrosoft’s default opinion based on our experience and knowledge. Your
organization may prioritize risk and mitigations differently based on your unique business needs,
business risks, or other factors.
 Executive Summary
TRACKING SPREADSHEET
OVERALL GUIDANCE
Critical General

Governance, Risk,
16 10
and Compliance

Administration 12 2

Network Security &

12 6
Containment

Information
Protection & 3 0
Storage

Identity & Access

5 4
Management

Security
4 4
Operations

Total 42 26
 COMPLIANT ≠ SECURE
NT = Meets a specific standard at point in time (e.g. not negligent)
Lowers business risk to acceptable level by disrupting attacker return
n investment (ROI)

SECURE

LEVEL OF
ACCEPTABLE
RISK

COMPLIANT
Whiteboard – Your Journey and Goals

Current Cloud & Azure

Usage Geographic Goals and
• Which workloads / business
purpose?
Presence Plans
• SaaS? IaaS? PaaS? where you operate for Azure usage

Security Focus Compliance

Areas – & regulatory requirements
What do you want to focus
on?
Azure Security Compass
BASICS SECURITY GUIDANCE

AZ URE
COM PON EN TS SECURITY
TRANSFORMING & M ODEL S CEN TER ( ASC)
TOOLS, SKILLS, &
PRACTICES

S T R AT E G I E S &
T H R E AT S E VO LV E

G OV E R N A N C E ,
SECURITY IDENTITY
RISK, &
O P E R AT I O N S
COMPLIANCE
AZURE REGIONS
& SERVICES

A D M I N I S T R AT I O INFO
NETWORK PROTECTION &
MICROSOFT SECURITY C O N TA I N M E N T N
STORAGE
PRACTICES
 Ransomware:
$66 upfront
Attack services are inexpensive Or
30% of the profit (affiliate
model)
0days price ATTACKS AGAINST THE PC ATTACKS AGAINST
range varies from THE EMPLOYEES AND CUSTOMERS
$5,000 to
$350,000
Loads (compromised
device) average price
Spearphishing
ranges
services
• PC - $0.13 to $0.89
range from $100 to
• Mobile - from $0.82 to
$1,000 per successful
$2.78
account take over
Denial of Service
(DOS) average
prices
day: $102.05 Compromised
week: $327.00 accounts
month: $766.67 As low as $150 for
Proxy services to SERVICES AIDING
400M. Averages $0.97
evade IP geolocation THE “CASH OUT” per 1k.
prices vary ATTACKER
As low as $100 per INFRASTRUCTURE
week for 100,000
proxies. COLLECTIVE KNOWLEDGE
 M AIN

Transforming from Legacy to Cloud

M EN
U

Evolving architecture, tools, skills, & practices Risk

Patchi Sandboxi
Scannin ng
ng Segmentation
g
EncryptionSecure Development
ForensiLifecycle
Threat
cs &
Logging Protection
Orchestration &
Automation
SIEM
Analytics
WAFs Vulnerability FirewallsTLS
Management
Architectures change, but principles & outcomes remain the same
Information
Protection
Threat Intelligence

Roles, responsibilities, and skillsets will evolve

Same Changed New

Controls, tools, and processes will evolve

Note: Legacy ‘technical debt’ persists with legacy workloads/applications in IaaS

 Your enterprise in transformation
Requires a modern identity and access security perimeter
Cloud Technology

SaaS adoption

Modern Enterprise
Perimeter

Infrastructure as a Platform as a
Service Service

1st class mobile

Internet of Things experience

ENGAGE EMPOWER OPTIMIZE TRANSFORM

YOUR CUSTOMERS YOUR EMPLOYEES YOUR OPERATIONS YOUR PRODUCTS
Running Dual Perimeters

ATTACKERS USING IDENTITY TACTICS

SECURING MODERN SCENARIOS (CLOUD, MOBILE, IOT)

MODERN PERIMETER
(Identity Controls)

CLASSIC PERIMETER
(Network Controls)
Evolution of Roles and Responsibilities
Modern
MODERN PERIMETER
(Identity Controls)
Architectures &
CLASSIC PERIMETER
Legacy Operating Models
(Network Controls)
Architectures &
Operating
Models
“STOP THE PRESSES!” CONTINUOUS VALIDATION

Security roles will change with architectural/operational models

Manual Resource Administration Administration Author & Govern Automation

Containment at all layers

Containment with Network Network  Containment (Net, App, Identity, Data, etc.)

Quality Check Before Release Development Security SME in DevOps process

Project based Engagement Architecture Continuous Engagement & Improvement

Common cloud adoption strategy
Future
No
1 Prefer SaaS Investment

Take advantage of productivity

workloads provided in the cloud Yes

2 New Development to PaaS Saas

No
offering
New development and modern available
applications
Yes
move to PaaS.
New applications optimized for cloud
Saas Passes Passes IaaS
computing. Evaluation
Build
PaaS
No
Evaluation
No
3 Existing workloads  IaaS (Build/buy
decision)
Evaluatio
Existing applications move to IaaS n
Buy Yes Yes
using a ‘lift and shift’ strategy
3
a  Convert to
PaaS
Plan to refactor
applications into PaaS SaaS PaaS IaaS Private Cloud
Hotel room Furnished apartmentRental apartment Private House
 M AIN

Shared Responsibility and Key Strategies M EN

U

On-
pre
Responsibility SaaSPaaS IaaS m

Information and Data

Devices (Mobile and PCs)

ESTABLISH A MODERN PERIMETER
Accounts and Identities

Identity and directory infrastructure

Applications MODERNIZE INFRASTRUCTURE

SECURITY
Network Controls

Operating system

Physical hosts
“TRUST BUT VERIFY” EACH CLOUD
Physical network PROVIDER
Physical datacenter

Microsof Custome
t r
IaaS and PaaS Application Models
Standalone Applications or Components of Larger Solutions

Legacy Transition New

IaaS Applications IaaS+ Applications PaaS Applications
Typically lift/shift Refactoring has begun! Typically New Development
workloads
Application Code – Typically light
Application Code - Can be heavy (includes all dependencies) or lighter
code hosted on App Service Web Apps

Azure Services – App functions

Virtual Machines – App functions hosted on full Operating System +
provided by Azure Services
Middleware
(Security profile is similar to SaaS)

Other Components – Services/databases on-premises or on a 3rd party cloud, IoT devices, etc.

Shared Elements (Storage, Identity, Network)

 M AIN

Security Responsibilities Transfer to Cloud

M EN
U

Responsibility PaaS IaaS

Transferred for PaaS
Information and Data Security Patches
Devices (Mobile and PCs)
Feature Upgrades
VMs/Containers security –
Accounts and Identities OS and Middleware
Installation, Maintenance, Azure
Identity and directory infrastructure troubleshooting, etc. Marketplace fits
Application
PaaS or IaaS model

Network controls

Operating system
Transferred for IaaS and PaaS
Denial of Service*
Physical hosts Attacks on
Racking/Stacking Servers,
Delays in Adding Capacity • Physical Attacks
Physical network
Fabric/Virtualization Patching, • Virtualization Fabric
Physical datacenter Maintenance & Troubleshooting • Hardware/Firmware
Fabric Availability / Uptime • Network Infrastructure
Microsof Custome  SLA from Microsoft
t r
 M AIN

Azure Threats – Mix of Old & New…

M EN
U

PaaS IaaS
EXISTING TECHNIQUES (AT COMPARABLE
LEVELS)
EXPLOIT/ENTER TRAVERSAL MONETIZATION
CREDENTIAL THEFT &
SOCIAL ENGINEERING ABUSE (HASHES, RANSOMWARE
SSH…)
TARGETED DATA
PHISHING SCAN & EXPLOIT
THEFT
GEO-FILTERING
COMMODITY
EVASION WITH
BOTNET/DDOS/ETC
PROXY

New Techniques ( PIVOT

ACQUIRE ) orTOVery
ON
High CRYPTOMINERS
Usage ( ) –
TENANT KEYS
PREMISES FROM (WEBSERVERS,
FROM
CLOUD VISITORS)
GITHUB/ETC
RDP/SSH
PASSWORD
SPRAY & BRUTE
FORCE
Azure

54 Azure
regions 100K+
& subsea
cable
150+ 200+
Miles of fiber Edge
sites
ExpressRoute
partners
Microsoft protecting Microsoft
Hardening (Physical, OS
Continual Scanning
App/Data, etc.)
Penetration Testing
Whitelisting Red Team Ops
Auto-Patching Bug Bounties
and more… One Hunt

Traditional Attackers View

Defenses Corporate Infrastructure Cloud Infrastructure

Automated Assessments Continuous Logging

People Least Privilege
Secure DevOps toolkit & Monitoring
Background Checks Least Privilege Access and more…
Security Training Just-in-time Access Incident Response
Conferences and more… CDOC (24x7 SOC)
Security Monitoring &
Authentication Privileged Access Workstations Development Vigilance
Multi-factor Auth Secure Access Workstations Lifecycle
Anomaly Detection isolation from web/email risks

Rigorous Security
For Privileged Access
The Microsoft Intelligent Security Graph
+1B Windows
devices
Extensive machine learning to: updated &
• Reduce manual effort scanned
• Reduce wasted effort 450B monthly
on false positives authentications
• Speed up detection

18+ billion
web pages scanned

400B e-mails
930M threats analyzed
detected on devices
every month

Unparalleled cybersecurity visibility and insight

Inside The Intelligent Security Graph

Office 365
Windows
Microsoft Azure
Malicious
Bing Products instrumented to
Defender
AV
Software
Removal Tool
strict
Sample Dark Threat Sinkholes and Detonation Services IR
zoos markets feeds honeypots and sandboxes intelligence
PRODUCT AND SERVICE TELEMETRY privacy/compliance standards
[ Privacy/Compliance See Microsoft Trust Center
boundary ]

Analytics help fuel

DATA COLLECTION AND ANALYSIS new discoveries

Collection and Analytics { Publish to

Products send data to graph
Normalization
}
(Machine Learning,
detonation,
Internal
behavior) APIs Products use Interflow APIs
to access results

Azure
Office 365 Products generate data
Azure Advanced
Security Active Windows Threat which feeds back into the
Center
(ASC)
Directory
Identity
Azure
Advanced
Defender
Advanced Threat
Protection
(ATP)
Microsoft
Cloud
graph
Operations
Protection Threat Protection (ATP) Applicatio
Hunters Hunters identify attacks,
Protectio Exchange n Security
Manageme
nt Suite
Microsoft n (ATP) Online (MCAS) improve analytics, feed
Defender
(OMS)
Accounts
Anti-malware
Protection
(EOP)
back into product design
Technical Details on Azure internal
architecture
Most current information in documentation
https://docs.microsoft.com/en-us/azure/security/azur
e-security-infrastructure
3rd party validated information in Service Trust
Portal (STP) -
https://servicetrust.microsoft.com/ - Requires NDA

Most frequently requested information is:

• Azure & Azure Government SOC 2 Type 2 Report (in STP)
• Azure - FedRAMP Moderate System Security Plan (in STP)
• Cloud Security Alliance (CSA) STAR Self-Assessment
https://www.microsoft.com/en-us/trustcenter/compliance/
csa-self-assessment
• CIS Benchmark -
https://azure.microsoft.com/en-us/resources/cis-microsoft
-azure-foundations-security-benchmark/

Azure for AWS Professionals

• https://docs.microsoft.com/en-us/azure/architecture/aws-profession
al
Azure compliance coverage extends across
most industries and geographies
 CSA STAR Attestation  ISO 22301  ISO 27018
Global  CSA STAR Certification  ISO 27001  SOC 1 Type 2
 CSA STAR Self-  ISO 27017  SOC 2 Type 2
Assessment

U.S.  CJIS  FedRAMP  ITAR

 DoD DISA SRG Level 2  FIPS 140-2  Moderate JAB P-ATO
Governme
 DoD DISA SRG Level 4  High JAB P-ATO  Section 508 VPAT
nt  DoD DISA SRG Level 5  IRS 1075  SP 800-171

Industry  CDSA  FISC Japan  IG Toolkit UK

 FACT UK  GLBA  MARS-E
 FERPA  GxP 21 CFR Part 11  MPAA
 FFIEC  HIPAA / HITECH  PCI DSS Level 1
 HITRUST  Shared Assessments

Regional  Argentina PDPA  ENISA IAF  Japan My Number

 Australia IRAP/CCSL  EU Model Clauses Act
 Canada Privacy Laws  EU-US Privacy Shield  New Zealand GCIO
 China DJCP  Germany IT  Singapore MTCS
 China GB 18030 Grundschutz  Spain DPA
 China TRUCS  India MeitY  Spain ENS
 Japan CS Mark Gold  UK G-Cloud
Security Operations Center (SOC) Software as a Service
Microsoft Threat Incident Response, Recovery, & CyberOps
Cybersecurity Reference
Experts Services Architecture Office 365
Azure Sentinel – Cloud Native SIEM and SOAR (Preview) Secure Score
April 2019 – https://aka.ms/MCRA | Video Recording |
Strategies Customer
Vuln Cloud App Azure Microsoft
Office Azure
Security This is interactive! Roadmaps and Lockbox
Mgmt Security Defender 365
Center
1. Present Slide
Guidance Dynamics 365
MSSP Advanced Threat Protection (ATP)
2. Hover for Description 1. Securing Privileged Access Identity & Access
Graph Security API – 3 Party Integrationrd 3. Click for more information 2. Office 365 Security Information Azure Active
3. Rapid Cyberattacks (
Alert & Log
Wannacrypt/Petya)
Protection Directory
Integration
Conditional Access – Identity Perimeter
Management
Clients Hybrid Cloud Infrastructure Cloud App
Azure AD
Security
Unmanaged & On Premises Datacenter(s) 3rd party Microsoft Identity
Mobile Devices IaaS Azure Information Protection
Azure Protection (AIP)

Classification Labels
Leaked cred
Azure Security Center – Cross Platform Visibility, Protection, and Threat Detection
Configuration Hygiene Discover protection
Just in Time VM Access Classify Behavioral
Azure AD PIMAnalytics

Azure Security Adaptive App Control Protect

NGFW Multi-Factor
Extranet

Intune MDM/MAM Firewall Appliance Monitor Authentication

Edge s Hold Your Own Key
DLP
SSL (HYOK) Azure AD B2B
Managed Clients Azure Policy
Proxy AIP Scanner
Azure Key Vault Azure AD B2C
IPS/IDS
Express Route Hello for
Azure WAF
Business
System Center Windows Server 2019 Security Azure
Office 365 MIM PAM
Configuration Manager Window 10 + Just Enough Admin, Hyper-V Containers, Nano server, and Antimalware
Application & • Data Loss Protecti
more… on
Intranet
Servers

Microsoft Defender Shielded Network Security

• Data Governance Azure ATP
ATP VMs Groups
VMs • eDiscovery
Azure Backup & Site
Stack Recovery Azure SQL Active Directory
Secur Threat Threat Detection
e Analyti Privileged Access Workstations Disk & Storage SQL Encryption ESAE Admin
Score cs (PAWs) Encryption & Forest
Confidential Data Masking
Windows 10 Enterprise Included Azure SQL Info
IoT and Operational Technology Computing
Protection
Security with DDoS attack
Network protection App control Azure
Credential protectionIsolation Mitigation+Monit Microsoft Defender
Windows 10 IoT IoT Security Maturity (VMs/etc
Exploit protection Antivirus
Model
or ATP
Reputation analysis Behavior monitoring Azure .)
Azure IoT Premium
Full Disk Encryption Sphere IoT Security
Security Security
Attack surface Architecture Compliance Manager
reduction Feature
S Mode
Security Development Lifecycle (SDL) Intelligent Security
Trust Center
Graph
Azure Security Reference Model
Governance, Risk, &
Compliance
Administration

Security operations

Virtual
Application Code (Security Development Lifecycle)
On prem Machines
& other Infrastructure App Machine
cloud Azure Logic Event IoT Containe
as a Service Service - Learnin
workload (IaaS) SQL Apps Hubs services rs
Web Apps g
s

Identity & Access Management

Network Security & Containment

Storage & Information Protection

Azure Foundation Security

 Example - Securing Privileged Access is a
team sport
Mitigating some risks requires action across multiple disciplines

Administration
Day to day use of privileged access accounts

Security Operations
Monitor for anomalies to “normal” admin operations

Governance (& Architecture)

Standard Setting and Structure
Ongoing refinement and improvement to reduce potential risks
Reference Design - Azure Administration
Model
Azure Enrollment Enterprise Tenant

Azure AD Enterprise Directory

Identity & B2B (Optional) Additional Directories and/or
B2B/B2C

Management Root Management Group (Group of Subscriptions) – Enterprise-wide Policies, Permissions, & Tags
Groups
Segmentation Additional Segment(s)
Core Services
Strategy
Shared Multi-App Single App
Segment(s) Segment(s) Development Stage
Services (&
Edge Security) Segments
Core Services Segment 1 Segment 2 Segment 3 Segment 4 Segment 5

Subscription Segment Segment Segment Segment Segment

Core Services 3
s 1 2 4 5

Resource
Groups &
Resources

Application( Application(
Virtual Primary Primary PaaS Apps Pro
Intranet Extranet s) s) Dev Test
Networks Dev  Test Prod Dev  Test  Prod
d
Dev
DevTest
Test Prod
Prod
Understanding Azure Roles and RBAC
Azure Active Directory Tenant
Active
Directory
Global Administrator (Use sparingly)
Azure AD is
typically
synched with Enterprise Groups and Users
on prem AD
(though Admin
accounts Built-in
should be roles
separate)
Intune Office 365 Azure Tenant
Privileged Role (Enrollment)
Exchange Root management
Administrator group
Admin
App admin
Message Center
Billing admin Reader
Password Admin Management group
…
…
Azure RBAC roles
Owner
Contributor Account
Other Apps Intune Office 365 Reader admin
Subscriptions
Other Built-in Roles
…
Resource group

Service
admin
Notes Resource

• Azure AD resides in an Azure Subscription

• Global Admin can self-assign permission to manage
Azure
• Service & Account Admins are assigned on each
 Azure Security Documentation
https://aka.ms/MyASIS

Azure Security
Documentation Site
has extensive
information on
security topics
 N

Governance, Risk, & Compliance

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/governance
Governance, Risk, and Compliance (GRC)

Key Capabilities Azure Governance Site has extensive

• Azure Security Center – Identify & prioritize documentation to help with risk
security hygiene issues (Secure Score), provide management
recommendations for meeting compliance with https://docs.microsoft.com/en-us/azure/governance/
CIS,
PCI, SOC and ISO
• Management Groups – Consistent
management
across subscriptions and resources.
• Azure Policy – Audits and enforce policy across
all Azure Resources (or a subset).
• Azure Blueprints – Creates consistent,
repeatable environments including resources,
policies, role assignments, and more.
 GRC – Managed Tenants & Subscriptions
CRITICAL BEST PRACTICES

MANAGE CONNECTED TENANTS

• What – Ensure security

organization(s) has visibility into
all subscriptions connected to
your enterprise environment (via
ExpressRoute or
Site-Site VPN) Managed Unmanaged Independent
• Why – Visibility is required to & Connected & Connected Un/Managed
assess risk and to identify Ideal configuration tr
This high-risk This “lab” tr
model can
whether the policies of the is for subscriptions configuration has be useful for
organization and any regulatory to be centrally unmanaged Azure learning
requirements are being followed. controlled and environments and testing, but
managed connected to ensure to
• How – Ensure all Azure
environments that connect to corporate appropriately protect
your production network/resources any production data
environment/network apply or code in it
governance controls.
See http://aka.ms/magicbutton
on how to discover existing
connected subscriptions
 GRC – Key Responsible Parties
CRITICAL BEST PRACTICES
CLEAR LINES OF
RESPONSIBILITY
• What – Designate the parties
responsible for specific functions
in Azure
• Why – Consistency helps avoid
confusion that can lead to
human and automation errors
that create security risk.
• How – Designate groups
(or individual roles) that will
be responsible for key
centralized functions
Most organizations map these closely
to current on premises models.
Document and Socialize this
Tip widely with all teams working
on Azure
Network Security Typically existing network security team
Configuration and maintenance of Azure Firewall, Network Virtual
Appliances (and associated routing), WAFs, NSGs, ASGs, etc.
Network Typically existing network operations team
Management Enterprise-wide virtual network and subnet allocation
Server Endpoint Typically IT operations, security, or jointly
Security Monitor and remediate server security (patching, configuration,
endpoint security, etc.)
Incident Monitoring Typically security operations team
and Response Investigate and remediate security incidents in SIEM or source
console:
• Azure Security Center
• Azure AD Identity Protection
Policy Management Typically GRC team + Architecture
Set direction for use of Roles Based Access Control (RBAC), Azure
Security Center, Administrator protection strategy, and Azure
Policy to govern Azure resources
Identity Security Typically Security Team + Identity Team Jointly
and Standards Set direction for Azure AD directories, PIM/PAM usage, MFA,
password/synchronization configuration, Application Identity
Standards
GRC – Segmentation BEST PRACTICE
CHOIC
E

CRITICAL CHOICE

SEGMENTATION STRATEGY

• What – Identify security segments that are

needed
for your organization to contain risk A GOOD SEGMENTATION STRATEGY:
• Why – A clear and simple segmentation
strategy enables stakeholders (IT, Security, 1.Enables Operations – Minimizes operation friction by
Business Units) can understand and support aligning to business practices and applications
it. This clarity reduces the risk of human
2.Contains Risk - Adds cost and friction to attackers by
errors and automation failures that can lead
to security vulnerabilities, operational o Isolating sensitive workloads from compromise of
downtime, or both other assets
• How – Select the segmentation approaches o Isolating high exposure systems from being used as a
from pivot to other systems
the reference design and assign permissions 3.Is Monitored – Security Operations should monitor for
and network controls as appropriate. potential violations of the integrity of the segments
Minimize Complexity - Always consider (account usage, unexpected traffic, etc.)
whether a segment is needed or whether
Tip security monitoring provides enough risk
mitigation
(each segments adds friction and overhead)
 GRC – Management Groups
CRITICAL BEST PRACTICES
ROOT MANAGEMENT GROUP
• What – Use the Root
Management Group (MG) for
enterprise consistency
• Why – This enables you to apply
governance elements like
policies and tags consistently
across multiple subscriptions.
• How – Assign enterprise-wide
elements that apply to all Azure
assets such as:
 Policy (Azure Policy)
 Resource Tags
 Sovereignty Policy for
Data/Services
See next slide for “Root MG
Usage” guidance and
MG documentation
TOP LEVEL MANAGEMENT
GROUPS
• What –Align top level of
management groups (MGs) with
segmentation strategy
• Why – This provides a point for
control and policy consistency
within each segment as this
management group will affect all
subscriptions in it
• How – Create a single MG for
each segment under the root MG
and do not create any other MGs
under
the root. See reference
administration model for more
details.
Azure Administration
Model
Management Groups
MANAGEMENT GROUP DEPTH
• What – Limit management
group depth
• Why – Too much complexity
creates confusion that impedes
both operations and security.
This was illustrated by overly
complex Organizational Unit
(OU) and Group Policy Objects
(GPO) designs for Active
Directory
• How – Limit to 2 levels if
possible and 3 only if needed.
(e.g. finance department has a
segment with both extremely
sensitive applications and others
that aren’t)
Using all 4 levels of depth
(including root) is not
recommended unless absolutely
required.
 GRC – Root MG Usage
CRITICAL BEST PRACTICES
USE OF ROOT MANAGEMENT GROUP (MG)
• What – Carefully select what items to apply to the
entire enterprise with the root management group.
• How – Ensure root MG elements have a clear
requirement to be applied across every resource
and/or low impact
Good candidates include
 Regulatory requirements with clear business
risk/impact (e.g. restrictions related to data
sovereignty)
 Near-zero potential negative impact on
operations such as policy with audit effect, Tag
assignment, RBAC permissions assignments that
have been carefully reviewed.
• Why – Changes in the root management group can affect every resource on Azure. While this is
a powerful way to ensure consistency across the enterprise, errors or incorrect usage can negatively
impact production operations.
BEST PRACTICE
CHOIC
E
PLAN & TEST ROOT MG CHANGES
• What – Carefully plan and test all
enterprise-wide changes on the root
management group before applying
• How – Test all changes to Root MG in a:
• Test Lab - Representative lab tenant
or lab segment in production tenant
• Production Pilot - Segment MG or
Designated subset in subscription(s) /
MG
Testing should include manual changes,
scripted changes, and implementation of
Azure Blueprints
GRC – Top Risk BEST PRACTICE
CHOIC
E

CRITICAL GUIDANCE

UNPATCHED VM DIRECT INTERNET COMMON INCIDENT

VIRTUAL MACHINE (VM) SECURITY VM DIRECT INTERNET CONNECTIVITY

UPDATES
• What – Monitor and restrict direct internet connectivity
• What – Rapidly apply security updates to • How – Use one or more of the following methods
virtual machines
• Enterprise-wide prevention - Prevent inadvertent
• How – Enable Azure Security Center to exposure via network routing/security + RBAC Permissions
identify missing security updates (in this guidance)
https://docs.microsoft.com/en-us/azure/security-center/secur
ity-center-apply-system-updates • Identify and Remediate exposed VMs with
Azure Security Center
Apply updates using enterprise patch • Restrict management ports (RDP, SSH) using
management or Azure Update Management Just in Time access
Why – Attackers constantly scan public cloud IP ranges for open management ports and attempt “easy”
attacks that exploit common passwords and unpatched vulnerabilities
GRC – Security Incident Notification BEST PRACTICE
CHOIC
E

CRITICAL GUIDANCE

INCIDENT NOTIFICATION

• What – Ensure a security contact

receives Azure incident
notifications from Microsoft
(typically a notification that your
resource is compromised and/or
attacking another customer)
• Why – Enables security operations
to rapidly respond to potential
security risks and remediate them.
• How – Ensure administrator
contact information in the Azure
enrollment portal includes contact
information that will notify security
operations (directly or rapidly via See online service terms “Security Incident Notification” section
an internal process) for specific contractual commitments
GRC – Access Reviews BEST PRACTICE
CHOIC
E

CRITICAL GUIDANCE

REGULARLY REVIEW CRITICAL

ACCESS

• What – Regularly review privileges

with a business-critical impact
• Why – Access requirements
change over time but technical
privileges typically only grow
(accruing significant risk).
• How – Set up a recurring review
pattern
• Manual Process
• Automated - Using Azure AD
access reviews for all groups with
critical business impact
https://docs.microsoft.com/en-us/azure/ac
See tive-directory/governance/create-access-r
administration section for guidance
on identifying
eview roles with a critical
business impact
GRC – Security Posture Improvement
CRITICAL GUIDANCE
MONITOR AZURE SECURE SCORE
• What – Use Secure Score in Azure Security
Center to identify key recommendations and
monitor progress
• How – Review your Azure secure score to see
the recommendations resulting from the Azure
policies and initiatives built into Azure Security
center. These include top risks such as security
updates, endpoint protection, encryption,
security configurations, missing WAF, internet
connected VMs, and many more.
https://docs.microsoft.com/en
-us/azure/security-center/
security-center-secure-score
Why – Rapidly identifying and remediating common security hygiene risks can significantly reduce overall
risk
BEST PRACTICE
CHOIC
E
REMEDIATE IDENTIFIED RISKS
• What – Monitor the security posture of
machines, networks, storage and data services,
and applications to discover potential security
issues.
• How – Follow the security recommendations in
Azure Security Center starting with the highest
priority items. The remediations can frequently
be initiated from within the console.
https://docs.microsoft.com/en
-us/azure/security-center/security-center-
recommendations
Governance – Access for Security
Personnel
CRITICAL BEST PRACTICES
SECURITY TEAM VISIBILITY
• What – Provide security teams
security visibility to all Azure
resources
• Why – Security requires visibility
in order to assess and report on
risk
• How – Assign security teams
with Azure responsibilities to the
Security Readers role using
either:
• Root management group
(MG) – for teams responsible
for all Azure resources
• Segment MG – for teams
with limited scope
(commonly because of
regulatory or other
organizational boundaries)
AZURE SECURITY CENTER
ACCESS
• What – Provide access to Azure
Security Center (ASC) for teams
using this tool to remediate risk
in Azure
• Why – Azure Security Center
allows teams to quickly identify
and remediate security risks
• How – Assign teams requiring
access to ASC to the security
admins role
• Set/enforce policies
• Take actions to
remediate recommendations
• This can be assigned at the the
root management group or
segment management group(s)
depending on the scope of
GRC – Insecure Legacy Protocols BEST PRACTICE
CHOIC
E

BEST PRACTICE

DISABLE INSECURE PROTOCOLS

• What – Discover and disable the use

of SMBv1, LM/NTLMv1, wDigest,
Unsigned LDAP Binds, and Weak
ciphers in Kerberos.
• Why – Authentication protocols are
critical to nearly all security
assurances. Attackers with access to
your network can exploit weaknesses
in older versions of these protocols.
• How –
• Discover usage by reviewing logs
with Azure Sentinel
Insecure Protocol Dashboard or 3rd
party tools
• Restrict or Disable use of these
protocols (recommend
pilot/testing).
Guidance for SMB, NTLM, WDigest
GRC – Compliance
GUIDANCE

REGULATORY COMPLIANCE AZURE BLUEPRINTS

• What – Use Azure Security Center to report
on compliance with regulatory standards
• What – Use Azure Blueprints to rapidly and
consistently deploy compliant workloads
• How – Azure Blueprint Service automates
deployment of environments including RBAC
roles, policies, resources
(VM/Net/Storage/etc.), and more. Several
Security and Compliance Blueprints
templates are available

• How –
https://docs.microsoft.com/en-us/azure/secu
rity-center/security-center-compliance-dash
board
Why – These capabilities help you stay compliant with regulatory standards
GRC – Benchmarks
GUIDANCE

EVALUATE USING BENCHMARKS

• What – Benchmark your

organization’s Azure security against
external sources

• Why – External comparisons help

validate and enrich your team’s
security strategy.

• How – Compare your configuration to

guidance like Center for Internet
Security (CIS) Benchmarks

Benchmark -
https://www.cisecurity.org/benchm
ark/azure/

ASC Compliance Check

https://docs.microsoft.com/en-us/a
zure/security-center/security-cente
r-compliance-dashboard
 GRC – Azure Policy
GENERAL BEST PRACTICE

IMPLEMENT AZURE POLICY

• What – Use Azure policy to

monitor and enforce your
organization’s security policy
• Why – Ensure compliance with
your security strategy and/or
regulatory security requirements
across your Azure workloads.

• How – Follow the instructions in

the Azure Policy documentation
to plan and create policies
https://docs.microsoft.com/en-
us/azure/governance/policy/tu
torials/create-and-manage
GRC – Elevated Security Capabilities BEST PRACTICE
CHOIC
E

GENERAL GUIDANCE

Azure Customer Lockbox

Determine whether your personnel are required to review and approve or reject access requests from Microsoft
support engineers where your data must be accessed to resolve a support issue.
https://docs.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview

A small number of regulatory bodies explicitly require specialized security measures.

While broadly available, these capabilities often increase overhead and cost.

Dedicated Hardware Security Modules (HSMs)

Identify whether you need to utilize dedicated Hardware Security Modules (HSMs) to meet regulatory or security
requirements
https://docs.microsoft.com/en-us/azure/dedicated-hsm/

Confidential Computing
Identify whether you need to utilize Confidential Computing to meet regulatory or security requirements
https://azure.microsoft.com/en-us/blog/azure-confidential-computing/
GRC BEST PRACTICE
CHOIC
E

GENERAL GUIDANCE

Monitor Azure AD Risk Reports

Monitor your Azure AD Risk Reports for
 Risky sign-in
 Risky users
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk
-events

Penetration Testing
Use Penetration Testing or Red Team activities to validate security defenses
https://technet.microsoft.com/en-us/mt784683
 N

Security Operations

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/security-operations
Microsoft’s approach
The First Big (from
Challenge our SOC)
of every SOC
Enforce Quality + Apply
Overwhelming SignalTechnology
& Limited Human Capacity

Detect Respond
Billions of events per
month

CONCERN 1
CONCERN 2
Miss real detections
Attackers operate freely
while chasing false positives Enforce 90% true positive until remediated
on alert feeds
Machine Learning
(Artificial Intelligence)

Focus on time to acknowledge and

Behavioral Analytics remediate
(UEBA) Security Orchestration,
(User and Entity) Automation,
and Remediation (SOAR)

Hundreds of
investigations
SIEM Integration
Existing SIEM AZURE SENTINEL
Microsoft provides APIs and connectors Built-in 1st & 3rd party connectors

GRAPH SECURITY API

Alert Integration & Actions

Office 365
Log & Alert Integration
Azure, Office 365, Azure
Azure Advanced Threat Prot
ection (ATP),
Microsoft Security Tools
Microsoft Defender ATP,
Microsoft Cloud App Security

FIREWALL, NETWORK, AND MORE

Built in
connectors
varies
depending on
SIEM vendor

CEF/Syslog/API
Integrated toolset for
rapid threat remediation SOC Reference
Architecture
Breadth
Microsoft Threat Protection • Unified Alert Queue
• Customized Alerts

Cloud Native SIEM + SOAR - Azure Sentinel

Built on Azure Monitor, Logic Apps, and Microsoft’s UEBA/ML Technology

NETWOR SERVERS IAAS OTHE

ENDPOINT IDENTITY SaaS AZURE KEvent Log Data from Devices, Services, R
Windows Defender Azure ATP + Azure Office 365 Advanced Azure Security and Security Tools (3rd party and
ATP Endpoint AD Identity Threat Protection Center Microsoft)
Detection & Protection (ATP) + Cloud App
Response (EDR) Security

Depth
• High quality alerts
• End to end investigation and remediation
Centralized Visibility
Azure Security Center Azure Sentinel
IDENTIFY PROTECT DETECT RESPOND RECOVER

GRC IT / Security SOC

Professional Professional Analyst
Assess Risk Implement Primary Console
& Compliance Protections Alerts, Investigation

Log
Flow

Generate
Alerts

Identity Endpoin Cloud Network and

t more
Security Operations – Azure Alerts BEST PRACTICE
CHOIC
E

CRITICAL GUIDANCE

Azure Security Center

ASC BUILT IN SECURITY ALERTS Alerts
Virtual Machine Behavioral
• What – Enable Azure Security Analysis (VMBA)
SQL Database & Data
Center security Alerts Warehouse Analysis​
• Why – Azure Security Center
provides actionable detections for
Contextual Information
common attack methods (Alert List
depicted on this slide), which can
save your team significant effort on
query development. Network Analysis
These alerts are focused on high
true positive rate by leveraging
Microsoft’s
extensive threat intelligence,
advanced machine learning, industry
leading Endpoint Detection &
Response (EDR) (MITRE report), and
other approaches.
• How – Enable Azure Security Center
(Recommend Standard Tier)
https://docs.microsoft.com/en-us/azu
Security Operations – Alert & Log
Integration
GENERAL GUIDANCE
NOW - ALERT INTEGRATION
• What – Integrate Alerts from
Azure Security Center into your
existing SIEM (if you are
currently using one).
• Why – Organizations use SIEMs
as a central clearinghouse for
security alerts that require an
analyst to respond
• How – Follow these instructions
https://docs.microsoft.com/en-us
/azure/security-center/security-c
enter-export-data-to-siem
• Alternately, you can use Azure
Security Center for central
security dashboard function if
• You don’t have a SIEM
• Your teams desire/require a console
focused on Azure resources
NOW - CRITICAL LOGS
• What – Integrate Azure logs with
your SIEM (or archive logs if no
SIEM)
• Why – These logs enable security
incident investigation and enable
you to query data prior to the
online log retention period of the
service.
• How – Use Azure Monitor to gather
logs
C R I T I C A L LO G S AZURE MONITOR
LATER - ADDITIONAL LOGS
• What – When required,
integrate additional Azure
service logs for Azure
platform and services into
your SIEM
• Why – Additional Logs may
be required for investigation
and for generating
customized alerts for
applications and Azure
service usage.
• How – Follow these
instructions and guidance to
onboard appropriate logs
https://docs.microsoft.com/
en-us/azure/security/azure-l
og-audit
Security Operations – Journey to Cloud
Analytics
CRITICAL CHOICE
CLOUD ANALYTICS STRATEGY
• What – Choose when and how to
integrate cloud-based security
analytics/SIEM (such as Azure
Sentinel, ELK stack, etc.)
• Why – As more enterprise
services generate security data in
the cloud, hauling this data back
to on premises becomes
expensive and inefficient. This ‘
Data Gravity’ will increasingly
require security analytics to be
hosted in the cloud as you
migrate workloads.
• How – Ensure your strategy for
3. Cloud Native Architecture
Security analytics and storage use native
cloud services.
2. Side by Side Architecture
Separate event log stores and analytics
engines
• On premises for local resources
• Cloud based analytics for cloud
resources
Integration can be done at the level of
• Alerts – using
Microsoft Graph Security API
• Function as either a
Incidents – using case management
tooling
1. On-Premises SIEM
Benefits of native cloud
analytics may also accelerate
transition plans (advanced
capabilities, simplified
management, etc.)
Can be Native Cloud Analytics
(recommended) or
Infrastructure as a Service (IaaS)
SIEM. Native is recommended
over IaaS because of reduced
infrastructure management
Hybrid Architecture can
• Transition State

security analytics & SIEM plans Architecture • Permanent State

for this transition and includes Classic model with on-premises analytics &
thresholds & timing for database
progression into each phase.
Security Operations BEST PRACTICE
CHOIC
E

GENERAL GUIDANCE

Have analysts learn new authentication flows

Many analysts may be unfamiliar with how newer authentication protocols like OAuth, SAML, and WS-Federation
work. Ensure analysts get familiar with these protocols as they are different than on premises protocols like
NTLM and Kerberos

Prioritize critical impact admin accounts

Ensure your SOC processes prioritize attacks on critical impact admins that could have a significant business
impact if compromised. Prioritization should include admin only elements like Azure AD PIM as well as
prioritizing general detections that include admin users like leaked credentials, behavior analytics, etc.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-su
mologic

On-Premises Identity Attack Detection

Attackers frequently use pass the hash/ticket/password and other credential theft/impersonation attacks which
can affect Infrastructure as a Service (IaaS) Virtual Machines (VMs). Azure Security Center includes some
detections on Azure, but you should also consider specialized identity security tools such as Azure ATP or a 3rd
party solution (which can also protect on-premises components).
 N

Identity and Access Management

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/identity
Identity as the Control Plane
Single Sign-On and Zero Trust Access Control Across Your Enterprise

Partner
Customerss

Commercial
IdPs BYOD
Azure
Consumer Active Directory
IdPs

Windows Server Azure AD

Active Directory Connect

On-
premises
Cloud
 Managed identities for Azure resources

 Simplifies Azure VM
Azure Service
authentication/security for Your code 3 (e.g. ARM, Azure
Storage)
developers (vs. service
principals) 1

 Authenticate to services without Azure Active Directory

http://localhost/oauth2/token
inserting credentials into code
 Target Service must support Azure AD
MSI VM 2
authentication Extension
 E.g. Allow (code running on) a specific
Credentials
VM to access Azure Key Vault, Storage
Account, Azure SQL, etc.
https://docs.microsoft.com/en-us/azure/active-dir
Azure (inject and roll credentials)
ectory/managed-identities-azure-resources/overv
iew
Top 3 Attacks

lllllllll
Password Spray
200,000 accounts compromised in Aug 2018
(Primarily via legacy AuthN protocols)

Phishing
5B emails blocked in 2018
44M risk events in Aug 2018

lllllllll
Breach Replay
650,000 accounts with leaked credentials in 2018
 [email protected] Password123
[email protected] Password123
Password Spray [email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
Typical Attack [email protected] Password123
m Password123
1. Attempt a common password
[email protected] Password123
used against many, many [email protected] Password123
accounts. [email protected] Password123
(stay below account lockout
[email protected] Password123
threshold)
[email protected] Password123
2. After successful login, dump [email protected] Password123
the GAL. [email protected] Password123
3. Start pivoting in environment. m
Password123
Identity – Consistency
CRITICAL BEST PRACTICES

SINGLE ENTERPRISE SYNCHRONIZE WITH ACTIVE AZURE AD FOR APPLICATIONS

DIRECTORY DIRECTORY & IDENTITY
SYSTEMS
• What – For new development,
• What – Establish a single use Azure AD for consistent
enterprise Azure Active Directory • What – Synchronize Azure AD authentication
(Azure AD) instance with your existing on-premises • How – Use appropriate
• How – Designate a single Azure AD capabilities to support
AD directory as the authoritative • How – Leverage Azure AD authentication needs :
source for connect to synchronize with on • Azure AD – Employees
corporate/organizational premises AD and any identity • Azure AD B2B – Partners
accounts. management systems
• Azure AD B2C -
https://docs.microsoft.com/en-us/azure Customers/citizens
/active-directory/connect/active-direct
ory-aadconnect
• Why – Consistency and single authoritative sources will increase clarity and reduce security risk from human errors
and configuration/automation complexity.
Identity
CRITICAL BEST PRACTICES

BLOCK LEGACY AUTHENTICATION DON’T SYNCH AD ADMINS

• What – Block legacy authentication protocols for • What – Don’t synchronize accounts to Azure AD
Azure AD that have high privileges in your existing Active
• Why – Weaknesses in older protocols are actively Directory
exploited by attackers daily, particularly for • Why – This mitigates the risk of adversaries
bypassing MFA and for password spray attacks pivoting from cloud to on premises assets
(majority use legacy auth) (creating a potential major incident).
• How – Configure Conditional Access to block legacy • How – This is blocked by default. Do not change
protocols the default Azure AD Connect configuration that
filters out these accounts
https://techcommunity.microsoft.com/t5/Azure-Ac
tive-Directory-Identity/Azure-AD-Conditional-Acce
ss-support-for-blocking-legacy-auth-is/ba-p/24541 See also the converse guidance in Administration
7 section:
• Critical Impact Admin - Account
• Critical Impact Admin - Workstation
For more information
https://www.youtube.com/watch?v=wGk0J4z90G
I
 Identity – Password Synchronization
CRITICAL BEST PRACTICE

SYNCHRONIZE PASSWORD B. Check

Azure AD Azure AD
HASHES Risk Report Identity
Admin Protection
Leaked A, Identify matches
Credential with leaked
Database credentials
• What – Synchronize your user
password hashes from on-premises
Active Directory instance to Azure 1. Request unicodePWD via MS-DRSR
7. String + salt + iteration count (SSL)
Active Directory (Azure AD). 2. Encrypted unicodePWD via MS-DRSR

• Why – This increases both Windows Server 2016

Domain Controller
Azure AD
Connect Server
Azure Active
Directory
8a. If conditional
access enabled
and password
• Security - Protects against leaked matches leaked
credentials being replayed from previous Processing credential, force
user to change
3. Decrypts envelope to retrieve MD4 hash
attacks 4. Convert to 64-byte binary Conditional
password
5. Add 10-byte salt (including MFA
Access
• Reliability - Customers affected by 6. PBKDF2 + 1,000 iterations of HMAC-SHA256 validation)

(Not)Petya attacks were able to continue

business operations when password
hashes were synced to Azure AD (vs.
near zero IT functionality for customers 8. User signs into Azure AD. If their
hashed password matches the
who did not) stored password then the user is
User Devices authenticated.

• How – Configure Azure AD Connect

to synchronize password hashes
https://docs.microsoft.com/azure/active-director
y/connect/active-directory-aadconnectsync-impl
ement-password-hash-synchronization
Identity – Password Protection from Cloud
CRITICAL BEST PRACTICES

2. Automatic Enforcement
AZURE AD PASSWORD
PROTECTION Automatically remediate high risk passwords with Conditional Access
(leveraging Azure AD Identity Protection risk assessments)
https://docs.microsoft.com/en-us/azure/active-directory/identity-protectio
• What – Choose the level of n/overview
password protection in Azure
Active Directory
• Why – Static on-premises 1. Report & Remediate
defenses capabilities can no View reports and manually remediate accounts
longer protect password-based • Azure AD reporting - Risk events are part of Azure AD's security
accounts.
reports. For more information, see the users at risk security report
• Microsoft - and the risky sign-ins security report.
https://www.microsoft.com/en-us/re •
search/publication/password-guidan Azure AD Identity Protection - Risk events are also part of the
ce/ reporting capabilities of Azure Active Directory Identity Protection.
• Use the Identity Protection risk events API to gain programmatic
• NIST - access to security detections using Microsoft Graph.
https://pages.nist.gov/800-63-3/sp8
00-63b.html

Passwordless solutions are ideal

0. Do Nothing (Not Recommended)
and MFA can help, but password-
Identity BEST PRACTICE
CHOIC
E

GENERAL GUIDANCE

AZURE AD FOR LINUX LOGIN

Use Azure Active Directory for authenticating to Linux VMs to simplify management and security
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad

CLOUD PROTECTION FOR ON PREMISES ACTIVE DIRECTORY

Protect passwords in your on-premises AD using Azure AD
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
 N

Administration

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/critical-impact-accounts
Highest Protection for Highest Privileges

Critical Impact Accounts in Most guidance in this section refers to

Azure
1. Administrative Privileges
protecting IT Admin accounts

• Global Azure AD Admins + Azure Tenant You should consider applying similar
Admins procedures to other admins as well
2. Data Access
• Groups & Accounts with
read/write/delete access to business-
critical data
3. Operational Access
• Groups & Accounts with control
of business-critical systems
*Owners & Admins of Management Groups
MGs/Subscriptions containing
• Shared Services
• Business Critical Apps
Admin – Quantity BEST PRACTICE
CHOIC
E

CRITICAL BEST PRACTICES

LEAST NUMBER OF CRITICAL IMPACT ADMINS

• What – Grant the fewest How –

number of accounts to groups • Assign at least 2 accounts for business
with critical business impact continuity

• Why – Each admin account

represents potential attack • When 2+ accounts, provide justification for
surface and business risk each

• Regularly review members & justification

• Grant only required privileges (using built in RBAC roles) vs. global admin and segment
Tips owner roles
• For people outside your organization, use AAD B2B Collaboration instead of personal or
corporate accounts
Admin – Accounts
CRITICAL BEST PRACTICE
MANAGED ACCOUNTS FOR ADMINS
• What – Ensure all critical impact
admins are managed Azure AD
accounts
• Why – This provides enterprise
visibility into whether the policies of
the organization and any regulatory
requirements are followed.
• How – Ensure all critical impact
admins are in your enterprise Azure
AD. Remove any consumer accounts
from these roles (e.g. Microsoft
accounts like @Hotmail.com,
@live.com, @outlook.com, etc.)
CHOIC
BEST PRACTICE
E
SEPARATE ACCOUNTS FOR ADMINS
• What – Ensure all critical impact
admins have a separate account for
administrative tasks
• Why – Adversaries regularly use
phishing and web browser attacks to
compromise administrative accounts.
• How – Create a separate administrative
account for critical privileges. For these
accounts, block productivity tools like
Office 365 email (remove license) and
arbitrary web browsing (with proxy
and/or application controls if available)
Admin – Emergency Access
CRITICAL BEST PRACTICE

BREAK GLASS ACCESS

• What – Ensure you have a mechanism

for obtaining emergency
administrative access
• Why – Provide access in the event of
where normal administrative accounts
can’t be used (federation unavailable,
etc.)
• How – Follow the instructions at
Managing emergency access administr
ative accounts in Azure AD
and ensure that security operations
monitors these accounts carefully
 See identity section for

Admin – Attack Pivot Risk

converse guidance “Don’t
Synch AD Admins”

CRITICAL BEST PRACTICE

CRITICAL IMPACT ADMIN - ACCOUNT CRITICAL IMPACT ADMIN - WORKSTATION

• What – For critical impact accounts, carefully • What – For critical impact accounts, choose
choose the account type and directory whether the admin workstation they use will be
managed by cloud services or existing on-premises
processes
• Why – Leveraging existing management and identity de/provisioning processes can decrease some risk, but can
also create
risk of an attacker compromising an on-premises account and pivoting to the cloud. You may choose a different
strategy for different roles (e.g. IT admins vs. business unit admins)

DEFAULT
RECOMMENDATION Native Cloud Management & Protection
Native Azure AD Accounts
• Join to Azure AD & Manage/Patch with Intune/other
Create Native Azure AD Accounts that are not
• Protect and Monitor with Windows Defender
synchronized with on-premises Active Directory
ATP/other

Manage with Existing Systems

Synchronize from On Premises Active Directory
Join AD domain & leverage existing
Leverage existing administrative roles
management/security
Administration – Account protection BEST PRACTICE
CHOIC
E

CRITICAL BEST PRACTICES

PASSWORDLESS OR MULTI-FACTOR AUTHENTICATION FOR NO STANDING ACCESS

ADMINS
• What – No standing access for
• What – Require all critical impact admins to be passwordless critical impact admins
(preferred) or require MFA. • Why – Permanent privileges
• Why – Passwords cannot protect accounts against common increase business risk by increasing
attacks. attack surface of accounts (time)
https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3016
• How –
• How –
• Just in Time - Enable Azure AD PIM or
• Passwordless (Windows Hello) 3rd party solution) for all of these
http://aka.ms/HelloForBusiness accounts
• Passwordless (Authenticator App) • Break glass – Process for accounts
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentic
ation-phone-sign-in (preferred for low use accounts like
global admin)
• Multifactor Authentication
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-users
tates

Note: Text Message based MFA is now relatively inexpensive for attackers to bypass, so focus on passwordless
&• stronger
3rd PartyMFA
MFA Solution
Admin – Workstation Security
CRITICAL BEST PRACTICES

ADMIN WORKSTATION USERS

SECURITY
ROLES DEVELOPERS

IT OPERATION S / AD M IN S
• What – For critical impact
Enhanced Secured
Low Security High Security Specialized
admins, choose what admin PROFILES Workstation
Security
Workstation Workstation
Workstation –aka
Workstation PAW
workstation security level to • Productivity • Low Security • Enhanced • High Security • High Security
start with (and when you will Apps Plus… Security Plus… Plus…

progress to full admin SECURITY • Application

and browser
• Centrally
Managed
Plus…
• No Local
• Restricted
applications
• No
productivity
workstations) CONTROL activity Policies Admin • Restricted applications
monitored • Defender ATP browsing • Restricted
S • User Managed browsing
• Why – Attack vectors that use policies • Separate
browsing and email (like • Antivirus identity

phishing) are cheap and

common. Isolating critical
impact admins from these will
Secure Workstation
significantly lower your risk of a Documentation
major incident OR Overview- http://aka.ms/SWoverview
Implementation -
• How – Choose level of admin http://aka.ms/secureworkstation
Virtualization Physical Separation
workstation security (using
either Microsoft security
capabilities or equivalent from
3rd party security providers)
Admin – Conditional access BEST PRACTICE
CHOIC
E

CRITICAL BEST PRACTICE

ENFORCE ACCESS SECURITY

• What – Choose security requirements to

enforce for admins managing Azure
• Why – Attackers compromising Azure
Admin accounts can cause significant
harm. Conditional Access can
significantly reduce that risk by
enforcing security hygiene before
allowing access to Azure management
• How – Configure
Conditional Access policy for Azure man
agement
that meets your organizations risk
appetite and operational needs
• Require Multifactor Authentication and/or
More information on Conditional Access:
connection from designated work network https://docs.microsoft.com/en-us/azure/active-directo
• Require Device ry/conditional-access/overview
integrity with Windows Defender ATP (Strong
Assurance)
Admin – Simplify Permissions
CRITICAL BEST PRACTICES
USE BUILT IN ROLES
• What – Use built-in roles for
assigning permissions
• Why – Customization leads
to complexity that inhibits
human understanding,
security, automation, and
governance.
• How – Evaluate the
built-in roles designed to
cover most common
scenarios.
Custom roles are a powerful
and sometimes useful
capability, but they should be
reserved for cases when built
in roles won’t work
AVOID GRANULAR AND CUSTOM PERMISSIONS
• What – Avoid permissions specifically referencing resources or
users
• Why – Specific permissions create unneeded complexity and
confusion, accumulating into a “legacy” configuration that is
difficult to fix (without fear of “breaking something”)
• How –
Avoid Resource specific permissions – Instead, you should
use
Management Groups for enterprise wide permissions
Resource groups for permissions within subscriptions
Avoid user specific permissions – Instead, you should
Assign access to groups in Azure AD.
If there isn’t an appropriate group, work with the identity team to create one
This allows you to add and remove group members externally to Azure and ensure
permissions are current, while also allowing the group to be used for other purposes such as
mailing lists.
Admin – Account Lifecycle
GENERAL GUIDANCE

Automatic deprovisioning
Ensure you have a process for disabling or deleting administrative accounts when
admin personnel leave the organization (or leave administrative positions)
See also “Regularly Review Critical Access” in Governance, Risk, and Compliance
section
Attack Simulation
Regularly test administrative users using current attack techniques to educate
and empower them. You can use Office 365 Attack Simulation capabilities or a 3 rd
party offering
https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator
 N

Network Security & Containment

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/network-security-containment
Azure Networking Services

Virtual Network DDoS Protection

Virtual WAN Firewall

ExpressRoute Network Security Groups

VPN Web Application Firewall

DNS Virtual Network Endpoints

CDN
Network Watcher
Front Door
ExpressRoute Monitor
Traffic Manager
Azure Monitor
Application Gateway
Virtual Network TAP
Load Balancer
Network protection services

NSG

DDoS Web Application Azure Network Service Security

protection Firewall Firewall Security Groups Endpoints Appliances

DDOS protection Centralized Centralized Distributed Restrict access Leverage your

tuned to your inbound web outbound and inbound to Azure service existing skillsets,
application application inbound (non- and outbound resources (PaaS) processes, and
traffic patterns protection from HTTP/S) network network (L3-L4) to only your licenses by adding
common exploits and application traffic filtering on Virtual Network technologies from
and vulnerabilities (L3-L7) filtering VM, Container the Azure
or subnet Marketplace

Application protection Segmentation And more…

 Physical vs. Software Defined Networking
Intercept points Controls on groups of assets

NSG

12

Internet

NSG NSG
4 5
Physical vs. Software Defined Networking
Intercept points Controls on groups of assets

Azure Firewall

1
Public IP

Firewall
Virtual Network
2
Internet Subnet

NSG
Subnet

Network NSG NSG

Subnet Subnet
Security Group
(NSG)

6
Web App Firewalls

Azure Firewall

1
Public IP

Firewall
Virtual Network
2
Internet Subnet

NSG
Subnet

Public IP

Web Application
Firewall

Network NSG NSG

Subnet Subnet
Security Group
(NSG)

6
Distributed Denial of Service (DDoS)
protection
Basic Protection Built in + Available Advanced Protection
Azure Firewall

1
Public IP

Firewall
Virtual Network
2
Internet Subnet

NSG
DDoS Subnet
Protection
Public IP

Web Application
Firewall

Network NSG NSG

Subnet Subnet
Security Group
(NSG)

6
Connecting to On Premises Resources
ExpressRoute or VPN provides connectivity

Azure Firewall

1
Public IP

Firewall
Virtual Network
2
Internet Subnet

NSG
DDoS Subnet
Protection
Public IP

Web Application
Firewall
NSG
Gateway Subnet
On Premises ExpressRoute
Network(s) ExpressRo
ute
Gateway

Network NSG NSG

Subnet Subnet
Security Group
(NSG)

6
 Reference Configuration with Native Controls
zure Firewall + Application Gateway with Web App Firewall (WAF)
Core Services

Core Services Subscription

Azure Firewall

1
Public IP

Firewall
Virtual Network
2
Internet Subnet

NSG
DDoS Subnet
Protection
Public IP

Web Application
Firewall
NSG
Gateway Subnet
On Premises ExpressRoute
Network(s) ExpressRo
ute
Gateway

Network NSG NSG

Subnet Subnet
Security Group
(NSG)

6
 Reference Configuration with Virtual
Next Generation Firewall with Integrated WAF/Proxy
Appliance(s) Core Services

Core Services Subscription

Public IP
Virtual Network
2
Internet
DMZ DMZ
Popular Next Generation outside N
I
C
NVA N
I
C
inside NSG
Subnet
Firewalls available in Azure Availability
set
Marketplace DDoS
N
NVA N
Protection Load balancer NS
I
C
I
C NS

Load balancer enables

G G

scalability and availability

NSG
Gateway Subnet
DDoS Protection Standard
On Premises
can be applied to public IP Network(s) ExpressRo
ute
ExpressRoute
Gateway

addresses.
More Information online Network NSG
Subnet
NSG
Subnet
Security Group
https://docs.microsoft.com/en-us/a (NSG)
zure/architecture/reference-archite
ctures/hybrid-networking/shared-s
ervices

6
Reference Enterprise Design - Azure
Network Security
Hybrid Cloud Infrastructure – Network Architecture

Microsoft Azure
Additional
3rd party IaaS On Core Services
Premises Segment(s)
Development
Shared Services Segment(s)
Datacenter( Stage Segments
Edge Segment
s)
Security Organization
Public
IP Extranet
DDoS Applications
Extrane

Mitigation
Load
Balancer
(Optional)
t

NS
Firewall G Dev
NSG NSG

ExpressRoute Gateway
ExpressRoute Gateway subnet NSG

VNET PEERING
Domain Management &
Controllers Security
Test
Legend
NS NS
Intranet

G G
Subscription
Enterprise
Others as needed
Applications
Virtual Network
Subnet
NS NS
G G
Network Security
NSG
Group Application Prod

HUB – SHARED SERVICE VIRTUAL NETWORK SPOKE(S) - ALIGNED TO SEGMENT MODEL

Network Visibility
Security Information and
Investigation Workflow Analytics
Event Management (SIEM)

Azure Monitor Network Watcher Virtual Tap (Preview)

Log Aggregation Advanced Functions Raw Traffic Access

Virtual Network
2

NSG WAF Azure NSG Packet Capture

Diagnostic Firewall Flow Logs (Point in Time)
Logs
Accessing Azure Services
Internet

Azure Network
(uses public IP address space)
Native PaaS Apps
(App Service Web
App, API, etc.)

Azure Tenant VM VM VM

ExpressRoute
ExpressRoute Gateway VM VM VM

IaaS App
On-premises​ Azure Services
Storage Account,
Event Hub, Database,
App or etc.
Component VM VM VM

VM VM VM
Networks & Containment – Enterprise
Consistency
CRITICAL BEST PRACTICES
SEGMENTATION ALIGNMENT
• What - Align network model
with overall segmentation and
administrative model
• Why – A straightforward unified
security strategy leads to less
errors as it increases human
understanding and automation
reliability.
• How – Build your designs based
on the reference models in this
guidance
ADMINISTRATIV
E create significant security risks that an attacker can exploit
NETWORK SECURITY
CENTRAL NETWORK CENTRALIZED NETWORK
MANAGEMENT SECURITY
• What – Centralize governance
• What – Centralize management
and of network security
of core network functions like elements such as Network
ExpressRoute, virtual network virtual appliances functions like
and subnet provisioning, IP
ExpressRoute, virtual network
addressing, and related items. and subnet provisioning, IP
• How – Recommend using an addressing, etc.
existing on premises process if • How – Recommend using an
applicable. This is typically a existing on premises process if
central networking group or a applicable. This is typically a
council of key stakeholder central networking group or a
groups from business units. council of key stakeholder
groups from business units.
• Why – Inconsistent strategy and management of these core functions can
Networks and Containment
PRAGMATIC CONTAINMENT STRATEGY
• What – Build a risk containment
strategy that blends the best
available approaches
• Existing controls and practices
• Native controls available in
Azure
• Zero trust approaches to
continuous validate
• Why – Containment of attack
vectors within an environment is
critical, but traditional approaches
aren’t enough and must evolve.
Consistency of controls across on-
premises and cloud infrastructure is
important, but defenses are more
effective and manageable when
leveraging native azure security
controls, dynamic (just in time)
approaches, and integrated
identity/password controls (e.g. zero
trust / continuous validation)
Network Security Groups (NSGs) for subnets
Use Network Security Groups to protect against unsolicited
traffic into Azure Subnets (replaces/supplements East-West
traffic controls)
Choose host-based firewall strategy
Choose whether to continue existing practices for host-
based firewalls in Azure or discontinue their use.
Zero Trust approach for new micro/segmentation
initiatives
Adopt Zero-trust based approaches for new initiatives that
validate trust at access time (instead of static network
IP/Port controls)
1. Conditional Access to resources based on device,
identity, assurance, network location, and more.
More Info
2. Just in Time Management Port Access –
using Azure Security Center to enable access only after
workflow approval
3. Just in Time Administrative Privileges – using
Azure AD PIM or a 3rd party PIM/PAM solution
4. Just in Time Local Admin Account Access – using
Local Admin Password Solution (LAPS) or a 3rd party
PIM/PAM solution
Networks and Containment
CRITICAL BEST PRACTICES

INTERNET EDGE STRATEGY

• What – Choose whether to use

Native Azure Controls or 3rd party
Network Virtual Appliances
(NVAs) for internet edge security
(North-South)
• Why – Legacy workloads require
network protection from internet
sources and there are advantages
to using either 1st or 3rd party
controls to provide this.
• How – Select a strategy using the
comparison information 
Note – Some organizations choose a
hybrid configuration where some
VNets use advanced 3rd party controls
and others use native controls
AZURE NATIVE CONTROLS
Basic capabilities with simple
integration & management
Azure Firewall + Web App
Firewall (in Application
Gateway)
These offer basic security that is
good enough for some scenarios
with a fully stateful firewall as a
service, built-in high availability,
unrestricted cloud scalability,
FQDN filtering, support for
OWASP core rule sets, and simple
setup and configuration
3RD PARTY CAPABILITIES
Advanced security capabilities
from existing vendors
Next Generation Firewall
(NGFW) and other 3rd party
offerings
Network virtual appliances in the
Azure Marketplace include
familiar security tools that
provide enhanced network
security capabilities
Configuration is more complex,
but allows you to leverage
existing capabilities, and skillets
Networks
CRITICAL CHOICE

EXPRESSROUTE TERMINATION

• What – Identify where to terminate ExpressRoute

private peering (or Site to Site VPN) in existing
(on-premises) network
• Why – The termination point can affect firewall
capacity, scalability, reliability, and network
traffic visibility
• How –
• Terminate outside the firewall (DMZ
Paradigm) If you require visibility into the
traffic, continue an existing practice of isolating
datacenters, or if you are solely putting https://docs.microsoft.com/en-us/azure/express
extranet resources on Azure. route/expressroute-introduction
• Terminate inside the firewall (Network
Extension Paradigm - Default
Recommendation) In all other cases,
recommend treating Azure as a Nth datacenter
Network – Deprecating Legacy Technology
CRITICAL CHOICES
CLASSIC NETWORK INTRUSION
DETECTION/PREVENTION SYSTEMS
(NIDS/NIPS)
• What – Choose whether to add existing
NIDS/NIPS capabilities on Azure
• Why – The Azure platform already filters
malformed packets and most classic
NIDS/NIPS solutions are typically based on
outdated signature-based approaches which
are easily evaded by attackers and typically
produce high rate of false positives.
• How –
• Do Not Add (Default Recommendation)
• Add to Azure tenant
NETWORK DATA
LOSS PREVENTION (DLP)
• What – Choose whether to add Network
DLP capabilities on Azure
• Why – Network DLP is increasingly
ineffective at identifying both inadvertent
and deliberate data loss. This is because
most modern protocols and most attackers
use encryption (most available attacker
toolkits have encryption built in)
• How –
• Do Not Add (Default Recommendation)
• Add to Azure tenant
Networks and Containment – Subnet & NSG
Design
DESIGN VIRTUAL
NETWORKS & SUBNETS
FOR GROWTH
• What – Avoid provisioning small
virtual networks and subnets
• Why – Most organizations add
more resources than initially
planned on top of VNets and
subnets, triggering a labor-
intensive re-allocation of
addresses. There is limited
security value in small subnet
size + increased overhead to
map an NSG to each.
• How – Define subnets broadly to
ensure that you have flexibility
for growth. A rule of thumb is to
assume you will migrate all
enterprise resources to Azure as
an end state.
APPLICATION SECURITY
GROUPS (ASGS)
• What – Simplify NSG rule
management by defining
application security groups (
ASGs)
• Why – While their use is not
required, defining ASGs allow
you to simplify setup and
maintenance of NSG rules.
• How – Define an ASG for lists of
IP addresses that you expect
may
• Change in the future
• Be used across many NSGs
Ensure to name them clearly for
others to understand their
content/purpose.
AVOID FULLY OPEN ALLOW
RULES
• What – Don’t assign allow rules
with extremely broad ranges
(e.g. allow 0.0.0.0 -
255.255.255.255)
• Why – These lead to a false
sense of security and are
frequently found and exploited
by red teams.
• How – Ensure your
troubleshooting procedures
discourage or ban these “fully
open” allow rules
Discover these issues with
Network Security Watcher and
correct them
https://docs.microsoft.com/en-us/azur
e/network-watcher/network-watcher-
nsg-auditing-powershell
Networks and Containment – DDoS
Mitigations
GENERAL GUIDANCE

DDOS MITIGATIONS

• What – Enable DDoS Mitigations

for all business-critical web
applications, and services
• Why – DDoS attacks are
prevalent and are very
inexpensive to access on the
dark markets
• How – Evaluate and select the
best option for protecting your
critical applications and services
• Azure DDoS basic
• Azure DDoS standard
• 3rd party service
 Networks and Containment –
Egress/Ingress
GENERAL GUIDANCE

NETWORK INGRESS/EGRESS SECURITY

• What – Choose whether to route Azure

ingress/egress traffic through on-premises
network edge security or via security hosted
on Azure
• Why – Routing all internet traffic for Azure
through on-premises ingress/egress points
can add significant cost and latency at
scale.
• How – Choose
On Premises Azure
Direct Internet (Default
recommendation) - Route traffic
directly to internet using Azure hosted Traffic hairpin approach fits a Datacenter Expansion paradigm
network edge security. and works well for a quick proof of concept, but scales poorly
because of the increased traffic load/latency and cost.
“Hairpin” (Not recommended) -
Route all traffic through existing network Direct Internet approach fits a Nth Datacenter paradigm and
edge security on premises. with forced scales much better for an enterprise deployment as it removes
tunneling on Azure ExpressRoute or unnecessary hops.
Site-to-Site VPN
Network – Advanced Visibility BEST PRACTICE
CHOIC
E

GENERAL GUIDANCE

Network Logs
As required, integrate network logs into SIEM / analytics platform using Azure Monitor
• NSG Logs
• WAF Logs
• Azure Firewall Logs

NSG Flow Logs

If you do this today, Integrate NSG flow logs and packet capture (via Network Watcher) into your investigation
workflow

Virtual TAP
If required, integrate virtual TAP into existing network monitoring program/analytics capability
 N

Information Protection
& Storage

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/storage-data-encryption
Azure Storage
REST REST REST REST SMB 3.1

Azure Cloud Storage:

• Object based, durable, massively scalable storage Blob/Disk Table Queue File Share
• Designed from ground up by Microsoft Endpoint Endpoint Endpoint Endpoint
• Presents as Blobs, Disks, Tables, Queues and Files
• Accessed via REST APIs, Client Libraries and Tools Massive Scale Out & Auto Load Balancing Index
Layer
Access Control
• Azure Active Directory (Azure AD)
• Symmetric Shared Key Authentication Distributed Replication Layer
• Shared Access Signature (SAS)

Notable Security Attributes

• All data is encrypted by the service
• No read without write (mitigate cross-tenant data More Information
leaks)
• Maintains 3 Synchronous copies of data Storage Syst
Azure Stora
• Virtual storage, not dedicated disks em
ge Managed
• Detailed activity logging availability (Opt in) Design and
Disks
• Data will remain only in the region you choose Architecture
:
Azure Storage Firewalls
Configured on each Storage
Account Enterprise
Network
Other network
traffic
(prompt during creation)
Internet
 Controls network access using
ACLs
 Enforced on all network protocols
 If not configured, all networks
can access

Firewall
Authentication is still required Subnet Storage Access
to access storage (Azure AD, SAS Virtual
Control

tokens, etc.) Network

Access by Azure Services

must be configured to allow Storage
connection (checkbox) Account
Microsoft
 VM Access to VM Disks not Azure
affected by storage firewall
 https://docs.microsoft.com/en-us/a
Advanced Threat Protection for Azure
Storage
 Alerts on anomalous access
& potential data exfiltration
 Investigation & remediation guidance

 Alerts in Azure Security Center

Attacker
(2) Possible threat to
access / breach data
User

Apps Azure Storage

Diagnostic Advanced
Log Threat Protection
https://docs.microsoft.com/en-us/a
zure/storage/common/storage-adv
anced-threat-protection
Developer
(1) Turn on Advanced
Threat Protection
(3) Real-time
actionable alerts
 Encryption
Azure Data Encryption is not a
panacea

Layers (and why each is important)

Encryption Technologies
Encrypt Documents and unstructured data
• Regulatory requirements • Azure Information Protection (AIP) or 3rd party
• Data Leakage (malicious or inadvertent) solutions

Application Layer Encryption • BYO Encryption - .NET Libraries, client-side

• Meet regulatory requirements encryption, etc.
• Mitigate against attacks on cloud provider/infrastructure
• SQL Transparent Data Encryption, Always Encrypted
>
Azure Service Encryption • HDInsight Encryption
• Same as application layer • Azure Backup Encrypted at Rest,
• Near zero management effort (for Microsoft managed key) Encrypted VM support
• Azure Disk Encryption - <BitLocker [Windows],
Virtual Machine / Operating Systems DM-Crypt [Linux]>
• Partner Volume Encryption – <CloudLink®
• Mitigate against loss/leakage of VM Disks from storage SecureVM, Vormetric, etc.>
account • BYO Encryption – <Customer provided>
Storage System
• Azure Storage Service Encryption (server side
• Mitigate against attacks on cloud provider/infrastructure encryption) <AES-256, Block, Append, and page
• On by default and unable to disable Blobs>
Storage and Encryption
CRITICAL GUIDANCE
USE AZURE AD FOR STORAGE
AUTH
• What – Use Azure AD for
authenticating access to storage
unless another method is
required and there is no other
option
• Why – Azure AD provides
flexible role-based access
control while providing
accountability
• How – Configure Storage objects
to use Azure AD Authentication
https://docs.microsoft.com/en-us/
azure/storage/common/storage-a
uth-aad
ENABLE VM DISK ENCRYPTION
• What – Enable disk encryption
on
all IaaS VMs
• Why – This provides mitigation
against data leakage from a VM
disk being downloaded directly
from storage (because of
configuration error, etc.)
• How – Configure disk encryption
on all Windows and Linux VMs
https://docs.microsoft.com/en-us/
azure/security/azure-security-dis
k-encryption-overview
BEST PRACTICE
CHOIC
E
ENABLE ENCRYPTION IN
AZURE AND CLOUD SERVICES
• What – Enable built in
encryption features for any
Azure services as
well as 3rd party services you call
from Azure applications.
• Why – Typically near zero
overhead for using integrated
encryption features
• How – See the table in the link
below for which services offer
encryption:
https://docs.microsoft.com/en-us/
azure/security/azure-security-enc
ryption-atrest
Azure Security Center - Remediation
Microsoft and CIS Partnership

Goal
Simplify and drive consistency in
our customers’ efforts to securely
deploy workloads to Azure

Benefits
CIS brings independence and
consensus driven approach
Benchmarks informed by
Microsoft’s experience & best
practices
What are CIS Benchmarks?

Consensus Based Best

Practices
Over 100 benchmarks
covering 14 technology
groups
Examples:
 Ensure Multi-factor Auth is
Enabled
 Ensure SSH access is restricted
https://azure.microsoft.com/en-us/resources
 /cis-microsoft-azure-foundations-security-be
Ensure that 'Data disks' are
encrypted
nchmark/
What's inside a CIS benchmark?

What it applies to…

What to do…
Why to do it…
How to audit…

How to fix…
 M AIN
Summary of CIS Controls v1.0 M EN
U

Control
Section Recommendations
Count
Identity & Access
Setting the appropriate IAM policies 23
Mgmt.
Azure Security Center Configuration and use of Azure Security Center 19

Storage Accounts Setting storage account policies 7

Azure SQL Services Securing Azure SQL Servers 8

Azure SQL Databases Securing Azure SQL Databases 8

Logging/Monitoring Setting logging & monitoring policies on Azure subscriptions 13

Networking Securely configuring Azure networking settings and policies 5

Setting security policies for Azure compute services, specifically virtual
Virtual Machines 6
machines

General security and operational controls, including those related to

Other 3
Azure Key Vault and Resource Locks

Total Recommendations 92