Governance, Risk, & Compliance – Clear Lines of Responsibility in Azure

Consistent procedures avoid the confusion that leads to human and automation errors, and those errors increase an organization's security risk. Clearly defined roles that identify the parties responsible for specific functions in Azure streamline security operations.

Network Security:

Typically existing network security team

Configuration and maintenance of Azure Firewall, Network Virtual Appliances (and associated routing), WAFs, NSGs, ASGs, etc.

Network Management:

Typically existing network operations team

Enterprise-wide virtual network and subnet allocation

Server Endpoint Security:

Typically IT operations, security, or jointly

Monitor and remediate server security (patching, configuration, endpoint security, etc.)

Incident Monitoring and Response:

Typically security operations team

Investigate and remediate security incidents in SIEM or source console:

  • Azure Security Center
  • Azure AD Identity Protection

Policy Management:

Typically GRC team + Architecture

Set direction for use of Role-Based Access Control (RBAC), Azure Security Center, Administrator protection strategy, and Azure Policy to govern Azure resources

Identity Security and Standards:

Typically Security Team + Identity Team Jointly

Set direction for Azure AD directories, PIM/PAM usage, MFA, password/synchronization configuration, Application Identity Standards

The above suggestions are based on the Azure Security Compass document.


Azure Lighthouse limitations

So we tried to implement the recently released Azure Lighthouse by the book, in order to centrally manage multiple Azure customers. The recommended Contributor role, which is the highest Azure role you can use with Lighthouse, has some very interesting limitations, especially around what you can do with Azure Policy: the Microsoft.Authorization/*/Delete and Microsoft.Authorization/*/Write operations are excluded (they sit in the role's NotActions list), so you cannot deploy any Azure Policy definitions or assignments to a customer subscription.


There is a way to work around this limitation of the Contributor role: add a second role to the onboarding (delegation) definition, Security Admin. That role carries its own Actions on Microsoft.Authorization/policyAssignments, policyDefinitions and policySetDefinitions, and the NotActions of one role never subtract from the Actions of another, so the combined assignment can manage policy.
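To see why the second role is needed, here is an added example (not from the post) that evaluates operations the way Azure RBAC does: Actions minus NotActions per role, then the union across roles. The embedded role definitions are abbreviated, hand-copied excerpts of the built-in Contributor and Security Admin roles, so confirm them against the live definitions with `az role definition list --name "Security Admin"` before relying on the verdicts.

```python
"""Evaluate whether a set of Azure RBAC role definitions permits an operation.

Azure computes a role's effective permissions as Actions minus NotActions and
then unions the result across every role assigned to the principal. NotActions
in one role never subtract from another role's Actions, which is why adding
Security Admin next to Contributor restores the policy write operations that
Contributor's NotActions exclude.

The role definitions below are abbreviated excerpts of the built-in roles,
copied by hand for this example, not authoritative definitions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


def pattern_matches(pattern: str, operation: str) -> bool:
    """Azure action matching: case-insensitive, and '*' matches any run of
    characters including '/', so 'Microsoft.Authorization/*/Write' covers
    'Microsoft.Authorization/policyAssignments/write'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role: RoleDefinition, operation: str) -> bool:
    """Actions minus NotActions for a single role."""
    granted = any(pattern_matches(p, operation) for p in role.actions)
    excluded = any(pattern_matches(p, operation) for p in role.not_actions)
    return granted and not excluded


def effective_allow(roles, operation: str) -> bool:
    """Union across roles: permitted if any one assigned role permits it.
    (Azure deny assignments, which can override this, are not modelled.)"""
    return any(role_allows(role, operation) for role in roles)


CONTRIBUTOR = RoleDefinition(
    name="Contributor",
    actions=["*"],
    not_actions=[
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
)

SECURITY_ADMIN = RoleDefinition(
    name="Security Admin",
    actions=[
        "*/read",
        "Microsoft.Authorization/policyAssignments/*",
        "Microsoft.Authorization/policyDefinitions/*",
        "Microsoft.Authorization/policySetDefinitions/*",
        "Microsoft.Security/*",
    ],
)

# Operations a Lighthouse-delegated principal typically needs (constructed list).
OPERATIONS = [
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Authorization/roleAssignments/write",
]


def permission_report(roles, operations=OPERATIONS):
    """Map each operation to (per-role verdicts, effective verdict)."""
    report = {}
    for op in operations:
        per_role = {role.name: role_allows(role, op) for role in roles}
        report[op] = (per_role, effective_allow(roles, op))
    return report


if __name__ == "__main__":
    for op, (per_role, ok) in permission_report([CONTRIBUTOR, SECURITY_ADMIN]).items():
        verdicts = ", ".join(f"{n}={'allow' if v else 'deny'}" for n, v in per_role.items())
        print(f"{op:50} {verdicts:40} effective={'allow' if ok else 'deny'}")
```

Note the last operation in the report: role assignment writes stay denied even with both roles, because neither role's Actions cover them, which is the behaviour you want from a delegated service provider.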


Azure Security Threats are the same and different…

Many attack vectors are seen at about the same rate as on-premises, including social engineering, phishing and ransomware. Microsoft has observed some differences from traditional on-premises attacks, including:

  • Theft and Abuse of Keys – Many cloud services (storage, service endpoints, etc.) accept keys for authentication. Many developers are unfamiliar with security best practices for key management and embed these keys directly into their code. This source code is then frequently posted publicly to services like GitHub, where attackers can find the keys and use them to illicitly access those resources.
  • RDP/SSH Password Spray and Brute Force – The technique of scanning for open RDP/SSH ports and trying common passwords has been around for some time. This attack requires extra attention in Azure because the public IP address ranges of cloud providers are scanned with very high intensity, and there is a higher chance of misconfiguring network security because of unfamiliarity with the controls.
  • Pivot to on-premises from cloud – An attack vector that didn't exist before the cloud is that attackers who have compromised a resource can pivot to Azure from on-premises and vice-versa. Because cloud infrastructure is effectively just another datacenter in your enterprise estate, you need to ensure its security is equal to or greater than your on-premises posture.
  • Cryptominers – While the rise of cryptominer attacks is likely not due to the cloud itself, these attacks have become prevalent recently. This typically takes the form of compromising an internet-facing web server and using that server to mine cryptocurrencies, or embedding code into the website to perform the mining on the browsers/clients that visit the site.
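For the RDP/SSH password spray point, the detection that matters in the SOC is telling a spray (many accounts, one or two tries each, designed to stay under per-account lockout) apart from a classic brute force (one account hammered) in the failed-login stream. The following is an added example, not part of the original post, run over constructed sshd syslog lines; a Windows 4625 event feed would need a different parser but the same aggregation, per source IP: how many distinct accounts were tried and how many attempts each received.

```python
"""Classify failed-login sources as password spray, brute force, or noise."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


@dataclass
class SourceStats:
    attempts: int = 0
    per_user: dict = field(default_factory=dict)  # account -> failed attempts
    first_seen: str = ""
    last_seen: str = ""


def summarize(log_text: str):
    """Aggregate failed password events per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successes and other daemons are not counted
        s = stats[m["ip"]]
        s.attempts += 1
        s.per_user[m["user"]] = s.per_user.get(m["user"], 0) + 1
        s.first_seen = s.first_seen or m["ts"]
        s.last_seen = m["ts"]
    return dict(stats)


def classify(stats, spray_min_users=5, brute_min_attempts=5, min_attempts=3):
    """Spray: many accounts with at most two tries each. Brute force: one
    account at or above brute_min_attempts. Below min_attempts nothing is
    raised, so a user fat-fingering a password twice stays quiet."""
    labels = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            labels[ip] = "noise"
            continue
        distinct = len(s.per_user)
        heaviest = max(s.per_user.values())
        if distinct >= spray_min_users and heaviest <= 2:
            labels[ip] = "password-spray"
        elif heaviest >= brute_min_attempts:
            labels[ip] = "brute-force"
        else:
            labels[ip] = "suspicious"
    return labels


# Constructed sample log (documentation IP ranges, no real hosts).
SAMPLE_LOG = """\
Jan 10 03:14:01 vm01 sshd[4001]: Failed password for invalid user admin from 203.0.113.10 port 51000 ssh2
Jan 10 03:14:09 vm01 sshd[4002]: Failed password for invalid user test from 203.0.113.10 port 51001 ssh2
Jan 10 03:14:17 vm01 sshd[4003]: Failed password for invalid user oracle from 203.0.113.10 port 51002 ssh2
Jan 10 03:14:25 vm01 sshd[4004]: Failed password for invalid user ubuntu from 203.0.113.10 port 51003 ssh2
Jan 10 03:14:33 vm01 sshd[4005]: Failed password for azureuser from 203.0.113.10 port 51004 ssh2
Jan 10 03:14:41 vm01 sshd[4006]: Failed password for invalid user backup from 203.0.113.10 port 51005 ssh2
Jan 10 03:20:02 vm01 sshd[4101]: Failed password for root from 198.51.100.7 port 60000 ssh2
Jan 10 03:20:03 vm01 sshd[4102]: Failed password for root from 198.51.100.7 port 60001 ssh2
Jan 10 03:20:04 vm01 sshd[4103]: Failed password for root from 198.51.100.7 port 60002 ssh2
Jan 10 03:20:05 vm01 sshd[4104]: Failed password for root from 198.51.100.7 port 60003 ssh2
Jan 10 03:20:06 vm01 sshd[4105]: Failed password for root from 198.51.100.7 port 60004 ssh2
Jan 10 03:20:07 vm01 sshd[4106]: Failed password for root from 198.51.100.7 port 60005 ssh2
Jan 10 03:25:00 vm01 sshd[4201]: Failed password for azureuser from 192.0.2.5 port 40000 ssh2
Jan 10 03:25:08 vm01 sshd[4201]: Accepted publickey for azureuser from 192.0.2.5 port 40000 ssh2
"""


def example_labels():
    return classify(summarize(SAMPLE_LOG))


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, label in example_labels().items():
        s = stats[ip]
        print(f"{ip:15} {label:15} attempts={s.attempts} accounts={len(s.per_user)} "
              f"window={s.first_seen} .. {s.last_seen}")
```

The thresholds are deliberately parameters: a spray against a tenant with thousands of accounts may touch each one once over days, so in production the aggregation window should be long (hours to days) and the per-IP view should be joined with the per-account view, since distributed sprays rotate source addresses.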

Azure Security best practice: Consider Retiring Legacy Security Approaches

This is Part#10 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

You may want to deprecate and then discontinue some legacy security approaches as you move to Azure. You can continue to use these technologies in Azure if you see value, but many organizations are not migrating these solutions to Azure, so these choices are explicitly surfaced.

Classic Network Intrusion Detection/Prevention Systems (NIDS/NIPS)


What : Choose whether to add existing NIDS/NIPS capabilities on Azure

Why : The Azure platform already filters malformed packets, and most classic NIDS/NIPS solutions are based on outdated signature-based approaches which are easily evaded by attackers and typically produce a high rate of false positives.

How :

  • Do Not Add (Default Recommendation)
  • Add to Azure tenant

Network Data Loss Prevention (DLP)


What : Choose whether to add Network DLP capabilities on Azure

Why : Network DLP is increasingly ineffective at identifying both inadvertent and deliberate data loss, because most modern protocols and most attackers use encryption (most available attacker toolkits have encryption built in).

How :

  • Do Not Add (Default Recommendation)
  • Add to Azure tenant

Azure Security best practice: Mitigate DDoS Attacks

This is Part#9 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Enable DDoS protection beyond the default free tier

What : Enable DDoS Mitigations for all business-critical web applications, and services

Why : DDoS attacks are prevalent and are very inexpensive to access on the dark markets

How : Evaluate and select the best option for protecting your critical applications and services

  • Azure DDoS standard
  • 3rd party service

Azure includes basic Distributed Denial of Service (DDoS) protection, which can be upgraded to the Standard offering.

The basic capabilities apply to all workloads in Azure, because this protection is applied to all Microsoft properties on Microsoft's network (which also includes services like Office 365, Windows Update, Xbox Live, etc.).

The standard offering adds local visibility and control for your workloads with:

  • Advanced protection for your virtual network resources
  • Automatic mitigation for 60+ network layer attacks
  • Adaptive tuning via application traffic profiling and machine learning algorithm
  • Real time monitoring and alerting in Azure Monitor
  • Integration with WAF application layer protection

Azure Security best practice: Implement Web Application Firewalls (WAFs)

This is Part#8 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Use Web App Firewall on All Internet Facing Applications

What : Configure web application firewalls (WAFs) to protect all internet facing applications

Why : Common security vulnerability types are often exploited by attackers targeting applications (either as an ingress point to the environment or as the ultimate objective).
WAFs are a critical mitigation for these attacks if you don't have a mature security development lifecycle (SDL) to find and fix these vulnerabilities. WAFs also serve as an important safety measure even if you do have a mature SDL (much like a parachute in a plane).

How : Microsoft includes WAF capabilities in Azure Application Gateway and many vendors offer these capabilities as standalone security appliances or as part of next generation firewalls.


Azure Security best practice: Assign and publish roles and responsibilities

This is Part#6 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Define Clear Lines of Responsibility

What : Designate the parties responsible for specific functions in Azure

Why : Consistency helps avoid confusion that can lead to human and automation errors that create security risk.

How : Designate groups (or individual roles) that will be responsible for key centralized functions

Network Security:

Typically existing network security team

Configuration and maintenance of Azure Firewall, Network Virtual Appliances (and associated routing), WAFs, NSGs, ASGs, etc.

Network Management:

Typically existing network operations team

Enterprise-wide virtual network and subnet allocation

Server Endpoint Security:

Typically IT operations, security, or jointly

Monitor and remediate server security (patching, configuration, endpoint security, etc.)

Incident Monitoring and Response:

Typically security operations team

Investigate and remediate security incidents in SIEM or source console:

  • Azure Security Center
  • Azure AD Identity Protection

Policy Management:

Typically GRC team + Architecture

Set direction for use of Role-Based Access Control (RBAC), Azure Security Center, Administrator protection strategy, and Azure Policy to govern Azure resources

Identity Security and Standards:

Typically Security Team + Identity Team Jointly

Set direction for Azure AD directories, PIM/PAM usage, MFA, password/synchronization configuration, Application Identity Standards

Azure Security best practice: Choose and Implement a Firewall Strategy

This is Part#7 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Internet EDGE Strategy: For your core services segment you can choose between native controls and 3rd party capabilities for internet traffic filtering.

What : Choose whether to use Native Azure Controls or 3rd party Network Virtual Appliances (NVAs) for internet edge security (North-South)

Why : Legacy workloads require network protection from internet sources and there are advantages to using either 1st or 3rd party controls to provide this.

How : Select a strategy using the comparison information below

Azure Native Controls: basic capabilities with simple integration and management

Azure Firewall + Web App Firewall (in Application Gateway): these offer basic security that is good enough for some scenarios, with a fully stateful firewall as a service, built-in high availability, unrestricted cloud scalability, FQDN filtering, support for OWASP core rule sets, and simple setup and configuration.

3rd Party Capabilities: advanced security capabilities from existing vendors

Next Generation Firewall (NGFW) and other 3rd party offerings: network virtual appliances in the Azure Marketplace include familiar security tools that provide enhanced network security capabilities. Configuration is more complex, but allows you to leverage existing capabilities and skill sets.

Azure Security best practice: Follow DevOps security guidance

This is Part#5 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.


What : Integrate guidance and automation for securing applications on the cloud

Why : Using resources and lessons learned by external organizations that are early adopters of these models can accelerate the improvement of an organization’s security posture with less expenditure of effort and resources.

How : Secure your application development / DevOps process by integrating existing guidance such as:

  • Microsoft Secure DevOps Toolkit
  • Open Web Application Security Project (OWASP) DevOps pipeline security