Azure Cloud security is a shared responsibility

Azure Cloud security is a shared responsibility

Azure Cloud security is a shared responsibility
Shared responsibility model for Azure Cloud Security

Security controls are designed to ensure technology solutions are built and maintained in ways that ensure function and security successfully coexist. This ideal holds strong in Azure where Microsoft is constantly vetting and monitoring the implementation of their security controls, as well as watching their service teams continue to innovate new functionality in the cloud environment. With that said, the cloud presents a spectrum of responsibilities based on what types of services and/or features a customer may be consuming. This is unlike more traditional on-premises information systems where most, if not all, security is implemented by the same owner.

As organizations move from IaaS, to PaaS and then to SaaS, you’ll find that they are responsible for less and the cloud service provider is responsible for more.

The figure below describes how shared responsibility works across the cloud service models.

How shared responsibility works across the cloud service models.
How shared responsibility works across the cloud service models.

Make sure you understand you role in this complex paradigm that is cloud computing and don’t assume the Cloud provider will manage all security aspects of your environment!

CIS 1.1.0 security controls for Azure

CIS 1.1.0 security controls for Azure

CIS Microsoft Azure Foundations Benchmark security controls are listed below (please note that although this is the complete list of all the controls specified by the CIS standard, only 48 of them have been enabled for automatic auditing in Azure and very few of them have any automated remediation available, most of them require manual steps and need a regular review to make sure any changes done to existing resources and the new resources added to the environment still comply with them- our Managed Azure Security Service solves all those problems!):

CIS 1.1.0 security controls for Azure
Domain Nr Security Control Name
Identity and Access Management 1.1 Ensure that multi-factor authentication is enabled for all privileged users
1.2Ensure that multi-factor authentication is enabled for all non-privileged users
1.3Ensure that there are no guest users
1.4Ensure that ‘Allow users to remember multi-factor authentication on devices they trust’ is ‘Disabled’
1.5Ensure that ‘Number of methods required to reset’ is set to ‘2’
1.6Ensure that ‘Number of days before users are asked to re-confirm their authentication information’ is not set to “0”
1.7Ensure that ‘Notify users on password resets?’ is set to ‘Yes’
1.8Ensure that ‘Notify all admins when other admins reset their password?’ is set to ‘Yes’
1.9Ensure that ‘Users can consent to apps accessing company data on their behalf’ is set to ‘No’
1.1Ensure that ‘Users can add gallery apps to their Access Panel’ is set to ‘No’
1.11Ensure that ‘Users can register applications’ is set to ‘No’
1.12Ensure that ‘Guest user permissions are limited’ is set to ‘Yes’
1.13Ensure that ‘Members can invite’ is set to ‘No’
1.14Ensure that ‘Guests can invite’ is set to ‘No’
1.15Ensure that ‘Restrict access to Azure AD administration portal’ is set to ‘Yes’
1.16Ensure that ‘Self-service group management enabled’ is set to ‘No’
1.17Ensure that ‘Users can create security groups’ is set to ‘No’
1.18Ensure that ‘Users who can manage security groups’ is set to ‘None’
1.19Ensure that ‘Users can create Office 365 groups’ is set to ‘No’
1.20Ensure that ‘Users who can manage Office 365 groups’ is set to ‘None’
1.21Ensure that ‘Enable “All Users” group’ is set to ‘Yes’
1.22Ensure that ‘Require Multi-Factor Auth to join devices’ is set to ‘Yes’
1.23Ensure that no custom subscription owner roles are created
DomainNr Security Control Name
Security Center2.1 Ensure that standard pricing tier is selected
2.2Ensure that ‘Automatic provisioning of monitoring agent’ is set to ‘On’
2.3Ensure ASC Default policy setting “Monitor System Updates” is not “Disabled”
2.4Ensure ASC Default policy setting “Monitor OS Vulnerabilities” is not “Disabled”
2.5Ensure ASC Default policy setting “Monitor Endpoint Protection” is not “Disabled”
2.6Ensure ASC Default policy setting “Monitor Disk Encryption” is not “Disabled”
2.7Ensure ASC Default policy setting “Monitor Network Security Groups” is not “Disabled”
2.8Ensure ASC Default policy setting “Monitor Web Application Firewall” is not “Disabled”
2.9Ensure ASC Default policy setting “Enable Next Generation Firewall(NGFW) Monitoring” is not “Disabled”
2.10Ensure ASC Default policy setting “Monitor Vulnerability Assessment” is not “Disabled”
2.11Ensure ASC Default policy setting “Monitor Storage Blob Encryption” is not “Disabled”
2.12Ensure ASC Default policy setting “Monitor JIT Network Access” is not “Disabled”
2.13Ensure ASC Default policy setting “Monitor Adaptive Application Whitelisting” is not “Disabled”
2.14Ensure ASC Default policy setting “Monitor SQL Auditing” is not “Disabled”
2.15Ensure ASC Default policy setting “Monitor SQL Encryption” is not “Disabled”
2.16Ensure that ‘Security contact emails’ is set
2.17Ensure that security contact ‘Phone number’ is set
2.18Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’
2.19Ensure that ‘Send email also to subscription owners’ is set to ‘On’
DomainNr Security Control Name
Storage Accounts3.1 Ensure that ‘Secure transfer required’ is set to ‘Enabled’
3.2Ensure that storage account access keys are periodically regenerated
3.3Ensure Storage logging is enabled for Queue service for read, write, and delete requests
3.4Ensure that shared access signature tokens expire within an hour
3.5Ensure that shared access signature tokens are allowed only over https
3.6Ensure that ‘Public access level’ is set to Private for blob containers
3.7Ensure default network access rule for Storage Accounts is set to deny
3.8Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access
DomainNr Security Control Name
Database Services4.1 Ensure that ‘Auditing’ is set to ‘On’
4.2Ensure that ‘AuditActionGroups’ in ‘auditing’ policy for a SQL server is set properly
4.3Ensure that ‘Auditing’ Retention is ‘greater than 90 days’
4.4Ensure that ‘Advanced Data Security’ on a SQL server is set to ‘On’
4.5Ensure that ‘Threat Detection types’ is set to ‘All’
4.6Ensure that ‘Send alerts to’ is set
4.7Ensure that ‘Email service and co-administrators’ is ‘Enabled’
4.8Ensure that Azure Active Directory Admin is configured
4.9Ensure that ‘Data encryption’ is set to ‘On’ on a SQL Database
4.1Ensure SQL server’s TDE protector is encrypted with BYOK (Use your own key)
4.11Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server
4.12Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server
4.13Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server
4.14Ensure server parameter ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server
4.15Ensure server parameter ‘log_disconnections’ is set to ‘ON’ for PostgreSQL Database Server
4.16Ensure server parameter ‘log_duration’ is set to ‘ON’ for PostgreSQL Database Server
4.17Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server
4.18Ensure server parameter ‘log_retention_days’ is greater than 3 days for PostgreSQL Database Server
4.19Ensure that Azure Active Directory Admin is configured
DomainNr Security Control Name
Configuring Log Profile 5.1.1 Ensure that a Log Profile exists
5.1.2Ensure that Activity Log Retention is set 365 days or greater
5.1.3Ensure audit profile captures all the activities
5.1.4Ensure the log profile captures activity logs for all regions including global
5.1.5Ensure the storage container storing the activity logs is not publicly accessible
5.1.6Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
5.1.7Ensure that logging for Azure KeyVault is ‘Enabled’
Monitoring using Activity Log Alerts 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
5.2.2Ensure that Activity Log Alert exists for Create or Update Network Security Group
5.2.3Ensure that Activity Log Alert exists for Delete Network Security Group
5.2.4Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
5.2.5Ensure that activity log alert exists for the Delete Network Security Group Rule
5.2.6Ensure that Activity Log Alert exists for Create or Update Security Solution
5.2.7Ensure that Activity Log Alert exists for Delete Security Solution
5.2.8Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
5.2.9Ensure that Activity Log Alert exists for Update Security Policy
DomainNr Security Control Name
Networking 6.1 Ensure that RDP access is restricted from the internet
6.2Ensure that SSH access is restricted from the internet
6.3Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
6.4Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’
6.5Ensure that Network Watcher is ‘Enabled’
Virtual Machines 7.1 Ensure that ‘OS disk’ are encrypted
7.2Ensure that ‘Data disks’ are encrypted
7.3Ensure that ‘Unattached disks’ are encrypted
7.4Ensure that only approved extensions are installed
7.5Ensure that the latest OS Patches for all Virtual Machines are applied
7.6Ensure that the endpoint protection for all Virtual Machines is installed
Other Security Considerations 8.1 Ensure that the expiration date is set on all keys
8.2Ensure that the expiration date is set on all Secrets
8.3Ensure that Resource Locks are set for mission critical Azure resources
8.4Ensure the key vault is recoverable
8.5Enable role-based access control (RBAC) within Azure Kubernetes Services
AppService 9.1 Ensure App Service Authentication is set on Azure App Service
9.2Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
9.3Ensure web app is using the latest version of TLS encryption
9.4Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set to ‘On’
9.5Ensure that Register with Azure Active Directory is enabled on App Service
9.6Ensure that ‘.Net Framework’ version is the latest, if used as a part of the web app
9.7Ensure that ‘PHP version’ is the latest, if used to run the web app
9.8Ensure that ‘Python version’ is the latest, if used to run the web app
9.9Ensure that ‘Java version’ is the latest, if used to run the web app
9.10Ensure that ‘HTTP Version’ is the latest, if used to run the web app

NIST 800-53 controls mapped to Azure services and features

The NIST 800-53 standard has over 400 controls that span a multitude of domains, from Access Control to System and Information Integrity:

  • AC.Access Control
  • AT.Awareness and Training
  • AU.Audit and Accountability
  • CA.Security Assessment and Authorization
  • CM.Configuration Management
  • CP.Contingency Planning
  • IA.Identification and Authentication
  • IR.Incident Response
  • MA.Maintenance
  • MP.Media Protection
  • PE.Physical and Environmental Protection
  • PL.Planning
  • PS.Personnel Security
  • RA.Risk Assessment
  • SA.System and Services Acquisition
  • SC.System and Communications Protection
  • SI.System and Information Integrity

At this time not all the security controls can be mapped one-to-one to an Azure service or feature and the list below could change at any given time, as more features and services are added to Azure.

Here is a list of controls that can be mapped, according to the official Microsoft Azure documentation (the remediation of any violation/non-compliance controls is mostly a manual process prone to errors, but our managed security services solve this problem!)

AC-2 Account Management

This control helps you review accounts that may not comply with your organization’s account management requirements. This security control deals with the auditing of external accounts with read, write and owner permissions on a subscription and deprecated accounts. By reviewing the accounts audited, you can take appropriate action to ensure account management requirements are met.

  • Deprecated accounts should be removed from your subscription
  • Deprecated accounts with owner permissions should be removed from your subscription
  • External accounts with owner permissions should be removed from your subscription
  • External accounts with read permissions should be removed from your subscription
  • External accounts with write permissions should be removed from your subscription

AC-2 (7) Account Management | Role-Based Schemes

Azure implements role-based access control (RBAC) to help you manage who has access to resources in Azure. Using the Azure portal, you can review who has access to Azure resources and their permissions. This control is auditing the use of Azure Active Directory authentication for SQL Servers and Service Fabric. Using Azure Active Directory authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. Additionally, this control is auditing the use of custom RBAC rules. Understanding where custom RBAC rules are implemented can help you verify need and proper implementation, as custom RBAC rules are error prone.

  • An Azure Active Directory administrator should be provisioned for SQL servers
  • Audit usage of custom RBAC rules
  • Service Fabric clusters should only use Azure Active Directory for client authentication

AC-2 (12) Account Management | Account Monitoring / Atypical Usage

Just-in-time (JIT) virtual machine access locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. All JIT requests to access virtual machines are logged in the Activity Log allowing you to monitor for atypical usage. This control helps you audit the monitoring of virtual machines that can support just-in-time access but have not yet been configured.

  • Just-In-Time network access control should be applied on virtual machines

AC-4 Information Flow Enforcement

Cross origin resource sharing (CORS) can allow App Services resources to be requested from an outside domain. Microsoft recommends that you allow only required domains to interact with your API, function, and web applications. This control helps you audit the monitoring of CORS resources access restrictions in Azure Security Center. Understanding CORS implementations can help you verify that information flow controls are implemented.

  • CORS should not allow every resource to access your Web Application

AC-5 Separation of Duties

Having only one Azure subscription owner doesn’t allow for administrative redundancy. Conversely, having too many Azure subscription owners can increase the potential for a breach via a compromised owner account. This control helps you maintain an appropriate number of Azure subscription owners by auditing the number of owners for Azure subscriptions. This control also help you control membership of the Administrators group on Windows virtual machines. Managing subscription owner and virtual machine administrator permissions can help you implement appropriate separation of duties.

  • A maximum of 3 owners should be designated for your subscription
  • Audit Windows VMs in which the Administrators group contains any of the specified members
  • Audit Windows VMs in which the Administrators group does not contain all of the specified members
  • There should be more than one owner assigned to your subscription

AC-6 (7) Least Privilege | Review of User Privileges

Azure implements role-based access control (RBAC) to help you manage who has access to resources in Azure. Using the Azure portal, you can review who has access to Azure resources and their permissions. This control is auditing the accounts that should be prioritized for review. Reviewing these account indicators can help you ensure least privilege controls are implemented.

  • A maximum of 3 owners should be designated for your subscription
  • Audit Windows VMs in which the Administrators group contains any of the specified members
  • Audit Windows VMs in which the Administrators group does not contain all of the specified members

AC-16 Security Attributes

The data discovery and classification capability of advanced data security for Azure SQL Database provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. It can be used to provide visibility into your database classification state, and to track the access to sensitive data within the database and beyond its borders. Advanced data security can help you ensure information as associated with the appropriate security attributes for your organization. This control is used to monitor the use of advanced data security on SQL server.

  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers

AC-17 (1) Remote Access | Automated Monitoring / Control

This controls helps you monitor and control remote access by auditing that remote debugging for Azure App Service application is turned off. The controls also is auditing Linux virtual machines that allow remote connections from accounts without passwords. Additionally, the control helps you monitor unrestricted access to storage accounts. Monitoring these indicators can help you ensure remote access methods comply with your security policy.

  • Audit Linux VMs that allow remote connections from accounts without passwords
  • Audit unrestricted network access to storage accounts
  • Remote debugging should be turned off for API App
  • Remote debugging should be turned off for Function App
  • Remote debugging should be turned off for Web Application

AU-3 (2) Content of Audit Records | Centralized Management of Planned Audit Record Content

Log data collected by Azure Monitor is stored in a Log Analytics workspace enabling centralized configuration and management. This control helps you ensure events are logged by auditing the deployment of the Log Analytics agent on Azure virtual machines.

  • Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
  • Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
  • Audit Log Analytics Workspace for VM – Report Mismatch

AU-5 Response to Audit Processing Failures

This control is auditing event logging configurations. Monitoring these configurations can provide an indicator of an audit system failure or misconfiguration and help you take corrective action.

  • Audit diagnostic setting
  • Audit SQL server level Auditing settings
  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers

AU-6 (4) Audit Review, Analysis, and Reporting | Central Review and Analysis

Log data collected by Azure Monitor is stored in a Log Analytics workspace enabling centralized reporting and analysis. This control helps you ensure events are logged by auditing the Log Analytics agent on Azure virtual machines.

  • Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
  • Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
  • Audit Log Analytics Workspace for VM – Report Mismatch

AU-12 Audit Generation

This control helps you ensure system events are logged by auditing log settings on Azure resources. Also auditing the deployment of the Log Analytics agent on Azure virtual machines and configuration of audit settings for other Azure resource types. It also audits configuration of diagnostic logs to provide insight into operations that are performed within Azure resources. Additionally, is auditing that the Advanced Data Security is configured on SQL servers.

  • Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
  • Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
  • Audit Log Analytics Workspace for VM – Report Mismatch
  • Audit diagnostic setting
  • Audit SQL server level Auditing settings
  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers

CM-7 (2) Least Functionality | Prevent Program Execution

Adaptive application control in Azure Security Center is an intelligent, automated end-to-end application whitelisting solution that can block or prevent specific software from running on your virtual machines. Application control can run in an enforcement mode that prohibits non-approved application from running. This control helps you monitor virtual machines where an application whitelist is recommended but has not yet been configured.

  • Adaptive Application Controls should be enabled on virtual machines

CM-7 (5) Least Functionality | Authorized Software / Whitelisting

Adaptive application control in Azure Security Center is an intelligent, automated end-to-end application whitelisting solution that can block or prevent specific software from running on your virtual machines. Application control helps you create approved application lists for your virtual machines. This control helps you monitor virtual machines where an application whitelist is recommended but has not yet been configured.

  • Adaptive Application Controls should be enabled on virtual machines

CM-11 User-Installed Software

Adaptive application control in Azure Security Center is an intelligent, automated end-to-end application whitelisting solution that can block or prevent specific software from running on your virtual machines. Application control can help you enforce and monitor compliance with software restriction policies. This control helps you monitor virtual machines where an application whitelist is recommended but has not yet been configured.

  • Adaptive Application Controls should be enabled on virtual machines

CP-7 Alternate Processing Site

Azure Site Recovery replicates workloads running on virtual machines from a primary location to a secondary location. If an outage occurs at the primary site, the workload fails over the secondary location. This control audits virtual machines without disaster recovery configured. Monitoring this indicator can help you ensure necessary contingency controls are in place.

  • Audit virtual machines without disaster recovery configured

IA-2 (1) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts

This control helps you restrict and control privileged access by auditing accounts with owner and/or write permissions that don’t have multi-factor authentication enabled. Multi-factor authentication helps keep accounts secure even if one piece of authentication information is compromised. By monitoring accounts without multi-factor authentication enabled, you can identify accounts that may be more likely to be compromised.

  • MFA should be enabled on accounts with owner permissions on your subscription
  • MFA should be enabled on accounts with write permissions on your subscription

IA-2 (2) Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts

This control is auditing accounts with read permissions that don’t have multi-factor authentication enabled. Multi-factor authentication helps keep accounts secure even if one piece of authentication information is compromised. By monitoring accounts without multi-factor authentication enabled, you can identify accounts that may be more likely to be compromised.

  • MFA should be enabled on accounts with read permissions on your subscription

IA-5 Authenticator Management

This control is auditing Linux virtual machines that allow remote connections from accounts without passwords and/or have incorrect permissions set on the passwd file. This control also is auditing the configuration of the password encryption type for Windows virtual machines. Monitoring these indicators helps you ensure that system authenticators comply with your organization’s identification and authentication policy.

  • Audit Linux VMs that do not have the passwd file permissions set to 0644
  • Audit Linux VMs that have accounts without passwords
  • Audit Windows VMs that do not store passwords using reversible encryption

IA-5 (1) Authenticator Management | Password-Based Authentication

This control helps you enforce strong passwords by auditing Windows virtual machines that don’t enforce minimum strength and other password requirements. Awareness of virtual machines in violation of the password strength policy helps you take corrective actions to ensure passwords for all virtual machine user accounts comply with your organization’s password policy.

  • Audit Windows VMs that allow re-use of the previous 24 passwords
  • Audit Windows VMs that do not have a maximum password age of 70 days
  • Audit Windows VMs that do not have a minimum password age of 1 day
  • Audit Windows VMs that do not have the password complexity setting enabled
  • Audit Windows VMs that do not restrict the minimum password length to 14 characters
  • Audit Windows VMs that do not store passwords using reversible encryption

RA-5 Vulnerability Scanning

This control helps you manage information system vulnerabilities by monitoring operating system vulnerabilities, SQL vulnerabilities, and virtual machine vulnerabilities in Azure Security Center. Azure Security Center provides reporting capabilities that enable you to have real-time insight into the security state of deployed Azure resources. This control is auditing the Advanced Data Security on SQL servers. Advanced data security included vulnerability assessment and advanced threat protection capabilities to help you understand vulnerabilities in your deployed resources.

  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers
  • Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
  • Vulnerabilities in security configuration on your virtual machines should be remediated
  • Vulnerabilities on your SQL databases should be remediated
  • Vulnerabilities should be remediated by a Vulnerability Assessment solution

SC-5 Denial of Service Protection

Azure’s distributed denial of service (DDoS) standard tier provides additional features and mitigation capabilities over the basic service tier. These additional features include Azure Monitor integration and the ability to review post-attack mitigation reports. This control audits if the DDoS standard tier is enabled. Understanding the capability difference between the service tiers can help you select the best solution to address denial of service protections for your Azure environment.

  • DDoS Protection Standard should be enabled

SC-7 Boundary Protection

This control helps you manage and control the system boundary by monitoring for network security group hardening recommendations in Azure Security Center. Azure Security Center analyzes traffic patterns of Internet facing virtual machines and provides network security group rule recommendations to reduce the potential attack surface. Additionally, this blueprint also assigns policy definitions that monitor unprotected endpoints, applications, and storage accounts. Endpoints and applications that aren’t protected by a firewall, and storage accounts with unrestricted access can allow unintended access to information contained within the information system.

  • Network Security Group Rules for Internet facing virtual machines should be hardened
  • Access through Internet facing endpoint should be restricted
  • The NSGs rules for web applications on IaaS should be hardened
  • Audit unrestricted network access to storage accounts

SC-7 (3) Boundary Protection | Access Points

Just-in-time (JIT) virtual machine access locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. JIT virtual machine access helps you limit the number of external connections to your resources in Azure. This control helps you monitor virtual machines that can support just-in-time access but have not yet been configured.

  • Just-In-Time network access control should be applied on virtual machines

SC-7 (4) Boundary Protection | External Telecommunications Services

Just-in-time (JIT) virtual machine access locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. JIT virtual machine access helps you manage exceptions to your traffic flow policy by facilitating the access request and approval processes. This control helps you monitor virtual machines that can support just-in-time access but have not yet been configured.

  • Just-In-Time network access control should be applied on virtual machines

SC-8 (1) Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection

This control helps you protect the confidential and integrity of transmitted information by monitoring cryptographic mechanism implemented for communications protocols. Ensuring communications are properly encrypted can help you meet your organization’s requirements or protecting information from unauthorized disclosure and modification.

  • API App should only be accessible over HTTPS
  • Audit Windows web servers that are not using secure communication protocols
  • Function App should only be accessible over HTTPS
  • Only secure connections to your Redis Cache should be enabled
  • Secure transfer to storage accounts should be enabled
  • Web Application should only be accessible over HTTPS

SC-28 (1) Protection of Information at Rest | Cryptographic Protection

This control helps you enforce your policy on the use of cryptograph controls to protect information at rest by auditing specific cryptograph controls and audit use of weak cryptographic settings. Understanding where your Azure resources may have non-optimal cryptographic configurations can help you take corrective actions to ensure resources are configured in accordance with your information security policy.

  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers
  • Disk encryption should be applied on virtual machines
  • Require encryption on Data Lake Store accounts
  • Transparent Data Encryption on SQL databases should be enabled

SI-2 Flaw Remediation

This control helps you manage information system flaws by monitoring missing system updates, operating system vulnerabilities, SQL vulnerabilities, and virtual machine vulnerabilities in Azure Security Center. Azure Security Center provides reporting capabilities that enable you to have real-time insight into the security state of deployed Azure resources.

  • Require automatic OS image patching on Virtual Machine Scale Sets
  • System updates on virtual machine scale sets should be installed
  • System updates should be installed on your virtual machines
  • Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
  • Vulnerabilities in security configuration on your virtual machines should be remediated
  • Vulnerabilities on your SQL databases should be remediated
  • Vulnerabilities should be remediated by a Vulnerability Assessment solution

SI-3 Malicious Code Protection

This control helps you manage endpoint protection, including malicious code protection, by auditing for missing endpoint protection on virtual machines in Azure Security Center.

  • Endpoint protection solution should be installed on virtual machine scale sets
  • Monitor missing Endpoint Protection in Azure Security Center

SI-3 (1) Malicious Code Protection | Central Management

This control helps you manage endpoint protection, including malicious code protection, by auditing for missing endpoint protection on virtual machines in Azure Security Center. Azure Security Center provides centralized management and reporting capabilities that enable you to have real-time insight into the security state of deployed Azure resources.

  • Endpoint protection solution should be installed on virtual machine scale sets
  • Monitor missing Endpoint Protection in Azure Security Center

SI-4 Information System Monitoring

This control helps you monitor your system by auditing logging and data security across Azure resources. Specifically, the control audits the deployment of the Log Analytics agent, and enhanced security settings for SQL databases, storage accounts and network resources. These capabilities can help you detect anomalous behavior and indicators of attacks so you can take appropriate action.

  • Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
  • Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
  • Audit Log Analytics Workspace for VM – Report Mismatch
  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers

SI-4 (18) Information System Monitoring | Analyze Traffic / Covert Exfiltration

Advanced Threat Protection for Azure Storage detects unusual and potentially harmful attempts to access or exploit storage accounts. Protection alerts include anomalous access patterns, anomalous extracts/uploads, and suspicious storage activity. These indicators can help you detect covert exfiltration of information.

  • Audit the deployment of Advanced Threat Protection on Storage Accounts

Azure Security Compliance components

Just with two essential Azure components, you can enable security auditing for your Azure environment, using established security standards like Azure CIS, NIST 800-53, ISO 27001, PCI DSS.

Azure Security Compliance components

The remediation of the failed security controls identified by the audit, are a completely different ball-game: a lot of manual tasks are required to make your environment secure as dictated by security standards. We provide managed services that can take care of those tasks, so talk to us!

NIST 800-53

The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security). It provides a process for selecting controls to protect organizations against cyberattacks, natural disasters, structural failures, and other threats.

For US government entities and others with compliance requirements based on NIST SP 800-53, the Azure implementation of this standard helps you proactively manage and monitor compliance of your Azure environments. This standard provides governance guardrails to help organization assess specific NIST SP 800-53 R4 controls, and it enables you to use a core set of policies for any Azure-deployed architecture that must implement these controls.

These control mappings include:

  • Account management. Helps with the review of accounts of that may not comply with an organization’s account management requirements.
  • Separation of duties. Helps in maintaining an appropriate number of Azure subscription owners.
  • Least privilege. Audits accounts that should be prioritized for review.
  • Remote access. Helps with monitoring and control of remote access.
  • Audit review, analysis, and reporting. Helps ensure that events are logged and enforces deployment of the Log Analytics agent on Azure virtual machines.
  • Least functionality. Helps monitor virtual machines where an application white list is recommended but has not yet been configured.
  • Identification and authentication. Helps restrict and control privileged access.
  • Vulnerability scanning. Helps with the management of information system vulnerabilities.
  • Denial of service protection. Audits if the Azure DDoS Protection standard tier is enabled.
  • Boundary protection. Helps with the management and control of the system boundary.
  • Transmission confidentiality and integrity. Helps protect the confidentiality and integrity of transmitted information.
  • Flaw remediation. Helps with the management of information system flaws.
  • Malicious code protection. Helps the management of endpoint protection, including malicious code protection.
  • Information system monitoring. Helps with monitoring a system by auditing and enforcing logging across Azure resources.

Each control category listed above is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a 1:1 or complete match between a control and one or more policies. As such, Compliant refers only to the Azure policies themselves; this doesn’t ensure you’re fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren’t addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status.

NIST 800-53

CIS Microsoft Azure Foundations Benchmark

CIS® (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.

The CIS Controls® and CIS Benchmarks™ are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals.

The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. Its scope is designed to assist organizations in establishing the foundation level of security for anyone adopting the Microsoft Azure cloud. 

The following configuration profiles are defined by this Benchmark:

  • Level 1 Items in this profile intend to:
    • be practical and prudent;
    • provide a clear security benefit; and
    • not inhibit the utility of the technology beyond acceptable means.
  • Level 2 This profile extends the “Level 1” profile. Items in this profile exhibit one or more of the following characteristics:
    • are intended for environments or use cases where security is paramount
    • acts as defense in depth measure
    • may negatively inhibit the utility or performance of the technology.

Our Managed Azure Compliance Services are focused mostly at Level 1.

For a list of all the CIS security controls, please see the official site.

PCI DSS

PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. The scope of the PCI DSS includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.

  • If you’re a Level 1 merchant, your environment must be validated by a Qualified Security Assessor (QSA). A QSA is a firm or an individual that is approved by the PCI Security Standards Council to validate PCI environments and give the seal of approval. Please note that NovaQuantum is NOT a QSA at this time.
  • If you’re a Level 2 merchant or lower, you can validate your environment by filling out the Self-Assessment Questionnaire.

ISO 27001

The ISO/IEC 27000 family of standards helps organizations keep information assets secure. ISO/IEC 27001 is a security standard that outlines and provides the requirements for an information security management system (ISMS). It specifies a set of best practices and details a list of security controls concerning the management of information risks.

While the 27001 standard does not mandate specific information security controls, the framework and checklist of controls it lays out allows NovaQuantum to ensure a comprehensive and continually improving model for security management for our Managed Azure Security customers.

FAQ

Azure Security Compliance FAQ

Q: What are the costs related with the implementation of the Azure Security Compliance Policies?

A: Azure Security Compliance costs are based on the following paid Azure services:

  • The enabling of the Compliance Policies in Azure is a service free of charge, but in order to make use of all the features and act upon the remediation tasks required for becoming compliant, Azure Security Center Standard tier needs to be enabled on your subscription.

Sample monthly pricing for an environment running 24×7:

Number of VMs 5 10 20 50 100
Number of SQL servers 1 3 5 7 10
Storage Accounts transactions 20k 60k 150k 300k 1000k
Total cost per month ($CAD) $114.6 $250.2 $505.2 $1,095.3 $2,144.4
  • Another cost to take in consideration is the number of alerts for policy violations and resource health.

Sample monthly pricing for an environment running 24×7:

Security Alerts 100 policy alerts 100 policy alerts 200 policy alerts
Health Alerts 20 100 500
Total cost per month ($CAD) $15.36 $25.6 $89.6
  • Initial deployment and configuration of your custom security policies – This is the effort associated with the initial creation of the security framework that you want to be compliant with: not all the security policies available in Azure by default would make sense for your particular environment as some of them could impede your normal management operations, for example. Creation of all the alerts for policy violations and other health alerts for your critical services. Creating and implementing the remediation plan for any policy violations. Novaquantum provides support for the full development life-cycle of security policies and remediation tasks involved in securing your environment.
  • On-going management – This is the effort required for daily support of the Azure Security Compliance service, monitoring of log sources, policy violations and on-going alerts tune-up and is covered by monthly management fee charged by managed Azure providers like us.  

Q: Can you guarantee 100% compliance with the above mentioned standards?

A: We will enable and remediate (if agreed by the customer) all the security controls available in Azure for the compliance framework(s) that you choose. Most of the security compliance frameworks have not only technical components, but business processes and procedures that need to be compliant as well, for which the customer alone is responsible. One notable exception is Azure CIS that has only technical controls which we can control 100%.

Each security control is associated with one or more Azure feature/service. These features/services may help you assess compliance with the control; however, there often is not a 1:1 or complete match between a control and one or more platform feature. As such, Compliant in Azure refers only to the policies themselves; this doesn’t ensure you’re fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren’t addressed by any Azure platform features at this time. Therefore, compliance in Azure is only a partial view of your overall compliance status.

Q: I don’t need or understand what those security standards are, so why should I care about them?

A: Many small and medium businesses don’t need to be compliant with any of the mentioned standards, but the compliance will enable your Azure environment to be very secure and protected. The enablement and continuous monitoring of those security controls will give you confidence that your data is secure in the Cloud! As a best practice, we recommend to anyone having any workloads running in a public cloud like Azure, to use the CIS 1.1.0 security standard as a baseline for securing their environment.

Q: I am interested in the initial assessment and enablement of those security controls, but I am not interested in the ongoing maintenance of the compliance: can you offer me only this service?

A: Short answer: Yes, but…without ongoing maintenance of your security compliance, your Azure environment will be very fast exposed to a lot of security risks. Cloud environments are very dynamic with resources and services/features being added, removed and modified quite often, so without keeping pace with all those changes, your initial security controls that we enabled will not be very effective.

Q: Could you perform a security assessment and remediation of any security flaws for the applications that we have running in Azure?

A: Not at this time, but we are always adding new services to our portfolio!

Q: Our environment is a hybrid environment with resources located on-premise and in Azure, would you be able to audit and propose a remediation plan for all the resources?

A: Short answer: Yes, we can. Long answer: enabling non-Azure resources for security auditing using native Azure services, requires the installation of local agents on those resources. We can assist and provide guidance in this situations, but the installation and distribution of the agents is your responsibility entirely.

Q: All the remediation tasks that are required to enable the security controls for any given standard, might disrupt our normal business or operational procedures that we have in place: how can we avoid any downtime and disruption of those procedures?

A: Our experienced security consultants will advise you if any of the changes required will require an outage or not. You will always have the final say as to when or if those changes are acceptable to the business. You can choose as well to perform the changes yourself. Our proposal for remediation of the non-compliant resources will include a priority list and a risk score, so you will always know where you should focus your technical resources.