Azure Lighthouse limitations

So we tried to implement the recently released Azure Lighthouse by the book in order to centrally manage multiple Azure customers. The recommended Contributor role, which is the highest Azure role you can use with Lighthouse, has some very interesting limitations, especially around what you can do with Azure Policy: the Microsoft.Authorization/*/Delete and Microsoft.Authorization/*/Write operations are prohibited, so you cannot deploy any Azure Policies to a customer's subscriptions.

Azure Contributor role

There is a way to bypass this limitation of the Contributor role by adding another role to the on-boarding process: Security Admin.

Azure Security Admin role
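To make the Contributor limitation and the Security Admin workaround concrete, here is an added example (not from the original post) that models how Azure RBAC resolves a delegation: each role's actions minus its notActions, unioned across the roles granted to the principal. The role entries are a reduced subset of the built-in definitions, and the function names are assumptions.

```python
# Added example (not from the original post): how Azure RBAC resolves a
# Lighthouse delegation. A role permits an operation when an "actions"
# pattern matches and no "notActions" pattern matches; a principal holding
# several roles is allowed if ANY of them permits it.
from fnmatch import fnmatchcase

# Built-in role definitions reduced to what matters here (assumption: the
# real roles carry more entries than these).
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write"],
    },
    "Security Admin": {
        "actions": ["Microsoft.Authorization/policyAssignments/*",
                    "Microsoft.Authorization/policyDefinitions/*",
                    "Microsoft.Authorization/policySetDefinitions/*",
                    "Microsoft.Authorization/*/read"],
        "notActions": [],
    },
}

def _matches(pattern, operation):
    # Azure RBAC wildcards are case-insensitive and '*' may span '/'.
    return fnmatchcase(operation.lower(), pattern.lower())

def role_allows(role, operation):
    """One role: matched by 'actions' and not subtracted by 'notActions'."""
    allowed = any(_matches(p, operation) for p in role["actions"])
    excluded = any(_matches(p, operation) for p in role["notActions"])
    return allowed and not excluded

def delegation_allows(role_names, operation):
    """Roles granted in one Lighthouse authorization are unioned."""
    return any(role_allows(ROLES[name], operation) for name in role_names)

def explain(role_names, operation):
    verdict = "ALLOWED" if delegation_allows(role_names, operation) else "DENIED"
    return "%s via %s: %s" % (operation, " + ".join(role_names), verdict)

if __name__ == "__main__":
    policy_write = "Microsoft.Authorization/policyAssignments/write"
    print(explain(["Contributor"], policy_write))                    # DENIED
    print(explain(["Contributor", "Security Admin"], policy_write))  # ALLOWED
    # Even with both roles, role assignments stay out of the MSP's reach.
    print(explain(["Contributor", "Security Admin"],
                  "Microsoft.Authorization/roleAssignments/write"))  # DENIED
```

Note that notActions only subtract from the role that carries them; they never deny an operation that another granted role allows, which is exactly why adding Security Admin re-enables policy deployment.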

Azure Security Threats are the same and different…

Many attack vectors are seen at about the same rate as on-premises, including social engineering, phishing and ransomware. Microsoft has observed some differences from traditional on-premises attacks, including:

  • Theft and Abuse of Keys – Many cloud services can accept keys for authentication (storage, services, etc.). Many developers are unfamiliar with security best practices for key management and embed these keys directly into their code. This source code is then frequently posted publicly to services like GitHub, where attackers can find the keys and use them to illicitly access those resources.
  • RDP/SSH Password Spray and Brute Force – The technique of scanning for open RDP/SSH ports and trying common passwords has been around for some time. This attack requires extra attention in Azure because the public IP address ranges of cloud providers are scanned with very high intensity, and there is a higher chance of misconfiguring network security because of unfamiliarity with the controls.
  • Pivot to on-premises from cloud – An attack vector that did not exist before the cloud is that attackers who have compromised a resource can pivot to Azure from on-premises and vice versa. Because cloud infrastructure is effectively just another datacenter in your enterprise estate, you need to ensure its security is equal to or greater than your on-premises posture.
  • Cryptominers – While the rise of cryptominer attacks is likely not due to the cloud itself, these attacks have become prevalent recently. They typically take the form of compromising an internet-facing web server and using that server to mine cryptocurrencies, or embedding code into the website to perform the mining on the browsers/clients that visit the site.
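As an added example (not part of the original post) for the RDP/SSH password spray and brute-force item above: a small detector that scores constructed sshd-style failure lines per source IP in a sliding time window, separating spray (many accounts, few tries each) from brute force (one account, many tries). The sample log, the thresholds and the `parse_failures`/`detect` names are all assumptions.

```python
# Added example (not from the original post): score SSH login failures per
# source IP in a sliding window. Spray = many distinct accounts from one
# source; brute force = many failures against one account from one source.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
2024-01-10T08:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5001 ssh2
2024-01-10T08:00:04 sshd[102]: Failed password for invalid user test from 203.0.113.7 port 5002 ssh2
2024-01-10T08:00:09 sshd[103]: Failed password for invalid user oracle from 203.0.113.7 port 5003 ssh2
2024-01-10T08:00:15 sshd[104]: Failed password for invalid user ubuntu from 203.0.113.7 port 5004 ssh2
2024-01-10T08:00:21 sshd[105]: Failed password for invalid user git from 203.0.113.7 port 5005 ssh2
2024-01-10T08:01:00 sshd[106]: Failed password for root from 198.51.100.9 port 6001 ssh2
2024-01-10T08:01:02 sshd[107]: Failed password for root from 198.51.100.9 port 6002 ssh2
2024-01-10T08:01:05 sshd[108]: Failed password for root from 198.51.100.9 port 6003 ssh2
2024-01-10T09:30:00 sshd[109]: Failed password for alice from 192.0.2.4 port 7001 ssh2
2024-01-10T09:30:40 sshd[110]: Accepted password for alice from 192.0.2.4 port 7001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for every failed-login line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]

def detect(log_text, window=timedelta(minutes=5), spray_users=5, brute_tries=3):
    """Return {source_ip: labels}; labels are 'password_spray' and/or 'brute_force'."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start, labels = 0, set()
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # keep the window at most `window` wide
                start += 1
            users = Counter(u for _, u in events[start:end + 1])
            if len(users) >= spray_users:
                labels.add("password_spray")
            if max(users.values()) >= brute_tries:
                labels.add("brute_force")
        if labels:
            findings[ip] = labels
    return findings
```

A single failure followed by a success (the alice lines) produces no finding, so ordinary typos do not trip the rule; tune the thresholds to the baseline of your own exposed hosts.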

Azure Security best practice: Consider Retiring Legacy Security Approaches

This is Part#10 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

You may want to deprecate and then discontinue some legacy security approaches as you move to Azure. You can continue to use these technologies in Azure if you see value, but many organizations are not migrating these solutions to Azure, so these choices are explicitly surfaced.

Classic Network Intrusion Detection/Prevention Systems (NIDS/NIPS)

What : Choose whether to add existing NIDS/NIPS capabilities on Azure

Why : The Azure platform already filters malformed packets, and most classic NIDS/NIPS solutions are based on outdated signature-based approaches which are easily evaded by attackers and typically produce a high rate of false positives.

How :

  • Do Not Add (Default Recommendation)
  • Add to Azure tenant

Network Data Loss Prevention (DLP)

What : Choose whether to add Network DLP capabilities on Azure

Why : Network DLP is increasingly ineffective at identifying both inadvertent and deliberate data loss. This is because most modern protocols and most attackers use encryption (most available attacker toolkits have encryption built in).

How :

  • Do Not Add (Default Recommendation)
  • Add to Azure tenant

Azure Security best practice: Mitigate DDoS Attacks

This is Part#9 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Enable DDoS protection beyond the default free tier

What : Enable DDoS mitigations for all business-critical web applications and services

Why : DDoS attacks are prevalent and are very inexpensive to access on the dark markets.

How : Evaluate and select the best option for protecting your critical applications and services

  • Azure DDoS standard
  • 3rd party service

Azure includes basic Distributed Denial of Service (DDoS) protection, which can be upgraded to the Standard offering.

The basic capabilities apply to all workloads in Azure, as this protection is applied to all Microsoft properties on Microsoft's network (which also includes services like Office 365, Windows Update, Xbox Live, etc.).

The standard offering adds local visibility and control for your workloads with:

  • Advanced protection for your virtual network resources
  • Automatic mitigation for 60+ network layer attacks
  • Adaptive tuning via application traffic profiling and machine learning algorithms
  • Real time monitoring and alerting in Azure Monitor
  • Integration with WAF application layer protection
Azure DDoS protection

Azure Security best practice: Implement Web Application Firewalls (WAFs)

This is Part#8 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Use Web App Firewall on All Internet Facing Applications

What : Configure web application firewalls (WAFs) to protect all internet facing applications

Why : Common security vulnerability types are often exploited by attackers targeting applications (either as an ingress point to the environment or as the ultimate objective).
WAFs are a critical mitigation for these attacks if you do not have a mature security development lifecycle (SDL) to find and fix these vulnerabilities. WAFs also serve as an important safety measure even if you do have a mature SDL (much like a parachute in a plane).

How : Microsoft includes WAF capabilities in Azure Application Gateway and many vendors offer these capabilities as standalone security appliances or as part of next generation firewalls.

Web Application Firewall

Azure Security best practice: Assign and publish roles and responsibilities

This is Part#6 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Define Clear Lines of Responsibility

What : Designate the parties responsible for specific functions in Azure

Why : Consistency helps avoid confusion that can lead to human and automation errors that create security risk.

How : Designate groups (or individual roles) that will be responsible for key centralized functions

  • Network Security – Typically the existing network security team. Configuration and maintenance of Azure Firewall, Network Virtual Appliances (and associated routing), WAFs, NSGs, ASGs, etc.
  • Network Management – Typically the existing network operations team. Enterprise-wide virtual network and subnet allocation.
  • Server Endpoint Security – Typically IT operations, security, or jointly. Monitor and remediate server security (patching, configuration, endpoint security, etc.).
  • Incident Monitoring and Response – Typically the security operations team. Investigate and remediate security incidents in the SIEM or source console (Azure Security Center, Azure AD Identity Protection).
  • Policy Management – Typically the GRC team + Architecture. Set direction for the use of Role-Based Access Control (RBAC), Azure Security Center, administrator protection strategy, and Azure Policy to govern Azure resources.
  • Identity Security and Standards – Typically the Security Team + Identity Team jointly. Set direction for Azure AD directories, PIM/PAM usage, MFA, password/synchronization configuration, and application identity standards.

Azure Security best practice: Choose and Implement a Firewall Strategy

This is Part#7 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Internet EDGE Strategy: For your core services segment you can choose between native controls and 3rd party capabilities for internet traffic filtering.

What : Choose whether to use Native Azure Controls or 3rd party Network Virtual Appliances (NVAs) for internet edge security (North-South)

Why : Legacy workloads require network protection from internet sources and there are advantages to using either 1st or 3rd party controls to provide this.

How : Select a strategy using the comparison information below

  • Azure native controls – Basic capabilities with simple integration & management: Azure Firewall + Web App Firewall (in Application Gateway). These offer basic security that is good enough for some scenarios, with a fully stateful firewall as a service, built-in high availability, unrestricted cloud scalability, FQDN filtering, support for OWASP core rule sets, and simple setup and configuration.
  • 3rd party capabilities – Advanced security capabilities from existing vendors: Next Generation Firewall (NGFW) and other 3rd party offerings. Network virtual appliances in the Azure Marketplace include familiar security tools that provide enhanced network security capabilities. Configuration is more complex, but allows you to leverage existing capabilities and skill sets.
Reference Azure Firewall Configuration with Native Controls

Reference Azure Firewall Configuration with 3rd party capabilities

Azure Security best practice: Follow DevOps security guidance

This is Part#5 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

DevOps

What : Integrate guidance and automation for securing applications on the cloud

Why : Using resources and lessons learned by external organizations that are early adopters of these models can accelerate the improvement of an organization’s security posture with less expenditure of effort and resources.

How : Secure your application development / DevOps process by integrating existing guidance such as:

  • Microsoft Secure DevOps Toolkit
  • Open Web Application Security Project (OWASP) DevOps Pipeline security
Securing DevOps

Azure Security best practice: Monitor for Potential Attacks

This is Part#4 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Security Operations – Azure Alerts

What : Enable Azure Security Center Security Alerts

Why : Azure Security Center provides actionable detections for common attack methods which can save your team significant effort on query development.

These alerts are focused on a high true positive rate by leveraging Microsoft's extensive threat intelligence, advanced machine learning, industry-leading Endpoint Detection & Response (EDR) (MITRE report), and other approaches.

How : Enable Azure Security Center (We recommend Standard Tier to gain full control over all the security options)

Azure Security Center Alerts

Security Operations – Centralized Visibility

Use Azure Security Center and Azure Sentinel to create your own Security Dashboard.

Azure Security Center is focused on protection and governance of Azure workloads by assessing risk to them, reducing attack surface, and generating alerts on potential threats using advanced threat detection technologies. The roles who use ASC will typically include security engineers and GRC professionals that report risk to the CISO.

Azure Sentinel is focused on monitoring All Environments by SOC analysts. Azure Sentinel allows for monitoring alerts and security related events from any source (Microsoft security solutions, 3rd party, custom rules). Azure Sentinel is built for security analysts and SOC managers to make their work easier and more effective. Azure Sentinel is designed to simplify the application of advanced technologies like Machine Learning, User and Entity Behavior Analytics (UEBA), to the variety of data-sets you monitor and is complemented by other Microsoft Threat Protection solutions that provide specialized investigation of hosts, email, identity attacks, and more.

Azure Security Operations – Centralized Visibility

Azure Security best practice: Enterprise segmentation & Zero Trust preparation

This is Part#3 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Align segmentation strategy & teams by unifying network, identity, app, etc. into a single enterprise segmentation strategy (as you migrate to Azure).

SEGMENTATION STRATEGY

What : Identify security segments that are needed for your organization to contain risk

Why : A clear and simple segmentation strategy enables stakeholders (IT, Security, Business Units) to understand and support it. This clarity reduces the risk of human errors and automation failures that can lead to security vulnerabilities, operational downtime, or both.

How : Select the segmentation approaches from the reference design and assign permissions and network controls as appropriate.

A Good Segmentation Strategy:

1. Enables Operations – Minimizes operational friction by aligning to business practices and applications

2. Contains Risk – Adds cost and friction to attackers by

  • Isolating sensitive workloads from compromise of other assets
  • Isolating high-exposure systems from being used as a pivot to other systems

3. Is Monitored – Security Operations should monitor for potential violations of the integrity of the segments (account usage, unexpected traffic, etc.)