In our recent webinar “Controlling Your Azure Environment: Governance for the Modern Enterprise” we touched on the five disciplines of cloud governance from Microsoft’s Cloud Adoption Framework. This blog post is the third in the “The Five Disciplines of Cloud Governance” five-part series expanding on those concepts. If you missed the first post in the series around Deployment Acceleration, check it out here.
In this post we are going to dig a little deeper into the discipline of “Security Baseline” and will explore the Azure Security Center and how it can improve your organization’s security posture.
In the Five Disciplines of Cloud Governance Microsoft explains that: “Security is a complex and personal topic, unique to each company. Once security requirements are established, cloud governance policies and enforcement applies those requirements across network, data and asset configurations.”
Why is it important?
In traditional on-premise security, the control plane was the perimeter, the firewall. The security focus was on limiting and restricting access to resources inside the firewall from the various outside threats of the internet. Services inside the firewall were safe and trusted. With the move to hosted cloud service such as Microsoft Azure, this is no longer appropriate. Individuals are using all types of devices at any location. A more complex strategy is required.
Azure Security Center
Azure Security Center is a powerful cloud tool that provides you with a centralized view of your Azure resources and their active security state. It is a monitoring and remediation tool useful to prevent, detect and respond to threats to Azure resources.
Azure Security Center uses security policies, security alerts and a secure score to define your organization’s security priorities, keep you informed of threats and how to prevent them and also helps organize what areas to focus immediate attention to.
A security policy is a definition of a set of controls. These controls are used to provide recommendations for Azure resources. Security policies can be applied to subscriptions or resource groups. Different security policies can be used for workloads that have different security requirements. For example, applications with regulatory requirements can use a different security policy than development environments.
A security policy contains multiple prevention policies which when enabled provide recommendations for different Azure features. The available prevention policies are:
- System updates – daily security and critical updates from Windows Update or Windows Server Update Services (WSUS)
- OS vulnerabilities – daily OS configuration analysis
- Endpoint protection – identifies systems without protection software
- Disk encryption – identifies systems without at rest data protection
- Network security groups – identifies NSGs with configured inbound and outbound traffic to public endpoints, assesses inbound security rules
- Web application firewall – discover deployments for which a Next Generation firewall is recommended and allow you to provision a virtual appliance
- Next Generation firewall – may recommend a next generation firewall from a Microsoft partner
- Vulnerability assessment – identify VMs without vulnerability assessment software
- SQL auditing & threat detection – identifies Azure SQL Databases to enable access auditing and advanced threat detection
- SQL encryption – identify SQL databases to enable encryption at rest
Azure Security Center collects and analyzes log data from Azure resources, the network and partner solutions. When a threat is detected, a security alert is generated. A few examples of the types of security alerts are;
- Compromised VMs communicating with known malicious IP addresses
- Advanced malware detected
- Brute-force attacks against VMs
Alerts contain information about what triggered the alert, the resources targets, and the source of the attack.
Security Center also uses machine learning to combine individual alerts into incidents. Viewing incidents is available in the Standard tier and above. Incidents may contain additional information useful during the threat investigation.
Alerts are generated according to the following categories;
- Virtual machine behavior analysis
- Network analysis
- SQL database and SQL Data Warehouse analysis
- Contextual Information
Custom alert rules in Security Center can also be created. Queries can be used to match criteria from computer security events, computer security logs, or data ingested via API’s.
Managing and Working with Alerts
In the Azure portal, Security Center, Overview page you can view your alerts. The Detection area shows current alerts by severity and shows details below for each alert.
By selecting a given alert you can view more details such as what triggered it and what remediation steps are available.
By clicking on an individual resource, you can get additional information including recommended remediation steps.
Azure Security Center also provides an overall score based on the security recommendations and their severity and preferred practices. To view your secure score, from the Azure portal, select Security Center, Secure Score.
The secure score is calculated based on the ratio of healthy resources to the total number of resources. If all resources are healthy for a recommendation, 50 points are added to the secure score.
You can also view the top three recommendations on the Security Center dashboard.
In addition to Azure Security Policy, Security Alerts and Azure Secure Score, Azure allows flexibility in the securing of Virtual Machine and Web App service with configurable properties such as:
- Identity and access management – simplified identity provider architecture using Azure Active Directory (AD), access based on role (RBAC), Multi-Factor Authentication integration, privileged account protection, cryptographic keys to secure access to storage accounts and other resources/services, Just-In-Time access, Privileged Identity Management, Conditional Access, and other features.
- Endpoint access – in addition to Network Security Groups to protect public endpoints, Azure provides additional access restriction functionality in Azure App Service Access Restrictions and Azure Service Environment IP Access Rules.
- Encryption requirements – Enforcing SSL Connections for MySQL, PostgreSQL, and App Services and requiring latest TLS encryption versions
- Resource locks – Prevent changes to critical resources
- Network Security – Native (integrated) basic DDoS Protection with available Standard tier protections that allow for rich telemetry via Azure Monitor for alerting and custom policies.
- Reporting – Sign-in anomaly detection and Identity Secure Score
- Other –increased Audit logs and log retention, phone/email notifications, etc.
New Signature leverages industry best practices for securing IaaS and PaaS workloads hosted in Azure based on Microsoft Security Baselines, CIS Benchmarks, and real-world experience.
Security is an ever-evolving concern for every organization. As resources are moved into the cloud it’s important to use the right tools to assess and achieve security. Azure Security Center is an integrated tool for all your Azure resources. By specifying security policies, staff can monitor their cloud investment and receive alerts to threats. In addition, Azure Security Center alerts provide steps to help remediate these threats.
Azure Security Center’s secure score helps visualize and quantify an organization’s security posture. It can help analyze and provide a roadmap through recommendations to prevent threats before they occur.
About the Author
Matt Alofs is the Director of Microsoft Business Group’s Centers of Excellence. His role aims to bring together the thought leaders and practice experts from across our organization and work with them to continually improve and enhance their practices, along with helping them to develop the best new services and solutions to help our clients overcome their challenges with progressive technologies.