Best practices for securely moving workloads to Microsoft Azure
Credit to Author: Jenny Erie| Date: Mon, 26 Feb 2018 17:00:04 +0000
Azure is Microsofts cloud computing environment. It offers customers three primary service delivery models including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Adopting cloud technologies requires a shared responsibility model for security, with Microsoft responsible for certain controls and the customer others, depending on the service delivery model chosen. To ensure that a customers cloud workloads are protected, it is important that they carefully consider and implement the appropriate architecture and enable the right set of configuration settings.
Microsoft has developed a set of Azure security guidelines and best practices for our customers to follow. These guides can be found in theAzure security best practices and patterns documentation. In addition, were excited to announce the availability of the Center for Internet Securitys (CIS) Microsoft Azure Foundations Security Benchmark, developed in partnership with Microsoft. CIS is a non-profit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.
The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. Its scope is designed to assist organizations in establishing the foundation level of security for anyone adopting the Microsoft Azure cloud. The benchmark should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate their specific situation, workloads, and compliance requirements and tailor their environment accordingly.
The CIS benchmark contains two levels, each with slightly different technical specifications:
- Level 1 Recommended, minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
- Level 2 Recommended security settings for highly secure environments and could result in some reduced functionality.
The CIS Microsoft Azure Foundations Security Benchmark is divided into the following sections:
Section
| Description |
No. of Rec. Controls
|
Identity and Access Management
| Recommendations related to setting the appropriate identity and access management policies. |
23
|
Azure Security Center
| Recommendations related to the configuration and use of Azure Security Center. |
19
|
Storage Accounts
| Recommendations for setting storage account policies. |
7
|
Azure SQL Services
| Recommendations for securing Azure SQL Servers. |
8
|
Azure SQL Databases
| Recommendations for securing Azure SQL Databases. |
8
|
Logging and Monitoring
| Recommendations for setting logging and monitoring policies on your Azure subscriptions. |
13
|
Networking
| Recommendations for securely configuring Azure networking settings and policies. |
5
|
Virtual Machines
| Recommendations for setting security policies for Azure compute services, specifically virtual machines. |
6
|
Other Security Considerations
| Recommendations regarding general security and operational controls, including those related to Azure Key Vault and Resource Locks. |
3
|
Total Recommendations
|
92
|
Each recommendation contains several sections, including a recommendation identification number, title, and description; level or profile applicability; rationale; instructions for auditing the control; remediation steps; impact of implementing the control; default value; and references. As an example, the first control contained in the benchmark is under the Identity and Access Management section and is titled: 1.1 Ensure that multi-factor authentication is enabled for all privileged users (Scored). A control is marked as Scored or Not Scored based on whether it can be programmatically tested. In this case, recommendation 1.1 can be audited leveraging the Microsoft Graph and PowerShell commandlet. The specific steps for auditing the control are contained in the “Audit” section for this specific recommendation. This recommendation is listed as a Level 1 control because it is only applied to Azure administrative users and would not have a company-wide impact or produce less functionality for users. The rationale for recommendation 1.1 is that Azure administrative accounts need to be protected due to their powerful privileges, and with multiple factors for authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk to the Azure tenant.
The benchmark is freely available in PDF format on the CIS website.
You can also find more information on Azure Security Center and on Azure Active Directory. Both are critical solutions to securely deploying and monitoring Azure workloads and are covered in the new CIS benchmark.