1 |
AM-1 |
Asset Management |
Customer |
Ensure security team has visibility into risks for assets |
Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.
Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.
Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.
Note: Additional permissions might be required to get visibility into workloads and services.
Overview of Security Reader Role: https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#security-reader
Overview of Azure Management Groups: https://docs.microsoft.com/azure/governance/management-groups/overview |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-secur |
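The scoping point above (Security Reader at the root management group, at a management group, or at individual subscriptions) is easiest to see by resolving who actually holds the role at a given resource. The following Python is an added example, not part of the benchmark or of Microsoft's tooling: the management-group hierarchy, the principal names and the role assignments are all constructed placeholders, while the scope-id formats are the ones Azure uses for role assignments. It also reports the subscriptions a locally scoped team cannot see, which is the blind spot the control is about.

```python
"""Effective Azure RBAC role assignments across a management-group
hierarchy. Added example with a constructed hierarchy; the scope-id
shapes are the ones Azure uses for role assignments."""

# Constructed hierarchy: each scope maps to its parent scope. The tenant
# root management group has no parent. All names are placeholders.
ROOT = "/providers/Microsoft.Management/managementGroups/tenant-root-placeholder"
MG_PROD = "/providers/Microsoft.Management/managementGroups/mg-prod"
MG_DEV = "/providers/Microsoft.Management/managementGroups/mg-dev"
PARENT = {
    MG_PROD: ROOT,
    MG_DEV: ROOT,
    "/subscriptions/sub-prod-1": MG_PROD,
    "/subscriptions/sub-prod-2": MG_PROD,
    "/subscriptions/sub-dev-1": MG_DEV,
    "/subscriptions/sub-sandbox": ROOT,  # sits directly under the root
}

# Constructed role assignments: a central security team at the root, a
# local team scoped to the dev management group only, one app owner.
ASSIGNMENTS = [
    {"principal": "sg-central-security", "role": "Security Reader", "scope": ROOT},
    {"principal": "sg-dev-security", "role": "Security Reader", "scope": MG_DEV},
    {"principal": "app-owner", "role": "Contributor",
     "scope": "/subscriptions/sub-prod-1/resourceGroups/rg-app"},
]


def scope_chain(scope):
    """Return the scope and every ancestor, innermost first.

    Resource and resource-group scopes are prefixes of the form
    /subscriptions/<id>/resourceGroups/<rg>/...; above the subscription
    the chain follows the management-group hierarchy in PARENT."""
    chain = []
    if scope.startswith("/subscriptions/"):
        parts = scope.split("/")
        if len(parts) > 5:              # a resource below a resource group
            chain.append(scope)
        if len(parts) > 4:              # the resource group itself
            chain.append("/".join(parts[:5]))
        scope = "/".join(parts[:3])     # the subscription
    while scope is not None:
        chain.append(scope)
        scope = PARENT.get(scope)       # None once we pass the root
    return chain


def effective_principals(role, target_scope, assignments=ASSIGNMENTS):
    """Principals holding `role` at `target_scope`, directly or inherited
    from an enclosing scope. Assignments never flow upwards."""
    chain = scope_chain(target_scope)
    return sorted({a["principal"] for a in assignments
                   if a["role"] == role and a["scope"] in chain})


def subscriptions_without(role, principal, assignments=ASSIGNMENTS):
    """Subscriptions where `principal` lacks `role`: for a monitoring
    team, the places it is blind to."""
    subs = [s for s in PARENT if s.startswith("/subscriptions/")]
    return sorted(s for s in subs
                  if principal not in effective_principals(role, s, assignments))


if __name__ == "__main__":
    vm = ("/subscriptions/sub-prod-1/resourceGroups/rg-app/providers/"
          "Microsoft.Compute/virtualMachines/vm-web01")
    print("Security Readers at", vm, "->", effective_principals("Security Reader", vm))
    print("sg-dev-security cannot see:",
          subscriptions_without("Security Reader", "sg-dev-security"))
```

A root-scoped assignment reaches every subscription, including ones created later under any management group, which is why the central aggregation requirement is usually met with one assignment at the root rather than one per subscription.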
2 |
AM-2 |
Asset Management |
Customer |
Ensure security team has access to asset inventory and metadata |
Ensure that security teams have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvements.
The Azure Security Center inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources.
Logically organize assets according to your organization’s taxonomy using Tags as well as other metadata in Azure (Name, Description, and Category).
How to create queries with Azure Resource Graph Explorer: https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal
Azure Security Center asset inventory management: https://docs.microsoft.com/azure/security-center/asset-inventory
For more information about tagging assets, see the resource naming and tagging decision guide: https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-secur |
3 |
AM-3 |
Asset Management |
Customer |
Use only approved Azure services |
Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules that trigger alerts when a non-approved service is detected.
Configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
How to deny a specific resource type with Azure Policy: https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types
How to create queries with Azure Resource Graph Explorer: https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal |
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-manageme |
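The two Azure Policy rules behind AM-3 (deny resource types that are not on the approved list) and AM-2 (audit resources that lack the tag metadata your taxonomy requires) can be exercised offline against an inventory export before they are assigned. The following Python is an added example, not code from the benchmark or from Azure Policy itself: both policy definitions are constructed here after the built-in "Allowed resource types" and "Require a tag on resources" patterns, the inventory is constructed in the shape Azure Resource Graph returns, and the evaluator implements only the subset of the rule language those definitions use (`field`, `in`, `equals`, `exists`, `not`, `allOf`, `anyOf`, and `[parameters('…')]` references). The approved-service list is an assumption.

```python
"""Offline evaluation of Azure Policy rules against an inventory export.
Added example: both policy definitions and the inventory are constructed;
the evaluator supports only the subset of the rule language they use."""
import re

# Constructed after the built-in "Allowed resource types" pattern:
# deny any resource whose type is not in the parameter list.
ALLOWED_TYPES_POLICY = {"properties": {
    "displayName": "Allowed resource types (constructed)",
    "mode": "Indexed",
    "parameters": {"listOfAllowedResourceTypes": {"type": "Array"}},
    "policyRule": {
        "if": {"not": {"field": "type",
                       "in": "[parameters('listOfAllowedResourceTypes')]"}},
        "then": {"effect": "deny"}}}}

# Constructed, simplified from the built-in "Require a tag on resources":
# audit anything that lacks the 'owner' tag the asset taxonomy requires.
OWNER_TAG_POLICY = {"properties": {
    "displayName": "Require owner tag (constructed)",
    "mode": "Indexed",
    "parameters": {},
    "policyRule": {
        "if": {"field": "tags['owner']", "exists": "false"},
        "then": {"effect": "audit"}}}}

# Constructed inventory in the shape Azure Resource Graph returns for the
# Resources table (id, name, type, tags). The subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

def _res(rg, rtype, name, tags):
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}",
            "name": name, "type": rtype, "tags": tags}

INVENTORY = [
    _res("rg-app", "Microsoft.Compute/virtualMachines", "vm-web01",
         {"owner": "app-team", "dataClassification": "internal"}),
    _res("rg-app", "Microsoft.Storage/storageAccounts", "stlogs01", {}),
    _res("rg-app", "Microsoft.KeyVault/vaults", "kv-app", {"owner": "app-team"}),
    _res("rg-lab", "Microsoft.MachineLearningServices/workspaces", "mlws-exp",
         {"owner": "data-team"}),
    _res("rg-lab", "Microsoft.Compute/virtualMachineScaleSets", "vmss-batch", {}),
]

# Assumed approved-service list for the AM-3 assignment.
APPROVED_SERVICES = ["Microsoft.Compute/virtualMachines",
                     "Microsoft.Storage/storageAccounts",
                     "Microsoft.KeyVault/vaults",
                     "Microsoft.Network/virtualNetworks"]


def _resolve(value, parameters):
    """Resolve "[parameters('name')]" to the value assigned to the policy."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if isinstance(value, str) else None
    return parameters[m.group(1)] if m else value


def _field(resource, name):
    """Read a policy field alias: a top-level property, or tags['key']."""
    m = re.fullmatch(r"tags\['([^']+)'\]", name)
    return (resource.get("tags") or {}).get(m.group(1)) if m else resource.get(name)


def _matches(cond, resource, parameters):
    """True when the resource satisfies the condition. String comparisons
    are case-insensitive, as in Azure Policy."""
    if "not" in cond:
        return not _matches(cond["not"], resource, parameters)
    if "allOf" in cond:
        return all(_matches(c, resource, parameters) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, parameters) for c in cond["anyOf"])
    actual = _field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return str(actual).lower() == str(_resolve(cond["equals"], parameters)).lower()
    if "in" in cond:
        return str(actual).lower() in {str(v).lower() for v in _resolve(cond["in"], parameters)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resources, parameters=None):
    """Return (effect, [ids of resources the rule matches]) for one policy."""
    rule = policy["properties"]["policyRule"]
    flagged = [r["id"] for r in resources if _matches(rule["if"], r, parameters or {})]
    return rule["then"]["effect"], flagged


if __name__ == "__main__":
    for policy, params in ((ALLOWED_TYPES_POLICY,
                            {"listOfAllowedResourceTypes": APPROVED_SERVICES}),
                           (OWNER_TAG_POLICY, None)):
        effect, ids = evaluate(policy, INVENTORY, params)
        print(f"{policy['properties']['displayName']} -> {effect}")
        for rid in ids:
            print("   ", rid)
```

Running the deny rule against an export before assigning it shows which existing resources it would have blocked; those are the ones to migrate or to get an approved exception for, since a `deny` effect only stops new deployments and existing non-compliant resources stay as they are.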
4 |
AM-4 |
Asset Management |
Customer |
Ensure security of asset lifecycle management |
Establish or update security policies that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to: identity providers and access, data sensitivity, network configuration, and administrative privilege assignment.
Remove Azure resources when they are no longer needed.
Delete Azure resource group and resource: https://docs.microsoft.com/azure/azure-resource-manager/management/delete-resource-group |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture- |
5 |
AM-5 |
Asset Management |
Customer |
Limit users' ability to interact with Azure Resource Manager |
Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App.
How to configure Conditional Access to block access to Azure Resource Manager: https://docs.microsoft.com/azure/role-based-access-control/conditional-access-azure-management |
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructur |
6 |
AM-6 |
Asset Management |
Customer |
Use only approved applications in compute resources |
Ensure that only authorized software executes, and all unauthorized software is blocked from executing on Azure Virtual Machines.
Use Azure Security Center (ASC) adaptive application controls to discover and generate an application allow list, and to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure Portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace.
Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources.
You can also use a third-party solution to discover and identify unapproved software.
How to use Azure Security Center adaptive application controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application
Understand Azure Automation Change Tracking and Inventory: https://docs.microsoft.com/azure/automation/change-tracking
How to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture- |
7 |
BR-1 |
Backup and Recovery |
Customer |
Ensure regular automated backups |
Ensure you are backing up systems and data to maintain business continuity after an unexpected event. This should be driven by your Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
Enable Azure Backup and configure the backup source (e.g. Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period.
For a higher level of protection, you can enable the geo-redundant storage option to replicate backup data to a secondary region and recover using cross-region restore.
Enterprise-scale business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery
How to enable Azure Backup: https://docs.microsoft.com/azure/backup/
How to enable cross region restore: https://docs.microsoft.com/azure/backup/backup-azure-arm-restore-vms#cross-region-restore |
Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure |
8 |
BR-2 |
Backup and Recovery |
Customer |
Encrypt backup data |
Ensure your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality.
For on-premises backups using Azure Backup, encryption at rest is provided using the passphrase you provide. For regular Azure service backups, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backups using a customer-managed key; in this case, ensure this customer-managed key in the key vault is also in the backup scope.
Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer managed keys. Additionally, you can enable advanced security features to require MFA before backups can be altered or deleted.
Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview
Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk
How to back up Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0
Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-e |
9 |
BR-3 |
Backup and Recovery |
Customer |
Validate all backups including customer-managed keys |
Periodically perform data restoration of your backup. Ensure that you can restore backed-up customer-managed keys.
How to recover files from Azure Virtual Machine backup: https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm
How to restore Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0 |
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-complianc |
10 |
BR-4 |
Backup and Recovery |
Customer |
Mitigate risk of lost keys |
Ensure you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.
How to enable soft delete and purge protection in Key Vault: https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Data |
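What the two settings named in BR-4 actually buy you is a recovery window that nobody can shorten. The following Python is an added example, not from the benchmark: it holds two constructed vault objects in the shape of the ARM `Microsoft.KeyVault/vaults` properties block (`enableSoftDelete`, `softDeleteRetentionInDays`, `enablePurgeProtection`), the weak configuration beside the hardened one, checks them against the control, and computes the window in which a deleted key can still be recovered. The vault names and the 90-day retention value are assumed.

```python
"""Deletion-protection posture of Azure Key Vault resources and the
recovery window it gives you. Added example; the vault objects are
constructed in the shape of the ARM Microsoft.KeyVault/vaults
'properties' block."""
from datetime import date, timedelta

# Constructed: the weak configuration (nothing protects against deletion)
# beside the hardened one this control asks for.
WEAK_VAULT = {
    "name": "kv-weak",
    "properties": {"enableSoftDelete": False, "enablePurgeProtection": False},
}
HARDENED_VAULT = {
    "name": "kv-hardened",
    "properties": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": True,
    },
}


def assess_vault(vault):
    """Return findings for the vault; an empty list means BR-4 is met."""
    p = vault["properties"]
    findings = []
    if not p.get("enableSoftDelete", False):
        findings.append("soft delete disabled: a deleted key or secret is "
                        "unrecoverable immediately")
    if not p.get("enablePurgeProtection", False):
        findings.append("purge protection disabled: a soft-deleted item can "
                        "still be purged permanently before its retention ends")
    return findings


def recovery_window(vault, deleted_on):
    """Last day on which an item deleted on `deleted_on` can be recovered,
    or None when soft delete is off. Retention defaults to 90 days when
    the property is absent, as it does in Azure."""
    p = vault["properties"]
    if not p.get("enableSoftDelete", False):
        return None
    return deleted_on + timedelta(days=p.get("softDeleteRetentionInDays", 90))


def guaranteed_recoverable(vault, deleted_on, today):
    """True only when the item is inside its retention window AND purge
    protection guarantees nobody, administrators included, could have
    purged it early. Soft delete without purge protection gives a window
    that holds only as long as no one with permission purges the item."""
    end = recovery_window(vault, deleted_on)
    return (end is not None and today <= end
            and bool(vault["properties"].get("enablePurgeProtection")))


if __name__ == "__main__":
    for v in (WEAK_VAULT, HARDENED_VAULT):
        print(v["name"], assess_vault(v) or ["compliant"])
        print("  item deleted 2024-01-01 recoverable until:",
              recovery_window(v, date(2024, 1, 1)))
```

The distinction `guaranteed_recoverable` draws is the reason the control asks for both settings: soft delete alone protects against accidental deletion, while purge protection is what removes the malicious-deletion case, because the purge operation itself is refused until retention expires.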
11 |
DP-1 |
Data Protection |
Shared |
Discover, classify, and label sensitive data |
Discover, classify, and label your sensitive data so that you can design the appropriate controls to ensure sensitive information is stored, processed, and transmitted securely by the organization's technology systems.
Use Azure Information Protection (and its associated scanning tool) for sensitive information within Office documents on Azure, on-premises, on Office 365, and in other locations.
You can use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.
Tag sensitive information using Azure Information Protection: https://docs.microsoft.com/azure/information-protection/what-is-information-protection
How to implement Azure SQL Data Discovery: https://docs.microsoft.com/azure/sql-database/sql-database-data-discovery-and-classification |
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-securi |
12 |
DP-2 |
Data Protection |
Shared |
Protect sensitive data |
Protect sensitive data by restricting access using Azure Role Based Access Control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases).
To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.
For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.
Azure Role Based Access Control (RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview
Understand customer data protection in Azure: https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data |
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-securi |
13 |
DP-3 |
Data Protection |
Shared |
Monitor for unauthorized transfer of sensitive data |
Monitor for unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration.
Azure Storage Advanced Threat Protection (ATP) and Azure SQL ATP can alert on anomalous transfer of information that might indicate unauthorized transfers of sensitive information.
Azure Information Protection (AIP) provides monitoring capabilities for information that has been classified and labeled.
If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution to enforce detective and/or preventive controls against data exfiltration.
Enable Azure SQL ATP: https://docs.microsoft.com/azure/azure-sql/database/threat-detection-overview
Enable Azure Storage ATP: https://docs.microsoft.com/azure/storage/common/storage-advanced-threat-protection?tabs=azure-security-center |
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Infr |
14 |
DP-4 |
Data Protection |
Shared |
Encrypt sensitive information in transit |
To complement access controls, data in transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
While this is optional for traffic on private networks, it is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsolete SSL, TLS, and SSH versions and protocols, and weak ciphers, should be disabled.
By default, Azure provides encryption for data in transit between Azure data centers.
Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem
Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-e |
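DP-4 has a client side and a server side, and both are checkable. The following Python is an added example, not code from the benchmark: it builds a client `ssl` context that will not negotiate below TLS 1.2 and keeps certificate verification on (beside the anti-pattern with verification switched off), and checks the server-side setting on constructed Azure Storage account objects in the shape of the ARM `Microsoft.Storage/storageAccounts` properties block (`supportsHttpsTrafficOnly`, `minimumTlsVersion`). The cipher string, the account names and the choice to flag an unset `minimumTlsVersion` are assumptions, not something the benchmark specifies.

```python
"""TLS baseline for data in transit: a client that will not negotiate
below TLS 1.2, beside a check of the matching server-side setting on an
Azure Storage account. Added example; the storage-account objects are
constructed in the shape of the ARM Microsoft.Storage/storageAccounts
'properties' block."""
import ssl


def tls_client_context():
    """Client SSLContext for Azure endpoints: TLS 1.2 as the floor (SSLv3,
    TLS 1.0 and 1.1 are refused at handshake), certificate verification
    and hostname checking left on, and the TLS 1.2 cipher list limited to
    forward-secret AEAD suites (assumed string; TLS 1.3 suites are
    configured separately by OpenSSL and stay enabled)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES")
    return ctx


def weak_client_context():
    """The anti-pattern: verification switched off, so any certificate is
    accepted and the connection can be intercepted. Shown only so the
    baseline check below has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_baseline(ctx):
    """Check any SSLContext (yours or a library's) against the DP-4 floor."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


# Server side. Ranking of the values the storage-account property takes.
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}

# Constructed storage accounts: legacy settings beside the hardened ones.
STORAGE_ACCOUNTS = [
    {"name": "stlegacy", "properties": {"supportsHttpsTrafficOnly": False,
                                        "minimumTlsVersion": "TLS1_0"}},
    {"name": "sthardened", "properties": {"supportsHttpsTrafficOnly": True,
                                          "minimumTlsVersion": "TLS1_2"}},
]


def assess_storage_account(account):
    """Findings for the server side of DP-4; empty when compliant. A missing
    minimumTlsVersion is reported rather than assumed to be safe."""
    p = account["properties"]
    findings = []
    if not p.get("supportsHttpsTrafficOnly", False):
        findings.append("unencrypted HTTP accepted (supportsHttpsTrafficOnly=false)")
    v = p.get("minimumTlsVersion")
    if v is None:
        findings.append("minimumTlsVersion not set; set it explicitly to TLS1_2")
    elif TLS_RANK.get(v, -1) < TLS_RANK["TLS1_2"]:
        findings.append(f"minimumTlsVersion={v}; raise it to TLS1_2")
    return findings


if __name__ == "__main__":
    print("hardened client meets baseline:", context_meets_baseline(tls_client_context()))
    print("weak client meets baseline:", context_meets_baseline(weak_client_context()))
    for acct in STORAGE_ACCOUNTS:
        print(acct["name"], assess_storage_account(acct) or ["compliant"])
```

Raising `minimumTlsVersion` on the account is what enforces the floor for every client, including ones you do not control; the client-side context only protects the connections your own code opens, so the two checks are complementary rather than alternatives.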
15 |
DP-5 |
Data Protection |
Shared |
Encrypt sensitive data at rest |
To complement access controls, data at rest should be protected against ‘out of band’ attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.
Azure provides encryption for data at rest by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure provides options to manage your own keys (customer managed keys) for certain Azure services.
Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services
How to configure customer managed encryption keys: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal
Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models
Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-at-rest |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-e |
16 |
ES-1 |
Endpoint Security |
Customer |
Use Endpoint Detection and Response (EDR) |
Enable Endpoint Detection and Response (EDR) capabilities for servers and clients and integrate with SIEM and Security Operations processes.
Microsoft Defender Advanced Threat Protection provides EDR capability as part of an enterprise endpoint security platform to prevent, detect, investigate, and respond to advanced threats.
Microsoft Defender Advanced Threat Protection Overview: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection
Microsoft Defender ATP service for Windows servers: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints
Microsoft Defender ATP service for non-Windows servers: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Security C |
17 |
ES-2 |
Endpoint Security |
Customer |
Use centrally managed modern anti-malware software |
Use a centrally managed endpoint anti-malware solution capable of real-time and periodic scanning.
Azure Security Center can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and report the endpoint protection running status and make recommendations.
Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). For Linux VMs, use a third-party anti-malware solution. You can also use Azure Security Center's threat detection for data services to detect malware uploaded to Azure Storage accounts.
How to configure Microsoft Antimalware for Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware
Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Security C |
18 |
ES-3 |
Endpoint Security |
Customer |
Ensure anti-malware software and signatures are updated |
Ensure anti-malware signatures are updated rapidly and consistently.
Follow the recommendations in Azure Security Center: "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. Microsoft Antimalware automatically installs the latest signatures and engine updates by default. For Linux, use a third-party anti-malware solution.
How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware
Endpoint protection assessment and recommendations in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Security C |
19 |
GS-1 |
Governance and Strategy |
Customer |
Define asset management and data protection strategy |
Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.
This strategy should include documented guidance, policy, and standards for the following elements:
- Data classification standard in accordance with the business risks
- Security organization visibility into risks and asset inventory
- Security organization approval of Azure services for use
- Security of assets through their lifecycle
- Required access control strategy in accordance with organizational data classification
- Use of Azure native and third party data protection capabilities
- Data encryption requirements for in-transit and at-rest use cases
- Appropriate cryptographic standards
For more information, see the following references:
Azure Security Architecture Recommendation - Storage, data, and encryption: https://docs.microsoft.com/azure/architecture/framework/security/storage-data-encryption?toc=/security/compass/toc.json&bc=/security/compass/breadcrumb/toc.json
Azure Security Fundamentals - Azure Data security, encryption, and storage: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview
Cloud Adoption Framework - Azure data security and encryption best practices: https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices?toc=/azure/cloud-adoption-framework/toc.json&bc=/azure/cloud-adoption-framework/_bread/toc.json
Azure Security Benchmark - Asset management: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-asset-management
Azure Security Benchmark - Data Protection: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-data-protection |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
20 |
GS-2 |
Governance and Strategy |
Customer |
Define enterprise segmentation strategy |
Establish an enterprise-wide strategy for segmenting access to assets using a combination of identity, network, application, subscription, management group, and other controls.
Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.
Ensure that the segmentation strategy is implemented consistently across control types, including network security, identity and access models, application permission/access models, and human process controls.
Guidance on segmentation strategy in Azure (video): https://docs.microsoft.com/en-us/security/compass/microsoft-security-compass-introduction#azure-components-and-reference-model-2151
Guidance on segmentation strategy in Azure (document): https://docs.microsoft.com/en-us/security/compass/governance#enterprise-segmentation-strategy
Align network segmentation with enterprise segmentation strategy: https://docs.microsoft.com/en-us/security/compass/network-security-containment#align-network-segmentation-with-enterprise-segmentation-strategy |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
21 |
GS-3 |
Governance and Strategy |
Customer |
Define security posture management strategy |
Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high value assets and highly-exposed attack surfaces, such as published applications, network ingress and egress points, user and administrator endpoints, etc.
Azure Security Benchmark - Posture and vulnerability management: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-posture-vulnerability-management |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
22 |
GS-4 |
Governance and Strategy |
Customer |
Align organization roles, responsibilities, and accountabilities |
Ensure you document and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educating technical teams on the technology used to secure the cloud.
Azure Security Best Practice 1 – People: Educate Teams on Cloud Security Journey: https://aka.ms/AzSec1
Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology: https://aka.ms/AzSec2
Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions: https://aka.ms/AzSec3 |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
23 |
GS-5 |
Governance and Strategy |
Customer |
Define network security strategy |
Establish an Azure network security approach as part of your organization’s overall security access control strategy.
This strategy should include documented guidance, policy, and standards for the following elements:
- Centralized network management and security responsibility
- Virtual network segmentation model aligned with the enterprise segmentation strategy
- Remediation strategy in different threat and attack scenarios
- Internet edge and ingress and egress strategy
- Hybrid cloud and on-premises interconnectivity strategy
- Up-to-date network security artifacts (e.g. network diagrams, reference network architecture)
For more information, see the following references:
Azure Security Best Practice 11 - Architecture. Single unified security strategy: https://aka.ms/AzSec11
Azure Security Benchmark - Network Security: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-network-security
Azure network security overview: https://docs.microsoft.com/azure/security/fundamentals/network-overview
Enterprise network architecture strategy: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
24 |
GS-6 |
Governance and Strategy |
Customer |
Define identity and privileged access strategy |
Establish Azure identity and privileged access approaches as part of your organization’s overall security access control strategy.
This strategy should include documented guidance, policy, and standards for the following elements:
- A centralized identity and authentication system and its interconnectivity with other internal and external identity systems
- Strong authentication methods in different use cases and conditions
- Protection of highly privileged users
- Monitoring and handling of anomalous user activity
- User identity and access review and reconciliation process
For more information, see the following references:
Azure Security Benchmark - Identity management: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-identity-management
Azure Security Benchmark - Privileged access: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-privileged-access
Azure Security Best Practice 11 - Architecture. Single unified security strategy: https://aka.ms/AzSec11
Azure identity management security overview: https://docs.microsoft.com/azure/security/fundamentals/identity-management-overview |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
25 |
GS-7 |
Governance and Strategy |
Customer |
Define logging and threat response strategy |
Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high quality alerts and seamless experiences so that they can focus on threats rather than integration and manual steps.
This strategy should include documented guidance, policy, and standards for the following elements:
- The security operations (SecOps) organization’s role and responsibilities
- A well-defined incident response process aligning with NIST or another industry framework
- Log capture and retention to support threat detection, incident response, and compliance needs
- Centralized visibility of, and correlation of information about, threats, using SIEM, native Azure capabilities, and other sources
- Communication and notification plan with your customers, suppliers, and public parties of interest
- Use of Azure native and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication
- Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention
For more information, see the following references:
Azure Security Benchmark - Logging and threat detection: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-logging-threat-detection
Azure Security Benchmark - Incident response: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-incident-response
Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud: https://aka.ms/AzSec4
Azure Adoption Framework, logging, and reporting decision guide: https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/
Azure enterprise scale, management, and monitoring: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
26 |
GS-8 |
Governance and Strategy |
Customer |
Define backup and recovery strategy |
Establish an Azure backup and recovery strategy for your organization.
This strategy should include documented guidance, policy, and standards for the following elements:
- Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives
- Redundancy design in your applications and infrastructure setup
- Protection of backup using access control and data encryption
For more information, see the following references:
Azure Security Benchmark - Backup and recovery: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-backup-recovery
Azure Well-Architected Framework - Backup and disaster recovery for Azure applications: https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery
Azure Adoption Framework - business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
27 |
27 |
IM-1 |
Identity Management |
Customer |
Standardize Azure Active Directory as the central identity and authentication system |
Azure Active Directory (Azure AD) is Azure's default identity and access management service. You should standardize on Azure AD to govern your organization’s identity and access management in:
- Microsoft cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
- Your organization's resources, such as applications on Azure or your corporate network resources.
Securing Azure AD should be a high priority in your organization’s cloud security practice. Azure AD provides an identity secure score to help you assess your identity security posture relative to Microsoft’s best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.
Note: Azure AD supports external identity providers, which allow users without a Microsoft account to sign in to their applications and resources with their external identity.
Tenancy in Azure AD: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps
How to create and configure an Azure AD instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
Define Azure AD tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/
Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers
What is the identity secure score in Azure AD: https://docs.microsoft.com/azure/active-directory/fundamentals/identity-secure-score |
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Applicatio |
28 |
28 |
IM-2 |
Identity Management |
Customer |
Manage application identities securely and automatically |
For non-human accounts such as services or automation, use Azure managed identities, instead of creating a more powerful human account to access resources or execute code. Azure managed identities can authenticate to Azure services and resources that support Azure AD authentication. Authentication is enabled through pre-defined access grant rules, avoiding hard-coded credentials in source code or configuration files.
For services that do not support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level instead. Configure service principals with certificate credentials where possible and fall back to client secrets only when necessary. In both cases, Azure Key Vault can be used in conjunction with Azure managed identities, so that the runtime environment (such as an Azure function) can retrieve the credential from the key vault.
Azure managed identities: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview
Services that support managed identities for Azure resources: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities
Azure service principal: https://docs.microsoft.com/powershell/azure/create-azure-service-principal-azureps
Create a service principal with certificates: https://docs.microsoft.com/azure/active-directory/develop/howto-authenticate-service-principal-powershell
Use Azure Key Vault for security principal registration: https://docs.microsoft.com/azure/key-vault/general/authentication#security-principal-registration |
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application |
29 |
29 |
IM-3 |
Identity Management |
Customer |
Use Azure AD single sign-on (SSO) for application access |
Azure AD provides identity and access management to Azure resources, cloud applications, and on-premises applications. Identity and access management applies to enterprise identities such as employees, as well as external identities such as partners, vendors, and suppliers.
Use Azure AD single sign-on (SSO) to manage and secure access to your organization’s data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless, secure access, and greater visibility and control.
Understand application SSO with Azure AD: https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Applicatio |
30 |
30 |
IM-4 |
Identity Management |
Customer |
Use strong authentication controls for all Azure Active Directory based access |
Azure AD supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods.
- Multi-factor authentication: Enable Azure AD MFA and follow the Azure Security Center identity and access management recommendations for your MFA setup. MFA can be enforced tenant-wide for all users, for selected users, or conditionally per user based on sign-in conditions and risk factors.
- Passwordless authentication: Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards.
For administrator and privileged users, ensure the highest level of the strong authentication method is used, followed by rolling out the appropriate strong authentication policy to other users.
If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user accounts created directly in Azure AD) have a default baseline password policy, while hybrid accounts (user accounts synchronized from on-premises Active Directory) follow the on-premises password policies. When using password-based authentication, Azure AD provides a password protection capability that prevents users from setting passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (for example, branding and cultural references). This password protection can be used for cloud-only and hybrid accounts.
Note: Authentication based on password credentials alone is susceptible to popular attack methods. For higher security, use strong authentication such as MFA and a strong password policy. For third-party applications and marketplace services that may have default passwords, you should change them during initial service setup.
How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted
Introduction to passwordless authentication options for Azure Active Directory: https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless
Azure AD default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts
Eliminate bad passwords using Azure AD Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Applicatio |
31 |
31 |
IM-5 |
Identity Management |
Customer |
Monitor and alert on account anomalies |
Azure AD provides the following data sources:
- Sign-ins – The sign-ins report provides information about the usage of managed applications and user sign-in activities.
- Audit logs - Provides traceability through logs for all changes made through various features in Azure AD. Examples of logged changes audit logs include adding or removing users, apps, groups, roles, and policies.
- Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
These data sources can be integrated with Azure Monitor, Azure Sentinel, or third-party SIEM systems.
Azure Security Center can also alert on certain suspicious activities such as an excessive number of failed authentication attempts, and deprecated accounts in the subscription.
Azure Advanced Threat Protection (ATP) is a security solution that can use on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.
Audit activity reports in Azure AD: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs
How to view Azure AD risky sign-ins: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-risky-sign-ins
How to identify Azure AD users flagged for risky activity: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-user-at-risk
How to monitor users' identity and access activity in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-identity-access
Alerts in Azure Security Center's threat intelligence protection module: https://docs.microsoft.com/azure/security-center/alerts-reference
How to integrate Azure activity logs into Azure Monitor: https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics
Connect data from Azure AD Identity Protection: https://docs.microsoft.com/azure/sentinel/connect-azure-ad-identity-protection
Azure Advanced Threat Protection: https://docs.microsoft.com/azure-advanced-threat-protection/what-is-atp |
Application security and DevSecOps: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud- |
32 |
32 |
IM-6 |
Identity Management |
Customer |
Restrict Azure resource access based on conditions |
Use Azure AD Conditional Access for more granular access control based on user-defined conditions, such as requiring MFA for user sign-ins from certain IP ranges. Granular authentication session management (sign-in frequency and persistent browser sessions) can also be configured through Azure AD Conditional Access policies for different use cases.
Azure Conditional Access overview: https://docs.microsoft.com/azure/active-directory/conditional-access/overview
Common Conditional Access policies: https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common
Configure authentication session management with Conditional Access: https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime |
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application |
33 |
33 |
IM-7 |
Identity Management |
Customer |
Eliminate unintended credential exposure |
Implement Azure DevOps Credential Scanner to identify credentials within the code. Credential Scanner also encourages moving discovered credentials to more secure locations such as Azure Key Vault.
For GitHub, you can use the native secret scanning feature to identify credentials or other forms of secrets within the code.
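The following is an added example (not Credential Scanner, GitHub secret scanning, or any Microsoft code) showing what a scanner of this kind does: it walks source text line by line, matches credential shapes such as the AccountKey in an Azure Storage connection string and secret-like variable names assigned a quoted literal, and scores each hit's entropy so obvious placeholders can be triaged apart from likely real keys. The sample source and the storage key in it are constructed; the key has the 88-character base64 shape of a real one but is a sequential string. The 3.5-bit entropy floor is an assumed tuning value, not a Microsoft recommendation.

```python
"""Added example: a minimal credential scanner over source text.

Finds committed secrets by shape (Azure Storage AccountKey) and by secret-like
variable names assigned a quoted literal, then scores each hit's entropy so
obvious placeholders can be triaged separately from likely real credentials.
"""
import math
import re
import string
from collections import Counter

PATTERNS = {
    # 88-character base64 key inside a Storage connection string
    "azure_storage_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    # secret-like name assigned a quoted literal of 8+ characters
    "generic_secret": re.compile(
        r"(?i)\b(?:client_secret|password|passwd|api[_-]?key|secret)\b"
        r"\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
}


def shannon_entropy(value):
    """Bits per character; generated keys sit well above human-chosen placeholders."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, entropy_floor=3.5):
    """Return one finding per matched credential in `text` (1-based line numbers)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                entropy = shannon_entropy(value)
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "entropy": round(entropy, 2),
                    # low entropy usually means a placeholder; still worth a look
                    "placeholder": entropy < entropy_floor,
                    # never echo the secret itself into scanner output
                    "preview": value[:4] + "*" * (len(value) - 4),
                })
    return findings


# Constructed sample key: 86 sequential base64 characters plus padding, so it
# has the shape and entropy of a real key without being one.
FAKE_STORAGE_KEY = ((string.ascii_letters + string.digits + "+/") * 2)[:86] + "=="

# Constructed source snippet, not real code or credentials.
SAMPLE_SOURCE = f"""\
# settings.py (constructed)
STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=contosodata;AccountKey={FAKE_STORAGE_KEY};EndpointSuffix=core.windows.net"
client_secret = "Q~constructed.secret.value.0123456789abcdef"
password = "changeme1"
api_key = os.environ["API_KEY"]   # read from the environment, not flagged
endpoint = "https://contoso.vault.azure.net/"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(finding)
```

Findings that are not placeholders are the ones to rotate first and move into Key Vault; the preview field exists so the scanner's own output never becomes a second copy of the secret.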
How to setup Credential Scanner: https://secdevtools.azurewebsites.net/helpcredscan.html
GitHub secret scanning: https://docs.github.com/github/administering-a-repository/about-secret-scanning |
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-pos |
34 |
34 |
IM-8 |
Identity Management |
Customer |
Secure user access to legacy applications |
Ensure you have modern access controls and session monitoring for legacy applications and the data they store and process. While VPNs are commonly used to access legacy applications, they often have only basic access control and limited session monitoring.
Azure AD Application Proxy enables you to publish legacy on-premises applications to remote users with single sign-on (SSO) while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access.
Alternatively, Microsoft Cloud App Security is a cloud access security broker (CASB) service that can provide controls for monitoring a user’s application sessions and blocking actions (for both legacy on-premises applications and cloud software as a service (SaaS) applications).
Azure AD Application Proxy: https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy
Microsoft Cloud App Security best practices: https://docs.microsoft.com/cloud-app-security/best-practices |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Ap |
35 |
35 |
IR-1 |
Incident Response |
Customer |
Preparation – update incident response process for Azure |
Ensure your organization has processes to respond to security incidents, has updated these processes for Azure, and is regularly exercising them to ensure readiness.
Implement security across the enterprise environment: https://aka.ms/AzSec4
Incident response reference guide: https://docs.microsoft.com/microsoft-365/downloads/IR-Reference-Guide.pdf |
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
T |
36 |
36 |
IR-2 |
Incident Response |
Customer |
Preparation – setup incident notification |
Set up security incident contact information in Azure Security Center. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notifications in different Azure services based on your incident response needs.
How to set the Azure Security Center security contact: https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details |
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation |
37 |
37 |
IR-3 |
Incident Response |
Customer |
Detection and analysis – create incidents based on high quality alerts |
Ensure you have a process to create high quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don’t waste time on false positives.
High quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.
Azure Security Center provides high quality alerts across many Azure assets. You can use the ASC data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation.
Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.
How to configure export: https://docs.microsoft.com/azure/security-center/continuous-export
How to stream alerts into Azure Sentinel: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center |
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
T |
38 |
38 |
IR-4 |
Incident Response |
Customer |
Detection and analysis – investigate an incident |
Ensure analysts can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference.
The data sources for investigation include the centralized logging sources that are already being collected from the in-scope services and running systems, but can also include:
- Network data – use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information.
- Snapshots of running systems:
- Use the Azure virtual machine snapshot capability to create a snapshot of the running system's disk.
- Use the operating system's native memory dump capability to create a snapshot of the running system's memory.
- Use the snapshot feature of the Azure services or your software's own capability to create snapshots of the running systems.
Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes.
Snapshot a Windows machine's disk: https://docs.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk
Snapshot a Linux machine's disk: https://docs.microsoft.com/azure/virtual-machines/linux/snapshot-copy-managed-disk
Microsoft Azure Support diagnostic information and memory dump collection: https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/
Investigate incidents with Azure Sentinel: https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases |
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
T |
39 |
39 |
IR-5 |
Incident Response |
Customer |
Detection and analysis – prioritize incidents |
Provide context to analysts on which incidents to focus on first based on alert severity and asset sensitivity.
Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.
Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
Security alerts in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-alerts-overview
Use tags to organize your Azure resources: https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags |
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
T |
40 |
40 |
IR-6 |
Incident Response |
Customer |
Containment, eradication and recovery – automate the incident handling |
Automate manual repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays, and degrades the ability of analysts to focus effectively on complex tasks.
Use workflow automation features in Azure Security Center and Azure Sentinel to automatically trigger actions or run a playbook to respond to incoming security alerts. The playbook takes actions, such as sending notifications, disabling accounts, and isolating problematic networks.
Configure workflow automation in Security Center: https://docs.microsoft.com/azure/security-center/workflow-automation
Set up automated threat responses in Azure Security Center: https://docs.microsoft.com/azure/security-center/tutorial-security-incident#triage-security-alerts
Set up automated threat responses in Azure Sentinel: https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook |
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
T |
41 |
41 |
LT-1 |
Logging and Threat Detection |
Customer |
Enable threat detection for Azure resources |
Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.
Use the Azure Security Center built-in threat detection capability, which is based on monitoring Azure service telemetry and analyzing service logs. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the system and copies the data to your workspace for analysis.
In addition, use Azure Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. The rules generate incidents when the criteria are matched, so that you can investigate each incident. Azure Sentinel can also import third party threat intelligence to enhance its threat detection capability.
Threat protection in Azure Security Center: https://docs.microsoft.com/azure/security-center/threat-protection
Azure Security Center security alerts reference guide: https://docs.microsoft.com/azure/security-center/alerts-reference
Create custom analytics rules to detect threats: https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom
Cyber threat intelligence with Azure Sentinel: https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operati |
42 |
42 |
LT-2 |
Logging and Threat Detection |
Customer |
Enable threat detection for Azure identity and access management |
Azure AD provides the following user logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-ins – The sign-ins report provides information about the usage of managed applications and user sign-in activities.
- Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.
- Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
Azure Security Center can also alert on certain suspicious activities such as an excessive number of failed authentication attempts, and deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Azure Security Center’s Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources.
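As an added example (not part of the benchmark and not Microsoft code) serving both this control and IM-5 above, the following Python applies two of the detections named here to records shaped like Azure AD SigninLogs rows: excessive failed sign-ins for one account inside a time window, and a password spray in which one source IP fails once against many accounts and so never trips the per-account threshold. The records, user names, addresses, thresholds and windows are constructed for the example; treating only ResultType 50126 (invalid username or password) as a failure is an assumption, chosen so that interrupt codes such as an MFA challenge are not counted.

```python
"""Added example: flag account anomalies in Azure AD sign-in data.

Two detections over records shaped like Azure AD SigninLogs rows:
  1. excessive failed sign-ins for one account inside a sliding time window
  2. password spray: one source IP failing against many distinct accounts
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# ResultType "0" is a successful sign-in; "50126" is "invalid username or
# password". Only clear credential failures are counted here (assumption);
# interrupt codes such as an MFA challenge must not be treated as failures.
FAILED_RESULT_TYPES = {"50126"}


def _rec(ts, user, ip, result):
    """Build one constructed sign-in record (field names follow SigninLogs)."""
    return {"TimeGenerated": ts, "UserPrincipalName": user,
            "IPAddress": ip, "ResultType": result}


# Constructed sample data, not real telemetry. alice: six bad passwords then a
# success (brute force); bob: two typos then a success (normal); 192.0.2.50:
# one failure against each of six different accounts (password spray).
SAMPLE_SIGNINS = (
    [_rec(f"2021-03-01T08:0{i}:00Z", "alice@contoso.example", "203.0.113.10", "50126")
     for i in range(6)]
    + [_rec("2021-03-01T08:06:00Z", "alice@contoso.example", "203.0.113.10", "0")]
    + [_rec("2021-03-01T09:00:00Z", "bob@contoso.example", "198.51.100.7", "50126"),
       _rec("2021-03-01T09:01:00Z", "bob@contoso.example", "198.51.100.7", "50126"),
       _rec("2021-03-01T09:02:00Z", "bob@contoso.example", "198.51.100.7", "0")]
    + [_rec(f"2021-03-01T10:{10 + 2 * i:02d}:00Z", f"user{i}@contoso.example", "192.0.2.50", "50126")
       for i in range(6)]
)


def parse_time(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_sign_ins(records):
    """Return sorted (time, user, ip) tuples for every credential failure."""
    return sorted(
        (parse_time(r["TimeGenerated"]), r["UserPrincipalName"], r["IPAddress"])
        for r in records if r["ResultType"] in FAILED_RESULT_TYPES
    )


def excessive_failures(records, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold failures inside any sliding window.

    Returns {user: peak_failure_count}.
    """
    by_user = defaultdict(list)
    for ts, user, _ip in failed_sign_ins(records):
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        peak, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def password_spray(records, min_users=5, window=timedelta(minutes=30)):
    """Source IPs whose failures hit >= min_users distinct accounts in a window.

    Returns {ip: peak_distinct_user_count}. A spray stays under the per-account
    threshold above, which is why this second, per-source view is needed.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in failed_sign_ins(records):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        peak = 0
        for i, (start_ts, _user) in enumerate(events):
            users = {u for ts, u in events[i:] if ts - start_ts <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print("excessive failures:", excessive_failures(SAMPLE_SIGNINS))
    print("password spray:", password_spray(SAMPLE_SIGNINS))
```

The same two aggregations are what an analytics rule in Azure Sentinel would express over the SigninLogs table; the point of the per-source view is that a spray of one attempt per account is invisible to any per-account counter.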
Audit activity reports in Azure AD: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs
Enable Azure Identity Protection: https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection
Threat protection in Azure Security Center: https://docs.microsoft.com/azure/security-center/threat-protection |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operati |
43 |
43 |
LT-3 |
Logging and Threat Detection |
Customer |
Enable logging for Azure network activities |
Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs for security analysis to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.
Ensure you are collecting DNS query logs to assist in correlating other network data.
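An added example (not part of the benchmark and not Microsoft code) of working with NSG flow logs once they have been collected: a parser for the version 2 JSON format, then two queries a hunter would run first, sources denied inbound on many distinct destination ports (a port-scan indicator) and bytes per matched rule. The flow log blob, addresses, MAC and rule names are constructed for the example; the tuple layout follows the published version 2 schema. The parser reads the tuples positionally, so denied flows, which carry empty packet and byte counters, are handled explicitly.

```python
"""Added example: parse NSG flow log (version 2) JSON and pull security signals from it.

Each flowTuples entry is a comma-separated string:
  unixtime,srcIp,dstIp,srcPort,dstPort,proto(T/U),direction(I/O),decision(A/D),
  state(B/C/E),packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc
Denied flows carry empty counters, which the parser must tolerate.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

TUPLE_FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction", "decision",
                "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")

# Constructed flow log blob, not real telemetry: one scanning source denied on
# five ports, one source denied on a single port, and one allowed HTTPS session.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2021-03-01T08:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-WEB"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1614585600,203.0.113.5,10.0.1.4,40001,22,T,I,D,B,,,,",
            "1614585601,203.0.113.5,10.0.1.4,40002,3389,T,I,D,B,,,,",
            "1614585602,203.0.113.5,10.0.1.4,40003,445,T,I,D,B,,,,",
            "1614585603,203.0.113.5,10.0.1.4,40004,1433,T,I,D,B,,,,",
            "1614585604,203.0.113.5,10.0.1.4,40005,8080,T,I,D,B,,,,",
            "1614585610,192.0.2.9,10.0.1.4,51000,23,T,I,D,B,,,,",
        ]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1614585605,198.51.100.7,10.0.1.4,52100,443,T,I,A,B,10,1200,8,900",
            "1614585640,198.51.100.7,10.0.1.4,52100,443,T,I,A,E,30,3400,25,5100",
        ]}]},
    ]},
}]})


def parse_tuple(raw):
    """Turn one version 2 flow tuple string into a dict with typed fields."""
    parts = raw.split(",")
    if len(parts) != len(TUPLE_FIELDS):
        raise ValueError(f"expected {len(TUPLE_FIELDS)} v2 tuple fields, got {len(parts)}: {raw!r}")
    flow = dict(zip(TUPLE_FIELDS, parts))
    flow["ts"] = datetime.fromtimestamp(int(flow["ts"]), tz=timezone.utc)
    for key in ("sport", "dport"):
        flow[key] = int(flow[key])
    for key in ("pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"):
        flow[key] = int(flow[key]) if flow[key] else 0  # denied flows have no counters
    return flow


def parse_flow_log(text):
    """Flatten a flow log JSON document into one dict per flow tuple."""
    flows = []
    for record in json.loads(text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError("this parser handles NSG flow log version 2 only")
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_block in props["flows"]:
            for per_mac in rule_block["flows"]:
                for raw in per_mac["flowTuples"]:
                    flow = parse_tuple(raw)
                    flow.update(nsg=nsg, rule=rule_block["rule"], mac=per_mac["mac"])
                    flows.append(flow)
    return flows


def denied_inbound_ports(flows, min_ports=3):
    """Sources denied inbound on >= min_ports distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        if f["direction"] == "I" and f["decision"] == "D":
            ports[f["src"]].add(f["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def bytes_by_rule(flows):
    """Total bytes in both directions per NSG rule that matched."""
    totals = Counter()
    for f in flows:
        totals[f["rule"]] += f["bytes_s2d"] + f["bytes_d2s"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    print(len(flows), "flows from", flows[0]["nsg"])
    print("port-scan suspects:", denied_inbound_ports(flows))
    print("bytes by rule:", bytes_by_rule(flows))
```

Traffic Analytics produces similar aggregates from the same blobs; the value of a local parser is being able to run the same questions against an exported flow log during an investigation, or against logs from a subscription that never had Traffic Analytics enabled.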
How to enable network security group flow logs: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal
Azure Firewall logs and metrics: https://docs.microsoft.com/azure/firewall/logs-and-metrics
How to enable and use Traffic Analytics: https://docs.microsoft.com/azure/network-watcher/traffic-analytics
Monitoring with Network Watcher: https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview
Azure networking monitoring solutions in Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics
Gather insights about your DNS infrastructure with the DNS Analytics solution: https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operati |
44 |
44 |
LT-4 |
Logging and Threat Detection |
Shared |
Enable logging for Azure resources |
Enable logging for Azure resources to meet the requirements for compliance, threat detection, hunting, and incident investigation.
You can use Azure Security Center and Azure Policy to enable resource logs and log data collection on Azure resources for access to audit, security, and resource logs. Activity logs, which are available automatically, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview
Understand Azure Security Center data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection
Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets |
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Infrastructure and endpoint security
Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/orga |
45 |
45 |
LT-5 |
Logging and Threat Detection |
Customer |
Centralize security log management and analysis |
Centralize logging storage and analysis to enable correlation. For each log source, ensure you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements.
Ensure you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.
In addition, enable and onboard data to Azure Sentinel or a third-party SIEM.
Many organizations choose to use Azure Sentinel for “hot” data that is used frequently and Azure Storage for “cold” data that is used less frequently.
How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings
How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security- |
46 |
46 |
LT-6 |
Logging and Threat Detection |
Customer |
Configure log storage retention |
Configure your log retention according to your compliance, regulation, and business requirements.
In Azure Monitor, you can set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage, Azure Data Lake Storage, or a Log Analytics workspace for long-term and archival storage.
Change the data retention period in Log Analytics: https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period
How to configure retention policy for Azure Storage account logs: https://docs.microsoft.com/azure/storage/common/storage-monitor-storage-account#configure-logging
Azure Security Center alerts and recommendations export: https://docs.microsoft.com/azure/security-center/continuous-export |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security- |
47 |
LT-7 |
Logging and Threat Detection |
Shared |
Use approved time synchronization sources |
Microsoft maintains time sources for most Azure PaaS and SaaS services. For your virtual machines, use the Microsoft default NTP server for time synchronization unless you have a specific requirement. If you need to stand up your own Network Time Protocol (NTP) server, ensure you secure UDP service port 123.
All logs generated by resources within Azure provide time stamps with the time zone specified by default.
How to configure time synchronization for Azure Windows compute resources: https://docs.microsoft.com/azure/virtual-machines/windows/time-sync
How to configure time synchronization for Azure Linux compute resources: https://docs.microsoft.com/azure/virtual-machines/linux/time-sync
How to disable inbound UDP for Azure services: https://support.microsoft.com/help/4558520/how-to-disable-inbound-udp-for-azure-services |
Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-securi |
48 |
NS-1 |
Network Security |
Customer |
Implement security for internal traffic |
Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with a network security group (NSG), Azure Firewall, or both.
Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on network security group rules. For specific well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach. This might not scale well if you have many applications and endpoints interacting with each other. You can also use Azure Firewall in circumstances where central management is required over a large number of enterprise segments or spokes (in a hub/spoke topology).
Use Azure Security Center Adaptive Network Hardening to recommend network security group configurations that limit ports and source IPs based on observed external network traffic.
Use Azure Sentinel to discover the use of legacy insecure protocols such as SSL/TLSv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos.
How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal
Adaptive Network Hardening in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening
Azure Sentinel insecure protocols workbook: https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application |
49 |
NS-2 |
Network Security |
Customer |
Connect private networks together |
Use Azure ExpressRoute or Azure virtual private network (VPN) to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections do not go over the public internet, and they offer more reliability, faster speeds, and lower latencies than typical internet connections. For point-to-site VPN and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute.
To connect two or more virtual networks in Azure together, use virtual network peering or Private Link. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.
What are the ExpressRoute connectivity models: https://docs.microsoft.com/azure/expressroute/expressroute-connectivity-models
Azure VPN overview: https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways
Virtual network peering: https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview
Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-service-overview |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application S |
50 |
NS-3 |
Network Security |
Customer |
Establish private network access to Azure services |
Use Azure Private Link to enable private access to Azure services from your virtual networks, without crossing the internet. In situations where Azure Private Link is not yet available, use Azure Virtual Network service endpoints. Azure Virtual Network service endpoints provide secure access to services via an optimized route over the Azure backbone network.
Private access is an additional defense-in-depth measure on top of the authentication and traffic security offered by Azure services.
Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview
Understand Virtual Network service endpoints: https://docs.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application S |
51 |
NS-4 |
Network Security |
Customer |
Protect applications and services from external network attacks |
Protect Azure resources against attacks from external networks, including distributed denial of service (DDoS) attacks, application-specific attacks, and unsolicited and potentially malicious internet traffic. Azure includes native capabilities for this:
- Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations.
- Use Web Application Firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application layer attacks.
- Protect your assets against DDoS attacks by enabling Azure DDoS Protection Standard on your Azure virtual networks.
- Use Azure Security Center to detect misconfiguration risks related to the above.
Azure Firewall Documentation: https://docs.microsoft.com/azure/firewall/
How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview
Manage Azure DDoS Protection Standard using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application S |
52 |
NS-5 |
Network Security |
Customer |
Deploy intrusion detection/intrusion prevention systems (IDS/IPS) |
Use Azure Firewall threat intelligence-based filtering to alert on and/or block traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. When payload inspection is required, you can deploy a third-party intrusion detection/intrusion prevention system (IDS/IPS) from Azure Marketplace with payload inspection capabilities. Alternatively, you can use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with or instead of network-based IDS/IPS.
Note: If you have a regulatory or other requirement for IDS/IPS use, ensure that it is always tuned to provide high quality alerts to your SIEM solution.
How to deploy Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal
Azure Marketplace includes third party IDS capabilities: https://azuremarketplace.microsoft.com/marketplace?search=IDS
Microsoft Defender ATP EDR capability: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application S |
53 |
NS-6 |
Network Security |
Customer |
Simplify network security rules |
Simplify network security rules by leveraging service tags and application security groups (ASGs).
Use Virtual Network service tags to define network access controls on network security groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name in the source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
You can also use application security groups to help simplify complex security configuration. Instead of defining policy based on explicit IP addresses in network security groups, application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.
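The NS-1 and NS-6 guidance above (deny by default, permit by exception; service tags and ASGs instead of literal IP addresses) can be made concrete with a small model of how an NSG actually decides. The following is an added example written for this page, not code from the Azure Security Benchmark or from Microsoft: it implements NSG inbound evaluation (ascending priority, first match wins, then the platform default rules AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound at 65000, 65001 and 65500) and resolves service tags and ASGs to address sets before matching. The VNet address space, the tag prefixes, the ASG memberships and the 3-tier rule set are all constructed assumptions; real service tag ranges are Microsoft-managed and change over time.

```python
"""Model of how an Azure network security group (NSG) evaluates inbound traffic:
rules are tried in ascending priority, the first match decides, and the platform's
default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001,
DenyAllInBound 65500) apply after the custom rules. Service tags and application
security groups (ASGs) are resolved to address sets before matching.
Every prefix, tag content and VM address here is constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-ins for Microsoft-managed service tag prefixes.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Storage": ["20.38.0.0/16"],
}
# Constructed ASG membership: NIC addresses grouped by application tier.
ASGS = {
    "asg-web": ["10.0.1.4", "10.0.1.5"],
    "asg-app": ["10.0.2.4"],
    "asg-db": ["10.0.3.4"],
}


@dataclass
class Rule:
    name: str
    priority: int
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR/IP, service tag, or ASG name
    dest: str
    dest_ports: list = field(default_factory=lambda: ["*"])


# Default inbound rules every NSG carries; custom rules must use priority < 65000.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "0.0.0.0/0"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "0.0.0.0/0", "0.0.0.0/0"),
]


def _in_scope(spec: str, addr) -> bool:
    """Does the address fall inside a CIDR, service tag or ASG specification?"""
    if spec == "Internet":  # everything outside the virtual network address space
        return not any(addr in ip_network(p) for p in SERVICE_TAGS["VirtualNetwork"])
    if spec in ASGS:
        return any(addr == ip_address(a) for a in ASGS[spec])
    if spec in SERVICE_TAGS:
        return any(addr in ip_network(p) for p in SERVICE_TAGS[spec])
    return addr in ip_network(spec, strict=False)


def _port_in(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    if rule.protocol != "*" and rule.protocol.lower() != proto.lower():
        return False
    return (_in_scope(rule.source, ip_address(src))
            and _in_scope(rule.dest, ip_address(dst))
            and any(_port_in(port, p) for p in rule.dest_ports))


def evaluate(rules, src: str, dst: str, proto: str, port: int):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, src, dst, proto, port):
            return rule.access, rule.name
    raise RuntimeError("DenyAllInBound matches everything; unreachable")


def overly_broad(rules):
    """Names of Allow rules open to the Internet on every port (a common misconfiguration)."""
    return [r.name for r in rules
            if r.access == "Allow" and r.source in ("Internet", "0.0.0.0/0", "*")
            and r.dest_ports == ["*"]]


# "Deny by default, permit by exception" for a 3-tier app, expressed with ASGs
# and the Internet service tag instead of literal IP addresses.
THREE_TIER = [
    Rule("allow-https-from-internet", 100, "Allow", "Tcp", "Internet", "asg-web", ["443"]),
    Rule("allow-web-to-app", 110, "Allow", "Tcp", "asg-web", "asg-app", ["8080"]),
    Rule("allow-app-to-db", 120, "Allow", "Tcp", "asg-app", "asg-db", ["1433"]),
    # Without this rule, AllowVnetInBound (65000) would still permit any east-west
    # traffic the rules above did not mention.
    Rule("deny-all-vnet", 4000, "Deny", "*", "VirtualNetwork", "VirtualNetwork"),
]

if __name__ == "__main__":
    for src, dst, port in [("203.0.113.7", "10.0.1.4", 443), ("203.0.113.7", "10.0.1.4", 22),
                           ("10.0.1.4", "10.0.3.4", 1433), ("10.0.2.4", "10.0.3.4", 1433)]:
        print(src, "->", dst, port, evaluate(THREE_TIER, src, dst, "Tcp", port))
```

The point worth noticing is the fourth rule: the first three alone look like a tight allow-list, but the web tier could still reach the database on 1433 because the default AllowVnetInBound rule permits all intra-VNet traffic; the explicit deny at priority 4000 is what makes the segmentation deny-by-default inside the VNet as well.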
Understand and use service tags: https://docs.microsoft.com/azure/virtual-network/service-tags-overview
Understand and use application security groups: https://docs.microsoft.com/azure/virtual-network/security-overview#application-security-groups |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application S |
54 |
NS-7 |
Network Security |
Customer |
Secure Domain Name Service (DNS) |
Follow the best practices for DNS security to mitigate common attacks such as dangling DNS, DNS amplification attacks, and DNS poisoning and spoofing.
When Azure DNS is used as your authoritative DNS service, ensure DNS zones and records are protected from accidental or malicious modification using Azure RBAC and resource locks.
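The dangling DNS case in NS-7 is the one that a periodic check catches cheaply: a CNAME still pointing at an Azure-hosted name (or an A record at a public IP) whose backing resource has since been deleted. The following detector is an added example written for this page, not code from the Azure Security Benchmark or from Microsoft. The zone export, the owned-resource inventory and the list of takeover-prone service suffixes are constructed assumptions; in practice the records would come from the authoritative zone and the inventory from Azure Resource Graph, and the suffix list is illustrative rather than exhaustive.

```python
"""Dangling-DNS check (NS-7): flag CNAME records that point at Azure-hosted
names the organization no longer owns, and A records whose public IP is not
in the current inventory.  Zone data, inventory and suffix list are constructed."""

# Azure service suffixes whose hostnames become claimable once the resource is
# deleted (illustrative list, not exhaustive).
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".blob.core.windows.net",
    ".trafficmanager.net",
    ".azureedge.net",
    ".azurefd.net",
)

# Constructed BIND-style zone export.
ZONE_EXPORT = """\
www.contoso.example.           3600 IN CNAME contoso-prod.azurewebsites.net.
old-campaign.contoso.example.  3600 IN CNAME summer2019.azurewebsites.net.
cdn.contoso.example.           3600 IN CNAME contoso-cdn.azureedge.net.
mail.contoso.example.          3600 IN MX    10 mail.protection.outlook.com.
api.contoso.example.           3600 IN A     20.1.2.3
legacy.contoso.example.        3600 IN A     40.5.6.7
"""

# Constructed inventory of hostnames and public IPs the organization currently owns.
OWNED_HOSTNAMES = {"contoso-prod.azurewebsites.net", "contoso-cdn.azureedge.net"}
OWNED_PUBLIC_IPS = {"20.1.2.3"}


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def parse_zone(text: str):
    """Parse lines of the form 'name ttl IN type value...' into (name, type, value)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.append((_normalize(parts[0]), parts[3], " ".join(parts[4:])))
    return records


def is_takeover_prone(target: str) -> bool:
    target = _normalize(target)
    return any(target.endswith(s) for s in TAKEOVER_PRONE_SUFFIXES)


def find_dangling(records, owned_hosts, owned_ips):
    """Return (name, type, target, reason) for records pointing at Azure-hosted
    names or public IPs the organization no longer owns.  A-record hits need
    triage: the IP may legitimately belong to a third party."""
    owned_hosts = {_normalize(h) for h in owned_hosts}
    findings = []
    for name, rtype, value in records:
        if rtype == "CNAME":
            target = _normalize(value)
            if is_takeover_prone(target) and target not in owned_hosts:
                findings.append((name, rtype, target, "CNAME to unowned Azure-hosted name"))
        elif rtype == "A" and value not in owned_ips:
            findings.append((name, rtype, value, "A record to public IP not in inventory"))
    return findings


if __name__ == "__main__":
    for finding in find_dangling(parse_zone(ZONE_EXPORT), OWNED_HOSTNAMES, OWNED_PUBLIC_IPS):
        print(*finding)
```

Running this against the constructed zone reports old-campaign (CNAME to an App Service name nobody owns any more) and legacy (A record to an IP that is no longer in the inventory); the remediation in both cases is to delete or repoint the record, which is the resource-lock and RBAC concern the sentence above addresses from the other direction.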
Azure DNS overview: https://docs.microsoft.com/azure/dns/dns-overview
Secure Domain Name System (DNS) Deployment Guide: https://csrc.nist.gov/publications/detail/sp/800-81/2/final
Prevent dangling DNS entries and avoid subdomain takeover: https://docs.microsoft.com/azure/security/fundamentals/subdomain-takeover |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application S |
55 |
PA-1 |
Privileged Access |
Customer |
Protect and limit highly privileged users |
Limit the number of highly privileged user accounts, and protect these accounts at an elevated level.
The most critical built-in roles in Azure AD are Global Administrator and the Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment:
- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
- Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.
Note: You may have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. And you may also want to apply similar controls to the administrator account of critical business assets.
You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.
Administrator role permissions in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Use Azure Privileged Identity Management security alerts: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts
Securing privileged access for hybrid and cloud deployments in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure |
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Security C |
56 |
PA-2 |
Privileged Access |
Customer |
Restrict administrative access to business-critical systems |
Isolate access to business-critical systems by restricting which accounts are granted privileged access to the subscriptions and management groups they are in.
Ensure that you also restrict access to the management, identity, and security systems that have administrative access to your business critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets.
All types of access controls should be aligned to your enterprise segmentation strategy to ensure consistent access control.
Assign separate privileged accounts that are distinct from the standard user accounts used for email, browsing, and productivity tasks.
Azure Components and Reference model: https://docs.microsoft.com/security/compass/microsoft-security-compass-introduction#azure-components-and-reference-model-2151
Management Group Access: https://docs.microsoft.com/azure/governance/management-groups/overview#management-group-access
Azure subscription administrators: https://docs.microsoft.com/azure/cost-management-billing/manage/add-change-subscription-administrator |
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-mana |
57 |
PA-3 |
Privileged Access |
Customer |
Review and reconcile user access regularly |
Review user accounts and access assignment regularly to ensure the accounts and their level of access are valid. You can use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management to create an access review report workflow that facilitates the review process.
In addition, Azure Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.
Note: Some Azure services support local users and roles that aren't managed through Azure AD. You must manage these users separately.
Create an access review of Azure resource roles in Privileged Identity Management (PIM): https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review
How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview |
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application |
58 |
PA-4 |
Privileged Access |
Customer |
Set up emergency access in Azure AD |
To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used.
You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them in an emergency.
Manage emergency access accounts in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-emergency-access |
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application |
59 |
PA-5 |
Privileged Access |
Customer |
Automate entitlement management |
Use Azure AD entitlement management features to automate access request workflows, including access assignments, reviews, and expiration. Dual or multi-stage approval is also supported.
What are Azure AD access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
What is Azure AD entitlement management: https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview |
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application |
60 |
PA-6 |
Privileged Access |
Customer |
Use privileged access workstations |
Secured, isolated workstations are critically important for the security of sensitive roles like administrators, developers, and critical service operators. Use highly secured user workstations and/or Azure Bastion for administrative tasks. Use Azure Active Directory, Microsoft Defender Advanced Threat Protection (ATP), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.
Understand privileged access workstations: https://docs.microsoft.com/azure/active-directory/devices/concept-azure-managed-workstation
Deploy a privileged access workstation: https://docs.microsoft.com/azure/active-directory/devices/howto-azure-managed-workstation |
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Operations (SecOps): https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cl |
61 |
PA-7 |
Privileged Access |
Customer |
Follow just enough administration (least privilege principle) |
Azure role-based access control (Azure RBAC) allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically.
Use built-in roles to allocate permissions, and create custom roles only when required.
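Inventorying role assignments is only useful if something then asks the least-privilege questions of the inventory. The following review is an added example written for this page, not code from the Azure Security Benchmark or from Microsoft. The record shape mirrors the principalName, principalType, roleDefinitionName and scope fields that `az role assignment list --all` returns, but every record is constructed, and the set of roles treated as highly privileged, the "broad scope" threshold and the two review rules are assumptions chosen for the example rather than an Azure-defined list.

```python
"""Least-privilege review of Azure RBAC role assignments (PA-7).  Records are
constructed; the privileged-role set and review rules are example assumptions."""
from collections import Counter

# Built-in roles that grant broad write or permission-management rights.
HIGHLY_PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"tenantRoot", "managementGroup", "subscription"}

ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-prod"},
    {"principalName": "sg-platform-ops", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-prod"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-prod"},
    {"principalName": "sp-ci-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-prod/resourceGroups/rg-web"},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/root"},
]


def scope_level(scope: str) -> str:
    """Classify an Azure scope string by how much of the hierarchy it covers."""
    s = scope.lower()
    if s == "/":
        return "tenantRoot"
    if "/managementgroups/" in s:
        return "managementGroup"
    if "/resourcegroups/" in s:
        rest = s.split("/resourcegroups/", 1)[1]
        return "resource" if "/providers/" in rest else "resourceGroup"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "unknown"


def review(assignments):
    """Return (principal, role, scope, finding) tuples for assignments that
    break the two least-privilege rules checked here."""
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        if role not in HIGHLY_PRIVILEGED_ROLES:
            continue
        key = (a["principalName"], role, a["scope"])
        if scope_level(a["scope"]) in BROAD_SCOPES:
            findings.append(key + ("privileged role at broad scope; scope it down or make it PIM-eligible",))
        if a["principalType"] == "User":
            findings.append(key + ("privileged role bound directly to a user; assign through a group",))
    return findings


def privileged_by_scope(assignments) -> dict:
    """Count highly privileged assignments per scope level (quick inventory view)."""
    counts = Counter(scope_level(a["scope"]) for a in assignments
                     if a["roleDefinitionName"] in HIGHLY_PRIVILEGED_ROLES)
    return dict(counts)


if __name__ == "__main__":
    print(privileged_by_scope(ASSIGNMENTS))
    for finding in review(ASSIGNMENTS):
        print(*finding, sep=" | ")
```

The deployment service principal scoped to a single resource group passes both rules, which is the shape the guidance asks for; the two users holding Owner and User Access Administrator at subscription and management-group scope are exactly the assignments that PIM eligibility and periodic access reviews exist to govern.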
What is Azure role-based access control (Azure RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview
How to configure Azure RBAC: https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal
How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview |
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud- |
62 |
PA-8 |
Privileged Access |
Customer |
Choose approval process for Microsoft support |
In support scenarios where Microsoft needs to access customer data, Customer Lockbox provides a capability for you to explicitly review and approve or reject each customer data access request.
Understand Customer Lockbox: https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview |
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud- |
63 |
PV-1 |
Posture and Vulnerability Management |
Customer |
Establish secure configurations for Azure services |
Define security guardrails for infrastructure and DevOps teams by making it easy to securely configure the Azure services they use.
Start your security configuration of Azure services with the service baselines in the Azure Security Benchmark and customize as needed for your organization.
Use Azure Security Center to configure Azure Policy to audit and enforce configurations of your Azure resources.
You can use Azure Blueprints to automate deployment and configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition.
Illustration of guardrails implementation in enterprise-scale landing zone: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture#landing-zone-expanded-definition
Working with security policies in Azure Security Center: https://docs.microsoft.com/azure/security-center/tutorial-security-policy
Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
Azure Blueprints: https://docs.microsoft.com/azure/governance/blueprints/overview |
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructu |
64 |
PV-2 |
Posture and Vulnerability Management |
Customer |
Sustain secure configurations for Azure services |
Use Azure Security Center to monitor your configuration baseline, and use the Azure Policy [deny] and [deploy if not exists] effects to enforce secure configuration across Azure compute resources, including VMs, containers, and others.
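PV-1 and PV-2 both rest on Azure Policy deciding, per resource, whether a deny or a deployIfNotExists effect fires. The following is an added example written for this page, not code from the Azure Security Benchmark or from Microsoft: a small evaluator for the condition language of a policyRule (allOf, anyOf, not, equals, notEquals, in, exists, the only operators used here) applied to two policies written in the real policyRule schema. The resource records are constructed, and the monitoring-extension type and publisher values in the second policy are illustrative. Nothing is deployed; for deployIfNotExists the result only says whether remediation would be triggered.

```python
"""Minimal evaluator for Azure Policy rule conditions, used to classify
constructed resources under a [deny] and a [deployIfNotExists] policy (PV-1/PV-2).
Only the operators appearing in the two policies below are implemented."""


def _field(resource: dict, name: str):
    """Resolve a 'field' reference: a top-level key, tags[x], or a property alias
    such as Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly."""
    if name in ("type", "name", "location", "kind"):
        return resource.get(name)
    if name.startswith("tags[") and name.endswith("]"):
        return resource.get("tags", {}).get(name[5:-1])
    prop = name.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(prop)


def evaluate_condition(cond: dict, resource: dict) -> bool:
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = _field(resource, cond["field"])
    text = "" if value is None else str(value).lower()  # absent field compares as empty
    if "equals" in cond:
        return text == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return text != str(cond["notEquals"]).lower()
    if "in" in cond:
        return text in [str(v).lower() for v in cond["in"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy: dict, resource: dict, related=()) -> str:
    """Classify one resource under a policy.  'related' holds child resources
    (e.g. VM extensions) consulted by a deployIfNotExists existenceCondition."""
    applies = evaluate_condition(policy["if"], resource)
    then = policy["then"]
    effect = then["effect"].lower()
    if effect in ("deny", "audit"):
        # For these effects the 'if' block describes the violating state.
        if not applies:
            return "compliant"
        return "denied" if effect == "deny" else "nonCompliant"
    if effect == "deployifnotexists":
        if not applies:
            return "notApplicable"
        details = then["details"]
        present = any(r.get("type") == details["type"]
                      and evaluate_condition(details["existenceCondition"], r)
                      for r in related)
        return "compliant" if present else "remediate"
    raise ValueError(f"unsupported effect: {effect}")


# Policy 1 (deny): reject storage accounts that still accept plain HTTP.
DENY_HTTP_STORAGE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
         "notEquals": "true"},
    ]},
    "then": {"effect": "deny"},
}

# Policy 2 (deployIfNotExists): every VM must carry the monitoring agent extension.
# Extension type/publisher values are illustrative.
DINE_MONITORING_AGENT = {
    "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    "then": {"effect": "deployIfNotExists", "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {"allOf": [
            {"field": "Microsoft.Compute/virtualMachines/extensions/type",
             "equals": "MicrosoftMonitoringAgent"},
            {"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
             "equals": "Microsoft.EnterpriseCloud.Monitoring"},
        ]},
    }},
}

# Constructed resources.
STORAGE_OK = {"type": "Microsoft.Storage/storageAccounts", "name": "stprod",
              "properties": {"supportsHttpsTrafficOnly": True}}
STORAGE_BAD = {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
               "properties": {"supportsHttpsTrafficOnly": False}}
STORAGE_UNSET = {"type": "Microsoft.Storage/storageAccounts", "name": "stold",
                 "properties": {}}  # property absent: not "true", so still denied
VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "location": "eastus"}
VM_AGENT_EXT = {"type": "Microsoft.Compute/virtualMachines/extensions", "name": "vm1/mma",
                "properties": {"type": "MicrosoftMonitoringAgent",
                               "publisher": "Microsoft.EnterpriseCloud.Monitoring"}}
```

The STORAGE_UNSET case is the one to keep in mind when writing deny policies: a notEquals test on a property that is simply absent evaluates as a violation, which is the safe direction for a guardrail but can surprise teams whose templates omit the property and rely on the service default.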
Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects
Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage |
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructu |
65 |
PV-3 |
Posture and Vulnerability Management |
Customer |
Establish secure configurations for compute resources |
Use Azure Security Center and Azure Policy to establish secure configurations on all compute resources, including VMs, containers, and others. Additionally, you can use custom operating system images or Azure Automation State Configuration to establish the security configuration of the operating system required by your organization.
How to monitor Azure Security Center recommendations: https://docs.microsoft.com/azure/security-center/security-center-recommendations
Security recommendations - a reference guide: https://docs.microsoft.com/azure/security-center/recommendations-reference
Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview
Upload a VHD and use it to create new Windows VMs in Azure: https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed
Create a Linux VM from a custom disk with the Azure CLI: https://docs.microsoft.com/azure/virtual-machines/linux/upload-vhd |
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructu |
66 |
PV-4 |
Posture and Vulnerability Management |
Shared |
Sustain secure configurations for compute resources |
Use Azure Security Center and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements.
Also, note that Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.
Azure Security Center can also scan vulnerabilities in container images and perform continuous monitoring of your Docker configuration in containers, based on the CIS Docker Benchmark. You can use the Azure Security Center recommendations page to view recommendations and remediate issues.
How to implement Azure Security Center vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template
Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview
Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal
Information on how to download template for a VM: https://docs.microsoft.com/azure/virtual-machines/windows/download-template
Sample script to upload a VHD to Azure and create a new VM: https://docs.microsoft.com/azure/virtual-machines/scripts/virtual-machines-windows-powershell-upload-generalized-script
Container security in Azure Security Center: https://docs.microsoft.com/azure/security-center/container-security |
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructu |
67 |
PV-5 |
Posture and Vulnerability Management |
Customer |
Securely store custom operating system and container images |
Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. With an Azure Shared Image Gallery, you can share your images with different users, service principals, or Azure AD groups within your organization. Store container images in Azure Container Registry and use RBAC to ensure that only authorized users have access.
Understand Azure RBAC: https://docs.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles
Understand Azure RBAC for Container Registry: https://docs.microsoft.com/azure/container-registry/container-registry-roles
How to configure Azure RBAC: https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal
Shared Image Gallery overview: https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries |
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructu |
68 |
PV-6 |
Posture and Vulnerability Management |
Customer |
Perform software vulnerability assessments |
Follow recommendations from Azure Security Center for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Azure Security Center has a built-in vulnerability scanner for scanning virtual machines.
Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.
Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you can pivot into the selected scan solution's portal to view historical scan data.
How to implement Azure Security Center vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
Integrated vulnerability scanner for virtual machines: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment
SQL vulnerability assessment: https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment
Exporting Azure Security Center vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results |
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructu |
69 |
PV-7 |
Posture and Vulnerability Management |
Customer |
Rapidly and automatically remediate software vulnerabilities |
Rapidly deploy software updates to remediate software vulnerabilities in operating systems and applications.
Use a common risk scoring program (for example, the Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool, and tailor it to your environment, taking into account which applications present a high security risk and which ones require high uptime.
Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.
For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager.
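Two steps in PV-6 and PV-7 are routinely done by hand and are easy to automate: comparing successive scan exports to confirm remediation, and tailoring a CVSS base score to the environment before deciding how fast to patch. The following is an added example written for this page, not code from the Azure Security Benchmark, from Microsoft or from any scanner vendor. The scan rows, plugin identifiers, asset criticality data, scaling weights and remediation deadlines are all constructed assumptions chosen to illustrate the method, not values from a standard or a tool.

```python
"""Scan diff plus environment-tailored prioritization for PV-6/PV-7.
All findings, asset context, weights and SLA tiers are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin_id: str   # the scanner's identifier for the check (constructed here)
    title: str
    cvss: float      # CVSS base score, 0-10


# Constructed asset context: criticality 1 (low) to 3 (high), internet exposure.
ASSETS = {
    "web-01": {"criticality": 3, "internet_facing": True},
    "app-01": {"criticality": 3, "internet_facing": False},
    "dev-jump": {"criticality": 1, "internet_facing": False},
}

PREVIOUS_SCAN = [
    Finding("web-01", "P-1001", "TLS 1.0 enabled", 5.3),
    Finding("web-01", "P-1002", "Outdated OpenSSL", 9.8),
    Finding("app-01", "P-2001", "Missing OS security update", 7.8),
    Finding("dev-jump", "P-3001", "Weak SSH ciphers", 4.3),
]
CURRENT_SCAN = [
    Finding("web-01", "P-1001", "TLS 1.0 enabled", 5.3),
    Finding("app-01", "P-2001", "Missing OS security update", 7.8),
    Finding("app-01", "P-2002", "Unquoted service path", 7.0),
    Finding("dev-jump", "P-3001", "Weak SSH ciphers", 4.3),
]


def diff_scans(previous, current):
    """Key findings by (asset, plugin_id) so a retitled or rescored finding is
    still recognised as the same issue; report remediated, persisting and new."""
    prev = {(f.asset, f.plugin_id) for f in previous}
    cur = {(f.asset, f.plugin_id) for f in current}
    return {
        "remediated": sorted(prev - cur),
        "persisting": sorted(prev & cur),
        "new": sorted(cur - prev),
    }


def risk_score(f: Finding, assets=ASSETS) -> float:
    """Tailor the CVSS base score: scale by criticality (1->0.67, 2->0.83, 3->1.0)
    and add an exposure bump for internet-facing assets; capped at 10."""
    ctx = assets.get(f.asset, {"criticality": 2, "internet_facing": False})
    score = f.cvss * (0.5 + ctx["criticality"] / 6)
    if ctx["internet_facing"]:
        score += 1.0
    return round(min(score, 10.0), 1)


def remediation_deadline_days(score: float) -> int:
    """Assumed SLA tiers for the example; an organisation sets its own."""
    if score >= 9.0:
        return 7
    if score >= 7.0:
        return 30
    if score >= 4.0:
        return 90
    return 180


def prioritize(findings, assets=ASSETS):
    """Return (tailored_score, deadline_days, finding) rows, highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f, assets)
        rows.append((score, remediation_deadline_days(score), f))
    return sorted(rows, key=lambda r: -r[0])


if __name__ == "__main__":
    print(diff_scans(PREVIOUS_SCAN, CURRENT_SCAN))
    for score, days, f in prioritize(CURRENT_SCAN):
        print(f"{score:4.1f}  {days:3d}d  {f.asset:8s} {f.plugin_id} {f.title}")
```

The comparison keys on (asset, plugin_id) rather than on the title or score, because scanner vendors rename checks and CVSS scores get revised; a diff keyed on the text would report a persisting issue as remediated plus new. The tailoring keeps the CVSS base score as the starting point, as the guidance suggests, and only adjusts it by facts the organization knows about its own assets.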
How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/automation-update-management
Manage updates and patches for your Azure VMs: https://docs.microsoft.com/azure/automation/automation-tutorial-update-management |
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructu |
70 |
PV-8 |
Posture and Vulnerability Management |
Shared |
Conduct regular attack simulation |
As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings.
Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Refer to Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Penetration testing in Azure: https://docs.microsoft.com/azure/security/fundamentals/pen-testing
Penetration Testing Rules of Engagement: https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1
Microsoft Cloud Red Teaming: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e |
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructu |