N

Azure Security Compass

Cybersecurity Solutions Group

https://aka.ms/AzureSecurityCompass Version 1.1 – September 2019

Microsoft Azure Security Compass Workshop
TYPICAL SCHEDULE TYPICAL STAKEHOLDERS
Executive Summary + Your goals and strategy
Leadership Kickoff and Closeout
Chief Information Security Officer (CISO), Others as needed
Azure Security Basics
OPTIONAL PARTICIPATION

Best Practices &

Design Decisions
Architecture & Technical Team Stakeholders
Azure Security Center Security Architect(s), Cloud Architects/Engineers, Server
Demo (Optional) Architect(s)/Engineer(s), Network Security Engineer,
Endpoint Engineer, Endpoint Security Engineer, Risk and
Compliance Team(s), Governance Teams, Operations
Planning Next Steps Teams, and Business Stakeholders

WORKSHOP OBJECTIVE:
Learn how to securely operate your workloads on Azure
N

Azure Security Compass - Purpose

Designed to rapidly increase your Azure security posture

Make
Make the
the right
right security
security decisions
decisions with
with best
best practices,
practices, choices
choices and
and context/recommendations
context/recommendations

Increase
Increase familiarity
familiarity with
with Azure
Azure Platform
Platform Security
Security and
and Azure
Azure Security
Security Center
Center

•• Mix
Mix of
of old
old && new
new -- Bring
Bring your
your experience
experience and
and knowledge,
knowledge, but
but expect
expect changes
changes
Tips You
•• You can’t
can’t learn
learn everything
everything -- Cloud
Cloud capabilities
capabilities evolve
evolve too
too fast
fast to
to master
master them
them all,
all, prioritization
prioritization is
is critical
critical
Guidance Structure
Actionable and Prioritized
CRITICAL GENERAL

This
This meets
meets one
one or or more
more of
of criteria
criteria for:
for: Valid
Valid and
and valuable
valuable
1. security
security best
best practices
practices
1. On-premises
On-premises parityparity -- Required
Required to to Best practices
meet and
and recommendations
recommendations
meet equivalent
equivalent security
security posture
posture of of
aa (typical) Microsoft recommends that
that are important,
are important, but
but
(typical) on-premises
on-premises environment
environment
a single approach shouldn’t
shouldn’t slow
slow down
down
2.
2. Hard
Hard toto change
change -- Difficult
Difficult or
or most
most organizations
organizations
expensive
expensive to to change
change later
later from
from adopting
adopting
3.
3. High
High risk
risk -- Required
Required to to mitigate
mitigate the
the cloud
cloud
attack
attack patterns
patterns that
that incur
incur high
high
impact/likelihood
impact/likelihood of of business
business risk
risk Choices
Microsoft recommends
(one or more of) several
Primary focus of guidance possible approaches

Get you quickly to the security

benefits of Azure platform

Note: These represent Microsoft’s default opinion based on our experience and knowledge. Your organization may
prioritize risk and mitigations differently based on your unique business needs, business risks, or other factors.
 Executive Summary
TRACKING
TRACKING SPREADSHEET
SPREADSHEET
OVERALL
OVERALL GUIDANCE
GUIDANCE
Critical General

Governance, Risk, and

16 10
Compliance

Administration 12 2

Network Security &

12 6
Containment

Information Protection
3 0
& Storage

Identity & Access

5 4
Management

Security Operations 4 4

Total 42 26
 COMPLIANT ≠ SECURE
PLIANT = Meets a specific standard at point in time (e.g. not negligent)
RE = Lowers business risk to acceptable level by disrupting attacker return
on investment (ROI)

SECURE

LEVEL OF
ACCEPTABLE RISK

COMPLIANT
Whiteboard – Your Journey and Goals

Current
Current Cloud
Cloud &
& Azure
Azure Usage
Usage Geographic
Geographic Presence
Presence Goals
Goals and
and Plans
Plans
•• Which
Whichworkloads
workloads//business
businesspurpose?
purpose?
where
whereyou
youoperate
operate for
forAzure
Azureusage
usage
•• SaaS?
SaaS?IaaS?
IaaS?PaaS?
PaaS?

Security
Security Focus
Focus Areas
Areas –– Compliance
Compliance
What
Whatdo
doyou
youwant
wantto
tofocus
focuson?
on? &
&regulatory
regulatoryrequirements
requirements
Azure Security Compass
BASICS SECURITY GUIDANCE

CO MPON EN T S AZ UR E S ECU RI T Y
& M OD ELS CE NT ER (ASC )
TRANSFORMING TOOLS,
SKILLS, & PRACTICES

STRATEGIES &
THREATS EVOLVE

G O V E R N A N CE , R I S K , SECURITY IDENTITY
& CO MP LI A N CE OPERATIONS
AZURE REGIONS
& SERVICES

NETWORK A D MI N I S T R A T I O N I N FO P R O T E CT I O N
MICROSOFT SECURITY C O N T A I N ME N T & STORAGE
PRACTICES
 Ransomware:

Attack services are inexpensive $66 upfront

Or
30% of the profit (affiliate model)

ATTACKS AGAINST
0days price range ATTACKS AGAINST THE PC
THE EMPLOYEES AND CUSTOMERS
varies from $5,000
to $350,000

Loads (compromised device)

average price ranges Spearphishing services
• PC - $0.13 to $0.89 range from $100 to
• Mobile - from $0.82 to $2.78 $1,000 per successful
account take over

Denial of Service
(DOS) average prices
day: $102.05
week: $327.00 Compromised accounts
month: $766.67 As low as $150 for 400M.
SERVICES AIDING
Averages $0.97 per 1k.
Proxy services to evade IP THE “CASH OUT”
geolocation prices vary ATTACKER
As low as $100 per week INFRASTRUCTURE
for 100,000 proxies.
COLLECTIVE KNOWLEDGE
 M AI N

Transforming from Legacy to Cloud M EN U

Evolving architecture, tools, skills, & practices Risk

Patching Sandboxing
Scanning Segmentation
Encryption Secure Development Lifecycle
Forensics Threat Protection
Logging & Analytics Orchestration & Automation SIEM
WAFs Vulnerability Management Firewalls TLS

Architectures
Architectures change,
change, but
but principles
principles &
& outcomes
outcomes remain
remain the
the same
same Information Protection Threat Intelligence

Roles,
Roles, responsibilities,
responsibilities, and
and skillsets
skillsets will
will evolve
evolve

Same Changed New

Controls,
Controls, tools,
tools, and
and processes
processes will
will evolve
evolve

Note:
Note: Legacy
Legacy ‘technical
‘technical debt’
debt’ persists
persists with
with legacy
legacy workloads/applications
workloads/applications in
in IaaS
IaaS
 Your enterprise in transformation
Requires a modern identity and access security perimeter
Cloud Technology

SaaS adoption

Modern Enterprise Perimeter

Infrastructure as a Service Platform as a Service

Internet of Things 1st class mobile experience

ENGAGE EMPOWER OPTIMIZE TRANSFORM

YOUR CUSTOMERS YOUR EMPLOYEES YOUR OPERATIONS YOUR PRODUCTS
Running Dual Perimeters

ATTACKERS
ATTACKERSUSING
USINGIDENTITY
IDENTITYTACTICS
TACTICS
SECURING
SECURINGMODERN
MODERNSCENARIOS
SCENARIOS(CLOUD,
(CLOUD,MOBILE,
MOBILE,IOT)
IOT)

MODERN PERIMETER
(Identity Controls)

CLASSIC PERIMETER
(Network Controls)
Evolution of Roles and Responsibilities
Modern
MODERNArchitectures
PERIMETER
(Identity Controls)
& Operating Models
CLASSIC PERIMETER
Legacy Architectures
(Network Controls)
& Operating Models

“STOP THE PRESSES!” CONTINUOUS VALIDATION

Security roles will change with architectural/operational models

Manual Resource Administration Administration

Administration Author & Govern Automation

Containment at all layers

Containment with Network Network
NetworkContainment
Containment (Net, App, Identity, Data, etc.)

Quality Check Before Release Development

Development Security SME in DevOps process

Project based Engagement Architecture

Architecture Continuous Engagement & Improvement
Common cloud adoption strategy
Future
No
1 Prefer SaaS Investment

Take advantage of productivity workloads

provided in the cloud Yes

2 New Development to PaaS Saas offering

No
available
New development and modern applications
move to PaaS.
Yes
New applications optimized for cloud
computing.
Saas Evaluation Passes PaaS Passes IaaS No
Build No
3
(Build/buy decision) Evaluation
Existing workloads  IaaS Evaluation
Existing applications move to IaaS using a ‘lift Buy Yes Yes
and shift’ strategy

3a  Convert to PaaS
Plan to refactor applications
into PaaS
SaaS PaaS IaaS Private Cloud
Hotel room Furnished apartment Rental apartment Private House
Shared Responsibility and Key Strategies M AI N
M E NU

On-
Responsibility SaaS PaaS IaaS prem

Information and Data

Devices (Mobile and PCs) ESTABLISH A MODERN PERIMETER

Accounts and Identities

Identity and directory infrastructure

Applications

Network Controls
MODERNIZE INFRASTRUCTURE SECURITY
Operating system

Physical hosts

Physical network
“TRUST BUT VERIFY” EACH CLOUD PROVIDER
Physical datacenter

Microsoft Customer
IaaS and PaaS Application Models
Standalone Applications or Components of Larger Solutions

Legacy Transition New

IaaS Applications IaaS+ Applications PaaS Applications
Typically lift/shift workloads Refactoring has begun! Typically New Development

Application
Application Code
Code –– Typically
Typically light
light code
code
Application
Application Code
Code -- Can
Can be
be heavy
heavy (includes
(includes all
all dependencies)
dependencies) or
or lighter
lighter hosted
hosted on
on App
App Service
Service Web
Web Apps
Apps

Azure
Azure Services
Services –– App
App functions
functions provided
provided
Virtual
Virtual Machines
Machines –– App
App functions
functions hosted
hosted on
on full
full Operating
Operating System
System +
+ Middleware
Middleware by
by Azure
Azure Services
Services
(Security
(Security profile
profile is
is similar
similar to
to SaaS)
SaaS)

Other
Other Components
Components –– Services/databases
Services/databases on-premises
on-premises or
or on
on aa 33rdrd party
party cloud,
cloud, IoT
IoT devices,
devices, etc.
etc.

Shared
Shared Elements
Elements (Storage,
(Storage, Identity,
Identity, Network)
Network)
 M AI N

Security Responsibilities Transfer to Cloud MENU

Responsibility PaaS IaaS

Transferred for PaaS
Information and Data Security Patches
Feature Upgrades
Devices (Mobile and PCs)
VMs/Containers security –
Accounts and Identities OS and Middleware Installation,
Maintenance, troubleshooting, etc.
Identity and directory infrastructure
Azure Marketplace
fits PaaS or IaaS model
Application

Network controls

Operating system
Transferred for IaaS and PaaS
Denial of Service*
Physical hosts
Attacks on
Racking/Stacking Servers,
Delays in Adding Capacity • Physical Attacks
Physical network
Fabric/Virtualization Patching, • Virtualization Fabric
Physical datacenter Maintenance & Troubleshooting • Hardware/Firmware
Fabric Availability / Uptime • Network Infrastructure
Microsoft Customer  SLA from Microsoft
 M AI N

Azure Threats – Mix of Old & New… MENU

PaaS IaaS
EXISTING TECHNIQUES (AT COMPARABLE LEVELS)
EXPLOIT/ENTER TRAVERSAL MONETIZATION
CREDENTIAL THEFT &
SOCIAL ENGINEERING RANSOMWARE
ABUSE (HASHES, SSH…)

PHISHING SCAN & EXPLOIT TARGETED DATA THEFT

GEO-FILTERING EVASION COMMODITY

WITH PROXY BOTNET/DDOS/ETC

New Techniques ( ) or Very High Usage ( )

ACQUIRE TENANT PIVOT TO ON CRYPTOMINERS –
KEYS FROM PREMISES FROM (WEBSERVERS,
GITHUB/ETC CLOUD VISITORS)

RDP/SSH
PASSWORD SPRAY
& BRUTE FORCE
Azure

54 Azure
regions 100K+
& subsea
cable
150+
Miles of fiber Edge
sites 200+
ExpressRoute
partners
Microsoft protecting Microsoft
Hardening (Physical, OS
Continual Scanning
App/Data, etc.)
Penetration Testing
Whitelisting Red Team Ops
Auto-Patching Bug Bounties
and more… One Hunt

Traditional
Traditional Attackers
AttackersView
View
Defenses
Defenses Corporate Infrastructure Cloud
CloudInfrastructure
Infrastructure

Automated Assessments Continuous Logging

People Least Privilege
Secure DevOps toolkit & Monitoring
Background Checks Least Privilege Access and more…
Security Training Just-in-time Access Incident Response
Conferences and more… CDOC (24x7 SOC)
Security
Security Monitoring &
Authentication Privileged Access Workstations Development
Development Vigilance
Multi-factor Auth Secure Access Workstations Lifecycle
Lifecycle
Anomaly Detection isolation from web/email risks

Rigorous Security
For Privileged Access
The Microsoft Intelligent Security Graph
+1B Windows
devices updated
Extensive machine learning to: & scanned
• Reduce manual effort
• Reduce wasted effort 450B monthly
on false positives authentications
• Speed up detection

18+ billion
web pages scanned

400B e-mails
930M threats detected analyzed
on devices every month

Unparalleled cybersecurity visibility and insight

Inside The Intelligent Security Graph

Office 365 Microsoft Azure Bing Products instrumented to strict

Windows Malicious Software
Defender AV Removal Tool privacy/compliance standards
Sample Dark Threat Sinkholes and Detonation Services IR
PRODUCT AND SERVICE TELEMETRY
zoos markets feeds honeypots and sandboxes intelligence See Microsoft Trust Center
[ Privacy/Compliance boundary ]

Analytics help fuel

DATA
DATA COLLECTION
COLLECTION AND
AND ANALYSIS
ANALYSIS new discoveries
Products send data to graph
Collection and
Normalization
Analytics
(Machine Learning,
detonation, behavior)
{} Publish to
Internal APIs
Products use Interflow APIs
to access results

Products generate data which

Azure Security
Azure Active
Directory Windows Defender Office 365 feeds back into the graph
Center (ASC) Identity Azure Advanced Threat Advanced Threat Microsoft
Protection Advanced Protection (ATP) Protection (ATP) Cloud
Operations Threat Application
Hunters Hunters identify attacks,
Management Protection Exchange Online Security
Suite (OMS)
Microsoft
Accounts
(ATP) Defender Protection (EOP) (MCAS) improve analytics, feed
Anti-malware back into product design
Technical Details on Azure internal architecture
Most
Most current
current information
information in
in documentation
documentation
https://docs.microsoft.com/en-us/azure/security/azure-secu
https://docs.microsoft.com/en-us/azure/security/azure-secu
rity-infrastructure
rity-infrastructure
33rdrd party
party validated
validated information
information in
in Service
ServiceTrust
TrustPortal
Portal(STP)
(STP)--
https://servicetrust.microsoft.com/
https://servicetrust.microsoft.com/ --Requires
RequiresNDA
NDA

Most
Most frequently
frequently requested
requested information
information is:
is:
•• Azure
Azure&&Azure
AzureGovernment
GovernmentSOC
SOC22Type
Type22Report
Report(in
(inSTP)
STP)
•• Azure
Azure--FedRAMP
FedRAMPModerate
ModerateSystem
SystemSecurity
SecurityPlan
Plan(in
(inSTP)
STP)
•• Cloud
CloudSecurity
SecurityAlliance
Alliance(CSA)
(CSA)STAR
STARSelf-Assessment 
Self-Assessment 
https://www.microsoft.com/en-us/trustcenter/compliance/csa-sel
https://www.microsoft.com/en-us/trustcenter/compliance/csa-sel
f-assessment 
f-assessment 
•• CIS
CISBenchmark
Benchmark--
https://azure.microsoft.com/en-us/resources/cis-microsoft-azure-
https://azure.microsoft.com/en-us/resources/cis-microsoft-azure-
foundations-security-benchmark/
foundations-security-benchmark/

Azure
Azurefor
forAWS
AWSProfessionals
Professionals
•• https://docs.microsoft.com/en-us/azure/architecture/aws-professional
https://docs.microsoft.com/en-us/azure/architecture/aws-professional
Azure compliance coverage extends across most
industries and geographies
 CSA STAR Attestation  ISO 22301  ISO 27018
Global
 CSA STAR Certification  ISO 27001  SOC 1 Type 2
 CSA STAR Self-Assessment  ISO 27017  SOC 2 Type 2

U.S.  CJIS  FedRAMP  ITAR

Government  DoD DISA SRG Level 2  FIPS 140-2  Moderate JAB P-ATO
 DoD DISA SRG Level 4  High JAB P-ATO  Section 508 VPAT
 DoD DISA SRG Level 5  IRS 1075  SP 800-171

Industry  CDSA  FISC Japan  IG Toolkit UK

 FACT UK  GLBA  MARS-E
 FERPA  GxP 21 CFR Part 11  MPAA
 FFIEC  HIPAA / HITECH  PCI DSS Level 1
 HITRUST  Shared Assessments

Regional  Argentina PDPA  ENISA IAF  Japan My Number Act

 Australia IRAP/CCSL  EU Model Clauses  New Zealand GCIO
 Canada Privacy Laws  EU-US Privacy Shield  Singapore MTCS
 China DJCP  Germany IT Grundschutz  Spain DPA
 China GB 18030  India MeitY  Spain ENS
 China TRUCS  Japan CS Mark Gold  UK G-Cloud
Security Operations Center (SOC) Software as a Service
Cybersecurity Reference Architecture
Microsoft Threat Experts Incident Response, Recovery, & CyberOps Services
April 2019 – https://aka.ms/MCRA | Video Recording | Strategies
Office 365
Azure Sentinel – Cloud Native SIEM and SOAR (Preview) Secure Score

Vuln Cloud App Azure Microsoft Office 365 Azure Customer Lockbox
Security This is interactive! Roadmaps and Guidance
Mgmt Security Center Defender

Advanced Threat Protection (ATP) 1. Present Slide 1. Securing Privileged Access

Dynamics 365
MSSP
2. Hover for Description
2. Office 365 Security
Identity & Access
Graph Security API – 3rd Party Integration 3. Click for more information
3. Rapid Cyberattacks ( Information Azure Active
Wannacrypt/Petya) Protection Directory
Alert & Log Integration

Conditional Access – Identity Perimeter Management

Clients Hybrid Cloud Infrastructure
Cloud App Security Azure AD Identity
Unmanaged & On Premises Datacenter(s) 3rd party IaaS Microsoft Protection
Mobile Devices Azure Information Leaked cred protection
Azure Protection (AIP) Behavioral Analytics
Azure Security Center – Cross Platform Visibility, Protection, and Threat Detection Configuration Hygiene

Classification Labels
Discover
Just in Time VM Access Classify Azure AD PIM
Azure Security Adaptive App Control Protect
NGFW Multi-Factor
Extranet

Intune MDM/MAM Firewall Appliances Monitor Authentication

Edge DLP Hold Your Own Key (HYOK)
Azure Policy Azure AD B2B
Managed Clients SSL Proxy
AIP Scanner Azure AD B2C
IPS/IDS Azure Key Vault
Express Route Azure WAF Hello for Business
System Center Windows Server 2019 Security Azure Antimalware Office 365 MIM PAM
Configuration Manager
Window 10 + Just Enough Admin, Hyper-V Containers, Nano server, and more… • Data Loss Protection
Application & Network • Data Governance
Intranet
Servers

Microsoft Defender ATP Security Groups Azure ATP

Shielded VMs • eDiscovery
VMs
Backup & Site
Azure Stack
Recovery Azure SQL Active Directory
Secure Threat Threat Detection
Privileged Access Workstations (PAWs) Disk & Storage
Score Analytics SQL Encryption & ESAE Admin Forest
Encryption
Data Masking
Confidential
Windows 10 Enterprise Security Included Azure SQL Info
IoT and Operational Technology Computing
with Azure Protection
Network protection App control (VMs/etc.) DDoS attack
Credential protection Isolation
Windows 10 IoT IoT Security Maturity Model Premium Mitigation+Monitor Microsoft Defender ATP
Exploit protection Antivirus
Reputation analysis Behavior monitoring Security
Full Disk Encryption Azure IoT Security Azure Sphere IoT Security Architecture Feature
Attack surface Compliance Manager
reduction
S Mode
Security Development Lifecycle (SDL)
Trust Center Intelligent Security Graph
Azure Security Reference Model
Governance, Risk, & Compliance

Administration

Security operations

Virtual Application Code (Security Development Lifecycle)

On prem & Machines
other cloud
workloads Infrastructure App Service - Logic Event Machine IoT
Azure SQL Containers
as a Service (IaaS) Web Apps Apps Hubs Learning services

Identity & Access Management

Network Security & Containment

Storage & Information Protection

Azure Foundation Security

Example - Securing Privileged Access is a team sport
Mitigating some risks requires action across multiple disciplines

Administration
Administration
Day
Day to
to day
day use
use of
of privileged
privileged access
access accounts
accounts

Security
Security Operations
Operations
Monitor
Monitor for
for anomalies
anomalies to
to “normal”
“normal” admin
admin operations
operations

Governance
Governance (&
(& Architecture)
Architecture)
Standard
Standard Setting
Setting and
and Structure
Structure
Ongoing
Ongoing refinement
refinement and
and improvement
improvement to
to reduce
reduce potential
potential risks
risks
Reference Design - Azure Administration Model
Azure Enrollment Enterprise Tenant

Azure AD Enterprise Directory & B2B

Identity (Optional) Additional Directories and/or B2B/B2C

Management Root Management Group (Group of Subscriptions) – Enterprise-wide Policies, Permissions, & Tags
Groups Additional Segment(s)
Segmentation Strategy Core Services
Shared Services Multi-App Single App
(& Edge Security) Segment(s) Segment(s) Development Stage Segments

Core Services Segment 1 Segment 2 Segment 3 Segment 4 Segment 5

Subscriptions Core Services Segment 1 Segment 2 Segment 3 Segment 4 Segment 5

Resource
Groups &
Resources

Virtual Primary Primary PaaS Apps

Application(s) Application(s)
Intranet Extranet Dev Test Prod
Networks Dev
Dev Test Prod Dev  Test  Prod
DevTest
Test Prod
Prod
Understanding Azure Roles and RBAC
Azure Active Directory Tenant
Active Directory
Global Administrator (Use sparingly)
Azure
AzureADADisis
typically
typicallysynched
synched
with
withon
onprem
premADAD Enterprise Groups and Users
(though
(thoughAdmin
Admin
accounts
accountsshould
should
be
beseparate)
separate) Built-in
roles
Intune Office 365 Azure Tenant
Privileged Role (Enrollment)
Exchange Admin Root management
Administrator group
App admin Message Center
Reader
Billing admin
… Management group
Password Admin
…
Azure RBAC roles
Owner
Contributor Account
Other Apps Intune Office 365 Reader admin
Subscriptions
Other Built-in Roles
…
Resource group

Service
Notes
Notes Resource admin

•• Azure
Azure AD
AD resides
resides in
in an
an Azure
Azure Subscription
Subscription
•• Global
Global Admin
Admin cancan self-assign
self-assign permission
permission to
to manage
manage Azure
Azure
•• Service
Service &
& Account
Account Admins
Admins are
are assigned
assigned on
on each
each subscription
subscription
Azure Security Documentation
https://aka.ms/MyASIS

Azure
Azure Security
Security
Documentation
Documentation SiteSite has
has
extensive
extensive information
information on
on
security
security topics
topics
 N

Governance, Risk, & Compliance

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/governance
Governance, Risk, and Compliance (GRC)

Key
Key Capabilities
Capabilities Azure Governance Site has extensive
•• Azure documentation to help with risk management
AzureSecurity
SecurityCenter
Center––Identify
Identify&
&prioritize
prioritizesecurity
security
hygiene https://docs.microsoft.com/en-us/azure/governance/
hygieneissues
issues(Secure
(SecureScore),
Score),provide
provide
recommendations
recommendationsfor formeeting
meetingcompliance
compliancewith
with CIS,
CIS,
PCI,
PCI,SOC
SOCand
andISO
ISO
•• Management
ManagementGroups
Groups ––Consistent
Consistentmanagement
management
across subscriptions and resources.
across subscriptions and resources.
•• Azure
AzurePolicy
Policy––Audits
Auditsand
andenforce
enforcepolicy
policyacross
acrossall
all
Azure
AzureResources
Resources(or
(oraasubset).
subset).
•• Azure
AzureBlueprints
Blueprints––Creates
Createsconsistent,
consistent,repeatable
repeatable
environments
environments including resources, policies,role
including resources, policies, role
assignments,
assignments,and
andmore.
more.
GRC – Managed Tenants & Subscriptions
CRITICAL BEST PRACTICES

MANAGE
MANAGECONNECTED
CONNECTEDTENANTS
TENANTS
•• What
What––Ensure
Ensuresecurity
securityorganization(s)
organization(s)
has visibility into all subscriptions
has visibility into all subscriptions
connected
connectedto toyour
yourenterprise
enterprise
environment
environment (via ExpressRouteor
(via ExpressRoute or
Site-Site
Site-SiteVPN)
VPN)
Managed Unmanaged Independent
•• Why
Why––Visibility
Visibilityisisrequired
requiredto
toassess
assess
risk & Connected & Connected Un/Managed
riskand
andto
toidentify
identifywhether
whetherthethe tr tr
policies
policies of the organization andany
of the organization and any Ideal configuration is tr
This high-risk tr can be
This “lab” model
regulatory
regulatoryrequirements
requirementsare arebeing
being for subscriptions to be configuration has useful for learning
followed.
followed. centrally controlled unmanaged Azure and testing, but
and managed environments connected ensure to appropriately
•• How
How––Ensure
Ensureall allAzure
Azureenvironments
environments
that connect to your production to corporate protect any production
that connect to your production network/resources data or code in it
environment/network
environment/networkapply apply
governance controls.
governance controls.
See
Seehttp://aka.ms/magicbutton
http://aka.ms/magicbutton
on
onhow
howtotodiscover
discoverexisting
existing
connected subscriptions
connected subscriptions
GRC – Key Responsible Parties
CRITICAL BEST PRACTICES

Network Security Typically existing network security team

CLEAR
CLEARLINES
LINESOF
OFRESPONSIBILITY
RESPONSIBILITY Configuration and maintenance of Azure Firewall, Network Virtual
Appliances (and associated routing), WAFs, NSGs, ASGs, etc.
•• What
What––Designate
Designatethe theparties
parties
responsible
responsible for specificfunctions
for specific functions Network Management Typically existing network operations team
in Azure
in Azure Enterprise-wide virtual network and subnet allocation
•• Why
Why––Consistency
Consistencyhelps helpsavoid
avoid Server Endpoint Typically IT operations, security, or jointly
confusion
confusion that can lead tohuman
that can lead to human Security Monitor and remediate server security (patching, configuration, endpoint
and
and automation errors thatcreate
automation errors that create security, etc.)
security risk.
security risk. Incident Monitoring Typically security operations team
•• How
How––Designate
Designategroups
groups and Response Investigate and remediate security incidents in SIEM or source console:
(or Azure Security Center
(or individual roles)that
individual roles) thatwill
•
will
be responsible for key • Azure AD Identity Protection
be responsible for key
centralized
centralizedfunctions
functions Policy Management Typically GRC team + Architecture
Most Set direction for use of Roles Based Access Control (RBAC), Azure Security
Mostorganizations
organizationsmap
mapthese
theseclosely
closelyto
to
current on premises models.
current on premises models. Center, Administrator protection strategy, and Azure Policy to govern
Azure resources
Identity Security and Typically Security Team + Identity Team Jointly
Standards Set direction for Azure AD directories, PIM/PAM usage, MFA,
Tip Document
Document and
with all
and Socialize
teams
Socialize this
working on
this widely
widely
Azure
with all teams working on Azure
password/synchronization configuration, Application Identity Standards
GRC – Segmentation BEST PRACTICE CHOICE

CRITICAL CHOICE

SEGMENTATION
SEGMENTATIONSTRATEGY
STRATEGY
•• What
What––Identify
Identifysecurity
securitysegments
segmentsthat thatare
areneeded
needed
for your organization to contain
for your organization to contain risk risk
•• Why AAGOOD
GOODSEGMENTATION
SEGMENTATIONSTRATEGY:
Why––AAclear
clearand
andsimple
simplesegmentation
segmentationstrategy
strategy STRATEGY:
enables
enables stakeholders (IT, Security, BusinessUnits)
stakeholders (IT, Security, Business Units)can
can
understand and support it. This clarity reduces the 1.
1.Enables
EnablesOperations
Operations––Minimizes
Minimizesoperation
operationfriction
frictionby
byaligning
aligningto
to
understand and support it. This clarity reduces the
risk business practices and applications
riskof
ofhuman
humanerrors
errorsand
andautomation
automationfailures
failuresthat
that business practices and applications
can
canlead
leadtotosecurity
securityvulnerabilities,
vulnerabilities,operational
operational 2.
2.Contains
ContainsRisk Risk--Adds
Addscost
costand
andfriction
frictionto
toattackers
attackersby
by
downtime, or both
downtime, or both
oo Isolating
Isolatingsensitive
sensitiveworkloads
workloadsfrom
fromcompromise
compromiseof ofother
otherassets
assets
•• How
How––Select
Selectthe
thesegmentation
segmentationapproaches
approachesfrom from
the oo Isolating
Isolatinghigh
highexposure
exposuresystems
systemsfrom
frombeing
beingused
usedasasaapivot
pivotto
thereference
referencedesign
designandandassign
assignpermissions
permissionsand and to
network controls as appropriate.
network controls as appropriate. other systems
other systems
3.
3.IsIsMonitored
Monitored––Security
SecurityOperations
Operationsshould
shouldmonitor
monitorfor
forpotential
potential
violations of the integrity of the segments (account
violations of the integrity of the segments (account usage,usage,
unexpected
unexpectedtraffic,
traffic,etc.)
etc.)
Minimize
Minimize Complexity
Complexity -- Always
Always consider
consider whether
whether aa

Tip segment is needed

provides enough
or
enough risk
whether
risk mitigation
mitigation
security monitoring
segment is needed or whether security monitoring
provides
(each
(each segments
segments adds
adds friction
friction and
and overhead
overhead))
GRC – Management Groups Azure Administration Model
Management Groups

CRITICAL BEST PRACTICES

ROOT
ROOTMANAGEMENT
MANAGEMENTGROUP
GROUP TOP
TOPLEVEL
LEVELMANAGEMENT
MANAGEMENTGROUPS
GROUPS MANAGEMENT
MANAGEMENTGROUP
GROUPDEPTH
DEPTH
•• What
What––UseUsethe
theRoot
RootManagement
Management •• What
What–Align
–Aligntop
toplevel
levelof
of •• What
What––LimitLimitmanagement
managementgroup group
Group (MG) for enterprise
Group (MG) for enterprise management
management groups (MGs)with
groups (MGs) with depth
depth
consistency
consistency segmentation strategy
segmentation strategy •• Why
Why––Too Toomuchmuchcomplexity
complexitycreates
creates
•• Why
Why––This
Thisenables
enablesyouyouto toapply •• Why confusion that impedes both
apply Why––This
Thisprovides
providesaapoint
pointfor
for confusion that impedes both
governance elements like policies control operations
operationsand andsecurity.
security.This
Thiswas
governance elements like policies controland
andpolicy
policyconsistency
consistencywithin
within was
and
andtags
tagsconsistently
consistentlyacross
acrossmultiple
multiple each segment as this management illustrated by overly complex
illustrated by overly complex
each segment as this management
subscriptions.
subscriptions. group
groupwill
willaffect
affectall
allsubscriptions
subscriptionsininitit Organizational
OrganizationalUnit Unit(OU)
(OU)and andGroup
Group
•• How Policy Objects (GPO) designs
Policy Objects (GPO) designs for for
How––Assign
Assignenterprise-wide
enterprise-wide •• How
How––Create
Createaasingle
singleMG
MGfor
foreach
each Active
elements
elements that applyto
that apply toallallAzure segment ActiveDirectory
Directory
Azure segment under the root MG anddo
under the root MG and do
assets
assetssuch
suchas:
as: not create any other MGs under •• How
How––LimitLimitto to22levels
levelsififpossible
possible
not create any other MGs under
 Policy the
theroot.
root.See
Seereference and
and 3 only if needed. (e.g.finance
3 only if needed. (e.g. finance
Policy(Azure
(AzurePolicy)
Policy) reference
department
 Resource administration
administrationmodel
modelfor
formore
more department has a segmentwith
has a segment withboth
both
ResourceTags
Tags extremely sensitive applications and
 Sovereignty details.
details. extremely sensitive applications and
SovereigntyPolicy
Policyfor
forData/Services
Data/Services others
othersthat
thataren’t)
aren’t)
See Using
Usingall all44levels
levelsof ofdepth
depth(including
Seenext
nextslide
slidefor
for“Root
“RootMG
MGUsage”
Usage” (including
guidance and MG documentation root) is not recommended
root) is not recommended unless unless
guidance and MG documentation
absolutely
absolutelyrequired.
required.
GRC – Root MG Usage BEST PRACTICE CHOICE

CRITICAL BEST PRACTICES

USE
USEOF
OFROOT
ROOTMANAGEMENT
MANAGEMENTGROUP
GROUP(MG)
(MG) PLAN
PLAN&&TEST
TESTROOT
ROOTMG
MGCHANGES
CHANGES
•• What
What––Carefully
Carefullyselect
selectwhat
whatitems
itemsto
toapply
applytotothe
theentire
entire •• What
What––Carefully
Carefullyplan
planand
andtest
testall
allenterprise-
enterprise-
enterprise with the root management group.
enterprise with the root management group. wide
wide changes on the root managementgroup
changes on the root management group
•• How before applying
before applying
How––Ensure
Ensureroot
rootMG
MGelements
elementshave
haveaaclear
clearrequirement
requirementto
to
be applied across every resource and/or low impact
be applied across every resource and/or low impact •• How
How––Test
Testall
allchanges
changestotoRoot
RootMGMGin ina:a:
Good
Goodcandidates
candidatesinclude
include •• Test
TestLab
Lab--Representative
Representativelab
labtenant
tenant
 Regulatory or lab segment in production tenant
or lab segment in production tenant
Regulatoryrequirements
requirementswith withclear
clearbusiness
businessrisk/impact
risk/impact
(e.g. •• Production
ProductionPilot
Pilot--Segment
SegmentMGMGor
(e.g.restrictions
restrictionsrelated
relatedto
todata
datasovereignty)
sovereignty) or
Designated
Designated subset in subscription(s)//MG
subset in subscription(s) MG
 Near-zero
Near-zeropotential
potentialnegative
negativeimpact
impactononoperations
operationssuch
such
as policy with audit effect, Tag assignment, RBAC Testing
Testingshould
shouldinclude
includemanual
manualchanges,
changes,
as policy with audit effect, Tag assignment, RBAC
permissions scripted
scripted changes, and implementationof
changes, and implementation ofAzure
permissionsassignments
assignmentsthatthathave
havebeen
beencarefully
carefullyreviewed.
reviewed. Azure
Blueprints
Blueprints

•• Why
Why––Changes
Changesininthe
theroot
rootmanagement
managementgroup
groupcan
canaffect
affectevery
everyresource
resourceon
onAzure.
Azure.While
Whilethis
thisisis
aapowerful
powerfulway
waytotoensure
ensureconsistency
consistencyacross
acrossthe
theenterprise,
enterprise,errors
errorsor
orincorrect
incorrectusage
usagecan
cannegatively
negatively
impact production operations.
impact production operations.
GRC – Top Risk BEST PRACTICE CHOICE

CRITICAL GUIDANCE

UNPATCHED VM DIRECT INTERNET COMMON INCIDENT

VIRTUAL
VIRTUALMACHINE
MACHINE(VM)
(VM)SECURITY
SECURITYUPDATES
UPDATES VM
VMDIRECT
DIRECTINTERNET
INTERNETCONNECTIVITY
CONNECTIVITY

•• What
What––Rapidly
Rapidlyapply
applysecurity
securityupdates
updatestotovirtual
virtual •• What
What––Monitor
Monitorand
andrestrict
restrictdirect
directinternet
internetconnectivity
connectivity
machines
machines •• How
How––Use
Useone
oneor
ormore
moreofofthe
thefollowing
followingmethods
methods
•• How
How––Enable
EnableAzure
AzureSecurity
SecurityCenter
Centerto
toidentify
identify •• Enterprise-wide
Enterprise-wideprevention
prevention--Prevent
Preventinadvertent
inadvertentexposure
exposurevia
via
missing
missingsecurity
securityupdates
updates network routing/security + RBAC Permissions (in this guidance)
network routing/security + RBAC Permissions (in this guidance)
https://docs.microsoft.com/en-us/azure/security-center/security-cent
https://docs.microsoft.com/en-us/azure/security-center/security-cent
er-apply-system-updates
er-apply-system-updates •• Identify
Identifyand
andRemediate
Remediateexposed
exposedVMs
VMswith
withAzure
AzureSecurity
SecurityCenter
Center
•• Restrict
Restrictmanagement
managementports
ports(RDP,
(RDP,SSH)
SSH)using
usingJust
Justin
inTime
Timeaccess
access
Apply
Applyupdates
updatesusing
usingenterprise
enterprisepatch
patchmanagement
management
or Azure Update Management
or Azure Update Management

Why
Why––Attackers
Attackersconstantly
constantlyscan
scanpublic
publiccloud
cloudIP
IPranges
rangesfor
foropen
openmanagement
managementports
portsand
andattempt
attempt“easy”
“easy”attacks
attacksthat
that
exploit
exploitcommon
commonpasswords
passwordsandandunpatched
unpatchedvulnerabilities
vulnerabilities
GRC – Security Incident Notification BEST PRACTICE CHOICE

CRITICAL GUIDANCE

INCIDENT
INCIDENTNOTIFICATION
NOTIFICATION

•• What
What––Ensure
Ensureaasecurity
securitycontact
contact
receives
receivesAzure
Azureincident
incidentnotifications
notifications
from
from Microsoft (typicallyaanotification
Microsoft (typically notification
that
thatyour
yourresource
resourceisiscompromised
compromised
and/or
and/or attacking anothercustomer)
attacking another customer)
•• Why
Why––Enables
Enablessecurity
securityoperations
operationstoto
rapidly
rapidlyrespond
respondto topotential
potentialsecurity
security
risks and remediate them.
risks and remediate them.
•• How
How––Ensure
Ensureadministrator
administratorcontact
contact
information in the Azure enrollment
information in the Azure enrollment
portal
portalincludes
includescontact
contactinformation
informationthat
that
will
will notify security operations (directlyor
notify security operations (directly or
rapidly via an internal process)
rapidly via an internal process)
See online service terms “Security Incident Notification” section for specific
contractual commitments
GRC – Access Reviews BEST PRACTICE CHOICE

CRITICAL GUIDANCE

REGULARLY
REGULARLYREVIEW
REVIEWCRITICAL
CRITICALACCESS
ACCESS

•• What
What––Regularly
Regularlyreview
reviewprivileges
privilegeswith
with
aabusiness-critical
business-criticalimpact
impact
•• Why
Why––Access
Accessrequirements
requirementschangechangeover
over
time but technical privileges typically
time but technical privileges typically
only
onlygrow
grow(accruing
(accruingsignificant
significantrisk).
risk).
•• How
How––Set
Setupupaarecurring
recurringreview
reviewpattern
pattern
•• Manual
ManualProcess
Process
•• Automated
Automated--UsingUsingAzure
AzureADADaccess
access
reviews for all groups with critical
reviews for all groups with critical
business
businessimpact
impact
https://docs.microsoft.com/en-us/azure/active-
https://docs.microsoft.com/en-us/azure/active-
directory/governance/create-access-review
directory/governance/create-access-review

See
Seeadministration
administrationsection
sectionfor
forguidance
guidanceonon
identifying roles with a critical business impact
identifying roles with a critical business impact
GRC – Security Posture Improvement BEST PRACTICE CHOICE

CRITICAL GUIDANCE

MONITOR
MONITORAZURE
AZURESECURE
SECURESCORE
SCORE REMEDIATE
REMEDIATEIDENTIFIED
IDENTIFIEDRISKSRISKS
•• What
What––Monitor
Monitorthe
thesecurity
securityposture
postureof ofmachines,
machines,
•• What
What––Use UseSecure
SecureScore
ScoreininAzure
AzureSecurity
SecurityCenter
Centerto to networks,
networks,storage
storageand
anddata
dataservices,
services,and
andapplications
applications
identify key recommendations and monitor progress
identify key recommendations and monitor progress to discover potential security issues.
to discover potential security issues.
•• How
How––Review
Reviewyour
yourAzure
Azuresecure
securescore
scoreto
tosee
seethe
the •• How
recommendations How––Follow
Followthe
thesecurity
securityrecommendations
recommendationsin inAzure
Azure
recommendations resulting from the Azure policiesand
resulting from the Azure policies and Security
SecurityCenter
Centerstarting
startingwith
withthe
thehighest
highestpriority
priorityitems.
items.
initiatives built into Azure Security center. These include
initiatives built into Azure Security center. These include The remediations can frequently be initiated from
top The remediations can frequently be initiated from
toprisks
riskssuch
suchasassecurity
securityupdates,
updates,endpoint
endpointprotection,
protection, within
withinthe
theconsole.
console.
encryption,
encryption,security
securityconfigurations,
configurations,missing
missingWAF,
WAF,
internet connected VMs, and many more. https://docs.microsoft.com/en
https://docs.microsoft.com/en
internet connected VMs, and many more.
-us/azure/security-center/security-center-
-us/azure/security-center/security-center-
https://docs.microsoft.com/en
https://docs.microsoft.com/en recommendations
recommendations
-us/azure/security-center/security-center-secure-score
-us/azure/security-center/security-center-secure-score

Why
Why––Rapidly
Rapidlyidentifying
identifyingand
andremediating
remediatingcommon
commonsecurity
securityhygiene
hygienerisks
riskscan
cansignificantly
significantlyreduce
reduceoverall
overallrisk
risk
Governance – Access for Security Personnel
CRITICAL BEST PRACTICES

SECURITY
SECURITYTEAM
TEAMVISIBILITY
VISIBILITY AZURE
AZURESECURITY
SECURITYCENTER
CENTERACCESS
ACCESS

•• What
What––Provide
Providesecurity
securityteams
teams •• What
What––Provide
Provideaccess
accesstotoAzure
Azure
security visibility to all Azure
security visibility to all Azure Security
Security Center (ASC) for teamsusing
Center (ASC) for teams using
resources
resources this
thistool
tooltotoremediate
remediaterisk
riskininAzure
Azure
•• Why
Why––Security
Securityrequires
requiresvisibility
visibilityinin •• Why
Why––Azure
AzureSecurity
SecurityCenter
Centerallows
allows
order
orderto toassess
assessand andreport
reporton onrisk
risk teams to quickly identify
teams to quickly identify andand
•• How remediate
remediatesecurity
securityrisks
risks
How––Assign
Assignsecurity
securityteams
teamswithwith
Azure responsibilities to the Security
Azure responsibilities to the Security •• How
How––Assign
Assignteams
teamsrequiring
requiringaccess
access
Readers
Readersrole roleusing
usingeither:
either: to ASC to the security admins
to ASC to the security admins role role
•• Root
Rootmanagement
managementgroup group(MG)(MG) •• Set/enforce
Set/enforcepolicies
policies
––for teams responsible
for teams responsible for all for all •• Take
Takeactions
actionsto
to
Azure
Azureresources
resources remediate recommendations
remediate recommendations
•• Segment
SegmentMG MG––for forteams
teamswithwith •• This
limited scope (commonly Thiscan
canbe
beassigned
assignedat
atthe
thethe
theroot
root
limited scope (commonly management group or segment
management group or segment
because
becauseof ofregulatory
regulatoryor orother
other management
organizational boundaries) managementgroup(s)
group(s)depending
dependingon on
organizational boundaries) the scope of responsibilities.
the scope of responsibilities.
GRC – Insecure Legacy Protocols BEST PRACTICE CHOICE

BEST PRACTICE

DISABLE
DISABLEINSECURE
INSECUREPROTOCOLS
PROTOCOLS

•• What
What––Discover
Discoverandanddisable
disablethe
theuse
useof
of
SMBv1,
SMBv1,LM/NTLMv1,
LM/NTLMv1,wDigest,
wDigest,Unsigned
Unsigned
LDAP
LDAP Binds, and Weak ciphers inKerberos.
Binds, and Weak ciphers in Kerberos.
•• Why
Why––Authentication
Authenticationprotocols
protocolsare
arecritical
critical
to
tonearly
nearlyall
allsecurity
securityassurances.
assurances.Attackers
Attackers
with access to your network can exploit
with access to your network can exploit
weaknesses
weaknessesin inolder
olderversions
versionsof
ofthese
these
protocols.
protocols.
•• How
How––
•• Discover
Discoverusage
usagebybyreviewing
reviewinglogs
logswith
with
Azure Sentinel
Azure Sentinel
Insecure
InsecureProtocol
ProtocolDashboard
Dashboardor or33rd
rd

party
partytools
tools
•• Restrict
Restrictor
orDisable
Disableuse
useof
ofthese
these
protocols (recommend pilot/testing).
protocols (recommend pilot/testing).
Guidance
GuidanceforforSMB,
SMB,NTLM,
NTLM,WDigest
WDigest
GRC – Compliance
GUIDANCE

REGULATORY
REGULATORYCOMPLIANCE
COMPLIANCE AZURE
AZUREBLUEPRINTS
BLUEPRINTS

•• What
What––Use
UseAzure
AzureSecurity
SecurityCenter
Centerto
toreport
reporton
on •• What
What––UseUseAzure
AzureBlueprints
Blueprintsto
torapidly
rapidlyand
and
compliance with regulatory standards
compliance with regulatory standards consistently deploy compliant workloads
consistently deploy compliant workloads
•• How
How––Azure
AzureBlueprint
BlueprintService
Serviceautomates
automates
deployment
deploymentof ofenvironments
environmentsincluding
includingRBAC
RBAC
roles, policies, resources (VM/Net/Storage/etc.),
roles, policies, resources (VM/Net/Storage/etc.),
and
andmore.
more.Several
Several
Security
Security andCompliance
and ComplianceBlueprints
Blueprints templates
templatesare
are
available
available

•• How
How––
https://docs.microsoft.com/en-us/azure/security-c
https://docs.microsoft.com/en-us/azure/security-c
enter/security-center-compliance-dashboard
enter/security-center-compliance-dashboard

Why
Why––These
Thesecapabilities
capabilitieshelp
helpyou
youstay
staycompliant
compliantwith
withregulatory
regulatorystandards
standards
GRC – Benchmarks
GUIDANCE

EVALUATE
EVALUATEUSING
USINGBENCHMARKS
BENCHMARKS

•• What
What––Benchmark
Benchmarkyour
yourorganization’s
organization’s
Azure
Azuresecurity
securityagainst
againstexternal
externalsources
sources

•• Why
Why––External
Externalcomparisons
comparisonshelp
helpvalidate
validate
and
andenrich
enrichyour
yourteam’s
team’ssecurity
securitystrategy.
strategy.

•• How
How––Compare
Compareyour
yourconfiguration
configurationtoto
guidance
guidancelike
likeCenter
Centerfor
forInternet
InternetSecurity
Security
(CIS) Benchmarks
(CIS) Benchmarks

Benchmark
Benchmark--
https://www.cisecurity.org/benchmark/
https://www.cisecurity.org/benchmark/
azure/
azure/

ASC
ASCCompliance
ComplianceCheck
Check
https://docs.microsoft.com/en-us/azure
https://docs.microsoft.com/en-us/azure
/security-center/security-center-compli
/security-center/security-center-compli
ance-dashboard
ance-dashboard
GRC – Azure Policy
GENERAL BEST PRACTICE

IMPLEMENT
IMPLEMENTAZURE
AZUREPOLICY
POLICY

•• What
What––Use
UseAzure
Azurepolicy
policyto
tomonitor
monitor
and
andenforce
enforceyour
yourorganization’s
organization’s
security policy
security policy
•• Why
Why––Ensure
Ensurecompliance
compliancewith
withyour
your
security
securitystrategy
strategyand/or
and/orregulatory
regulatory
security
security requirements acrossyour
requirements across your
Azure
Azureworkloads.
workloads.
•• How
How––Follow
Followthetheinstructions
instructionsinin
the
theAzure
AzurePolicy
Policydocumentation
documentationto to
plan and create policies
plan and create policies
https://docs.microsoft.com/en-us/
https://docs.microsoft.com/en-us/
azure/governance/policy/tutorials/
azure/governance/policy/tutorials/
create-and-manage
create-and-manage
GRC – Elevated Security Capabilities BEST PRACTICE CHOICE

GENERAL GUIDANCE

Azure
AzureCustomer
CustomerLockbox
Lockbox
Determine
Determine whetheryour
whether yourpersonnel
personnelare
arerequired
requiredtotoreview
reviewand
andapprove
approveor orreject
rejectaccess
accessrequests
requestsfrom
fromMicrosoft
Microsoftsupport
support
engineers where your data must be accessed to resolve a support issue.
engineers where your data must be accessed to resolve a support issue.
https://docs.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview
https://docs.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview

A small number of regulatory bodies explicitly require specialized security measures.

While broadly available, these capabilities often increase overhead and cost.

Dedicated
DedicatedHardware
HardwareSecurity
SecurityModules
Modules(HSMs)
(HSMs)
Identify
Identify whether you need to utilize dedicatedHardware
whether you need to utilize dedicated HardwareSecurity
SecurityModules
Modules(HSMs)
(HSMs)to
tomeet
meetregulatory
regulatoryor
orsecurity
securityrequirements
requirements
https://docs.microsoft.com/en-us/azure/dedicated-hsm/
https://docs.microsoft.com/en-us/azure/dedicated-hsm/

Confidential
ConfidentialComputing
Computing
Identify
Identify whetheryou
whether youneed
needtotoutilize
utilizeConfidential
ConfidentialComputing
Computingto
tomeet
meetregulatory
regulatoryor
orsecurity
securityrequirements
requirements
https://azure.microsoft.com/en-us/blog/azure-confidential-computing/
https://azure.microsoft.com/en-us/blog/azure-confidential-computing/
GRC BEST PRACTICE CHOICE

GENERAL GUIDANCE

Monitor
Monitor Azure
Azure AD
AD Risk
Risk Reports
Reports
Monitor
Monitor your
your Azure
Azure AD
AD Risk
Risk Reports
Reports for
for
 Risky
Risky sign-in
sign-in
 Risky
Risky users
users
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events

Penetration
Penetration Testing
Testing
Use
Use Penetration
Penetration Testing
Testing or
or Red
Red Team
Team activities
activities to
to validate
validate security
security defenses
defenses
https://technet.microsoft.com/en-us/mt784683
https://technet.microsoft.com/en-us/mt784683
 N

Security Operations

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/security-operations
Microsoft’s
The First Bigapproach (from
Challenge our SOC)
of every SOC
Enforce Quality + Apply
Overwhelming SignalTechnology
& Limited Human Capacity

Detect Respond
Billions of events per month

CONCERN
CONCERN11 CONCERN
CONCERN22
Miss
Missreal
realdetections
detections Attackers
Attackersoperate
operatefreely
freely
while
whilechasing
chasingfalse
falsepositives
positives Enforce
Enforce90%
90%true
truepositive
positive until
untilremediated
remediated
on
onalert
alertfeeds
feeds
Machine Learning
(Artificial Intelligence)

Focus on time to acknowledge and remediate

Behavioral Analytics (UEBA)
(User and Entity) Security
SecurityOrchestration,
Orchestration,Automation,
Automation,
and
and Remediation(SOAR)
Remediation (SOAR)

Hundreds of investigations
SIEM Integration
Existing
Existing SIEM
SIEM AZURE
AZURE SENTINEL
SENTINEL
Microsoft
Microsoftprovides
providesAPIs
APIsand
andconnectors
connectors Built-in
Built-in11st&&33rdparty
st rd
partyconnectors
connectors

GRAPH
GRAPHSECURITY
SECURITYAPI
API
Alert
AlertIntegration
Integration&&Actions
Actions

Office
Office365
365
Log
Log&&Alert
AlertIntegration
Integration
Azure,
Azure,Office
Office365,
365, Azure
Azure
Azure
Azure AdvancedThreat
Advanced ThreatProtectio
Protectio
nn(ATP),
(ATP),
Microsoft
MicrosoftSecurity
SecurityTools
Tools
Microsoft
MicrosoftDefender
DefenderATP,
ATP,
Microsoft Cloud App Security
Microsoft Cloud App Security

FIREWALL,
FIREWALL,NETWORK,
NETWORK,AND
ANDMORE
MORE

Built
Builtinin
connectors
connectors
varies
variesdepending
depending
on
on SIEMvendor
SIEM vendor

CEF/Syslog/API
CEF/Syslog/API
Integrated toolset for
rapid threat remediation SOC Reference Architecture

Breadth
Breadth
Microsoft Threat Protection •• Unified
UnifiedAlert
AlertQueue
Queue
•• Customized Alerts
Customized Alerts

Cloud
Cloud Native
Native SIEM
SIEM ++ SOAR
SOAR -- Azure
Azure Sentinel
Sentinel
Built on Azure Monitor, Logic Apps, and Microsoft’s UEBA/ML Technology

NETWORK
NETWORK SERVERS
SERVERS IIAA
AASS OTHER
OTHER
ENDPOINT
ENDPOINT IDENTITY
IDENTITY SaaS
SaaS AZURE
AZURE Event
EventLog
LogData
Datafrom
fromDevices,
Devices,Services,
Services,and
and
Windows
WindowsDefender
DefenderATP
ATP Azure
AzureATP
ATP++Azure
AzureADAD Office
Office365
365Advanced
Advanced Azure
AzureSecurity
Security Security Tools (3rd party and Microsoft)
Security Tools (3rd party and Microsoft)
Endpoint
Endpoint Detection&&
Detection Identity Protection
Identity Protection Threat
Threat Protection(ATP)
Protection (ATP) Center
Center
Response
Response(EDR)
(EDR) ++Cloud App Security
Cloud App Security

Depth
Depth
•• High
Highquality
qualityalerts
alerts
•• End
End to end investigationand
to end investigation andremediation
remediation
Centralized Visibility
Azure Security Center Azure Sentinel
IDENTIFY PROTECT DETECT RESPOND RECOVER

GRC IT / Security SOC

Professional Professional Analyst
Assess Risk Implement Primary Console
& Compliance Protections Alerts, Investigation

Log Flow

Generate Alerts

Identity Endpoint Cloud Network and more

Security Operations – Azure Alerts BEST PRACTICE CHOICE

CRITICAL GUIDANCE

Azure Security Center Alerts

ASC
ASCBUILT
BUILTIN
INSECURITY
SECURITYALERTS
ALERTS
Virtual Machine Behavioral
•• What Analysis (VMBA)
What––Enable
EnableAzure
AzureSecurity
SecurityCenter
Center SQL Database & Data
security Alerts
security Alerts Warehouse Analysis​
•• Why
Why––Azure
AzureSecurity
SecurityCenter
Centerprovides
provides
actionable
actionable detections for commonattack
detections for common attack Contextual Information
methods
methods (Alert List depicted on thisslide),
(Alert List depicted on this slide),
which can save your team significant
which can save your team significant
effort
efforton
onquery
querydevelopment.
development.
Network Analysis
These
Thesealerts
alertsare
arefocused
focusedon onhigh
hightrue
true
positive
positiverate
rateby
byleveraging
leveragingMicrosoft’s
Microsoft’s
extensive
extensive threat intelligence,advanced
threat intelligence, advanced
machine learning, industry leading
machine learning, industry leading
Endpoint
EndpointDetection
Detection&&Response
Response(EDR)
(EDR)((
MITRE
MITREreport),
report),and
andother
otherapproaches.
approaches.
•• How
How––Enable
EnableAzure
AzureSecurity
SecurityCenter
Center
(Recommend Standard
(Recommend Standard Tier) Tier)
https://docs.microsoft.com/en-us/azure/s
https://docs.microsoft.com/en-us/azure/s
ecurity-center/security-center-get-started
ecurity-center/security-center-get-started
Security Operations – Alert & Log Integration
GENERAL GUIDANCE

NOW
NOW--ALERT
ALERTINTEGRATION
INTEGRATION LATER
LATER-- ADDITIONAL
ADDITIONALLOGS
LOGS
•• What
What––When
Whenrequired,
required,integrate
integrate
•• What
What––Integrate
IntegrateAlerts
Alertsfrom
fromAzure additional
Security Center into your
Azure
existing
additionalAzure
Azureservice
servicelogs
logsfor
for
Security Center into your existing Azure platform and services into
SIEM Azure platform and services into
SIEM(if
(ifyou
youare
arecurrently
currentlyusing
usingone).
one). your
•• Why
yourSIEM
SIEM
Why––Organizations
Organizationsuse useSIEMs
SIEMsas asaa
central •• Why
Why––Additional
AdditionalLogs
Logsmay
maybe be
centralclearinghouse
clearinghousefor forsecurity
security NOW
NOW--CRITICAL
CRITICALLOGS LOGS
alerts
alerts that require an analystto
that require an analyst to required
required for investigation andfor
for investigation and for
•• What
What––Integrate
IntegrateAzure
Azurelogs
logswith
withyour
your
respond
respond SIEM (or archive logs if no SIEM)
generating
generatingcustomized
customizedalerts
alertsfor
for
SIEM (or archive logs if no SIEM)
•• How
How––Follow
Followthese
theseinstructions
instructions
applications
applicationsand
andAzure
Azureservice
service
•• Why
Why––These
Theselogs
logsenable
enablesecurity
security
https://docs.microsoft.com/en-us/azu
https://docs.microsoft.com/en-us/azu usage.
usage.
re/security-center/security-center-ex incident
incident investigation and enableyou
investigation and enable youto
to
re/security-center/security-center-ex •• How
port-data-to-siem
port-data-to-siem
query data prior to the online log
query data prior to the online log How––Follow
Followthese
theseinstructions
instructions
retention
retentionperiod
periodofofthe
theservice.
service. and
andguidance
guidanceto toonboard
onboard
•• Alternately,
Alternately,you
youcan
canuse
useAzure
Azure
Security •• How
How––UseUseAzure
AzureMonitor
Monitortotogather
gatherlogs
logs appropriate logs
appropriate logs
Security Center for centralsecurity
Center for central security
dashboard function
dashboard function if if https://docs.microsoft.com/en-us/
https://docs.microsoft.com/en-us/
•• You
azure/security/azure-log-audit
azure/security/azure-log-audit
Youdon’t
don’thave
haveaaSIEM
SIEM
•• Your
Yourteams
teamsdesire/require
desire/requireaaconsole
console
focused
focused on Azureresources
on Azure resources CR I T I CA L L O G S A Z U R E MO N I T O R
Security Operations – Journey to Cloud Analytics
CRITICAL CHOICE

Benefits
Benefitsof
ofnative
nativecloud
cloud
CLOUD
3.
3. Cloud
Cloud Native
Native Architecture
Architecture analytics
analyticsmay
mayalso
alsoaccelerate
accelerate
CLOUDANALYTICS
ANALYTICSSTRATEGY
STRATEGY transition plans (advanced
transition plans (advanced
Security
Securityanalytics
analyticsand
andstorage
storageuse
usenative
nativecloud
cloud capabilities,
services. capabilities,simplified
simplified
•• What
What––Choose
Choosewhen whenandandhowhowto to services. management,
management,etc.)etc.)
integrate cloud-based security
integrate cloud-based security
analytics/SIEM
analytics/SIEM(such(suchasasAzure
AzureSentinel,
Sentinel,
ELK
ELKstack,
stack,etc.)
etc.) 2.
2. Side
Side by
by Side
Side Architecture
Architecture Can
CanbebeNative
NativeCloud
CloudAnalytics
Analytics
•• Why Separate
Separateevent
eventlog
logstores
storesand
andanalytics
analyticsengines
engines (recommended) or
Why––As Asmore
moreenterprise
enterpriseservices
services (recommended) or
Infrastructure
generate
generatesecurity
securitydata
datain inthe
thecloud,
cloud, •• On
Onpremises
premisesfor
forlocal
localresources
resources InfrastructureasasaaService
Service(IaaS)
(IaaS)
hauling this data back to on premises SIEM. Native is recommended
SIEM. Native is recommended
hauling this data back to on premises •• Cloud
Cloudbased
basedanalytics
analyticsfor
forcloud
cloudresources
resources over
becomes
becomesexpensive
expensiveandandinefficient.
inefficient. overIaaS
IaaSbecause
becauseof ofreduced
reduced
This ‘Data Gravity’ will increasingly Integration
Integrationcan
canbe
bedone
doneatatthe
thelevel
levelof
of infrastructure management
infrastructure management
This ‘Data Gravity’ will increasingly
require
requiresecurity
securityanalytics
analyticsto tobe
behosted
hosted •• Alerts
Alerts––using
usingMicrosoft
MicrosoftGraph
GraphSecurity
SecurityAPI
API
in the cloud as you migrate workloads.
in the cloud as you migrate workloads. Hybrid
•• Incidents
Incidents––using
usingcase
casemanagement
managementtooling
tooling HybridArchitecture
Architecturecan
can
•• How
How––Ensure
Ensureyouryourstrategy
strategyfor for
Function as either a
Function as either a
security
security analytics & SIEM plansfor
analytics & SIEM plans forthis
this ••Transition
TransitionState
State
transition and includes thresholds &
transition and includes thresholds &
timing 1.
1. On-Premises
On-Premises SIEM
SIEM Architecture
Architecture ••Permanent
PermanentState
timingforforprogression
progressioninto intoeach
State
each
phase.
phase. Classic
Classicmodel
modelwith
withon-premises
on-premisesanalytics
analytics&&database
database
Security Operations BEST PRACTICE CHOICE

GENERAL GUIDANCE

Have
Haveanalysts
analystslearn
learnnew
newauthentication
authenticationflows
flows
Many
Many analysts may be unfamiliar with how newerauthentication
analysts may be unfamiliar with how newer authenticationprotocols
protocolslike
likeOAuth,
OAuth,SAML,
SAML,and andWS-Federation
WS-Federationwork.
work.Ensure
Ensure
analysts get familiar with these protocols as they are different than on premises protocols like NTLM and Kerberos
analysts get familiar with these protocols as they are different than on premises protocols like NTLM and Kerberos

Prioritize
Prioritizecritical
criticalimpact
impactadmin
adminaccounts
accounts
Ensure
Ensure your SOC processes prioritizeattacks
your SOC processes prioritize attackson
oncritical
criticalimpact
impactadmins
adminsthatthatcould
couldhave
haveaasignificant
significantbusiness
businessimpact
impactifif
compromised.
compromised.Prioritization
Prioritizationshould
shouldinclude
includeadmin
adminonly
onlyelements
elementslike
likeAzure
AzureAD ADPIM
PIMasaswell
wellas
asprioritizing
prioritizinggeneral
generaldetections
detections
that include admin users like leaked credentials, behavior analytics,
that include admin users like leaked credentials, behavior analytics, etc. etc.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-sumologic
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-sumologic

On-Premises
On-PremisesIdentity
IdentityAttack
AttackDetection
Detection
Attackers
Attackers frequently use pass thehash/ticket/password
frequently use pass the hash/ticket/passwordand andother
othercredential
credentialtheft/impersonation
theft/impersonationattacks
attackswhich
whichcan
canaffect
affect
Infrastructure
Infrastructure as a Service (IaaS) Virtual Machines (VMs). Azure Security Center includes some detections on Azure, butyou
as a Service (IaaS) Virtual Machines (VMs). Azure Security Center includes some detections on Azure, but you
should
should also consider specialized identity security tools such as Azure ATP or a 3rd party solution (which can also protecton-
also consider specialized identity security tools such as Azure ATP or a 3rd party solution (which can also protect on-
premises
premisescomponents).
components).
 N

Identity and Access Management

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/identity
Identity as the Control Plane
Single Sign-On and Zero Trust Access Control Across Your Enterprise

Partners
Customers

Commercial
IdPs BYOD
Azure
Consumer Active Directory
IdPs

Windows Server Azure AD

Active Directory Connect

On-
premises
Cloud
 Managed identities for Azure resources

 Simplifies Azure VM

authentication/security for Your code 3

Azure Service
(e.g. ARM, Azure Storage)
developers (vs. service
principals) 1

 Authenticate to services without inserting Azure Active Directory

http://localhost/oauth2/token
credentials into code
 Target Service must support Azure AD authentication MSI VM 2
 E.g. Allow (code running on) a specific VM Extension

to access Azure Key Vault, Storage Account, Credentials

Azure SQL, etc.
https://docs.microsoft.com/en-us/azure/active-directory
Azure (inject and roll credentials)
/managed-identities-azure-resources/overview
Top 3 Attacks

lllllllll
Password Spray
200,000 accounts compromised in Aug 2018
(Primarily via legacy AuthN protocols)

Phishing
5B emails blocked in 2018
44M risk events in Aug 2018

lllllllll
Breach Replay
650,000 accounts with leaked credentials in 2018
 [email protected] Password123

Password Spray
[email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
[email protected] Password123
Typical Attack [email protected] Password123
1. Attempt a common password [email protected] Password123
used against many, many [email protected] Password123
[email protected] Password123
accounts.
[email protected] Password123
(stay below account lockout threshold)
[email protected] Password123
2. After successful login, dump the [email protected] Password123
GAL. [email protected] Password123
3. Start pivoting in environment. [email protected] Password123
[email protected] Password123
Identity – Consistency
CRITICAL BEST PRACTICES

SINGLE
SINGLEENTERPRISE
ENTERPRISEDIRECTORY
DIRECTORY SYNCHRONIZE
SYNCHRONIZEWITH
WITHACTIVE
ACTIVE AZURE
AZUREAD
ADFOR
FORAPPLICATIONS
APPLICATIONS
DIRECTORY & IDENTITY SYSTEMS
DIRECTORY & IDENTITY SYSTEMS
•• What
What––Establish
Establishaasingle
singleenterprise
enterprise •• What
What––For
Fornew
newdevelopment,
development,useuse
Azure
Azure Active Directory (AzureAD)
Active Directory (Azure AD) •• What
What––Synchronize
SynchronizeAzure
AzureAD
ADwith
with Azure AD for consistent
Azure AD for consistent
instance
instance your existing on-premises AD
your existing on-premises AD authentication
authentication
•• How
How––Designate
Designateaasingle
singleAzure
AzureAD
AD •• How
How––Leverage
LeverageAzure
AzureAD
ADconnect
connecttoto •• How
How––Use
Useappropriate
appropriatecapabilities
capabilities
directory as the authoritative source
directory as the authoritative source synchronize with on premises AD and
synchronize with on premises AD and to
to support authenticationneeds
support authentication needs: :
for
forcorporate/organizational
corporate/organizational any
anyidentity
identitymanagement
managementsystems
systems •• Azure
AzureAD
AD––Employees
Employees
accounts.
accounts. https://docs.microsoft.com/en-us/azure/acti
https://docs.microsoft.com/en-us/azure/acti •• Azure
AzureAD
ADB2B
B2B––Partners
Partners
ve-directory/connect/active-directory-aadco
ve-directory/connect/active-directory-aadco
nnect •• Azure
nnect AzureAD
ADB2C
B2C--Customers/citizens
Customers/citizens

•• Why
Why––Consistency
Consistencyand
andsingle
singleauthoritative
authoritativesources
sourceswill
willincrease
increaseclarity
clarityand
andreduce
reducesecurity
securityrisk
riskfrom
fromhuman
humanerrors
errorsand
and
configuration/automation complexity.
configuration/automation complexity.
Identity
CRITICAL BEST PRACTICES

BLOCK
BLOCKLEGACY
LEGACYAUTHENTICATION
AUTHENTICATION DON’T
DON’TSYNCH
SYNCHAD
ADADMINS
ADMINS

•• What
What––Block
Blocklegacy
legacyauthentication
authenticationprotocols
protocolsfor
forAzure
AzureAD
AD •• What
What––Don’t
Don’tsynchronize
synchronizeaccounts
accountsto toAzure
AzureADADthat
that
•• Why have high privileges in your existing Active Directory
have high privileges in your existing Active Directory
Why––Weaknesses
Weaknessesin inolder
olderprotocols
protocolsareareactively
activelyexploited
exploited
by
by attackers daily, particularly for bypassing MFA andfor
attackers daily, particularly for bypassing MFA and for •• Why
Why––This
Thismitigates
mitigatesthetherisk
riskof
ofadversaries
adversariespivoting
pivoting
password spray attacks (majority use legacy auth)
password spray attacks (majority use legacy auth) from
from cloud to on premises assets (creating apotential
cloud to on premises assets (creating a potential
•• How major incident).
major incident).
How––Configure
ConfigureConditional
ConditionalAccess
Accesstotoblock
blocklegacy
legacy
protocols
protocols •• How
How––This
Thisisisblocked
blockedby
bydefault.
default.Do
Donot
notchange
changethe the
default
default Azure AD Connect configuration that filtersout
Azure AD Connect configuration that filters out
https://techcommunity.microsoft.com/t5/Azure-Active-D
https://techcommunity.microsoft.com/t5/Azure-Active-D
irectory-Identity/Azure-AD-Conditional-Access-support- these accounts
these accounts
irectory-Identity/Azure-AD-Conditional-Access-support-
for-blocking-legacy-auth-is/ba-p/245417
for-blocking-legacy-auth-is/ba-p/245417
See
Seealso
alsothe
theconverse
converseguidance
guidancein
inAdministration
Administrationsection:
section:
• • Critical
CriticalImpact
ImpactAdmin
Admin--Account
Account
• • Critical Impact Admin - Workstation
For
Formore
moreinformation
information Critical Impact Admin - Workstation
https://www.youtube.com/watch?v=wGk0J4z90GI
https://www.youtube.com/watch?v=wGk0J4z90GI
Identity – Password Synchronization
CRITICAL BEST PRACTICE

SYNCHRONIZE
SYNCHRONIZEPASSWORD
PASSWORDHASHES
HASHES
B. Check Azure
AD Risk Report
Azure AD
Identity Protection
Admin

•• What
What––Synchronize
Synchronizeyour
youruser
userpassword
password
Leaked
Credential
A, Identify matches
with leaked credentials
Database
hashes
hashes from on-premises ActiveDirectory
from on-premises Active Directory
instance
instance to Azure Active Directory(Azure
to Azure Active Directory (Azure
AD).
AD). 1. Request unicodePWD via MS-DRSR
7. String + salt + iteration count (SSL)

•• Why
Why––This
Thisincreases
increasesboth
both
2. Encrypted unicodePWD via MS-DRSR

Windows Server 2016 Azure AD Azure Active 8a. If conditional

•• Security
Security--Protects
Protectsagainst
againstleaked
leakedcredentials
credentials Domain Controller Connect Server Directory access enabled and
being
being replayed from previousattacks
replayed from previous attacks
password matches
leaked credential,
force user to change
•• Reliability
Reliability--Customers
Customersaffected
affectedbyby(Not)Petya
(Not)Petya
Processing
3. Decrypts envelope to retrieve MD4 hash password (including
attacks were able to continue business
attacks were able to continue business 4. Convert to 64-byte binary Conditional
MFA validation)
5. Add 10-byte salt Access
operations
operationswhen
whenpassword
passwordhashes
hasheswere
weresynced
synced 6. PBKDF2 + 1,000 iterations of HMAC-SHA256
to
to Azure AD (vs. near zero IT functionalityfor
Azure AD (vs. near zero IT functionality for
customers who did not)
customers who did not)
•• How
How––Configure
ConfigureAzure
AzureAD
ADConnect
Connectto
to 8. User signs into Azure AD. If their hashed
synchronize password hashes
synchronize password hashes
password matches the stored password
then the user is authenticated.
User Devices
https://docs.microsoft.com/azure/active-directory/con
https://docs.microsoft.com/azure/active-directory/con
nect/active-directory-aadconnectsync-implement-pass
nect/active-directory-aadconnectsync-implement-pass
word-hash-synchronization
word-hash-synchronization
Identity – Password Protection from Cloud
CRITICAL BEST PRACTICES

AZURE
2.
2. Automatic
Automatic Enforcement
Enforcement
AZUREAD
ADPASSWORD
PASSWORDPROTECTION
PROTECTION
Automatically
Automaticallyremediate
remediatehigh
highrisk
riskpasswords
passwordswith
withConditional
ConditionalAccess
Access(leveraging
(leveraging
Azure AD Identity Protection risk assessments)
Azure AD Identity Protection risk assessments)
•• What
What––Choose
Choosethe
thelevel
levelof
ofpassword
password
protection
protectionininAzure
AzureActive
ActiveDirectory
Directory https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
•• Why
Why––Static
Staticon-premises
on-premisesdefenses
defenses
capabilities
capabilitiescan
canno
nolonger
longerprotect
protect
password-based accounts.
password-based accounts.
1.
1. Report
Report &
& Remediate
Remediate
View
Viewreports
reportsand
andmanually
manuallyremediate
remediateaccounts
accounts
•• Microsoft
Microsoft--
https://www.microsoft.com/en-us/resear •• Azure
https://www.microsoft.com/en-us/resear
ch/publication/password-guidance/ AzureAD ADreporting
reporting--Risk
Riskevents
eventsare
arepart
partof
ofAzure
AzureAD's
AD'ssecurity
securityreports.
reports.
ch/publication/password-guidance/ For more information, see the users at risk security report and the
For more information, see the users at risk security report and the
risky
riskysign-ins
sign-inssecurity
securityreport.
report.
•• NIST
NIST-- •• Azure
AzureAD ADIdentity
IdentityProtection
Protection--Risk
Riskevents
eventsare
arealso
alsopart
partof
ofthe
thereporting
reporting
https://pages.nist.gov/800-63-3/sp800-6
https://pages.nist.gov/800-63-3/sp800-6
3b.html
3b.html capabilities of Azure Active Directory Identity Protection.
capabilities of Azure Active Directory Identity Protection.
•• Usethe
Use theIdentity
IdentityProtection
Protectionrisk
riskevents
eventsAPI
APIto
togain
gainprogrammatic
programmaticaccess
accessto
to
Passwordless
Passwordlesssolutions
solutionsare
areideal
idealand
and security detections using Microsoft Graph.
security detections using Microsoft Graph.
MFA can help, but password-based
MFA can help, but password-based
accounts
accountsmust
mustbebeprotected
protected
How
0.
0. Do
Do Nothing
Nothing (Not
(Not Recommended)
Recommended)
How––Choose
Chooseprotection
protectionfor
forAzure
AzureAD
AD
Passwords
Passwords
Identity BEST PRACTICE CHOICE

GENERAL GUIDANCE

AZURE
AZUREAD ADFOR
FORLINUX
LINUXLOGIN
LOGIN
Use
Use Azure Active Directoryfor
Azure Active Directory forauthenticating
authenticatingto
toLinux
LinuxVMs
VMsto
tosimplify
simplifymanagement
managementand
andsecurity
security
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad

CLOUD
CLOUDPROTECTION
PROTECTIONFOR FORON
ONPREMISES
PREMISESACTIVE
ACTIVEDIRECTORY
DIRECTORY
Protect
Protect passwords in your on-premises AD using AzureAD
passwords in your on-premises AD using Azure AD
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
 N

Administration

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/critical-impact-accounts
Highest Protection for Highest Privileges

Critical
Critical Impact
Impact Accounts
Accounts in
in Azure
Azure Most
Mostguidance
guidancein
inthis
thissection
sectionrefers
refersto
to
protecting
protectingIT
ITAdmin
Adminaccounts
accounts
1. Administrative Privileges
• Global Azure AD Admins + Azure Tenant Admins You
Youshould
shouldconsider
considerapplying
applyingsimilar
similar
procedures
proceduresto
toother
otheradmins
adminsasaswell
well
2. Data Access
• Groups & Accounts with read/write/delete
access to business-critical data

3. Operational Access
• Groups & Accounts with control
of business-critical systems
*Owners & Admins of Management Groups
MGs/Subscriptions containing
• Shared Services
• Business Critical Apps
Admin – Quantity BEST PRACTICE CHOICE

CRITICAL BEST PRACTICES

LEAST
LEAST NUMBER
NUMBER OF
OF CRITICAL
CRITICAL IMPACT
IMPACT ADMINS
ADMINS
••What
What –– Grant
Grant the
the fewest
fewest How –
number
number of of accounts
accounts to
to groups
groups • Assign at least 2 accounts for business continuity
with
with critical
critical business
business impact
impact

••Why • When 2+ accounts, provide justification for each

Why –– Each
Each admin
admin account
account
represents
represents potential
potential attack
attack
surface
surface and
and business
business risk
risk
• Regularly review members & justification

•• Grant
Grant only
only required
required privileges
privileges (using
(using built
built in
in RBAC
RBAC roles)
roles) vs.
vs. global
global admin
admin and
and segment
segment
Tips owner
owner roles
roles
•• For
For people
people outside
outside your
your organization,
organization, use
use AAD
AAD B2B
B2B Collaboration
Collaboration instead
instead of
of personal
personal or
or
corporate
corporate accounts
accounts
Admin – Accounts BEST PRACTICE CHOICE

CRITICAL BEST PRACTICE

MANAGED
MANAGED ACCOUNTS
ACCOUNTS FOR
FOR ADMINS
ADMINS SEPARATE
SEPARATE ACCOUNTS
ACCOUNTS FOR
FOR ADMINS
ADMINS

••What
What –– Ensure
Ensure all
all critical
critical impact
impact admins
admins are are ••What
What –– Ensure
Ensure all all critical
critical impact
impact admins
admins havehave
managed
managed Azure
Azure ADAD accounts
accounts aa separate
separate account
account for for administrative
administrative taskstasks
••Why
Why –– This
This provides
provides enterprise
enterprise visibility
visibility into
into ••Why
Why –– Adversaries
Adversaries regularly
regularly use
use phishing
phishing and and
whether
whether the
the policies
policies of of the
the organization
organization and and web
web browser
browser attacks
attacks to to compromise
compromise
any
any regulatory
regulatory requirements
requirements are are followed.
followed. administrative
administrative accounts.
accounts.
••How
How –– Ensure
Ensure all
all critical
critical impact
impact admins
admins are are ••How
How –– Create
Create aa separate
separate administrative
administrative
in
in your
your enterprise
enterprise Azure
Azure AD.AD. Remove
Remove any any account
account for
for critical
critical privileges.
privileges. For
For these
these
consumer
consumer accounts
accounts fromfrom these
these roles
roles (e.g.
(e.g. accounts,
accounts, block
block productivity
productivity tools
tools like
like Office
Office
Microsoft
Microsoft accounts
accounts likelike @Hotmail.com,
@Hotmail.com, 365
365 email
email (remove
(remove license)
license) and
and arbitrary
arbitrary web
web
@live.com,
@live.com, @outlook.com,
@outlook.com, etc.) etc.) browsing
browsing (with
(with proxy
proxy and/or
and/or application
application
controls
controls ifif available)
available)
Admin – Emergency Access
CRITICAL BEST PRACTICE

BREAK
BREAK GLASS
GLASS ACCESS
ACCESS

••What
What –– Ensure
Ensure you
you have
have aa mechanism
mechanism for for
obtaining
obtaining emergency
emergency administrative
administrative access
access
••Why
Why –– Provide
Provide access
access inin the
the event
event of
of where
where
normal
normal administrative
administrative accounts
accounts can’t
can’t be
be
used
used (federation
(federation unavailable,
unavailable, etc.)
etc.)
••How
How –– Follow
Follow the
the instructions
instructions atat
Managing
Managing emergency
emergency access
access administrative
administrative
accounts in Azure
accounts in Azure AD AD
and
and ensure
ensure that
that security
security operations
operations
monitors
monitors these
these accounts
accounts carefully
carefully
 See
Seeidentity
identitysection
sectionfor
forconverse

Admin – Attack Pivot Risk

converse
guidance
guidance “Don’t Synch ADAdmins”
“Don’t Synch AD Admins”

CRITICAL BEST PRACTICE

CRITICAL
CRITICALIMPACT
IMPACTADMIN
ADMIN--ACCOUNT
ACCOUNT CRITICAL
CRITICALIMPACT
IMPACTADMIN
ADMIN--WORKSTATION
WORKSTATION
•• What
What––For
Forcritical
criticalimpact
impactaccounts,
accounts,carefully
carefullychoose
choosethe
the •• What
What––For
Forcritical
criticalimpact
impactaccounts,
accounts,choose
choosewhether
whetherthe
the
account
accounttype
typeand
anddirectory
directory admin
adminworkstation
workstationthey
theyuse
usewill
willbe
bemanaged
managedby
bycloud
cloud
services or existing on-premises processes
services or existing on-premises processes

•• Why
Why––Leveraging
Leveragingexisting
existingmanagement
managementand andidentity
identityde/provisioning
de/provisioningprocesses
processescan
candecrease
decreasesome
somerisk,
risk,but
butcan
canalso
alsocreate
create
risk
riskof
ofan
anattacker
attackercompromising
compromisingan anon-premises
on-premisesaccount
accountand
andpivoting
pivotingto
tothe
thecloud.
cloud.You
Youmay
maychoose
chooseaadifferent
differentstrategy
strategyfor
for
different roles (e.g. IT admins vs. business unit admins)
different roles (e.g. IT admins vs. business unit admins)

DEFAULT RECOMMENDATION
Native
NativeAzure
AzureAD
ADAccounts
Accounts Native
NativeCloud
CloudManagement
Management& &Protection
Protection
Create
CreateNative
NativeAzure
AzureAD
ADAccounts
Accountsthat
thatare
arenot
notsynchronized
synchronized •• Join
Jointo
toAzure
AzureAD
AD&&Manage/Patch
Manage/Patchwith
withIntune/other
Intune/other
with on-premises Active Directory
with on-premises Active Directory •• Protect
ProtectandandMonitor
Monitorwith
withWindows
WindowsDefender
DefenderATP/other
ATP/other

Synchronize
Synchronizefrom
fromOnOnPremises
PremisesActive
ActiveDirectory
Directory Manage
ManagewithwithExisting
ExistingSystems
Systems
Leverage
Leverageexisting
existingadministrative
administrativeroles
roles Join
JoinAD
ADdomain
domain&&leverage
leverageexisting
existingmanagement/security
management/security
Administration – Account protection BEST PRACTICE CHOICE

CRITICAL BEST PRACTICES

PASSWORDLESS
PASSWORDLESSOR
ORMULTI-FACTOR
MULTI-FACTORAUTHENTICATION
AUTHENTICATIONFOR
FORADMINS
ADMINS NO
NOSTANDING
STANDINGACCESS
ACCESS
•• What
What––Require
Requireall
allcritical
criticalimpact
impactadmins
adminsto
tobe
bepasswordless
passwordless(preferred)
(preferred) •• What
What––NoNostanding
standingaccess
accessfor
forcritical
critical
or require MFA.
or require MFA. impact admins
impact admins
•• Why
Why––Passwords
Passwordscannot
cannotprotect
protectaccounts
accountsagainst
againstcommon
commonattacks.
attacks. •• Why
Why––Permanent
Permanentprivileges
privilegesincrease
increase
https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3016 business
https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3016 business risk by increasing attacksurface
risk by increasing attack surface
•• How
How–– of accounts (time)
of accounts (time)
•• Passwordless
Passwordless(Windows
(WindowsHello)
Hello) •• How
How––
http://aka.ms/HelloForBusiness
http://aka.ms/HelloForBusiness •• Just
Justin
inTime
Time--Enable
EnableAzure
AzureAD
ADPIM
PIMor
or3rd
3rd
•• Passwordless
Passwordless(Authenticator
(AuthenticatorApp)
App) party solution) for all of these accounts
party solution) for all of these accounts
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phon
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phon
e-sign-in
e-sign-in
•• Break
Breakglass
glass––Process
Processfor
foraccounts
accounts
(preferred
(preferred for low use accountslike
for low use accounts likeglobal
global
•• Multifactor admin)
admin)
MultifactorAuthentication
Authentication
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
•• 3rd
3rdParty
PartyMFA
MFASolution
Solution

Note:
Note:Text
TextMessage
Messagebased
basedMFA
MFAisisnow
nowrelatively
relativelyinexpensive
inexpensivefor
forattackers
attackersto
tobypass,
bypass,so
sofocus
focuson
onpasswordless
passwordless&
&stronger
strongerMFA
MFA
Admin – Workstation Security
CRITICAL BEST PRACTICES

ADMIN USE RS
ADMINWORKSTATION
WORKSTATIONSECURITY
SECURITY
ROLES D EV ELOP ERS
•• What
What––For Forcritical
criticalimpact
impactadmins,
admins, I T OPE RATI ONS / AD M I N S
choose
choosewhatwhatadmin
adminworkstation
workstation
security
security level to startwith
level to start with(and
(andwhen
when PROFILES
you will progress to full
you will progress to full admin admin
workstations)
workstations)
•• Why
Why––Attack
Attackvectors
vectorsthat thatuseuse SECURITY
browsing and email (like
browsing and email (like phishing) phishing) CONTROLS
are
arecheap
cheapandandcommon.
common.IsolatingIsolating
critical
critical impact admins fromthese
impact admins from thesewill
will
significantly
significantlylower
loweryour yourrisk
riskofofaa
major
majorincident
incident
•• How
How––Choose
Chooselevellevelof ofadmin
admin Secure
SecureWorkstation
WorkstationDocumentation
Documentation
workstation
workstation security (usingeither
security (using either OR Overview-
Overview-http://aka.ms/SWoverview
http://aka.ms/SWoverview
Microsoft
Microsoft security capabilitiesor
security capabilities or Implementation
Implementation--http://aka.ms/secureworkstation
http://aka.ms/secureworkstation
equivalent from 3 rdparty security
rd
equivalent from 3 party security Virtualization Physical Separation
providers)
providers)
Admin – Conditional access BEST PRACTICE CHOICE

CRITICAL BEST PRACTICE

ENFORCE
ENFORCEACCESS
ACCESSSECURITY
SECURITY
•• What
What––Choose
Choosesecurity
securityrequirements
requirementsto to
enforce for admins managing
enforce for admins managing Azure Azure
•• Why
Why––Attackers
Attackerscompromising
compromisingAzure AzureAdmin
Admin
accounts
accountscancancause
causesignificant
significantharm.
harm.
Conditional
Conditional Access can significantlyreduce
Access can significantly reduce
that
that risk by enforcing security hygienebefore
risk by enforcing security hygiene before
allowing access to Azure management
allowing access to Azure management
•• How
How––Configure
Configure
Conditional
ConditionalAccess
Accesspolicy
policyforforAzure
Azuremanagem
managem
ent
ent
that
thatmeets
meetsyour
yourorganizations
organizationsriskriskappetite
appetite
and operational needs
and operational needs
• • Require
RequireMultifactor
from
MultifactorAuthentication
designated work
Authenticationand/or
network
from designated work network
and/orconnection
connection More information on Conditional Access:
• • Require
RequireDevice
Deviceintegrity
integritywith
withWindows
WindowsDefender
DefenderATP
ATP
https://docs.microsoft.com/en-us/azure/active-directory/con
(Strong Assurance)
(Strong Assurance) ditional-access/overview
Admin – Simplify Permissions
CRITICAL BEST PRACTICES

USE
USEBUILT
BUILTIN
INROLES
ROLES AVOID
AVOIDGRANULAR
GRANULARAND
ANDCUSTOM
CUSTOMPERMISSIONS
PERMISSIONS

•• What
What––UseUsebuilt-in
built-inroles
rolesfor
for •• What
What––Avoid
Avoidpermissions
permissionsspecifically
specificallyreferencing
referencingresources
resourcesor orusers
users
assigning permissions
assigning permissions •• Why
Why––Specific
Specificpermissions
permissionscreate
createunneeded
unneededcomplexity
complexityand andconfusion,
confusion,
•• Why
Why––Customization
Customizationleads
leadstoto accumulating
accumulatinginto
intoaa“legacy”
“legacy”configuration
configurationthat
thatisisdifficult
difficulttotofix
fix(without
(withoutfear
fear
complexity
complexitythat
thatinhibits
inhibitshuman
human of
of“breaking
“breakingsomething”)
something”)
understanding, security,
understanding, security, •• How
How––
automation,
automation,andandgovernance.
governance. Avoid
AvoidResource
Resourcespecific
specificpermissions
permissions–– Instead,
Instead,you
youshould
shoulduse
use
•• How
How––Evaluate
Evaluatethe
the Management
ManagementGroups
Groupsfor
forenterprise
enterprisewide
widepermissions
permissions
built-in
built-inroles
rolesdesigned
designedto tocover
cover Resource
Resourcegroups
groupsfor
forpermissions
permissionswithin
withinsubscriptions
subscriptions
most
mostcommon
commonscenarios.
scenarios.
Avoid
Avoiduser
userspecific
specificpermissions
permissions––Instead,
Instead,you
youshould
should
Custom
Customroles
rolesare
areaapowerful
powerfulandand Assign
Assignaccess
accessto
togroups
groupsin
inAzure
AzureAD.
AD.
sometimes
sometimesuseful
usefulcapability,
capability,but
but IfIfthere
thereisn’t
isn’tan
anappropriate
appropriategroup,
group,work
workwith
withthe
theidentity
identityteam
teamtotocreate
createone
one
they
theyshould
shouldbebereserved
reservedfor
forcases
cases This
Thisallows
allowsyouyoutotoadd
addand
andremove
removegroup
groupmembers
membersexternally
externallyto
toAzure
Azureand
andensure
ensurepermissions
permissionsare
are
when
whenbuilt
builtin
inroles
roleswon’t
won’twork
work current,
current, while also allowing the group to be used for other purposes such as mailinglists.
while also allowing the group to be used for other purposes such as mailing lists.
Admin – Account Lifecycle
GENERAL GUIDANCE

Automatic
Automatic deprovisioning
deprovisioning
Ensure
Ensure you
you have
have aa process
process for
for disabling
disabling oror deleting
deleting administrative
administrative accounts
accounts when
when admin
admin
personnel
personnel leave
leave the
the organization
organization (or
(or leave
leave administrative
administrative positions)
positions)
See
See also
also “Regularly
“Regularly Review
Review Critical
Critical Access”
Access” in
in Governance,
Governance, Risk,
Risk, and
and Compliance
Compliance section
section

Attack
Attack Simulation
Simulation
Regularly
Regularly test
test administrative
administrative users
users using
using current
current attack
attack techniques
techniques to to educate
educate and
and empower
empower
them.
them. You
You can
can use
use Office
Office 365
365 Attack
Attack Simulation
Simulation capabilities
capabilities or
or aa 33 rd party
rd
party offering
offering
https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator
https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator
 N

Network Security & Containment

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/network-security-containment
Azure Networking Services

Virtual Network  DDoS Protection

Virtual WAN Firewall

ExpressRoute Network Security Groups

VPN Web Application Firewall

DNS Virtual Network Endpoints

CDN
Network Watcher
Front Door
ExpressRoute Monitor
Traffic Manager
Azure Monitor
Application Gateway
Virtual Network TAP
Load Balancer
Network protection services

NSG

DDoS Web Application Azure Network Service Security

protection Firewall Firewall Security Groups Endpoints Appliances

DDOS
DDOS protection
protection Centralized
Centralized inbound
inbound Centralized
Centralized Distributed
Distributed inbound
inbound Restrict
Restrict access
access Leverage
Leverage your
your
tuned
tuned to your
to your web application
web application outbound
outbound and and and outbound
and outbound to
to Azure service
Azure service existing skillsets,
existing skillsets,
application
application protection
protection from
from inbound
inbound (non-
(non- network
network (L3-L4)
(L3-L4) resources
resources (PaaS)
(PaaS) processes,
processes, and
and
traffic
traffic patterns
patterns common exploits
common exploits HTTP/S)
HTTP/S) network
network and
and traffic
traffic filtering on
filtering on to only your
to only your licenses
licenses by adding
by adding
and
and vulnerabilities
vulnerabilities application
application VM,
VM, Container
Container Virtual
Virtual Network
Network technologies
technologies from
from
(L3-L7)
(L3-L7) filtering
filtering or
or subnet
subnet the Azure
the Azure
Marketplace
Marketplace

Application protection Segmentation And more…

 Physical vs. Software Defined Networking
Intercept points Controls on groups of assets

NSG

12

Internet

NSG NSG
4 5
Physical vs. Software Defined Networking
Intercept points Controls on groups of assets

Azure
Azure Firewall
Firewall

1
Public
Public IP
IP
Firewall
Virtual Network
2
Internet Subnet

NSG
Subnet

NSG NSG
Network
Network Security
Security Subnet Subnet
Group
Group (NSG)
(NSG)

6
Web App Firewalls

Azure
Azure Firewall
Firewall

1
Public
Public IP
IP
Firewall
Virtual Network
2
Internet Subnet

NSG
Subnet

Public
Public IP
IP

Web
Web Application
Application
Firewall
Firewall

NSG NSG
Network
Network Security
Security Subnet Subnet
Group (NSG)
Group (NSG)

6
Distributed Denial of Service (DDoS) protection
Basic Protection Built in + Available Advanced Protection

Azure
Azure Firewall
Firewall

1
Public
Public IP
IP
Firewall
Virtual Network
2
Internet Subnet

NSG
Subnet
DDoS
DDoS Protection
Protection
Public
Public IP
IP

Web
Web Application
Application
Firewall
Firewall

NSG NSG
Network
Network Security
Security Subnet Subnet
Group (NSG)
Group (NSG)

6
Connecting to On Premises Resources
ExpressRoute or VPN provides connectivity

Azure
Azure Firewall
Firewall

1
Public
Public IP
IP
Firewall
Virtual Network
2
Internet Subnet

NSG
Subnet
DDoS
DDoS Protection
Protection
Public
Public IP
IP

Web
Web Application
Application
Firewall
Firewall
NSG
Gateway Subnet
On Premises ExpressRoute
Network(s) ExpressRoute Gateway

NSG NSG
Network
Network Security
Security Subnet Subnet
Group (NSG)
Group (NSG)

6
Reference Configuration with Native Controls
Azure Firewall + Application Gateway with Web App Firewall (WAF)
Core Services

Core Services Subscription

Azure
Azure Firewall
Firewall

1
Public
Public IP
IP
Firewall
Virtual Network
2
Internet Subnet

NSG
Subnet
DDoS
DDoS Protection
Protection
Public
Public IP
IP

Web
Web Application
Application
Firewall
Firewall
NSG
Gateway Subnet
On Premises ExpressRoute
Network(s) ExpressRoute Gateway

NSG NSG
Network
Network Security
Security Subnet Subnet
Group (NSG)
Group (NSG)

6
Reference Configuration with Virtual Appliance(s)
Next Generation Firewall with Integrated WAF/Proxy
Core Services

Core Services Subscription

Public
Virtual Network
2
Internet Public IP
IP
DMZ DMZ
Popular Next Generation Firewalls outside N
I
C
NVA N
I
C
inside NSG
Subnet
available in Azure Marketplace Availability
set

DDoS
DDoS Protection
Protection
Load balancer enables scalability Load balancer
NSG
N
I
C
NVA N
I
C NSG

and availability
DDoS Protection Standard can be NSG
Gateway Subnet
applied to public IP addresses.
On Premises ExpressRoute
Network(s) Gateway
More Information online
ExpressRoute

https://docs.microsoft.com/en-us/azure
/architecture/reference-architectures/h Network
Network Security
Security
NSG
Subnet
NSG
Subnet
ybrid-networking/shared-services Group (NSG)
Group (NSG)

6
Reference Enterprise Design - Azure Network Security
Hybrid Cloud Infrastructure – Network Architecture

Microsoft Azure
3rd party IaaS On Premises Core Services Additional Segment(s)
Datacenter(s) Development
Shared Services Segment Segment(s) Stage Segments
Edge
Security Organization

Public
PublicIP
IP
Extranet Applications
DDoS Mitigation
Extrane

Load Balancer
(Optional)
t

Firewall
NSG Dev
NSG NSG

ExpressRoute
Gateway Gateway subnet NSG
ExpressRoute

VNET PEERING

Domain Controllers Management & Security

Test
Legend
NSG NSG
Intranet

Subscription
Enterprise Applications Others as needed
Virtual Network
Subnet
NSG NSG

NSG Network Security Group Application Prod

HUB – SHARED SERVICE VIRTUAL NETWORK SPOKE(S) - ALIGNED TO SEGMENT MODEL

 Network Visibility
Security
Security Information
Information and
and Event
Event Investigation
Investigation Workflow
Workflow Analytics
Analytics
Management
Management (SIEM)
(SIEM)

Azure
Azure Monitor
Monitor Network
Network Watcher
Watcher Virtual
Virtual Tap
Tap (Preview)
(Preview)
Log
Log Aggregation
Aggregation Advanced
Advanced Functions
Functions Raw
Raw Traffic
Traffic Access
Access

Virtual Network
2

NSG WAF Azure Firewall NSG Packet Capture

Diagnostic Logs Flow Logs (Point in Time)
Accessing Azure Services
Internet

Azure Network
(uses public IP address space)
Native PaaS Apps
(App Service Web App,
API, etc.)

Azure Tenant VM VM VM

ExpressRoute
ExpressRoute Gateway VM VM VM

IaaS App
On-premises​ Azure Services
Storage Account, Event
Hub, Database, etc.
App or
Component VM VM VM

VM VM VM
Networks & Containment – Enterprise Consistency
CRITICAL BEST PRACTICES

SEGMENTATION
SEGMENTATIONALIGNMENT
ALIGNMENT CENTRAL
CENTRALNETWORK
NETWORKMANAGEMENT
MANAGEMENT CENTRALIZED
CENTRALIZEDNETWORK
NETWORKSECURITY
SECURITY
•• What
What--Align
Alignnetwork
networkmodel
modelwith •• What
with
•• What What––Centralize
Centralizegovernance
governanceand
andof
of
overall segmentation
overall segmentation andand What––Centralize
Centralizemanagement
managementof
of network
networksecurity
securityelements
elementssuchsuchasas
administrative core
corenetwork
networkfunctions
functionslike
administrativemodel
model like Network
Networkvirtual
virtualappliances
appliancesfunctions
functions
ExpressRoute,
ExpressRoute, virtual networkand
virtual network and like ExpressRoute, virtual network
•• Why
Why––AAstraightforward
straightforwardunified
unified like ExpressRoute, virtual network
subnet provisioning, IP addressing,
subnet provisioning, IP addressing, and
security
security strategy leads to lesserrors
strategy leads to less errors and andsubnet
subnetprovisioning,
provisioning,IP IP
as it increases human understanding andrelated
relateditems.
items. addressing, etc.
addressing, etc.
as it increases human understanding
and •• How
How––Recommend
Recommendusing
usingan
anexisting
andautomation
automationreliability.
reliability. existing •• How
How––Recommend
Recommendusing usingan anexisting
existing
•• How on
onpremises
premisesprocess
processififapplicable.
applicable. on premises process if applicable.
How––Build
Buildyour
yourdesigns
designsbased
basedon
on This
on premises process if applicable.
the reference models in this guidance This is typically a centralnetworking
is typically a central networking This
Thisisistypically
typicallyaacentral
centralnetworking
networking
the reference models in this guidance group
group or a council of keystakeholder
or a council of key stakeholder group
group or a council of keystakeholder
or a council of key stakeholder
groups from business units.
groups from business units. groups from business units.
groups from business units.

ADMINISTRATIVE •• Why
Why––Inconsistent
Inconsistentstrategy
strategyand
andmanagement
managementof
ofthese
thesecore
corefunctions
functionscan
cancreate
create
significant
significantsecurity
securityrisks
risksthat
thatan
anattacker
attackercan
canexploit
exploit
NETWORK SECURITY
Networks and Containment
PRAGMATIC CONTAINMENT STRATEGY

Network
NetworkSecurity
SecurityGroups
Groups(NSGs)
(NSGs)for
forsubnets
subnets
•• What Use
UseNetwork
NetworkSecurity
SecurityGroups
Groupstotoprotect
protectagainst
againstunsolicited
unsolicitedtraffic
What––Build
Buildaarisk
riskcontainment
containmentstrategy
strategy traffic
that into Azure Subnets (replaces/supplements East-West traffic controls)
thatblends
blendsthe
thebest
bestavailable
availableapproaches
approaches into Azure Subnets (replaces/supplements East-West traffic controls)
•• Existing
Existingcontrols
controlsand
andpractices
practices
Choose
Choosehost-based
host-basedfirewall
firewallstrategy
strategy
•• Native
Nativecontrols
controlsavailable
availablein
inAzure
Azure Choose
Choosewhether
whethertotocontinue
continueexisting
existingpractices
practicesfor
forhost-based
host-based
•• Zero firewalls in Azure or discontinue their use.
Zerotrust
trustapproaches
approachesto
tocontinuous
continuous firewalls in Azure or discontinue their use.
validate
validate Zero
ZeroTrust
Trustapproach
approachforfornew
newmicro/segmentation
micro/segmentationinitiatives
initiatives
•• Why
Why––Containment
Containmentof
ofattack
attackvectors Adopt
vectors AdoptZero-trust
Zero-trustbased
basedapproaches
approachesfor fornew
newinitiatives
initiativesthat
thatvalidate
validate
within
withinananenvironment
environmentisiscritical,
critical,but
but trust at access time (instead of static network IP/Port controls)
trust at access time (instead of static network IP/Port controls)
traditional
traditional approaches aren’t enoughand
approaches aren’t enough and
must evolve. Consistency of controls 1. Conditional
1. ConditionalAccess
Accesstotoresources
resourcesbased
basedon
ondevice,
device,identity,
identity,
must evolve. Consistency of controls assurance, network location, and more. More
assurance, network location, and more. More Info Info
across
acrosson-premises
on-premisesand andcloud
cloud
infrastructure
infrastructureisisimportant,
important,but
butdefenses
defenses 2. Just
2. Justin
inTime
TimeManagement
ManagementPort
PortAccess
Access––
are using
usingAzure
AzureSecurity
SecurityCenter
Centertotoenable
enableaccess
accessonly
onlyafter
afterworkflow
workflow
are more effective and manageablewhen
more effective and manageable when
leveraging native azure security controls, approval
approval
leveraging native azure security controls,
dynamic
dynamic(just
(justinintime)
time)approaches,
approaches,and and 3. Just
3. Justin
inTime
TimeAdministrative
AdministrativePrivileges
Privileges––using
usingAzure
AzureADADPIM
PIM
integrated
integrated identity/password controls(e.g.
identity/password controls (e.g. or
oraa33rdparty
rd
partyPIM/PAM
PIM/PAMsolution
solution
zero
zerotrust
trust//continuous
continuousvalidation)
validation) 4. Just
4. Justin
inTime
TimeLocal
LocalAdmin
AdminAccount
AccountAccess
Access––using
using
Local Admin Password Solution (LAPS) or a 3 rdparty PIM/PAM
rd
Local Admin Password Solution (LAPS) or a 3 party PIM/PAM
solution
solution
Networks and Containment
CRITICAL BEST PRACTICES

INTERNET
INTERNETEDGE
EDGESTRATEGY
STRATEGY

•• What
What––Choose
Choosewhether
whetherto
touse
useNative
Native
Azure
AzureControls
Controlsor
or33rdparty
rd
partyNetwork
Network
Virtual
VirtualAppliances
Appliances(NVAs)
(NVAs)forforinternet
internet AZURE
AZURENATIVE
NATIVECONTROLS
CONTROLS 33RD
RDPARTY CAPABILITIES
PARTY CAPABILITIES
edge security (North-South)
edge security (North-South)
Basic
Basiccapabilities
capabilitieswith
withsimple
simple Advanced
Advancedsecurity
securitycapabilities
capabilities
•• Why
Why––Legacy
Legacyworkloads
workloadsrequire
require integration & management
integration & management from existing vendors
from existing vendors
network
networkprotection
protectionfromfrominternet
internet
sources
sources and there are advantagesto
and there are advantages to
using either 1 stor 3 rdparty controls to
st rd
using either 1 or 3 party controls to Azure
AzureFirewall
Firewall++Web WebApp AppFirewall
Firewall Next
NextGeneration
GenerationFirewall
Firewall(NGFW)
(NGFW)
provide
providethis.
this. (in Application Gateway)
(in Application Gateway) and other 3 rdparty offerings
rd
and other 3 party offerings
•• How
How––Select
Selectaastrategy
strategyusing
usingthe
the These
Theseoffer
offerbasic
basicsecurity
securitythat
thatisisgood
good Network
Networkvirtual
virtualappliances
appliancesin inthe
the
comparison
comparisoninformation
information
 enough
enough for some scenarios with afully
for some scenarios with a fully Azure Marketplace include familiar
Azure Marketplace include familiar
stateful firewall as a service, built-in
stateful firewall as a service, built-in security
securitytools
toolsthat
thatprovide
provideenhanced
enhanced
Note
Note––Some
Someorganizations
organizationschoose
chooseaahybrid
hybrid
configuration where some VNets use
high
highavailability,
availability,unrestricted
unrestrictedcloud
cloud network security capabilities
network security capabilities
configuration where some VNets use
scalability,
scalability,FQDN
FQDNfiltering,
filtering,support
supportforfor Configuration
advanced
advanced33rdparty
partycontrols
controlsand
andothers
othersuse Configurationisismore
morecomplex,
complex,but
rd
use
OWASP core rule sets, and simple but
native
nativecontrols
controls OWASP core rule sets, and simple allows you to leverage existing
setup allows you to leverage existing
setupand
andconfiguration
configuration capabilities,
capabilities,and
andskillets
skillets
Networks
CRITICAL CHOICE

EXPRESSROUTE
EXPRESSROUTETERMINATION
TERMINATION

•• What
What––Identify
Identifywhere
whereto toterminate
terminateExpressRoute
ExpressRoute
private
privatepeering
peering(or (orSite
SitetotoSite
SiteVPN)
VPN)ininexisting
existing(on-
(on-
premises) network
premises) network
•• Why
Why––TheThetermination
terminationpoint
pointcan
canaffect
affectfirewall
firewallcapacity,
capacity,
scalability, reliability, and network traffic visibility
scalability, reliability, and network traffic visibility
•• How
How––
•• Terminate
Terminateoutside
outsidethe thefirewall
firewall(DMZ
(DMZParadigm)
Paradigm)IfIf
you
yourequire
requirevisibility
visibilityinto
intothe
thetraffic,
traffic,continue
continuean an
existing
existingpractice
practiceof
ofisolating
isolatingdatacenters,
datacenters,or orififyou
youare
are
solely putting extranet resources on
solely putting extranet resources on Azure.Azure.
https://docs.microsoft.com/en-us/azure/expressroute/
•• Terminate
Terminateinside
insidethethefirewall
firewall(Network
(NetworkExtension
Extension expressroute-introduction
Paradigm
Paradigm--Default
DefaultRecommendation)
Recommendation)In Inall
allother
other
cases, recommend treating Azure as a N thdatacenter
th
cases, recommend treating Azure as a N datacenter
Network – Deprecating Legacy Technology
CRITICAL CHOICES

CLASSIC
CLASSICNETWORK
NETWORKINTRUSION
INTRUSION NETWORK
NETWORKDATA
DATA
DETECTION/PREVENTION
DETECTION/PREVENTIONSYSTEMS
SYSTEMS LOSS
LOSSPREVENTION
PREVENTION(DLP)
(DLP)
(NIDS/NIPS)
(NIDS/NIPS)
•• What
What––Choose
Choosewhether
whetherto
toadd
addNetwork
NetworkDLP
DLP
•• What
What––Choose
Choosewhether
whetherto
toadd
addexisting
existingNIDS/NIPS
NIDS/NIPS capabilities
capabilitieson
onAzure
Azure
capabilities
capabilitieson
onAzure
Azure •• Why
Why––Network
NetworkDLP
DLPisisincreasingly
increasinglyineffective
ineffectiveat
at
•• Why
Why––The
TheAzure
Azureplatform
platformalready
alreadyfilters
filtersmalformed
malformed identifying
identifyingboth
bothinadvertent
inadvertentand
anddeliberate
deliberatedata
data
packets
packetsand
andmost
mostclassic
classicNIDS/NIPS
NIDS/NIPSsolutions
solutionsare
are loss.
loss. This is because most modern protocolsand
This is because most modern protocols and
typically based on outdated signature-based
typically based on outdated signature-based most attackers use encryption (most available
most attackers use encryption (most available
approaches
approacheswhich
whichare
areeasily
easilyevaded
evadedbybyattackers
attackersand
and attacker
attackertoolkits
toolkitshave
haveencryption
encryptionbuilt
builtin)
in)
typically produce high rate of false positives.
typically produce high rate of false positives. •• How
How––
•• How
How–– • • Do Not Add (Default Recommendation)
Do Not Add (Default Recommendation)
• • Do Not Add (Default Recommendation) • • Add to Azure tenant
Do Not Add (Default Recommendation) Add to Azure tenant
• • Add to Azure tenant
Add to Azure tenant
Networks and Containment – Subnet & NSG Design

DESIGN
DESIGNVIRTUAL
VIRTUALNETWORKS
NETWORKS&
& APPLICATION
APPLICATIONSECURITY
SECURITY AVOID
AVOIDFULLY
FULLYOPEN
OPENALLOW
ALLOW
SUBNETS
SUBNETSFOR
FORGROWTH
GROWTH GROUPS
GROUPS(ASGS)
(ASGS) RULES
RULES

•• What
What––Avoid
Avoidprovisioning
provisioningsmall
small •• What
What––Simplify
SimplifyNSG
NSGrule
rule •• What
What––Don’t
Don’tassign
assignallow
allowrules
ruleswith
with
virtual
virtualnetworks
networksand
andsubnets
subnets management
managementby bydefining
definingapplication
application extremely
extremelybroad
broadranges
ranges(e.g.
(e.g.allow
allow
security groups (ASGs)
security groups (ASGs) 0.0.0.0 -255.255.255.255)
0.0.0.0 -255.255.255.255)
•• Why
Why––Most
Mostorganizations
organizationsadd
addmore
more
resources
resourcesthan
thaninitially
initiallyplanned
plannedon on •• Why
Why––While
Whiletheir
theiruse
useisisnot
not
•• Why
Why––These
Theselead
leadto
toaafalse
falsesense
senseof
of
top of VNets and subnets, triggering
top of VNets and subnets, triggering required,
required,defining
definingASGs
ASGsallow
allowyou
youto
to security
securityand
andare
arefrequently
frequentlyfound
foundand
and
aalabor-intensive
labor-intensivere-allocation
re-allocationof of simplify setup and maintenance of
simplify setup and maintenance of exploited by red teams.
exploited by red teams.
addresses. There is limited security
addresses. There is limited security NSG
NSGrules.
rules. •• How
How––Ensure
Ensureyour
yourtroubleshooting
troubleshooting
value
valueininsmall
smallsubnet
subnetsize
size++increased
increased •• How
How––Define
Definean
anASG
ASGfor
forlists
listsof
ofIP
IP procedures
proceduresdiscourage
discourageor orban
banthese
these
overhead to map an NSG to
overhead to map an NSG to each. each.
addresses
addressesthat
thatyou
youexpect
expectmay
may “fully open” allow rules
“fully open” allow rules
•• How
How––Define
Definesubnets
subnetsbroadly
broadlyto
to • • Change in the future
Change in the future Discover
Discoverthese
theseissues
issueswith
withNetwork
Network
ensure
ensurethat
thatyou
youhave
haveflexibility
flexibilityfor
for
• • Be used across many NSGs Security
Security Watcher and correctthem
Watcher and correct them
growth. A rule of thumb is to assume
growth. A rule of thumb is to assume Be used across many NSGs
you
youwill
willmigrate
migrateall
allenterprise
enterprise Ensure
https://docs.microsoft.com/en-us/azure/ne
https://docs.microsoft.com/en-us/azure/ne
resources Ensureto
toname
namethem
themclearly
clearlyfor
for twork-watcher/network-watcher-nsg-auditi
twork-watcher/network-watcher-nsg-auditi
resources to Azure asan
to Azure as anend
endstate.
state. others to understand their
others to understand their ng-powershell
ng-powershell
content/purpose.
content/purpose.
Networks and Containment – DDoS Mitigations
GENERAL GUIDANCE

DDOS
DDOSMITIGATIONS
MITIGATIONS

•• What
What––Enable
EnableDDoS
DDoSMitigations
Mitigationsforfor
all business-critical web applications,
all business-critical web applications,
and
andservices
services
•• Why
Why––DDoS
DDoSattacks
attacksare
areprevalent
prevalent
and
andare
arevery
veryinexpensive
inexpensiveto toaccess
accessonon
the dark markets
the dark markets
•• How
How––Evaluate
Evaluateand
andselect
selectthe
thebest
best
option for protecting your critical
option for protecting your critical
applications
applicationsand
andservices
services
• • Azure
AzureDDoS
DDoSbasic
basic
• • Azure
AzureDDoS
DDoSstandard
standard
• • 33rdrdparty
partyservice
service
Networks and Containment – Egress/Ingress
GENERAL GUIDANCE

NETWORK
NETWORKINGRESS/EGRESS
INGRESS/EGRESSSECURITY
SECURITY
•• What
What––Choose
Choosewhether
whetherto toroute
routeAzure
Azure
ingress/egress traffic through on-premises
ingress/egress traffic through on-premises
network
networkedge
edgesecurity
securityor orvia
viasecurity
securityhosted
hostedon
on
Azure
Azure
•• Why
Why––Routing
Routingallallinternet
internettraffic
trafficfor
forAzure
Azure
through
through on-premises ingress/egress pointscan
on-premises ingress/egress points can
add
addsignificant
significantcost
costandandlatency
latencyat atscale.
scale.
•• How
How––Choose
Choose
Direct
DirectInternet
Internet(Default
(Defaultrecommendation)
recommendation)-- On Premises Azure
Route
Routetraffic
trafficdirectly
directlyto
tointernet
internetusing
usingAzure
Azure
hosted network edge security.
hosted network edge security.
Traffic hairpin approach fits a Datacenter Expansion paradigm and works
“Hairpin”
“Hairpin”(Not
(Notrecommended)
recommended)--RouteRouteall
all well for a quick proof of concept, but scales poorly because of the increased
traffic
trafficthrough
throughexisting
existingnetwork
networkedge
edgesecurity
security traffic load/latency and cost.
on premises. with forced tunneling
on premises. with forced tunneling onon
Azure Direct Internet approach fits a Nth Datacenter paradigm and scales much
AzureExpressRoute
ExpressRouteororSite-to-Site
Site-to-SiteVPN
VPN better for an enterprise deployment as it removes unnecessary hops.
Network – Advanced Visibility BEST PRACTICE CHOICE

GENERAL GUIDANCE

Network
NetworkLogs
Logs
As
As required,integrate
required, integratenetwork
networklogs
logsinto
intoSIEM
SIEM//analytics
analyticsplatform
platformusing
usingAzure
AzureMonitor
Monitor
•• NSG
NSGLogs
Logs
•• WAF Logs
WAF Logs
•• Azure
AzureFirewall
FirewallLogs
Logs

NSG
NSGFlow
FlowLogs
Logs
IfIfyou
you do thistoday,
do this today,Integrate
IntegrateNSG
NSGflow
flowlogs
logsand
andpacket
packetcapture
capture(via
(viaNetwork
NetworkWatcher)
Watcher)into
intoyour
yourinvestigation
investigationworkflow
workflow

Virtual
VirtualTAP
TAP
IfIfrequired,
required,integrate
integratevirtual
virtualTAP
TAPinto
intoexisting
existingnetwork
networkmonitoring
monitoringprogram/analytics
program/analyticscapability
capability
 N

Information Protection
& Storage

Architecture guidance on this topic can be found at

https://docs.microsoft.com/en-us/azure/architecture/security/storage-data-encryption
Azure Storage
REST REST REST REST SMB 3.1

Azure Cloud Storage:

• Object based, durable, massively scalable storage Blob/Disk
Blob/Disk Table
Table Queue
Queue File
FileShare
Share
• Designed from ground up by Microsoft Endpoint
Endpoint Endpoint
Endpoint Endpoint
Endpoint Endpoint
Endpoint
• Presents as Blobs, Disks, Tables, Queues and Files
• Accessed via REST APIs, Client Libraries and Tools
Massive
MassiveScale
ScaleOut
Out&&Auto
AutoLoad
LoadBalancing
BalancingIndex
IndexLayer
Layer
Access Control
• Azure Active Directory (Azure AD)
• Symmetric Shared Key Authentication Distributed
DistributedReplication
ReplicationLayer
Layer
• Shared Access Signature (SAS)

Notable Security Attributes

• All data is encrypted by the service
• No read without write (mitigate cross-tenant data leaks) More
MoreInformation
Information
• Maintains 3 Synchronous copies of data
• Virtual storage, not dedicated disks Storage System
Azure Storage
• Detailed activity logging availability (Opt in) Design and Arc Managed Disks
hitecture:
• Data will remain only in the region you choose
Azure Storage Firewalls
Configured on each Storage Account
(prompt during creation) Enterprise
Network
Other network
traffic
 Controls network access using ACLs
Internet
 Enforced on all network protocols
 If not configured, all networks
can access

Authentication is still required

Firewall
to access storage (Azure AD, SAS
tokens, etc.) Subnet
Storage Access Control
Virtual
Access by Azure Services Network

must be configured to allow

connection (checkbox)
 VM Access to VM Disks not Storage

affected by storage firewall

Account
Microsoft
 https://docs.microsoft.com/en-us/a Azure
zure/storage/common/storage-net
work-security
Advanced Threat Protection for Azure Storage
 Alerts on anomalous access
& potential data exfiltration
 Investigation & remediation guidance

 Alerts in Azure Security Center

Attacker
(2) Possible threat to
access / breach data
User

Apps Azure Storage

Diagnostic Advanced
Log Threat Protection
https://docs.microsoft.com/en-us/azure Developer
/storage/common/storage-advanced-t (1) Turn on Advanced
hreat-protection Threat Protection
(3) Real-time actionable
alerts
 Encryption
Encryption
Azure Data Encryption isisnot
notaa
panacea
panacea

Layers (and why each is important)

Encryption Technologies
Encrypt
EncryptDocuments
Documentsand
andunstructured
unstructureddata
data
•• Regulatory
Regulatoryrequirements
requirements
• Azure Information Protection (AIP) or 3rd party solutions
•• Data
DataLeakage
Leakage(malicious
(maliciousor
orinadvertent)
inadvertent)

Application
ApplicationLayer
LayerEncryption
Encryption
• BYO Encryption - .NET Libraries, client-side encryption, etc.
•• Meet
Meetregulatory
regulatoryrequirements
requirements
•• Mitigate
Mitigateagainst
againstattacks
attackson
oncloud
cloudprovider/infrastructure
provider/infrastructure
• SQL Transparent Data Encryption, Always Encrypted>
Azure
AzureService
ServiceEncryption
Encryption • HDInsight Encryption
•• Same
Sameasasapplication
applicationlayer
layer • Azure Backup Encrypted at Rest, Encrypted VM support
•• Near
Near zero managementeffort
zero management effort(for
(forMicrosoft
Microsoftmanaged
managedkey)
key)
• Azure Disk Encryption - <BitLocker [Windows], DM-Crypt
Virtual
VirtualMachine
Machine//Operating
OperatingSystems
Systems [Linux]>
• Partner Volume Encryption – <CloudLink® SecureVM,
•• Mitigate
Mitigateagainst
againstloss/leakage
loss/leakageof
ofVM
VMDisks
Disksfrom
fromstorage
storageaccount
account Vormetric, etc.>
• BYO Encryption – <Customer provided>
Storage
StorageSystem
System
•• Mitigate • Azure Storage Service Encryption (server side
Mitigateagainst
againstattacks
attackson
oncloud
cloudprovider/infrastructure
provider/infrastructure
•• On encryption) <AES-256, Block, Append, and page Blobs>
Onbybydefault
defaultand
andunable
unableto
todisable
disable
Storage and Encryption BEST PRACTICE CHOICE

CRITICAL GUIDANCE

USE
USEAZURE
AZUREAD
ADFOR
FORSTORAGE
STORAGEAUTH
AUTH ENABLE
ENABLEVM
VMDISK
DISKENCRYPTION
ENCRYPTION ENABLE
ENABLEENCRYPTION
ENCRYPTIONIN
INAZURE
AZURE
AND CLOUD SERVICES
AND CLOUD SERVICES
•• What
What––Use
UseAzure
AzureAD
ADfor for •• What
What––Enable
Enabledisk
diskencryption
encryptionon on
authenticating
authenticating access tostorage
access to storage all IaaS VMs
all IaaS VMs •• What
What––Enable
Enablebuilt
builtin
inencryption
encryption
unless
unlessanother
anothermethod
methodisis •• Why features
featuresfor
foranyanyAzure
Azureservices
servicesas
as
required Why––ThisThisprovides
providesmitigation
mitigation
requiredand
andthere
thereisisno
noother
otheroption well as 3 rdparty services you call
rd
option against
against data leakage fromaaVM
data leakage from VMdisk
disk well as 3 party services you call
•• Why from
fromAzure
Azureapplications.
applications.
Why––Azure
AzureADADprovides
providesflexible
flexible being
beingdownloaded
downloadeddirectly
directlyfrom
from
role-based access control while
role-based access control while storage (because of configuration
storage (because of configuration •• Why
Why––Typically
Typicallynearnearzero
zero
providing
providingaccountability
accountability error,
error,etc.)
etc.) overhead for using integrated
overhead for using integrated
•• How encryption
encryptionfeatures
features
How––Configure
ConfigureStorage
Storageobjects
objectstoto •• How
How––Configure
Configuredisk
diskencryption
encryptiononon
use Azure AD Authentication
use Azure AD Authentication all Windows and Linux
all Windows and Linux VMsVMs •• How
How––SeeSeethethetable
tableininthe
thelink
linkbelow
below
https://docs.microsoft.com/en-us/azu https://docs.microsoft.com/en-us/azu for which services offer encryption:
for which services offer encryption:
https://docs.microsoft.com/en-us/azu https://docs.microsoft.com/en-us/azu
re/storage/common/storage-auth-aa
re/storage/common/storage-auth-aa re/security/azure-security-disk-encryp
re/security/azure-security-disk-encryp https://docs.microsoft.com/en-us/azu
https://docs.microsoft.com/en-us/azu
dd tion-overview
tion-overview re/security/azure-security-encryption-
re/security/azure-security-encryption-
atrest
atrest
Azure Security Center - Remediation
Microsoft and CIS Partnership

Goal
Simplify and drive consistency in our
customers’ efforts to securely deploy
workloads to Azure

Benefits
CIS brings independence and
consensus driven approach
Benchmarks informed by Microsoft’s
experience & best practices
What are CIS Benchmarks?

Consensus Based Best Practices

Over 100 benchmarks covering
14 technology groups
Examples:
 Ensure Multi-factor Auth is Enabled

 Ensure SSH access is restricted

 Ensure that 'Data disks' are encrypted

https://azure.microsoft.com/en-us/resources/cis-
microsoft-azure-foundations-security-benchmark/
What's inside a CIS benchmark?

What it applies to…

What to do…
Why to do it…
How to audit…

How to fix…
Summary of CIS Controls v1.0 MAIN
MENU

Section Recommendations Control Count

Identity & Access Mgmt. Setting the appropriate IAM policies 23

Azure Security Center Configuration and use of Azure Security Center 19

Storage Accounts Setting storage account policies 7

Azure SQL Services Securing Azure SQL Servers 8

Azure SQL Databases Securing Azure SQL Databases 8

Logging/Monitoring Setting logging & monitoring policies on Azure subscriptions 13

Networking Securely configuring Azure networking settings and policies 5

Virtual Machines Setting security policies for Azure compute services, specifically virtual machines 6

General security and operational controls, including those related to Azure Key
Other 3
Vault and Resource Locks

Total Recommendations 92