We've already reviewed 7 of the 13 security controls we're working through, as we discuss how to effectively use them within Microsoft Azure. We'll review the remaining 6 in this blog post.Remember, these 7 key security principles align with ISO 27001 controls. Of the 14 total ISO 27001 groups/control objectives and 114 controls, these key principles have the most relevance to secure development and operations.
These security principles are designed to make cloud-based solutions more resilient to attack by decreasing the amount of time needed to prevent, detect, contain, and respond to real and potential internet-based security threats. As we already know, the result is the increased security of related services.
Log Security Events, Implement Monitoring, and Visualize Capabilities
In a not-so-distant blogpost, we learned how Azure Monitor maximizes the availability and performance of your applications by:
- Delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments
- Helping you understand how your applications are performing while proactively identifying issues affecting them and the resources they depend on
A log is a record of the events occurring within an organization's systems and networks. Logs are composed of log entries. Each entry contains information related to a specific event that has occurred within a system or network. A forensic analysis uses a security and audit solution to find evidence that potentially malicious users leave behind. Regardless of what hackers do in their IT environment, many of their activities generate security artifacts. Evidence of and about their use is stored in event logs.
Azure Security Center provides one location to help prevent, detect, and respond to threats, with increased visibility into and control over Azure resources. It also provides DevOps a quick and effective (not dirty) means to protect Azure resources when deploying them, as well as the ability to alert and analyze security events at a glance.
- Enforce the right settings to ensure that Azure instances are collecting the correct security and audit logs.
- Store service data in a separate storage account, apart from security log data. This isolation ensures that saving security log data does not affect the storage performance for production service data.
- Monitor Azure data factories using Data Factory .NET SDK.
- Protect and audit log files in VMs running in Azure IaaS using Windows ACLs.
Determine the Root Cause of Incidents
Root Cause Analysis (RCA) is a structured and facilitated team process used to identify root causes of an event that led to an undesired result. The outcome of this exercise is a set of corrective actions that can be driven back into policy.
The RCA process provides a way to identify breakdowns in processes and systems that contributed to the event, and how to prevent future incidences. The purpose of RCA is to find out what happened, why it happened, and what changes need to be made as a result.
Organizations need to be prepared to investigate a breach and provide an RCA explaining what happened. In other words, they need to thoroughly document the breach, including how it happened and, specifically, what has been done to address the security issue so the breach never happens again.
- Monitor high-risk Windows/Linux events within VMs running in Azure IaaS for better RCA.
- Establish aggressive audit policies within VMs running in Azure IaaS.
- Adhere to and understand best practices for forensic analysis, security breach pattern investigations, and audit scenarios (Keep an eye out for an upcoming blog post on this topic).
- Use the Azure Security Center to conduct security investigations for a suspicious executable.
Train All Staff in Cybersecurity
If a development team does not understand the basics of secure design and development or the risk of running web-based solutions and services, security training is imperative and should be completed before any Azure-based application is designed, built, tested, or deployed.
All members of the operations and development teams should be informed about security basics and recent trends in security and privacy.
Patch All Systems and Ensure Security Updates are Deployed
It's important to enable Windows Update or use Windows Server Update Services, as they provide recommendations regarding the upgrading of systems and ensure they are all always up-to-date. You should also update all third-party applications and use their patching capabilities whenever possible.
Be sure to follow the Security Development Lifecycle (SDL) recommendations to build more secure software and address security compliance requirements, while reducing development cost. Last but not least, use the Azure Security Center to report on the status of updates applied to infrastructure.
Keep Service and Server Inventory Current and Up-to-Date
Service and server inventory is about knowing what subscriptions, domains, services, networks, and hosts are owned and managed. Keeping track of services and mitigating the risks that come with them is key for secure operations. It's very important to have an understanding of and be able to prioritize the data being protected, by implementing a data classification effort. Let's look more into data classification.
Data classification provides one of the most basic ways for organizations to determine and assign relative values to the data they possess. The process of data classification allows organizations to categorize their stored data by sensitivity and business impact, in order to determine the risks associated with the data.
After the process is complete, organizations can manage their data in ways that reflect its value, instead of treating all data the same. Data classification is a conscious, thoughtful approach that enables organizations to realize optimization may not be possible when all data is assigned the same value.
- Establish information classification.
- Identify data flows between integrated systems.
- Maintain documentation to reflect changes in inventory.
- Run network discovery to help identify hosts and networks in the organization's IP range.
Maintain Clear Server Configuration with Security in Mind
Server misconfiguration is one of the most common causes of unauthorized users accessing and compromising the host. Because of the potentially complex security configuration requirements, it is essential to use a master server image that has security measures in place.
Azure provides customers a marketplace with a gallery of servers that have been configured with security in mind.
However, the use of servers in the marketplace requires attention when organizations need custom security modifications, while preventing security configuration drift.
If a customer VM image is created, it's essential that the VMs have a standard set of baselines applied to them.
The Microsoft Security Compliance Manager (SCM) provides a means to create that standard baseline and deploy it to existing servers. It also helps with the creation of a master (or gold) image which enables security capabilities.
The Microsoft Baselines Configuration Analyzer (MBCA) identifies and maintains optimal system configuration by analyzing configurations of computers against a predefined set of baselines. It then shares the results of the analysis.
- Protect domain and local administrative accounts with strong passwords and multi-factor authentication.
- Allow RDP connections only from specific IPs by enabling "Azure MFA White Listing" on administrative computers.
- Configure auditing events, monitor failed log-on attempts, and block the IPs.
- Test deployments using the Azure Best Practices Analyzer (BPA) from Azure Pack. It identifies many configuration, security, and performance issues. It also recommends best practices to resolve them. Run the BPA and take appropriate action to fix the security issues reported.
Cloud computing offers tremendous opportunities to enable increased quality and greater access to services, all at a lower cost. When organizations consider moving a portion of their infrastructure to Azure, they must evaluate their overall privacy, security, and regulatory compliance posture.
These controls provide a way to approach such a migration with the use of an international standard, understanding compliance requirements, and the principle of shared responsibilities.
Take your Cloud capabilities to the next level with Mbong Ekwoge's Cloud Application Architecture Course