As architects, it's our responsibility to help customers understand how to protect their data and environmental infrastructure after their service has been provisioned. This includes applications, data content, virtual machines, access credentials, and compliance issue requirements.This blog post provides insight on how you can use 13 security principles to address critical security and compliance controls. It also demonstrates how these controls can fast track an organization's ability to meet its compliance obligations, using cloud-based services.
As we work through these 13 principles, keep in mind that they are designed around best practices concerning ISO 27001, the Microsoft Security Development Lifecycle (SDL), and operational security for Microsoft online services.
Different cloud service models affect how responsibilities are shared between cloud service providers (CSPs) and customers.
- On-Premises - The customer is completely responsible for all aspects of operations when solutions are deployed.
- IaaS - The lower levels of the stack (physical hosts or servers) and host security are managed by the platform vendor. The customer is still responsible for securing and managing the operating system, network configuration, applications, identity, clients, and data. IaaS reduces the developer requirement to configure physical computers. This is an obvious benefit for developers.
- PaaS - Everything, from network connectivity through the runtime or identity service, may be provided and managed by the platform vendor.
- SaaS - A vendor provides the application and abstracts customers from all underlying components. Nonetheless, the customer continues to be responsible for ensuring that data is classified correctly, and that user devices are secured and protected when connected to the service.
Considerations for Meeting Compliance Requirements
This foundation for establishing an information security management system (ISMS) is rooted in ISO.
After such a system is set and the key best practices are established, the focus of the ISMS incorporates three key areas:
- Governance and compliance considerations
- Adopting secure development processes
- Establishing secure operations principles
The intention is to ensure that standard security development and operations best practices are incorporated from the beginning of a cloud project. It's also important that key activities are communicated effectively with all the interested parties in the context appropriate for their roles.
Establishing an ISMS Aligned to ISO 27001
In order to establish an ISMS aligned to ISO 27001, it's important to also establish standard operating procedures to make that alignment possible.
There are many compliance regulations that must be considered. Compliance regulations such as SOC, PCI, and EU DPD must all have clearly defined physical, technical, and administrative controls aligned to ISO 27001.
The tools necessary to accomplish this solution design are:
- Adopt data governance practices aligned to ISO 27001
- Security Development Lifecycle aligned to ISO 27001
- Operational security for Microsoft online services, aligned to ISO 27001 and NIST
- 13 key principles for designing and securing solutions for Azure (presented in this blog with additional recommendations) aligned to ISO 27001
For organizations that deal with sensitive information, the ratified ISO 27018 (an extension of the ISO 27001 standard) governs the processing of personally identifiable information (PII) by cloud service providers acting as PII processors. ISO 27018 details controls that address protecting PII in public cloud services.
By comparison, ISO 27002 is a complementary collection of 114 controls and best practice guidelines designed to meet the requirements detailed in ISO 27001. The controls are organized into 14 groups (objectives). When properly implemented, they can help an organization achieve and maintain information security compliance by addressing specific issues identified during formal, periodic risk assessments.
The 14 Groups of ISO 27001
- Information security policies
- Organization of information security
- Human Resource security
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition
- Development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
Key Principles and Recommendations for Secure Development Operations
Security Development Lifecycle (SDL)
Enable Identity and Authentication Solutions
Identity management remains a priority, even as business networks change. It helps systems control the amount and type of data that users can access.
A well-implemented solution ensures that users who are performing necessary functions are doing so at the appropriate privilege level. Maintaining separation of roles and duties is critical and may be required for specific regulatory and compliance standards.
- Identities should be kept up-to-date and managed for changes, additions, and removals. Ensure that only qualified individuals are made administrators. Consider creating a unique user group to manage and log identities. Store customer identities in custom repositories, such as Azure Active Directory.
- Connections between services should be implemented through a virtual private network. Azure supports both site-to-site or point-to-point VPN connectivity. Additional services, such as ExpressRoute, can also be implemented.
- Grant appropriate access to Azure AD users, groups, and services by assigning roles to them using Azure AD RBAC.
- Lessen risks by monitoring admins using Azure AD Privileged Identity Management. A compromised user account with privileged access could affect overall cloud security.
- Enable on-demand, "just in time" administrative access to directory services.
- Ensure that permissions to sensitive data follow the least privilege principle and grant access for only the minimum necessary time needed for each role.
Authentication is essential for managing user identities. It is the process of proving identity, typically through credentials such as a username or password.
- Enable multi-factor authentication functionality for both cloud and on-premises applications.
- Establish strong password policies to manage accounts stored in Azure AD.
- If your corporate account has become compromised or if a device that has cached credentials is lost or stolen, suspend MFA for remembered devices and browsers.
- Set up Azure Conditional Access fo SaaS applications, which allows the configuration of per-application multi-factor authentication access rules.
- Configure app passwords for non-browser clients.
Information Security Management System (ISMS)
Use Appropriate Controls
Comprehensive access control strategies need to be in place, especially considering the fact that corporate employees expect to work from any location, on devices of their choice, and to seamlessly connect and access business applications.
RBAC features can be used to restrict access and permissions for specific cloud resources. To help detect suspicious access, AAD offers reports that provide alerts about anomalous activity, such as a user logging in from an unknown device.
- Secure inbound internet communications to services using SSL.
- Register corporate devices to AAD.
- Set up Azure Conditional Access fo SaaS applications, which allows the configuration of per-application multi-factor authentication access rules.
- Communication between on-premises hosts and cloud services should be authenticated, authorized, and encrypted using virtual site-to-site or point-to-site VPNs.
International Organization for Standardization (ISO)
Use an Industry-Recommended, Enterprise-Wide Anti-Malware Solution
Malware (malicious code, malicious software), refers to programs that are inserted into a system, usually covertly, with the intent of compromising the victim's data, applications, or operating system.
Microsoft Antimalware for Azure is a security solution that extends anti-malware protection to virtual machines and cloud services. It supports a fully centrally managed solution that includes real-time scanning for incoming files, automatic checks for updated signature files and software updates, and alerts to the Microsoft Operations Center (MOC) of detected malicious code.
Microsoft also employs intrusion detection, distributed denial of service (DDoS) attack prevention, regular penetration testing, data analytics, and machine learning tools to help mitigate threats to the Azure platform.
Azure offers three options for antivirus/anti-malware solutions for Azure VMs:
- Symantec Endpoint protection
- Trend Micro Deep Security as a Service
- Microsoft Antimalware solution
- Use the Azure Security Center to manage and deploy anti-malware applications and its pertinent updates.
- Deploy anti-malware solutions on Azure VMs.
- Use Azure Security Center to help deploy and monitor anti-malware solutions on IaaS and Pass VMs.
- Establish and maintain general malware awareness programs for all users, as well as specific awareness training for the IT staff directly involved in activities that relate to malware protection.
Cloud Service Provider (CSP)
Effective Certificate Acquisition and Management
A certificate is a form of identification for websites and web applications that is used to verify authenticity. Websites rely on TLS and SSL to encrypt communications. Configuring TLS or SSL securely for an application requires a TLS or SSL certificate. Self-signed certificates can be acceptable in some restricted cases. However, a signed and authorized certificate that is issued by a certification authority (CA) or a trusted third-party who issues certificates for this purpose, is recommended.
Azure uses certificates in several ways. There are RDP connections to Windows VMs as well as point-to-site and site-to-site VPNs into Azure resources, which require certificates for authentication and encryption. Other examples include:
Management Certificates - Stored at the subscription level, these certificates are used to enable the use of SDK tools, the Windows Azure Tools for Microsoft Visual Studio, or the Service Management REST API Reference.
Service Certificates - Stored at the cloud service level, these certificates are used by deployed services.
SSH Keys - Stored on the Linux VM, SSH keys are used to authenticate remote connections to the VM.
- Certificates used in production systems should be acquired from one of the reputable certification authorities (CAs).
- Certificates need to be configured with traceable information, including designated contacts, from a limited set of authorized users.
- Self-signed certificates, as well as general certificates, should not be shared with or reused on systems that have a different application context.
- It is essential that certificates are treated as highly valued assets.
- Track expiration dates of certificated and keys. Because certificates and keys expire by design, it is important to be aware of expiration dates and take appropriate action prior to expiration. As a result, applications that use them can continue to function properly without interruption.
- Avoid embedded IDs and secrets into applications.
- Secure keys by protecting them in Key Vault. Key Vault encrypts keys and small points of sensitive data (such as passwords) with keys stored in hardware security modules (HSM). To learn more about key management and Key Vaults, read my previous blog post.
System and Organization Controls (SOC)
Encrypt All Customer Data
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
Developers can use the cryptographic service providers (CSPs) built into the Microsoft.NET Framework to access Advanced Encryption Standard (AES) algorithms, along with Secure Hash Algorithm (SHA-2) functionality, to handle such tasks as validating digital signatures.
Azure builds on the straightforward key management methods incorporated into the .NET security model. This allows developers to retain custom encryption keys within the Azure storage services.
Azure also allows customers to encrypt data and manage keys. It safeguards customer data for applications, platforms, systems, and storage in the following ways:
- Protecting data-at-rest - Azure Key Vault helps streamline key management and maintains control of keys used by cloud applications and services, to encrypt data.
- Protecting data-in-transit - Customers can enable encryption for traffic between their own VMs and end users. Azure protects data-in-transit, such as between two virtual networks.
- Encrypt data in storage and in transit to align with best practices for protecting confidentiality and data integrity.
- Ensure all devices, including BYOD devices, use protected transmission and storage capabilities.
- Encrypt all traffic between web clients and servers implementing TLS on Internet Information Services.
- Choose HTTPS for REST API for storage.
- Use well-known encryption algorithms as provided in the .NET cryptographic service providers (CSPs). These are proven and tested for security.
- Authentication tokens are often the target of eavesdropping, theft, or replay-type attacks. To reduce the success of these attacks, encrypt the communication channels.
- When designing web applications, use the secure design guidelines.
- Use Azure Key Vault to store secrets, such as passwords, with keys stored in HSMs.
Payment Card Industry Data Security Standard (PCI DSS)
Penetration testing verifies the absence of unsecured functionality. It's about finding properties in software and its environment that can be varied, varying them, and seeing how the software responds. The goal is to ensure that software performs reliably and securely under reasonable and even unreasonable production scenarios.
- Work with a reputable penetration solution vendor.
- Perform tests on endpoints to uncover OWASP top 10 vulnerabilities.
- When using Azure services, request permission to execute penetration tests.
- Review methods in penetration testing, also called Red Teaming.
EU Data Protection Directive
Threat Modeling Services and Applications
Organizations need to properly define threats and classify information assets with a threat modeling process. The Microsoft Security Development Lifestyle (SDL) provides an effective threat modeling process that is used to identify threats and vulnerabilities in software and services.
Threat modeling activities include completing the threat models for all functionality SDL Threat Modeling Tool, which can be used to identify high-risk issues, as well as ensuring that threats can be mitigated and reviewed by the team. Threat Modeling can be imposed on all services and projects. All code exposed on the attach surface and all code written by or licensed from a third-party should be included in a threat model.
It's important to review a threat model when software is updated. New features or functionality can change the solution's threat profile. Essentially, threat models endeavor to build secure solutions with the mindset that they are trying to protect their customer's assets.
- Use approved tools, software, and services. Ensure that only verified tools are used in solutions.
- Remove and deprecate unsafe functions, processes, and designs.
- Perform fuzz testing, static, and dynamic analysis of services and software solutions.
- Conduct attack surface analysis and reviews.
- Learn and understand how exploits and vulnerabilities might affect an organization by reviewing security threat intelligence.
- Apply threat modeling best practices as appropriate to current, new, and third-party services and applications.
Until Next Time...
Of the 13 security controls, we've reviewed 7 of them in this post. We'll review the remaining 6 in the next blog post.
Remember, these 7 key security principles align with ISO 27001 controls. Of the 14 total ISO 27001 groups/control objectives and 114 controls, these key principles have the most relevance to secure development and operations.
These security principles are designed to make cloud-based solutions more resilient to attack by decreasing the amount of time needed to prevent, detect, contain, and respond to real and potential Internet-based security threats. As we've discussed, the result is the increased security of related services.
Keep moving forward with Azure Infrastructure. Sign in with your All Access Pass and learn more today