Security is not a one-size-fits-all solution; it requires a customized, multi-layered approach with continuous monitoring.
The core principles of cybersecurity are Confidentiality, Integrity, and Availability.
- Confidentiality: the data is protected from unauthorized users
- Integrity: the data remains accurate and complete
- Availability: the data can be accessed by its intended users
Achieving these security best practices depends on the assets and services being protected, the constraints, the level of compliance required, and the risk tolerance of the company. As such, IT security policies can vary greatly from one environment to the next.
Securing Azure resources can be broken down into these major disciplines:
- Identity access management (IAM)
- Data security
- System security
- Network security
- Monitoring
- Compliance
In this article we will introduce a checklist for Azure cloud security best practices.
Quick start
The Azure Security Center offers a central location to manage security tooling and reports. It provides the resources you need to get started on your security roadmap, but it is not an all-in-one solution. To access the Security Center, sign in to your account and select Security Center on the left side.
The Center for Internet Security (CIS) provides an excellent framework for securing Azure resources according to industry best practices. The security recommendations are divided into two levels.
Level 1 provides basic security recommendations that should be enforced in most environments.
Level 2 provides advanced recommendations that should be enforced for increased security.
This checklist is a supplemental introduction to your security roadmap and should not serve as a standalone IT security policy.
IAM
Level 1
- Restrict access to the Azure AD administration portal
In Azure Active Directory, select Users or Groups, then User settings.
Ensure Restrict access to Azure AD administration portal is set to Yes.
- Guests – Remove guest users or limit their permissions
In AD Users, select All Users, and in the Show drop-down select Guest users only to view the guests.
- Passwords – Require two methods for password resets and notify users on reset
In AD Users, select Password reset, Authentication methods, and set Number of methods to 2.
- Reconfirm user authentication methods every 180 days
In AD Users, under Password reset, select Registration, and make sure Number of days before users are asked to reconfirm… is set to 180 days.
Level 2
- Enable MFA
In Azure AD Users, select Multi-factor authentication and make sure the status is Enabled for Admins, Owners, or Contributors.
- Block remembering MFA
Under Multi-factor authentication, select the users, choose Manage user settings, and check Restore MFA on all remembered devices.
- Guests – Restrict invitations through administrators only
In AD Users, select User settings, go to External users, Manage external collaboration settings, and set Members/Guests can invite to No.
- Restrict Security Group creation to administrators
In Azure AD, select Groups, go to General settings, and make sure Users can create security groups is set to No.
- Disable self-service group management
In Azure AD, Groups, select General settings, ensure Self-service group management enabled is set to No.
- Disable users from registering apps
In AD Users, go to User settings and make sure Users can register applications is set to No.
Security Center
Level 1
- Enable automatic provisioning of monitoring agent
In Security Center, select Security Policy and check your subscription. Click Install agents.
- Policies – Enable system updates: updates OS
In Security Center, Security Policy, select subscription under Policy Management.
Select Enable Monitoring in Azure Security Center.
In Compute and Apps, find the policy “System updates should be installed on your machines” and make sure it’s AuditIfNotExists or Audit.
- Enable security configurations: applies and recommends security hardening rules
In Security Center, Security Policy, select your subscription under Policy Management.
Enable the policy “Vulnerabilities in security configuration on your virtual machine scale sets should be remediated”.
- Enable Endpoint Protection: protects VMs from malware
- Enable Disk Encryption: encrypts data on the disk
- Enable Network Security Groups: allows or denies network traffic
- Enable Web Application Firewall: secures traffic to web applications
- Enable Vulnerability Assessment: performs vulnerability and health monitoring assessments and recommendations
- Enable Storage Encryption: encrypts Azure Blobs and Files
- Enable JIT Network Access: locks down inbound traffic to VMs
- Enable Adaptive Application Controls: whitelists safe applications running on VMs
- Enable SQL Auditing and Threat Detection: identifies malicious behavior on SQL DBs
- Enable SQL Encryption: enables transparent data encryption on SQL DBs
- Set Security Contact Email and Phone number
Make sure contact info is added in Cost Management + Billing.
- Send emails on Alerts
In Security Center, Pricing & settings, click Email notifications and enable them for high severity alerts and subscription owners.
Level 2
- Upgrade to a Standard tier
Extends the Security Center to private workloads and other cloud platforms for unified management
Enables advanced threat detection (Azure Defender)
Azure Storage
Level 1
- Require security-enhanced transfers: enables HTTPS on network communications and API transfers
Select your account in Storage Accounts and under Settings select Configuration. Set Secure transfer required to Enabled.
- Encrypt Files and blob object storage
Under your Storage Account Settings, select Encryption and make sure the storage account is being encrypted.
- Make blob containers private: restricts blob access to authorized users
Select your storage account and go to Containers under Blob service. Ensure Public access level is set to Private.
- Regenerate access keys periodically
Under Storage Account, select Activity log. Click the Timespan drop-down and set it to a 90-day range to see key activity over that period.
Use Azure Key Vault to regenerate these keys.
- Shared Access Signature tokens – Set a one hour expiration
Select your Storage account and go to Shared access signature. Set the expiration time to one hour after creation.
- Require tokens to be shared only via HTTPS
Under Shared access signature set Allowed protocols to HTTPS only.
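The two SAS requirements above (one-hour expiry, HTTPS only) can be checked on any token string before it is handed out, which is useful as a guardrail in a deployment pipeline. The following is an added example, not code from the original article: it parses the standard SAS query parameters (`st`, `se`, `spr`) and reports violations. The sample tokens are constructed and their `sig` values are placeholders, not real signatures.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs

# Policy from the checklist: tokens must be HTTPS-only and expire within one hour.
MAX_LIFETIME = timedelta(hours=1)


def _parse_sas_time(value: str) -> datetime:
    """SAS 'st'/'se' values are ISO 8601 in UTC, e.g. 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_sas(sas: str, issued_at: Optional[datetime] = None) -> List[str]:
    """Return the policy violations found in a SAS query string (empty = compliant).

    issued_at is used as the start time when the token carries no 'st' parameter
    (a SAS without 'st' is valid from the moment it is signed).
    """
    params = {k: v[0] for k, v in parse_qs(sas.lstrip("?")).items()}
    findings: List[str] = []

    # 'spr' (signed protocol) must be exactly "https"; "https,http" or an absent
    # 'spr' lets the token be presented over plain HTTP.
    if params.get("spr") != "https":
        findings.append("spr is not 'https' (token usable over plain HTTP)")

    if "se" not in params:
        findings.append("no expiry (se) parameter")
        return findings

    expiry = _parse_sas_time(params["se"])
    start = _parse_sas_time(params["st"]) if "st" in params else issued_at
    if start is None:
        findings.append("no start (st) parameter and no issue time given; lifetime unknown")
    elif expiry - start > MAX_LIFETIME:
        findings.append(f"lifetime {expiry - start} exceeds {MAX_LIFETIME}")
    return findings


# Constructed sample tokens (signatures are placeholders, not real HMACs).
COMPLIANT_SAS = ("sv=2020-08-04&ss=b&srt=sco&sp=rl&st=2024-05-01T10:00:00Z"
                 "&se=2024-05-01T11:00:00Z&spr=https&sig=CONSTRUCTED")
WEAK_SAS = ("sv=2020-08-04&ss=b&srt=sco&sp=rl&st=2024-05-01T10:00:00Z"
            "&se=2024-05-08T10:00:00Z&spr=https,http&sig=CONSTRUCTED")

if __name__ == "__main__":
    for label, token in (("compliant", COMPLIANT_SAS), ("weak", WEAK_SAS)):
        print(label, check_sas(token) or "OK")
```

Run it against a token copied from the portal's Shared access signature blade (everything after the `?`); a token that passes both checks still grants whatever permissions `sp` lists, so review those separately.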
Azure SQL Database
Level 1
- Enable auditing: tracks DB events and writes them to an audit log
In SQL Databases, select your DB instance and select Auditing under Security. Make sure Auditing is ON.
- Retain audit logs for more than 90 days
Select Auditing and select Configure under Audit log destination. Set the retention longer than 90 days.
- Enable threat detection: detects malicious activities to the DB
In the DB instance, under Security, click Advanced Data Security and click Enable.
- Retain threat detection logs for more than 90 days
Select Auditing and select Configure under Audit log destination. Set the retention longer than 90 days.
- Enable all threat detection types
- Send security alerts
In the DB instance, select Auditing & Threat Detection, Database settings, View Advanced Data Security server settings, and enable Send Alerts.
- Email service and administrators
Select Advanced Data Security, and under Advanced Threat Protection Settings select Email service and co-administrators.
- Ensure regular automatic database backups
Logging and Monitoring
Level 1
- Stream Activity Log to Event Hub: allows logs to be monitored and archived
In Monitor, select Activity Log and ensure a Log Profile is set. If not, select Export to Event Hub.
- Retain activity logs for 365 days or more
In Activity Log, adjust the Retention slider to 365 days or more.
- Create log alerts – “Creating a policy assignment”: alerts when policies are created
In Monitor, select Alerts, click + New alert rule. Click on Resource and select Policy from Filter by resource type.
“Creating, updating, or deleting a Network Security Group”: alerts when NSGs are created/updated/deleted
Click + New alert rule. Click on Resource type and select Network security group from Filter by resource type.
“Creating or updating an SQL Server firewall rule”: alerts when SQL Server network access changes
Click + New alert rule. Click on Resource type. Select SQL servers from Filter by resource type.
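The three alert rules above each key on a resource-provider operation name in the activity log. As an added example (not the article's own content), the block below applies the same conditions offline to exported activity-log records, which is handy for validating the rules against history or for a SIEM that ingests the log directly. The record shape (`operationName.value`, `status.value`, `caller`, `resourceId`) follows the activity-log JSON as I understand it and is an assumption; the records and resource IDs are constructed.

```python
from typing import Dict, List

# Resource-provider operation names behind the three alert rules in the checklist.
# Matching is case-insensitive because exported logs are not consistent in casing.
WATCHED_OPERATIONS = {
    "microsoft.authorization/policyassignments/write": "Policy assignment created or updated",
    "microsoft.network/networksecuritygroups/write": "NSG created or updated",
    "microsoft.network/networksecuritygroups/delete": "NSG deleted",
    "microsoft.sql/servers/firewallrules/write": "SQL server firewall rule created or updated",
}


def activity_log_alerts(records: List[Dict]) -> List[Dict]:
    """Return one alert per watched operation that completed successfully.

    The activity log writes a 'Started' record and a terminal record for each
    operation; alerting on 'Succeeded' only yields one alert per change.
    """
    alerts = []
    for rec in records:
        op = (rec.get("operationName") or {}).get("value", "").lower()
        status = (rec.get("status") or {}).get("value", "")
        label = WATCHED_OPERATIONS.get(op)
        if label and status == "Succeeded":
            alerts.append({
                "alert": label,
                "operation": op,
                "caller": rec.get("caller", "unknown"),
                "resource": rec.get("resourceId", ""),
                "time": rec.get("eventTimestamp", ""),
            })
    return alerts


def _record(op: str, status: str, caller: str, resource: str, ts: str) -> Dict:
    """Build a minimal activity-log record (constructed test data)."""
    return {"eventTimestamp": ts, "operationName": {"value": op},
            "status": {"value": status}, "caller": caller, "resourceId": resource}


_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
SAMPLE_RECORDS = [
    _record("Microsoft.Network/networkSecurityGroups/write", "Started", "alice@example.com",
            _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/web-nsg",
            "2024-05-01T10:00:00Z"),
    _record("Microsoft.Network/networkSecurityGroups/write", "Succeeded", "alice@example.com",
            _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/web-nsg",
            "2024-05-01T10:00:05Z"),
    _record("Microsoft.Compute/virtualMachines/write", "Succeeded", "bob@example.com",
            _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm01",
            "2024-05-01T10:02:00Z"),
    _record("Microsoft.Authorization/policyAssignments/write", "Succeeded", "carol@example.com",
            _SUB + "/providers/Microsoft.Authorization/policyAssignments/require-tags",
            "2024-05-01T10:05:00Z"),
    _record("Microsoft.Sql/servers/firewallRules/write", "Succeeded", "dave@example.com",
            _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql01/firewallRules/office",
            "2024-05-01T10:07:00Z"),
    _record("Microsoft.Network/networkSecurityGroups/delete", "Failed", "erin@example.com",
            _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/old-nsg",
            "2024-05-01T10:09:00Z"),
]

if __name__ == "__main__":
    for alert in activity_log_alerts(SAMPLE_RECORDS):
        print(f"{alert['time']} {alert['alert']} by {alert['caller']}: {alert['resource']}")
```

Failed attempts are deliberately left out of the alert list here; if you want to see them as well, drop the `status` condition or route them to a separate, lower-severity list.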
Level 2
- Enable Azure Sentinel
Enable Azure Sentinel for integrated SIEM alerting for security events.
Networking
Level 1
- Restrict RDP and SSH access from the internet: access VMs via VPN, ExpressRoute, or Bastion Host
On your VM, open the Networking pane and restrict the RDP (3389) and SSH (22) inbound rules.
- Restrict SQL Server access from the internet
Go to SQL Databases and, for each server, click Set server firewall.
Make sure no rule has a Start IP of 0.0.0.0 and End IP of 0.0.0.0 or any other wide IP range.
Allow only trusted IPs to connect.
- Restrict web application traffic with Web application firewalls: protects applications from common exploits and vulnerabilities
Enable WAF when you create an Application Gateway.
- Enable Network Watcher: logs inbound and outbound IP traffic
In All services, select Network Watcher, select Regions, and enable Network Watcher.
Level 2
- Retain NSG flow logs for longer than 90 days: allows deeper history analysis of traffic
In Networking, select Network Watcher, select NSG flow logs under Logs, ensure retention is greater than 90 days.
Virtual Machines
Level 1
- Enable Auto Provisioning
In Security Center, select Pricing & Settings, click on Data Collection and make sure Auto Provisioning is ON.
- Ensure disks are encrypted
On the Virtual Machine page, go to Settings, select Disks and ensure OS and Data disks have encryption set to Enabled.
- Ensure only approved extensions are installed
On the Virtual Machine page, go to Settings, select Extensions, and evaluate the installed extensions.
- Ensure OS updates are applied
In Security Center, open Recommendations under Resource Security Hygiene. Make sure “Apply system updates” is not listed.
- Ensure VMs have an updated and running endpoint protection solution
In Security Center review for Endpoint protection issues in Resource Security Hygiene.
Recommended extension: Microsoft Antimalware for Azure Cloud Services and Virtual Machines
Other
Level 1
- Azure Backup – Ensure regular automated backups
Enable Azure Backup and configure the backup source (Azure VMs, SQL Server, or File Shares), as well as desired frequency and retention period.
- Azure Key Vault – Make sure all keys have an expiration date
In Azure Key Vault, select Key Vaults, click on Keys, and make sure each key has an appropriate EXPIRATION DATE listed.
Make sure all secrets have an expiration date
Select Key Vaults, click on Secrets, and ensure each secret has an appropriate EXPIRATION DATE listed.
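Checking expiration dates by eye does not scale past a handful of vaults, and a date that is set but already past is just as much a finding as a missing one. The following is an added example rather than the article's own content: it evaluates a list of key and secret items for the two expiration checks above and also flags items inside a renewal window. The item shape (`kid` for keys, `id` for secrets, `attributes.expires`) follows the `az keyvault key list` and `az keyvault secret list` output as I understand it and is an assumption; the 30-day window and all items are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RENEWAL_WINDOW = timedelta(days=30)   # assumed: flag anything expiring within 30 days


def _parse_expires(ts: Optional[str]) -> Optional[datetime]:
    """Parse the 'attributes.expires' timestamp (ISO 8601 with offset or trailing 'Z')."""
    if not ts:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def expiration_findings(items: List[Dict], now: datetime) -> List[str]:
    """One finding per item that has no expiry, has expired, or expires soon."""
    findings = []
    for item in items:
        # Keys are identified by 'kid', secrets by 'id'.
        ident = item.get("id") or item.get("kid") or "<unknown>"
        expires = _parse_expires((item.get("attributes") or {}).get("expires"))
        if expires is None:
            findings.append(f"{ident}: no expiration date set")
        elif expires <= now:
            findings.append(f"{ident}: expired on {expires.date()}")
        elif expires - now <= RENEWAL_WINDOW:
            findings.append(f"{ident}: expires on {expires.date()}, within the renewal window")
    return findings


# Constructed sample items; vault name and versions are placeholders.
_VAULT = "https://kv-example.vault.azure.net"
SAMPLE_ITEMS = [
    {"kid": _VAULT + "/keys/app-signing", "attributes": {"enabled": True, "expires": None}},
    {"kid": _VAULT + "/keys/tls-cert-key",
     "attributes": {"enabled": True, "expires": "2024-06-15T00:00:00+00:00"}},
    {"id": _VAULT + "/secrets/db-password",
     "attributes": {"enabled": True, "expires": "2025-01-01T00:00:00+00:00"}},
    {"id": _VAULT + "/secrets/legacy-api-key",
     "attributes": {"enabled": True, "expires": "2024-01-01T00:00:00Z"}},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "current time" for the sample run

if __name__ == "__main__":
    for finding in expiration_findings(SAMPLE_ITEMS, NOW):
        print(finding)
```

In practice pass `datetime.now(timezone.utc)` as `now` and feed the function the parsed JSON from the two `az keyvault ... list` commands for each vault; the output lists exactly the items the two checklist lines ask you to look for, plus the ones that need rotating soon.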
Level 2
- Set resource locks on critical resources: can make resources undeletable or read-only
Open the resource, resource group, or subscription and select Settings. Open Locks and click Add. Select CanNotDelete or ReadOnly.
These are general security controls to secure your Azure environment. In the next few articles we will dive deeper into the various disciplines of Azure security.
Learn more about the CIS Azure benchmark.
Read more on Microsoft Security Best Practices.