Oldies but not so goodies
It’s no secret that some security best practices often get neglected because of technical challenges, lack of personnel, budget constraints, or out-of-date policies and procedures. However, administrators must perform critical tasks, no matter how troublesome, in order to operate efficiently and to secure the organization’s data, wherever that data might reside.
Some of these troublesome security best practices include:
- Multifactor authentication (MFA) and single sign-on (SSO)
- Role-based access control and access reviews
- Privileged access management
- Data identification and classification
- Threat and vulnerability management
These practices can greatly increase an organization’s security posture, but they often prove daunting to implement. On top of more routine responsibilities such as controlling user access and conducting account reviews, maintaining compliance with industry regulations, and audit logging, these security best practices are instrumental in securing an organization’s assets. However, they can add to an already long list of responsibilities for administrators to juggle in their day-to-day operations.
New solutions to deal with old troubles
Azure offers numerous solutions to tackle critical infrastructure, IAM, and security responsibilities, and it can assist in managing an organization’s IT infrastructure. These solutions provide a more streamlined approach to managing common security best practices in an automated manner that can be managed and audited from a centralized location.
Azure has implemented several key services and functionalities to assist in maintaining best practices, including:
- Azure Active Directory (AD) MFA and SSO
- Azure Role-Based Access Control (RBAC)
- Azure Conditional Access
- Azure Information Protection (AIP)
- Azure Data Discovery and Classification
- AIP policy
- Azure Privileged Identity Management (PIM)
- Azure Security Center
Administrators can use these functions and services to tackle best practices with a much more efficient and streamlined approach. Harnessing the scalability and agility of cloud-based solutions offers a much quicker approach to implementing best practices. Note: Azure’s licensing model varies from service to service, and several services have multiple tiers of cost and features. The minimum license requirements are included in each of the following sections.
Azure Active Directory MFA and SSO
Requirements: Azure AD Premium P1 licensing or Microsoft Office 365™ applications in use
With Azure AD, MFA and SSO can be deployed quickly while providing several options to confirm identity through an email, text, or phone call. Additionally, MFA can be configured to use the authenticator application to provide an additional code to users attempting to log in to secure services and applications. MFA is critical in mitigating the risk of employee user accounts becoming compromised. Should a user somehow have his or her password stolen or phished, another method of authentication is required through MFA when logging in to prevent potentially malicious or unauthorized access.
Registering enterprise applications within Azure allows organizations to link applications to Azure and offer seamless integration with the employees’ application dashboards. When applications are registered with an organization’s Azure subscription, access to the applications is linked to the organization’s Azure AD, through security assertion markup language or other supported SSO registration, to allow users to log in to applications with their employee credentials.
Combining MFA and SSO allows for strong user access controls to applications hosted by and connected to an organization’s Azure environment. It also enables a single, centrally managed IAM solution that administrators can audit and review rather than individually managing applications and third-party tools used by the organization.
Azure Role-Based Access Control (RBAC)
Requirements: None. RBAC is free within any Azure subscription.
In order to understand how role-based access operates within Azure, it is critical to understand how permissions are inherited throughout the scope of the cloud platform and underlying resources. The hierarchy consists of the following parts, and the permissions trickle down to the scopes contained within.
- Management group. The management group has the least granular permission scope, allowing for grouping of permissions of multiple subscriptions to be inherited.
- Subscription. The subscription-level scope allows for the entire collection of resource groups and their resources to inherit permissions at the same base level.
- Resource group. The resource group scope enables groupings of resources to share the same permissions, which leads to more granular control over all components of a set resource group.
- Resource. The resource scope is the most granular level, allowing permissions to be scoped to each individual resource deployed within Azure.
Within these scopes, permissions can be set for individual users, groups, and tags, which are labels that can be attached to resources to allow for grouping and organization. Much as with a traditional Active Directory, user account permissions should be configured using a role-based approach to provide users the least amount of privileges required to perform their job functions. By default, Azure has many preconfigured roles to allow administrators to assign user groups with predefined roles. While each individual role might vary, Azure has three core roles that extend throughout the Azure AD and services that use its management:
- Owner. The owner has full control over the addition, deletion, and modification of data within the defined scope of permissions. In addition to having full access to data, the owner can modify user permissions and provide access to resources he or she manages.
- Contributor. The contributor role allows users to access, add, delete, and modify data to the same extent as the owner; however, a contributor cannot manage the permissions of other users to access that data.
- Reader. The reader role consists of permissions allowing the user read-only access to the data, and readers are unable to add, delete, or modify data.
When configuring user account permissions, administrators should use hardening guides from authoritative sources to best configure access controls. Microsoft has released an extremely helpful Azure services mapping guide that links Azure services to the controls outlined by the National Institute of Standards and Technology’s Cybersecurity Framework (CSF).
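The following is an added example, not code from the article or from Microsoft: a small model of how a role assignment made at one scope is inherited by everything beneath it, and why a Contributor cannot hand out access even though it can otherwise do what an Owner does. The scope IDs follow the real Azure resource ID layout, but the subscription GUID, names, principals and assignments are constructed, and the role definitions are simplified versions of the built-in ones.

```python
import fnmatch

# Simplified built-in roles as (Actions, NotActions); the real definitions carry more entries.
ROLES = {
    "Owner": ({"*"}, set()),
    "Contributor": ({"*"}, {"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"}),
    "Reader": ({"*/read"}, set()),
}

# Constructed sample scopes, laid out like real Azure resource IDs.
MG = "/providers/Microsoft.Management/managementGroups/corp"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/app-prod"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stappprod"
MG_OF_SUB = {SUB: MG}  # management-group membership is not encoded in the ID

ASSIGNMENTS = [  # constructed role assignments: (principal, role, scope)
    ("alice@example.com", "Owner", MG),       # inherited by everything below the group
    ("bob@example.com", "Reader", SUB),        # read-only across the whole subscription
    ("bob@example.com", "Contributor", RG),    # may change resources in app-prod only
    ("carol@example.com", "Reader", STORAGE),  # a single resource
]

def scope_chain(scope, mg_of_sub=MG_OF_SUB):
    """The scope and every enclosing scope, most specific first."""
    chain = [scope]
    parts = scope.strip("/").split("/")
    if parts[0] == "subscriptions":
        sub = "/subscriptions/" + parts[1]
        if len(parts) > 4 and parts[2] == "resourceGroups":
            chain.append(sub + "/resourceGroups/" + parts[3])
        if len(parts) > 2:
            chain.append(sub)
        if sub in mg_of_sub:
            chain.append(mg_of_sub[sub])
    return chain

def matches(action, patterns):
    # Azure action matching is case-insensitive, and '*' also spans '/'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(principal, action, scope, assignments=ASSIGNMENTS):
    """Allowed if any assignment at the scope or an ancestor grants the action."""
    chain = scope_chain(scope)
    for who, role, at in assignments:
        if who == principal and at in chain:
            actions, not_actions = ROLES[role]
            if matches(action, actions) and not matches(action, not_actions):
                return True
    return False
```

Bob's Reader assignment at the subscription still reaches a vault in another resource group, while his Contributor assignment stops at the app-prod group; Carol's assignment on one storage account grants nothing at the group that contains it.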
Azure Conditional Access
Requirements: Azure AD Premium P1 or P2
Microsoft has implemented Conditional Access to allow for increased granularity of access controls based on defined attributes of the user account at the time of login. Through Conditional Access, administrators can tighten or relax security controls based on how and where the user is attempting to log in or access organization resources. Some of the main attributes that Conditional Access can consider include:
- The IP address of the user attempting to log in
- The date and time of the attempted login
- The geographic location of the user attempting to log in
- The user’s roles and the groups he or she belongs to
Using these attributes, administrators can use Conditional Access to adjust security by:
- Restricting users from logging in from foreign countries
- Forcing users to use MFA when logging in on IP addresses external to the organization
- Restricting users who belong to groups that have access to more sensitive information from logging in from locations other than their offices
- Requiring users to use compliant devices when attempting to access organizational resources
Conditional Access combined with strong RBAC and MFA can be used to lock down an organization’s IAM. While these systems can increase an organization’s security posture, it is still critical that management continue to perform traditional responsibilities, such as user access reviews and periodic review of role matrices, to verify that excessive access is not provisioned to users.
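To make the attribute-to-control mapping above concrete, here is an added example (not the article's or Microsoft's code) of a minimal evaluator that applies the four kinds of policy listed: every policy whose condition matches applies, a single block wins, and otherwise the grant controls of all matching policies are required together. The trusted network range, allowed countries, group names, business hours and sign-in attempts are all constructed sample values; real policies are configured in the Azure portal or through the Microsoft Graph API.

```python
import ipaddress
from dataclasses import dataclass

# Constructed trusted location: a CIDR standing in for the corporate egress range.
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_COUNTRIES = {"US", "CA"}  # constructed allow list

@dataclass
class SignIn:  # the attributes a policy condition can inspect
    user: str
    ip: str
    country: str
    groups: frozenset
    hour: int               # local hour of the attempt, 0-23
    device_compliant: bool

def on_trusted_network(s):
    return any(ipaddress.ip_address(s.ip) in net for net in CORP_NETS)

# Constructed policies: (name, condition, control). A control is either
# "block" or a grant control the user must satisfy ("mfa", "compliant_device").
POLICIES = [
    ("Block sign-ins from outside allowed countries",
     lambda s: s.country not in ALLOWED_COUNTRIES, "block"),
    ("Require MFA off the corporate network",
     lambda s: not on_trusted_network(s), "mfa"),
    ("Require MFA outside business hours",
     lambda s: not 8 <= s.hour < 18, "mfa"),
    ("Finance group only from the office",
     lambda s: "Finance" in s.groups and not on_trusted_network(s), "block"),
    ("Require a compliant device for everyone", lambda s: True, "compliant_device"),
]

def evaluate(s, policies=POLICIES):
    """Return ("block", [policy names]) or ("grant", [required controls])."""
    blocked_by, required = [], set()
    for name, applies, control in policies:
        if not applies(s):
            continue
        if control == "block":
            blocked_by.append(name)
        else:
            required.add(control)  # duplicates (two MFA policies) collapse to one challenge
    if blocked_by:
        return "block", blocked_by
    return "grant", sorted(required)
```

A "grant" result is conditional: the user still has to pass the listed controls, so MFA is prompted interactively and a non-compliant device fails the compliant_device control.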
Azure Information Protection (AIP)
Requirements: None. The functionality of AIP is included within any subscription of Azure.
Large organizations often struggle to implement data classification even if policies and procedures are in place to dictate the requirements. The challenge lies in detecting where data resides throughout the network and then accurately classifying it to make sure the data is protected according to the standards outlined by the organization’s policies and procedures. Useful AIP tools include:
Azure Data Discovery and Classification
Requirements: Azure Advanced Data Security
This tool assists in discovering, classifying, labeling, and reporting sensitive data stored within Azure’s structured query language (SQL) databases. Administrators can customize the taxonomy of the data including the type and hierarchy of sensitivity used by the organization. Once data is identified and sorted, Azure SQL auditing can help track user queries to access sensitive information. A dashboard and reports allow administrators to have a clear understanding of what data resides within their databases and who is accessing it.
AIP policy
Requirements: AIP
Policies can be developed to mirror data governance policies and procedures and assist in protecting documents and emails based on conditions configured by administrators. When a user begins writing a document or email and uses words or phrases set by policies within Azure, the document will be tagged and assigned appropriate security settings to classify the document.
For example, should an employee use phrases related to payment card information or personally identifiable information, the document or email will recommend the employee update the status of the document to reflect the defined classification. When used in tandem with a data loss prevention solution, strong controls around data exfiltration can be deployed to prevent accidental or malicious disclosure of sensitive information.
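As an added illustration of the phrase-and-pattern matching described above (example code, not AIP's own engine), the classifier below recommends a label when a document contains policy phrases or content that looks like a card number or a US Social Security number. The labels, trigger phrases and sample texts are constructed; the card number used in the test is a well-known test value, and a Luhn check is applied so that arbitrary digit runs do not trigger the payment-card label.

```python
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")  # 14-19 digits with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout; sample pattern only

def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text):
    return [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"\D", "", m))]

def find_ssns(text):
    return SSN_RE.findall(text)

RULES = [  # constructed policy: (recommended label, trigger phrases, content detector)
    ("Confidential - Payment Card", ("card number", "cvv", "cardholder"), find_cards),
    ("Confidential - Personal Data", ("social security", "date of birth", "passport"), find_ssns),
]

def classify(text):
    """Return (label, reasons) pairs to recommend, in rule order; empty if nothing matched."""
    lower = text.lower()
    hits = []
    for label, phrases, detector in RULES:
        reasons = [p for p in phrases if p in lower] + detector(text)
        if reasons:
            hits.append((label, reasons))
    return hits
```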
Azure Privileged Identity Management (PIM)
Requirements: Azure AD Premium P2
Keeping track of users with administrative permissions becomes much easier with Azure PIM. With PIM enabled and configured, users with administrative access can be classified into two different types: eligible or enabled.
Users with the eligible role assignment can use their administrative functions only after first taking some additional security actions, such as completing MFA, providing justification for why the administrative permissions are required, or being approved by another administrator. Users with the enabled role always retain their administrative access.
PIM also allows administrators to perform access reviews, download an audit history of account usage, and receive notifications when privileged roles are activated. As a whole, PIM provides a centralized solution for managing administrative accounts and applying the principle of least privilege throughout AD.
Azure has strong reporting functionality to assist in compliance and audit workflows. Many of the systems mentioned so far integrate with Azure Monitor, Azure’s logging and monitoring solution, and they can be exported to an organization’s security information and event management solution to assist in the creation of dashboards and alerts.
Azure Security Center
Requirements: Azure Security Center – Standard
Finally, the security of all these services as well as critical infrastructure services and resources can be managed within the Azure Security Center. Not only does the Security Center offer recommendations throughout the Azure portal in order to further secure the cloud, but individual resources can be integrated with the Security Center to allow for health checks, patch management, and security alerts.
Virtual machines can be managed through the Security Center to note any missing patches, block potentially malicious applications, and use Microsoft Windows™ Defender Advanced Threat Protection™ to send alerts on anomalous activity tracked by behavioral analytics for both Windows and Linux systems.
The Security Center can define security policies that, when broken, will alert administrators of the potential security issue and offer recommended solutions to resolve the incident. Administrators can configure playbooks that can automatically perform remediation efforts to resolve known or common issues, which vastly streamlines the incident response process. Should administrators need to run scripts, pull logs, or apply patching or rollbacks to systems, incident response actions can be planned in advance to minimize response time. Additionally, the Security Center can be used to identify vulnerabilities and misconfigurations on web applications or SQL databases that could be exploited to put data at risk. Within the Security Center, administrators will find a dashboard of organization databases, and should Azure find critical vulnerabilities – for example, SQL injection – notification and remediation tips will be provided.
Locking down the cloud
Although navigating the Azure cloud might be new territory for some, the core security principles required to harden the cloud environment should be familiar. Microsoft has come a long way in providing useful and convenient security tools for cloud administrators that might even already be included in a current subscription. As more organizations shift more of their operations and data into cloud resources, administrators should become familiar with the new tools at their disposal for managing emerging areas of risk and ultimately keeping the cloud environment secure.