More and more enterprises are taking advantage of the competitive marketplace of public cloud providers. While AWS continues to be the leader, Microsoft Azure’s growth is exponential. What’s common to any public cloud initiative is the need to build a cloud security program that typically focuses on the following tasks:
- Recognizing the areas of information security risks to the organization that are related to organizational objectives such as “Cloud First”; and defining the impact and necessary enhancements on three levels: people, processes and technology.
- Evaluating and implementing security controls to limit the exposure to risks in these areas.
However, in practice, many companies initiate cloud security programs after the fact, as a reaction to workloads already being deployed on public clouds. Many security teams were long under the impression that workloads would not be adequately protected in the public cloud. Hence, the need to review the current state of Azure security controls arbitrarily implemented by various delivery teams has become urgent in many organizations.
Start your Azure security assessment by defining a standardized security benchmark
Let’s assume you agree that assessing the security controls already implemented in your Azure environments is one of your top priorities. Where do you start?
NIST SP 800-53 and ISO 27001 are comprehensive security standards, but implementing them will take months of planning and execution. The Center for Internet Security (CIS) Top 20 Critical Security Controls prioritize security controls, focusing on the most essential ones. They were designed to “serve as the basis for immediate high-value action” and align with other security standards, such as PCI and FedRAMP, making this standard an efficient starting point. There is already a CIS AWS Foundations Benchmark that defines prescriptive security configurations for a subset of core AWS services. However, you will not find an analogous baseline for Azure.
That is why we at CTP developed our own Azure Foundations Benchmark which is closely based on the CIS AWS Foundations Benchmark. Why did we decide to model it after the CIS AWS Foundations Benchmark, rather than start directly from the CIS Top 20 Critical Security Controls? One of the key reasons was to ensure the consistency of security best practices and controls across cloud providers. Many enterprises pursue multi-cloud strategies. In these scenarios, the proposition of having different foundational security policies, and different foundational security controls, across cloud providers is worrisome. Security risks for these multi-cloud deployments are better managed when organizations establish a consistent set of best practices and security controls across providers.
Another reason to start from the AWS Foundations Benchmark was that it offers detailed, step-by-step audit procedures for its set of security rules and we wanted to leverage that approach. For each rule put into the CTP Azure Foundations Benchmark, we defined the following sections:
- Description: the ‘What’ of the security rule
- Rationale: the ‘Why’ of the security rule
- Audit: the ‘How’ of the security rule — step-by-step guidance on how Audit and Security professionals can validate the rule
- Remediation: manual, ad hoc remediation steps
- Mapping and References: mapping the rule to the CIS Top 20 Security Controls and Microsoft documentation.
The CTP Azure Foundations Benchmark has the same number of rules as the CIS AWS Foundations Benchmark and, similarly, four sections: Identity and Access Management, Monitoring, Logging and Network. The services and areas covered by the CTP Azure Foundations Benchmark are Azure services which are analogous to services covered in the CIS AWS Foundations Benchmark:
1. Identity and Access Management (IAM)
The CTP Azure Foundations Benchmark rules for IAM provide recommendations and validations pertaining to the utilization of Azure Role-Based Access Control (RBAC) roles. Minimizing the use of subscription-level roles such as “Owner,” and introducing resource group-level roles allows you to implement the principle of “least privilege” for access to Azure resources. This reduces the risk of accidental changes and limits the damage that can result from an accident or error.
Also, the CTP Azure Foundations Benchmark rules for IAM recommend and validate the use of Managed Service Identity (MSI). Azure MSI is one of the latest controls added to the Azure IAM toolset and is analogous to AWS IAM instance roles, which supply credentials for accessing AWS resources. Managed Service Identity allows you to keep credentials out of your code and thus solves the pesky “bootstrap identity” problem.
The rules guiding the use of multi-factor authentication (MFA) are part of the CTP Azure Foundations Benchmark as well.
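The audit step for the RBAC rules above can be automated against the JSON that `az role assignment list` returns. The script below is an added example written for this post; it is not code from CTP's benchmark or from Microsoft. It assumes the output field names `scope`, `roleDefinitionName`, `principalName` and `principalType`, treats "Owner" (the role named above) plus two further roles as privileged (an assumption), and runs on constructed sample assignments so it works offline.

```python
"""Audit Azure RBAC role assignments for privileged roles granted at subscription scope.

Added example for this post, not code from CTP's benchmark or from Microsoft.
Assumes the field names that `az role assignment list -o json` emits; the
assignments below are constructed sample data, not a real subscription.
"""
import re

# Roles the check treats as privileged. "Owner" is the role the text names;
# the other two are assumed additions that grant write or access-management rights.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# A subscription-scope assignment is /subscriptions/<id> with nothing below it.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)

# Constructed sample data in the assumed shape of `az role assignment list -o json`.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
    {"principalName": "ci-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
]


def is_subscription_scope(scope):
    """True when the scope is the whole subscription rather than a resource group or resource."""
    return bool(SUBSCRIPTION_SCOPE.match(scope))


def find_subscription_level_privileged(assignments):
    """Return the assignments that grant a privileged role across the entire subscription."""
    findings = []
    for a in assignments:
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and is_subscription_scope(a["scope"]):
            findings.append({
                "principal": a["principalName"],
                "principalType": a["principalType"],
                "role": a["roleDefinitionName"],
                "scope": a["scope"],
            })
    return findings


def summarize(assignments):
    """Count privileged subscription-wide assignments per role, for the compliance record."""
    counts = {}
    for f in find_subscription_level_privileged(assignments):
        counts[f["role"]] = counts.get(f["role"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_subscription_level_privileged(SAMPLE_ASSIGNMENTS):
        print(f"FINDING: {f['principalType']} {f['principal']} holds {f['role']} at {f['scope']}")
    print("summary:", summarize(SAMPLE_ASSIGNMENTS))
```

Bob's Contributor role is scoped to a resource group and is therefore not reported; the two subscription-wide grants are. The same filter can be run per subscription and its output kept as the audit evidence for the IAM rule.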
2. Logging and Real-time Monitoring
The CTP Azure Benchmark rules govern the appropriate handling of Azure Activity Logs for further analysis and processing in Security Information and Event Management (SIEM) systems. The Azure Activity Logs contain information about events that have occurred in your Azure resources, such as the creation, update or deletion of resources.
Background analysis of log information is undoubtedly useful, but there are events that require immediate processing, for example events related to IAM role assignments. The CTP Azure Foundations Benchmark rules prescribe the creation of Azure Activity Log Alerts for change events that may have significant security ramifications. Azure Activity Log Alerts trigger real-time notifications, such as email or text messages, when an activity occurs that matches predefined alert conditions.
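To show what such an alert condition looks like in practice, the script below triages Activity Log events for the change operations just described. It is an added example, not code from CTP's benchmark or from Microsoft. It assumes the event fields `operationName.value`, `status.value`, `caller`, `resourceId`, `correlationId` and `eventTimestamp` as emitted by `az monitor activity-log list -o json`; the operation names are real Azure resource-provider operations, while the selection of which ones to alert on, and the sample events, are constructed for this example.

```python
"""Triage Azure Activity Log events for changes that warrant a real-time alert.

Added example for this post, not code from CTP's benchmark or from Microsoft.
Assumes the event field names of `az monitor activity-log list -o json`; the
events below are constructed sample records.
"""

# Operations to alert on (assumed selection: the text names IAM role assignment
# changes; NSG changes are added here as the network analogue). Compared lower-case.
ALERT_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "RBAC role assignment created",
    "microsoft.authorization/roleassignments/delete": "RBAC role assignment deleted",
    "microsoft.network/networksecuritygroups/write": "NSG created or replaced",
    "microsoft.network/networksecuritygroups/securityrules/write": "NSG rule created or updated",
    "microsoft.network/networksecuritygroups/securityrules/delete": "NSG rule deleted",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed sample events. One operation yields several records (Started,
# Succeeded, ...) sharing a correlationId; only the terminal one should alert.
SAMPLE_EVENTS = [
    {"correlationId": "c1", "eventTimestamp": "2017-12-01T10:00:00Z", "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Started"},
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/ra-1"},
    {"correlationId": "c1", "eventTimestamp": "2017-12-01T10:00:02Z", "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/ra-1"},
    {"correlationId": "c2", "eventTimestamp": "2017-12-01T10:05:00Z", "caller": "ops-automation",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01"},
    {"correlationId": "c3", "eventTimestamp": "2017-12-01T10:07:00Z", "caller": "bob@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Failed"},
     "resourceId": SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-rdp"},
    {"correlationId": "c4", "eventTimestamp": "2017-12-01T10:09:00Z", "caller": "carol@example.com",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/ra-7"},
]


def alertable_events(events):
    """Return one alert per completed change operation that is on the watch list.

    Records with status Started or Failed are skipped: the former would double-
    alert, the latter changed nothing (though failed attempts are worth a separate
    lower-priority review).
    """
    alerts, seen = [], set()
    for e in events:
        op = e["operationName"]["value"].lower()
        if op not in ALERT_OPERATIONS or e["status"]["value"] != "Succeeded":
            continue
        key = (e["correlationId"], op)
        if key in seen:  # same operation reported twice under one correlationId
            continue
        seen.add(key)
        alerts.append({
            "time": e["eventTimestamp"],
            "caller": e["caller"],
            "description": ALERT_OPERATIONS[op],
            "resource": e["resourceId"],
        })
    return alerts


def format_alert(alert):
    """Render an alert as the one-line message a notification channel would carry."""
    return f"[{alert['time']}] {alert['description']} by {alert['caller']} on {alert['resource']}"


if __name__ == "__main__":
    for a in alertable_events(SAMPLE_EVENTS):
        print(format_alert(a))
```

Of the five sample records, only the two successful role-assignment changes produce alerts: the VM start is routine, and the failed NSG rule write changed nothing. In Azure the same condition is expressed declaratively as an Activity Log Alert on the operation name and status; the script is the equivalent logic a SIEM rule or a test harness for that alert would carry.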
3. Network
The network rules of the CTP Azure Benchmark are very much the same as those of the CIS AWS Foundations Benchmark. They validate basic Network Security Group (NSG) rules. NSGs are the equivalent of a simple stateful packet filtering firewall, filtering IP traffic in the virtual networks (VNets) that represent your network on Azure.
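As an added example of what validating "basic NSG rules" means, the script below checks an NSG for administrative ports reachable from any source. This is not code from CTP's benchmark or from Microsoft; it applies the analogue of the CIS AWS Foundations Benchmark rules on security groups allowing ingress from 0.0.0.0/0 to ports 22 and 3389, and that mapping to Azure is my assumption. It assumes the rule fields `name`, `priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`/`sourceAddressPrefixes` and `destinationPortRange`/`destinationPortRanges` as returned by `az network nsg rule list -o json`, and the sample rules are constructed. It goes slightly beyond a per-rule check by honouring NSG priority order, so a Deny that shadows a later Allow is not reported as a finding.

```python
"""Check Azure NSG rules for administrative ports open to any source.

Added example for this post, not code from CTP's benchmark or from Microsoft.
Assumes the rule field names of `az network nsg rule list -o json`; the rules
below are constructed sample data.
"""

# Ports checked, mirroring the CIS AWS rules for SSH and RDP (assumed mapping).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Source prefixes that admit traffic from anywhere on the Internet (compared lower-case).
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "internet"}

# Constructed sample rules for one NSG. Priority ordering is deliberate: the
# Deny at 100 shadows the Allow at 200 for port 22, so only RDP is exposed.
SAMPLE_RULES = [
    {"name": "deny-ssh-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "allow-ssh-office", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "allow-ssh-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-rdp-any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": None,
     "destinationPortRanges": ["3389", "5985-5986"]},
    {"name": "allow-all-out", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def port_ranges(rule):
    """Yield (low, high) tuples for the rule's destination ports; '*' means every port."""
    specs = []
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    specs.extend(rule.get("destinationPortRanges") or [])
    for spec in specs:
        if spec == "*":
            yield (0, 65535)
        elif "-" in spec:
            low, high = spec.split("-", 1)
            yield (int(low), int(high))
        else:
            yield (int(spec), int(spec))


def rule_matches(rule, port):
    """True when an inbound TCP packet from the Internet to `port` would hit this rule."""
    if rule["direction"].lower() != "inbound":
        return False
    if rule["protocol"].lower() not in ("*", "tcp"):
        return False
    sources = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or [])
    if not any(str(s).lower() in ANY_SOURCE for s in sources if s):
        return False
    return any(low <= port <= high for low, high in port_ranges(rule))


def exposed_admin_ports(rules):
    """Return {port: rule name} for admin ports the NSG allows from any source.

    NSG rules are evaluated in ascending priority order and the first match
    decides, so a Deny with a lower number shadows a later Allow. When no custom
    rule matches, Azure's default DenyAllInBound rule (priority 65500) applies,
    so a port with no match is not exposed.
    """
    ordered = sorted(rules, key=lambda r: r["priority"])
    exposed = {}
    for port in ADMIN_PORTS:
        for rule in ordered:
            if rule_matches(rule, port):
                if rule["access"].lower() == "allow":
                    exposed[port] = rule["name"]
                break
    return exposed


if __name__ == "__main__":
    for port, name in exposed_admin_ports(SAMPLE_RULES).items():
        print(f"FINDING: {ADMIN_PORTS[port]} (tcp/{port}) open to any source by rule '{name}'")
```

Against the sample NSG the check reports only RDP: the office-scoped SSH rule is not a finding because its source is a specific prefix, and the unrestricted SSH allow at priority 200 never takes effect behind the Deny at priority 100. Running this over `az network nsg rule list` output for every NSG in a subscription yields the evidence the benchmark's Audit section asks for.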
Institutionalize the use of security benchmarks within your organization
Once you start validating the security posture of your Azure environments using the CTP Azure Foundations Benchmark, or similar benchmarks, how should you keep the compliance records for potentially hundreds of Azure environments? How should you maintain the security policies defined by the benchmarks, to stay up to date given the pace of Azure innovations and changes? In other words, how should you scale the process of consistently validating the security posture of your Azure environments?
The CTP Azure Foundations Benchmark document is 120 pages long. It will take even an experienced Azure security specialist well over one business day to audit one environment against the CTP Azure Foundations Benchmark and record the results.
That is why CTP offers the Continuous Compliance program to help enterprises define and manage the application of Compliance and Security Controls for cloud environments at scale, facilitating compliance efforts. The CTP Azure Foundations Benchmark is in fact the latest addition to the set of security policies, standards and benchmarks of the CTP Continuous Compliance for Azure program that is currently under development.
Too often, we receive news of data breaches involving the personal information of millions of people falling into the wrong hands. The latest Uber breach shows that cyberattacks do not have to be super-sophisticated, James Bond movie efforts, to be successful. The disciplined, consistent implementation of security controls and best practices is key to preventing most of these breaches and keeping intruders at bay.