Security is the most important thing in any data center, and the same holds in the cloud. Microsoft Azure, as a cloud platform, has various mechanisms to ensure the integrity of customer workloads. The newest addition to this set of tools is Azure Security Center, a single console to prevent, detect, and respond to security vulnerabilities in your Azure environment.
What can it do?
According to Microsoft, the following are the key capabilities of the Azure Security Center Preview. I believe that when this service reaches General Availability we will have more features.
- Monitors the security state of your Azure resources
- Defines policies for your Azure subscriptions based on your company’s security requirements and the type of applications or sensitivity of your data
- Uses policy-driven security recommendations to guide service owners through the process of implementing needed controls
- Rapidly deploys security services and appliances from Microsoft and partners
- Automatically collects and analyses security data from your Azure resources, the network, and partner solutions like antimalware and firewalls
- Leverages global threat intelligence from Microsoft products and services, Digital Crime and Incident Response Centers, and external feeds
- Applies advanced analytics, including machine learning and behavioral analysis
- Provides prioritized security incidents/alerts
- Offers insights into the source of the attack and impacted resources
- Suggests ways to stop the current attack and help prevent future attacks
In this post let’s see how we can set the security policies for your Azure subscriptions and try to understand the logic behind security data collection in Azure.
Understanding Security policies
Security policies are subscription-wide, which means there is one policy per subscription. An important thing to note is that you must be an Owner or Contributor of a subscription to modify its security policy.
After selecting the subscription for which you need to set the security policy, you can select the relevant policies as shown below.
The following table describes what each of these policies means; you can customize them according to your requirements.
| Policy | Description |
|---|---|
| | Retrieves a list of available updates from Windows Update or WSUS, depending on which service is configured for that virtual machine, every 12 hours and recommends that missing updates be installed on your Windows virtual machines. |
| Baseline Rules | Analyzes all supported virtual machines every 12 hours to identify any OS configurations that could make the virtual machine more vulnerable to attack and recommends configuration changes to address these vulnerabilities. |
| Antimalware | Recommends that antimalware be provisioned for all Windows virtual machines to help identify and remove viruses, spyware, and other malicious software. |
| Access Control List on endpoints | Recommends that an Access Control List (ACL) be configured to limit access to Classic virtual machine endpoints. This would typically be used to ensure that only users who are connected to the corporate network can access the virtual machines. |
| Network security groups on Subnets and Network Interfaces | Recommends that Network Security Groups (NSGs) be configured to control inbound and outbound traffic to subnets and network interfaces for Resource Manager virtual machines. NSGs configured for a subnet are inherited by all virtual machine network interfaces unless otherwise specified. In addition to checking that an NSG has been configured, Inbound Security Rules are assessed to identify rules that allow Any incoming traffic. |
| Web Application Firewall | Recommends that a Web Application Firewall be provisioned on Resource Manager virtual machines when either (1) an Instance Level Public IP (ILPIP) is used and the associated NSG Inbound Security Rules are configured to allow access to port 80/443, or (2) a Load Balanced IP (VIP) is used and the associated load balancing and inbound NAT rules are configured to allow access to port 80/443. |
| SQL Auditing | Recommends that auditing of access to Azure SQL Servers and Databases be enabled for compliance, advanced detection, and investigation purposes. |
| SQL Transparent Data Encryption | Recommends that encryption at rest be enabled for your Azure SQL databases, associated backups, and transaction log files so that even if your data is breached, it will not be readable. |
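To make the NSG and Web Application Firewall rows concrete, here is an added example (my own script, not part of the original post and not Microsoft's code) that applies the same two checks offline to NSG rules exported as JSON. The field names (`securityRules`, `direction`, `access`, `sourceAddressPrefix`, `destinationPortRange`) are assumed to match what the Azure CLI emits for `az network nsg list -o json`; the two NSGs and their rules are constructed sample data. It first lists every inbound Allow rule whose source is Any (the NSG policy's assessment), then narrows that to rules exposing port 80 or 443 (the situation in which the WAF policy recommends a firewall).

```python
import json

# Constructed sample in the JSON shape the Azure CLI emits for `az network nsg list`
# (field names assumed; NSG and rule names are made up for this example).
SAMPLE_NSG_JSON = """
[
  {
    "name": "web-nsg",
    "securityRules": [
      {"name": "allow-http-any", "priority": 100, "direction": "Inbound", "access": "Allow",
       "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "80"},
      {"name": "allow-https-internet", "priority": 110, "direction": "Inbound", "access": "Allow",
       "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
      {"name": "allow-ssh-any", "priority": 120, "direction": "Inbound", "access": "Allow",
       "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
      {"name": "allow-rdp-corp", "priority": 130, "direction": "Inbound", "access": "Allow",
       "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "3389"},
      {"name": "deny-all-in", "priority": 4096, "direction": "Inbound", "access": "Deny",
       "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
    ]
  },
  {
    "name": "db-nsg",
    "securityRules": [
      {"name": "allow-sql-from-web", "priority": 100, "direction": "Inbound", "access": "Allow",
       "protocol": "Tcp", "sourceAddressPrefix": "10.1.1.0/24", "destinationPortRange": "1433"}
    ]
  }
]
"""

# Source prefixes that mean "Any" for the purpose of the NSG policy.
ANY_SOURCES = {"*", "Internet", "0.0.0.0/0"}
# Ports the Web Application Firewall policy looks at.
WEB_PORTS = (80, 443)


def load_nsgs(text):
    """Parse exported NSG JSON into a list of NSG dicts."""
    return json.loads(text)


def port_range_covers(port_range, port):
    """True if a destinationPortRange value ('*', '80' or '80-90') includes `port`."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = port_range.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(port_range) == port


def find_open_inbound_rules(nsgs):
    """(nsg name, rule name) for every inbound Allow rule whose source is Any.

    Deny rules and rules scoped to an address range are not reported, which
    mirrors the NSG policy's 'rules that allow Any incoming traffic' check.
    """
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules", []):
            if (rule["direction"] == "Inbound" and rule["access"] == "Allow"
                    and rule["sourceAddressPrefix"] in ANY_SOURCES):
                findings.append((nsg["name"], rule["name"]))
    return findings


def find_waf_candidates(nsgs):
    """Open inbound rules that expose port 80 or 443, i.e. where a WAF is recommended."""
    candidates = []
    open_rules = set(find_open_inbound_rules(nsgs))
    for nsg in nsgs:
        for rule in nsg.get("securityRules", []):
            if (nsg["name"], rule["name"]) not in open_rules:
                continue
            if any(port_range_covers(rule["destinationPortRange"], p) for p in WEB_PORTS):
                candidates.append((nsg["name"], rule["name"]))
    return candidates


if __name__ == "__main__":
    nsgs = load_nsgs(SAMPLE_NSG_JSON)
    print("Inbound rules open to Any:")
    for nsg_name, rule_name in find_open_inbound_rules(nsgs):
        print(f"  {nsg_name}/{rule_name}")
    print("Rules where a Web Application Firewall is recommended:")
    for nsg_name, rule_name in find_waf_candidates(nsgs):
        print(f"  {nsg_name}/{rule_name}")
```

Run it against a real export by replacing `SAMPLE_NSG_JSON` with the file contents; the `allow-ssh-any` rule illustrates the difference between the two checks, since it is flagged as open to Any but is not a WAF candidate, while `deny-all-in` is ignored because it is a Deny rule.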
In another post, let's see how we can enable security health monitoring and how to manage and respond to security alerts in Azure Security Center.