I need guidance for adopting Azure security best practices in our first foundational landing zone

Ryan 60 Reputation points
2023-11-23T18:50:57.7033333+00:00

Need some guidance with embedding Azure security best practice in our first foundational landing zone!

thanks

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

Accepted answer
  1. Adam Zachary 2,886 Reputation points
    2023-11-23T20:38:27.1+00:00

    Hi Ryan,

    Based on the Microsoft Cloud Adoption Framework (CAF) and the Azure Security Benchmark, here's a comprehensive outline of security component recommendations for adopting the cloud, covering all key domains:

    Security in the Microsoft Cloud Adoption Framework for Azure - Cloud Adoption Framework | Microsoft Learn

    Identity Management (CAF & ASB)

    • Azure CAF Guidance: Focus on educating teams about cloud security, including the shared-responsibility model and changes in roles and responsibilities.
    • Azure Security Benchmark: Implement strong identity and access controls using Azure Active Directory, including single sign-on, strong authentication, and monitoring for account anomalies.

    Identity and Access Management (IAM) is a critical component of security in Azure, as it determines who has access to what resources in Azure.

    Practical Recommendations:

    1. Design Role-Based Access Control (RBAC) Effectively:

    • Use least privilege principle: Grant the minimum permissions necessary to perform the needed task.
    • Use Azure built-in roles where possible.
    • Create custom roles for specific needs.
    • Assign roles at the appropriate scope: following Microsoft recommendations; Management Groups -> Subscriptions -> Resource Groups -> Resource.

    2. Implement Privileged Identity Management (PIM):

    Azure Privileged Identity Management (PIM) is a feature that provides a flexible, secure way to manage privileged access to resources in Azure. It enables administrators to grant elevated privileges to users and groups for a limited time, and tracks and monitors privileged access to resources.

    (PIM) Recommendations:

    • Use Just-In-Time (JIT) Access: JIT access enables administrators to grant temporary elevated privileges for a limited time, reducing the risk of unauthorized access or data breaches.
    • Enable MFA: Multi-Factor Authentication (MFA) adds an extra layer of security, reducing the risk of unauthorized access or data breaches. Enabling MFA for privileged accounts is a best practice in Azure PIM.
    • Limit the Number of Privileged Users: Limit the number of users who have privileged access to only those who need it, reducing the risk of unauthorized access or data breaches.
    • Configure monitoring for PIM audit logs: Regularly audit and monitor privileged access to resources, and track changes to privileged roles and permissions.

    Network Security (CAF & ASB)

    • Azure CAF Guidance: Ensure clear accountability for cloud security decisions, especially in network security.
    • Azure Security Benchmark: Secure and protect Azure networks, including virtual networks, private connections, attack prevention and mitigation, and DNS security.

    Practical Recommendation:

    • Implement Network Segmentation/Isolation Patterns on Azure:

    Network segmentation is the practice of dividing a network into smaller, isolated segments ("subnets"), each with its own security policies. This helps to reduce the risk of security breaches and improve the overall security of the network.

    1. Use Network Security Groups:

    NSGs should be used to control inbound and outbound network traffic and to enforce security policies for resources within a virtual network.

    Recommendations:

    • Apply NSGs at the Subnet Level: It's best to apply NSGs at the subnet level to control network traffic at the granularity of the subnet. This allows for more fine-grained control over network traffic, making it easier to enforce security policies.
    • Block Unwanted Traffic: NSGs can be used to block unwanted traffic, such as traffic from known malicious IP addresses or traffic from unwanted sources. Blocking unwanted traffic helps to reduce the risk of security breaches and improve the overall security of the network.
    • Prioritize NSG Rules: When creating NSG rules, it's important to prioritize rules to ensure that the most important rules are processed first. This helps to ensure that the NSG is functioning as intended, and that security policies are enforced consistently.
    • Enable NSG Flow Logs: Network security group (NSG) flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG.
    • Keep NSGs Simple: It's best to keep NSGs simple, with a minimal number of rules. This helps to ensure that the NSG is easy to understand, manage, and maintain. Complex NSGs can make it difficult to troubleshoot network issues.
    • Consider using Azure Policies to enforce security governance and compliance:

    Azure Policy is a governance tool within the Microsoft Azure ecosystem that allows organizations to enforce organizational standards and assess compliance at scale. Through its declarative syntax, Azure Policy evaluates resources in your Azure environment to ensure they adhere to your defined criteria. It offers:

    • Consistent Governance: Ensure that resources are compliant with organizational requirements and best practices.
    • Automated Compliance: Automatically enforce preset rules to prevent non-compliant resources from being provisioned.
    • Cost Management: Prevent the provisioning of high-cost resources or resources outside of specified regions.
    • Security Assurance: Limit potential vulnerabilities by enforcing security settings.
    • Continuous Monitoring: Periodically evaluate existing resources for compliance and produce compliance reports.

    Recommendations with Azure Policy:

    • Start Small: Begin with a set of basic policies and gradually expand as you become more familiar with your governance needs.
    • Utilize Built-in Policies: Azure offers a wide array of built-in policies that address common use cases and compliance standards.
    • Test Before Enforce: Always evaluate the effects of a policy in 'audit' mode before enforcing it to understand its impact.

    Data Protection (CAF & ASB)

    • Azure CAF Guidance: Focus on asset protection, maximizing the protection of data, applications, networks, and identities.
    • Azure Security Benchmark: Control data protection at rest, in transit, and via access mechanisms, including encryption and key management.

    Enable Azure Data Encryption

    Data encryption is a crucial aspect of securing sensitive information in the cloud. Microsoft Azure provides a number of data encryption options to help protect your data and ensure compliance with industry and regulatory standards.

    Data Security recommendations:

    • Enable Encryption at Rest: Encryption at rest refers to the encryption of data when it is stored on disk. Azure provides several options for encrypting data at rest, including Azure Disk Encryption, Azure SQL Transparent Data Encryption, and Azure Key Vault-managed keys. It is recommended to enable encryption at rest for all sensitive data to prevent unauthorized access.
    • Enable Encryption in Transit: Encryption in transit refers to the encryption of data when it is transmitted over the network. Azure provides support for encryption in transit through SSL/TLS protocols. It is recommended to enable encryption in transit for all sensitive data to prevent tampering.
    • Enable Azure Disk Encryption: Azure Disk Encryption is a feature that allows you to encrypt virtual machine disks and the underlying operating system disk. It is recommended to enable Azure Disk Encryption for all virtual machines that contain sensitive data.
    • Enable Azure SQL Transparent Data Encryption: Azure SQL Transparent Data Encryption is a feature that allows you to encrypt data stored in Azure SQL databases. It is recommended to enable Azure SQL Transparent Data Encryption for all Azure SQL databases that contain sensitive data.
    • Use Azure Key Vault-Managed Keys: Azure Key Vault is a cloud-based service that provides secure storage of cryptographic keys and certificates. Azure Key Vault-managed keys can be used to encrypt data at rest in Azure Blob storage and Azure Files. It is recommended to use Azure Key Vault-managed keys for encrypting sensitive data in these storage solutions.
    • Encrypt Data at the Application Layer: In addition to the encryption options provided by Azure, it is also possible to encrypt data at the application layer. This involves using encryption algorithms and cryptographic keys in the application code to encrypt data before storing it in Azure.
    • Use Azure Key Vault for Key Management: Proper key management is critical for ensuring the security of encrypted data. Azure Key Vault provides a secure and scalable solution for key management, including the ability to manage and rotate keys. It is recommended to use Azure Key Vault for managing encryption keys, and to implement a key rotation strategy to ensure that keys are regularly changed and securely stored.
    Logging and Threat Detection (CAF & ASB)

    • Azure CAF Guidance: Update incident response processes for the cloud, including native threat detection tools.
    • Azure Security Benchmark: Enable and collect audit logs, generate high-quality alerts with native threat detection, and use Azure Monitor and Sentinel for centralized security analysis.

    Incident Response (CAF & ASB)

    • Azure CAF Guidance: Modernize incident response processes to suit cloud environments.
    • Azure Security Benchmark: Cover the entire incident response lifecycle, using Azure services like Microsoft Defender for Cloud and Sentinel to automate the process.

    Posture and Vulnerability Management (CAF & ASB)

    • Azure CAF Guidance: Establish security posture management, focusing on continuous monitoring and risk mitigation.
    • Azure Security Benchmark: Assess and improve Azure security posture, including vulnerability scanning, penetration testing, and security configuration tracking and correction.

    Endpoint Security (ASB)

    • Azure Security Benchmark: Implement controls in endpoint detection and response, including using EDR and anti-malware services for Azure environments.

    Backup and Recovery (ASB)

    • Azure Security Benchmark: Ensure data and configuration backups are performed, validated, and protected across service tiers.

    DevOps Security (ASB)

    • Azure Security Benchmark: Integrate security checks into DevOps processes, including static application security testing and vulnerability management prior to deployment.

    Governance and Strategy (ASB)

    • Azure Security Benchmark: Establish a coherent security strategy and governance approach, including roles and responsibilities for cloud security functions and supporting policies and standards.

    Honestly, there is more to consider when planning for security within your foundational landing zone, things like

    Hub and Spoke Topology and using DMZ with Firewall.

    Depending on your workload nature, for example do you have web apps? If yes, then you might consider Web Application Firewall to protect your Apps.

    What kind of Entra ID SKU are you planning to have within your Azure tenant? If you go P2 with E5 License, for example, you can take advantage of something like DLP or Data Loss Prevention, Conditional Access, Safe Links and Safe Attachments, etc. So, security is a really big topic; I can't just limit it to whatever I recommend here. But if you need further help, please feel free to share your business requirements and I'd be happy to give you more tailored details.

    Thanks

    1 person found this answer helpful.
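
An added example, not part of the answer above and not Microsoft tooling, illustrating its "Prioritize NSG Rules" and "Block Unwanted Traffic" points: NSG rules are processed in ascending priority number and the first match decides, so a broad allow with a lower number silently overrides a later deny. The rule set is constructed sample data; the simplified matching (one port or `*`, a CIDR, `*` or an approximated `Internet` tag as source, only the final default deny modelled) is an assumption of this sketch.

```python
import ipaddress

# Constructed sample inbound rules for one subnet-level NSG (not from the post).
RULES = [
    {"name": "allow-https", "priority": 100, "source": "Internet", "port": "443", "access": "Allow"},
    {"name": "allow-any", "priority": 200, "source": "*", "port": "*", "access": "Allow"},
    {"name": "deny-rdp", "priority": 300, "source": "Internet", "port": "3389", "access": "Deny"},
    {"name": "allow-ssh-bastion", "priority": 310, "source": "10.0.1.0/24", "port": "22", "access": "Allow"},
]
MGMT_PORTS = {"22", "3389"}
# Assumption: the "Internet" tag is approximated as "not an RFC 1918 address".
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "Internet":
        return not any(ip in net for net in PRIVATE)
    return ip in ipaddress.ip_network(rule_source)

def evaluate(rules, src_ip, port):
    """Return (access, rule name): lowest priority number first, first match wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["port"] in ("*", str(port)) and source_matches(rule["source"], src_ip):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"  # only the final default rule is modelled

def covers(earlier, later):
    """True if `earlier` matches everything `later` matches (simplified)."""
    return earlier["port"] in ("*", later["port"]) and earlier["source"] in ("*", later["source"])

def find_issues(rules):
    """Flag open allows that reach management ports and denies shadowed by an earlier allow."""
    issues = []
    ordered = sorted(rules, key=lambda r: r["priority"])
    for i, rule in enumerate(ordered):
        open_source = rule["source"] in ("*", "Internet")
        if rule["access"] == "Allow" and open_source and (rule["port"] == "*" or rule["port"] in MGMT_PORTS):
            issues.append(("exposed-mgmt", rule["name"], rule["source"]))
        if rule["access"] == "Deny":
            shadow = next((e["name"] for e in ordered[:i] if e["access"] == "Allow" and covers(e, rule)), None)
            if shadow:
                issues.append(("shadowed-deny", rule["name"], shadow))
    return issues

if __name__ == "__main__":
    print(evaluate(RULES, "203.0.113.10", 3389))
    print(find_issues(RULES))
```

Removing the constructed `allow-any` rule lets `deny-rdp` take effect and clears both findings, which is the kind of check that stays tractable when NSGs are kept simple.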

2 additional answers

  1. Bjoern Peters 8,856 Reputation points
    2023-11-23T19:05:04.1833333+00:00

    Hello Ryan,

    Welcome to the Q&A Forum; this is a great place to get support, answers, and tips.

    Thank you for posting your question; I'll be more than glad to help you out.

    And what specifically do you need assistance with?

    Both landing zones and Security are huge fields to have questions about...

    Maybe you start by reading the documentation:

    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/

    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security

    Or give us much more information about where you stand, your plans, and where you have a problem.

    I hope my answer is helpful to you,

    Your

    Bjoern Peters

    If the reply was helpful, please upvote and/or accept it as an answer, as this helps others in the community with similar questions. Thanks!

    1 person found this answer helpful.

  2. Adam Zachary 2,886 Reputation points
    2023-11-23T20:51:11.9+00:00

    Hi Ryan,

    Security is a broad and multifaceted topic, encompassing a variety of framework standards like CIS, NIST, SOC2, ISO27001, and Azure Benchmark. Each of these frameworks offers a comprehensive set of security controls, allowing for robust protection strategies. To best tailor a custom response that aligns with these frameworks while addressing your specific needs, it would be very helpful to understand more about your business requirements, goals, and plans, including details such as your licensing plans. For instance, are you considering Microsoft Entra ID P1 or P2, and what is your Office 365 licensing level - is it E5?

    Opting for P2 and E5 licenses opens up access to advanced security features beyond the basics, like DLP, Conditional Access Policies, Privileged Identity Management, Safe Links, and Safe Attachments.

    Additionally, are you planning to use Azure Firewall, and do your workloads require a Web Application Firewall for ingress traffic protection? It would also be helpful to know your network topology plans, such as whether you're implementing a Hub and Spoke model with a DMZ environment, and whether your setup will be hybrid or cloud-native. Lastly, could you outline your plans for network connectivity, particularly if you have an on-premises or multi-cloud environment?

    1 person found this answer helpful.