Azure security baseline for Microsoft Defender for Cloud Apps
This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Microsoft Defender for Cloud Apps. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Microsoft Defender for Cloud Apps.
When a feature has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance with the Azure Security Benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Controls not applicable to Microsoft Defender for Cloud Apps, and those for which the global guidance is recommended verbatim, have been excluded. To see how Microsoft Defender for Cloud Apps completely maps to the Azure Security Benchmark, see the full Microsoft Defender for Cloud Apps security baseline mapping file.
Network Security
For more information, see the Azure Security Benchmark: Network Security.
NS-6: Simplify network security rules
Guidance: Use Azure Virtual Network service tags to define network access controls on network security groups or Azure Firewall configured for your Microsoft Defender for Cloud Apps resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, "MicrosoftCloudAppSecurity") in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
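An added example (not part of the baseline) in Azure PowerShell: it confirms the MicrosoftCloudAppSecurity tag is published for the region, then adds an outbound rule that allows HTTPS only to that tag and denies other outbound Internet traffic from the NSG. The resource group, NSG name and region are assumed placeholders.

```powershell
# Added example, not from the baseline. Assumed names: resource group "rg-security",
# NSG "nsg-app-subnet", region "eastus". Requires the Az.Network module and a signed-in session.
$rg      = 'rg-security'
$nsgName = 'nsg-app-subnet'
$tag     = 'MicrosoftCloudAppSecurity'   # service tag named in NS-6

# Confirm the tag exists for the region before depending on it in a rule.
$tags  = Get-AzNetworkServiceTag -Location 'eastus'
$entry = $tags.Values | Where-Object { $_.Name -eq $tag }
if (-not $entry) { throw "Service tag $tag is not published for this region" }
Write-Host "$tag currently covers $($entry.Properties.AddressPrefixes.Count) prefixes (maintained by Microsoft)"

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg

# Priority 100: permit TCP/443 to the tag. No IP prefixes are hard-coded; Microsoft updates them.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-DefenderForCloudApps-443' `
    -Description 'Outbound HTTPS to Microsoft Defender for Cloud Apps' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix $tag -DestinationPortRange 443 | Out-Null

# Priority 4000: deny everything else to the Internet so only the approved tag is reachable.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Outbound' `
    -Description 'Block all other outbound Internet traffic' `
    -Access Deny -Protocol * -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Internet -DestinationPortRange * | Out-Null

# Commit the change and show the resulting outbound rules for review.
$nsg | Set-AzNetworkSecurityGroup |
    Select-Object -ExpandProperty SecurityRules |
    Where-Object { $_.Direction -eq 'Outbound' } |
    Select-Object Name, Priority, Access, DestinationAddressPrefix, DestinationPortRange
```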
Identity Management
For more information, see the Azure Security Benchmark: Identity Management.
IM-1: Standardize Azure Active Directory as the central identity and authentication system
Guidance: Microsoft Defender for Cloud Apps uses Azure Active Directory (Azure AD) as the default identity and access management service. You should standardize Azure AD to govern your organization’s identity and access management in:
- Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machine (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
- Your organization's resources, such as applications on Azure or your corporate network resources.
Securing Azure AD should be a high priority in your organization’s cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Microsoft’s best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.
Note: Azure AD supports external identities, which allow users without a Microsoft account to sign in to their applications and resources with their external identity.
IM-3: Use Azure AD single sign-on (SSO) for application access
Guidance: Microsoft Defender for Cloud Apps uses Azure Active Directory (Azure AD) to provide identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities such as employees, as well as external identities such as partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organization’s data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless, secure access, and greater visibility and control.
Privileged Access
For more information, see the Azure Security Benchmark: Privileged Access.
PA-1: Protect and limit highly privileged users
Guidance: Microsoft Defender for Cloud Apps has the following highly privileged accounts:
- Global administrator and Security administrator: Admins with Full access have full permissions in Microsoft Defender for Cloud Apps. They can add admins, add policies and settings, upload logs, and perform governance actions.
- Compliance administrator: Has read-only permissions and can manage alerts. Cannot access Security recommendations for cloud platforms. Can create and modify file policies, allow file governance actions, and view all the built-in reports under Data Management.
- Compliance data administrator: Has read-only permissions, can create and modify file policies, allow file governance actions, and view all discovery reports. Cannot access Security recommendations for cloud platforms.
- Security operator: Has read-only permissions and can manage alerts.
- Security reader: Has read-only permissions and can manage alerts. The Security reader is restricted from doing the following actions:
  - Creating policies or editing existing ones
  - Performing any governance actions
  - Uploading discovery logs
  - Banning or approving third-party apps
  - Accessing and viewing the IP address range settings page
  - Accessing and viewing any system settings pages
  - Accessing and viewing the Discovery settings
  - Accessing and viewing the App connectors page
  - Accessing and viewing the Governance log
  - Accessing and viewing the Manage snapshot reports page
  - Accessing and editing the SIEM agent
- Global reader: Has full read-only access to all aspects of Microsoft Defender for Cloud Apps. Cannot change any settings or take any actions.
Limit the number of highly privileged accounts or roles and protect these accounts at an elevated level because users with this privilege can directly or indirectly read and modify every resource in your Azure environment.
You can enable just-in-time (JIT) privileged access to Azure resources and Azure Active Directory (Azure AD) using Azure AD Privileged Identity Management (PIM). JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.
PA-3: Review and reconcile user access regularly
Guidance: Microsoft Defender for Cloud Apps uses Azure Active Directory (Azure AD) accounts to manage its resources. Review user accounts and access assignments regularly to ensure the accounts and their access are valid. You can use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management to create an access review report workflow to facilitate the review process.
In addition, Azure Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.
Note: Some Azure services support local users and roles which are not managed through Azure AD. You will need to manage these users separately.
PA-7: Follow just enough administration (least privilege principle)
Guidance: Microsoft Defender for Cloud Apps is integrated with Azure role-based access control (RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what is required by the roles. This complements the just-in-time (JIT) approach of Azure Active Directory (Azure AD) Privileged Identity Management (PIM) and should be reviewed periodically.
Use built-in roles to allocate permission and only create custom roles when required.
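An added example (not part of the baseline) that serves PA-1, PA-3 and PA-7 together: it uses the Microsoft Graph PowerShell SDK (assumed installed) to inventory the active members of the highly privileged roles listed under PA-1 and warns when a role exceeds an assumed member limit, giving you a starting list for an access review. Required Graph permissions are RoleManagement.Read.Directory and Directory.Read.All.

```powershell
# Added example, not from the baseline. Assumes the Microsoft.Graph module and a caller with
# RoleManagement.Read.Directory and Directory.Read.All.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Azure AD display names of the roles the baseline lists as highly privileged (PA-1).
$privilegedRoles = @(
    'Global Administrator', 'Security Administrator', 'Compliance Administrator',
    'Compliance Data Administrator', 'Security Operator', 'Security Reader', 'Global Reader'
)
$maxMembers = 3   # assumed limit; tune to what your organization tolerates per role

# Get-MgDirectoryRole returns only roles activated in the tenant and only their permanent
# (active) members. PIM-eligible assignments are not included; review those in PIM itself.
$roles = Get-MgDirectoryRole -All | Where-Object { $privilegedRoles -contains $_.DisplayName }

$report = foreach ($role in $roles) {
    foreach ($m in (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)) {
        $props = $m.AdditionalProperties
        $name  = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = $name
            # Groups and service principals holding these roles deserve extra scrutiny.
            Type   = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Roles over the limit are candidates for trimming or for JIT eligibility in PIM (PA-1).
$report | Group-Object Role | Where-Object { $_.Count -gt $maxMembers } | ForEach-Object {
    Write-Warning "$($_.Name): $($_.Count) active members (limit $maxMembers); schedule an access review (PA-3)."
}
```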
Data Protection
For more information, see the Azure Security Benchmark: Data Protection.
DP-1: Discovery, classify and label sensitive data
Guidance: Microsoft Defender for Cloud Apps manages sensitive data; all data flow is covered by the Microsoft privacy review and SDL process. Customers have no ability to control the data,
DP-2: Protect sensitive data
Guidance: Microsoft Defender for Cloud Apps manages sensitive data and uses Azure Active Directory (Azure AD) roles to control permissions for different types of data.
DP-4: Encrypt sensitive information in transit
Guidance: Microsoft Defender for Cloud Apps supports data encryption in transit with TLS v1.2 or greater.
While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsolete SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled.
By default, Azure provides encryption for data in transit between Azure data centers.
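An added example (not part of the baseline): PowerShell that turns off the obsolete SSL and TLS versions in the Windows SCHANNEL client configuration so the host can only negotiate TLS 1.2 or later with Azure endpoints, then prints the resulting state. It assumes an elevated session on a Windows host with no remaining dependency on TLS 1.0/1.1; a reboot applies the change.

```powershell
# Added example, not from the baseline. Run elevated; SCHANNEL changes take effect after a reboot.
# Assumption: nothing on this host still requires SSL 3.0, TLS 1.0 or TLS 1.1.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Versions the baseline calls obsolete, and the minimum version to keep available.
$disable = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')
$enable  = @('TLS 1.2')

foreach ($proto in $disable + $enable) {
    $key = Join-Path $base "$proto\Client"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $on = $enable -contains $proto
    # Enabled=0 with DisabledByDefault=1 switches a version off for all callers;
    # Enabled=1 with DisabledByDefault=0 keeps it negotiable.
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$on)        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $on)) -Force | Out-Null
}

# Make .NET Framework callers (for example Windows PowerShell 5.1 scripts) follow the OS
# defaults instead of pinning an older protocol list of their own.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $fw) {
        New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Show the client-side protocol state before rebooting.
Get-ChildItem $base -Recurse | Where-Object { $_.PSChildName -eq 'Client' } | ForEach-Object {
    [pscustomobject]@{
        Protocol          = Split-Path $_.PSParentPath -Leaf
        Enabled           = $_.GetValue('Enabled')
        DisabledByDefault = $_.GetValue('DisabledByDefault')
    }
}
```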
DP-5: Encrypt sensitive data at rest
Guidance: Microsoft Defender for Cloud Apps encrypts data at rest to protect against ‘out-of-band’ attacks, such as accessing the underlying storage directly. This helps ensure that attackers cannot easily read or modify the data.
Asset Management
For more information, see the Azure Security Benchmark: Asset Management.
AM-1: Ensure security team has visibility into risks for assets
Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud.
Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.
Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.
Note: Additional permissions might be required to get visibility into workloads and services.
Logging and Threat Detection
For more information, see the Azure Security Benchmark: Logging and Threat Detection.
LT-1: Enable threat detection for Azure resources
Guidance: Forward any logs from Microsoft Defender for Cloud Apps to your SIEM, where they can be used to set up custom threat detections. Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.
LT-7: Use approved time synchronization sources
Guidance: Not applicable; Microsoft Defender for Cloud Apps does not support configuring your own time synchronization sources. The Microsoft Defender for Cloud Apps service relies on Microsoft time synchronization sources and is not exposed to customers for configuration.
Posture and Vulnerability Management
For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.
PV-6: Perform software vulnerability assessments
Guidance: Microsoft performs vulnerability management on the underlying systems that support Microsoft Defender for Cloud Apps.
PV-8: Conduct regular attack simulation
Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.