This security baseline applies guidance from the Microsoft cloud security benchmark version 1.0 to IoT Central. The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Microsoft cloud security benchmark and the related guidance applicable to IoT Central.
You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud portal page.
When a feature has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance with the Microsoft cloud security benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Note: Features not applicable to IoT Central have been excluded. To see how IoT Central completely maps to the Microsoft cloud security benchmark, see the full IoT Central security baseline mapping file.
Security profile
The security profile summarizes high-impact behaviors of IoT Central, which may result in increased security considerations.
| Service Behavior Attribute | Value |
|---|---|
| Product Category | IoT |
| Customer can access HOST / OS | No Access |
| Service can be deployed into customer's virtual network | False |
| Stores customer content at rest | True |
Network security
For more information, see the Microsoft cloud security benchmark: Network security.
NS-1: Establish network segmentation boundaries
Features
Virtual Network Integration
Description: Service supports deployment into customer's private Virtual Network (VNet). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Feature notes: IoT Central doesn't support deploying directly into a virtual network. To secure IoT Central to a private networking environment, use Azure Private Link.
Configuration Guidance: This feature is not supported to secure this service.
NS-2: Secure cloud services with network controls
Features
Azure Private Link
Description: Service native IP filtering capability for filtering network traffic (not to be confused with NSG or Azure Firewall). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Feature notes: Private connectivity is available for device connections; it requires updating the device's DPS endpoint so that device traffic flows through the private endpoint.
Configuration Guidance: Connect your devices to your IoT Central application by using a private endpoint in an Azure Virtual Network. Private endpoints use private IP addresses from a virtual network address space to connect your devices privately to your IoT Central application.
Reference: Create and configure a private endpoint for IoT Central
Disable Public Network Access
Description: Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Feature notes: Currently, private connectivity is only enabled for device connections to the underlying IoT hubs and DPS in the IoT Central application. The IoT Central web UI and APIs continue to work through their public endpoints.
Configuration Guidance: IoT Central supports disabling public access for device connectivity, so that device traffic is reachable only through a private endpoint or from the IP ranges you specify in IP rules.
Reference: Restrict public access for devices connecting to Azure IoT Central
Identity management
For more information, see the Microsoft cloud security benchmark: Identity management.
IM-1: Use centralized identity and authentication system
Features
Azure AD Authentication Required for Data Plane Access
Description: Service supports using Azure AD authentication for data plane access. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Feature notes: Azure AD identities are supported for all data plane access in IoT Central. Azure AD users can be added to IoT Central applications for access through the portal, and their Azure AD bearer tokens can be used to authenticate with the REST API. Azure AD service principals can also be granted data plane access in IoT Central to authorize REST API calls.
Configuration Guidance: IoT Central supports two ways of authorizing REST API calls:
- Azure AD bearer token - A bearer token is associated with an Azure Active Directory user account or service principal. The token grants the caller the same permissions the user or service principal has in the IoT Central application.
- API token - Create a specific API token in the IoT Central application and associate it with a role.
Use a bearer token associated with your user account while you're developing and testing automation and scripts that use the REST API. Use a bearer token that's associated with a service principal for production automation and scripts. Use a bearer token in preference to an API token to reduce the risk of leaks and problems when tokens expire.
Reference: Authorize REST API in Azure IoT Central
Local Authentication Methods for Data Plane Access
Description: Local authentication methods supported for data plane access, such as a local username and password. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Feature notes: Avoid using local authentication methods or accounts; disable them wherever possible and use Azure AD to authenticate instead.
Configuration Guidance: IoT Central provides local authentication methods for two scenarios:
- Device authentication by shared access signature (SAS) token
- REST API authentication via API tokens
Devices authenticate with the IoT Central application by using either a shared access signature (SAS) token or an X.509 certificate. X.509 certificates are recommended in production environments.
To access an IoT Central application using the REST API, you can create and use an IoT Central API token in addition to using an Azure Active Directory bearer token. It is currently not possible to block or disable this local authentication method, but the ability to create and manage API tokens is governed by role-based access control (RBAC) and organizations.
Reference: Device authentication
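As an added illustration (not code from the page or from Microsoft) of the two REST API authorization methods described under IM-1 and the API-token scenario above, this Python helper builds the Authorization header for an IoT Central REST call from either an Azure AD bearer token or an IoT Central API token and refuses a token that is expired or close to expiry, the "problems when tokens expire" the guidance warns about. The sample tokens are constructed, and the assumption that IoT Central writes the API token's `se` field in milliseconds is noted in the code.

```python
import base64
import json
import time
from urllib.parse import parse_qs

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_expiry(token: str) -> int:
    """Return the 'exp' claim (Unix seconds) of an Azure AD bearer token.
    The signature is NOT verified here; this is only a pre-flight expiry check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT bearer token")
    return int(json.loads(_b64url_decode(parts[1]))["exp"])

def api_token_expiry(token: str) -> int:
    """Return the 'se' expiry (Unix seconds) of an IoT Central API token.
    Assumption: the service writes 'se' in milliseconds; seconds are accepted too."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not an IoT Central API token")
    se = int(parse_qs(token[len(prefix):])["se"][0])
    return se // 1000 if se > 10**11 else se

def authorization_header(token: str, now=None, min_remaining: int = 300) -> dict:
    """Build the Authorization header for an IoT Central REST call, refusing a
    token that is already expired or expires within min_remaining seconds."""
    now = int(time.time()) if now is None else now
    if token.startswith("SharedAccessSignature "):
        exp, value = api_token_expiry(token), token        # API token is sent verbatim
    else:
        exp, value = jwt_expiry(token), f"Bearer {token}"  # Azure AD token uses the Bearer scheme
    if exp - now < min_remaining:
        raise RuntimeError(f"token expires in {exp - now}s; acquire a fresh one before calling")
    return {"Authorization": value}

def _fake_jwt(exp: int) -> str:
    # Constructed, unsigned sample token for offline demonstration only (not an Azure AD token).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"

SAMPLE_BEARER = _fake_jwt(2_000_000_000)
# Constructed API token with the sr/sig/skn/se fields IoT Central uses ('se' in milliseconds).
SAMPLE_API_TOKEN = ("SharedAccessSignature sr=00000000-0000-0000-0000-000000000000"
                    "&sig=placeholder&skn=operator-token&se=2000000000000")
```

Pass the returned dict as the request headers of the REST call; a real Azure AD token would come from a library such as azure-identity rather than from `_fake_jwt`.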
IM-3: Manage application identities securely and automatically
Features
Managed Identities
Description: Data plane actions support authentication using managed identities. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: IoT Central supports system-assigned managed identities to secure connectivity to the data egress destinations configured through the continuous data export feature.
Learn more about configuring a managed identity for IoT Central applications
Learn more about using managed identities to secure connection to export destinations
Reference: Configure a managed identity
Service Principals
Description: Data plane supports authentication using service principals. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Additional Guidance: IoT Central supports adding Service Principals to data plane access. The service principal must belong to the same Azure Active Directory tenant as the Azure subscription associated with the IoT Central application.
Learn more about how to add service principals as users
The Azure Active Directory bearer token associated with the Service Principal can also be used to authenticate and authorize REST API calls.
Learn more about authenticating and authorizing IoT Central REST API calls
Reference: Azure IoT Central API service principal authentication
IM-7: Restrict resource access based on conditions
Features
Conditional Access for Data Plane
Description: Data plane access can be controlled using Azure AD Conditional Access Policies. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Privileged access
For more information, see the Microsoft cloud security benchmark: Privileged access.
PA-7: Follow just enough administration (least privilege) principle
Features
Azure RBAC for Data Plane
Description: Azure Role-Based Access Control (Azure RBAC) can be used to manage access to the service's data plane actions. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Feature notes: IoT Central currently does not support Azure Role-Based Access Control (Azure RBAC), but it provides similar capabilities within IoT Central applications through its own RBAC, custom roles that cover the entire application surface area, and organizations.
Roles enable you to control who within your organization is allowed to do various tasks in IoT Central. There are three built-in roles you can assign to users of your application. You can also create custom roles if you require finer-grained control.
Learn more about managing users and roles and creating a custom role
Organizations let you define a hierarchy that you use to manage which users can see which devices in your IoT Central application. The user's role determines their permissions over the devices they see, and the experiences they can access. Use organizations to implement a multi-tenanted application.
Learn more about how to manage IoT Central organizations
Configuration Guidance: This feature is not supported to secure this service.
Data protection
For more information, see the Microsoft cloud security benchmark: Data protection.
DP-2: Monitor anomalies and threats targeting sensitive data
Features
Data Leakage/Loss Prevention
Description: Service supports DLP solution to monitor sensitive data movement (in customer's content). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
DP-3: Encrypt sensitive data in transit
Features
Data in Transit Encryption
Description: Service supports data in-transit encryption for data plane. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | True | Microsoft |
Feature notes: Data in-transit encryption (TLS) is enabled by default in the service.
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
DP-4: Enable data at rest encryption by default
Features
Data at Rest Encryption Using Platform Keys
Description: Data at-rest encryption using platform keys is supported; any customer content at rest is encrypted with these Microsoft-managed keys. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | True | Microsoft |
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Reference: Azure data at-rest encryption by default
DP-5: Use customer-managed key option in data at rest encryption when required
Features
Data at Rest Encryption Using CMK
Description: Data at-rest encryption using customer-managed keys is supported for customer content stored by the service. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Asset management
For more information, see the Microsoft cloud security benchmark: Asset management.
AM-2: Use only approved services
Features
Azure Policy Support
Description: Service configurations can be monitored and enforced via Azure Policy. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: Azure IoT Central supports Azure Policy and offers a variety of built-in policies to support network isolation.
Reference: Azure Policy built-in policy definitions
Logging and threat detection
For more information, see the Microsoft cloud security benchmark: Logging and threat detection.
LT-1: Enable threat detection capabilities
Features
Microsoft Defender for Service / Product Offering
Description: Service has an offering-specific Microsoft Defender solution to monitor and alert on security issues. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
LT-4: Enable logging for security investigation
Features
Azure Resource Logs
Description: Service produces resource logs that can provide enhanced service-specific metrics and logging. The customer can configure these resource logs and send them to their own data sink like a storage account or log analytics workspace. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Feature notes: Service metrics are supported, but resource logs are not.
Configuration Guidance: This feature is not supported to secure this service.
Backup and recovery
For more information, see the Microsoft cloud security benchmark: Backup and recovery.
BR-1: Ensure regular automated backups
Features
Azure Backup
Description: The service can be backed up by the Azure Backup service. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Service Native Backup Capability
Description: Service supports its own native backup capability (if not using Azure Backup). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Next steps
- See the Microsoft cloud security benchmark overview
- Learn more about Azure security baselines