Specify security requirements for web workloads


This unit summarizes the Azure security baseline for App Service to help you write requirements specifications for web workloads.

For more background on the Microsoft Cloud Security Benchmark, refer to Introduction to Microsoft Cybersecurity Reference Architecture and cloud security benchmark.

The table below includes the controls from the full baseline where:

  • the security control is supported by App Service but not enabled by default, or
  • the baseline gives explicit guidance that requires action on the customer's part.
| Area | Control | Feature | Guidance summary |
|---|---|---|---|
| Network security | NS-1: Establish network segmentation boundaries | Virtual Network Integration | Ensure a stable IP for outbound communication towards internet addresses. The Virtual Network integration feature gives the app a stable outbound IP, which lets the receiving party allowlist by IP if needed. |
| Network security | NS-2: Secure cloud services with network controls | Azure Private Link | Use private endpoints for your Azure Web Apps so that clients in your private network access the apps securely over Private Link. The private endpoint uses an IP address from your Azure VNet address space. |
| Network security | NS-2: Secure cloud services with network controls | Disable Public Network Access | Disable public network access using service-level IP ACL filtering rules, private endpoints, or by setting the publicNetworkAccess property to Disabled in Azure Resource Manager. |
| Network security | NS-5: Deploy DDoS protection | | Enable DDoS Protection on the virtual network hosting your App Service's Web Application Firewall. Azure provides DDoS infrastructure (Basic) protection on its network by default. For intelligent DDoS mitigation, enable Azure DDoS Protection, which learns normal traffic patterns and detects anomalous behavior. Azure DDoS Protection has two tiers: Network Protection and IP Protection. |
| Network security | NS-6: Deploy web application firewall | | Avoid the WAF being bypassed. Lock down access to the app so that only the WAF can reach it, using a combination of Access Restrictions, Service Endpoints and Private Endpoints. |
| Identity management | IM-1: Use centralized identity and authentication system | Microsoft Entra authentication Required for Data Plane Access | For authenticated web applications, only use well-known, established identity providers to authenticate and authorize user access. |
| Identity management | IM-1: Use centralized identity and authentication system | Local Authentication Methods for Data Plane Access | Restrict the use of local authentication methods for data plane access. Use Microsoft Entra ID as the default authentication method to control data plane access instead. |
| Identity management | IM-3: Manage application identities securely and automatically | Managed Identities | Use Azure managed identities instead of service principals where possible; they can authenticate to Azure services and resources that support Microsoft Entra authentication. Managed identity credentials are fully managed, rotated and protected by the platform, which avoids hard-coded credentials in source code or configuration files. |
| Identity management | IM-7: Restrict resource access based on conditions | Conditional Access for Data Plane | Define the applicable conditions and criteria for Microsoft Entra Conditional Access in the workload. |
| Identity management | IM-8: Restrict the exposure of credential and secrets | Service Credential and Secrets Support Integration and Storage in Azure Key Vault | Store app secrets and credentials in a secure location such as Azure Key Vault instead of embedding them in code or configuration files. Use a managed identity on the app to access the credentials or secrets stored in Key Vault. |
| Privileged access | PA-8: Determine access process for cloud provider support | Customer Lockbox | In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review, then approve or reject, each of Microsoft's data access requests. |
| Data protection | DP-3: Encrypt sensitive data in transit | Data in Transit Encryption | Use and enforce the default minimum TLS version of 1.2, configured in the TLS/SSL settings, to encrypt all information in transit. Also ensure that all HTTP connection requests are redirected to HTTPS. |
| Data protection | DP-5: Use customer-managed key option in data at rest encryption when required | Data at Rest Encryption Using CMK | If required for regulatory compliance, define the use case and service scope where encryption with customer-managed keys is needed, then enable and implement data-at-rest encryption with customer-managed keys for those services. |
| Data protection | DP-6: Use a secure key management process | Key Management in Azure Key Vault | Use Azure Key Vault to create and control the life cycle of your encryption keys, including key generation, distribution and storage. Rotate and revoke keys in Azure Key Vault and in your service on a defined schedule, and whenever a key is retired or compromised. |
| Data protection | DP-7: Use a secure certificate management process | Certificate Management in Azure Key Vault | App Service can use SSL/TLS and other certificates that are either uploaded directly to App Service or referenced from Key Vault. To keep all certificates and secrets under central management, store the certificates App Service uses in Key Vault rather than deploying them locally on App Service. |
| Asset management | AM-2: Use only approved services | | |
| Asset management | AM-4: Limit access to asset management | | Isolate systems that process sensitive information. Use separate App Service Plans or App Service Environments, and consider using different subscriptions or management groups. |
| Logging and threat detection | LT-1: Enable threat detection capabilities | Microsoft Defender for Service / Product Offering | Use Microsoft Defender for App Service to identify attacks targeting applications running on App Service. |
| Logging and threat detection | LT-4: Enable logging for security investigation | Azure Resource Logs | Enable resource logs for your web apps on App Service. |
| Posture and vulnerability management | PV-2: Audit and enforce secure configurations | | Turn off remote debugging. Remote debugging must not be enabled for production workloads, because it opens additional ports on the service and increases the attack surface. |
| Posture and vulnerability management | PV-7: Conduct regular red team operations | | Conduct regular penetration tests on your web applications, following the Microsoft penetration testing rules of engagement. |
| Backup and recovery | BR-1: Ensure regular automated backups | Azure Backup | Where possible, implement a stateless application design to simplify backup and recovery with App Service. If you do need a stateful application, enable the Backup and Restore feature in App Service, which lets you create app backups manually or on a schedule. |
| DevOps security | DS-6: Enforce security of workload throughout DevOps lifecycle | | Deploy code to App Service only from a controlled and trusted environment, such as a well-managed and secured DevOps deployment pipeline. This prevents code that has not been version-controlled and verified from being deployed from an untrusted host. |
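Several of the controls above (NS-1, NS-6, IM-3, IM-8, DP-3, PV-2) are properties of the web app resource itself, so a requirements specification can be made concrete as a template. The following Bicep is an added example written for this page; it is not code from the Learn unit or from the App Service baseline. It declares an internet-facing web app that is reachable only through an Azure Front Door WAF. The parameter and resource names, the use of Front Door as the WAF, and the pre-existing plan, subnet and Key Vault secret are assumptions.

```bicep
// Added example: internet-facing App Service hardened to the baseline controls in this unit.
// Assumptions: an existing App Service plan, a delegated subnet for VNet integration,
// an Azure Front Door profile acting as the WAF, and a Key Vault secret the app may read.

@description('Web app name (assumed value).')
param appName string = 'contoso-web'
param location string = resourceGroup().location

@description('Resource ID of an existing App Service plan.')
param planId string

@description('Resource ID of an existing subnet delegated to Microsoft.Web/serverFarms (NS-1).')
param integrationSubnetId string

@description('Front Door profile ID; only requests carrying it in X-Azure-FDID pass the lock-down (NS-6).')
param frontDoorId string

@description('Key Vault secret URI (no version, so rotation is picked up) read via a Key Vault reference (IM-8).')
param dbConnectionSecretUri string

resource site 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  kind: 'app'
  identity: {
    type: 'SystemAssigned'               // IM-3: platform-managed, auto-rotated credential
  }
  properties: {
    serverFarmId: planId
    httpsOnly: true                      // DP-3: every HTTP request is redirected to HTTPS
    virtualNetworkSubnetId: integrationSubnetId  // NS-1: stable outbound IP via VNet integration
    siteConfig: {
      minTlsVersion: '1.2'               // DP-3: reject TLS 1.0/1.1 clients
      ftpsState: 'Disabled'              // PV-2: no FTP/FTPS deployment endpoint
      remoteDebuggingEnabled: false      // PV-2: remote debugging opens additional ports
      vnetRouteAllEnabled: true          // NS-1: all outbound traffic leaves through the VNet
      http20Enabled: true
      // NS-6: default-deny, then allow only the Front Door backend range AND only our profile,
      // so another tenant's Front Door cannot be used to bypass our WAF policy.
      ipSecurityRestrictionsDefaultAction: 'Deny'
      ipSecurityRestrictions: [
        {
          name: 'allow-frontdoor'
          priority: 100
          action: 'Allow'
          tag: 'ServiceTag'
          ipAddress: 'AzureFrontDoor.Backend'
          headers: {
            'x-azure-fdid': [ frontDoorId ]
          }
        }
      ]
      // The Kudu/SCM site gets its own default-deny; deployments come from the pipeline (DS-6),
      // not from developers' hosts.
      scmIpSecurityRestrictionsUseMain: false
      scmIpSecurityRestrictionsDefaultAction: 'Deny'
      appSettings: [
        {
          // IM-8: resolved at runtime through the managed identity; the template holds no secret.
          name: 'DB_CONNECTION'
          value: '@Microsoft.KeyVault(SecretUri=${dbConnectionSecretUri})'
        }
      ]
    }
  }
}

// Grant this principal 'Key Vault Secrets User' on the vault (out of scope here) or the
// Key Vault reference will fail to resolve and the app setting stays empty.
output principalId string = site.identity.principalId
```

Two checks worth adding to the requirement itself: the access-restriction rule must match on the `X-Azure-FDID` header, not only on the `AzureFrontDoor.Backend` service tag, because that tag covers every customer's Front Door; and the Key Vault reference only works once the app's managed identity has been granted read access to the secret, which is a separate role assignment on the vault.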
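For an internal application the NS-2 row points the other way: rather than allowlisting a WAF, remove the app from the public network entirely and expose it through a private endpoint, and wire up the resource logs LT-4 asks for. This Bicep is an added example for this page, not code from the Learn unit or the baseline; the names, the existing plan, subnet and Log Analytics workspace are assumptions.

```bicep
// Added example: internal-only App Service reachable solely over Private Link, with
// resource logs shipped to Log Analytics. Assumes an existing plan, a subnet for the
// private endpoint, and an existing Log Analytics workspace.

@description('Web app name (assumed value).')
param appName string = 'contoso-internal-web'
param location string = resourceGroup().location

@description('Resource ID of an existing App Service plan.')
param planId string

@description('Resource ID of the subnet that will host the private endpoint NIC (NS-2).')
param privateEndpointSubnetId string

@description('Resource ID of an existing Log Analytics workspace (LT-4).')
param logAnalyticsWorkspaceId string

resource site 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  kind: 'app'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: planId
    httpsOnly: true
    publicNetworkAccess: 'Disabled'      // NS-2: no inbound path from the internet at all
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      remoteDebuggingEnabled: false
    }
  }
}

// NS-2: the private endpoint takes an IP from our VNet; clients resolve the app to that IP.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${appName}-pe'
  location: location
  properties: {
    subnet: {
      id: privateEndpointSubnetId
    }
    privateLinkServiceConnections: [
      {
        name: '${appName}-plsc'
        properties: {
          privateLinkServiceId: site.id
          groupIds: [ 'sites' ]          // 'sites' is the App Service sub-resource for Private Link
        }
      }
    ]
  }
}

// LT-4: resource logs. HTTP logs give request-level evidence, audit logs record publishing
// (FTP/SCM) logins, IPSec audit logs record requests blocked by access restrictions.
resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'security-logs'
  scope: site
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      { category: 'AppServiceHTTPLogs', enabled: true }
      { category: 'AppServiceAuditLogs', enabled: true }
      { category: 'AppServiceIPSecAuditLogs', enabled: true }
      { category: 'AppServicePlatformLogs', enabled: true }
    ]
  }
}

output privateEndpointId string = privateEndpoint.id
```

Two operational caveats belong in the requirement. Name resolution: clients must resolve `<app>.azurewebsites.net` to the private endpoint IP, which in practice means a `privatelink.azurewebsites.net` private DNS zone linked to the VNet (not included above). Deployment path: with `publicNetworkAccess` set to `Disabled` the SCM/Kudu endpoint is also unreachable from the internet, so the pipeline in DS-6 needs a self-hosted agent inside the VNet or another private route to deploy.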