Eliminate risk


Use the completed data-flow diagram, answers from the security assessment, and existing security requirements to identify potential solutions to enterprise threats and security gaps.

In this example, we used many security services available in Azure.

Visit the Microsoft cloud security benchmark to learn about each security category and the associated requirements published for public use.

Access control

Access Control domain.

| Issue | Solution |
| --- | --- |
| File access per user | Use role-based access control, which lets an administrator grant access based on roles instead of to specific employees. It makes access easier to grant, manage, and revoke. If an individual employee needs access to a highly classified resource, use just-in-time access, which grants the employee access to the resource for a short period of time. |
| No MFA | Enable MFA across each SaaS offering. Integrate with Microsoft Entra Connect for hybrid identities where applicable. |
| No password or group policy | Configure security policy settings for all endpoints with group policy or Microsoft Entra Domain Services. |
| No shared account protection | Avoid using shared accounts wherever possible. If engineering teams require a service account as part of automation or engineering work, use group managed service accounts. |
| No dedicated administrator account use | Use Microsoft Identity Manager (on-premises) or Microsoft Entra Privileged Identity Management (cloud) for privileged access management. |
| Decentralized identities | Integrate each SaaS offering with Microsoft Entra Connect for hybrid identities where applicable. Rotate passwords on all service accounts. |

Secure development

Secure Development domain.

| Issue | Solution |
| --- | --- |
| No SDL practices found | Implement the Microsoft SDL, operational security assurance, and secure DevOps practices. Move all development to cloud build servers, like GitHub Enterprise, which can be used on-premises and in the cloud and also has valuable security features. |

Business continuity

Business Continuity domain.

| Issue | Solution |
| --- | --- |
| Unencrypted backup | Use Azure Backup, which has a robust set of features, including encryption. Azure SQL transparent data encryption can be used too. |
| No business continuity plan | Use Azure paired regions and Azure Virtual Desktop on workstations. |
| No disaster recovery plan | Use Azure Site Recovery. |
| No tests or audits | Follow the Azure Backup guidance. |

Cryptography

Cryptography domain.

| Issue | Solution |
| --- | --- |
| Use of self-signed certificates in the dev environment | Use Azure Directory Services to manage your on-premises Public Key Infrastructure (PKI), and Azure Key Vault to manage APIs, passwords, certificates, and other secrets. |
| No key rotation | Use Azure Key Vault for key rotation. |
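The key-rotation row points at Azure Key Vault without showing what a rotation policy actually contains. The script below is an added example, not code from the original page: it builds the policy JSON that `az keyvault key rotation-policy update --value` accepts (a 90-day key lifetime, rotation 30 days before expiry, and a notification 7 days before expiry, all illustrative values), checks that the three durations are ordered sensibly before anything is sent to Azure, and applies the policy to an existing key. The vault and key names are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original page. Vault and key names are
# placeholders; the durations are illustrative values chosen here.

# Emit the JSON that `az keyvault key rotation-policy update --value` accepts:
#   $1 key lifetime, $2 rotate this long before expiry, $3 notify this long
#   before expiry (all ISO 8601 day durations such as P90D).
rotation_policy_json() {
  printf '{"lifetimeActions":[{"trigger":{"timeBeforeExpiry":"%s"},"action":{"type":"Rotate"}},{"trigger":{"timeBeforeExpiry":"%s"},"action":{"type":"Notify"}}],"attributes":{"expiryTime":"%s"}}\n' \
    "$2" "$3" "$1"
}

# Parse a PnD duration into a day count; fail on anything else (P2Y, PT1H).
days_of() {
  case "$1" in P*D) ;; *) return 1 ;; esac
  n=${1#P}; n=${n%D}
  case "$n" in ''|*[!0-9]*) return 1 ;; esac
  echo "$n"
}

# A policy is consistent when lifetime > rotate-before > notify-before >= 1,
# so rotation happens well before expiry and the notification only fires if
# rotation has not taken place. Returns 0 when consistent, 1 otherwise.
policy_is_consistent() {
  life=$(days_of "$1") || return 1
  rot=$(days_of "$2") || return 1
  not=$(days_of "$3") || return 1
  [ "$life" -gt "$rot" ] && [ "$rot" -gt "$not" ] && [ "$not" -ge 1 ]
}

# Apply the policy to an existing key. Usage: apply_rotation_policy VAULT KEY
# (create the key first with: az keyvault key create --vault-name VAULT \
#   --name KEY --kty RSA --size 2048). Nothing here runs until called.
apply_rotation_policy() {
  vault="$1"; key="$2"
  policy_is_consistent P90D P30D P7D || { echo "inconsistent policy" >&2; return 1; }
  policy_file=$(mktemp) || return 1
  rotation_policy_json P90D P30D P7D > "$policy_file"
  az keyvault key rotation-policy update --vault-name "$vault" --name "$key" \
    --value "$policy_file"
  status=$?
  rm -f "$policy_file"
  return $status
}
```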

Asset management

Asset Management domain.

| Issue | Solution |
| --- | --- |
| No data retention policy | Use Azure data retention practices and Azure Time Series Insights. You may also need to create an enterprise security policy that states how long to keep each resource. Use long-term retention with Azure SQL. |
| No data classification or labeling | Use Azure data discovery & classification, and Azure Information Protection for emails and documents. Also use Microsoft Purview and the built-in capabilities of Azure SQL Database, like dynamic data masking, and check out the data security and encryption guidance. |
| No folder restrictions | Assign file-level permissions using role-based access control. |
| No asset disposal or deprecation plan | Use the Azure inventory and asset management guidelines to come up with an asset disposal or deprecation plan. |
| No data encryption on shared drives and servers | Follow the data encryption guidance. |
| No Data Loss Prevention (DLP) | Use the data loss prevention compliance guidelines. |
| NAS used for both backups and file shares | First, separate the NAS by either migrating file shares completely to OneDrive or adding a secondary NAS just for file sharing. You may also use Azure Backup for your backup needs. |
| OneDrive not fully adopted | Develop and enforce timelines to give teams time to move their files. You may also use the migration center tool. Share the adoption guidelines with teams. |
| No disk encryption on enterprise machines | Follow the data encryption guidance. |
| No station lock policy | Enforce Azure group policy. |

Legal

Legal domain.

No other action needed.

Incident response

Incident Response domain.

| Issue | Solution |
| --- | --- |
| No incident response program for enterprise or product | Use the Azure incident response guidance to create an incident response program for the enterprise and its product offerings. |

Network

Network domain.

| Issue | Solution |
| --- | --- |
| No network segmentation | Segment the network into multiple subnets. If needed, consider adding a perimeter network to secure more sensitive resources. Visit segmentation strategies for information on segmenting your infrastructure in Azure. |
| No custom firewall rules | Harden firewall rules by identifying and allowing only the outbound rules you need. Check out the firewall design guidelines and consider implementing a firewall in Azure using a hub virtual network (VNet). |
| Weak VPN authentication mechanism | Connect to Azure using a site-to-site VPN. Upgrade your VPN to a validated device. Check out the Azure VPN Gateway service. Most importantly, enforce a zero-trust mindset across the company and secure workstation connections with VPN. |
| Limited data encryption | Enforce secure communication protocols in Azure, like TLS 1.2. |

Operations

Operations domain.

| Issue | Solution |
| --- | --- |
| No automated process for security patches and updates | Use automatic VM guest patching for Azure VMs, or Microsoft Intune. Integrate with Microsoft Defender for Cloud. |
| No Antivirus (AV) enforcement | Use Microsoft Defender for Endpoint for advanced threat protection. |
| No timeout session enforcement on machines | Enforce Azure group policy. |
| No Mobile Device Management (MDM) solution | Implement Microsoft Configuration Manager, which includes solutions like Microsoft Intune. It manages and monitors mobile devices, desktop computers, virtual machines, embedded devices, and servers. |
| Limited logging and monitoring | Use Azure Monitor Log Analytics and follow the Azure logging guidelines. |
| No intelligence platform or analytics service | Use Microsoft Sentinel, Microsoft's Security Information and Event Management (SIEM) solution. |
| Limited logging history | Follow the Azure logging guidelines. |

Physical and environmental

Physical and environmental domain.

| Issue | Solution |
| --- | --- |
| IT room is unlocked | Add a lock to the IT room. Examples include lock and key, code entry, and key fobs. As you continue with your investigation, consider adding a lock that also provides a logging mechanism to keep track of traffic. |
| No cameras or access records for the IT room | Consider adding a camera pointed directly at the IT room. It works well when combined with a lock that keeps a log of all entries. |
| Building owner has access to all rooms and floors | Depending on the contract signed by the company, consider excluding the IT room from that access. If that's not possible, add locked cages around the network equipment to prevent unauthorized access. |
| No building cameras or guards | Consider adding cameras pointed at each exit. If not already implemented, add doors that automatically lock upon exit. |
| No formal visitor registration process | Create a logging system to keep track of all visitors, their sponsors, and the reason for each visit. Consider using visitor badges to distinguish visitors from employees. |

Governance

Governance domain.

| Issue | Solution |
| --- | --- |
| No information security policy | Create an information security policy by using the Azure governance guidelines. |
| No risk management program | Create a risk management program by using the Azure governance guidelines. |
| No security training | Consider using Microsoft end-user security awareness training as the starting point for your training program. The IT security team should also consider certifications available from Microsoft Learn, like the Security Administrator Associate. |

Security architecture

Security architecture domain.

| Issue | Solution |
| --- | --- |
| No secure template images | Create a set of templates to be used on each VM, server, and user machine. Use the Azure architecture guidelines or Azure VM Image Builder. |
| No security baselines | Create a set of security baselines for each OS and its security configuration. Use the Azure architecture guidelines, Azure security baselines, and Azure Blueprints. |
| No formal audit to ensure hybrid infrastructure security | Follow the guidance provided by Azure best practices and patterns. |
| No human-operated ransomware protection plan | Review the human-operated ransomware guide, which contains information on securing privileged access to sensitive resources. Check out how to deploy a secure, Azure-managed workstation. |

Supplier

Supplier risk domain.

| Issue | Solution |
| --- | --- |
| No supplier management program | Consider using a supplier management questionnaire as the basis for your supplier program. |