Security Control v3: Asset management

Asset Management covers controls to ensure security visibility and governance over Azure resources, including recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct).

AM-1: Track asset inventory and their risks

CIS Controls v8 ID(s): 1.1, 1.5, 2.1, 2.4
NIST SP 800-53 r4 ID(s): CM-8, PM-5
PCI-DSS v3.2.1 ID(s): 2.4

Security Principle: Track your asset inventory by query and discover all your cloud resources. Logically organize your assets by tagging and grouping your assets based on their service nature, location, or other characteristics. Ensure your security organization has access to a continuously updated inventory of assets.

Ensure your security organization can monitor the risks of the cloud assets by always having security insights and risks aggregated centrally.

Azure Guidance: The Microsoft Defender for Cloud inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources. Logically organize assets according to your organization's taxonomy using Tags as well as other metadata in Azure (Name, Description, and Category).

Ensure that security organizations have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvements.

Ensure security organizations are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud. Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.

Note: Additional permissions might be required to get visibility into workloads and services.

AM-2: Use only approved services

CIS Controls v8 ID(s): 2.5, 2.6, 2.7, 4.8
NIST SP 800-53 r4 ID(s): CM-8, PM-5
PCI-DSS v3.2.1 ID(s): 6.3

Security Principle: Ensure that only approved cloud services can be used, by auditing and restricting which services users can provision in the environment.

Azure Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules that trigger alerts when a non-approved service is detected.
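
An added example covering both AM-1 (inventory, grouping and tagging) and AM-2 (approved services); it is not code from the benchmark. It reviews a constructed inventory in the shape of an Azure Resource Graph result for tag completeness, builds an Azure Policy rule in the "allowed resource types" pattern, and evaluates that one rule shape locally. Resource names, subscription ids, the required tag names and the allowed-type list are assumptions; the evaluator models only this rule, not the Azure Policy engine.

```python
from collections import Counter

# Constructed sample in the shape of an Azure Resource Graph "Resources" row set;
# names, subscription ids and tags are made up for this example.
INVENTORY = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
     "subscriptionId": "sub-a", "tags": {"owner": "web-team", "env": "prod"}},
    {"name": "stprodlogs", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "subscriptionId": "sub-a", "tags": {"owner": "platform"}},
    {"name": "kv-legacy", "type": "Microsoft.KeyVault/vaults", "location": "eastus",
     "subscriptionId": "sub-b", "tags": {}},
    {"name": "hdi-experiment", "type": "Microsoft.HDInsight/clusters", "location": "eastus",
     "subscriptionId": "sub-b", "tags": {"owner": "data-team", "env": "dev"}},
]
REQUIRED_TAGS = ("owner", "env")  # assumed organizational taxonomy
ALLOWED_TYPES = ["Microsoft.Compute/virtualMachines", "Microsoft.Storage/storageAccounts",
                 "Microsoft.KeyVault/vaults"]

def allowed_types_policy(allowed, effect="Audit"):
    """Policy rule in the 'allowed resource types' pattern: 'if' matches any resource
    whose type is NOT in the list. Start with Audit; switch to Deny once the estate is clean."""
    return {"mode": "All",
            "policyRule": {"if": {"not": {"field": "type", "in": list(allowed)}},
                           "then": {"effect": effect}}}

def evaluate(resource, policy):
    """Local evaluation of that one rule shape (type compared case-insensitively, as Azure does)."""
    cond = policy["policyRule"]["if"]["not"]
    in_list = resource[cond["field"]].lower() in {t.lower() for t in cond["in"]}
    return "Compliant" if in_list else policy["policyRule"]["then"]["effect"]

def missing_tags(inventory, required=REQUIRED_TAGS):
    """Resource name -> required tags it lacks (only resources with gaps)."""
    gaps = {r["name"]: [t for t in required if t not in r.get("tags", {})] for r in inventory}
    return {name: tags for name, tags in gaps.items() if tags}

def group_by_type_and_location(inventory):
    """Logical grouping of the estate as a (type, location) -> count table."""
    return Counter((r["type"], r["location"]) for r in inventory)

def policy_findings(inventory, policy):
    """Resources the policy would flag, with the effect that would apply."""
    return [(r["name"], evaluate(r, policy)) for r in inventory
            if evaluate(r, policy) != "Compliant"]

if __name__ == "__main__":
    policy = allowed_types_policy(ALLOWED_TYPES)
    print("groups:", dict(group_by_type_and_location(INVENTORY)))
    print("missing tags:", missing_tags(INVENTORY))
    print("policy findings:", policy_findings(INVENTORY, policy))
```

Running the real Resource Graph query and assigning the policy still happens in Azure; the local check is useful for reviewing an exported inventory before switching the effect from Audit to Deny.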

AM-3: Ensure security of asset lifecycle management

CIS Controls v8 ID(s): 1.1, 2.1
NIST SP 800-53 r4 ID(s): CM-8, CM-7
PCI-DSS v3.2.1 ID(s): 2.4

Security Principle: Ensure security attributes or configurations of the assets are always updated during the asset lifecycle.

Azure Guidance: Establish or update security policies and processes that address asset lifecycle management for potentially high-impact modifications. These modifications include changes to identity providers and access, data sensitivity, network configuration, and administrative privilege assignment.

Remove Azure resources when they are no longer needed.

AM-4: Limit access to asset management

CIS Controls v8 ID(s): 3.3
NIST SP 800-53 r4 ID(s): AC-3
PCI-DSS v3.2.1 ID(s): N/A

Security Principle: Limit users' access to asset management features, to avoid accidental or malicious modification of the assets in your cloud.

Azure Guidance: Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources (assets) in Azure. Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App.

AM-5: Use only approved applications in virtual machines

CIS Controls v8 ID(s): 2.5, 2.6, 2.7, 4.8
NIST SP 800-53 r4 ID(s): CM-8, CM-7, CM-10, CM-11
PCI-DSS v3.2.1 ID(s): 6.3

Security Principle: Ensure that only authorized software executes by creating an allow list and blocking unauthorized software from executing in your environment.

Azure Guidance: Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also use the adaptive application controls of Defender for Cloud (formerly Azure Security Center, ASC) to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.

Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace.

Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources.

You can also use a third-party solution to discover and identify unapproved software.
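
An added example for the allow-list check described above (not code from the benchmark or from Change Tracking): it compares constructed software inventory rows, in the shape Change Tracking reports (name, version, publisher, machine), against an assumed allow list keyed on product name and publisher with a minimum version. Machine names, products, publishers and versions are constructed; the point it adds is that a familiar product name under an unexpected publisher, or below the approved version, is reported separately from plainly unlisted software.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SoftwareRecord:
    computer: str
    name: str
    version: str
    publisher: str

# Constructed rows in the shape of Change Tracking's software inventory
# (machine names, products and versions are made up for this example).
INVENTORY = [
    SoftwareRecord("vm-web-01", "OpenSSL", "3.0.13", "OpenSSL Project"),
    SoftwareRecord("vm-web-01", "7-Zip", "23.01", "Igor Pavlov"),
    SoftwareRecord("vm-db-02", "OpenSSL", "1.1.1w", "OpenSSL Project"),
    SoftwareRecord("vm-db-02", "7-Zip", "23.01", "Unknown Vendor"),
    SoftwareRecord("vm-db-02", "UnlistedTool", "1.0", "Unknown Vendor"),
]

# Assumed allow list: approved (name, publisher) pairs and the minimum accepted version.
# Keying on the publisher too means a matching product name alone is not enough.
ALLOW_LIST = {
    ("openssl", "openssl project"): "3.0.0",
    ("7-zip", "igor pavlov"): "22.00",
}

def version_key(version):
    """Numeric tuple for comparison; trailing letters ('1.1.1w') are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def classify(rec, allow=ALLOW_LIST):
    """approved | outdated | publisher-mismatch | unapproved for one inventory row."""
    key = (rec.name.lower(), rec.publisher.lower())
    if key in allow:
        return "approved" if version_key(rec.version) >= version_key(allow[key]) else "outdated"
    if any(name == rec.name.lower() for name, _ in allow):
        return "publisher-mismatch"   # known product name, unexpected publisher
    return "unapproved"

def findings(inventory, allow=ALLOW_LIST):
    """Everything that is not approved, as (computer, name, version, verdict)."""
    return [(r.computer, r.name, r.version, classify(r, allow))
            for r in inventory if classify(r, allow) != "approved"]

if __name__ == "__main__":
    print(*findings(INVENTORY), sep="\n")
```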