Azure Security

Service description

Microsoft offers a number of services for securing the full range of services available in Azure. Keep in mind that security in the Cloud is above all a question of responsibility. The Cloud Provider cannot be responsible for every aspect of security. If the customer does not apply good practices and misconfigures the services and access to them, the Cloud Provider cannot be held responsible. Nevertheless, Microsoft provides a service named Azure Security Center that reports certain metrics about the security measures in place. This service is offered in 2 SKUs, and naturally the metrics are more precise depending on which one is chosen.

Microsoft has worked jointly with the CIS (Center for Internet Security).

When you want to implement security governance in Azure, you have to work on what is called a “platform security baseline”. Two levels must be taken into account:

  • Level 1 - Recommended minimum security settings
  • Level 2 - Recommendations for highly secure environments

For each level, the recommendations are grouped into categories:

  • Identity & Access Management (IAM) / Recommendations related to IAM policies (23)
  • Azure Security Center / Recommendations related to the configuration and use of Azure Security Center (19)
  • Storage accounts / Recommendations for setting storage account policies (7)
  • Azure SQL Database / Recommendations for helping secure Azure SQL databases (8)
  • Logging and monitoring / Recommendations for setting logging and monitoring policies for your Azure subscriptions (13)
  • Networking / Recommendations for helping to securely configure Azure networking settings and policies (5)
  • VMs / Recommendations for setting security policies for Azure compute services - specifically VMs (6)
  • Other / Recommendations regarding general security and operational controls, including those related to Azure Key Vault and resource locks (3)

The total number of recommendations is 84. The recommendations are presented in the Deploying section below.

Deploying

To put a security guideline in place in Azure, carry out the following actions:

**IAM recommendations**

  • Restrict access to the Azure AD administration portal - Level 1
  • Enable Azure Multi-Factor Authentication (MFA) - Level 2
  • Block remembering MFA on trusted devices - Level 2
  • About guests - Level 1
  • Notify users on password resets - Level 1
  • Notify all admins when other admins reset passwords - Level 2
  • Require two methods to reset passwords - Level 1
  • Establish an interval for reconfirming user authentication methods - Level 1
  • Members and guests can invite - Level 2
  • Users to create and manage security groups - Level 2
  • Self-service group management enabled - Level 2
  • Allow users to register apps - Level 2

**Azure Security Center recommendations**

  • Enable the Standard pricing tier - Level 2
  • Enable the automatic provision of a monitoring agent - Level 1
  • Enable System Updates - Level 1
  • Enable Security Configurations - Level 1
  • Enable Endpoint Protection - Level 1
  • Enable Disk Encryption - Level 1
  • Enable Network Security Groups - Level 1
  • Enable Web Application Firewall - Level 1
  • Enable Vulnerability Assessment - Level 1
  • Enable Storage Encryption - Level 1
  • Enable JIT Network Access - Level 1
  • Enable Adaptive Application Controls - Level 1
  • Enable SQL Auditing & Threat Detection - Level 1
  • Enable SQL Encryption - Level 1
  • Set Security Contact Email and Phone Number - Level 1
  • Enable Send me emails about alerts - Level 1
  • Enable Send email also to subscription owners - Level 1

**Azure Storage account recommendations**

  • Require security-enhanced transfers - Level 1
  • Enable binary large object (blob) encryption - Level 1
  • Periodically regenerate access keys - Level 1
  • Require Shared Access Signature (SAS) tokens to expire within an hour - Level 1
  • Require SAS tokens to be shared only via HTTPS - Level 1
  • Enable Azure Files encryption - Level 1
  • Require only private access to blob containers - Level 1
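The storage account recommendations above can be checked mechanically. The following is an added example, not code from the original page or from Microsoft: it evaluates a storage account configuration against the HTTPS-only, blob/file encryption and private-container rules, and checks a Shared Access Signature against the one-hour validity and HTTPS-only rules. The account dictionary is a constructed sample shaped like the JSON printed by `az storage account show` (the camelCase field names are assumed); the SAS query strings are constructed and use the documented SAS parameters `st` (start), `se` (expiry) and `spr` (protocol).

```python
"""Check a storage account configuration and SAS tokens against the CIS
storage account recommendations (added example, not from the original page)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample: field names mirror `az storage account show` output
# (assumed), the values are made up to trigger several findings.
SAMPLE_ACCOUNT: Dict = {
    "name": "examplestorage",
    "enableHttpsTrafficOnly": False,
    "allowBlobPublicAccess": True,
    "encryption": {
        "services": {
            "blob": {"enabled": True},
            "file": {"enabled": False},
        }
    },
}

# Constructed SAS query strings; the signatures are dummy placeholders.
SAS_OK = ("sv=2019-02-02&st=2019-11-28T10:00:00Z&se=2019-11-28T10:45:00Z"
          "&spr=https&sp=r&sig=DUMMY")
SAS_BAD = ("sv=2019-02-02&st=2019-11-28T10:00:00Z&se=2019-11-29T10:00:00Z"
           "&spr=https,http&sp=r&sig=DUMMY")


def _iso(ts: str) -> datetime:
    """Parse the UTC timestamps used in SAS parameters (YYYY-MM-DDThh:mm:ssZ)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_storage_account(account: Dict) -> List[str]:
    """Return the list of failed recommendations; an empty list means compliant."""
    findings: List[str] = []
    services = account.get("encryption", {}).get("services", {})
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append("secure transfer (HTTPS only) is not required")
    if not services.get("blob", {}).get("enabled", False):
        findings.append("blob service encryption is disabled")
    if not services.get("file", {}).get("enabled", False):
        findings.append("Azure Files encryption is disabled")
    if account.get("allowBlobPublicAccess", True):
        findings.append("anonymous (public) blob container access is allowed")
    return findings


def check_sas_token(sas: str, now: Optional[datetime] = None) -> List[str]:
    """Check a SAS token's validity window and protocol restriction.

    The window is measured from the signed start (`st`) when present; a token
    without `st` is valid immediately, so `now` is used as the start instead.
    """
    params = {k: v[0] for k, v in parse_qs(sas).items()}
    findings: List[str] = []
    if "se" not in params:
        findings.append("SAS token has no expiry (se)")
    else:
        start = _iso(params["st"]) if "st" in params else (now or datetime.now(timezone.utc))
        if _iso(params["se"]) - start > timedelta(hours=1):
            findings.append("SAS token is valid for more than one hour")
    if params.get("spr") != "https":
        findings.append("SAS token is not restricted to HTTPS (spr=https)")
    return findings


if __name__ == "__main__":
    for finding in check_storage_account(SAMPLE_ACCOUNT):
        print("account:", finding)
    for label, token in (("ok", SAS_OK), ("bad", SAS_BAD)):
        print(label, check_sas_token(token) or "compliant")
```

Feeding the real output of `az storage account show --name <account> -o json` into `check_storage_account` gives the same findings for a live account; the SAS check works on any SAS query string, including ones copied from an application configuration.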

**Azure SQL Server recommendations**

  • Enable auditing - Level 1
  • Enable a threat detection service - Level 1
  • Enable all threat detection types - Level 1
  • Enable the option to send security alerts - Level 1
  • Enable the email service and co-administrators - Level 1
  • Configure audit retention for more than 90 days - Level 1
  • Configure threat detection retention for more than 90 days - Level 1

**Logging and monitoring recommendations**

  • Ensure that a log profile exists - Level 1
  • Ensure that activity log retention is set to 365 days or more - Level 1
  • Create an activity log alert for “Creating a policy assignment” - Level 1
  • Create an activity log alert for “Creating, updating, or deleting a Network Security Group” - Level 1
  • Create an activity log alert for “Creating or updating an SQL Server firewall rule” - Level 1

**Azure networking security recommendations**

  • Restrict RDP and SSH access from the Internet - Level 1
  • Restrict SQL Server access from the Internet - Level 1
  • Configure the NSG flow log retention period for more than 90 days - Level 2
  • Enable Network Watcher - Level 1
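The first two networking recommendations are the ones most often violated by a single broad rule. The following is an added example, not code from the original page or from Microsoft: it walks the inbound rules of a Network Security Group in priority order, the way the platform evaluates them, and reports whether SSH (22) or RDP (3389) is reachable from the Internet. The rule list is a constructed sample shaped like the `securityRules` array of a `Microsoft.Network/networkSecurityGroups` resource (`priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`, `destinationPortRange` and their plural variants); the rule names and addresses are made up. It also handles the case the simple "is there an Allow from *" check gets wrong: a Deny with a lower priority number shields the port even when a broader Allow follows it.

```python
"""Report management ports (SSH, RDP) that an NSG exposes to the Internet
(added example, not from the original page)."""
from typing import Dict, List

# Source prefixes that mean "any Internet source" for the purpose of this check.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "/0"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample rules (not taken from a real subscription).
SAMPLE_RULES: List[Dict] = [
    {"name": "AllowSshFromBastion", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24",
     "destinationPortRange": "22"},
    {"name": "DenyRdpFromInternet", "priority": 200, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "3389"},
    {"name": "AllowAnyInbound", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["1-1024", "3389"]},
    {"name": "AllowRdpOutbound", "priority": 110, "direction": "Outbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
]


def _ports(rule: Dict) -> List[str]:
    """Collect the destination port specs, whether given singular or plural."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return specs


def _sources(rule: Dict) -> List[str]:
    """Collect the source prefixes, whether given singular or plural."""
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return prefixes


def _port_matches(spec: str, port: int) -> bool:
    """Match a port spec of the form '*', '22' or '1000-2000' against a port."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def exposed_management_ports(rules: List[Dict]) -> Dict[int, str]:
    """Return {port: name of the Allow rule that exposes it} for exposed ports.

    Inbound rules are evaluated from the lowest priority number upwards; the
    first rule that matches Internet-sourced TCP traffic to the port decides.
    Rules with a narrower source are skipped: on their own they can neither
    block nor allow traffic from the Internet as a whole. With no match the
    platform's default DenyAllInBound rule applies, so the port is not exposed.
    """
    exposed: Dict[int, str] = {}
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    for port in MANAGEMENT_PORTS:
        for rule in inbound:
            if rule.get("protocol") not in ("*", "Tcp"):
                continue
            if not INTERNET_SOURCES.intersection(_sources(rule)):
                continue
            if not any(_port_matches(spec, port) for spec in _ports(rule)):
                continue
            if rule.get("access") == "Allow":
                exposed[port] = rule["name"]
            break  # first matching rule decides, Allow or Deny
    return exposed


if __name__ == "__main__":
    for port, rule_name in exposed_management_ports(SAMPLE_RULES).items():
        print(f"{MANAGEMENT_PORTS[port]} ({port}) is open to the Internet via rule {rule_name}")
```

On the sample, SSH is reported as exposed through `AllowAnyInbound`, while RDP is not, because `DenyRdpFromInternet` sits at a lower priority number than the broad Allow. The outbound rule is ignored entirely. The same function accepts the `securityRules` list from `az network nsg show -o json`.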

**Azure VM recommendations**

  • A VM agent must be installed and enabled for data collection for Azure Security Center - Level 1
  • Ensure that OS disks are encrypted - Level 1
  • Ensure only approved extensions are installed - Level 1
  • Ensure that the OS patches for the VMs are applied - Level 1
  • Ensure that VMs have an installed and running endpoint protection solution - Level 1

**Others**

  • Set an expiration date on all keys in Azure Key Vault - Level 1
  • Set an expiration date on all secrets in Azure Key Vault - Level 1
  • Set resource locks for mission-critical Azure resources - Level 2
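The two Key Vault recommendations reduce to one audit: every key and secret must carry an expiration date, and an object that has already expired should not still be enabled. The following is an added example, not code from the original page or from Microsoft. The inventory is a constructed list shaped like the `attributes` block (`enabled`, `expires`) that `az keyvault key list` and `az keyvault secret list` return; the `kind` field and all names are made up for the example, and `now` is injectable so the result is reproducible.

```python
"""Audit Key Vault keys and secrets for missing or past expiration dates
(added example, not from the original page)."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample inventory: names and the `kind` field are made up; the
# `attributes` shape follows `az keyvault key list` / `az keyvault secret list`.
SAMPLE_OBJECTS: List[Dict] = [
    {"name": "signing-key", "kind": "key",
     "attributes": {"enabled": True, "expires": "2020-05-01T00:00:00+00:00"}},
    {"name": "legacy-key", "kind": "key",
     "attributes": {"enabled": True, "expires": None}},
    {"name": "db-password", "kind": "secret",
     "attributes": {"enabled": True, "expires": "2019-01-01T00:00:00+00:00"}},
    {"name": "old-token", "kind": "secret",
     "attributes": {"enabled": False, "expires": "2019-01-01T00:00:00+00:00"}},
]


def audit_expiration(objects: List[Dict],
                     now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Return objects with no expiry, and objects expired but still enabled.

    Both lists hold labels of the form "<kind>/<name>". A disabled object
    whose expiry has passed is not reported: it is already unusable.
    """
    now = now or datetime.now(timezone.utc)
    report: Dict[str, List[str]] = {"no_expiry": [], "expired_but_enabled": []}
    for obj in objects:
        attrs = obj.get("attributes", {})
        label = f"{obj.get('kind', 'object')}/{obj['name']}"
        expires = attrs.get("expires")
        if not expires:
            report["no_expiry"].append(label)
            continue
        # az prints ISO-8601 timestamps with an explicit offset, which
        # datetime.fromisoformat parses directly.
        if datetime.fromisoformat(expires) <= now and attrs.get("enabled", False):
            report["expired_but_enabled"].append(label)
    return report


if __name__ == "__main__":
    reference = datetime(2019, 11, 28, tzinfo=timezone.utc)
    for category, labels in audit_expiration(SAMPLE_OBJECTS, reference).items():
        print(f"{category}: {', '.join(labels) or 'none'}")
```

Run against the date of this page, the sample reports `key/legacy-key` under `no_expiry` and `secret/db-password` under `expired_but_enabled`; `secret/old-token` is expired too but already disabled, so it is left out.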

Pricing

Resources

Last update 28.11.2019