Security

The questions and initiatives below are based on the Security pillar of the Well-Architected Framework, on the Microsoft Security Best Practices (formerly known as the Azure Security Compass or Microsoft Security Compass) and on the Azure Security Benchmark. Reflect on each question and prioritize/plan the initiatives of the Security playbook.

Questions to ask

  • What design considerations did you make in your workload in regards to security?
  • What considerations for compliance and governance do you need to take?
  • How are you managing encryption for this workload?
  • How are you managing identity for this workload?
  • How have you secured the network of your workload?
  • What tradeoffs do you need to make to meet your security goals?
  • How are you ensuring your critical accounts are protected?

Initiatives

Validate security best practices are applied

  • Review whether the most important Azure Identity Management best practices are put in place. Some examples:
    • Validate well-defined roles and responsibilities implemented as Azure RBAC (via Management Groups) and Azure AD roles, ideally with Azure AD PIM. For enterprise scenarios, a good reference for a typical roles and responsibilities/permissions matrix is available here.
    • Validate universal usage of Azure AD-based authentication into services (Storage Accounts and Azure SQL Server are some examples)
    • Validate identity lifecycle management (Access Reviews)
    • Enforce Conditional Access (at least for Azure administrators)
    • Promote usage of Managed Identities instead of Service Principals
    • Monitor identity risk with Identity Protection
    • Implement Azure AD break-glass accounts
    • Implement separate accounts for administrators
    • Ensure on-premises AD administrators are not synced to Azure AD
  • Monitor security posture with Microsoft Defender for Cloud (MDfC) and the Secure Score. Check MDfC settings (default Log Analytics workspace, auto-provisioning or notification contacts). Ensure you periodically review and plan remediations for MDfC recommendations.
  • Review IaaS network security - network segmentation best practices, Network Security Groups applied to subnets with rules following best practices, correct usage of UDRs and Virtual Appliances such as Azure Firewall, or avoiding direct VM Internet connectivity are some examples. Other initiatives below provide useful pointers to specific actions that contribute to the overall network security health.
  • Review IaaS compute security (best practices overview)
  • Review PaaS native security controls. There are checklists for Storage Accounts and SQL Database, for example, and all other PaaS services have their own checklists as well.
  • Enforce security best practices with Azure Policy. Besides the policies built into MDfC (Azure Security Benchmark), there are other built-in Policies or custom ones that you should also consider.
  • Implement threat protection with Microsoft Defender for Cloud
  • Implement Azure DDoS Protection Standard (see helper article and script for costs estimation)
  • Implement SIEM/SOAR with Microsoft Sentinel
  • Collect and centralize audit and security logs from Azure Activity, Azure AD (incl. Sign-in logs), PaaS services (SQL, Key Vault) or NSG (flow logs)
  • Implement patch management with Azure Update Management
  • Promote usage of Private Link for private network-only access to PaaS resources
  • Assess the need for protecting public-facing web applications with a Web Application Firewall (WAF) for Azure Front Door or Application Gateway.
  • Validate data encryption at rest and in transit (see some best practices).
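One way to turn the Azure AD-only authentication and Private Link items above into an enforceable guardrail with Azure Policy is a custom definition like the one below, which flags storage accounts that still allow shared-key (account key) access or still accept traffic from public networks. This is an added example, not part of this playbook or a Microsoft built-in policy; the display name, description and the Audit default are assumptions, while the two field aliases are the standard Azure Policy aliases for storage accounts.

```json
{
  "properties": {
    "displayName": "Storage accounts should use Azure AD authentication only and disable public network access",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example custom policy: audits (or denies) storage accounts where shared key access is not explicitly disabled, or where public network access is not Disabled. Assign with Audit first, review MDfC/Policy compliance, then switch the effect to Deny.",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Audit",
        "allowedValues": [ "Audit", "Deny" ],
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliant accounts; Deny blocks create/update requests that violate the rule."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          {
            "anyOf": [
              { "field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess", "notEquals": "false" },
              { "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "notEquals": "Disabled" }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Note that `allowSharedKeyAccess` defaults to true when the property is absent, which is why the rule uses `notEquals: "false"` rather than `equals: "true"`: an account that never set the property is treated as non-compliant.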

Incorporate security in release engineering procedures

  • Leverage the Azure Tenant Security Solution (AzTS) by bringing security verification tests and security assurance into your Azure services release pipelines, improving the overall security posture, detecting security configuration drift and providing visibility over your progress in security management.
  • Perform regular penetration testing to simulate attacks on your Azure services, but first review Microsoft's guidance on the subject.

Tools