This is Susan Bradley for CSO Online. Today, I'm going to talk about Azure Security Benchmark v2. Recently at Microsoft Ignite, they announced the new v2 version of the Microsoft security benchmark. So what's new in v2? They've included controls for NIST SP 800-53, and they're going to be mapping between the Azure Security Benchmark and those NIST controls. So what are these benchmarks? Basically, it comes down to best practices. It's things like network security: controls to secure networks, virtual networks and private connections. It's identity management in the cloud, because the new security edge is identity.
So this includes controls to establish a secure identity, including Azure Active Directory, and it includes single sign-on, strong authentication, managed identities for applications and conditional access. Privileged access is a key item that you need to monitor, especially in any cloud service. The attackers want to go after Global Admin, so you want to make sure you understand and protect those roles. So privileged access is a key thing that you need to look at, investigate and make sure you understand how to protect. Next, data protection.
Are you doing enough to protect the raw data in your organization, to make sure that it is scanned, protected and identified as it travels across your network? Next, one of the areas that I think is underutilized is logging and threat detection.
Make sure that in your cloud storage you identify where logging occurs, turn it on in cases where it's not turned on, and make sure you have data going to either Azure Sentinel or a third-party logging tool. Do you understand how to do incident investigation in a cloud scenario? Again, you want to look at the benchmark to give you ideas, or workflow automation. In the v2 version of the controls, they map between CIS Controls v7.1 and also NIST SP 800-53.
Soon they'll also be documenting the mapping between these and the PCI controls as well. Now, currently in my Security Center, I still only have version 1.0, but soon I'll have v2 in there as well. Now, what if I want to up my game a little bit and actually do some customized compliance policies? There are a couple of ways I can do it. If I go in and click on Manage compliance policies, I choose my subscription.
Then I come down here and I want to look at Industry and regulatory standards. And as you can see, I've got several down here. I want to add even more. And you can see the custom ones that I can build, building on HIPAA, the Azure Security Benchmark, NIST, UK: you get the idea that we can build on these benchmarks and build the information into our systems. There's yet another way to build up security in Azure, and that's something called a landing page, or I should say, landing zones.
This gives you fully integrated governance, security and operations from the get-go, with preset values. So here in GitHub is the example of what they're planning to do. A management group hierarchy is deployed along with a set of policies that will enable autonomy for the platform and the landing zones. If you have an Azure subscription dedicated to management, you can do Log Analytics policies, Azure Security Center monitoring, Azure Sentinel, diagnostic settings, et cetera, et cetera. Now, if you plan to have these landing zones, you have to establish permissions in your Azure tenant.
So you have to go to Azure AD, click on Manage, then Properties. Under Access management for Azure resources, toggle it to Yes; the default is No if you've not come in here before. Then you have to grant access to the user at the root scope. So what's this about? You basically open up a PowerShell window and grant additional rights. So I have the Azure Cloud Shell opened up and I'm just going to do my commands in here to give myself rights.
Well, obviously I've already done it, so it gives me the error message that it already exists. But if you hadn't given yourself rights, this would come back with a message indicating that the rights and permissions have been added. Now, you can come back and actually set up these settings. Start here in Basics, pick the region that you want to deploy this to. You'll have to set up an Enterprise-Scale company prefix. Now, I'm just going to do a test here, so I'll just use the word "test".
You'll then go down your selections of what you want as your default. So here we're setting up a Log Analytics workspace. We're setting up data retention for 30 days. We're picking our subscription. We're going to deploy an Agent Health solution, Change Tracking solution, Update Management solution, Activity Log solution, VM Insights solution and similar solutions: Service Map, SQL Assessment. We're going to deploy Azure Security Center and enable security monitoring. And last but not least, we're going to deploy Azure Sentinel. Those are the defaults.
Now, you may not be able to do all of these. You'll have to check the pricing. I have some links in the article about how to determine the pricing, so you may want to run some tests to see how much this is going to cost. But once you set this as default, this will be your framework for everything in the subscription. Landing zone configuration: again, pick the subscription, and you determine which things are going to be impacted.
So do you want all of your VMs to be monitored? Do you want the Arc machines to be monitored? Do you want to prevent inbound RDP from the Internet? And by the way, while I'm here, if you have not done that already, or if you're not devising some better way to access your machines, don't do it with straight inbound RDP from the Internet. Especially these days, attackers are using all sorts of means and methods to directly attack open RDP.
So if you currently allow open RDP from the Internet, think twice, because attackers are using that as a key way they can get into systems. You get the idea: you can go through and set up a default for all of your subscriptions, click on Review and create, and it runs the final validation. If everything's ready to go, it will actually let you click Create. And there you go, that's the way to automatically, by default,
have yourself set up in a secure format from the get-go. If you want to give any feedback to Microsoft regarding these benchmarks or any of these security settings, go ahead and send them an email at benchmarkfeedback@microsoft.com. Until next time, this is Susan Bradley for CSO Online. Everyone, stay safe. Stay secure.
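The root-scope permission step described above (toggle "Access management for Azure resources", then grant a role at scope "/") is shown in the video but the commands are not. The following is an added example, not the video's own commands nor Microsoft's Enterprise-Scale scripts; it assumes the Az PowerShell module in Azure Cloud Shell and uses a placeholder account name. It checks for an existing assignment first, which avoids the "already exists" error seen in the video, then lists everything assigned at root scope, because an Owner at "/" has control over every subscription in the tenant and that list should be short and deliberate.

```powershell
# Added example (not from the video): grant a deploying account Owner at the tenant root
# scope ("/"), which the Enterprise-Scale landing zone deployment requires, verify it, and
# show how to remove it afterwards. Assumes the Az module and an existing session
# (Azure Cloud Shell, or Connect-AzAccount). The account name is a placeholder.
$deployer = "admin@contoso.com"   # placeholder: the account that will run the deployment

# Step 1: elevate the signed-in Global Administrator to User Access Administrator at "/".
# This is the same action as the "Access management for Azure resources" toggle in the
# Azure AD Properties blade; it only works for a Global Administrator.
Invoke-AzRestMethod -Method POST `
    -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

# Step 2: assign Owner at "/" only if it is not already there. Re-running
# New-AzRoleAssignment on an existing assignment fails with "The role assignment
# already exists", the error seen in the video, so look before creating.
$existing = Get-AzRoleAssignment -SignInName $deployer -Scope "/" `
    -RoleDefinitionName "Owner" -ErrorAction SilentlyContinue |
    Where-Object { $_.Scope -eq "/" }
if (-not $existing) {
    New-AzRoleAssignment -SignInName $deployer -Scope "/" -RoleDefinitionName "Owner"
} else {
    Write-Host "Owner at root scope is already assigned to $deployer"
}

# Step 3: verify. Only assignments made directly at "/" are of interest (the Where-Object
# filters out anything the cmdlet returns for other scopes). Every entry here has rights
# over the whole tenant, so anything unexpected is a finding in its own right.
Get-AzRoleAssignment -Scope "/" |
    Where-Object { $_.Scope -eq "/" } |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Step 4 (run after the landing zone deployment has completed): remove the standing
# root-scope rights again. Both lines are commented out so this script does not remove
# anything by itself; uncomment them when the deployment is done.
# Remove-AzRoleAssignment -SignInName $deployer -Scope "/" -RoleDefinitionName "Owner"
# Remove-AzRoleAssignment -SignInName "ga@contoso.com" -Scope "/" -RoleDefinitionName "User Access Administrator"
```

The elevateAccess call and the root-scope Owner assignment are both deliberately temporary: they exist so the management group hierarchy and tenant-level policies can be created, and leaving them in place after the deployment gives one account (and anyone who phishes it) standing control over every subscription.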
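The landing zone option "prevent inbound RDP from the Internet" is enforced through policy for new resources. For what already exists, a practitioner wants a quick audit. The following is an added example, not from the video or the Enterprise-Scale project; it assumes the Az PowerShell module and a signed-in session, and walks every subscription the account can see looking for NSG rules that allow inbound TCP/3389 from any Internet-facing source. The function names are the example's own.

```powershell
# Added example (not from the video): audit every visible subscription for NSG rules that
# allow inbound RDP (TCP/3389) from the Internet. Assumes the Az module and an existing
# session. Function names (Test-PortMatch, Find-OpenRdpRule) are this example's own.

function Test-PortMatch {
    # True if a destination port list such as @("3389"), @("*") or @("3000-4000")
    # covers the given port. NSG rules can carry several entries, hence the loop.
    param([string[]]$Ranges, [int]$Port)
    foreach ($r in $Ranges) {
        if ($r -eq "*") { return $true }
        if ($r -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ([int]$r -eq $Port) {
            return $true
        }
    }
    return $false
}

function Find-OpenRdpRule {
    # Returns one object per offending rule so the output can be piped to Export-Csv
    # or fed into a ticketing system. Source prefixes treated as "the Internet":
    # the wildcard, the Internet service tag and the all-zeros CIDR.
    $publicSources = @("*", "Internet", "0.0.0.0/0")
    $findings = @()
    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        foreach ($nsg in Get-AzNetworkSecurityGroup) {
            foreach ($rule in $nsg.SecurityRules) {
                # Only custom allow rules for inbound TCP (or any protocol) matter here;
                # the built-in default rules never open 3389 to the Internet.
                if ($rule.Direction -ne "Inbound" -or $rule.Access -ne "Allow") { continue }
                if ($rule.Protocol -notin @("Tcp", "*")) { continue }
                if (-not (Test-PortMatch -Ranges $rule.DestinationPortRange -Port 3389)) { continue }
                $sources = @($rule.SourceAddressPrefix)
                $public = $sources | Where-Object { $_ -in $publicSources }
                if ($public) {
                    $findings += [pscustomobject]@{
                        Subscription  = $sub.Name
                        ResourceGroup = $nsg.ResourceGroupName
                        Nsg           = $nsg.Name
                        Rule          = $rule.Name
                        Priority      = $rule.Priority
                        Source        = ($sources -join ",")
                        Ports         = ($rule.DestinationPortRange -join ",")
                    }
                }
            }
        }
    }
    return $findings
}

# Usage: print the findings, or export them for follow-up.
Find-OpenRdpRule | Format-Table -AutoSize
# Find-OpenRdpRule | Export-Csv -Path .\open-rdp-rules.csv -NoTypeInformation
```

The check is intentionally conservative: it flags every allow rule that would admit 3389 from the Internet without working out whether a higher-priority deny rule on the same NSG shadows it, and it does not look at Azure Firewall or at NSGs attached only to NICs versus subnets. A flagged rule is a lead to examine, and the fix is the one the video recommends: close the port and reach the machine through Bastion, a VPN or just-in-time access instead.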