The Center for Internet Security (CIS) is a company that maintains cybersecurity standards for a wide variety of internet-connected technologies. The ultimate internet-connected technologies are cloud platforms!
And Microsoft Azure is one of the most popular cloud platforms around. There’s a good chance that Azure is one of the vendors in your technological ecosystem. It works well natively with Windows Server, Active Directory, and many other Microsoft technologies.
If your organization benefits from CloudDefense.AI CSPM (Cloud Security Posture Management), then you understand that the cloud is a vast potential cyber attack surface that must be properly managed in the wake of the ever evolving cyber threat landscape.
I would also recommend using CIS Benchmarks to evaluate your Azure security configurations at least once or twice per year. If you fill out a form on CIS’s website, they will send you a PDF with the Benchmarks of your choice. But before you do that, here’s a brief summary to get you started.
5 Things to know about CIS Benchmarks for Microsoft Azure
When it comes to securing your Microsoft Azure environment, following best practices is essential. The Center for Internet Security (CIS) provides valuable benchmarks that can help organizations enhance their security posture.
In this article, we’ll explore five important areas covered by CIS Benchmarks for Microsoft Azure that you should know about. By implementing these recommendations, you can significantly improve the security of your Azure infrastructure.
1. Identity and Access Management
One of the critical aspects of securing your Azure environment is implementing robust identity and access management (IAM) controls.
IAM governs user and administrator access to your Azure networks and applications, making it a primary target for cyber attackers seeking unauthorized access to sensitive data.
To strengthen your IAM settings, ensure that Security Defaults is enabled on Azure Active Directory. It is crucial to enable “Multi-Factor Auth Status” for both privileged and non-privileged users to add an extra layer of security. Additionally, disabling “Allow users to remember multi-factor authentication on devices they trust” helps reduce the impact of Shadow IT.
Other essential IAM settings include having a multi-factor authentication policy for all Administrative Groups and All Users. Enforce multi-factor authentication for “risky sign-ins,” and require it for Azure Management activities.
Ensure trusted locations are defined, set “users can create Azure AD Tenants” to “No,” and review guest users regularly. Lastly, enable the notification of users on password resets and enforce a custom bad password list for your organization.
Adjust various permissions settings, such as disallowing users to register applications or create security groups in Azure portals, API, or PowerShell.
2. Microsoft Defender
To protect your Azure infrastructure from malware and other cyber threats, leveraging Microsoft Defender is crucial. Microsoft Defender provides malware protection and helps enforce security policies across multiple components of your Azure network.
Make sure Microsoft Defender is actively scanning various Azure components, such as servers, app services, databases (including Azure SQL Databases and SQL Servers on Machines), open-source relational databases, storage, containers, Azure Cosmos DB, Key Vault, DNS, and the Resource Manager. This ensures comprehensive protection against software code-related exploits.
Check and confirm that the Microsoft Defender recommendation for “apply system updates” is marked as “completed.” Ensure that any instance of ASC Default Policy Settings is “disabled.”
Auto provisioning of essential resources like the Log analytics agent for Azure VMS, Vulnerability assessment for machines, and Microsoft Defender for Containers components should be enabled. Additionally, set the appropriate configurations for roles and severity levels to maximize the effectiveness of Microsoft Defender.
3. Storage Accounts
Storage accounts play a vital role in Azure, and securing them properly is crucial for protecting your data. Ensure that the following settings are enabled for your storage accounts:
- “Secure transfer required” to enforce encrypted connections.
- “Enable Infrastructure Encryption” for each Storage Account in Azure Storage.
- “Enable key rotation reminders” to ensure regular key rotation.
- “Allow Azure services on the trusted services list to access this storage account” for authorized access.
- “Soft Delete” for Azure Containers and Blob Storage to enable recovery of deleted data.
Enable storage logging for different services, such as the Queue Service, Blob Service, and Table Service, to capture essential security event data for effective security monitoring. Set the “Minimum TLS version” for storage accounts to “Version 1.2” to use the latest encryption protocols. Additionally, set the “Default Network Access Rule for Storage Accounts” to “deny” to restrict access by default.
It’s crucial to configure logging and monitoring settings properly. Ensure that a “Diagnostic Setting” exists and enable logging for Key Vault to capture important security-related events.
Set up Activity Log Alerts for specific events and entities, such as policy assignments, network security groups, security solutions, SQL Server firewall rules, and public IP addresses. This ensures that security administrators are promptly notified of any security events that require attention.
4. Networking
Networking is a critical aspect of Azure security, as the internet represents a significant cyber attack vector. To reduce your attack surface and enhance security, evaluate and restrict the following networking settings:
- RDP (Remote Desktop Protocol) access from the Internet
- SSH access from the Internet
- UDP access from the Internet
- HTTP(S) access from the Internet
Additionally, set the Network Security Group Flow Log retention period to be greater than 90 days and enable Network Watcher. These settings enhance your organization’s ability to understand and improve its security posture.
For virtual machines (VMs), protecting access is essential to limit potential attack vectors. Ensure the following:
- Azure Bastion Host is deployed to provide secure remote access.
- VMs utilize Managed Disks for improved security.
- OS and Data disks, as well as unattached disks, are encrypted with Customer Managed Keys.
- Only approved extensions are installed.
- Endpoint Protection for all VMs is installed to detect and mitigate threats.
5. Key Vault
Key Vault is where your Azure application keys are stored, making it a critical component to secure properly. Ensure the following Key Vault settings:
- Set expiration dates for keys and secrets in both RBAC and non-RBAC Key Vaults.
- Enable Role-Based Access Control for Azure Key Vault.
- Ensure the Key Vault is recoverable.
- Use Private Endpoints for Azure Key Vault.
- Enable automatic key rotation for supported services within Azure Key Vault.
For App Service, ensure that you are using the latest versions of PHP, Python, Java, and HTTP, as they generally have fewer security vulnerabilities. Disable FTP deployments, use the latest version of TLS encryption, and store secrets in Azure Key Vaults.
Enable “Register with Azure Active Directory” and set up App Service Authentication for apps in Azure App Service. Finally, apply resource locks to mission-critical Azure resources to prevent accidental deletion or modification.
By considering these five key areas and implementing the corresponding CIS Benchmark recommendations, you can significantly enhance the security of your Microsoft Azure environment. Remember that security is an ongoing process, and regular review and updates are crucial to stay ahead of evolving threats.
Those are most of the crucial CIS Benchmarks for Azure. To make sure that you don’t miss any, you can request your own PDF here.
Kim has a long history of conducting cybersecurity writing and research for Tripwire, AT&T Cybersecurity, Venafi, Kaspersky, and BlackBerry Cylance. She has also contributed to Infosecurity Magazine, Threatpost, Comodo’s blog, CCSI’s blog, CSO, CIO, Computerworld, Hacker Noon, The Threat Report, and 2600 Magazine.
