Create an Azure Security Center baseline

Security Center is the built-in security module that covers the whole of the Azure platform. It is enabled by default and comes with some free basic features. You need to have a design already in place before following this stage.

You may already have an AV or security solution in place, and Security Center may not be part of that design. If that’s the case, you will need to make sure your current solution supports SaaS and that you cover that aspect of your cloud. SaaS services don’t come with an OS layer, so you will need to work out how you are going to secure and audit them: you won’t be able to just install an agent the way you do on a server today. This may break your “standard”, so you will have to balance cost against security.

Enabling Standard Pricing Tier (Optional)

A recommendation would be to turn on the additional features. The standard tier gives you a lot more for a dynamic price tag. It also gives you multiple features that are compatible across the platform.

To enable, go to: Security Center > Pricing & Settings.

The cost is per subscription, VM or SaaS resource. This allows you to implement a hybrid model should you choose to stick with your current solution for some workloads.

Enabling Monitoring Automation

You need as many eyes as possible, so it’s always good to adopt automation. Enabling this will install the monitoring agent on all supported Azure VMs. If you do enable this, remember the cost aspect: if you aren’t using it on all services such as VMs, you need to balance the cost. If you choose to do this manually instead, remember that you won’t get the alerts and recommendations for a VM unless the agent is installed on it.

To enable, go to: Security Center > Security Policy and select your subscription. You can then click Install Agents.

Enable System Updates

You will most likely have patch management policies in place. This feature will just add to the compliance side of things. Security Center will alert you of any critical updates that may have been missed.

To check, go to: Security Center > Security Policy and then select your subscription. Once you’ve expanded the policies, you will see the System Updates setting.

Enabling Security Configurations

There are tons of rules which can be enabled that will help increase your security posture. There are too many to talk about so let’s cover some basics. These should all be enabled:

Enable Endpoint Protection

This enables endpoint protection on all virtual machines.

Enable Disk Encryption

Encryption should be enabled by default as you don’t want your data available to all. By default, you should be encrypting both the OS and Data layer of your virtual machines.

Enable Network Security Groups

Network security groups contain a list of access control rules that allow or deny network traffic passing through your virtual network. Having this control at the top level is always preferred, as the manual approach may cause user error. A basic network security group applied at the subnet level will help keep the ‘intended purpose’ of the subnet.

For example, if you have separated out a VLAN for databases, you don’t want internet access or non-related servers being able to reach them. Once applied, if, say, a DB admin creates a new instance, it gets the security group by default. You could look to use NSGs as a safety net to enforce compliance.
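To make the subnet-level safety net concrete, here is an added example (not part of the original post) that models how an NSG evaluates inbound rules for a database subnet: lowest priority number first, first match wins, anything unmatched denied. The rule set, the 10.0.0.0/16 VNet addressing and the address matching are constructed and simplified; real NSGs also have destination filters, source ports, application security groups and many more service tags.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int     # lower number is evaluated first
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, "*" or the service tag "Internet"
    dest_port: str    # single port or "*"

# Simplification of the "Internet" service tag: anything outside RFC 1918 space.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def source_matches(rule_source: str, src_ip: str) -> bool:
    addr = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "Internet":
        return not any(addr in net for net in RFC1918)
    return addr in ip_network(rule_source)

def evaluate(rules, direction: str, src_ip: str, dst_port: int, protocol: str = "Tcp"):
    """First matching rule in ascending priority decides, as in Azure. Azure's
    own default rules (priority 65000+) are reduced here to a final deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if rule.dest_port not in ("*", str(dst_port)):
            continue
        if source_matches(rule.source, src_ip):
            return rule.access, rule.name
    return "Deny", "default-deny"

# Constructed baseline for a database subnet: only the front-end subnet may
# reach SQL on 1433; the Internet and every other subnet in the VNet are denied,
# so a newly created DB instance inherits the same intended purpose.
DB_SUBNET_RULES = [
    NsgRule("allow-frontend-sql", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "1433"),
    NsgRule("deny-internet", 4000, "Inbound", "Deny", "*", "Internet", "*"),
    NsgRule("deny-rest-of-vnet", 4010, "Inbound", "Deny", "*", "10.0.0.0/16", "*"),
]

if __name__ == "__main__":
    for src, port in (("10.0.1.5", 1433), ("10.0.1.5", 3389),
                      ("10.0.2.8", 1433), ("203.0.113.7", 1433)):
        print(src, port, evaluate(DB_SUBNET_RULES, "Inbound", src, port))
```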

Enable Web Application Firewall

A web application firewall, or WAF, is an application-layer firewall for HTTP applications. The aim of a WAF is to thwart common attacks such as XSS and SQL injection. These attacks are high risk at the moment and sit in the OWASP Top Ten.

Don’t confuse a WAF with a normal firewall, as they work quite differently. A network firewall will not be able to protect against XSS or SQL injection, because it inspects the traffic at a different layer. To a network firewall, `' OR '1'='1' --` poses no risk; it would instead look at whether the front-end server is allowed to speak to the database on port 1433 (should you implement a tier model).
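The layer difference above, as an added example that is not from the original post: a layer 3/4 check sees only addresses and ports, while a layer 7 check decodes the request parameters and runs signatures over them. The front-end subnet, the request and the three signatures are constructed for illustration; a real WAF rule set is far larger and normalises input before matching.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Constructed tier model: the front-end subnet is allowed to reach SQL on 1433.
FRONTEND_SUBNET = ip_network("10.0.1.0/24")

def network_firewall_allows(src_ip: str, dst_port: int) -> bool:
    """Layer 3/4 decision: only addresses and ports are visible here, so an
    injected query from an allowed front-end server on 1433 passes unseen."""
    return ip_address(src_ip) in FRONTEND_SUBNET and dst_port == 1433

# Layer 7 signatures, kept deliberately small for the example.
SIGNATURES = {
    "sqli-tautology": re.compile(r"""['"]\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I),
    "sqli-comment-terminator": re.compile(r"""['"]\s*--"""),
    "xss-script-tag": re.compile(r"<\s*/?\s*script\b", re.I),
}

def waf_inspect(url: str, body: str = "") -> list:
    """Decode the query string and a form-encoded body, then run every
    signature over every parameter value. Returns the sorted finding names."""
    findings = set()
    for encoded in (urlsplit(url).query, body):
        for values in parse_qs(encoded, keep_blank_values=True).values():
            for value in values:
                for name, pattern in SIGNATURES.items():
                    if pattern.search(value):
                        findings.add(name)
    return sorted(findings)

if __name__ == "__main__":
    request = "/login?user=admin' OR '1'='1' --"
    print("network firewall allows:", network_firewall_allows("10.0.1.5", 1433))
    print("waf findings:", waf_inspect(request))
```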

Enable Vulnerability Assessment

Security Center has its own vulnerability assessment solution, but the option is there to use a third party should you prefer. You may already have one in play. If you don’t, the Security Center option is a quickfire way to get the ball rolling. It’s important that you have some form of vulnerability assessment or process, as this helps to spot weak points. If you don’t run one, an attacker will.

Enable Storage Encryption

This should be the default and shouldn’t be limited to just storage accounts. Encryption is one of the main defence mechanisms against data theft and sniffing. Cloud solutions are different from on-premises ones, as it’s not your infrastructure: someone else holds the fort and you’ve uploaded your company data there. It’s your responsibility to make sure it’s secure.

Enable JIT Network Access

This is a strong control if you wish to limit RDP access for instance. JIT allows you to lock down inbound traffic until it is needed. This enables a workflow instead of a manual process of switching it off and on again.

Enable Adaptive Application Controls

This allows you to control which applications run on your VMs. It lets you apply whitelisting rules around applications, much like AppLocker. This can really play a part in stopping malware from running. It can also help keep an inventory and stop admins from installing risky software.

Enable SQL Auditing & Threat Detection

Your SQL DB can deal with hundreds of transactions a day. Auditing will help you keep track of database activity should any anomalies occur. It also enables threat detection, which adds intelligence into the mix. Enabling this control should be standard, as our databases often store our critical and sensitive data. For compliance reasons, you want to be aware if something malicious has taken place. If you don’t have controls such as this, you can’t ensure data integrity is kept.

Enable SQL Encryption

Enabling transparent data encryption (TDE) on your database should be another standard. Just like with the storage accounts, you want to be in control of that data, with as few eyes on it as possible. TDE should not interfere with your application or cause it to halt.

Contact Information

For security reasons, you should provide an email address and phone number per subscription. The Microsoft Security Response Center will contact this person should your customer data have been accessed by an unlawful or unauthorized party.

To enable, go to: Cost Management + Billing and click on Contact Info.

Email Notifications

Your security team will always appreciate a good alert. Security Center has its own notification list, so it’s important to keep it up to date.

To update multiple email addresses, use ‘,’.
Example: email@domain.com,email2@domain.com

To update, go to: Security Center > Pricing & Settings and click Email Notifications.