With more and more organisations adopting cloud solutions such as Azure, the security of the cloud resources is becoming a growing concern.
This blog will aim to give you a detailed overview of the Azure security center and how it gives you the tools you need to address your organisations security posture in the cloud.
Azure Security Center provides you with a centralized view of all your Azure Resources and their security state. At a glance, you can verify the appropriate security controls that are in place and quickly identify any resources that require attention. Azure Security Center has 3 core capabilities which are
- Prevent – Azure Security Center will monitor your Azure subscription(s) based on the security policies you configure.
- Detect – Azure Security Center will automatically collect and analyse security data from your Azure resources, the network, and partner solutions like anti-malware programs and firewalls. It leverages global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds.
- Respond – Any alerts generated are prioritised, insights into the source of an attack and any impacted resources are all part of Azure Security Center, along with suggestions on how to stop a current attack and help prevent future attacks.
Security Center Dashboard
Below is a screenshot of the Security Center Dashboard which gives you a high level overview of the security of your Azure Subscription.
You can drill down further to view the security issues by clicking on the line items, or graphs where you can view recommendations about the issue. (more on this below)
A security policy defines the set of controls, which are recommended for resources within your subscription or resource group.
By default all prevention policies are turned on. Prevention policies and recommendations are tied to each other. In other words, if you enable a prevention policy, such as OS Vulnerabilities, then that enables recommendations for that policy. In most situations, you will want to enable all policies, even though some might be more important to you than others depending on the Azure resource you’ve deployed.
Below is a screenshot of all the prevention policies (turned on by default) with details of what the recommendations are.
System updates. Retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services.
OS vulnerabilities. Analyses operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack.
Endpoint protection. Recommends endpoint protection to be provisioned for all Windows virtual machines to help identify and remove viruses, spyware, and other malicious software.
Disk encryption. Recommends enabling disk encryption in all virtual machines to enhance data protection at rest.
Network Security Groups. Recommends that network security groups be configured to control inbound and outbound traffic to VMs that have public endpoints. In addition to checking that a network security group has been configured, this policy assesses inbound security rules.
Web application firewall. Extends network protections beyond network security groups, which are built into Azure. Security Center will discover deployments for which a next generation firewall is recommended and enable you to provision a virtual appliance.
Next generation firewall. Extends network protections beyond network security groups, which are built into Azure. Security Center will discover deployments for which a next generation firewall is recommended and enable you to provision a virtual appliance.
Vulnerability Assessment. Recommends that you install a vulnerability assessment solution on your VM.
SQL auditing & Threat detection. Recommends that auditing of access to Azure Database be enabled for compliance and advanced threat detection, for investigation purposes.
SQL Encryption. Recommends that encryption at rest be enabled for your Azure SQL Database, associated backups, and transaction log files. Even if your data is breached, it will not be readable.
As Security Center collects data from your Azure resources, it will periodically analyse the contents of that data and present you with recommendations to address potential security vulnerabilities. On the Security Center blade, the recommendations tile displays the total number of available recommendations. If you click on the recommendation tile it will present you with the full list of recommendations.
Once you click on the Recommendations tile you will be presented with a table as shown in the following screenshot. You can click on each recommendation to view additional information or to act to resolve the issue.
After reviewing the list of available recommendations, you can click on the individual line items to take further action. For example, from the screenshot above, if you click on the line item to ‘Enable Network Security Groups on subnets’, you will be presented with all of the resources that apply to the recommendation, as shown in the following screenshot
From here, on the ‘Configure Missing Network Security Groups for subnets’ you can mark the subnet you need to remediate, which will present you with the option to create a Network Security Group for that subnet.
(Please view the following article for best practices on Azure Network Security Groups: https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices-and-lessons-learned/)
Security Center is integrated tightly with third-party solutions from Azure partners. When it comes time to implement a solution to a Security Center recommendation, you often have several choices. You can implement one of the Microsoft solutions. Or, you can implement a partner solution.
For example, there is a recommendation for adding a Next Generation Firewall. Next generation firewall solutions extend network protections beyond Network Security Groups, which are built-in to Azure. At the time of this writing, there are three options for adding a Next Generation Firewall – adding a Barracuda Networks NextGen firewall, adding a Check Point vSEC firewall and adding a Fortinet VM Firewall. This is one example of a recommendation that can be remediated by partner solutions. Additional partner solutions are planned and will be integrated into Azure Security Center in the future.
Monitoring Partner Solutions
After you’ve implemented some partner solutions, Azure enables you to monitor those solutions. The Partner solutions tile on the Security Center blade lets you monitor the health status. The screen capture below shows the Security Center overview blade with the Partner solutions tile highlighted
The Partner solutions tile displays the number of partner solutions and a status summary for those solutions. The status of a partner solution can be:
Protected (green). There is no health issue.
Unhealthy (red). There is a health issue that requires immediate attention.
Stopped reporting (orange). The solution has stopped reporting its health.
Unknown protection status (orange). The health of the solution is unknown at this time due to a failed process of adding a new resource to the existing solution.
Not reported (grey). The solution has not reported anything yet, a solution’s status may be unreported if it has just been connected and is still deploying.
Monitor Solutions Health
To view the health of your partner solutions, select the Partner solutions tile. A blade opens displaying a list of your partner solutions connected to Security Center, as seen in the screen capture below:
From this screen, select a partner solution to display the status of the partner solution as well as the solution’s associated resources. You can click Solution console to open the partner management experience for this solution. Additionally, you can click on the Link app button to connect resources to this partner solution. For example, you could do basic management (add a new application to be protected by WAF) or access the partner management console for advanced configuration.
Further reading : https://docs.microsoft.com/en-us/azure/security-center/security-center-intro