This post has been republished via RSS; it originally appeared at: Microsoft Developer Blogs - Feed.
This is the second in a six-part blog series where we will demonstrate the application of Zero Trust concepts for securing federal information systems with Microsoft Azure. In this blog we will explore how to leverage Azure Security Center for hybrid security management and threat protection in Zero Trust Architectures. Additional blogs in the series will include leveraging policy, investigating insider attacks and monitoring supply chain risk management. This blog series is coauthored by TJ Banasik, CISSP-ISSEP, ISSAP, ISSMP, Sr. Program Manager, Azure Global Customer Engineering, Mark McIntyre, CISSP, Senior Director, Enterprise Cybersecurity Group and Adam Dimopoulos, Azure Global Customer Engineering. Also, join us for the Microsoft Ignite Government Tour in Washington, D.C., where we’ll be presenting Zero Hype: Practical Steps Towards Zero Trust on Friday, February 7th at 10:30 AM.

How is zero trust implemented in cloud workloads?
The Microsoft Zero Trust vision paper outlines three principles of Zero Trust: Verify Explicitly, Least Privilege Access and Assume Breach. These principles include strategy recommendations such as continuously measuring trust and risk. Security architecture design is a key starting point for Zero Trust, but the model must be continually monitored throughout the enterprise security lifecycle. Azure Security Center enables this, serving as both a Cloud Workload Protection Platform (CWPP) and a Cloud Security Posture Management (CSPM) solution and facilitating continuous monitoring of security controls in dynamic environments. This blog first defines key concepts for Zero Trust governance based on federal frameworks, and then walks through the nine steps to protecting cloud workloads for Zero Trust with Azure Security Center.

Defining Zero Trust governance based on federal frameworks
- The National Institute of Standards and Technology (NIST) has recently released NIST SP 800-207, which is a draft open for comment. This document provides a framework for designing a zero-trust architecture (ZTA) network strategy[i].
- Trusted Internet Connections (TIC) is a federal cybersecurity initiative to enhance network and perimeter security across the United States federal government. The TIC initiative is a collaborative effort between the Office of Management and Budget (OMB), the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the General Services Administration (GSA). The TIC 3.0: Volume 3 Security Capabilities Handbook provides various security controls, applications and best practices for risk management in federal information systems[ii].
- The Continuous Diagnostics and Mitigation (CDM) Program is led by the Cybersecurity and Infrastructure Security Agency (CISA). The CDM program delivers cybersecurity capabilities across the federal government, including cybersecurity tools, services, reporting and best practices. The Continuous Diagnostics and Mitigation Program Fact Sheet outlines five key program areas: dashboarding, asset management, identity and access management, network security management and data protection management[iii].
Protecting Cloud Workloads for Zero Trust with Azure Security Center
Microsoft Azure Government has developed a nine-step process for helping protect cloud workloads in federal information systems which is aligned with the security protection principles within the NIST, OMB, and CISA Zero Trust frameworks. Microsoft’s key offering for cloud workload protection is Azure Security Center. Azure Security Center is a unified infrastructure security management system that helps strengthen the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.

Nine Steps to Protecting Cloud Workloads for Zero Trust with Azure Security Center
1) Enable Cloud Workload Protection

Azure Security Center provides unified security management and threat protection across your hybrid cloud workloads. While the Free tier offers limited security for your Azure resources only, the Standard tier extends these capabilities to on-premises and other clouds. Azure Security Center Standard helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack. Enabling Azure Security Center Standard is accomplished via the steps below:
- Under the Security Center main menu, select Getting started.
- Under Upgrade, Security Center lists subscriptions and workspaces eligible for onboarding.
- Click Start trial to start your trial on the selected subscriptions.
- Under the Security Center main menu, select Pricing & settings.
- Click the row of the subscription whose settings you'd like to change.
- In the Data Collection tab, set Auto provisioning to On.
- Select Save.
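The portal steps above can be verified from a script rather than by clicking through each subscription. The Python below is an added example (not code from the original post): it reads the JSON that `az security pricing list -o json` and `az security auto-provisioning-setting list -o json` produce, reports which resource types are still on the Free tier and whether auto provisioning is on, and prints the matching `az` commands to fix each gap. The field names (`name`, `pricingTier`, `autoProvision`), the `{"value": [...]}` envelope some CLI versions emit for the pricing list, and the sample data are assumptions; the samples are constructed so the script runs offline.

```python
"""Verify the two settings configured in the portal steps above: Standard tier
for every resource type, and automatic agent provisioning switched on.

Added example; not code from the original post. Input shapes are those of
`az security pricing list -o json` (objects with `name` and `pricingTier`,
sometimes wrapped in a {"value": [...]} envelope) and
`az security auto-provisioning-setting list -o json` (objects with `name` and
`autoProvision`). The samples below are constructed.
"""
import json
import shutil
import subprocess

# Constructed sample: only the VM bundle has been upgraded to Standard.
SAMPLE_PRICINGS = json.loads("""
{"value": [
  {"name": "VirtualMachines",   "pricingTier": "Standard"},
  {"name": "SqlServers",        "pricingTier": "Free"},
  {"name": "AppServices",       "pricingTier": "Free"},
  {"name": "StorageAccounts",   "pricingTier": "Free"},
  {"name": "KubernetesService", "pricingTier": "Free"},
  {"name": "ContainerRegistry", "pricingTier": "Free"},
  {"name": "KeyVaults",         "pricingTier": "Free"}
]}
""")

# Constructed sample: auto provisioning has not been turned on.
SAMPLE_AUTOPROVISION = json.loads('[{"name": "default", "autoProvision": "Off"}]')


def unwrap(payload):
    """Accept either a bare list or the {"value": [...]} envelope."""
    return payload["value"] if isinstance(payload, dict) else payload


def free_tier_resource_types(pricings):
    """Resource types not on the Standard tier, sorted by name."""
    return sorted(p["name"] for p in unwrap(pricings)
                  if str(p.get("pricingTier", "")).lower() != "standard")


def auto_provisioning_enabled(settings):
    """True only when the 'default' auto-provisioning setting is On."""
    for s in unwrap(settings):
        if s.get("name") == "default":
            return str(s.get("autoProvision", "")).lower() == "on"
    return False


def assess(pricings, settings):
    """Gap summary that a CI gate or ticketing script can act on."""
    free = free_tier_resource_types(pricings)
    auto = auto_provisioning_enabled(settings)
    return {"free_tier": free, "auto_provisioning": auto,
            "compliant": not free and auto}


def load_live_or_sample():
    """Use the real CLI when present and logged in, else the constructed samples."""
    if shutil.which("az"):
        try:
            run = lambda *args: json.loads(subprocess.check_output(
                ["az", "security", *args, "-o", "json"], text=True))
            return run("pricing", "list"), run("auto-provisioning-setting", "list")
        except (subprocess.CalledProcessError, ValueError):
            pass
    return SAMPLE_PRICINGS, SAMPLE_AUTOPROVISION


if __name__ == "__main__":
    result = assess(*load_live_or_sample())
    print(json.dumps(result, indent=2))
    for name in result["free_tier"]:
        print(f"fix: az security pricing create --name {name} --tier Standard")
    if not result["auto_provisioning"]:
        print("fix: az security auto-provisioning-setting update "
              "--name default --auto-provision On")
```

On the constructed sample the script reports six Free-tier resource types and auto provisioning off, and the fix commands it prints reuse the same `name` values the pricing list returns, so the output can be pasted straight back into the CLI. Run it on a schedule (or in a pipeline) to catch subscriptions that drift back to the Free tier after the trial ends.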
- Sign in to the Azure Portal as a User administrator for the organization.
- Search for and select Security Center from any page.
- Click Secure Score.
- At the top you can see the Secure score highlights:
- The Overall secure score represents the aggregate score across policies for the selected subscriptions.
- Secure score by category shows you which resources need the most attention.
- Top recommendations by secure score impact provides a list of the recommendations that will improve your secure score the most if you implement them.
- In the table (below), you can see each of your subscriptions and the overall secure score for each.
- Click View recommendations to see the recommendations for that subscription that you can remediate to improve your secure score.
- In the list of recommendations, each recommendation has a column for Secure score impact. This number represents how much your overall secure score will improve if you follow the recommendation. For example, in the screen below, if you Remediate vulnerabilities in container security configurations, your secure score will increase by 35 points. For more information, see Improve your Secure Score in Azure Security Center.
- Search for and select Security Center from any page.
- Click Regulatory compliance to see your overall compliance score and number of passing vs. failing assessments for each standard.
- Select a tab for a compliance standard that is relevant to you. You will see the list of all controls for that standard.
- Generate and download a PDF report summarizing your current compliance status for the desired standard by clicking Download report. For more information, see Improve your regulatory compliance.
- Enable MFA for privileged accounts on your subscription
- Remove external accounts with write permissions from your subscription
- Remove privileged external accounts from your subscription
- Access Security Center
- Select Identity & Access under Resource Security Hygiene
- Click Overview
- Select Recommendations for a list of recommendations for the selected subscription and severity of each recommendation.
- Select Enable MFA recommendations for an assessment of these controls within your subscription and further steps on implementing MFA in the subscription.
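The three Identity & Access recommendations above can be checked against exported role assignments before opening the portal. The Python below is an added example, not code from the original post. It consumes the JSON shape of `az role assignment list --all -o json` (`principalName`, `principalType`, `roleDefinitionName`, `scope`) and recognises guest users by the `#EXT#` marker Azure AD places in B2B user principal names. RBAC data does not record who has MFA, so the script takes a set of MFA-registered principals as input (constructed here; in practice it would come from the Azure AD authentication methods report). The assignments, the role lists and the MFA set are all constructed assumptions.

```python
"""Audit RBAC role assignments for the three Identity & Access recommendations
above: privileged accounts without MFA, external accounts with write
permissions, and privileged external accounts.

Added example; not code from the original post. Input is the shape of
`az role assignment list --all -o json`. Guest users carry "#EXT#" in their
principal name. The sample assignments, role sets and MFA list are constructed.
"""
import json

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Roles treated as read-only; any other role is assumed to grant writes.
READ_ONLY_ROLES = {"Reader", "Security Reader", "Monitoring Reader",
                   "Log Analytics Reader"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "dave_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Storage Account Contributor",
     "scope": SUB + "/resourceGroups/rg-data"},
    {"principalName": "eve_partner.org#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "deploy-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
]
# Constructed: principals already registered for MFA (from the Azure AD report).
MFA_REGISTERED = {"alice@contoso.onmicrosoft.com"}


def is_user(a):
    return a.get("principalType") == "User"


def is_external(a):
    """B2B guests have UPNs like user_domain.com#EXT#@tenant.onmicrosoft.com."""
    return is_user(a) and "#EXT#" in a.get("principalName", "")


def is_privileged(a):
    return a.get("roleDefinitionName") in PRIVILEGED_ROLES


def grants_write(a):
    return a.get("roleDefinitionName") not in READ_ONLY_ROLES


def privileged_users_without_mfa(assignments, mfa_registered):
    return sorted({a["principalName"] for a in assignments
                   if is_user(a) and is_privileged(a)
                   and a["principalName"] not in mfa_registered})


def external_with_write(assignments):
    return sorted({a["principalName"] for a in assignments
                   if is_external(a) and grants_write(a)})


def external_privileged(assignments):
    return sorted({a["principalName"] for a in assignments
                   if is_external(a) and is_privileged(a)})


def audit(assignments, mfa_registered):
    """One list per Security Center recommendation, keyed by the action to take."""
    return {"enable_mfa": privileged_users_without_mfa(assignments, mfa_registered),
            "remove_external_write": external_with_write(assignments),
            "remove_external_privileged": external_privileged(assignments)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ASSIGNMENTS, MFA_REGISTERED), indent=2))
    # One removal hint per offending external assignment.
    for a in SAMPLE_ASSIGNMENTS:
        if is_external(a) and grants_write(a):
            print(f'fix: az role assignment delete --assignee "{a["principalName"]}" '
                  f'--role "{a["roleDefinitionName"]}" --scope {a["scope"]}')
```

Note the deliberate asymmetry: the write check treats any role not in the read-only allowlist as write-capable, so a custom or less common built-in role (here Storage Account Contributor on a guest) is flagged for review rather than silently passed, while the privileged check uses a short explicit list so its output stays small enough to act on immediately. Service principals are excluded from the MFA check because MFA does not apply to them; they belong in a separate credential-hygiene review.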
- Access Security Center
- Select Recommendations under Resource Security Hygiene
- Click the recommendations for Disk encryption should be applied on virtual machines
- Select the virtual machine from the Affected Resources. This redirects to the virtual machine settings page for disks.
- Navigate to Disks to encrypt and select OS and data disks from the drop-down.
- Specify Key Vault, Key, and
- Select Enable key vault for disk encryption
- Click Save
- Click Yes at the prompt warning that enabling Azure Disk Encryption will cause the VM to reboot.
- Network map (Azure Security Center Standard tier only)
- Adaptive Network Hardening
- Networking security recommendations.
- Legacy Networking blade (the previous networking blade)
- In Security Center, under Resource Security Hygiene, select Networking.
- Under Network map click See topology.
- Subscriptions you selected in Azure. The map supports multiple subscriptions.
- VMs, subnets, and VNets of the Resource Manager resource type
- Peered VNets
- Only resources that have network recommendations with a high or medium severity
- Internet facing resources
- The map is optimized for the subscriptions you selected in Azure. If you modify your selection, the map is recalculated and re-optimized based on your new settings.
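The network map surfaces internet-facing resources and the high- and medium-severity networking recommendations behind them; the same condition can be checked from exported NSG rules, which is useful for subscriptions that are not yet on the Standard tier. The Python below is an added example, not code from the original post. It takes the JSON shape of `az network nsg rule list --nsg-name <nsg> -g <rg> -o json` (`direction`, `access`, `priority`, `protocol`, `sourceAddressPrefix`/`sourceAddressPrefixes`, `destinationPortRange`/`destinationPortRanges`), evaluates the rules in priority order the way the platform does, and reports management ports that an arbitrary Internet address can reach. The rule set and the list of management ports are constructed assumptions.

```python
"""Find management ports that an NSG leaves reachable from any Internet address.

Added example; not code from the original post. Rules are evaluated in
ascending priority, as Azure does: the first inbound rule whose source covers
"any Internet address" and whose ports include the port decides; no match
means the built-in DenyAllInBound rule applies. Rules scoped to a specific
source prefix neither expose nor protect the port for arbitrary addresses,
so they are ignored here. Sample rules and the port list are constructed.
"""
import json

# Source prefixes that mean "any address on the Internet" (compared lower-case).
ANY_INTERNET = {"*", "internet", "0.0.0.0/0", "::/0"}
# Assumed management ports worth flagging; extend to taste.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/HTTPS",
                    1433: "MSSQL"}

# Constructed sample in the shape of `az network nsg rule list -o json`.
SAMPLE_RULES = json.loads("""
[
 {"name": "allow-ssh-from-office", "priority": 100, "direction": "Inbound",
  "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
  "destinationPortRange": "22"},
 {"name": "allow-rdp-any", "priority": 110, "direction": "Inbound",
  "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
  "destinationPortRange": "3389"},
 {"name": "deny-mgmt-any", "priority": 120, "direction": "Inbound",
  "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
  "destinationPortRanges": ["22", "5985-5986"]},
 {"name": "allow-web", "priority": 200, "direction": "Inbound",
  "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
  "destinationPortRanges": ["80", "443"]},
 {"name": "allow-winrm-any", "priority": 300, "direction": "Inbound",
  "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0",
  "destinationPortRange": "5985"},
 {"name": "allow-sql-out", "priority": 100, "direction": "Outbound",
  "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
  "destinationPortRange": "1433"}
]
""")


def _sources(rule):
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return {str(p).lower() for p in prefixes}


def _ports(rule):
    """Set of destination ports the rule covers, or None when it covers all."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for r in ranges:
        r = str(r).strip()
        if r == "*":
            return None
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _applies(rule, port):
    if str(rule.get("direction", "")).lower() != "inbound":
        return False
    if str(rule.get("protocol", "*")).lower() not in ("*", "tcp"):
        return False
    if not (_sources(rule) & ANY_INTERNET):
        return False
    ports = _ports(rule)
    return ports is None or port in ports


def effective_access(rules, port):
    """(access, rule name) for TCP <port> from an arbitrary Internet address."""
    for rule in sorted(rules, key=lambda r: int(r.get("priority", 65500))):
        if _applies(rule, port):
            return rule.get("access", "Deny"), rule.get("name")
    return "Deny", "DenyAllInBound (default)"


def exposed_management_ports(rules):
    """Map of exposed management port -> name of the rule that opens it."""
    exposed = {}
    for port in MANAGEMENT_PORTS:
        access, name = effective_access(rules, port)
        if str(access).lower() == "allow":
            exposed[port] = name
    return exposed


if __name__ == "__main__":
    for port, name in exposed_management_ports(SAMPLE_RULES).items():
        print(f"EXPOSED {MANAGEMENT_PORTS[port]} ({port}) via rule {name}")
```

On the constructed rules only RDP is exposed: the deny at priority 120 shadows the WinRM allow at 300, and SSH is allowed only from one office prefix. Delete `deny-mgmt-any` and the script correctly reports WinRM as exposed too, which is exactly the kind of ordering mistake that Adaptive Network Hardening's recommendations are meant to catch. The remediation for a flagged rule is to narrow its source, for example `az network nsg rule update ... --source-address-prefixes <cidr>`, or to front the VM with Just-in-Time access rather than a standing allow.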
- Endpoint Protection Visibility
- Network Security Recommendations
- Patch Management Status
- Security Orchestration
- Publicly Exposed Assets
- Vulnerability Auditing
- Malicious Communication Alerting
- Encryption Gaps
- Vulnerability Assessment Solution Integration
- Log Integration with SIEM solutions
- Unified Visibility and Control: Get a unified view of security across on-premises and cloud workloads, including your Azure IoT solutions. Onboard new devices and apply security policies across your workloads (Leaf devices, Microsoft Edge devices, IoT Hub) to ensure compliance with security standards and improved security posture.
- Adaptive Threat Prevention: Use Azure Security Center for IoT to continuously monitor the security of machines, networks, and Azure services. Choose from hundreds of built-in security assessments or create your own in the central Azure Security Center for IoT Hub dashboard. Optimize your security settings and improve your security score with actionable recommendations across virtual machines, networks, apps, and data. With newly added IoT capabilities, you can now reduce the attack surface for your Azure IoT solution and remediate issues before they can be exploited.
- Intelligent Threat Detection and Response: Use advanced analytics and the Microsoft Intelligent Security Graph to get an edge over evolving cyber-attacks. Built-in behavioral analytics and machine learning identify attacks and zero-day exploits. Monitor your IoT solution for incoming attacks and post-breach activity. Streamline device investigation and remediation with interactive tools and contextual threat intelligence. For more information, see Introducing Azure Security Center for IoT.
- Azure Diagnostics Extension: Collects monitoring data from the guest operating system and workloads of Azure compute resources. It primarily collects data into Azure Storage. Azure Monitor can be configured to copy the data from storage to a Log Analytics workspace and to collect guest performance data into Azure Monitor Metrics. Azure Diagnostic Extension is often referred to as the Windows Azure Diagnostic (WAD) or Linux Azure Diagnostic (LAD) extension.
- Log Analytics Agent: Collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud providers, and on-premises. It collects data into a Log Analytics workspace. The Log Analytics agent is the same agent used by System Center Operations Manager, and computers can be multi-homed to communicate with a management group and Azure Monitor simultaneously. The Log Analytics agent for Windows is often referred to as the Microsoft Management Agent (MMA). The Log Analytics agent for Linux is often referred to as the OMS agent.
- Dependency Agent: Collects discovered data about processes running on the virtual machine and external process dependencies. This agent is required for Service Map and the Map feature of Azure Monitor for VMs. The Dependency agent requires the Log Analytics agent and writes data to a Log Analytics workspace in Azure Monitor.
Learn more about Zero Trust with Microsoft
Here are some of the best resources to learn more about Zero Trust in the cloud with Microsoft:
- Reach the Optimal State in your Zero Trust Journey
- The Zero Trust Maturity Model
- Zero Trust: A New Era of Security
- Implementing a Zero Trust Security Model at Microsoft
- Zero Trust Strategy: What Good Looks Like
- Securing Mobile: Designing SaaS Service Implementations to Meet Federal TIC Policy
[i] National Institute of Standards and Technology. (2019, September 1). Draft NIST Special Publication 800-207: Zero Trust Architecture. Retrieved January 25, 2020, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft.pdf
[ii] Cybersecurity and Infrastructure Security Agency. (2019, December 1). Trusted Internet Connections 3.0: Volume 3 Security Capabilities Handbook. Retrieved January 22, 2020, from https://www.cisa.gov/sites/default/files/publications/Draft%20TIC%203.0%20Vol.%203%20Security%20Capabilities%20Handbook.pdf
[iii] U.S. Department of Homeland Security, Cyber+Infrastructure. (2019, April 24). Continuous Diagnostics and Mitigation (CDM) Program. Retrieved January 22, 2020, from https://www.cisa.gov/publication/continuous-diagnostics-and-mitigation-cdm-program