Azure CIS Benchmark for Compliance and Security

The Azure CIS Benchmark is a set of guidelines that helps you secure and harden your Azure environment. It's based on the Center for Internet Security (CIS) benchmarks, which are widely recognized as a standard for best practices in cloud security.

The Azure CIS Benchmark covers 84 controls that are organized into 15 categories, including account management, identity and access, and data protection. This comprehensive framework ensures that your Azure environment is secure, compliant, and meets the requirements of various regulatory bodies.

By following the Azure CIS Benchmark, you can reduce the risk of security breaches and ensure that your Azure environment is compliant with industry standards and regulations. This is particularly important for organizations that handle sensitive data or are subject to strict regulatory requirements.

Implementing the Azure CIS Benchmark requires a thorough understanding of the controls and categories, as well as a systematic approach to assessment and remediation.

Azure CIS Benchmark Defaults are designed to provide a secure foundation for your Azure environment. The CIS Microsoft Azure Foundations Benchmark, for instance, recommends setting the default network access rule for Storage Accounts to Deny.

This recommendation is found in several sections of the benchmark, including recommendations 3.8 and 3.9. To implement this, you should configure network rules so only applications from allowed networks can access the storage account.

According to the benchmark, network access to storage accounts should be restricted. You can grant access to traffic from specific Azure virtual networks or to public internet IP address ranges if needed.

Disabling IP-based filtering is a preferred method of restricting network access, as it prevents public IPs from accessing your storage accounts. This is in line with the benchmark's suggestion to protect your storage accounts from potential threats using virtual network rules.

To allow connections from specific internet or on-premises clients, you can grant access to traffic from specific Azure virtual networks or to public internet IP address ranges. However, it's essential to remember that some Microsoft services interact with storage accounts and operate from networks that can't be granted access through network rules.

These services will then use strong authentication to access the storage account, so it's recommended to allow the set of trusted Microsoft services to bypass the network rules.

Authentication and Authorization is a crucial aspect of Azure security. Multi-factor authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.

To implement MFA, ensure that accounts with owner permissions on Azure resources are MFA enabled. This can be done by checking the "Accounts with owner permissions on Azure resources should be MFA enabled" section in the Azure portal.

Here are the different types of users who should have MFA enabled:

Biometric authentication mechanisms should also be adopted to provide an additional layer of security. This can be done by implementing biometric authentication mechanisms, such as fingerprint or facial recognition, to provide an additional layer of security.

Multi-Factor Authentication is a must-have for all users, regardless of their privileges. It's a simple yet effective way to prevent breaches of accounts or resources.

Enabling Multi-Factor Authentication (MFA) for all users, including non-privileged users, is crucial. According to the CIS Microsoft Azure Foundations Benchmark, MFA should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.

Here are some key points to consider:

Conditional Access is another important feature that can help you build policies that require MFA, define trusted subnets, and more. With Conditional Access, you can even define the security profile of the system that originates a request.

In order to ensure that Multi-Factor Authentication is enabled for all users, you should regularly review and update your authentication policies. This includes automating account management, implementing training for protecting authenticators, and monitoring access across the organization.

Adding gallery apps to My Apps requires careful consideration. Ensure that 'Users can add gallery apps to My Apps' is set to 'No' to maintain security.

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.13

Ownership: Shared

This setting is crucial for shared ownership scenarios. It prevents users from adding unauthorized gallery apps.

ID: CIS Microsoft Azure Foundations Benchmark recommendation 1.16

Ownership: Shared

To ensure the security of your Azure subscriptions, it's essential to avoid creating custom subscription administrator roles. This is because custom roles can introduce unnecessary complexity and potentially create security vulnerabilities.

Custom subscription administrator roles can be created, which can lead to a lack of accountability and make it difficult to track who has access to sensitive resources.

Two specific CIS Microsoft Azure Foundations Benchmark recommendations (1.23 and 1.9) emphasize the importance of avoiding custom subscription administrator roles, as they can undermine the security and integrity of your Azure environment.

By following these recommendations, you can maintain a secure and well-governed Azure subscription, reducing the risk of unauthorized access and data breaches.

To ensure your organization is notified in case of a potential security breach, it's essential to configure an additional email address for security contact.

You should set a security contact to receive email notifications from Security Center for each subscription.

According to CIS Microsoft Azure Foundations Benchmark recommendation 1.22, you should implement training for protecting authenticators.

This includes managing system and admin accounts, as mentioned in CIS Microsoft Azure Foundations Benchmark recommendation 1.19, and monitoring access across the organization.

A security contact email address should be configured with 'Additional email addresses' in the Azure portal.

Here's a list of essential steps to follow:

By following these steps, you'll ensure your organization is notified in case of a potential security breach, and you'll be able to take prompt action to mitigate the issue.

It's also important to note that you should review malware detections reports weekly, as mentioned in CIS Microsoft Azure Foundations Benchmark recommendation 1.22, and update antivirus definitions regularly, as recommended in CIS Microsoft Azure Foundations Benchmark recommendation 1.22.

Storage logging is crucial for tracking Table Service activities, especially for CRUD (Create, Read, Update, Delete) requests.

The CIS Microsoft Azure Foundations Benchmark recommends enabling Storage logging for Table service for read, write, and delete requests.

Enabling Storage logging for Table Service helps with auditing and debugging, ensuring that all requests are properly logged and tracked.

Storage logging can be enabled for 'Read', 'Write', and 'Delete' requests, as per CIS Microsoft Azure Foundations Benchmark recommendation 3.14.

This is a shared responsibility, as per the ownership listed in recommendation 3.14.

The ownership of this responsibility is shared, as stated in CIS Microsoft Azure Foundations Benchmark recommendations 3.11 and 3.3.

Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible. This is recommended by the CIS Microsoft Azure Foundations Benchmark, specifically in recommendation 4.5.3.

Ensure a Custom Role is Assigned Permissions for Administering Resource Locks, as per CIS Microsoft Azure Foundations Benchmark recommendation 1.24. This is a shared ownership responsibility.

To ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key, follow CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3.

For critical SQL Servers, ensure Microsoft Defender for SQL is set to 'On'. This is recommended by CIS Microsoft Azure Foundations Benchmark recommendation 4.2.1.

Here are some best practices to consider:

Using Azure Active Directory (AAD) Client Authentication and Role-Based Access Control (RBAC) is essential for securing your Azure resources. This ensures that only authorized users can access sensitive data and perform critical operations.

AAD Client Authentication provides a secure way to authenticate users and services, while RBAC enables fine-grained access control to Azure resources. By combining these two features, you can ensure that users have the right permissions to perform specific tasks.

According to the CIS Microsoft Azure Foundations Benchmark, it's recommended to use AAD Client Authentication and RBAC where possible (Example 1). This best practice helps prevent unauthorized access to sensitive data and resources.

Here are some key benefits of using AAD Client Authentication and RBAC:

By implementing AAD Client Authentication and RBAC, you can improve the security and compliance of your Azure environment, while also reducing the risk of data breaches and unauthorized access.

Complete Automation is a game-changer in the world of authentication and authorization. Almost all CIS tests are automated with SmartProfiler for Azure CIS Assessment.

This level of automation saves a tremendous amount of time and effort. It's like having a personal assistant who takes care of the tedious tasks, freeing you up to focus on more important things.

Multi-factor authentication (MFA) is a crucial security measure to prevent account take-over (ATO) risk. It should be enabled for all non-privileged users with read permissions on Azure resources to prevent a breach of accounts or resources.

Enabling MFA for privileged users is equally important, especially for those with owner permissions on Azure resources. This ensures that even if an attacker gains access to a privileged account, they will still need to provide additional authentication factors to access sensitive resources.

To mitigate ATO risk, it's essential to restrict access to subscription management features. This includes disabling subscription entering and leaving Azure Active Directory (AAD) directory features for all users except those with explicit permission to perform these actions.

Here's a list of best practices to mitigate ATO risk:

Authentication and Authorization are crucial for securing your Azure resources.

Ensure that multi-factor authentication is enabled for all non-privileged users. This is a best practice to prevent a breach of accounts or resources.

Enable multi-factor authentication (MFA) for all subscription accounts with read privileges to prevent unauthorized access. This is a simple yet effective way to add an extra layer of security.

To implement MFA, you can use Azure's built-in MFA feature, which supports various authentication methods, including SMS, voice calls, and authenticator apps.

Here are some specific steps to enable MFA for your Azure resources:

Biometric authentication mechanisms, such as fingerprint or facial recognition, can also be adopted to provide an additional layer of security.

To enable biometric authentication, you can use Azure's biometric authentication feature, which supports various biometric modalities.

Here are some specific steps to enable biometric authentication for your Azure resources:

In addition to MFA and biometric authentication, it's also essential to ensure that your Azure resources are properly configured to use customer-managed keys for encryption.

For example, you can enable customer-managed keys for encryption on your "OS and Data" disks.

To enable customer-managed keys for encryption on your "OS and Data" disks, you can follow these steps:

1. Go to the Azure portal and navigate to the "Disk" section.

2. Select the disk you want to encrypt and click on the "Encryption" tab.

3. Click on the "Enable encryption" button and select the customer-managed key you want to use.

By following these steps, you can ensure that your Azure resources are properly secured with multi-factor authentication, biometric authentication, and customer-managed keys for encryption.

Role-Based Access Control is a crucial aspect of securing your Azure environment. It allows you to grant specific permissions to users and groups, ensuring that they only have access to the resources they need to perform their tasks.

To enable Role-Based Access Control (RBAC) in Azure Key Vault, follow CIS Microsoft Azure Foundations Benchmark recommendation 8.6. This will help you control access to sensitive data and ensure that only authorized users can perform critical operations.

RBAC is also essential in Azure Kubernetes Services, where it helps manage permissions and configure authorization policies. By implementing RBAC, you can provide granular filtering on the actions that users can perform, as recommended in CIS Microsoft Azure Foundations Benchmark recommendation 8.5.

Here are some key considerations for implementing RBAC in Azure:

By following these guidelines, you can ensure that your Azure environment is secure and compliant with best practices.

Security and Compliance is a top priority for any organization using Azure. To ensure your Azure environment is secure, you should enable 'Secure transfer required' which forces your storage account to accept requests only from secure connections (HTTPS). This ensures authentication between the server and the service and protects data in transit from network layer attacks.

To further secure your data, you should use customer-managed keys for encryption. This includes using customer-managed keys for Transparent Data Encryption (TDE) protectors in SQL servers and for encrypting data at rest in storage accounts. Implementing TDE with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.

Automatic Key Rotation should also be enabled within Azure Key Vault for supported services. This ensures that keys are rotated within a specified number of days after creation, helping to manage organizational compliance requirements.

Customer Support is a crucial aspect of maintaining a secure and compliant environment in Microsoft Azure. If you're experiencing issues with encryption or need help with implementing customer-managed keys, Microsoft Azure provides extensive customer support resources.

You can reach out to Microsoft Azure support teams for assistance with troubleshooting encryption-related issues or for guidance on implementing customer-managed keys. They offer various support channels, including online documentation, community forums, and direct support tickets.

If you're unsure about the correct implementation of customer-managed keys for your specific use case, you can consult Microsoft Azure's official documentation, which provides detailed guides and best practices for encryption and key management.

To ensure you're getting the most out of Microsoft Azure's customer support, it's essential to familiarize yourself with the CIS Microsoft Azure Foundations Benchmark recommendations, particularly those related to encryption and key management.

Here are some key recommendations to keep in mind:

Microsoft Azure's customer support is designed to help you resolve issues and implement best practices for security and compliance. By leveraging these resources and staying up-to-date with the latest recommendations and guidelines, you can ensure a secure and compliant environment for your Azure deployment.

In the realm of security and compliance, setting expiration dates for keys and secrets is a crucial practice to prevent potential attackers from exploiting them.

It's essential to ensure that all keys in Non-RBAC Key Vaults have an expiration date. This includes setting a defined expiration date, rather than making them permanent, as permanent keys can provide attackers with more time to compromise them.

CIS Microsoft Azure Foundations Benchmark recommendation 8.2, 8.3, 8.4, 8.5, and 8.7 emphasize the importance of setting expiration dates for keys and secrets in Non-RBAC Key Vaults.

To ensure compliance, you can follow these best practices:

By setting expiration dates for keys and secrets in Non-RBAC Key Vaults, you can significantly reduce the risk of security breaches and ensure your organization remains compliant with industry standards.

Evaluating your environment is a crucial step in ensuring security and compliance. You can use Steampipe's Azure Compliance mod to check your Azure subscriptions against CIS Benchmarks.

This mod includes hundreds of controls that check for compliance with various standards, including HIPAA HITRUST and NIST. You can install and configure the Steampipe Azure plugin to get started.

To evaluate your environment, download Steampipe and install the Azure plugin. Then, run these commands to get started. If you've already installed Steampipe and the Azure plugin, and cloned the Azure Compliance mod, you can skip this step.

Steampipe allows you to output results in various formats, including JSON, CSV, and HTML. You can also use custom output templates to create new formats.

To view the Azure CIS v1.5 benchmark report in your browser, run a specific command in the cloned repo. Then, open http://localhost:9194 in your browser to view the dashboard.