Cloud Security – Who’s Responsible?

If you manage a single cloud tenant with a single subscription, the roles and responsibilities for security can usually be handled by a small SecOps team.

But if your organization has dozens or hundreds of departments, the much more hierarchical structure that results can quickly become difficult for a single security team to keep control over.

So what often happens is that departments are handed the security administrator role for their own resources and users.

And before you know it, SecOps has lost control of who’s making changes to what.

Fear not, this isn’t a terrible thing, but it’s important to put checks in place to ensure simple practices are being followed.

One approach:

  • Perform a security audit that produces a list of the security categories of interest. (This audit should cover both high level and lower level topics, so you can easily end up with hundreds of checks.) Example high level topics:
    • Identity & Access Controls
    • Logging, Monitoring and Reporting
    • Data Protection
    • Network Security
    • Endpoint Protection
    • Inventory Management
    • Configuration Management
    • Vulnerability Management
  • Create a list of relevant security checks from the above audit (this checklist is much shorter than the original security audit, since the departmental security admins have a much smaller set of security responsibilities).
  • Identify a security owner for each relevant department/group.
  • Require each security owner to perform periodic checks and report back to the SecOps team.

Not only does the above approach give the security owners clear security checks and responsibilities, it also gives the SecOps team a way to track security in a growing organization without getting overwhelmed. And as security owners come and go from the organization, the new owners are quickly identified by the SecOps team, which avoids gaps in maintaining security controls.

Simple Guide to Cyber Resiliency in Azure/O365

So I skimmed NIST 800-160 V2 – it’s all about ‘Cyber Resiliency’.

What is cyber resiliency?

“The ability to deliver an intended outcome, despite adverse cyber events”

My thoughts on NIST 800-160 vol 2:

Once you understand the basics you might consider these points as a starting approach:

Perform a ‘cyber resilience maturity audit’

Using 800-160 V2 create a checklist to discuss and better understand your organization’s maturity around cyber resiliency.

Identify security tools to enable and improve your cyber resiliency, e.g.:

Microsoft Defender for Cloud – Use the built-in NIST regulatory standards to enforce resilient configuration of resources, e.g. don’t allow VMs without backups enabled and redundancy features configured.

O365 Compliance Manager – Create assessments using the NIST templates to identify misconfigurations.

Microsoft Secure Score – use the Secure Scores available in O365 and Azure to improve security posture.

Sentinel – Configure alerts to monitor resiliency related issues.

Some more references

High level objectives:

Areas in red can be monitored using Sentinel and Defender for Cloud (and possibly other tools; these are just the ones I know about):

Here is where 800-160 refers to other NIST controls, some of which are available as templates within Defender for Cloud and O365 Compliance Manager (800-70 and 800-37 are premium templates, so extra $$):

References

CSF – general cyber security framework

https://www.nist.gov/cyberframework/framework

800-53 – Security and Privacy Controls for Federal Information Systems and Organizations

800-171 – information protection

800-160 – Cyber Resiliency

Working with Azure Policy

Azure Policy is a big deal.

In addition to being a central feature of Azure, it’s at the core of Microsoft’s Defender for Cloud.

Simply put, Azure Policy provides rules that say what you can and can’t do to your resources in Azure.

Defender for Cloud is Microsoft’s CSPM (cloud security posture management) product, and Azure Policy is what it uses to regulate, identify, alert on and enforce against misconfigurations in Azure, as well as AWS and GCP (Google Cloud).

Here’s an example of using Azure Policy.

If something below doesn’t make sense, watch the video here from Blaize Stewart.

(For maintenance tips, jump to the bottom of the article)

Tip: the Boolean logic in policies can be confusing, so pay close attention to it.

Example: NIC must have an NSG when created:

This logic below says:

IF [TRUE] THEN DENY

But inside the [TRUE] there’s another Boolean checking for FALSE.

So oddly enough, if the result is ‘false’ then the logic in the {} is TRUE!!!

Example:

  if [ …. ] then deny.

  all of these must match:
    scope field is securityRules
    if all of these are true [
      access = allow
      direction = inbound
    ]
    AND any of:
    [
      securityRules: destinationPortRange notIn [parameters(‘allowed’)]
    ]

<so this is saying: check for ports that aren’t in the defined allowed list>

If that port match is TRUE, then DENY.

Creating a policy:

An Initiative is a GROUP of one or more policies.

The second example policy above required a list of ports, so when you create an initiative you must provide the array/list of ports:

Create an ‘assignment’ from your initiative:

The main step for the assignment is to set the scope

(e.g. these policies take effect for all resources inside a resource group):

So now what is this policy initiative enforcing?

If you don’t set the NIC correctly, you get a rather meaningless error like this:

However if you click on ‘Click here for details’ you get a better description:

But the BEST description comes from the raw error tab.

As another example, try to edit an existing NSG and add a port that’s out of the defined range above:
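The NIC/NSG walkthrough above, carried through in Az PowerShell as an added example (not the post’s own code, nor the policy from the video): the policy rule with the allOf/anyOf/notIn logic described earlier, its parameter declaration, and an assignment scoped to one resource group. The definition name, resource group, port values and the two-branch shape of the rule are assumptions; the field aliases are the standard Azure Policy aliases for NSG security rules.

```powershell
# Added example, not the post's own code: the NSG inbound-port policy described
# above, built and assigned with Az PowerShell. Names, scope and ports are assumed.
$nsg = 'Microsoft.Network/networkSecurityGroups'

# Rule logic, as in the post: for an NSG, count Allow+Inbound rules whose
# destinationPortRange is NOT in the allowed list; any hit (> 0) means deny.
# The second branch catches a single rule PUT to the securityRules child resource,
# which is what the portal sends when you edit one rule of an existing NSG.
$rule = @"
{ "if": { "anyOf": [
    { "allOf": [
        { "field": "type", "equals": "$nsg" },
        { "count": { "field": "$nsg/securityRules[*]", "where": { "allOf": [
            { "field": "$nsg/securityRules[*].access",               "equals": "Allow" },
            { "field": "$nsg/securityRules[*].direction",            "equals": "Inbound" },
            { "field": "$nsg/securityRules[*].destinationPortRange", "notIn":  "[parameters('allowedPorts')]" }
          ] } }, "greater": 0 }
    ] },
    { "allOf": [
        { "field": "type", "equals": "$nsg/securityRules" },
        { "field": "$nsg/securityRules/access",               "equals": "Allow" },
        { "field": "$nsg/securityRules/direction",            "equals": "Inbound" },
        { "field": "$nsg/securityRules/destinationPortRange", "notIn":  "[parameters('allowedPorts')]" }
    ] }
  ] },
  "then": { "effect": "deny" } }
"@

# Parameter declaration: the port array an initiative/assignment must supply.
$params = '{ "allowedPorts": { "type": "Array", "metadata": { "displayName": "Allowed inbound destination ports" } } }'

# Mode All is needed so the securityRules child type (no tags/location) is evaluated.
$definition = New-AzPolicyDefinition -Name 'deny-nsg-inbound-ports-not-allowed' `
    -DisplayName 'Deny inbound NSG rules to ports outside the allowed list' `
    -Mode 'All' -Policy $rule -Parameter $params

# Assign at resource-group scope and supply the allowed list (constructed values).
$rg = Get-AzResourceGroup -Name 'rg-example'
New-AzPolicyAssignment -Name 'nsg-allowed-ports' -Scope $rg.ResourceId `
    -PolicyDefinition $definition -PolicyParameterObject @{ allowedPorts = @('443', '22') }
```

Rules written with the plural destinationPortRanges property are a separate case this example does not handle; a rule with destinationPortRange "*" is denied, since "*" is not in the list.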

Azure Policy Maintenance Tips

Use PowerShell commands to export your policies for backup and re-use/sharing.

Assign ALL policies to the variable $definitions:
$definitions = Get-AzPolicyDefinition

Get a count:
$definitions.count

Show the first policy:
$definitions[0]

Convert a single policy to JSON (use -Depth, because the default depth of 2 truncates the nested policyRule):
$definitions[0] | ConvertTo-Json -Depth 20

(thanks to DCtheGeek)
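Putting the export tip together, as an added example (not the post’s own code): dump every custom policy definition in the current subscription to its own JSON file so it can be backed up or shared. The output folder name is an assumption.

```powershell
# Added example, not the post's own: export every custom policy definition to one
# JSON file each, for backup or sharing. The output folder name is an assumption.
$backupDir = Join-Path (Get-Location) 'policy-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# -Custom skips the thousands of built-in definitions, which you can't modify anyway.
$definitions = Get-AzPolicyDefinition -Custom

foreach ($d in $definitions) {
    # Default ConvertTo-Json depth is 2, which flattens the nested policyRule
    # into "System.Collections.Hashtable"; use a deep enough -Depth to keep it.
    $d | ConvertTo-Json -Depth 20 |
        Set-Content -Path (Join-Path $backupDir "$($d.Name).json") -Encoding utf8
}

"Exported $($definitions.Count) custom definition(s) to $backupDir"
```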

Important References for when you’re ready to get dirty

Design Azure Policy as Code workflows – Azure Policy | Microsoft Docs

https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure

List of built-in policy initiatives – Azure Policy | Microsoft Docs

GitHub – Azure/azure-policy: Repository for Azure Resource Policy built-in definitions and samples

Microsoft Cloud Training and Education

new links for 2022 (that I didn’t find in 2021…)

lots of new training here (2022):

https://msuspartners.eventbuilder.com/microsoftsecurityandcompliance

https://demo.microsoft.com

Full list of study guides!!!

https://www.skylinesacademy.com/resources