Security monitoring and regulatory compliance in Microsoft Azure

In the last decade, the popularity of cloud computing has increased manifold. The ubiquitous, on-demand, and convenient way to spin up resources in the cloud has contributed to its rapid adoption.

Why cloud audit?

An organization, irrespective of its cloud deployment model, may perform a cloud audit to evaluate its cloud resources for performance, security controls, enforcement of privacy policies, and so on.

This article focuses on the information security aspect of cloud audits. A cloud security auditor may assess the security controls to establish to what extent they have been implemented correctly and how effective they are, and to identify gaps in them. A cloud audit may also include verification of compliance with regulatory and governance policies.

To gain assurance and to lower the risk of data being lost or compromised, continuous monitoring of cloud resources must be in place.


Azure Security Center

Keeping cloud resources safe is a shared responsibility of the cloud service provider and the cloud resource consumer. This responsibility shifts from the cloud service provider to the consumer as we move from SaaS (Software as a Service) to PaaS (Platform as a Service) and then to IaaS (Infrastructure as a Service).

Azure Security Center (ASC) is an integral part of the IaaS services offered by Microsoft Azure. ASC covers SQL servers, storage accounts, Service Fabric, etc. ASC provides a regulatory compliance dashboard to streamline the process of meeting regulatory standards and compliance requirements. The ASC regulatory compliance dashboard shows the status of all the audits in your Azure subscription against all enabled standards and regulations. ASC also provides recommendations for an administrator to act upon to improve the overall security posture of a cloud deployment in Azure.

Auditing cloud resources in Azure for compliance

How do I get started?

Enable Azure Defender for the subscription

To start a compliance audit in Azure, Azure Defender must be enabled for the subscription. Azure Defender is available free of cost for a 30-day period.

Also, one must have at least the Resource Policy Contributor and Security Admin roles assigned to access the security compliance data in Azure.

The Regulatory Compliance Dashboard

In the Azure portal, navigate to Security Center. From there, select Regulatory compliance.

Azure Security Center: Regulatory Compliance Dashboard

In the ASC regulatory compliance dashboard, one can see the summary of the compliance status of the Azure subscription. In the dashboard, one can also see the overall security score, the number of passing and failing controls for each of the selected regulatory standards.

One can also select the compliance standard of their interest and see the number of passing and failing controls for that standard.

Through this dashboard, an Azure administrator can easily figure out the gaps in security controls with the chosen regulatory requirement or standard.

Adding a new standard

Microsoft has curated a set of controls for the security and compliance requirements of Azure called the Azure Security Benchmark. This benchmark has been tailored from a number of standards, regulatory compliance requirements, and industry best practices. The Azure Security Benchmark is automatically assigned when ASC is enabled for an Azure subscription. One can add more standards and monitor compliance with them. A few of the standards Azure provides are:

  • PCI-DSS
  • HIPAA
  • NIST 800-53
  • Azure CIS 1.1.0, and many more

To add a new standard, click on the Manage Compliance Policies tab in the compliance dashboard and select the subscription/management group. Click on Add More Standards and select the standards relevant to your deployment. Select the scope, remediation task, alert message, and other parameters to add the standard.

Add a new compliance standard in ASC

The newly added standard will be available in the compliance dashboard under the Regulatory and Industry Standards section. Generally, it takes a few minutes to a few hours for the newly added standard to appear in the compliance dashboard.

There is also an option to customize your own standards based on the needs and security posture of your organization.

Compliance and Assessment

The regulatory compliance dashboard provides a summary of the compliance posture of your Azure subscription. You can also select the standard of interest to see a list of all the controls defined in that standard. On clicking a control, you can see all the assessments associated with it, along with which ones are passing and which are failing.

ASC with failing CIS control

In the above screenshot, we see Azure CIS 1.1.0 applied to a subscription. The Azure CIS 1.1.0 standard recommends that a log profile be enabled for all subscriptions, which is not the case here. This failed assessment appears in the ASC compliance dashboard as a failure under the Azure CIS 1.1.0 standard tab.

You will also notice that some controls of a standard are greyed out. This means that these controls don't have an assessment associated with them, for one of the following reasons:

  1. The control is procedural or process-related and cannot be verified by ASC.
  2. The assessment is not yet implemented in ASC.
  3. The control is a shared responsibility between Azure and the cloud customer.

Export Compliance Data

ASC provides the ability to download the compliance status for an applied standard as CSV and PDF reports. Based on the applied standard's assessment data, this report provides an executive summary of the security posture of the Azure subscription. It can be used to close gaps in security, mitigate risks, or serve as evidence for an audit.

ASC also provides a mechanism to export compliance data to an Azure Event Hub or an Azure Log Analytics workspace. This makes integration with other monitoring tools straightforward. ASC provides two options:

  1. Export all compliance data as a continuous stream
  2. Export snapshots of compliance data weekly
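The dashboard counts described above, and the weekly snapshot export, can be reproduced offline once the data is in hand. The following is an added example, not code from the article or from Microsoft: it summarises constructed per-control records (modelled on the regulatoryComplianceControls fields state, passedAssessments, failedAssessments and skippedAssessments, which are assumptions here) and compares two weekly snapshots to list controls that regressed from Passed to Failed and controls that are greyed out because no assessment backs them.

```python
"""Summarise ASC regulatory compliance snapshots and flag regressions.
Added example, not code from the article. Records are constructed, modelled on
the regulatoryComplianceControls fields (state, passedAssessments,
failedAssessments, skippedAssessments); treat the field names as assumptions."""
from collections import Counter

def control(standard, cid, state, passed=0, failed=0, skipped=0):
    """Build one (standard, control) record in the assumed export shape."""
    return {"standard": standard, "control": cid, "state": state,
            "passedAssessments": passed, "failedAssessments": failed,
            "skippedAssessments": skipped}

# Constructed weekly snapshots of two standards applied to one subscription.
LAST_WEEK = [
    control("Azure-CIS-1.1.0", "5.1.1", "Passed", passed=1),  # log profile exists
    control("Azure-CIS-1.1.0", "7.1", "Passed", passed=3),    # OS disks encrypted
    control("Azure-CIS-1.1.0", "1.1", "Unsupported"),         # procedural control
    control("PCI-DSS-3.2.1", "3.4", "Failed", passed=1, failed=2),
]
THIS_WEEK = [
    control("Azure-CIS-1.1.0", "5.1.1", "Failed", failed=1),  # log profile removed
    control("Azure-CIS-1.1.0", "7.1", "Passed", passed=3),
    control("Azure-CIS-1.1.0", "1.1", "Unsupported"),
    control("PCI-DSS-3.2.1", "3.4", "Passed", passed=3),      # remediated
]

def summarise(snapshot):
    """Per-standard Passed/Failed/Unsupported counts, like the dashboard tiles."""
    summary = {}
    for rec in snapshot:
        summary.setdefault(rec["standard"], Counter())[rec["state"]] += 1
    return summary

def regressions(previous, current):
    """Controls that were Passed in the previous snapshot and are Failed now."""
    prev = {(r["standard"], r["control"]): r["state"] for r in previous}
    return sorted((r["standard"], r["control"]) for r in current
                  if r["state"] == "Failed"
                  and prev.get((r["standard"], r["control"])) == "Passed")

def unassessed(snapshot):
    """Greyed-out controls: ones with no ASC assessment behind them."""
    return sorted((r["standard"], r["control"]) for r in snapshot
                  if r["state"] == "Unsupported")

if __name__ == "__main__":
    for std, counts in summarise(THIS_WEEK).items():
        print(f"{std}: {dict(counts)}")
    print("regressed since last week:", regressions(LAST_WEEK, THIS_WEEK))
    print("no assessment available:", unassessed(THIS_WEEK))
```

Fed with two real weekly exports in the same shape, the regressions list is the change set a stakeholder would want to be notified about, independent of the portal.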

To enable continuous export of compliance data in ASC, click on Pricing and settings under the Management section and select the subscription.

ASC: Pricing and settings

Under the Continuous export section, select Regulatory compliance as the exported data type. One can also select a few or all the standards of interest enabled for the subscription.

ASC: Continuous Export

Set up the export configuration by selecting the desired export frequency, the resource group, the event hub namespace, and the event hub policy to which the compliance data will be exported.

ASC: Continuous Export

Events in Azure Event Hub

ASC provides native support to stream compliance data to popular SIEM solutions, including but not limited to:

  • Azure Sentinel
  • Splunk
  • ArcSight
  • Power BI, etc.

Azure Security Center Recommendation

ASC evaluates the resources deployed in your Azure subscription and provides recommendations to mitigate potential vulnerabilities. These recommendations are based on the Azure Security Benchmark and are broadly classified into the following categories:

  1. App Services
  2. Compute
  3. Container
  4. Data
  5. Identity and Access
  6. IoT

Each of the above categories contains multiple recommendations that may apply to an Azure cloud environment.

ASC recommendations can be viewed under the Recommendations section in ASC, where one can filter them by type, severity, environment, etc.

ASC Recommendations

To view a recommendation in detail, click on it. The recommendation details page contains information such as the severity of the recommendation, its refresh interval, a detailed description, steps to remediate the misconfiguration, the list of resources to which the recommendation applies, etc. A resource can also be exempted from the scope of a recommendation from this page.

ASC Recommendation: Disk encryption should be applied on virtual machines

Misconfigured cloud resources can cause security incidents. ASC can prevent misconfiguration of a cloud resource with respect to a security recommendation. This feature is offered in two modes:

  1. Deny: Prevent non-compliant resources from being created
  2. Enforce: Automatically remediate non-compliant resources

Not all ASC recommendations have the deny/enforce options available.

Automatically detect changes to the security posture

ASC provides a way to generate event triggers on security alerts, recommendations, or changes in compliance state, by means of Logic Apps. For example, an Azure administrator may want to send email notifications to a group of stakeholders whenever a virtual machine is spun up with an unencrypted disk (Azure CIS 1.1.0 recommends that all OS and data disks be encrypted).

To detect changes to the security compliance posture in Azure, and then to act upon it, we will first need to create a Logic App.

A Logic App is an Azure service for orchestrating and scheduling tasks. Go to the Logic Apps section in the Azure portal and create a new Logic App. Next, create a workflow and attach it to the Logic App. Workflow templates for commonly used scenarios are available in Azure; one can either use an existing template or define a new workflow from scratch.

Azure Logic Apps supports three ASC events:

  1. ASC recommendation is created or triggered
  2. ASC alert is created or triggered
  3. ASC regulatory compliance is created or triggered

Logic Apps Designer

Once the Logic App is created, go back to the Workflow automation tab in ASC and click on Add workflow automation. This opens a blade where the workflow automation is defined. Configure the trigger condition for this workflow, which can be the creation or triggering of an ASC recommendation, alert, or regulatory compliance assessment. Under the Actions section, select the Logic App that specifies the action to be taken when the configured event fires.

Azure Logic Apps provides trigger-dependent dynamic content which can be used to generate rich workflow actions. The workflow action is not just for sending alerts. It can also be used to perform a pre-defined task when a security recommendation or alert is triggered.

ASC recommendation sent as email through Logic App

One can also manually trigger Logic Apps for ASC alerts or recommendations. To do so, navigate to recommendations or alerts in ASC and click on the Trigger Alert button.

Security monitoring and regulatory compliance in Microsoft Azure was originally published in Walmart Global Tech Blog on Medium.

Article Link: https://medium.com/walmartglobaltech/security-monitoring-and-regulatory-compliance-in-microsoft-azure-b62710e9ad69?source=rss----905ea2b3d4d1---4