Securing Azure 1 – Introduction

In this series we will be looking at securing an Azure cloud tenant from scratch. At this stage, our environment does not have any virtual machines (VMs), virtual networks, web application firewalls or other Azure services. This will be an Azure tenant and O365 subscription with a Business Premium licence, which means we have an Azure P1 licence.

Firstly, Microsoft has made massive progress in provisioning secure-by-default infrastructure to customers, including the introduction of security defaults. If you are using the free version of Azure then security defaults are probably right for you and you should enable them using the security defaults guide. Note, however, that if your tenant was created after October 22, 2019 then security defaults will already be enabled.
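As an added example (not part of the original post), the following PowerShell reads the tenant creation date and the security defaults enforcement policy through the Microsoft Graph PowerShell SDK, so you can confirm the state described above rather than assume it. It assumes the Microsoft.Graph module is installed and that the signed-in account has the Policy.Read.All scope (and Policy.ReadWrite.ConditionalAccess if you choose to enable the setting).

```powershell
# Added example: check (and optionally enable) Azure AD security defaults.
# Assumes the Microsoft.Graph PowerShell SDK is installed:
#   Install-Module Microsoft.Graph -Scope CurrentUser
param(
    [switch]$Enable   # pass -Enable to turn security defaults on if they are off
)

$scopes = @("Policy.Read.All", "Organization.Read.All")
if ($Enable) { $scopes += "Policy.ReadWrite.ConditionalAccess" }
Connect-MgGraph -Scopes $scopes | Out-Null

# Tenant creation date: tenants created after 22 Oct 2019 get security defaults on by default.
$org = Get-MgOrganization
$cutover = [datetime]"2019-10-22"
Write-Host ("Tenant '{0}' created {1:yyyy-MM-dd}" -f $org.DisplayName, $org.CreatedDateTime)
if ($org.CreatedDateTime -lt $cutover) {
    Write-Host "Tenant predates the security defaults cutover; verify the setting explicitly."
}

# Read the actual enforcement policy rather than relying on the creation date.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host ("Security defaults enabled: {0}" -f $policy.IsEnabled)

if (-not $policy.IsEnabled -and $Enable) {
    # Caveat: security defaults cannot coexist with Conditional Access policies.
    # If any exist (requires a P1 licence), the update below is rejected by the service.
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    $policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    Write-Host ("Security defaults now enabled: {0}" -f $policy.IsEnabled)
}

Disconnect-MgGraph | Out-Null
```

On a P1 tenant that already uses Conditional Access, leave security defaults off and cover the same controls (MFA for all users, blocking legacy authentication) with explicit policies instead.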

Microsoft also provides a tonne of guidance on Azure security. In particular we are going to use a combination of the recommendations within the Azure portal, the newly rebranded “Microsoft Cloud Security Benchmark”, and the “Technical Guide – Office 365 UK Blueprint – Secure Configuration Alignment”.

First off, the security recommendations found in Defender for Cloud in the Azure portal are based on the “Microsoft Cloud Security Benchmark”. The Microsoft Cloud Security Benchmark is the Microsoft-authored set of guidelines for security and compliance best practice, based on common compliance frameworks such as the CIS Controls and NIST. You can find the reference table for the framework here.

The Microsoft Cloud Security Benchmark or MCSB (previously known as the Azure Security Benchmark – ASB) is broken into 12 sections and is available as a downloadable spreadsheet here.

We will also break our series into the following sections, which align with this benchmark.

  • Network security
  • Identity management
  • Privileged access
  • Data protection
  • Asset management
  • Logging and threat detection
  • Incident response
  • Posture and vulnerability management
  • Endpoint security
  • Backup and recovery
  • DevOps security
  • Governance and strategy

The “Technical Guide – Office 365 UK Blueprint – Secure Configuration Alignment” contains a configuration for “Good”, “Better” and “Best”, each of which has also been aligned to the required Microsoft licensing as shown below.

Even though we do not possess the required licence level for all the “Best” controls, we can still refer to this document as a great resource for a well-secured tenant, as it was prepared for the UK Government in partnership with Microsoft. The most recent version was updated in 2021.

Using these three resources we are going to secure our tenant, but it doesn’t stop there: this is not a one-time thing. We need to be continually assessing and improving, so we will also look at how to keep making improvements so that our security programme does not stagnate. One of the biggest obstacles to security improvements is the urge to do everything at once. Accept that you can’t implement all the required controls in one go; you need a roadmap, an understanding of cyber security maturity, and a clear view of your own threat exposure.

Understanding that making two minor successful changes in six months is more productive than attempting twenty unsuccessful changes over the same period is paramount to achieving constant incremental improvement.

An example is this diagram from Microsoft, which shows a recommended roadmap for securing privileged access.

  • Stage 1 (24-48 hours): Critical items that we recommend you do right away
  • Stage 2 (2-4 weeks): Mitigate the most frequently used attack techniques
  • Stage 3 (1-3 months): Build visibility and build full control of administrator activity
  • Stage 4 (six months and beyond): Continue building defenses to further harden your security platform

We can see the recommended approach is to break improvements into stages based on criticality and importance. Bear in mind as we go through this guide that not all of the recommendations and settings will be as important to your environment as they are to ours. It’s really important that you understand your threat exposure, compliance requirements and risk level. That said, the documents we are using should be relevant to most organisations, as they are based on currently accepted best practice.