Welcome back to the Security Controls in Microsoft Defender for Cloud blog series! This time we are here to talk about the security control: Encrypt data in transit.
Data must be encrypted when transmitted across networks to protect against eavesdropping of network traffic by unauthorized users. In cases where source and target endpoint devices are within the same protected subnet, data transmission must still be encrypted due to the potential for high negative impact of a data breach. The types of transmission may include client-to-server, server-to-server communication, as well as any data transfer between core systems and third-party systems.
Examples of insecure network protocols and their secure alternatives include:
| | Instead of... | Use... |
| --- | --- | --- |
| Web Access | HTTP | HTTPS |
| File transfer | FTP, RCP | FTPS, SFTP, SCP, WebDAV over HTTPS |
| Remote Shell | Telnet | SSH2 |
| Remote desktop | VNC | RDP |
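As an added example (not part of the original post), the following script applies the table above to application configuration text: it extracts every URL, flags the ones whose scheme is a cleartext protocol, and names the encrypted alternative from the table. It deliberately reports endpoints on private addresses and localhost too, because the control requires encryption even inside a protected subnet. The sample configuration lines are constructed for the demo; RCP has no URL form and is therefore not matched.

```python
"""Find endpoints in configuration text that use cleartext protocols.

Added example, not from the original post. The scheme -> alternative
mapping follows the table above; SAMPLE_CONFIG is constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Cleartext scheme -> encrypted alternative(s), from the table above.
INSECURE_SCHEMES = {
    "http": "https",
    "ftp": "ftps or sftp/scp",
    "telnet": "ssh2",
    "vnc": "rdp (or VNC tunnelled over SSH/TLS)",
}

# Any "scheme://..." token up to whitespace or a quote/bracket.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s'\"<>]+", re.IGNORECASE)


def find_insecure_endpoints(config_text):
    """Return (line_no, scheme, host, recommended) for every cleartext URL.

    Every match counts, including hosts on the same subnet or localhost:
    the control requires encryption for those transfers as well.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            parts = urlsplit(match.group(0))
            scheme = parts.scheme.lower()
            if scheme in INSECURE_SCHEMES:
                findings.append(
                    (line_no, scheme, parts.hostname or "", INSECURE_SCHEMES[scheme])
                )
    return findings


# Constructed sample settings file: a mix of encrypted and cleartext endpoints.
SAMPLE_CONFIG = """\
# constructed sample application settings
api_base_url = https://api.contoso.example/v1
report_upload = ftp://files.contoso.example/incoming
legacy_metrics = http://10.0.0.12:8080/metrics    # same subnet, still cleartext
backup_target = sftp://backup.contoso.example/vault
console = telnet://switch01.contoso.example
"""


def main():
    for line_no, scheme, host, fix in find_insecure_endpoints(SAMPLE_CONFIG):
        print(f"line {line_no}: {scheme}://{host} -> use {fix}")


if __name__ == "__main__":
    main()
```

Running the script reports lines 3, 4 and 6 of the sample; the `https://` and `sftp://` entries pass. Point it at real settings files or environment dumps to get a first inventory of cleartext endpoints before working through the recommendations below.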
As of this writing (March 2021) this control includes 22 recommendations, and this list constantly grows as we add additional resources, e.g. AWS or GCP services. Your actual list may be different, depending on the types of resources you have in your environment. To increase your Secure Score by 2% (1 point) you will have to remediate all active recommendations.
Just a reminder, recommendations flagged as “Preview” are not included in the calculation of your Secure Score. However, they should still be remediated wherever possible, so that when the preview period ends, they will contribute towards your score.
Microsoft Defender for Cloud provides a comprehensive description, manual remediation steps, additional helpful information, and a list of affected resources for all recommendations.
Some of the recommendations might have a “Quick Fix!” option that allows you to quickly remediate the issue. In such cases we also provide a “View remediation logic” option so that you can review what happens behind the scenes when you click the “Remediate” button. In addition, you may use the remediation scripts in your own automations/templates to avoid similar issues in the future.
Let’s now review the most common recommendations from this security control.
Secure transfer to storage accounts should be enabled.
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
You can find the related Azure policy here.
The manual remediation steps for this recommendation are:
- In your storage account, go to the 'Configuration' page.
- Enable 'Secure transfer required'.
Please review our documentation to learn more about this configuration option.
Web Application should only be accessible over HTTPS.
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
You can find the related Azure policy here.
The manual remediation steps for this recommendation are:
- Go to the app service custom domains page
- In the HTTPS Only toggle select On
TLS should be updated to the latest version for your web app.
Transport Layer Security (TLS), like Secure Sockets Layer (SSL), is an encryption protocol intended to keep data secure when being transferred over a network. TLS 1.0 is a security protocol first defined in 1999 for establishing encryption channels over computer networks. Microsoft has supported this protocol since Windows XP/Server 2003. While no longer the default security protocol in use by modern Operating Systems, TLS 1.0 is still supported for backwards compatibility. Evolving regulatory requirements as well as new security vulnerabilities in TLS 1.0 provide corporations with the incentive to disable TLS 1.0 entirely.
Recommendation: Upgrade to the latest TLS version.
You can find the related Azure policy here.
The manual remediation steps for this recommendation are:
- Navigate to Azure App Service
- Select TLS/SSL settings
- Under the Protocol Settings section, choose the latest Minimum TLS Version.
Please review our documentation to learn more about why upgrading to TLS 1.2 is very important.
FTPS should be required in your web App.
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
You can find the related Azure policy here.
The manual remediation steps for this recommendation are:
- Go to the App Service for your API app
- Select Configuration and go to the General Settings tab
- In FTP state, select FTPS only.
Function App should only be accessible over HTTPS.
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
You can find the related Azure policy here.
The manual remediation steps for this recommendation are:
- Go to the Function App service custom domains page
- In the HTTPS Only toggle select On
Please review our documentation to learn more about serverless functions security.
TLS should be updated to the latest version for your function app.
Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.
Recommendation: Upgrade to the latest TLS version.
You can find the related Azure policy here.
The manual remediation steps for this recommendation are:
- Navigate to Azure App Service
- Select TLS/SSL settings
- Under the Protocol Settings section, choose the latest Minimum TLS Version.
Please review our documentation to learn more about why upgrading to TLS 1.2 is very important.
FTPS should be required in your function App.
You can use FTP or FTPS to deploy your web app, function app, mobile app backend, or API app to Azure App Service. For enhanced security, you should allow FTP over TLS/SSL only. You can also disable both FTP and FTPS if you don't use FTP deployment.
You can find the related Azure policy here.
The manual remediation steps for this recommendation are:
- Go to the App Service for your API app
- Select Configuration and go to the General Settings tab
- In FTP state, select FTPS only.
Please review our documentation to learn more about serverless functions security.
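The storage account, web app and function app recommendations above (secure transfer, HTTPS only, minimum TLS version and FTPS state) all boil down to one or two resource properties each. The following added example (not from the original post or from Defender for Cloud's own remediation logic) audits those properties over records shaped like ARM resource output and prints the Azure CLI command that fixes each finding. It goes slightly beyond the post by ordering TLS versions so that 1.3 also satisfies the 1.2 requirement. The resource records are constructed; the storage property is the ARM name `supportsHttpsTrafficOnly` (the CLI shows it as `enableHttpsTrafficOnly`), and a missing `minTlsVersion` is treated as 1.0, an assumption chosen to fail safe.

```python
"""Audit App Service, Function App and storage account settings for the
data-in-transit recommendations and emit the Azure CLI remediation.

Added example, not from the original post. Records are constructed to look
like ARM properties; a missing minTlsVersion is assumed to be 1.0.
"""

TLS_ORDER = {"1.0": 0, "1.1": 1, "1.2": 2, "1.3": 3}
REQUIRED_TLS = "1.2"  # the "latest" version the recommendation asks for


def _tls_at_least(version, minimum):
    """True when `version` is at least `minimum`; unknown strings fail."""
    return TLS_ORDER.get(str(version), -1) >= TLS_ORDER[minimum]


def check_site(site):
    """Findings for a web app or function app (both share these properties)."""
    cli = "functionapp" if "functionapp" in site.get("kind", "") else "webapp"
    name, rg = site["name"], site["resourceGroup"]
    cfg = site.get("siteConfig", {})
    findings = []
    if not site.get("httpsOnly", False):
        findings.append((name, "httpsOnly",
                         f"az {cli} update -n {name} -g {rg} --set httpsOnly=true"))
    if not _tls_at_least(cfg.get("minTlsVersion", "1.0"), REQUIRED_TLS):
        findings.append((name, "minTlsVersion",
                         f"az {cli} config set -n {name} -g {rg} "
                         f"--min-tls-version {REQUIRED_TLS}"))
    # FtpsOnly and Disabled are both acceptable; AllAllowed leaves plain FTP open.
    if cfg.get("ftpsState", "AllAllowed") not in ("FtpsOnly", "Disabled"):
        findings.append((name, "ftpsState",
                         f"az {cli} config set -n {name} -g {rg} --ftps-state FtpsOnly"))
    return findings


def check_storage(account):
    """Finding for a storage account that still accepts HTTP requests."""
    name, rg = account["name"], account["resourceGroup"]
    if account.get("supportsHttpsTrafficOnly", False):
        return []
    return [(name, "supportsHttpsTrafficOnly",
             f"az storage account update -n {name} -g {rg} --https-only true")]


def audit(sites, accounts):
    findings = []
    for site in sites:
        findings.extend(check_site(site))
    for account in accounts:
        findings.extend(check_storage(account))
    return findings


# Constructed sample resources: one weak web app, one compliant function app,
# one storage account still on HTTP and one already fixed.
SAMPLE_SITES = [
    {"name": "shop-web", "resourceGroup": "rg-prod", "kind": "app",
     "httpsOnly": False,
     "siteConfig": {"minTlsVersion": "1.0", "ftpsState": "AllAllowed"}},
    {"name": "orders-func", "resourceGroup": "rg-prod", "kind": "functionapp,linux",
     "httpsOnly": True,
     "siteConfig": {"minTlsVersion": "1.2", "ftpsState": "FtpsOnly"}},
]
SAMPLE_ACCOUNTS = [
    {"name": "stlegacylogs", "resourceGroup": "rg-prod", "supportsHttpsTrafficOnly": False},
    {"name": "stprodassets", "resourceGroup": "rg-prod", "supportsHttpsTrafficOnly": True},
]

if __name__ == "__main__":
    for name, prop, fix in audit(SAMPLE_SITES, SAMPLE_ACCOUNTS):
        print(f"{name}: {prop} non-compliant -> {fix}")
```

In practice the input lists come from `az webapp list`, `az functionapp list` (with `az webapp config show` / `az functionapp config show` for the site config) and `az storage account list`; the printed commands can be reviewed and then run, or folded into a pipeline step so the settings are enforced at deployment rather than after the fact.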
Enforce SSL connection should be enabled for MySQL database servers.
Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
You can find the related Azure policy here.
The manual remediation steps for this recommendation are:
- Select your Azure Database for MySQL.
- In Connection Security, set Enforce SSL connection to 'Enabled'.
Please review our documentation to learn more about this configuration option.
Enforce SSL connection should be enabled for PostgreSQL database servers.
Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
You can find the related Azure policy here.
The manual remediation steps for this recommendation are:
- Select your Azure Database for PostgreSQL.
- In Connection Security, set Enforce SSL connection to 'Enabled'.
Please review our documentation to learn more about this configuration option.
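Enforcing SSL on the MySQL and PostgreSQL server side rejects cleartext sessions, but the application should also demand encryption on its side and verify the server's certificate; otherwise a misconfigured or legacy client silently depends on the server for protection. The following added example (not from the original post) audits client connection strings for both engines. It assumes the documented option names and defaults of libpq (`sslmode`, default `prefer`) and of the MySQL command-line client (`ssl-mode`, default `PREFERRED`); other drivers have their own names, so adapt the two lookup tables. The sample connection strings are constructed.

```python
"""Audit client-side database connection strings for TLS settings.

Added example, not from the original post. Option names and defaults are
those documented for libpq and the MySQL command-line client; other drivers
differ. Sample strings are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Weakest -> strongest, as documented for the two clients.
PG_SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
MY_SSLMODES = ["DISABLED", "PREFERRED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"]


def _params(conn):
    """Return (options, engine) from a URI or a libpq keyword=value string."""
    if "://" in conn:
        parts = urlsplit(conn)
        opts = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
        return opts, parts.scheme.lower()
    opts = {}
    for token in conn.split():          # libpq style: host=... sslmode=...
        if "=" in token:
            key, value = token.split("=", 1)
            opts[key.lower()] = value
    return opts, "postgresql"


def assess(conn):
    """Return (engine, mode, encrypted, reason) for one connection string."""
    opts, engine = _params(conn)
    if engine.startswith("postgres"):
        mode = opts.get("sslmode", "prefer").lower()                  # libpq default
        order, required, verify = PG_SSLMODES, "require", "verify-full"
    elif engine == "mysql":
        mode = opts.get("ssl-mode", opts.get("ssl_mode", "PREFERRED")).upper()
        order, required, verify = MY_SSLMODES, "REQUIRED", "VERIFY_IDENTITY"
    else:
        return (engine, None, False, "unknown engine")
    if mode not in order:
        return (engine, mode, False, "unrecognised mode")
    rank = order.index(mode)
    if rank < order.index(required):
        return (engine, mode, False, f"may fall back to cleartext; set {required} or better")
    if rank < order.index(verify):
        return (engine, mode, True, f"encrypted, but server identity not verified; prefer {verify}")
    return (engine, mode, True, "encrypted and server identity verified")


# Constructed sample connection strings (hosts are placeholders).
SAMPLES = [
    "postgresql://app@pg-prod.postgres.database.azure.com:5432/orders?sslmode=verify-full",
    "postgresql://app@pg-prod.postgres.database.azure.com:5432/orders",
    "host=pg-dev.postgres.database.azure.com dbname=orders user=app sslmode=disable",
    "mysql://app@my-prod.mysql.database.azure.com:3306/shop?ssl-mode=REQUIRED",
    "mysql://app@my-prod.mysql.database.azure.com:3306/shop?ssl-mode=DISABLED",
]


def audit(samples=SAMPLES):
    return [assess(s) for s in samples]


if __name__ == "__main__":
    for engine, mode, ok, reason in audit():
        print(f"{engine:<10} {str(mode):<14} {'OK ' if ok else 'FAIL'} {reason}")
```

Note that the second sample sets no mode at all and is still reported, because the libpq default `prefer` is an opportunistic setting: it encrypts only when the server offers TLS, which is exactly the case that server-side enforcement is meant to close. The `require` and `REQUIRED` levels guarantee encryption but not the server's identity, so the script treats them as acceptable with a warning.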
Only secure connections to your Redis Cache should be enabled.
Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
You can find the related Azure policy here.
The manual remediation steps for this recommendation are:
- Go to Redis Caches and select your Redis cache.
- Select 'Advanced settings'.
- For 'Allow access only via SSL', click 'Yes' and then click 'Save'.
It is worth mentioning that this particular recommendation has the “Deny” option, which allows you to prevent the creation of potentially insecure or non-compliant resources, for instance:
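To show what the “Deny” option does at deployment time, here is an added example (not from the original post and not the Azure Policy engine itself) that evaluates a built-in style policy definition against a resource payload. It implements only the small subset of the policy language that the rule below needs: `field` with `equals`/`notEquals`/`exists`, `allOf`/`anyOf`/`not`, and the parameterised `effect`. The rule mirrors the Redis recommendation above (the non-SSL port must be off). The alias-to-property mapping (`<resourceType>/<prop>` resolving to `properties.<prop>`) is a simplification assumed for the demo, and the resource payloads are constructed.

```python
"""Evaluate an Azure Policy style rule with Audit/Deny/Disabled effects.

Added example, not from the original post and not the real policy engine:
it supports only the language subset used by the rule below. The alias
resolution rule and the resource payloads are constructed for the demo.
"""

# Built-in style definition: flag or deny Redis caches with the non-SSL port on.
REDIS_SSL_ONLY_POLICY = {
    "parameters": {
        "effect": {
            "type": "String",
            "allowedValues": ["Audit", "Deny", "Disabled"],
            "defaultValue": "Audit",
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Cache/Redis"},
                {"field": "Microsoft.Cache/Redis/enableNonSslPort", "equals": "true"},
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    },
}


def resolve_field(field, resource):
    """Map a policy field or alias to a value in the resource payload.

    Assumed convention: '<resourceType>/<prop>' refers to properties.<prop>
    and only applies when the resource is of that type.
    """
    if field in ("type", "name", "location"):
        return resource.get(field)
    rtype, _, prop = field.rpartition("/")
    if rtype.lower() != str(resource.get("type", "")).lower():
        return None
    return resource.get("properties", {}).get(prop)


def _norm(value):
    """Policy comparisons are case-insensitive string comparisons."""
    return str(value).lower() if value is not None else None


def matches(condition, resource):
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = resolve_field(condition["field"], resource)
    if "equals" in condition:
        return _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:
        return _norm(value) != _norm(condition["notEquals"])
    if "exists" in condition:
        return (value is not None) == (_norm(condition["exists"]) == "true")
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resource, effect_param=None):
    """Return 'Deny', 'Audit', 'Disabled' or 'Compliant' for one resource.

    effect_param stands in for the value chosen on the policy assignment;
    when omitted the definition's defaultValue applies.
    """
    effect = effect_param or policy["parameters"]["effect"]["defaultValue"]
    if effect == "Disabled":
        return "Disabled"
    return effect if matches(policy["policyRule"]["if"], resource) else "Compliant"


def deploy(policy, resource, effect):
    """Simulate a create request: (accepted, verdict). Deny rejects it."""
    verdict = evaluate(policy, resource, effect)
    return verdict != "Deny", verdict


# Constructed payloads: a cache with the non-SSL port on, a compliant cache,
# and an unrelated resource type the rule must ignore.
CACHE_INSECURE = {"type": "Microsoft.Cache/Redis", "name": "cache-legacy",
                  "properties": {"enableNonSslPort": True}}
CACHE_SECURE = {"type": "Microsoft.Cache/Redis", "name": "cache-prod",
                "properties": {"enableNonSslPort": False}}
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "stprod",
           "properties": {"supportsHttpsTrafficOnly": False}}

if __name__ == "__main__":
    for res in (CACHE_INSECURE, CACHE_SECURE, STORAGE):
        print(res["name"], deploy(REDIS_SSL_ONLY_POLICY, res, "Deny"))
```

With the assignment set to Audit the insecure cache is merely reported (which is what feeds the recommendation), while with Deny the same create request is rejected before the resource exists; the storage account is untouched by this rule because its type clause does not match.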
Reference:
- Security controls and their recommendations
- Security recommendations - a reference guide
- Recommendations with deny/enforce options
P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Defender for Cloud news, announcements and get your questions answered by Azure Security experts.