At Microsoft Ignite we're sharing the many new capabilities our teams have built to improve security with Azure Security Center and the Azure Platform. We have a long list of new innovations, and this blog provides our general direction and summarizes some of our favorite new features.
With Azure Security Center our goal is to protect every cloud workload and we have made progress to that goal with new support for containers, and SQL in virtual machines. You’ll be pleased to know that we now include Qualys vulnerability assessment for no additional fee in Azure Security Center standard edition so that you have a richer set of security recommendations. We are further extending Azure Security Center to include partner recommendations with Check Point, Tenable and CyberArk shipping integrations today. We continue to focus on making sure you can maximize your valuable time addressing important security issues with new quick fix capabilities so that you can secure multiple items at once far faster than before, custom policy support, simplifications in secure score including making it a percentage, and more.
On the Azure platform side we have extended Azure Customer Lockbox beyond virtual machines, made it easier to encrypt virtual machine disks directly from the portal, simplified certificates for web sites on custom domains and released a new tool called the Microsoft Secure Code Analysis toolkit to help you build secure code.
If I had just one call to action for each of you it would be to go check out your secure score and address the top five issues in secure score today. Misconfigurations are the leading source of attacks, and improving your secure score can make a remarkable difference in your overall security posture.
The details are below:
Azure Security Center Updates
Azure Security Center provides unified infrastructure security management that strengthens the security posture and provides advanced threat protection across your workloads running in Azure, on-premises, and in other clouds. It enables continuous assessment of security posture, protects against cyberattacks using Microsoft’s vast threat intelligence and helps implement security faster with integrated controls.
With Security Center, you can monitor the security of machines, networks, and Azure services using hundreds of built-in security assessments or create your own in a central dashboard.
Extending Azure Security Center’s coverage with a platform for community and partners
A constantly evolving threat landscape requires new approaches to protection, cloud security posture, enterprise-scale deployment, and automation. Through partnering with members of the Microsoft Intelligent Security Association, Microsoft is able to leverage a vast knowledge pool to defend against a world of increasing cybersecurity threats.
Leverage all of Security Center's capabilities against built-in and partner recommendations. Azure Security Center's simple onboarding flow connects existing solutions, including Check Point CloudGuard, CyberArk and Tenable, enabling you to view all security posture recommendations in a single place. Run unified reports and export Security Center’s recommendations for connected partner products.
We also invite the security community to contribute and improve policies and configurations used in Security Center through the Azure Security Center community menu, a central hub of information for additional scripts, content and community resources to access:
- Azure Security Center GitHub: contains custom policies, remediation scripts, custom Logic Apps playbooks and more, and is open for your usage and contribution
- Central location for Azure Security Center blog posts and customer
- Central enrollment for Azure Security Center private previews
Enhanced threat protection for your cloud resources with Azure Security Center
Azure Security Center's threat protection enables you to detect and prevent threats across a wide variety of services, from the Infrastructure-as-a-Service (IaaS) layer to Platform-as-a-Service (PaaS) resources in Azure such as IoT and App Service, and on to on-premises virtual machines.
Stream threat detection findings to Azure Sentinel for investigation, threat hunting, correlation with signals from other security solutions, and security operations center (SOC) level management.
Going forward, Azure Security Center continues to extend its threat protection capabilities to counter sophisticated threats on cloud platforms:
- Threat Protection and Vulnerability support for SQL servers hosted on Azure Virtual Machines in Public Preview
Azure Security Center’s support for Threat Protection and Vulnerability Assessment for SQL DBs running on IaaS VMs is now in public preview.
- Vulnerability assessment is an easy to configure service that can discover, track, and help you remediate potential database vulnerabilities. It provides visibility into your security posture as part of Azure secure score and includes the steps to resolve security issues and enhance your database fortifications.
- Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your SQL server. It continuously monitors your database for suspicious activities and provides action-oriented security alerts on anomalous database access patterns. These alerts provide the suspicious activity details and recommended actions to investigate and mitigate the threat.
For a complete set of instructions, review the documentation for Advanced data security for SQL Server on VM.
- Vulnerability Assessment is now included as part of Security Center in Public Preview
Applications installed in virtual machines often have vulnerabilities that can lead to a breach of the virtual machine. To address this, we are announcing that the Azure Security Center Standard tier includes built-in vulnerability assessment for virtual machines for no additional fee. Today, Azure Security Center uses proven technology from Qualys that has industry leading vulnerability coverage and support for both Windows and Linux virtual machines. This will allow you to continuously scan all the installed applications on a virtual machine to find vulnerable applications and present the findings in the Security Center portal experience. Security Center takes care of all deployment operations so that no extra work is required from the user. This capability will be available in public preview by end of the month.
- Threat Protection for Azure Key Vault in Public Preview in North America Regions
Azure Key Vault is an essential service for protecting data and improving performance of cloud applications by offering the ability to centrally manage keys, secrets, cryptographic keys and policies in the cloud. Since Azure Key Vault stores sensitive and business critical data, it requires maximum security for the key vaults and the data stored in them.
Azure Security Center’s support for Threat Protection for Azure Key Vault provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit key vaults. This new layer of protection allows customers to address threats against their key vaults without being a security expert or managing security monitoring systems. The feature will be in public preview in North America Regions by end of the month.
- Threat Protection for Azure Storage includes Malware Reputation Screening
Threat protection for Azure Storage offers new detections powered by Microsoft Threat Intelligence for detecting malware uploads to Azure Storage using hash reputation analysis and suspicious access from an active Tor exit node (an anonymizing proxy). You can now view detected malware across storage accounts using Azure Security Center.
- Containers - Threat Protection for Azure Kubernetes Service (AKS) Support in Security Center
Kubernetes is quickly becoming the new standard for deploying and managing software in the cloud. Few people have extensive experience with Kubernetes, and many focus only on general engineering and administration and overlook the security aspect. A Kubernetes environment needs to be configured carefully to be secure, making sure that no container-focused attack surface is left open and exposed to attackers. Security Center is expanding its support in the container space to one of the fastest growing services in Azure - Azure Kubernetes Service (AKS).
The new capabilities in this public preview release include:
- Discovery & Visibility - Continuous discovery of managed AKS instances within Security Center’s registered subscriptions.
- Secure Score recommendations - Actionable items to help customers comply to security best practices in AKS as part of the customer’s Secure Score, such as "Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster".
- Threat Detection - Host and cluster-based analytics, such as “A privileged container detected”.
- Containers - Scan container images in Azure Container Registry (ACR) for vulnerabilities
Azure Security Center can now scan container images in Azure Container Registry for vulnerabilities.
The image scanning works by parsing through the packages or other dependencies defined in the container image file, then checking to see whether there are any known vulnerabilities in those packages or dependencies (powered by a Qualys vulnerability assessment DB).
The scan itself can be automatically triggered when pushing new container images to Azure Container Registry. Found vulnerabilities surface as Security Center recommendations and are included in the Azure Secure Score, together with information on how to patch them to reduce the attack surface they expose.
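To make the matching step concrete, here is a toy version of what an image scanner does once it has the package inventory of an image: compare each installed version against a vulnerability database and turn the gaps into remediation findings. This is an added example, not Qualys or Security Center code; the package manifest, the vulnerability records and the advisory ids are constructed placeholders, and the version comparison is a simplification of dpkg ordering that is sufficient for this data.

```python
"""Toy version of the matching step an image scanner performs: read the
package inventory found in a container image and compare installed versions
against a vulnerability database. Added example, not Qualys or Security
Center code; manifest, records and advisory ids are constructed placeholders."""
import re

# Constructed: a package inventory in the shape `dpkg-query -W -f '${Package} ${Version}\n'` prints.
IMAGE_PACKAGES = """\
openssl 1.1.1c-1
libcurl4 7.64.0-4
zlib1g 1:1.2.11.dfsg-1
bash 5.0-4
"""

# Constructed vulnerability records; the ids are placeholders, not real advisories.
VULN_DB = [
    {"package": "openssl", "id": "EXAMPLE-0001", "fixed_in": "1.1.1d-0", "severity": "High"},
    {"package": "libcurl4", "id": "EXAMPLE-0002", "fixed_in": "7.64.0-4", "severity": "Medium"},
    {"package": "zlib1g", "id": "EXAMPLE-0003", "fixed_in": "1:1.2.12-1", "severity": "Low"},
]

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def _tokens(s):
    # Digit runs compare numerically, letter runs lexically; tagging each token
    # with a type keeps Python from comparing int with str.
    return [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[A-Za-z]+", s)]


def version_key(version):
    """Split a Debian-style 'epoch:upstream-revision' string into comparable parts.
    Simplified relative to dpkg's full ordering, but epoch dominates as it should."""
    epoch, _, rest = version.rpartition(":")
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return (int(epoch or 0), _tokens(upstream), _tokens(revision))


def parse_manifest(text):
    """Map package name -> installed version from the inventory text."""
    packages = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split()
            packages[name] = version
    return packages


def scan(packages, vuln_db):
    """Return findings for installed packages older than the fixed version, most severe first."""
    findings = []
    for record in vuln_db:
        installed = packages.get(record["package"])
        if installed is None:
            continue  # package not present in the image, so the record cannot apply
        if version_key(installed) < version_key(record["fixed_in"]):
            findings.append({
                "package": record["package"],
                "installed": installed,
                "fixed_in": record["fixed_in"],
                "id": record["id"],
                "severity": record["severity"],
                "remediation": f"Rebuild the image with {record['package']} >= {record['fixed_in']}",
            })
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in scan(parse_manifest(IMAGE_PACKAGES), VULN_DB):
        print(f"{f['severity']:<6} {f['id']} {f['package']} {f['installed']} -> {f['remediation']}")
```

Note that a package at exactly the fixed version (libcurl4 here) produces no finding, and a package with no record (bash) is skipped; a real scanner also has to handle distribution backports, where the fix lands in a version string that does not look newer upstream.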
Cloud security posture management enhancements
Misconfiguration is the most common cause of security breaches for cloud workloads. Azure Security Center provides you with a bird’s eye security posture view across your Azure environment, enabling you to continuously monitor and improve your security posture using the Azure Secure Score. Security Center helps manage and enforce your security policies to identify and fix such misconfigurations across your different resources and maintain compliance. We continue to expand our resource coverage and the depth of insights that are available in security posture management.
- Secure Score Simplified
Secure Score is the foundation of Azure Security Center’s security posture management. Today Secure Score is calculated per recommendation, so multiple recommendations that belong to the same attack surface are scored separately, creating more noise and making it harder for the customer to understand which action to take first in order to improve their security posture. This causes fluctuations in score as well as potential misalignment between score and probability of an attack.
Going forward, we are introducing Secure Score Controls, each of which groups multiple recommendations focusing on a specific attack surface (e.g. restrict access to management ports). This will help you get better visibility into the secure score controls and provide a more reliable method for calculating the score. The new functionality will be available in Public Preview by the end of the month. We recommend that you familiarize yourself with the Secure Score changes during the public preview phase and determine which other remediations you can do to further secure your environment.
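The following added example illustrates the control model described above: per-resource assessment results are grouped under controls, each control is scored against a point ceiling, and the total is expressed as a percentage. The control names, point weights, the rule that a resource is healthy for a control only when every recommendation in that control is healthy for it, and the sample data are all assumptions made for illustration; they are not Security Center's published scoring.

```python
"""Group recommendation results into Secure Score controls and derive a
percentage score. Added example: control names, point weights, the scoring
rule and the sample assessments are assumptions for illustration, not
Security Center's published scoring."""
from collections import defaultdict

# Constructed assessment results: one row per (recommendation, resource) pair.
ASSESSMENTS = [
    {"control": "Restrict access to management ports", "recommendation": "Management ports should be closed",
     "resource": "vm-web-01", "healthy": False},
    {"control": "Restrict access to management ports", "recommendation": "Management ports should be closed",
     "resource": "vm-db-01", "healthy": True},
    {"control": "Restrict access to management ports", "recommendation": "Just-in-time access should be applied",
     "resource": "vm-web-01", "healthy": True},
    {"control": "Restrict access to management ports", "recommendation": "Just-in-time access should be applied",
     "resource": "vm-db-01", "healthy": True},
    {"control": "Remediate vulnerabilities", "recommendation": "Vulnerabilities should be remediated",
     "resource": "vm-web-01", "healthy": True},
    {"control": "Remediate vulnerabilities", "recommendation": "Vulnerabilities should be remediated",
     "resource": "vm-db-01", "healthy": True},
    {"control": "Enable MFA", "recommendation": "MFA should be enabled on owner accounts",
     "resource": "subscription-1", "healthy": False},
]

# Constructed point ceilings: the most each control can contribute.
CONTROL_MAX_POINTS = {
    "Restrict access to management ports": 8,
    "Remediate vulnerabilities": 6,
    "Enable MFA": 10,
}


def score_controls(assessments, max_points):
    """Score each control on resources rather than recommendations: a resource
    counts as healthy for a control only when every recommendation in that
    control is healthy for it (an assumption of this example). Scoring this way
    removes the per-recommendation double counting the post describes."""
    resource_state = defaultdict(dict)  # control -> resource -> healthy for the whole control
    for a in assessments:
        ctl, res = a["control"], a["resource"]
        resource_state[ctl][res] = resource_state[ctl].get(res, True) and a["healthy"]
    scores = {}
    for ctl, resources in resource_state.items():
        healthy = sum(1 for ok in resources.values() if ok)
        total = len(resources)
        scores[ctl] = {
            "max": max_points[ctl],
            "score": round(max_points[ctl] * healthy / total, 2),
            "healthy": healthy,
            "total": total,
            "unhealthy_resources": sorted(r for r, ok in resources.items() if not ok),
        }
    return scores


def secure_score_percent(scores):
    """Overall score as a percentage of the points available across all controls."""
    earned = sum(s["score"] for s in scores.values())
    available = sum(s["max"] for s in scores.values())
    return round(100 * earned / available, 2)


def prioritize(scores):
    """Controls ordered by points still to be gained: the 'fix this first' view."""
    return sorted(scores, key=lambda c: scores[c]["max"] - scores[c]["score"], reverse=True)


if __name__ == "__main__":
    result = score_controls(ASSESSMENTS, CONTROL_MAX_POINTS)
    print(f"Secure Score: {secure_score_percent(result)}%")
    for ctl in prioritize(result):
        s = result[ctl]
        print(f"{ctl}: {s['score']}/{s['max']} points, unhealthy: {s['unhealthy_resources']}")
```

With this data the management-ports control earns half its points even though only one of its two recommendations fails, because vm-web-01 is unhealthy for the control as a whole; closing that one gap moves the whole control rather than one recommendation.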
The new Secure Score user interface will look like this:
- Support for custom policies in Public Preview
Our customers have been wanting to extend their current security assessments coverage in Azure Security Center with their own security assessments based on policies that they create in Azure Policy.
We are happy to announce that Azure Security Center supports custom policies in Public Preview release. These new policies will be part of the Azure Security Center recommendations experience, Secure Score and the regulatory compliance standards dashboard. With the support for custom policies, you are now able to create a custom initiative in Azure Policy, add it as a policy in Azure Security Center in a simple click-through onboarding experience, and visualize its assessments as recommendations.
- Additional regulatory compliance standards in Public Preview
The Regulatory Compliance dashboard provides insights into your compliance posture based on Security Center assessments. The dashboard shows how your environment complies with controls and requirements designated by specific regulatory standards and industry benchmarks and provides prescriptive recommendations for how to address these requirements.
The regulatory compliance dashboard has thus far supported four built-in standards: Azure CIS 1.1.0, PCI-DSS, ISO 27001 and SOC-TSP. We are now announcing the public preview release of additional supported standards: NIST SP 800-53 R4, SWIFT CSP CSCF v2020, Canada Federal PBMM and UK Official together with UK NHS. We are also releasing an updated version of Azure CIS 1.1.0, covering more controls from the standard and enhancing extensibility.
- Quick Fix for bulk resources generally available
With the many tasks that a user is given as part of Secure Score, the ability to effectively remediate issues across a large fleet can become challenging.
To simplify remediation of security misconfigurations, quickly remediate recommendations across a bulk of resources and improve your secure score, use Quick Fix remediation.
This operation will allow you to select the resources you want to apply the remediation to and launch a remediation action that will configure the setting on your behalf.
Quick Fix is generally available today to customers as part of the Security Center recommendations blade.
Implement security faster with Azure Security Center
To enable large organizations to leverage Security Center’s findings at enterprise scale, Azure Security Center also provides clear APIs, automation and management capabilities that can help customers connect Security Center to workflows, processes and tools used across the organization.
- Workflow automation with Logic Apps
Organizations with centrally managed security and IT/operations implement internal workflow processes to drive required action within the organization when discrepancies are discovered in their environments. In many cases these workflows are repeatable processes, and automation can greatly reduce overhead and streamline processes within the organization.
Today we are introducing a new capability in Security Center that allows customers to create automation configurations leveraging Azure Logic Apps and to create policies that will automatically trigger them based on specific Security Center findings such as Recommendations or Alerts. A Logic App can be configured to do any custom action supported by the vast community of Logic App connectors, or use one of the templates provided by Security Center such as sending an email or opening a ServiceNow™ ticket. In addition, users are now able to manually trigger a Logic App on an individual alert or recommendation directly from the recommendation or alert page in Azure Security Center.
- Advanced integrations with export of Security Center recommendations and alerts in Public Preview
In order to enable enterprise level scenarios on top of Security Center, you can now consume Security Center alerts and recommendations in places beyond the Azure Portal and API. These can be directly exported to an Event Hub and to Log Analytics workspaces. Here are a few examples of workflows you can create around these new capabilities:
- With Export to Log Analytics workspace, you can create custom dashboards with PowerBI.
- With Export to Event Hub, you will be able to export Security Center alerts and recommendations to your 3rd party SIEMs, to a 3rd party solution in real-time, or Azure Data Explorer.
- Improved reporting for Security Center alerts and recommendations
As part of a Public Preview release, Security Center now offers a downloadable CSV report that can be imported directly into Excel, with detailed data about your Security Center alerts and recommendations, including direct links to view each alert in the Azure Portal.
- Onboard on-prem servers to Security Center from Windows Admin Center (WAC)
Windows Admin Center is a management portal for Windows Servers that are not deployed in Azure, offering them several Azure management capabilities such as backup and system updates. We have recently added the ability to onboard these non-Azure servers to be protected by Security Center directly from the Windows Admin Center experience.
With this new experience users will be able to onboard a WAC server to Azure Security Center and view its security alerts and recommendations directly in the Windows Admin Center experience.
Call to action
If you have not started using Azure Security Center in your Azure subscription, get started today. You can also visit the Azure Security and Security Center web pages to learn more.
If you are an existing Azure Security Center customer, you might consider:
- Starting your Secure Score evaluation
- Protecting your cloud workloads using Security Center's threat protection capabilities
- Becoming an active participant in the community
- Benefiting from newly introduced controls to report, automate and respond to threats and vulnerabilities.
Azure Security Platform Updates
In addition to Azure Security Center updates we have several additional enhancements for the Azure platform security. To empower you to do more, we are continuously enhancing the platform services to improve existing offerings and address your feedback.
Here are some of the exciting updates coming to Azure Platform.
Extension of Customer Lockbox for Microsoft Azure beyond virtual machines
Customer Lockbox provides customers the capability to control Azure support engineers' access to workloads that contain customer data. This expanded support now provides customers control over access to their data for a larger set of Azure offerings.
New services and scenarios, available in preview:
- Azure Storage
- Azure SQL Database
- Azure Data Explorer
- Memory dumps and managed disks for Azure Virtual Machines
- Transferring Azure subscriptions
Please sign up using the link here to enable Customer Lockbox in Public Preview.
Release of Microsoft Secure Code Analysis toolkit to help you build secure code
With the Microsoft Security Code Analysis extension, you can infuse security analysis tools including Credential Scanner, BinSkim, and others into your Azure DevOps continuous integration and delivery (CI/CD) pipelines. Increase developer productivity and simplify security through easily configurable build tasks that abstract away the complexities (installing, updating, maintaining, and running) from analysis tools without relinquishing control over them. The ever-growing supported toolset currently includes:
- Anti-Malware Scanner – Check for viruses and other malware on your build agent.
- BinSkim - Validate compiler settings, linker settings and other security-relevant characteristics of binary files.
- Credential Scanner - Detect secrets, certificates and other sensitive content in your source code and build outputs.
- Microsoft Security Risk Detection - Fuzz testing to identify exploitable security bugs in software.
- Roslyn Analyzers - Compiler-integrated tool for statically analyzing managed C# and Visual Basic code
- TSLint - Check TypeScript & JavaScript code for readability, maintainability, and errors in functionality
The Extension also provides powerful post processing capabilities such as:
- Configuring build breaks on regressions.
- Publishing logs for retention.
- Generating actionable, developer-focused reports.
This product is now available via Unified Support. Customers can sign up using their existing credit or by paying the service fee. To learn more please visit: https://aka.ms/mscadocs
Free Azure Managed Certificates for your domains on Azure
We want to make sure there are no reasons NOT to use TLS for your applications on Azure. Azure now provides TLS certificates at no cost to you for your custom domains hosted on the following services. Azure renews these certificates automatically.
Azure managed certificates are available for the following Azure services today.
- Azure CDN managed certificates – Generally Available
- Azure Front Door managed certificates – Generally Available
- Azure App Services managed certificates (for both Web Apps and Functions) – in Public Preview.
We will expand this to other Azure PaaS services in the future.
Note that this is just one of your options. If you have a need to use certificates from a different certificate authority (CA), then you have the option to configure these Azure services to use a certificate you manage in your key vault.
Azure Disk Encryption in more places, and more services offering customer-managed keys
Azure Disk Encryption enables you to encrypt your Azure Virtual Machine disks with your keys safeguarded in Azure Key Vault. Previously this capability was available through PowerShell and CLI. This is great for automating and scaling out deployments. However, many users want to enable Azure Disk Encryption for just a single machine and want a simple way to do so.
To support this, we have enabled the Azure Disk Encryption UX for IaaS Windows and Linux VMs and integrated it into the Azure portal in all public regions! This UX allows users to turn on disk encryption for their VMs with keys safeguarded in Azure Key Vault with just a few clicks.
To enable, select one of the disks of your VM in the portal, and click Encryption.
Select the key vault, and optionally a key, to use.
This begins the encryption process in the background.
We have also continued to add support for the latest versions of the most common Linux distros on Azure, including Red Hat 7.6 and 7.7 and CentOS 7.6 and 7.7.
Enable encryption on an Azure VM today and see how easy it is!
Try it yourself using Quickstart for Windows or Quickstart for Linux now.
The following services recently announced preview for customer-managed keys for encryption at rest.
- Azure Event Hubs
- Azure Managed Disks
- Power BI
For a full list of services offering encryption with customer-managed keys, see the Azure Data Encryption-at-Rest documentation page.
New Azure policies to manage certificates across your organization, currently in preview
Large organizations have thousands of certificates in key vaults distributed across thousands of applications and subscriptions. If you are responsible for security and compliance across the organization, you need a simple way to set rules across all these certificates, prove that those rules were followed, and flag violations. Azure Policy helps with this. We have added new policies in preview for certificates in Azure Key Vault.
- Issuer Policy: Flag certificates that are (or are not) issued by a particular issuer.
- Key Type Policy: Flag certificates that are (or are not) protected by an RSA or ECC key pair.
- Key Size Policy: Flag certificates that are (or are not) protected by a key of a certain size.
- Expiry Policy: Flag certificates that are (or are not) renewed within “X” number of days of their expiry date.
- Validity Lifespan Policy: Flag certificates that have (or do not have) Validity Lifespan that is less than, or more than, or equal to "X" number of years.
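To show what evaluating the five rule types against certificate metadata looks like, including the "are / are not" toggle each rule carries, here is an added example that runs constructed policies over constructed certificate records. The policy shape, the field names, the scoping of the key-size rule to one key type, and the sample certificates are all assumptions for illustration; they are not the Azure Policy definitions this post describes, and Key Vault's own key type names are used (`RSA`, `EC`).

```python
"""Evaluate key vault certificate metadata against issuer, key type, key size,
expiry and validity-lifespan rules. Added example: the policy shape, field
names and sample data are assumptions, not the Azure Policy definitions."""
from datetime import date
import operator

OPS = {"lt": operator.lt, "gt": operator.gt, "eq": operator.eq}

# Constructed certificate metadata, in the shape an inventory of a key vault might yield.
CERTIFICATES = [
    {"name": "cert-web", "issuer": "Example CA", "key_type": "RSA", "key_size": 2048,
     "not_before": date(2019, 10, 1), "not_after": date(2020, 10, 1), "auto_renew_days_before_expiry": 30},
    {"name": "cert-self-signed", "issuer": "Self", "key_type": "RSA", "key_size": 1024,
     "not_before": date(2019, 1, 1), "not_after": date(2022, 1, 1), "auto_renew_days_before_expiry": None},
    {"name": "cert-api", "issuer": "Example CA", "key_type": "EC", "key_size": 256,
     "not_before": date(2019, 6, 1), "not_after": date(2020, 6, 1), "auto_renew_days_before_expiry": 45},
]

# Constructed policies. Each names a condition; flag_on_match selects the
# "are" (True) or "are not" (False) variant of the rule.
POLICIES = [
    {"name": "issuer-must-be-example-ca", "kind": "issuer", "value": "Example CA", "flag_on_match": False},
    {"name": "keys-must-be-ec", "kind": "key_type", "value": "EC", "flag_on_match": False},
    {"name": "rsa-keys-under-2048", "kind": "key_size", "key_type": "RSA", "op": "lt", "value": 2048,
     "flag_on_match": True},
    {"name": "renew-within-60-days", "kind": "expiry", "value": 60, "flag_on_match": False},
    {"name": "lifespan-over-2-years", "kind": "lifespan", "op": "gt", "value": 2, "flag_on_match": True},
]


def lifespan_years(cert):
    """Validity lifespan rounded to whole years, so a 366-day certificate is a one-year one."""
    return round((cert["not_after"] - cert["not_before"]).days / 365.25)


def condition_matches(cert, policy):
    """True when the certificate satisfies the policy's condition (before the are/are-not toggle)."""
    kind = policy["kind"]
    if kind == "issuer":
        return cert["issuer"] == policy["value"]
    if kind == "key_type":
        return cert["key_type"] == policy["value"]
    if kind == "key_size":
        # Sizes only compare within one key type (EC 256 is not "weaker" than RSA 2048),
        # so this rule is scoped to a key type and other types never match it.
        return cert["key_type"] == policy["key_type"] and OPS[policy["op"]](cert["key_size"], policy["value"])
    if kind == "expiry":
        # "Renewed within X days of expiry": an auto-renew trigger exists and fires at most X days out.
        days = cert["auto_renew_days_before_expiry"]
        return days is not None and days <= policy["value"]
    if kind == "lifespan":
        return OPS[policy["op"]](lifespan_years(cert), policy["value"])
    raise ValueError(f"unknown policy kind {kind!r}")


def evaluate(certs, policies):
    """Return (certificate name, policy name) pairs for every violation."""
    return [(cert["name"], policy["name"])
            for cert in certs
            for policy in policies
            if condition_matches(cert, policy) == policy["flag_on_match"]]


def violations_by_certificate(certs, policies):
    """Group violations per certificate; compliant certificates get an empty list."""
    report = {c["name"]: [] for c in certs}
    for name, policy in evaluate(certs, policies):
        report[name].append(policy)
    return report


if __name__ == "__main__":
    for name, broken in violations_by_certificate(CERTIFICATES, POLICIES).items():
        print(f"{name}: {'compliant' if not broken else ', '.join(broken)}")
```

The self-signed, 1024-bit, three-year certificate with no renewal trigger trips every rule, while cert-api is clean and cert-web fails only the organization's EC-only preference; that separation between "weak" and "merely non-standard" is what makes the per-rule breakdown useful when prioritizing cleanup.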
To set these policies, go to the Azure Policy tab of the portal and add a policy.
You can choose how broadly to apply that policy. For example, you may apply it to an entire management group comprising all subscriptions in your business unit.
Now wait for Azure to evaluate your key vaults against the new policy, and see the results:
For more information see the documentation for Azure Key Vault governance policies.
Azure Key Vault Virtual Machine extension now generally available
Every app that uses certificates from a key vault needs to do some common tasks – authenticate to Azure AD, periodically re-read certificates from the key vault (because they get updated), and handle network errors in communicating with the Key Vault service.
To simplify this, we are announcing the Key Vault VM extension. When you load this extension on your VM, it provides automatic refresh of certificates stored in your key vault directly to the VM, for both Windows and Linux VMs. Specifically, the extension monitors a list of observed certificates stored in key vaults and, upon detecting a change, retrieves and installs the corresponding certificates directly on the VM for your app to consume, allowing you to avoid polling your key vault for the latest certificate.
This extension is now generally available for Windows and Linux.
Learn more
With these additions, Azure continues to provide a secure foundation and gives you built-in security tools and intelligent insights to help you rapidly improve your security posture in the cloud. Azure Security Center strengthens its role as the unified security management and advanced threat protection solution for your hybrid cloud.
For Azure app developers:
- Use the Microsoft Secure Code Analysis toolkit to inspect your code for security issues.
- Enable TLS for your Azure CDN, Front Door, and App Service (web app and function) resources.
- Evaluate the new Azure Virtual Machine extension for Azure Key Vault to simplify how your app uses certificates from Azure Key Vault (for Windows and Linux).
For users responsible for security across their organizations:
- Evaluate Azure Policy, including the new Key Vault policies, to ensure developers across your organization follow the rules you set for security and compliance.
Security can’t wait. Get started with Azure Security Center today and visit Azure Security Center Tech Community, where you can engage with other security-minded users like yourselves.