Welcome back to the Security Controls in Microsoft Defender for Cloud blog series! This time we are here to talk about the security control: Implement security best practices.
Keeping your resources safe is a joint effort between your cloud provider, Azure, and you, the customer. You have to make sure your workloads are secure as you move to the cloud, and at the same time, when you move to IaaS (infrastructure as a service) there is more customer responsibility than there was in PaaS (platform as a service), and SaaS (software as a service). Microsoft Defender for Cloud provides you the tools needed to harden your network, secure your services and make sure you're on top of your security posture.
“Implement security best practices” is the largest control and includes more than 50 recommendations covering resources in Azure, AWS, GCP and on-premises. This list is updated constantly as our teams add new resource types and discover new attack techniques, vulnerabilities, and risky misconfigurations.
As of this writing (April 2021) this control does not affect your Secure Score, but this does not mean that you want to ignore or shelve these recommendations.
Just a reminder, recommendations flagged as “Preview” are not included in the calculation of your Secure Score. However, they should still be remediated wherever possible, so that when the preview period ends, they will contribute towards your score.
Defender for Cloud provides a comprehensive description, manual remediation steps, additional helpful information, and a list of affected resources for all recommendations.
Some of the recommendations might have a “Quick Fix!” option that allows you to quickly remediate the issue. In such cases we also provide a “View remediation logic” option so that you can review what happens behind the scenes when you click the “Remediate” button, for instance:
In addition, you may use the remediation scripts for your own automations/templates to avoid similar issues in the future. You can also find some remediation scripts in our GitHub Repository.
Let’s now review the most common recommendations from this security control that can be grouped into the following categories:
Category #1: App Services recommendations.
Keep your software up to date.
Keeping software up to date is one of the top security practices you need to implement to make sure your systems are not vulnerable to known threats. Operating systems and applications that are out of date or not patched regularly put you at risk because they carry known vulnerabilities, many of which can be easily detected and exploited by threat actors.
Periodically, newer versions of software are released, either to fix security flaws or to add functionality. Using the latest version of PHP/Java/Python/.NET/Node/Ruby for your web, function and API apps is recommended so that you benefit from any security fixes and from the new functionality of the latest version.
The following recommendations are part of this sub-category:
The manual remediation steps for these recommendations are:
Implement Azure App Service best practices.
The following recommendations are part of this sub-category:
The manual remediation steps for these recommendations are:
Learn more about best practices for securing Azure App Services here.
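As an added example of the “remediation scripts for your own automations” idea described earlier, applied to the App Service checks in this category: the script below is not from the original post or from the Defender for Cloud team. It audits a single App Service site description (a constructed sample shaped like the output of `az webapp show`) against the “keep your software up to date” and “App Service best practices” checks and prints the Azure CLI command that would remediate each failure. The recommendation wording and the “latest” runtime versions are assumptions for illustration; take the exact versions from the recommendation text in the portal.

```python
"""Audit an App Service site against the App Service best-practice checks above and
emit an Azure CLI remediation for each failed check (added example, constructed input)."""
import json

# Constructed sample mirroring the shape of `az webapp show -n <app> -g <rg>` (not a real app).
SAMPLE_SITE = json.loads("""{
  "name": "contoso-web", "resourceGroup": "rg-web",
  "httpsOnly": false, "identity": null,
  "siteConfig": {"minTlsVersion": "1.0", "ftpsState": "AllAllowed",
                 "remoteDebuggingEnabled": true, "linuxFxVersion": "PHP|7.3"}
}""")

# Assumed "latest" runtime versions for this illustration; the real recommendation
# decides what counts as latest, so keep this table in sync with the portal text.
LATEST_RUNTIME = {"PHP": "8.0", "PYTHON": "3.9", "NODE": "14-lts", "DOTNETCORE": "5.0"}

def audit_site(site):
    """Return a list of (failed recommendation, az remediation command) tuples."""
    base = f"--resource-group {site['resourceGroup']} --name {site['name']}"
    cfg = site.get("siteConfig") or {}
    findings = []
    if not site.get("httpsOnly"):                      # HTTP traffic must be redirected to HTTPS
        findings.append(("Web app should only be accessible over HTTPS",
                         f"az webapp update {base} --set httpsOnly=true"))
    if cfg.get("minTlsVersion") not in ("1.2", "1.3"):  # TLS 1.0/1.1 are deprecated
        findings.append(("TLS should be updated to the latest version",
                         f"az webapp config set {base} --min-tls-version 1.2"))
    if cfg.get("ftpsState") not in ("FtpsOnly", "Disabled"):  # plain FTP leaks credentials
        findings.append(("FTPS should be required (or FTP disabled)",
                         f"az webapp config set {base} --ftps-state Disabled"))
    if cfg.get("remoteDebuggingEnabled"):               # debugger port must not stay open
        findings.append(("Remote debugging should be turned off",
                         f"az webapp config set {base} --remote-debugging-enabled false"))
    if not site.get("identity"):                        # prefer managed identity over stored secrets
        findings.append(("Managed identity should be used",
                         f"az webapp identity assign {base}"))
    fx = cfg.get("linuxFxVersion") or ""                # e.g. "PHP|7.3" -> stack "PHP", version "7.3"
    if "|" in fx:
        stack, version = fx.split("|", 1)
        latest = LATEST_RUNTIME.get(stack.upper())
        if latest and version != latest:
            findings.append((f"{stack} should be updated to the latest version ({latest})",
                             f'az webapp config set {base} --linux-fx-version "{stack}|{latest}"'))
    return findings

if __name__ == "__main__":
    for rec, fix in audit_site(SAMPLE_SITE):
        print(f"[FAIL] {rec}\n       remediate: {fix}")
```

Feed it the JSON of each app from `az webapp list` to turn the check into an inventory-wide report, and review each printed command before running it.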
Category #2: Identity and access recommendations.
Secure your Azure Key Vaults.
You use Azure Key Vault to protect encryption keys and secrets like certificates, connection strings, and passwords in the cloud. When storing sensitive and business critical data, you need to take steps to maximize the security of your vaults and the data stored in them.
The following recommendations are part of this sub-category:
Learn more about Azure Key Vault security here.
Protect your Azure Subscriptions.
To reduce the potential for breaches by compromised owner accounts, it is recommended to limit the number of owner accounts to as few as necessary and require two-step verification for all users.
The following recommendations are part of this sub-category:
Configure notification settings.
To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Defender for Cloud.
The following recommendations are part of this sub-category:
The manual remediation steps for these recommendations are:
Learn more about Azure Identity Management and Access Control security best practices here.
Category #3: Compute recommendations.
In most infrastructure as a service (IaaS) scenarios, Azure virtual machines (VMs) are the main workload for organizations that use cloud computing. This fact is evident in hybrid scenarios where organizations want to slowly migrate workloads to the cloud. In such scenarios, follow the general security considerations for IaaS, and apply security best practices to all your VMs.
The following recommendations are part of this category:
Defender for Cloud provides a description, manual remediation steps and additional information for every recommendation in this category, e.g.:
Auto provisioning reduces management overhead by installing all required agents and extensions on existing - and new - machines to ensure faster security coverage for all supported resources. We recommend enabling auto provisioning, but it's disabled by default.
Learn more about securing IaaS workloads in Azure here.
Category #4: Data recommendations.
To help protect data in the cloud, you need to account for the possible states in which your data can occur, and what controls are available for that state. Best practices for Azure data security and encryption relate to the following data states:
The following recommendations are part of this category:
Defender for Cloud provides a description, manual remediation steps and additional information for every recommendation in this category, e.g.:
Learn more about:
Category #5: IoT recommendations.
Securing an Internet of Things (IoT) infrastructure requires a rigorous security-in-depth strategy. This strategy requires you to secure data in the cloud, protect data integrity while in transit over the public internet, and securely provision devices. Each layer builds greater security assurance in the overall infrastructure.
The following recommendations are part of this category:
Learn more about securing an Internet of Things (IoT) infrastructure here.
Category #6: Networking recommendations.
Network security could be defined as the process of protecting resources from unauthorized access or attack by applying controls to network traffic. The goal is to ensure that only legitimate traffic is allowed. Azure includes a robust networking infrastructure to support your application and service connectivity requirements. Network connectivity is possible between resources located in Azure, between on-premises and Azure hosted resources, and to and from the internet and Azure.
The following recommendations are part of this category:
Defender for Cloud provides a description, manual remediation steps and additional information for every recommendation in this category, e.g.:
Learn more about Azure best practices for network security here.
Category #7: AWS and GCP recommendations.
Defender for Cloud protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
Onboarding your AWS and/or GCP accounts into Defender for Cloud integrates AWS Security Hub or GCP Security Command Center with Defender for Cloud. Defender for Cloud thus provides visibility and protection across these cloud environments:
Defender for Cloud provides a description, manual remediation steps and additional information for every recommendation, e.g.:
Note: Microsoft is actively partnering with other cloud providers to expand Defender for Cloud coverage and provide its customers with comprehensive visibility across, and protection for, their multi-cloud environments. The list of supported providers and the security insights Defender for Cloud pulls from those clouds continue to grow, so expect the number of recommendations in this category to increase as we progress.
It is worth mentioning that some recommendations might have a “Deny” or “Enforce” option that allows you to prevent the creation of potentially insecure or non-compliant resources, for instance:
P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Defender for Cloud news, announcements and get your questions answered by Azure Security experts.