Azure Security Roadmap


This page is a summary of the Azure Security Roadmap: nine steps, each with concrete checkpoints, for taking an Azure estate from basic inventory through to mature detection and incident response.

Step 1 Inventory
  • Identify all Azure subscriptions (across every Azure AD tenant the organization owns) and have a named point of contact for each
  • Organize subscriptions into Azure Management Groups, so that policy, RBAC and logging settings can be applied once at the top and inherited by every subscription
  • The security team has its own subscriptions (at least dev and prod)
Step 2 Visibility
  • Azure platform logs (the Activity Log plus resource diagnostic logs) are forwarded to a SIEM
  • The security team holds the built-in Security Reader Azure RBAC role, assigned at the management group scope so it inherits to every subscription
  • There is a paved path for provisioning new subscriptions that includes the above capabilities (management group placement, platform log forwarding, Security Reader assignment, etc.)
  • One-time security scan of all subscriptions to identify tactical remediations
Step 3 Detection
  • Azure Security Center (now Microsoft Defender for Cloud) is enabled in all subscriptions; findings are triaged by an on-call team
  • Security teams have documentation and training for log-based incident response investigations
  • There is periodic or continuous security scanning of environments
  • Control-plane audit logs (AKS API server audit logs, Container Registry, etc.) are forwarded to the SIEM
  • Containers and host OSes send runtime telemetry to the SIEM
  • There is a framework for writing detection engineering alerts, and an initial set of alerts has been written
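What a "framework for writing detection engineering alerts" can look like at its smallest, as an added example that is not code from the roadmap: each alert is a function over one Activity Log record, registered with a name and severity, and a runner applies every rule to every event. The three rules cover control-plane changes worth paging on in any Azure estate (a privileged role granted at subscription or management-group scope, an NSG rule opened to the Internet, and diagnostic settings deleted). Field names follow the Activity Log schema as a SIEM receives it (operationName, resultType, caller, resourceId, properties.requestbody); the subscription ID, callers, principal IDs and rule names are invented, and the sample events are constructed.

```python
"""Minimal detection-engineering harness over Azure Activity Log records.
Added example, not from the roadmap. Sample events are CONSTRUCTED to resemble
Activity Log records as a SIEM receives them; IDs, principals and callers are made up."""
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Built-in role definition GUIDs are identical in every tenant.
PRIVILEGED_ROLES = {"8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
                    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator"}
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "any"}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # made-up subscription

@dataclass
class Rule:
    name: str
    severity: str
    match: Callable[[dict], Optional[str]]  # returns a reason string on a hit, else None

def succeeded(event: dict, operation: str) -> bool:
    """The Activity Log emits Started/Succeeded/Failed records; alert only on Succeeded."""
    return event.get("operationName", "").lower() == operation.lower() and event.get("resultType") == "Succeeded"

def request_body(event: dict) -> dict:
    """properties.requestbody is a JSON *string* inside the record; parse defensively."""
    raw = event.get("properties", {}).get("requestbody", "")
    try:
        return json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        return {}

def is_broad_scope(scope: str) -> bool:
    """Management-group or subscription scope, i.e. no resourceGroups segment."""
    s = scope.lower()
    return s.startswith("/providers/microsoft.management/managementgroups/") or (
        s.startswith("/subscriptions/") and "/resourcegroups/" not in s)

def privileged_role_assignment(event: dict) -> Optional[str]:
    if not succeeded(event, "Microsoft.Authorization/roleAssignments/write"):
        return None
    props = request_body(event).get("Properties", {})
    role_guid = props.get("RoleDefinitionId", "").rsplit("/", 1)[-1].lower()
    scope = props.get("Scope", "")
    if role_guid in PRIVILEGED_ROLES and is_broad_scope(scope):
        return f"{PRIVILEGED_ROLES[role_guid]} granted to {props.get('PrincipalId')} at {scope}"
    return None

def nsg_rule_open_to_internet(event: dict) -> Optional[str]:
    if not succeeded(event, "Microsoft.Network/networkSecurityGroups/securityRules/write"):
        return None
    p = request_body(event).get("properties", {})
    if (p.get("direction") == "Inbound" and p.get("access") == "Allow"
            and str(p.get("sourceAddressPrefix", "")).lower() in ANY_SOURCE):
        return f"inbound allow from any source to port {p.get('destinationPortRange')} ({event.get('resourceId')})"
    return None

def diagnostic_settings_deleted(event: dict) -> Optional[str]:
    if succeeded(event, "Microsoft.Insights/diagnosticSettings/delete"):
        return f"log forwarding removed: {event.get('resourceId')}"
    return None

RULES = [Rule("Privileged role assigned at subscription/MG scope", "high", privileged_role_assignment),
         Rule("NSG rule allows inbound from the Internet", "medium", nsg_rule_open_to_internet),
         Rule("Diagnostic settings deleted", "high", diagnostic_settings_deleted)]

def run_detections(events: list) -> list:
    """Run every rule over every event; one alert per (rule, event) hit, in input order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            reason = rule.match(ev)
            if reason:
                alerts.append({"rule": rule.name, "severity": rule.severity,
                               "caller": ev.get("caller"), "reason": reason})
    return alerts

# --- constructed sample input (shape of real records, made-up values) ---------
def _event(op, result, caller, resource_id, body=None):
    return {"operationName": op, "resultType": result, "caller": caller, "resourceId": resource_id,
            "properties": {"requestbody": json.dumps(body)} if body else {}}

def _assignment(role_guid, scope):
    return {"Properties": {"RoleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}",
                           "PrincipalId": "00000000-0000-0000-0000-00000000beef", "Scope": scope}}

RA = "Microsoft.Authorization/roleAssignments/write"
NSG = "Microsoft.Network/networkSecurityGroups/securityRules/write"
NSG_ID = f"{SUB}/resourceGroups/app-rg/providers/Microsoft.Network/networkSecurityGroups/app-nsg/securityRules/"
SAMPLE_EVENTS = [
    _event(RA, "Succeeded", "alice@example.com", SUB, _assignment("8e3af657-a8ff-443c-a75c-2fe8c4bcb635", SUB)),  # Owner at sub: alert
    _event(RA, "Started", "alice@example.com", SUB, _assignment("8e3af657-a8ff-443c-a75c-2fe8c4bcb635", SUB)),    # not applied yet: no alert
    _event(RA, "Succeeded", "bob@example.com", SUB, _assignment(READER, f"{SUB}/resourceGroups/app-rg")),          # Reader on an RG: no alert
    _event(NSG, "Succeeded", "carol@example.com", NSG_ID + "rdp", {"properties": {"direction": "Inbound", "access": "Allow",
           "sourceAddressPrefix": "*", "destinationPortRange": "3389"}}),                                           # RDP from anywhere: alert
    _event(NSG, "Succeeded", "carol@example.com", NSG_ID + "internal", {"properties": {"direction": "Inbound", "access": "Allow",
           "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "443"}}),                                   # internal only: no alert
    _event("Microsoft.Insights/diagnosticSettings/delete", "Succeeded", "svc-deploy",
           f"{SUB}/providers/Microsoft.Insights/diagnosticSettings/send-to-siem"),                                   # defense evasion: alert
]
```

Two details are easy to get wrong in production rules: the Activity Log writes a Started record before the Succeeded one for the same operation, so matching on operationName alone double-fires and alerts on attempts that were denied; and the request body is a JSON string nested inside the record, so it must be parsed (and a malformed body must not crash the pipeline). Running `run_detections(SAMPLE_EVENTS)` yields exactly three alerts, one per rule.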
Step 4 Identity and Access Management
  • Work through the Azure identity management security best practices (enforce MFA, minimize standing privileged roles, use Conditional Access)
  • Azure RBAC roles are scoped to jobs-to-be-done and access is periodically reviewed (Azure AD access reviews)
  • Do a one-time audit of RBAC role assignments in production to find opportunities to scope down to least privilege
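A starting point for the one-time RBAC audit, added here as an example rather than the roadmap's own tooling: it consumes the shape returned by `az role assignment list --all -o json` (roleDefinitionName, principalType, principalName, scope) and flags the three patterns that most often turn out to be over-privileged in practice: Owner/Contributor/User Access Administrator at subscription or management-group scope, privileged roles assigned directly to a user rather than a group, and a service principal holding Owner. The sample assignments are constructed; the principal names, IDs and finding labels are invented.

```python
"""One-time least-privilege audit of Azure RBAC role assignments.
Added example, not from the roadmap. Input has the shape of
`az role assignment list --all -o json` (roleDefinitionName, principalType,
principalName, scope); the assignments below are CONSTRUCTED."""
from collections import Counter

PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}

def is_broad_scope(scope: str) -> bool:
    """Management-group or subscription scope, i.e. no resourceGroups segment."""
    s = scope.lower()
    return s.startswith("/providers/microsoft.management/managementgroups/") or (
        s.startswith("/subscriptions/") and "/resourcegroups/" not in s)

def audit(assignments: list) -> list:
    """One finding per assignment that warrants a scope-down conversation with its owner."""
    findings = []
    for a in assignments:
        role, ptype, scope = a["roleDefinitionName"], a["principalType"], a["scope"]
        who = f"{ptype}:{a.get('principalName', a.get('principalId', '?'))}"
        if role in PRIVILEGED and is_broad_scope(scope):
            findings.append({"kind": "privileged-at-broad-scope", "who": who, "role": role, "scope": scope})
        if role in PRIVILEGED and ptype == "User":
            # Direct-to-user grants sidestep group-based reviews; prefer a group (ideally PIM-eligible).
            findings.append({"kind": "privileged-direct-to-user", "who": who, "role": role, "scope": scope})
        if role == "Owner" and ptype == "ServicePrincipal":
            # Owner lets a workload identity grant itself anything; a deploy pipeline rarely needs it.
            findings.append({"kind": "service-principal-owner", "who": who, "role": role, "scope": scope})
    return findings

def summarize(findings: list) -> dict:
    """Counts per finding kind, handy for tracking the audit burn-down over time."""
    return dict(Counter(f["kind"] for f in findings))

# Constructed sample export; subscription, management group and names are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
MG = "/providers/Microsoft.Management/managementGroups/prod"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Owner", "principalType": "User", "principalName": "alice@example.com", "scope": SUB},
    {"roleDefinitionName": "Contributor", "principalType": "Group", "principalName": "app-devs", "scope": SUB + "/resourceGroups/app-rg"},
    {"roleDefinitionName": "Owner", "principalType": "ServicePrincipal", "principalName": "ci-deployer", "scope": SUB + "/resourceGroups/app-rg"},
    {"roleDefinitionName": "Reader", "principalType": "Group", "principalName": "security-readers", "scope": MG},
    {"roleDefinitionName": "Contributor", "principalType": "Group", "principalName": "platform-admins", "scope": MG},
]

if __name__ == "__main__":
    # Real usage: az role assignment list --all -o json | python rbac_audit.py
    import json, sys
    found = audit(json.load(sys.stdin))
    print(json.dumps({"summary": summarize(found), "findings": found}, indent=2))
```

On the sample data the audit returns four findings: alice's Owner grant at subscription scope counts twice (broad scope and direct-to-user), the ci-deployer service principal's Owner once, and the platform-admins group's Contributor at the management group once; the Reader group and the resource-group-scoped Contributor are left alone. Each finding is a conversation starter with the resource owner, not an automatic removal.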
Step 5 Reduce Attack Surface and Mitigate Compromises
  • Secrets access is scoped and auditable (Azure Key Vault is strongly recommended, with its audit logs forwarded to the SIEM)
  • Resources that don't need public IP addresses should not have them (even if they have firewalls in place): application servers, data stores, etc.
  • Use Azure Policy to enforce organizational security policies (Audit or Deny effects, assigned at the management group scope so new subscriptions inherit them)
  • Harden the build environment: ephemeral build agents, restricted network egress, signed build artifacts, and signature verification before deploy
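The "no public IPs" and "use Azure Policy" bullets come together in one policy definition. The one below is an added example, not the roadmap's own artifact: it mirrors the logic of the built-in "Network interfaces should not have public IPs" policy, while the displayName, description and parameter layout are ours. It is written as the full definition body accepted by the Azure Policy REST/ARM API (`Microsoft.Authorization/policyDefinitions`); with `az policy definition create` the `policyRule` and `parameters` objects are passed separately via `--rules` and `--params`.

```json
{
  "properties": {
    "displayName": "Network interfaces must not have a public IP address",
    "description": "Denies (or audits) any NIC whose ipConfigurations reference a publicIpAddress. Assign at the management group so every subscription inherits it.",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Deny",
        "metadata": { "displayName": "Effect", "description": "Audit first to measure, then Deny." }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkInterfaces" },
          {
            "not": {
              "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
              "notLike": "*"
            }
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

The double negative is how Azure Policy expresses "at least one ipConfiguration has a publicIpAddress": `notLike "*"` over an `[*]` array alias is true only when every element lacks a value, so wrapping it in `not` matches any NIC with a public IP attached. Roll it out with `effect=Audit` at the management group, review the compliance results, then switch the assignment to `Deny`; the handful of hosts that legitimately need a public address (a bastion or jump host) get a policy exemption rather than a blanket `Disabled`. The rule governs NICs only: public IP resources fronting load balancers, Application Gateway or Azure Bastion are unaffected, which is usually the desired split between application servers and data stores on one side and managed edge services on the other.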
Step 6 Reproducibility and Ownership
  • Use infrastructure as code (ARM templates, Bicep or Terraform) so every resource has a reviewable definition
  • Create hardened base images (VM and container images) and drive adoption
  • Consider using Azure resource tagging (e.g., owner and team tags, which Azure Policy can require) to aid ownership tracking
Step 7 Enhanced Detection and Least Privilege
  • Build out detection engineering alerts further
  • Implement automated remediation for common incidents
  • Systematize the development of least-privilege RBAC role assignments
Step 8 Secure Network Communications
  • Move everything you can onto private networks (VNet-integrated services, Private Endpoints for PaaS)
  • Segment the network (separate VNets or subnets with NSGs) for services that don't need to talk to each other
  • Restrict egress network traffic (e.g., Azure Firewall with an explicit allow-list)
Step 9 Advanced Incident Response
  • Practice responding to incident scenarios (such as a compromised user account or service principal)
  • Develop forensics procedures for traditional VM workloads as well as orchestrated and container workloads