Step 1 Inventory
- Identify all Azure subscriptions and have point of contact for each
- Organize subscriptions into Azure Management Groups
- The security team has its own subscriptions (at least one dev and one prod)

Step 2 Visibility
- Azure Platform Logs (at minimum the subscription Activity Log) are forwarded to a SIEM
- The security team holds the Security Reader Azure RBAC role, assigned at the root management group so it is inherited by every subscription
- There's a paved path for provisioning new subscriptions that includes the above capabilities (Management Group placement, Platform Logs to the SIEM, Security Reader, etc.)
- One-time security scan of subscriptions to identify tactical remediations

Step 3 Detection
- Azure Security Center (now Microsoft Defender for Cloud) is enabled in all subscriptions; findings are triaged by an on-call team
- Security teams have documentation and training for log-based incident response investigations
- There's periodic / continuous security scanning of environments
- Control plane / resource audit logs (AKS kube-audit, Container Registry, Key Vault, etc.) are routed to the SIEM via diagnostic settings
- Containers / host OS send run-time telemetry to some sort of SIEM
- There's a framework for writing detection engineering alerts, and we have some alerts written
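
As an added example (not part of the original checklist), the Python below shows what a first detection-engineering rule set for Step 3 can look like: three rules run over Azure Activity Log records as exported from the SIEM or from `az monitor activity-log list -o json`, alerting on privileged role assignments, deletion of diagnostic settings (which cuts off the log feed from Step 2), and deletion of Azure Policy assignments. The sample events are constructed; the field shape follows the Activity Log JSON (`operationName.value`, `status.value`, `caller`, `properties.requestbody`), the role GUIDs are Microsoft's published built-in role definition IDs, and the allowlisted provisioner identity is a placeholder you would replace with your paved-path pipeline's identity.

```python
import json

# Built-in Azure RBAC role definition IDs (Microsoft's published GUIDs) that
# grant broad control; a successful assignment of any of them is alert-worthy.
PRIVILEGED_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}

# Identities expected to assign roles, e.g. the paved-path provisioning
# pipeline. Hypothetical placeholder; populate from your own inventory.
ALLOWLISTED_CALLERS = {"subscription-provisioner@contoso.example"}


def _op(event):
    return (event.get("operationName") or {}).get("value", "")


def _succeeded(event):
    return (event.get("status") or {}).get("value") == "Succeeded"


def _request_body(event):
    """Write events carry the ARM request body as a JSON string in
    properties.requestbody; a missing or unparsable body yields {}."""
    raw = (event.get("properties") or {}).get("requestbody")
    try:
        return json.loads(raw) if raw else {}
    except ValueError:
        return {}


def _is_broad_scope(scope):
    """True for '/subscriptions/<id>' or a management-group scope."""
    parts = scope.strip("/").split("/")
    return (len(parts) == 2 and parts[0] == "subscriptions") or (
        len(parts) == 4 and parts[2] == "managementGroups")


def detect_privileged_role_assignment(event):
    if _op(event) != "Microsoft.Authorization/roleAssignments/write":
        return None
    if not _succeeded(event) or event.get("caller") in ALLOWLISTED_CALLERS:
        return None
    props = _request_body(event).get("properties", {})
    role_guid = props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
    role_name = PRIVILEGED_ROLE_IDS.get(role_guid)
    if role_name is None:
        return None
    scope = props.get("scope") or event.get("resourceId", "")
    return {"rule": "privileged_role_assignment",
            # a subscription- or management-group-wide grant is worse than one resource
            "severity": "critical" if _is_broad_scope(scope) else "high",
            "caller": event.get("caller"),
            "detail": f"{role_name} granted to {props.get('principalId')} at {scope}"}


def detect_logging_disabled(event):
    if _op(event) != "Microsoft.Insights/diagnosticSettings/delete" or not _succeeded(event):
        return None
    return {"rule": "diagnostic_settings_deleted", "severity": "high",
            "caller": event.get("caller"),
            "detail": f"diagnostic setting removed: {event.get('resourceId')}"}


def detect_policy_assignment_deleted(event):
    if _op(event) != "Microsoft.Authorization/policyAssignments/delete" or not _succeeded(event):
        return None
    return {"rule": "policy_assignment_deleted", "severity": "medium",
            "caller": event.get("caller"),
            "detail": f"policy assignment removed: {event.get('resourceId')}"}


RULES = (detect_privileged_role_assignment, detect_logging_disabled,
         detect_policy_assignment_deleted)


def run_detections(events):
    """Apply every rule to every event; return alerts in event order."""
    alerts = []
    for event in events:
        for rule in RULES:
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (fake subscription, principals and callers).
SUB = "/subscriptions/00000000-0000-0000-0000-0000000000aa"
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"


def _role_write(caller, role_guid, status, scope=SUB):
    body = {"properties": {"roleDefinitionId": ROLE_DEFS + role_guid,
                           "principalId": "11111111-1111-1111-1111-111111111111",
                           "scope": scope}}
    return {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
            "status": {"value": status}, "caller": caller,
            "resourceId": scope + "/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
            "properties": {"requestbody": json.dumps(body)}}


SAMPLE_EVENTS = [
    _role_write("alice@contoso.example", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "Succeeded"),  # Owner: alert
    _role_write("alice@contoso.example", "acdd72a7-3385-48ef-bd42-f606fba81ae7", "Succeeded"),  # Reader: quiet
    _role_write("bob@contoso.example", "b24988ac-6180-42a0-ab88-20f7382dd24c", "Failed"),       # failed: quiet
    _role_write("subscription-provisioner@contoso.example", "b24988ac-6180-42a0-ab88-20f7382dd24c", "Succeeded"),  # allowlisted
    {"operationName": {"value": "Microsoft.Insights/diagnosticSettings/delete"},
     "status": {"value": "Succeeded"}, "caller": "bob@contoso.example",
     "resourceId": SUB + "/providers/Microsoft.Insights/diagnosticSettings/send-to-siem"},
    {"operationName": {"value": "Microsoft.Authorization/policyAssignments/delete"},
     "status": {"value": "Succeeded"}, "caller": "bob@contoso.example",
     "resourceId": SUB + "/providers/Microsoft.Authorization/policyAssignments/deny-public-ip"},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"}, "caller": "carol@contoso.example",
     "resourceId": SUB + "/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/vm1"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['caller']} - {alert['detail']}")
```

The allowlist is applied only to the role-assignment rule: the paved path legitimately assigns roles, but nothing in normal operation should delete diagnostic settings or policy assignments, so those fire for every caller.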

Step 4 Identity and Access Management
- Go through Azure Identity Management security best practices
- Azure RBAC roles are scoped to jobs-to-be-done & access is periodically reviewed
- Do a one-time audit of RBAC roles in production to look for opportunities to scope down to least privilege
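
Added example for the one-time RBAC audit (not from the original page): it reads the output of `az role assignment list --all -o json` and flags the three things most worth scoping down: privileged built-in roles held at subscription or management-group scope, assignments whose principal no longer exists, and privileged roles granted directly to users instead of to groups. The assignment records below are constructed; treating an empty `principalName` as an orphaned assignment is an assumption about how the CLI renders deleted principals, so confirm it against your tenant before acting on that finding.

```python
import re
from collections import Counter

# Built-in roles that grant broad control over everything beneath a scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Scopes where a privileged role reaches every resource: the tenant root,
# a management group, or a whole subscription. Resource groups do not match.
BROAD_SCOPE = re.compile(
    r"^(/|/subscriptions/[^/]+|/providers/Microsoft\.Management/managementGroups/[^/]+)$")

# Constructed sample in the shape of `az role assignment list --all -o json`,
# trimmed to the fields this audit reads. Fake subscription and identities.
SUB = "/subscriptions/00000000-0000-0000-0000-0000000000aa"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/app-prod"},
    {"principalName": "sec-readers", "principalType": "Group",
     "roleDefinitionName": "Security Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"},
    # Assumption: a deleted principal shows up with an empty name and no type.
    {"principalName": "", "principalType": "",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Key Vault Secrets User",
     "scope": SUB + "/resourceGroups/app-prod/providers/Microsoft.KeyVault/vaults/kv-app-prod"},
]


def audit_assignments(assignments):
    """Return (check, assignment) pairs for every assignment worth a second look."""
    findings = []
    for a in assignments:
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        if role in PRIVILEGED_ROLES and BROAD_SCOPE.match(scope):
            # Candidate for scoping down to a resource group or a narrower role.
            findings.append(("privileged_role_at_broad_scope", a))
        if not a.get("principalName"):
            # Nobody can use it, but it will be inherited by a recreated object
            # with the same ID and clutters access reviews: remove it.
            findings.append(("orphaned_assignment", a))
        if a.get("principalType") == "User" and role in PRIVILEGED_ROLES:
            # Grant privileged roles to groups (ideally via PIM) so periodic
            # access review has one membership list to check.
            findings.append(("privileged_role_direct_to_user", a))
    return findings


def summarize(findings):
    """Count findings per check, for the audit report."""
    return Counter(check for check, _ in findings)


if __name__ == "__main__":
    results = audit_assignments(SAMPLE_ASSIGNMENTS)
    for check, a in results:
        print(f"{check}: {a['roleDefinitionName']} -> {a['principalName'] or '<missing>'} @ {a['scope']}")
    print(dict(summarize(results)))
```

Run it against the real export to get a worklist; the `privileged_role_at_broad_scope` items are the ones to convert into job-scoped roles at resource-group scope.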

Step 5 Reduce Attack Surface and Mitigate Compromises
- Secrets access is scoped and auditable (strongly recommend Azure Key Vault)
- Resources that don't need public IP addresses should not have them (even if they sit behind firewalls or NSGs): application servers, data stores, etc.
- Use Azure Policy to enforce organizational security policies
- Harden build environment: ephemeral instances, restrict network egress, sign build artifacts, verify signatures before deploy

Step 6 Reproducibility and Ownership
- Use Infrastructure as Code
- Create hardened base images and drive adoption
- Consider using Azure resource tags (e.g. an owner tag, enforced with Azure Policy) to aid ownership tracking

Step 7 Enhanced Detection and Least Privilege
- Build out detection engineering alerts further
- Implement automatic remediation for common incidents
- Systematize developing least privilege RBAC policies

Step 8 Secure Network Communications
- Move everything you can to private networks
- Segment network for services that don't need to talk to each other
- Restrict egress network traffic
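
Added example covering both Step 5 (no public exposure for resources that don't need it) and Step 8 (segment and restrict egress); it is not from the original page. It audits `az network nsg list -o json` output and reports inbound rules that open management ports, or every port, to the internet, plus NSGs with no outbound rule denying Internet, where Azure's default AllowInternetOutBound rule still applies. The NSGs are constructed, the helper that builds them is mine, and the egress check is deliberately coarse: it looks for a blanket deny and does not compute effective rules or weigh priorities.

```python
# Source/destination prefixes that mean "the whole internet" in an NSG rule.
INTERNET = {"*", "Internet", "0.0.0.0/0"}
# Management ports that should never be reachable from the internet.
MGMT_PORTS = (22, 3389)
ALL_PORTS = (0, 65535)


def _prefixes(rule, field):
    """Address prefixes for 'source' or 'destination'. az emits either the
    singular field or the plural list (the other is null/empty)."""
    return set(rule.get(f"{field}AddressPrefixes") or [rule.get(f"{field}AddressPrefix") or "*"])


def _port_ranges(rule):
    """Parse destinationPortRange(s) such as '*', '22', '5985-5986' into (lo, hi)."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]
    parsed = []
    for r in ranges:
        if r == "*":
            parsed.append(ALL_PORTS)
        elif "-" in r:
            lo, hi = r.split("-", 1)
            parsed.append((int(lo), int(hi)))
        else:
            parsed.append((int(r), int(r)))
    return parsed


def exposed_inbound_rules(nsg):
    """Inbound Allow rules opening a management port (or all ports) to the internet."""
    findings = []
    for rule in nsg.get("securityRules", []):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not _prefixes(rule, "source") & INTERNET:
            continue
        ranges = _port_ranges(rule)
        if ALL_PORTS in ranges:
            findings.append((nsg["name"], rule["name"], "all ports"))
            continue
        hit = [p for p in MGMT_PORTS if any(lo <= p <= hi for lo, hi in ranges)]
        if hit:
            findings.append((nsg["name"], rule["name"], hit))
    return findings


def egress_unrestricted(nsg):
    """True when no custom Outbound Deny rule covers Internet on all ports, so
    the platform default AllowInternetOutBound (priority 65001) still applies."""
    for rule in nsg.get("securityRules", []):
        if (rule.get("direction") == "Outbound" and rule.get("access") == "Deny"
                and _prefixes(rule, "destination") & INTERNET
                and ALL_PORTS in _port_ranges(rule)):
            return False
    return True


def audit_nsgs(nsgs):
    return {
        "exposed": [f for nsg in nsgs for f in exposed_inbound_rules(nsg)],
        "unrestricted_egress": [nsg["name"] for nsg in nsgs if egress_unrestricted(nsg)],
    }


def _rule(name, direction, access, src, dst, ports):
    """Build a constructed rule in the shape of `az network nsg list` output."""
    single = isinstance(ports, str)
    return {"name": name, "direction": direction, "access": access, "protocol": "Tcp",
            "sourceAddressPrefix": src, "sourceAddressPrefixes": [],
            "destinationAddressPrefix": dst, "destinationAddressPrefixes": [],
            "destinationPortRange": ports if single else None,
            "destinationPortRanges": [] if single else ports}


# Constructed sample: a web tier with SSH open to the world but egress denied,
# and a database tier with RDP open to the world and no egress restriction.
SAMPLE_NSGS = [
    {"name": "nsg-web", "securityRules": [
        _rule("AllowHTTPSInbound", "Inbound", "Allow", "Internet", "*", "443"),
        _rule("AllowSSHFromAnywhere", "Inbound", "Allow", "*", "*", "22"),
        _rule("AllowVnetOutbound", "Outbound", "Allow", "*", "VirtualNetwork", "*"),
        _rule("DenyInternetOutbound", "Outbound", "Deny", "*", "Internet", "*"),
    ]},
    {"name": "nsg-db", "securityRules": [
        _rule("AllowAppToSQL", "Inbound", "Allow", "10.1.0.0/24", "*", "1433"),
        _rule("AllowRDPMgmt", "Inbound", "Allow", "0.0.0.0/0", "*", ["3389", "5985-5986"]),
    ]},
]

if __name__ == "__main__":
    print(audit_nsgs(SAMPLE_NSGS))
```

HTTPS from Internet on the web tier is intentionally not reported: the point of the check is management ports and blanket allows, not every internet-facing service. For a production audit, pair it with a Resource Graph query for NICs that carry a public IP, since an NSG only matters once the address is reachable.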

Step 9 Advanced Incident Response
- Practice responding to incident scenarios (like compromised user accounts)
- Develop forensics for traditional VM workloads as well as orchestrated and container workloads