Securing Microsoft Azure with Policy and Governance

rootsecdev
4 min readFeb 7, 2020

I could write tons of hardening guidance for Azure, but everyone's workloads are very different and it would be tough to predict everyone's scenario for security compliance.

Instead, this is the route that I've taken to ensure security compliance in my tenants. Just keep reading. The first part covers extremely generic approaches; I'll get into the more interesting deep dives in a bit.

The holistic and generic approach

Utilize Azure Secure Score in Security Center

Utilize Microsoft Office 365 Secure Score

For this post I am going to focus more on Azure Policy. You can do all your security governance through policy. The best part is that it's free, and in the long run it can prevent insecure configuration mistakes in Azure.

Part of what I do before getting started with policy is to create a centralized management group. This is very helpful, especially if you want to start organizing RBAC roles for your resources across all your subscriptions from a central location.

To start focusing on specifics, launch Policy in Azure.

When you are inside Policy, click on Assignments on the left-hand side.

Once you are in the Assignments section, select Assign initiative.

From here you can select which subscription you want to assign the policy initiative to. Since this is my Visual Studio subscription, that is all that is available to me. I highly suggest you create management groups so you can spread a policy initiative across multiple subscriptions. I generally do not exclude resources from a policy initiative, but you can easily do so.

What we will be focusing on is initiative definitions. One of the cool parts of initiative definitions is the pre-built definitions for compliance. So I can assign definitions like DoD Impact Level 4, NIST SP 800-53, FedRAMP, and CIS controls. For this particular exercise I am going to focus on CIS controls. Examples of how to find these pre-built definitions are below.

So I am going to select the CIS Microsoft Azure Foundations Benchmark 1.1.0. If you have multiple regions where Network Watcher is running, you will have to select them from the drop-down list. For the rest, take the defaults.

The CIS Azure Foundations Benchmark monitors 84 different policies within Azure. That is a decent amount of out-of-the-box auditing for regulatory compliance.

Once your initiative has finished scanning your environment, you can go to the Overview section, click on the regulatory compliance initiative that you have deployed, and start remediating non-compliant policies and resources.
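The same steps (central management group, assign the CIS initiative, check what is non-compliant) can be scripted with the Az PowerShell modules. This is an added example, not code from the original post; the management group name, subscription placeholder, assignment name, region list, display-name pattern and the Network Watcher parameter name are assumptions to verify against your tenant.

```powershell
# Added example (not from the original post). Requires Az.Resources and Az.PolicyInsights
# and an authenticated session (Connect-AzAccount). All names below are assumed placeholders.
$mgName     = 'sec-governance-mg'            # assumed management group name
$subId      = '<your-subscription-id>'       # placeholder, replace with your subscription id
$assignName = 'cis-azure-foundations-1-1-0'  # assumed assignment name
$regions    = @('eastus', 'westus')          # assumed regions where Network Watcher runs

# 1. Central management group so one assignment (and RBAC) covers every subscription under it.
$mg = Get-AzManagementGroup -GroupName $mgName -ErrorAction SilentlyContinue
if (-not $mg) {
    $mg = New-AzManagementGroup -GroupName $mgName -DisplayName 'Security Governance'
}
New-AzManagementGroupSubscription -GroupName $mgName -SubscriptionId $subId

# 2. Find the built-in CIS initiative by display name. The pattern is an assumption and the
#    property path differs between Az module versions, so both shapes are checked.
$pattern = 'CIS Microsoft Azure Foundations Benchmark*1.1.0*'
$cis = Get-AzPolicySetDefinition -Builtin |
    Where-Object { ($_.Properties.DisplayName -like $pattern) -or ($_.DisplayName -like $pattern) } |
    Select-Object -First 1
if (-not $cis) { throw 'CIS 1.1.0 initiative not found; adjust the display-name pattern.' }

# List the initiative's parameter names so the key used in step 3 can be confirmed first.
$cis.Properties.Parameters.PSObject.Properties.Name

# 3. Assign at management-group scope. The Network Watcher region parameter name is an
#    assumption; replace it with the matching name printed above if it differs.
$params = @{ listOfRegionsWhereNetworkWatcherShouldBeEnabled = $regions }
New-AzPolicyAssignment -Name $assignName -DisplayName 'CIS Azure Foundations 1.1.0' `
    -Scope $mg.Id -PolicySetDefinition $cis -PolicyParameterObject $params

# 4. Kick off an evaluation for the current subscription context (the first automatic scan
#    can take a while), then list non-compliant resources for this assignment across the group.
Start-AzPolicyComplianceScan -AsJob | Wait-Job | Out-Null
Get-AzPolicyState -ManagementGroupName $mgName `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq '$assignName'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState |
    Sort-Object PolicyDefinitionName | Format-Table -AutoSize
```

The final table is the scripted equivalent of the non-compliant list on the compliance overview page, grouped by the CIS policy that flagged each resource.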

You can also do a subset of security compliance in Azure Blueprints and build your own custom artifacts. Use Blueprints if you need to build custom regulatory compliance. An overview of Blueprints is in the links below, along with the CIS control mappings that are available if you need to snap CIS artifacts into a brand new blueprint.
