How safe is my data and how secure are my applications in the cloud?
This is one of the first questions many organizations ask when they first start investigating migrating data, applications and workloads to public cloud infrastructure. Securing data and applications in an environment where you do not have direct control over the infrastructure is often a barrier to entry for organizations that want to adopt cloud and take advantage of the key business benefits it can offer.
Microsoft launched Azure Security Center in July of 2016 to allay some of these fears. There is a Free subscription that offers:
- Security policy, assessment, and recommendations
- Connected partner solutions – third party security products from Microsoft partners such as network and web application firewalls
- Basic security alerting
There is also a Standard subscription that offers all the features of the Free subscription as well as Advanced Threat Detection which includes:
- Threat Intelligence
- Behavioral analysis
- Crash analysis
- Anomaly detection
This Azure service provides an overview of the security state of Virtual Machines, Virtual Networks, SQL Databases and Applications for a specific subscription. The Azure Security Center overview page provides an excellent synopsis of this service. In this post, I will provide a real-world overview of this service and walk-through of the ‘Quickstart’ wizard provided by Microsoft.
Azure Security Center – Overview
The image below is the Security Center Overview blade. This is presented when you click on the Security Center icon on the Azure Portal. This example is from a subscription where I have provisioned virtual machines, a virtual network, a few databases as well as a few applications.
The graphical report clearly indicates I have services with some serious security issues.
To quickly ascertain what those issues are, I can click on the ‘Recommendations’ graph, which then opens a list of security recommendations in an adjacent blade, as you can see in the image below.
As you can see, in two clicks I can rapidly ascertain that I should look at adding a web application firewall, enabling network security groups on the subnets in my virtual networks, enabling transparent data encryption, etc.
Azure Security Center – Quickstart
Microsoft have provided a ‘Quickstart’ wizard to assist you in getting this service configured quickly and optimally. If you click on ‘Quickstart’ you are provided with a very useful set of options to get your Azure Security Center up and running in the shortest possible time as shown in the image below.
This ‘Quickstart’ guide is a good place to start in getting your Azure assets configured for Azure Security Center. It also assists you in taking the correct sequential steps so that you do not have to go back and redo configurations as you get further into configuring your security posture.
Azure Security Center – Set Security Policies
The workflow starts with setting a security policy. Every aspect of Azure Security Center relies on this policy to ascertain whether the data collected is considered a threat or vulnerability for your specific security configuration. As per the official documentation, a security policy defines the set of controls that are recommended for resources within the specified subscription or resource group.
The Security Policy can only be applied after data collection is set to ‘On’ via the ‘Security Policy’ blade. Azure Security Center collects data via agents that are installed on Azure services. These agents then send system updates, OS vulnerabilities and endpoint protection information to the Security Center service. The service then analyzes this data and utilizes this to send relevant security alerts and recommendations.
By default, Azure Security Center will warn you that you have not enabled data collection or threat auditing on your VMs, Apps and Databases, and will give you some basic recommendations for networking. To properly utilize Azure Security Center and gain the benefits of this service, you need to configure your policy and then deploy your agents to the resources you want to protect.
Azure Security Center – Implement Security Recommendations
Once you have your policy configured and resources reporting in you can then look at what recommendations Azure Security Center has made and implement those you feel are relevant to your environment / solution. By default, before you configure your security policy and deploy your agents, the clear majority of your recommendations will be to enable data collection and deploy agents to your Azure resources as you can see in the image below of my demo environment.
Azure Security Center – Monitor Security Health
Once you have implemented the recommendations you can then monitor the health of your Azure assets in the Resource Health Pane of the Overview section.
Azure Security Center – Manage and Respond to Security Alerts
Finally, you can monitor alerts: Azure Security Center notifies you as soon as one of your assets moves from a secure to an insecure state, whether through a configuration change, a system update that needs to be applied, or a similar event. You can view these in the ‘Security Alerts’ pane or be notified via email. Email notifications are configured via the Security Policy.
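The same Quickstart sequence (enable data collection, move to the Standard tier, set the alert contact, review recommendations, review alerts) can be driven from PowerShell. The script below is an added example, not from the original post, and uses the Az.Security module, which arrived after the portal-only workflow this post describes; the subscription id and contact e-mail are placeholders.

```powershell
# Added example: drives the Security Center Quickstart steps from the post with the
# Az.Security module (Install-Module Az.Security). Assumes you have already signed in
# with Connect-AzAccount; the subscription id and e-mail below are placeholders.
$SubscriptionId = "<your-subscription-id>"
Set-AzContext -Subscription $SubscriptionId | Out-Null

# Step 1 - Set Security Policies: turn data collection on by enabling automatic agent
# provisioning, so OS update, vulnerability and endpoint-protection data reaches the service.
Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision

# Move the resource types covered in the post (VMs, SQL, App Services) from the Free
# tier to Standard, which is the tier that includes Advanced Threat Detection.
foreach ($resourceType in "VirtualMachines", "SqlServers", "AppServices") {
    Set-AzSecurityPricing -Name $resourceType -PricingTier "Standard"
}

# E-mail notifications are part of the Security Policy; notify on alerts and also
# copy the subscription admins.
Set-AzSecurityContact -Name "default1" -Email "secops@example.com" -AlertAdmin -NotifyOnAlert

# Step 2 - Implement Security Recommendations: list the open recommendations (tasks)
# so they can be triaged and tracked outside the portal.
Get-AzSecurityTask | Where-Object { $_.State -eq "Active" } | Format-Table -AutoSize

# Step 4 - Manage and Respond to Security Alerts: list alerts that are still active.
Get-AzSecurityAlert | Where-Object { $_.State -eq "Active" } | Format-Table -AutoSize
```

Run the recommendation and alert queries on a schedule to detect resources drifting from a secure to an insecure state between portal visits.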