As covered in my previous overview post on Azure Security Center, this Azure service provides an overview of the security state of the Azure apps and services running in a specific subscription.
Azure Security Center only becomes useful once you configure and enable its Security Policies. The process is straightforward and takes just a few steps.
The first step is to open Azure Security Center and click on the Security Policy icon.
This opens the Security Policy blade. Note that you can set your policy at the subscription level or set a separate policy per resource group. In the image below I have chosen to configure the policy at the subscription level so that all resource groups inherit from a single master policy. The configuration blade opens once you select the level you want to apply your policy to.
As with any system configuration, less is more. Keep the number of individual policies as low as possible; a single inherited policy with a few documented exceptions is far easier to manage and audit during the operational phase than a policy per resource group.
To configure your Azure Security Center policy, you must enable Data Collection and choose a Storage Account for each region.
The remaining policy components can be left at their defaults; Azure Security Center will begin monitoring and evaluating your resources without any changes to them. By default, the Prevention Policy shows recommendations for all monitoring components, Email Notifications are disabled and the Free Pricing Tier is selected.
Step 1 – Enable Data Collection
To enable Data Collection simply toggle the Data Collection switch from ‘Off’ to ‘On’ as per the image below.
Step 2 – Configure Storage Account(s)
Next, configure the storage used for data collection. You must configure storage for each Azure region in which you have services running. In the example below, the subscription has services in three regions, so a storage account must be configured for each. If you click ‘OK’, a new storage account is created automatically for each region.
You can also have Azure Security Center write its collected data to an existing storage account. You still need one storage account per region, so in this example I would need to choose three. Be aware, however, that if you later deprovision a service that shares a storage account with Azure Security Center and the storage account is deleted with it, the collected security data is lost with it. Azure warns you about this when you select a shared account, but sharing storage accounts, although it may seem cost effective, is less manageable down the line. Dedicated accounts also make it easier to lock down access to the collected data and to apply a resource lock so the account cannot be deleted by accident.
With these two settings configured, click ‘Save’ and Azure Security Center will install and configure its monitoring agents on your virtual machines. It takes a couple of hours before the service starts reporting resource-specific recommendations and issues.
If you want to tweak the service from its defaults, three settings can be changed: the Prevention Policy, Email Notifications and the Pricing Tier.
Step 3 – Amend Default Prevention Policy (Optional)
To amend the default Prevention Policy, click the Prevention Policy icon as shown in the figure below. By default every available monitoring component is enabled, from checking for the latest ‘System Updates’ to confirming that ‘SQL Encryption’ is enabled on your SQL instances.
Note that you may want to disable the two firewall checks (Web Application Firewall and Next Generation Firewall) and the vulnerability assessment check. These monitors only verify that you have enabled the corresponding Azure services. If you have not, because an external service provides that capability for you, your Security Center dashboard will unfairly show these as high-risk items. Only disable a check once the compensating control is actually in place, and record why it was disabled, so the gap does not get silently forgotten. If you do not use a Web Application Firewall or Next Generation Firewall at all, I strongly recommend putting them in place to protect your cloud assets.
Step 4 – Enable Notifications (Optional)
You can also enable Email Notifications so that Azure Security Center proactively alerts you to events as they happen. I prefer to have these enabled, as something may need immediate attention while I am away from my console. With notifications configured I can at least be alerted on my mobile phone and act sooner rather than later. Send them to a monitored team mailbox or distribution list rather than a single person so an alert is not missed when that person is unavailable. The image below shows where and how to enable these notifications.
Step 5 – Select Pricing Tier (Optional)
Finally, if you require the advanced Security Center offerings such as Threat Intelligence, Behavioral Analysis, Crash Analysis and Anomaly Detection, you can move from the ‘Free Tier’ to the ‘Standard Tier’. Azure offers a free trial of the Standard Tier so you can evaluate the advanced features and decide whether they add enough value to your environment to justify the cost.
Remember to click ‘Save’ after making any changes; the amendments are not committed or applied until you do.