Jonathan Weekes

The Best of Microsoft Ignite: Cloud Security Edition




At Ignite 2019, Microsoft released some interesting updates for Azure, with Security being a big focus. Here are some of my favorite announcements that you may not have seen in the headlines.


Azure Security Center has more standards, including NIST SP 800-53 R4.

The Regulatory Compliance section of Azure Security Center is one of my favorites. This handy tool allows you to pick a compliance standard and compares its pre-defined policies against your existing resources, calling out any non-compliant resources. For example, if you select the CIS controls, any VMs whose disks are not encrypted will be shown as non-compliant, along with the control section and number of the failed control (ex: 2.6 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled").

While you should not rely solely on Security Center to determine regulatory compliance, it does point you in the right direction. Until now, Regulatory Compliance has been limited to the basics like CIS, PCI DSS, and a few others. NIST was noticeably absent from this list, so its inclusion goes a long way to complete the offering.

To use these new standards, go to Security Center > Regulatory Compliance > Manage Compliance Policies. Then, select your subscription, and click on Add More Standards. The policy is run automatically and, after a few hours, will give you a list of all the controls, using the selected standard's numbering system, and all the systems that do, or do not, comply with each control. Only the specified resources in the selected subscription, and VMs with the Security Center agent installed, will show.


Customer Lockbox for Managed Disks and memory dumps, Azure SQL and other services.

One of the biggest issues with using a Cloud Provider is the loss of control of underlying systems. With PaaS services like Azure SQL and Managed Disks, you have no control over the underlying systems, and you must rely on Microsoft Engineers to keep you abreast of issues.

Now, by adding a Customer Lockbox, Microsoft Engineers must first request access from you before they can view your data for diagnostic purposes. It is important to note that Microsoft Engineers only ever have access to your data when you open a support ticket. That said, Customer Lockbox can now be applied in addition to that and any other internal authorizations you already have in place. This same ability is already offered for Office 365, and has been automatically enabled for the following services:

· Azure Storage

· Azure SQL Database

· Azure Data Explorer

· Memory dumps and managed disks for Azure Virtual Machines

· Transferring Azure subscriptions


Customer Managed Keys now available in Managed Disks, Event Hubs, and Power BI.

One of the main ways to secure your data in the Cloud is by using encryption at rest. This prevents your Cloud Provider from accessing your clear data. With Customer Managed Keys, you create a key in a key vault and use that key for encrypting your data at rest. And, because Microsoft designed the Key Vault in such a way that they cannot access the keys, Microsoft cannot decrypt your data. It is also important to note that the encryption key is created in the key vault but is completely controlled by you, the customer.

While Customer Managed Keys have been available in Azure Disks and Azure Storage, they are now available for Managed Disks, Event Hub, and Power BI.

The addition of Customer Managed Keys to Event Hubs is especially important for anyone exporting Event Logs to another system. Likewise, it is important for people using Power BI for reporting data.

I highly recommend using Customer Managed Keys to secure your data on all of the Microsoft products and services in which it is now available.


Azure Key Vault Certificate Policies released.

One of the biggest issues with creating certificates in Azure Key Vault is the lack of control over certificate settings. Until now, other than using Access Policies, certificates could be created without any restrictions.

With the addition of Certificate Policies, you can specify the Issuer (ex: only allow internally issued certs, disallow self-signed certs, etc.), Key Type, Key Size, Expiry Policy, and lifespan.

With these policies, it becomes a lot easier to ensure all your certificates meet your company guidelines, and to prevent the spread of self-signed certificates in Azure Key Vault.
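As an added illustration (not code from the original post or from Microsoft), the check below reads a certificate policy document in the shape Key Vault uses (issuerParameters, keyProperties, lifetimeActions, x509CertificateProperties) and reports every way it misses a hypothetical company guideline: self-signed or unapproved issuer, disallowed key type, undersized RSA key, validity beyond the allowed lifespan, and no auto-renew action. The sample policy and the issuer name "ContosoInternalCA" are constructed for the example.

```python
import json

# Constructed sample policy, in the JSON shape Key Vault returns for a
# certificate's policy. Deliberately weak: self-signed, 1024-bit RSA,
# 36-month lifespan, no lifetime actions.
SAMPLE_POLICY = json.loads("""
{
  "issuerParameters": {"name": "Self"},
  "keyProperties": {"keyType": "RSA", "keySize": 1024, "exportable": true},
  "lifetimeActions": [],
  "x509CertificateProperties": {"subject": "CN=app.contoso.example",
                                "validityMonths": 36}
}
""")

# Hypothetical company guideline: internal issuer only, RSA >= 2048 or EC,
# at most 12 months validity, auto-renewal configured.
GUIDELINE = {
    "allowed_issuers": {"ContosoInternalCA"},  # assumed issuer registered in the vault
    "allowed_key_types": {"RSA", "RSA-HSM", "EC", "EC-HSM"},
    "min_rsa_key_size": 2048,
    "max_validity_months": 12,
}

def check_certificate_policy(policy: dict, guideline: dict = GUIDELINE) -> list:
    """Return a list of guideline violations; an empty list means compliant."""
    findings = []
    issuer = policy.get("issuerParameters", {}).get("name")
    if issuer in ("Self", "Unknown", None):
        findings.append(f"issuer '{issuer}' is self-signed or unmanaged")
    elif issuer not in guideline["allowed_issuers"]:
        findings.append(f"issuer '{issuer}' is not an approved internal issuer")
    key = policy.get("keyProperties", {})
    key_type = key.get("keyType")
    if key_type not in guideline["allowed_key_types"]:
        findings.append(f"key type '{key_type}' is not allowed")
    if key_type in ("RSA", "RSA-HSM") and key.get("keySize", 0) < guideline["min_rsa_key_size"]:
        findings.append(f"RSA key size {key.get('keySize')} is below {guideline['min_rsa_key_size']}")
    months = policy.get("x509CertificateProperties", {}).get("validityMonths", 0)
    if months > guideline["max_validity_months"]:
        findings.append(f"validity of {months} months exceeds {guideline['max_validity_months']}")
    # Renewal must be automated so certificates do not silently expire.
    if not any(a.get("action", {}).get("actionType") == "AutoRenew"
               for a in policy.get("lifetimeActions", [])):
        findings.append("no AutoRenew lifetime action configured")
    return findings

if __name__ == "__main__":
    for finding in check_certificate_policy(SAMPLE_POLICY):
        print("FAIL:", finding)
```

Run the check against policies exported from a vault before approving them, or as a gate in the pipeline that creates certificates.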


Free TLS certificates announced.

Adding certificates to all your websites can be expensive and complex to manage. To combat that, Microsoft Azure will now provide certificates for your custom Domains at no cost, with automatic key renewal on the following services:

· Azure CDN managed certificates (generally available)

· Azure Front Door managed certificates (generally available)

· Azure App Service managed certificates for both web apps and functions

This is an exciting announcement, as having certificate costs included in the aforementioned services makes them more worthwhile. Not to mention, it eliminates the excuse for not having everything protected by TLS.

With all of these cloud security enhancements, Microsoft can help you realize increased compliance, as well as help you ensure that your data is as secure as possible. And, because Azure is a cloud system, you can expect more security options in the future.


To learn more about cloud security, or to better understand how to take advantage of these features, contact a member of the Blue Chip team.

