As most IT people are aware, the question that lurks behind every project, every process, and every support request is, “What about security?” For some, the sheer gravity of the question is enough to inspire some cosmic horror as we stare into the abyss of a seemingly insurmountable task. It triggers an avalanche of questions:
- Am I installing a potentially vulnerable piece of software?
- Are my systems up to date?
- Are there any new and/or potential vulnerabilities we need to prepare for?
- How do I keep up with the ever-shifting landscape of technology?
- Did I just open a huge hole into our network?
This alone is enough to keep any IT administrator awake at night as they contemplate the many ways everything can go horribly wrong. Or maybe not. If your organization already has a security team, lucky you.
The point is, security is a crucial part of any IT infrastructure. And there are many components to it as well, such as infrastructure security, application security, and AD security. We hear a lot about how essential it is to increase security in an organization, but how? What steps need to be taken? How do we demonstrate progress? How do we keep up with all the ways an attacker could break into our systems?
Those of you who leverage Azure infrastructure for your cloud platform may want to look at Azure Security Center (ASC). This service acts as a central point for connecting your virtual machines. Those machines can be in Azure, on-premises, in your traditional data center, or even in another cloud-hosting platform. The service can also cover some PaaS resources you may have running in your environment (e.g. Azure SQL, App Services/Web Apps, Blob Storage). ASC will analyze connected resources and provide recommendations for enhancing the security of your infrastructure. Microsoft maintains these recommendations so you will always be made aware of any new vulnerabilities that could compromise your infrastructure.
So, how does it work? ASC has two tiers: Free and Standard. Note that the Free tier only applies to Azure resources; non-Azure resources can only be added to the Standard tier. In either case, ASC leverages the Microsoft Monitoring Agent for collecting data on your systems.
Once resources are added, ASC will collect data over the next 24 hours and assess the security configuration of your systems. Then it generates a list of recommendations that appear in the ASC dashboard. These recommendations can be used to build a roadmap for securing your infrastructure. Some of these recommendations may be simple configuration settings (e.g. block inbound RDP/SSH on the public internet, enforce HTTPS for web apps). Others may be more long-term projects, such as remediating vulnerabilities found in connected servers or setting up a patch management process/schedule. You will also receive a “Secure Score” that rates your current infrastructure configuration and provides a priority list for improving security in your network. All of this is included in the Free tier.
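As an added illustration (not part of the original article, and not how ASC implements its assessment), the sketch below shows the kind of check that sits behind a recommendation such as "block inbound RDP/SSH on the public internet". It runs over constructed sample rules that use the property names of Azure network security group (NSG) rules, flattened for brevity; the function names are hypothetical.

```python
# Constructed sample rules (not from the article), flattened, using the
# property names of Azure network security group (NSG) security rules.
SAMPLE_RULES = [
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-rdp-any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-ssh-office", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "allow-mgmt-range", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["20-25", "443"]},
]

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0"}  # values that mean "any public address"

def _values(rule, single, plural):
    """Merge a singular/plural property pair (e.g. destinationPortRange[s]) into one list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers(port_spec, port):
    """True if a port spec such as '*', '22' or '20-25' includes the port."""
    if port_spec == "*":
        return True
    lo, _, hi = port_spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _matches(rule, port):
    """True if inbound TCP traffic from any public source to `port` hits this rule."""
    if rule["direction"].lower() != "inbound" or rule["protocol"].lower() not in ("tcp", "*"):
        return False
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    if not any(s.lower() in PUBLIC_SOURCES for s in sources):
        return False
    return any(_covers(p, port) for p in _values(rule, "destinationPortRange", "destinationPortRanges"))

def exposed_management_ports(rules):
    """Return (service, port, rule name) for each management port open to the internet."""
    findings = []
    for port, service in sorted(MGMT_PORTS.items()):
        # NSG rules are evaluated lowest priority number first; the first match decides.
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if _matches(rule, port):
                if rule["access"].lower() == "allow":
                    findings.append((service, port, rule["name"]))
                break
    return findings

print(exposed_management_ports(SAMPLE_RULES))
```

In the sample, RDP is not reported because the priority-100 deny rule shadows the later allow, while SSH is reported because the port range `20-25` quietly includes port 22.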
If you need to enforce stricter security measures, need to secure resources outside of Azure, or just want to play with some shiny tools in ASC, you will want to upgrade to the Standard tier. This will incur a monthly cost, but it provides some nice features, including:
- Application controls: prevents the install of unapproved applications, even if someone acquires admin access to a server
- “Just in time” VM access: blocks RDP/SSH to servers and only allows temporary access from approved users
- Auditing of who requested access and when
- Regulatory-compliance dashboard: for managing infrastructure compliance with regulatory standards. Currently supports PCI DSS 3.2.1, ISO 27001, SOC TSP
My personal favorite is the built-in vulnerability assessment tool. As part of the ASC Standard tier, Azure also provides the ability to set up the Qualys vulnerability scanner for your servers. Typically, setting up a vulnerability management tool would incur costs for licensing and infrastructure; you would need to build and configure servers (which you need to get educated on), manage and support them, and build processes and policies, all before you even derive value from the technology. However, the built-in vulnerability tool has no cost when using the ASC Standard tier and is provided as a managed service on the Azure backend. You only need to install the Qualys extension on your Azure VMs to start using it. The extension will run its own assessment of your servers’ security configuration and provide another, more in-depth list of recommendations for securing your infrastructure at the OS level. These recommendations will include documentation and instructions on how to remediate any vulnerabilities (e.g. installing updates or updating registry keys or other required security policies).
You can find all this (and more) in one central location within the Azure portal. If you can’t tell, I like ASC a lot and highly recommend that everyone check it out. We at Anexinet would love to help your organization out with ASC or any other areas of the Microsoft universe: Azure in general, Azure Site Recovery, Office 365, even cost optimization. Please reach out to us with any questions; we’d love to have a conversation on how we can help with your Azure journey.