Security Center provides out of the box policies and a dashboard to identify possible security issues with your subscription.
To start with Security Center has a good set of policies that will help you do basic audits and provide security alerts.
Use Security Center to meet your cloud requirements
In this article, you will be able to meet the following requirements:
- Set up ways for your security team, developers, and operations to quickly audit subscriptions.
- Mitigate security issues
In a later post, you will learn how to add additional policies, set up a management group as a way to manage policies across multiple subscriptions.
First some definitions.
- Management Group. This is a logical container that allow Azure administrators to manage access, policy, and compliance across multiple Azure Subscriptions.
- Security Center. A unified infrastructure security management system that strengthens the security posture of your data centers. And it provides advanced threat protection across your hybrid workloads in the cloud – whether they’re in Azure or not.
- Policy. A feature of Azure that helps you enforce organizational standards and to assess compliance at-scale.
- Scope. In this article a scope refers to what level you assign permissions. In this article you can assign permissions at the subscription level, the resource group level and to individual resources.
- Log Analytics. The repository that receives the data from Security Center for alerting and analysis.
About Security Center
Security Center sets up Azure Policies that provide guardrails for your subscription. Security Center comes with a set of default policies. At a high level, the policies check:
- Failure to deploy system updates on virtual machines (VMs).
- Unnecessary exposure to the Internet through public-facing endpoints.
- Unencrypted data in transit or storage.
You can customize your security policy to focus your own areas of emphasis. For example:
- Add check for web application firewalls
- Add storage encryption
- Apply your policy to multiple Azure subscriptions.
And then, it provides a dashboard that gives you visibility into your security posturea at a glance. The following illustration shows a Security Center dashboard.
Gain visibility across your environment to verify compliance with regulatory requirements, such as CIS, PCI DSS, SOC, and ISO.
It also provides for suggestions and in many cases, provides a way to immediately remedy the issue.
Use the dashboard to drill into specific requirements. In many cases, Security Center provides a single click solution to remediate the issue. For others, you will need deeper solution. The following illustration shows an example summary of the solutions to make a virtual machine more secure.
Many of the resources were misconfigured when they were built, often using the defaults in the Azure portal. This means that is it easy for your users and cloud administrators to create resoources that may not be as protected as you want.
The default configurations of many resources provided in the portal will not pass a rigorous security audit. As enterprise administrators you will need to provide other ways for your users to create those resources, such as through deployment in Azure DevOps of sets of resources that will pass your audits.
This blog will highlight ways to provide your users with compliant resources and ways for you to build an approval process within your organization. But for now, you can look to:
- Deployment of compliant ARM templates (or Terraform templates) through Azure DevOps
- Deployment of resources, policies, and using Azure Blueprints
But first, you will need to set up Security Center Standard.
Upgrade Security Center to Standard
Security Center provides a good set of policies and dashboards through the free portal. But for enterprise and for production, you will want the standard version.
As explained in the documentation: “The standard tier also adds threat protection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more. In addition, standard tier adds vulnerability scanning for your virtual machines. You can try the standard tier for free. Security Center standard supports Azure resources including VMs, Virtual machine scale sets, App Service, SQL servers, and Storage accounts. If you have Azure Security Center standard, you can opt out of support based on resource type.”
The following table shows a summary of features.
|Feature||Free Tier||Standard Tier|
|Assessment and recommendations|
|Just in Time (JIT)||–|
|Threat protection for IaaS and PaaS||–|
|Microsoft Defender ATP for Servers||–|
Review Security Center pricing. When you upgrade to the Standard tier of Azure Security Center, you are automatically enrolled and Security Center by default protects all your resources unless you explicitly decide to opt-out.
One of the most important features provided by Security Center standard, are:
- Just in Time VM access to virtual machines. Your admins and users will occasionally need to access a VM inside the virtual network. JIT closes down the RDP and SSH ports and opens them only to the users who are authorized.
- Adaptive application controls is an intelligent, automated, end-to-end solution from Azure Security Center which helps you white-list which applications can run on your Azure and non-Azure machines (Windows and Linux).
- Adaptive Network Hardening improves your security posture by hardening the network security group (NSG) rules, based on the actual traffic patterns
- Security alerts are the notifications that Security Center generates when it detects threats on your resources.
- Threat protection. You can enable threat protection for Azure Storage accounts at either the subscription level or resource level. You can enable threat protection for Azure SQL Database SQL servers at either the subscription level or resource level. You can enable threat protection for Azure Database for MariaDB/ MySQL/ PostgreSQL at the resource level only.
- Microsoft Defender ATP
Security Center comes with a set of built in policy definitions that are discussed in a following section in more detail.
But first, you should follow the documentation to learn how to upgrade to Security Center Standard in the portal. Or you can automate the process to onboard new subscriptions to use Security Center standard as explained in the next section.
Onboard Security Center using PowerShell
In the previous article, you learned how to set up Log Analytics. Log Analytics can act as a central repository for your Security Center data and is a prerequisite for this step.
Get the log analytics workspace ID from the PowerShell cmdlet that you used to set up the workspace, or you can get it from the portal.
To find your workspace, open the portal and in the search bar at the top of the page, type Log Analytics to see the list of your workspaces as shown in the following illustration.
Then click on the workspace that you want Security Center to conntect to. The workspace ID is shown in the Overview section.
Next, use the following cmdlet to set your subscription to use Security Center standard, sets up your security administrator to receive email and phone for security alerts, and attaches the policy to your Log Analytics workspace.
Review the Security Center built-in policies
Security Center comes with a set of built in Policies for Security Center. Most of the policies are instantly recongizable. For example:
- System updates should be installed on your machines
- Role-Based Access Control (RBAC) should be used on Kubernetes Services
- Security Center standard pricing tier should be selected
- Subnets should be associated with a Network Security Group
- There should be more than one owner assigned to your subscription
- Vulnerabilities in container security configurations should be remediated
- Vulnerabilities in security configuration on your machines should be remediated
- External accounts with owner permissions should be removed from your subscription
Many of the policies can be used out of the box. But a few will need to be updated based on your own compliance needs. It is a best practice to use your infrastructure as code practices (checking the changes in policies as code into Azure DevOps and deploying them through DevOps.)
For example, as you learned in the previous blog post, Setting up your enterprise Azure subscription administrators, multifactor authentication should be required on all users, except for two emergency owners. Yet the default policy applied by Security Center provides MFA should be enabled on accounts with owner permissions on your subscription. In this rare case, this means you need to create a custom policy in Security Center.
Also, you will want to be aware of the following:
NOTE: When you deploy new resources, the Security Center dashboard will not update immediately. You will need to wait a few minutes (20 minutes to an hour) to receive reports on the new resources. Also, some resources that have been deleted may continue to impact your score. So review the dashboard information closely to determine the actual impact on your systems.
In this article, you learned the basics of Security Center, its features, the importance of using Security Center standard in production environments, and how you can connect it to Log Analytics.
Next, you will want to dive deper to:
- Strengthen security posture
- Remediate recommendations in Azure Security Center
- See more about Working with security policies
- Download and review Security best practices for Azure solutions
If you want to do fine-grained selection of the tiers available for each of the service, you can adapt an Azure ARM template to deploy and update Security Center tiers.