Design and Deploy a Secure Azure Environment: Mapping the NIST Cybersecurity Framework to Azure Services 9781484296776, 9781484296783

Follow this comprehensive guide as it provides you with a deep understanding of Azure security principles, best practice


English, 714 pages, 2023


Table of contents:
Table of Contents
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
Chapter 1: Get Started with Azure Security
Introduction to Cybersecurity
What Is a Cybersecurity Attack?
Why Are Cyberattacks Executed?
A Closer Look at Cybersecurity
Cybersecurity Risk Analysis
Threat Landscape
Attack Vectors
Security Breaches
Data Breaches
Malware
Known Mitigation Strategies
Multifactor Authentication
Browser Security
Threat Intelligence
Cryptography
Authentication and Authorization
Threats to Network Security
Threats to Application Security
Applications with Untrustworthy Origins
Vulnerabilities in Embedded Applications
Open-Source Vulnerabilities
Zero-Day Vulnerabilities
Browser-Based Threats
Cookie-Based Attacks
Typosquatting
Threats to Device Security
Device Threat Vectors
Phone, Laptop, or Tablet
USB Drives
Always-On Home Assistant Devices
Device Vulnerabilities
Getting Started with Cloud Computing
Top Benefits of Cloud Computing
Three Delivery Models of Cloud Computing
Microsoft Azure Overview
Azure Regions
Azure Geography
Azure Availability Zones
Azure Management Groups
Azure Subscriptions
Azure Resource Groups
Azure Resource Manager
Azure Management Offerings
Microsoft Azure Portal
Microsoft Azure PowerShell
Microsoft Azure CLI
Microsoft Azure Cloud Shell
Microsoft ARM Templates
Microsoft Azure Mobile App
Azure Monitoring Offerings
Microsoft Azure Advisor
Microsoft Azure Security Capabilities
Microsoft Sentinel
Microsoft Defender for Cloud
Azure Resource Manager
Application Insights
Azure Monitor
Azure Monitor Logs
Azure Advisor
Azure-Based Application Security Capabilities
Penetration Testing
Web Application Firewall
Authentication and Authorization in Azure App Service
Layered Security Architecture
Web Server Diagnostics and Application Diagnostics
Azure-Based Storage Security Capabilities
Azure Role-Based Access Control (Azure RBAC)
Shared Access Signature
Encryption in Transit
Encryption at Rest
Storage Analytics
Enabling Browser-Based Clients Using CORS
Azure Network Security Capabilities
Azure Network Communication with the Internet
Azure Communication Between Azure Resources
Azure Network Communication with the Private Cloud
Filter Network Traffic
Route Network Traffic
Integrate Azure Services
Other Network Services
Azure Compute Security Capabilities
Azure Confidential Computing
Anti-malware and Antivirus
Hardware Security Module
Virtual Machine Backup
Azure Site Recovery
SQL VM TDE
VM Disk Encryption
Virtual Networking
Patch Updates
Security Policy Management and Reporting
Azure Identity Security Capabilities
Azure Active Directory (Azure AD)
Azure Active Directory External Identities
Azure Active Directory Domain Services
Azure Apps and Data Security Capabilities
Overview of the NIST CSF
Summary
Chapter 2: Design and Deploy Security for Infrastructure, Data, and Applications
Design and Deploy a Strategy for Securing Infrastructure Components
Azure Data Centers and Network
Azure Data Center Physical Security
Azure Infrastructure Availability
Cloud Security Shared Responsibility Model
Foundation of Cloud Infrastructure and Endpoint Security
Securing Virtual Machines
Antimalware
Protect Sensitive Data
Organize Your Keys and Secrets with Key Vault
Virtual Machine Disks for Linux and Windows Can Be Encrypted
Build More Compliant Solutions
Shield Network Traffic from Threats
Securing Containers
Use a Private Registry
A Publicly Available Container Image Does Not Guarantee Security
Monitor and Scan Container Images
Protect Credentials
Securing Hosts
Securing Networks
Microsoft Cloud Security Benchmark for Network Security
Deploy Network Segmentation
Protect Cloud Native Services with Network Security Controls
Implement a Firewall at the Edge of the Enterprise Network
Implement Intrusion Detection/Prevention System
Implement DDoS Protection
Implement Web Application Firewall
Follow Simplicity in Network Security Configuration
In General, Disable Unused Services
Have a Private Connectivity Between On-Premises and Azure
Implement DNS Security
Securing Storage
Deploy Shared Access Signatures
Govern Azure AD Storage Authentication
Azure Storage Encryption for Data at Rest
Securing Endpoints
Microsoft Cloud Security Benchmark for Endpoint Security
Adopt Endpoint Detection and Response (EDR)
Deploy Modern Anti-malware Software
Have a Periodic Release Cycle for Anti-malware Software and Signatures
Securing Backup and Recovery
Microsoft Cloud Security Benchmark for Backup and Recovery
Deploy Scheduled Automated Backups
Safeguard Backup and Recovery
Monitor Backups
Periodically Test Backups
Design and Deploy a Strategy for Securing Identity
Microsoft’s Azure Active Directory
Authentication Choices
Cloud Authentication
Federated Authentication
Azure AD Identity Protection
Azure AD Privileged Identity Protection
Microsoft Cloud Security Benchmark for Identity
Identify and Authenticate Users Using a Centralized System
Authentication and Identity Systems Need to Be Protected
Automate and Secure Application Identity Management
Servers and Services Must Be Authenticated
Access Applications Using Single Sign-On (SSO)
Ensure Strong Authentication Controls Are in Place
Resource Access Can Be Restricted Based on Conditions
Ensure That Credentials and Secrets Are Not Exposed
Existing Applications Can Be Accessed Securely by Users
Microsoft Cloud Security Benchmark for Privileged Access
Ensure That Highly Privileged and Administrative Users Are Separated and Limited
Permissions and Accounts Should Not Be Granted Standing Access
Life-Cycle Management of Identities and Entitlements
Reconcile User Access Regularly
Emergency Access Should Be Set Up
Workstations with Privileged Access Should Be Used
Use the Least Privilege Principle (Just-Enough Administration)
Specify Access Method for Cloud Provider Support
Design and Deploy a Strategy for Securing Apps and Data
Software Frameworks and Secure Coding Libraries Should Be Used
Conduct a Vulnerability Scan
When Designing an Application, Use Threat Modeling
Keep Your Attack Surface as Small as Possible
Identify Identity as the Primary Security Perimeter
For Important Transactions, Reauthentication Should Be Required
Ensure the Security of Keys, Credentials, and Other Secrets by Using a Key Management Solution
Make Sure Sensitive Data Is Protected
Make Sure Fail-Safe Measures Are in Place
Ensure That Errors and Exceptions Are Handled Correctly
Alerts and Logging Should Be Used
Modernize
Microsoft Cloud Security Benchmark for DevOps
Analyze Threats
Ensure the Security of the Software Supply Chain
Infrastructure for DevOps That Is Secure
DevOps Pipeline Should Include Static Application Security Testing
Dynamic Application Security Testing Should Be Incorporated Into the DevOps Pipeline
DevOps Life-Cycle Security Is Enforced
Monitoring and Logging Should Be Enabled in DevOps
Getting Started with Microsoft SecOps
Category 1: Preparation, Planning, and Prevention
Category 2: Monitoring, Detection, and Response
Category 3: Recovery, Refinement, and Compliance
Microsoft SOC Function for Azure Cloud
Microsoft Azure Security Operations Center
SecOps Tools
Summary
Chapter 3: Design and Deploy an Identify Solution
Introduction to NIST Identify
Asset Management (ID.AM)
Azure Mapping for Asset Management (ID.AM)
Microsoft Defender for Cloud
Asset Inventory
Software Inventory
How to Enable It
Azure AD Registered Devices
How to Enable It
IoT Hub Identity Registry
Microsoft Intune
How to Enable It
Azure Service Map
How to Enable It
Azure Network Watcher and Network Security Group
How to Enable It
Azure Information Protection
How to Enable It
Azure AD Privileged Identity Management
How to Enable It
Privileged Access Management
How to Enable It
Business Environment (ID.BE)
Privileged Access Workstation
Microsoft Azure Bastion
Azure Reliability by Design
Governance (ID.GV)
Microsoft Incident Response and Shared Responsibility
Microsoft and General Data Protection Regulation
Microsoft Compliance Manager
Azure Policy
Risk Assessment (ID.RA)
Risk Assessment for Microsoft Azure
Vulnerability Assessments in Microsoft Defender for Cloud
AD Risk Management
Design and Implementation of Active Directory
Microsoft Sentinel
How to Enable It
Microsoft Threat Modeling Tool
Microsoft Threat Management
Azure Monitor
Cybersecurity Operations Services
Summary
Chapter 4: Design and Deploy a Protect Solution: Part 1
Introduction to NIST Protect
Identity Management, Authentication, and Access Control (PR.AC)
Key Aspects of IDM
Methods of Authentication
Azure Mapping for PR.AC
Azure AD
How It Works
Design Considerations
How To Enable It
Azure IoT
Design Considerations
How To Enable It
Conditional Access
How To Enable It
Azure AD’s Application Proxy
How It Works
How To Enable It
Just Enough Administration
How To Enable It
Managed and Protected Physical Access to Assets
Awareness and Training (PR.AT)
Azure Mapping for PR.AT
Summary
Chapter 5: Design and Deploy a Protect Solution: Part 2
Data Security
Azure Mapping for Data Security
Azure Disk Encryption
How It Works
Design Considerations
How to Enable It
Azure Storage Service Encryption
How It Works
Design Considerations
How to Enable It
Azure Key Vault
How to Enable It
Azure Information Protection
How It Works
Design Considerations
How to Enable It
Azure Backup Encryption
How It Works
Design Considerations
How to Enable It
Azure VPN Gateway
Design Considerations
How to Enable It
Azure Site-to-Site VPN
Design Considerations
How to Enable It
Azure Point-to-Site VPN
How It Works
Design Considerations
How to Enable It
Azure ExpressRoute
How It Works
Design Considerations
How to Enable It
Azure WAF
How It Works
Design Considerations
How to Enable It
Microsoft Purview DLP
How It Works
Design Considerations
How to Enable It
Data Segregation
Summary
Chapter 6: Design and Deploy a Protect Solution: Part 3
Information Protection Processes and Procedures (PR.IP)
Azure Mapping for PR.IP
Azure Automation Desired State Configuration
How It Works
Design Considerations
How to Enable It
PowerShell Desired State Configuration
How It Works
How to Enable It
Microsoft SDL
How to Enable It
Security and Compliance in Office 365
How to Enable It
Office 365 Secure Score
Design Considerations
How to Enable It
Azure Site Recovery
Design Considerations
How to Enable It
Vulnerabilities Assessment
How to Enable It
Protective Technology (PR.PT)
Azure Mapping for PR.PT
Azure Security Information and Event Management
How to Enable It
AD Log Analytics
Design Considerations
How to Enable It
Microsoft BitLocker
Design Considerations
How to Enable It
Microsoft AppLocker
Design Considerations
How to Enable It
Azure Network Security Services
Design Considerations
How to Enable It
Microsoft Defender for Identity
Design Considerations
How to Enable It
Summary
Chapter 7: Design and Deploy a Detect Solution
Incident Detection in Cybersecurity
Introduction to NIST Detect
Anomalies and Events (DE.AE)
Example 1: Cybersecurity Professional at a Midsize Client
Example 2: Cybersecurity Analyst Working for a Financial Institution
Azure Mapping to Anomalies and Events (DE.AE)
Azure Sentinel
Design Considerations
How to Enable It
Security Continuous Monitoring (DE.CM)
Getting Started with DevSecOps
DevSecOps Continuous Monitoring
Azure Mapping to Security Continuous Monitoring (DE.CM)
Azure Monitor
Design Considerations
How to Enable It
Azure AD Conditional Access
How It Works
Design Considerations
How to Enable It
Microsoft Defender for Cloud
Design Considerations
How to Enable It
Microsoft Defender for Endpoint
Design Considerations
How to Enable It
Azure Policy
How to Enable It
Detection Processes (DE.DP)
Azure Mapping to DE.DP
Azure AD Identity Protection
Design Considerations
How to Enable It
Microsoft Defender ATP
How It Works
Design Considerations
How to Enable It
Microsoft Red Team
Summary
Chapter 8: Design and Deploy a Respond Solution
Incident Response in Cybersecurity
Introduction to NIST Respond
Response Planning (RS.RP)
Example: NIST CSF Response Plan
Azure Mapping to Response Planning (RS.RP)
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
Microsoft Azure Security Response in the Cloud
What Is Azure Security Control: Incident Response?
Key Features of Azure Security Control: Incident Response
Benefits of Azure Security Control: Incident Response
How to Build the Response Plan
Communications (RS.CO)
Azure Mapping to Response Communication (RS.CO)
Communications in the Real World
Analysis (RS.AN)
Azure Mapping to Response Analysis (RS.AN)
Microsoft Incident Response
Threat Intelligence
Advanced Threat Detection
Security Incident and Event Management
Security Automation and Orchestration
Incident Response Playbooks
Mitigation (RS.MI)
Design Considerations
Azure Security Center
How to Enable It
Summary
Chapter 9: Design and Deploy a Recovery Solution
Cybersecurity Incident Recovery
Introduction to NIST Recovery
Example: Data Breach
Overview of the NIST CSF Recovery Module
Example: Recovering from a Ransomware Attack
Azure Mapping to NIST Recovery
Benefits of Azure Recovery Services
Azure Backup
Key Components of Azure Backup
Overview of Supported Elements
Protect Against Ransomware
Azure Backup Security Features Overview
Azure VM Backup
How to Back Up, Restore, and Manage Azure VMs Using Azure Backup
Azure Disk Backup
How to Back Up, Restore, and Manage Azure Disk Backup Using Azure Backup
Azure Blob Backup
How to Back Up and Restore Azure Blob Storage Using Azure Backup
Azure File Share Backup
How to Back Up and Restore Azure File Share Using Azure Backup
Azure Backup for Database
Azure Backup for Azure Kubernetes Service
Azure Offline Backup
Azure Site Recovery
Key Features of Azure Site Recovery
Site Recovery Services
Azure Site Recovery in the Event of a Cybersecurity Incident
Recovery Plans
The Modernization of Disaster Recovery Failovers/Failbacks On-Premises
Azure Traffic Manager and Azure Site Recovery
Azure ExpressRoute with Azure Site Recovery
Azure Virtual Machine Recovery with Azure Site Recovery
Overall Security Integration Component with Azure Site Recovery
How to Set Up Disaster Recovery for an Azure VM to a Secondary Azure Region
Azure Security Baselines for Azure Site Recovery
Backup and Restore Plan to Protect Against Ransomware
Summary
Index