Azure security baseline for Azure Lighthouse
This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Lighthouse. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Lighthouse.
Note
Controls not applicable to Azure Lighthouse, and those for which the global guidance is recommended verbatim, have been excluded. To see how Azure Lighthouse completely maps to the Azure Security Benchmark, see the full Azure Lighthouse security baseline mapping file.
Network Security
For more information, see the Azure Security Benchmark: Network Security.
NS-7: Secure Domain Name Service (DNS)
Guidance: Not applicable; Azure Lighthouse does not expose its underlying DNS configuration, which is maintained by Microsoft.
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
Identity Management
For more information, see the Azure Security Benchmark: Identity Management.
IM-1: Standardize Azure Active Directory as the central identity and authentication system
Guidance: Azure Lighthouse uses Azure Active Directory (Azure AD) as the default identity and access management service. Standardize Azure AD to govern your organization’s identity and access management in:
- Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machine (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
- Your organization's resources, such as applications on Azure or your corporate network resources.
With Azure Lighthouse, designated users in a managing tenant are assigned Azure built-in roles that let them access delegated subscriptions and/or resource groups in a customer's tenant. All built-in roles are currently supported except Owner and any built-in role that includes DataActions permissions. The User Access Administrator role is supported only for the limited purpose of assigning roles to managed identities. Custom roles and classic subscription administrator roles are not supported.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
IM-2: Manage application identities securely and automatically
Guidance: Azure managed identities can authenticate to Azure services and resources that support Azure Active Directory (Azure AD) authentication. Authentication is enabled through pre-defined access grant rules, avoiding hard-coded credentials in source code or configuration files. With Azure Lighthouse, users with the User Access Administrator role on a customer's subscription can create a managed identity in that customer's tenant. While this role is not generally supported with Azure Lighthouse, it can be used in this specific scenario, allowing the users with this permission to assign one or more specific built-in roles to managed identities.
For services that do not support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level instead. Azure Lighthouse allows service principals to access customer resources according to the roles they are granted during the onboarding process. Prefer certificate credentials for service principals and use client secrets only where certificates are not an option. In both cases, Azure Key Vault can be used in conjunction with Azure managed identities, so that the runtime environment (such as an Azure function) retrieves the credential from the key vault rather than storing it in code or configuration.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Privileged Access
For more information, see the Azure Security Benchmark: Privileged Access.
PA-1: Protect and limit highly privileged users
Guidance: Limit the number of highly privileged user accounts, and protect these accounts at an elevated level. A Global Administrator account is not required to enable and use Azure Lighthouse.
To access tenant-level Activity Log data, an account must be assigned the Monitoring Reader Azure built-in role at root scope (/). Because the Monitoring Reader role at root scope is a broad level of access, we recommend that you assign this role to a service principal account, rather than to an individual user or to a group. This assignment must be performed by a user who holds the Global Administrator role and has temporarily elevated their access to manage all Azure subscriptions and management groups (which grants User Access Administrator at root scope). Elevate immediately before making the role assignment, and remove the elevated access as soon as the assignment is complete.
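The elevate, assign, de-elevate sequence above, written out as the ARM REST calls it consists of. This is an added example and not Microsoft's code: `send(method, url, body)` is an assumed authenticated ARM client that returns the decoded JSON body, the role definition GUIDs are the built-in role IDs as assumed here, and the recording transport at the end is a constructed stand-in so the block runs offline. The point it makes is that the elevation is removed in a `finally` block, so it is gone even when the role assignment fails, and that only the root-scope User Access Administrator assignment is removed, not assignments the administrator legitimately holds lower down.

```python
"""Root-scope Monitoring Reader assignment bracketed by temporary elevated access.

Added example (not Microsoft's code).  Order of operations for the PA-1 procedure:
elevate the Global Administrator's access (grants User Access Administrator at "/"),
assign Monitoring Reader at "/" to a service principal, then remove the elevation
again whether or not the assignment succeeded.  `send(method, url, body)` is an
assumed authenticated ARM client returning the decoded JSON body.
"""
import uuid

ARM = "https://management.azure.com"
ROLE_DEFS = "/providers/Microsoft.Authorization/roleDefinitions/"
MONITORING_READER = "43d0d8ad-25c7-4714-9b6c-f26f6c2ad4e9"   # assumed built-in role GUIDs
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
RA_API = "api-version=2022-04-01"


def elevate_access(send):
    """Give the calling Global Administrator User Access Administrator at root scope."""
    send("POST", f"{ARM}/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01", None)


def assign_root_role(send, principal_id, role_def_id, principal_type):
    """Create a role assignment at "/"; the assignment name is a caller-chosen GUID."""
    name = str(uuid.uuid4())
    body = {"properties": {"roleDefinitionId": ROLE_DEFS + role_def_id,
                           "principalId": principal_id, "principalType": principal_type}}
    send("PUT", f"{ARM}/providers/Microsoft.Authorization/roleAssignments/{name}?{RA_API}", body)
    return name


def remove_elevated_access(send, admin_object_id):
    """Undo the elevation: delete the admin's User Access Administrator assignments at "/" only.
    (A real client URL-encodes the $filter value; kept readable here.)"""
    url = f"{ARM}/providers/Microsoft.Authorization/roleAssignments?{RA_API}&$filter=principalId eq '{admin_object_id}'"
    removed = []
    for ra in send("GET", url, None).get("value", []):
        props = ra["properties"]
        if props["scope"] == "/" and props["roleDefinitionId"].endswith(USER_ACCESS_ADMIN):
            send("DELETE", f"{ARM}{ra['id']}?{RA_API}", None)
            removed.append(ra["id"])
    return removed


def grant_root_monitoring_reader(send, sp_object_id, admin_object_id):
    """Returns the new role assignment name; elevation is removed on every exit path."""
    elevate_access(send)
    try:
        return assign_root_role(send, sp_object_id, MONITORING_READER, "ServicePrincipal")
    finally:
        remove_elevated_access(send, admin_object_id)


def recording_transport(fail_put=False):
    """Constructed offline stand-in for `send`: records every call and answers the GET with
    one root-scope UAA assignment plus one subscription-scope one that must be left alone."""
    calls = []

    def send(method, url, body):
        calls.append((method, url))
        if method == "PUT" and fail_put:
            raise RuntimeError("403 from ARM")
        if method == "GET":
            return {"value": [
                {"id": "/providers/Microsoft.Authorization/roleAssignments/root-uaa",
                 "properties": {"scope": "/", "roleDefinitionId": ROLE_DEFS + USER_ACCESS_ADMIN}},
                {"id": "/subscriptions/s1/providers/Microsoft.Authorization/roleAssignments/sub-uaa",
                 "properties": {"scope": "/subscriptions/s1", "roleDefinitionId": ROLE_DEFS + USER_ACCESS_ADMIN}}]}
        return {}
    return send, calls


if __name__ == "__main__":
    send, calls = recording_transport()
    grant_root_monitoring_reader(send, "sp-object-id", "admin-object-id")
    for method, url in calls:
        print(method, url)
```

Run stand-alone it prints the four calls in order (POST elevateAccess, PUT roleAssignments, GET roleAssignments, DELETE root-uaa). Swap the recording transport for a real client that attaches the Global Administrator's ARM token and the same function performs the procedure for real.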
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-3: Review and reconcile user access regularly
Guidance: Azure Lighthouse uses Azure Active Directory (Azure AD) accounts to manage its resources. Review user accounts and access assignments regularly to ensure that the accounts and their access are still valid. You can use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management to create an access review workflow to facilitate the review process.
Customers can review the level of access granted to users in the managing tenant via Azure Lighthouse in the Azure portal. They can remove this access at any time.
In addition, Azure Privileged Identity Management can also be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.
Note: Some Azure services support local users and roles that are not managed through Azure AD. You will need to manage these users separately.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-6: Use privileged access workstations
Guidance: Secured, isolated workstations are critically important for the security of sensitive roles like administrators, developers, and critical service operators. Depending on your requirements, you can use highly secured user workstations and/or Azure Bastion for performing administrative tasks with Azure Lighthouse in production environments. Use Azure Active Directory (Azure AD), Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce a secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-7: Follow just enough administration (least privilege principle)
Guidance: Azure Lighthouse is integrated with Azure role-based access control (RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these built-in roles to users, groups, service principals and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell or the Azure portal. The privileges you assign to resources through the Azure RBAC should be always limited to what is required by the roles. This complements the just in time (JIT) approach of Azure Active Directory (Azure AD) Privileged Identity Management (PIM) and should be reviewed periodically. Use built-in roles to allocate permission and only create custom roles when required.
Azure Lighthouse allows access to delegated customer resources using Azure built-in roles. In most cases, you'll want to assign these roles to a group or service principal, rather than to many individual user accounts. This lets you add or remove access for individual users without having to update and republish the Managed Service offer (or redeploy the onboarding template) when your access requirements change.
To delegate customer resources to a managing tenant, a deployment must be done by a non-guest account in the customer's tenant who has the Owner built-in role for the subscription being onboarded (or which contains the resource groups that are being onboarded).
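A pre-flight check for a Lighthouse onboarding parameter file that encodes the authorization rules stated under IM-1 and PA-7 (no Owner, no built-in role with DataActions, User Access Administrator only together with `delegatedRoleDefinitionIds`, no custom roles), plus an allow-list check on `managedByTenantId`, which is what the "Allow managing tenant IDs to onboard through Azure Lighthouse" policy listed under PV-1 enforces at deployment time. This is an added example, not Microsoft's code or template: the role GUIDs are the built-in role IDs as assumed here, `ROLE_CATALOG` and the sample parameter file are constructed for the example, and for real use the catalog should be generated from `az role definition list` so the DataActions flag matches the current definitions.

```python
"""Pre-flight check of an Azure Lighthouse onboarding parameter file.

Added example (not Microsoft's code).  Rules encoded, per IM-1 / PA-7 of this
baseline: no Owner, no built-in role that carries DataActions, User Access
Administrator only with delegatedRoleDefinitionIds, no custom roles; plus a
managing-tenant allow-list.  ROLE_CATALOG is constructed for the example.
"""
import json

OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"

# roleDefinitionId -> (roleName, role has DataActions).  Assumed built-in GUIDs.
ROLE_CATALOG = {
    OWNER: ("Owner", False),
    USER_ACCESS_ADMIN: ("User Access Administrator", False),
    "b24988ac-6180-42a0-ab88-20f7382dd24c": ("Contributor", False),
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": ("Reader", False),
    "f1a07417-d97a-45cb-824c-7a7467783830": ("Managed Identity Operator", False),
    "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1": ("Storage Blob Data Reader", True),
}


def delegable(role_id, catalog):
    """True if role_id is a built-in role that Lighthouse can delegate."""
    entry = catalog.get(role_id)
    return entry is not None and role_id != OWNER and not entry[1]


def check_authorization(auth, catalog=ROLE_CATALOG):
    """Return findings for one entry of the 'authorizations' array ([] means acceptable)."""
    findings = []
    role_id = auth.get("roleDefinitionId", "")
    who = auth.get("principalIdDisplayName") or auth.get("principalId", "?")
    entry = catalog.get(role_id)
    if entry is None:
        return [f"{who}: {role_id} is not a built-in role (custom roles are not supported)"]
    name, has_data_actions = entry
    if role_id == OWNER:
        findings.append(f"{who}: Owner cannot be delegated")
    elif has_data_actions:
        findings.append(f"{who}: {name} includes DataActions and cannot be delegated")
    if role_id == USER_ACCESS_ADMIN:
        delegated = auth.get("delegatedRoleDefinitionIds") or []
        if not delegated:
            findings.append(f"{who}: User Access Administrator needs delegatedRoleDefinitionIds")
        for rid in delegated:
            if not delegable(rid, catalog):
                findings.append(f"{who}: delegatedRoleDefinitionIds entry {rid} is not a delegable built-in role")
    return findings


def check_onboarding(params, allowed_tenants, catalog=ROLE_CATALOG):
    """Validate the whole parameter file; returns the list of findings."""
    p = params["parameters"]
    tenant = p["managedByTenantId"]["value"]
    findings = [] if tenant in allowed_tenants else [f"managing tenant {tenant} is not on the allow-list"]
    for auth in p["authorizations"]["value"]:
        findings.extend(check_authorization(auth, catalog))
    return findings


# Constructed sample in the shape of the Lighthouse onboarding parameter file (placeholder IDs).
SAMPLE_PARAMS = json.loads("""{
  "parameters": {
    "managedByTenantId": {"value": "11111111-1111-1111-1111-111111111111"},
    "authorizations": {"value": [
      {"principalId": "aaaaaaaa-0000-0000-0000-000000000001", "principalIdDisplayName": "MSP SOC analysts",
       "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"},
      {"principalId": "aaaaaaaa-0000-0000-0000-000000000002", "principalIdDisplayName": "MSP automation SP",
       "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"},
      {"principalId": "aaaaaaaa-0000-0000-0000-000000000002", "principalIdDisplayName": "MSP automation SP",
       "roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
       "delegatedRoleDefinitionIds": ["f1a07417-d97a-45cb-824c-7a7467783830"]},
      {"principalId": "aaaaaaaa-0000-0000-0000-000000000003", "principalIdDisplayName": "MSP admins",
       "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"},
      {"principalId": "aaaaaaaa-0000-0000-0000-000000000004", "principalIdDisplayName": "MSP backup SP",
       "roleDefinitionId": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"},
      {"principalId": "aaaaaaaa-0000-0000-0000-000000000005", "principalIdDisplayName": "MSP ops",
       "roleDefinitionId": "00000000-0000-0000-0000-0000000000ff"}
    ]}
  }
}""")

if __name__ == "__main__":
    for finding in check_onboarding(SAMPLE_PARAMS, {"11111111-1111-1111-1111-111111111111"}):
        print("FAIL:", finding)
```

Against the sample the check reports three findings (the Owner entry, the Storage Blob Data Reader entry because it carries DataActions, and the unknown role ID), while the Reader, Contributor and User Access Administrator with a delegated Managed Identity Operator role pass. Running it in the customer's pipeline before deploying the onboarding template catches the cases that would otherwise fail at deployment, or worse, go through with more access than intended.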
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Asset Management
For more information, see the Azure Security Benchmark: Asset Management.
AM-1: Ensure security team has visibility into risks for assets
Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud.
Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.
Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.
Note: Additional permissions might be required to get visibility into workloads and services.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
AM-2: Ensure security team has access to asset inventory and metadata
Guidance: Customers' security teams can review activity logs to see activity taken by service providers who use Azure Lighthouse.
If a service provider wants to allow their security team to review delegated customer resources, the security team's authorizations should include the Reader built-in role.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
AM-3: Use only approved Azure services
Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules that trigger alerts when a non-approved service is detected.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Logging and Threat Detection
For more information, see the Azure Security Benchmark: Logging and Threat Detection.
LT-1: Enable threat detection for Azure resources
Guidance: Through Azure Lighthouse, you can monitor your customers' Azure resources for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.
Use the Microsoft Defender for Cloud built-in threat detection capability, which is based on monitoring Azure service telemetry and analyzing service logs. Data is collected by an agent (the Log Analytics agent at the time this baseline was written, since retired in favor of the Azure Monitor agent), which reads various security-related configurations and event logs from the system and copies the data to your workspace for analysis.
In addition, use Microsoft Sentinel to build analytics rules, which hunt threats that match specific criteria across your customer's environment. The rules generate incidents when the criteria are matched, so that you can investigate each incident. Microsoft Sentinel can also import third-party threat intelligence to enhance its threat detection capability.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-2: Enable threat detection for Azure identity and access management
Guidance: Through Azure Lighthouse, you can use Microsoft Defender for Cloud to alert on certain suspicious activities in the customer tenants you manage, such as an excessive number of failed authentication attempts, and deprecated accounts in the subscription.
Azure Active Directory (Azure AD) provides the following user logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-in – The sign-in report provides information about the usage of managed applications and user sign-in activities.
- Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.
- Risky sign-in - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
Microsoft Defender for Cloud can also alert on certain suspicious activities such as excessive number of failed authentication attempts, deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud’s Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability provides visibility on account anomalies inside the individual resources.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-4: Enable logging for Azure resources
Guidance: Activity logs, which are available automatically, record the write operations (PUT, POST, DELETE) performed on your Azure Lighthouse resources; read operations (GET) are not recorded. Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.
With Azure Lighthouse, you can use Azure Monitor Logs in a scalable way across the customer tenants you're managing. Create Log Analytics workspaces directly in the customer tenants so that customer data remains in their tenants rather than being exported into yours. This also allows centralized monitoring of any resources or services supported by Log Analytics, giving you more flexibility on what types of data you monitor.
Customers who have delegated subscriptions for Azure Lighthouse can view Azure Activity log data to see all actions taken. This gives customers full visibility into operations that service providers are performing, along with operations done by users within the customer's own Azure Active Directory (Azure AD) tenant.
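The customer-side review described under AM-2 and here under LT-4, as an added example that is not part of the original page or of Microsoft's tooling. Actions taken through Azure Lighthouse are performed with a token issued by the managing tenant, so the tenant ID claim on the Activity log event differs from the customer's own tenant ID; the script uses that to separate service-provider activity from in-tenant activity and flags the operations a customer would want to look at first (anything that changes role assignments or Lighthouse registrations). The events are constructed in the shape returned by `az monitor activity-log list`, and the claim key used is the standard tenantid claim, assumed here to be present on every event.

```python
"""Split Azure Activity log entries into service-provider (Lighthouse) and in-tenant actions.

Added example (not Microsoft's code).  Events are constructed in the shape of
`az monitor activity-log list` output; the tenant claim key is an assumption.
"""

TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"   # assumed claim key

# Operations that change who can do what in the subscription; a customer should
# review these first when a service provider performs them.
HIGH_RISK_OPS = {
    "microsoft.authorization/roleassignments/write",
    "microsoft.authorization/roledefinitions/write",
    "microsoft.managedservices/registrationassignments/write",
    "microsoft.managedservices/registrationdefinitions/write",
}

CUSTOMER_TENANT = "22222222-2222-2222-2222-222222222222"   # placeholders
MSP_TENANT = "11111111-1111-1111-1111-111111111111"
VM1 = "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"


def ev(caller, tenant, op, resource, when, status="Succeeded"):
    """Build one constructed Activity log event."""
    return {"caller": caller, "eventTimestamp": when,
            "operationName": {"value": op}, "status": {"value": status},
            "resourceId": resource, "claims": {TENANT_CLAIM: tenant}}


SAMPLE_EVENTS = [
    ev("alice@customer.example", CUSTOMER_TENANT, "Microsoft.Compute/virtualMachines/write", VM1, "2024-05-01T08:00:00Z"),
    ev("bob@msp.example", MSP_TENANT, "Microsoft.Compute/virtualMachines/restart/action", VM1, "2024-05-01T09:10:00Z"),
    ev("bob@msp.example", MSP_TENANT, "Microsoft.Authorization/roleAssignments/write",
       "/subscriptions/s1/providers/Microsoft.Authorization/roleAssignments/ra1", "2024-05-01T09:12:00Z"),
    ev("aaaaaaaa-0000-0000-0000-000000000002", MSP_TENANT,          # service principal caller
       "Microsoft.Compute/virtualMachines/deallocate/action", VM1, "2024-05-01T23:00:00Z", "Failed"),
]


def service_provider_activity(events, customer_tenant):
    """Group events by caller for callers whose token was issued by a tenant other than the customer's."""
    report = {}
    for e in events:
        tenant = e.get("claims", {}).get(TENANT_CLAIM)
        if tenant is None or tenant == customer_tenant:
            continue   # in-tenant activity (or no identity claim): not Lighthouse traffic
        op = e["operationName"]["value"].lower()
        rec = report.setdefault(e["caller"], {"tenant": tenant, "operations": [], "high_risk": []})
        rec["operations"].append((e["eventTimestamp"], op, e["resourceId"], e["status"]["value"]))
        if op in HIGH_RISK_OPS:
            rec["high_risk"].append((e["eventTimestamp"], e["resourceId"]))
    return report


if __name__ == "__main__":
    for caller, rec in service_provider_activity(SAMPLE_EVENTS, CUSTOMER_TENANT).items():
        print(f"{caller} (tenant {rec['tenant']}): {len(rec['operations'])} write operations, "
              f"{len(rec['high_risk'])} high-risk")
        for when, op, resource, status in rec["operations"]:
            print(f"  {when} {status:9} {op} {resource}")
```

On the sample the customer's own user is left out, the two managing-tenant callers are reported, and bob's role assignment write is surfaced as high-risk. Failed attempts are kept deliberately: a service provider repeatedly failing to assign roles is exactly the pattern a customer wants to see.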
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
LT-5: Centralize security log management and analysis
Guidance: Centralize logging storage and analysis to enable correlation. For each log source, ensure you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements.
Ensure you are integrating Azure Activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.
In addition, enable and onboard data to Microsoft Sentinel or a third-party SIEM.
The Azure Lighthouse-specific guidance under LT-4 (create Log Analytics workspaces in the customer tenants so that customer data stays there, and customers can review service provider actions in their Activity log) applies here as well.
Many organizations choose to use Microsoft Sentinel for “hot” data that is used frequently and Azure Storage for “cold” data that is used less frequently.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-6: Configure log storage retention
Guidance: Azure Lighthouse does not produce security-related logs of its own; service provider actions appear in the customer's Azure Activity log. Customers who want to retain that activity for review can configure log retention according to compliance, regulation, and business requirements.
In Azure Monitor, you can set the retention period of your Log Analytics workspace according to your organization's compliance regulations. Use Azure Storage accounts, Azure Data Lake, or a Log Analytics workspace for long-term and archival storage.
- How to configure retention policy for Azure Storage account logs
- Microsoft Defender for Cloud alerts and recommendations export
- How a customer can review activity log data for service providers
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-7: Use approved time synchronization sources
Guidance: Azure Lighthouse does not support configuring your own time synchronization sources. The Azure Lighthouse service relies on Microsoft time synchronization sources, and is not exposed to customers for configuration.
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
Posture and Vulnerability Management
For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.
PV-1: Establish secure configurations for Azure services
Guidance: Azure Lighthouse supports the following service-specific policies, available in Microsoft Defender for Cloud and Azure Policy, to audit and enforce the configuration of your Azure resources. They can be assigned from Microsoft Defender for Cloud or through Azure Policy initiatives.
- Allow managing tenant IDs to onboard through Azure Lighthouse
- Audit delegation of scopes to a managing tenant
You can use Azure Blueprints to automate deployment and configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition. Note that Azure Blueprints has since been deprecated; ARM template specs and deployment stacks are the recommended replacement.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-2: Sustain secure configurations for Azure services
Guidance: Use the same service-specific policies listed under PV-1 (available in Microsoft Defender for Cloud and Azure Policy) to continuously audit and enforce the configuration of your Azure resources. They can be assigned from Microsoft Defender for Cloud or through Azure Policy initiatives.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-3: Establish secure configurations for compute resources
Guidance: Use Microsoft Defender for Cloud and Azure Policy to establish secure configurations on all compute resources including VMs, containers, and others.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-6: Perform software vulnerability assessments
Guidance: Microsoft performs vulnerability management on the underlying systems that support Azure Lighthouse.
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
PV-8: Conduct regular attack simulation
Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Refer to Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
Endpoint Security
For more information, see the Azure Security Benchmark: Endpoint Security.
ES-1: Use Endpoint Detection and Response (EDR)
Guidance: Azure Lighthouse does not deploy any customer-facing compute resources which would require Endpoint Detection and Response (EDR) protection. The underlying infrastructure for the Azure Lighthouse service is handled by Microsoft.
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
ES-2: Use centrally managed modern anti-malware software
Guidance: Azure Lighthouse does not deploy any customer-facing compute resources which could be configured with an anti-malware solution. The underlying infrastructure for the Azure Lighthouse service is handled by Microsoft, which includes managing any installed anti-malware software.
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
ES-3: Ensure anti-malware software and signatures are updated
Guidance: Azure Lighthouse does not deploy any customer-facing compute resources which could be configured with an anti-malware solution. The underlying infrastructure for the Azure Lighthouse service is handled by Microsoft, which includes managing any installed anti-malware software.
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
Next steps
- See the Azure Security Benchmark V2 overview
- Learn more about Azure security baselines