Azure security baseline for Batch

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Batch. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Batch.

Note

Controls not applicable to Batch, and those for which the global guidance is recommended verbatim, have been excluded. To see how Batch completely maps to the Azure Security Benchmark, see the full Batch security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-1: Implement security for internal traffic

Guidance: Deploy Azure Batch pool(s) within a virtual network. To allow pool compute nodes to communicate securely with other virtual machines, or with an on-premises network, you can provision the pool in a subnet of an Azure virtual network. Also, deploying your Pool within a virtual network gives you control over the network security group (NSG) used to secure the individual nodes' network interfaces (NIC), as well as the subnet. Configure the NSG to allow traffic from only trusted IP(s)/locations on the Internet.

You can limit connectivity to, and discoverability of, your Batch compute nodes from outside sources by disabling publicly exposed RDP/SSH endpoints on port 3389 (Windows) or 22 (Linux). Note: you may need to allow port 22 on Linux if you require multi-instance tasks with certain MPI runtimes, although allowing traffic on these ports is not required for the pool compute nodes to be usable. Where these ports must be reachable, open them only through just-in-time access on the assigned network security groups.
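The following is an added example, not code from the Azure documentation: it evaluates the security rules of a pool subnet's NSG the way Azure does (ascending priority, first match wins, default deny for unmatched inbound traffic) to find RDP/SSH ports reachable from the Internet, and produces a copy of the rule set with those public allows removed. It assumes rules in the `securityRules` shape of the Microsoft.Network/networkSecurityGroups ARM resource; the sample rules are constructed, and the address matching is by prefix name only (no CIDR arithmetic).

```python
"""Audit a Batch pool subnet's NSG for RDP/SSH exposed to the Internet.

Added example, not part of the Azure documentation. Rules use the
`securityRules` shape of the Microsoft.Network/networkSecurityGroups ARM
resource; the sample rules below are constructed for illustration.
"""
from typing import Dict, Iterable, List

# Azure evaluates NSG rules in ascending priority order and the first matching
# rule decides. Inbound traffic from a public source that matches no custom
# rule ends at the default DenyAllInBound rule. This simplified matcher compares
# address prefixes by name only: "*" and "Internet" match any public source, a
# specific CIDR or service tag matches only itself (no CIDR arithmetic).
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}


def _port_in_range(port: int, spec: str) -> bool:
    """True if `port` is inside an NSG port spec such as "22", "*" or "29876-29877"."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def _ports(props: dict) -> List[str]:
    single = props.get("destinationPortRange")
    return list(props.get("destinationPortRanges") or []) + ([single] if single else [])


def _sources(props: dict) -> List[str]:
    single = props.get("sourceAddressPrefix")
    return list(props.get("sourceAddressPrefixes") or []) + ([single] if single else [])


def inbound_decision(rules: Iterable[dict], port: int, source: str = "Internet") -> str:
    """Return "Allow" or "Deny" for inbound TCP from `source` to `port`."""
    inbound = [r for r in rules if r["properties"]["direction"] == "Inbound"]
    for rule in sorted(inbound, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if p["protocol"] not in ("*", "Tcp"):
            continue
        if not any(_port_in_range(port, spec) for spec in _ports(p)):
            continue
        if not any(s == source or s in PUBLIC_SOURCES for s in _sources(p)):
            continue
        return p["access"]
    return "Deny"  # default DenyAllInBound (priority 65500)


def exposed_remote_access(rules: Iterable[dict]) -> Dict[int, str]:
    """Ports from REMOTE_ACCESS_PORTS that the NSG lets the Internet reach."""
    rules = list(rules)
    return {port: name for port, name in REMOTE_ACCESS_PORTS.items()
            if inbound_decision(rules, port) == "Allow"}


def without_public_remote_access(rules: Iterable[dict]) -> List[dict]:
    """Copy of `rules` minus inbound Allow rules that open RDP/SSH to public sources."""
    kept = []
    for rule in rules:
        p = rule["properties"]
        public_allow = (p["direction"] == "Inbound" and p["access"] == "Allow"
                        and any(s in PUBLIC_SOURCES for s in _sources(p)))
        opens_remote = any(_port_in_range(port, spec)
                           for port in REMOTE_ACCESS_PORTS for spec in _ports(p))
        if not (public_allow and opens_remote):
            kept.append(rule)
    return kept


# Constructed sample: the subnet NSG of a Batch pool. Ports 29876-29877 are the
# inbound ports the Batch service needs from the BatchNodeManagement tag.
SAMPLE_RULES = [
    {"name": "AllowBatchNodeManagement", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "BatchNodeManagement", "destinationPortRange": "29876-29877"}},
    {"name": "AllowSshFromOffice", "properties": {
        "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"}},
    {"name": "AllowRdpFromAnywhere", "properties": {  # the misconfiguration to catch
        "priority": 300, "direction": "Inbound", "access": "Allow", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"name": "DenyInternetInbound", "properties": {
        "priority": 4000, "direction": "Inbound", "access": "Deny", "protocol": "*",
        "sourceAddressPrefix": "Internet", "destinationPortRange": "*"}},
]

if __name__ == "__main__":
    print("exposed:", exposed_remote_access(SAMPLE_RULES))
    print("after fix:", exposed_remote_access(without_public_remote_access(SAMPLE_RULES)))
```

Run it against an exported NSG (for example the output of `az network nsg rule list`) to confirm that SSH from the office range and the Batch management ports still pass while nothing on 22 or 3389 is reachable from the Internet; the explicit Internet deny at priority 4000 is kept so the result does not rely on the default rules.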

Responsibility: Customer

Azure Security Center monitoring: None

NS-2: Connect private networks together

Guidance: Since Azure Batch can be deployed directly into virtual networks, you can enable access to your Batch resources from other networks in many ways.

Use Azure ExpressRoute or Azure virtual private network (VPN) to create private connections between your on-premises infrastructure, or a colocation environment, and the Azure virtual network that hosts your Batch resources. ExpressRoute connections do not go over the public internet, and they offer more reliability, faster speeds, and lower latencies than typical internet connections. For point-to-site VPN and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute.

To connect two or more virtual networks in Azure together, use virtual network peering or Private Link. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.

Responsibility: Customer

Azure Security Center monitoring: None

NS-3: Establish private network access to Azure services

Guidance: You can restrict access to nodes and reduce the discoverability of the nodes from the internet by provisioning the pool without public IP addresses. The compute nodes can securely communicate with other virtual machines or with an on-premises network by provisioning the pool in a subnet of an Azure virtual network. You can also use Azure Private Link to enable private access to Batch from your virtual networks without crossing the internet. The Azure Private Link service is secured and accepts connections only from authenticated and authorized private endpoints. Configuring private endpoints for Azure Batch doesn't limit the service's capabilities, and it is more secure.

Responsibility: Customer

Azure Security Center monitoring: None

NS-4: Protect applications and services from external network attacks

Guidance: Azure resources are protected from external network attacks including distributed denial of service (DDoS) Attacks, application-specific attacks and unsolicited and potentially malicious internet traffic.

Use Azure Firewall to protect applications and services in your virtual networks against potentially malicious traffic from the internet and other external locations. Protect your assets against DDoS attacks by enabling DDoS standard protection on your Azure virtual networks. Use Azure Security Center to detect misconfiguration risks to your network related resources.

Responsibility: Shared

Azure Security Center monitoring: None

NS-5: Deploy intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Use Azure Firewall threat intelligence-based filtering to alert on and/or block traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. When payload inspection is required, you can deploy a third-party intrusion detection/intrusion prevention system (IDS/IPS) from Azure Marketplace with payload inspection capabilities. Alternately, you can use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with or instead of network-based IDS/IPS.

Responsibility: Customer

Azure Security Center monitoring: None

NS-6: Simplify network security rules

Guidance: Azure Batch supports built-in Azure Virtual Network Service Tags to define network access controls on network security groups or Azure Firewall configured for your Batch resources. You can use the service tag 'BatchNodeManagement' in place of specific IP addresses when creating network security rules for management traffic for deployments dedicated to Azure Batch. In addition you can achieve network isolation and protect Azure resources from the general Internet while accessing Azure services that have public endpoints. By specifying the service tag name in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Network security groups (NSGs) define inbound and outbound traffic rules. Use service tags in the NSG rules and in the other network security controls that govern traffic to and from Azure Batch pools. Addresses used by the Azure Batch service include both IPv4 and IPv6 ranges.

Responsibility: Customer

Azure Security Center monitoring: None

NS-7: Secure Domain Name Service (DNS)

Guidance: When Azure DNS is used as your authoritative DNS service, ensure DNS zones and records are protected from accidental or malicious modification using Azure RBAC and resource locks. Azure Activity logs can be monitored to know how a user in your organization modified a resource or to find an error when troubleshooting. When using private endpoints with Azure Batch we recommend that you integrate your private endpoint with a private DNS zone. You can also use your own DNS servers or create DNS records by using the host files on your virtual machines.

Responsibility: Customer

Azure Security Center monitoring: None

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Azure Active Directory (Azure AD) is Batch's default authentication and authorization system, and you should standardize on Azure AD to govern your organization's identity and access management. Batch account access supports two methods of authentication: Shared Key and Azure AD. We strongly recommend using Azure AD for Batch account authentication; some Batch capabilities, including many of the security-related features, require it.

Securing Azure AD should be a high priority in your organization’s cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Microsoft’s best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Responsibility: Customer

Azure Security Center monitoring: None

IM-2: Manage application identities securely and automatically

Guidance: Azure Batch supports managed identities for its Azure resources. Use managed identities with Batch instead of creating service principals to access other resources. Batch can natively authenticate to the Azure services and resources that support Azure AD authentication through a pre-defined access grant rule, without credentials hard-coded in source code or configuration files.

Where a managed identity cannot be used, create a service principal in Azure AD with permissions restricted to the resource level, prefer certificate credentials for it, and fall back to client secrets only when certificates are not an option. In both cases, Azure Key Vault can be used in conjunction with Azure managed identities so that the runtime environment (such as an Azure Batch pool) can retrieve the credential from the key vault.

Responsibility: Customer

Azure Security Center monitoring: None

IM-3: Use Azure AD single sign-on (SSO) for application access

Guidance: Azure Batch uses Azure Active Directory to provide identity and access management to its resources. This includes enterprise identities, such as employees, as well as external identities like partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organization's data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless, secure access and greater visibility and control.

Responsibility: Customer

Azure Security Center monitoring: None

IM-4: Use strong authentication controls for all Azure Active Directory based access

Guidance: Azure Batch uses Azure Active Directory (Azure AD), which supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods.

  • Multi-factor authentication - Enable Azure AD MFA, and then follow Azure Security Center Identity and Access Management recommendations for best practices in your MFA setup. MFA can be enforced on all, select users, or at the per-user level based on sign-in conditions and risk factors.
  • Passwordless authentication - Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards.

For administrators and privileged users, ensure the highest level of the strong authentication method is used, followed by rolling out the appropriate strong authentication policy to other users.

Responsibility: Customer

Azure Security Center monitoring: None

IM-5: Monitor and alert on account anomalies

Guidance: Azure Batch is integrated with Azure Active Directory, which provides the following data sources for its users:

  • Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
  • Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resource within Azure AD, like adding or removing users, apps, groups, roles, and policies.
  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

These data sources can be integrated with Azure Monitor, Azure Sentinel, or third-party SIEM systems.

Azure Security Center can also alert you about certain suspicious activities, such as an excessive number of failed authentication attempts or deprecated accounts in the subscription.

Azure Advanced Threat Protection (ATP) is a security solution that can use Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.

Responsibility: Customer

Azure Security Center monitoring: None

IM-6: Restrict Azure resource access based on conditions

Guidance: Restrict management of your Azure Batch resources by using Azure AD conditional access for more granular access control based on user-defined conditions, such as requiring user logins from certain IP ranges to use MFA. A granular authentication session management can also be used through Azure AD conditional access policy for different use cases. This conditional access will not apply to any shared keys used for client authentication to Batch accounts, but using Azure AD instead of these keys is recommended.

Responsibility: Customer

Azure Security Center monitoring: None

IM-7: Eliminate unintended credential exposure

Guidance: Code that runs on Azure Batch may need identities or secrets. Implement Credential Scanner to identify credentials within your Azure Batch code or configurations. Credential Scanner also encourages moving discovered credentials to more secure locations such as Azure Key Vault.

For GitHub, you can use the native secret scanning feature to identify credentials or other forms of secrets within the code.
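As an added example, not part of the Azure documentation and not the Credential Scanner tool itself, the script below shows the kind of checks such a scanner applies to Batch code and configuration: a pattern for storage connection strings (Batch pools almost always carry one), a pattern for assignments to names such as `*_KEY`, `*_SECRET` or `PASSWORD`, and a Shannon-entropy filter so placeholders and Key Vault references are not reported. The sample configuration is constructed and the key values in it are random filler.

```python
"""Scan source and config text for embedded Azure credentials.

Added example, not the Credential Scanner tool the baseline refers to; it
shows the kind of checks such a scanner applies. The sample lines below are
constructed and the key values in them are random filler, not real keys.
"""
import math
import re
from typing import List, Tuple

# Storage connection strings carry the account key as "AccountKey=<base64>";
# Batch account keys are base64 of the same shape and usually reach code through
# an assignment such as BATCH_ACCOUNT_KEY = "...", caught by the second pattern.
PATTERNS = [
    ("storage-account-key", re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})")),
    ("assigned-secret", re.compile(
        r"(?i)\b[\w.]*(key|secret|password|token)\b\s*[:=]\s*[\"']([^\"']{16,})[\"']")),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above ordinary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text: str, min_entropy: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule, redacted_value) for each probable credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(match.lastindex)
            # Key Vault references and low-entropy placeholders are acceptable.
            if value.startswith("@Microsoft.KeyVault(") or shannon_entropy(value) < min_entropy:
                continue
            hits.append((lineno, rule, value[:4] + "..." + value[-4:]))  # never echo the full secret
    return hits


# Constructed sample config (keys are random filler).
SAMPLE = """\
# constructed sample config; key values below are random filler
BATCH_ACCOUNT_URL = "https://contoso.eastus.batch.azure.com"
BATCH_ACCOUNT_KEY = "zR3tQ9vL0pKmN8xWcA4bY7uH1sE6dF2gJ5iO0lP3qT9wV8yB7nM2kX4cZ1aS6hD5fG0jK9lQ8rU7tE3wN1mP4oA=="
STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=contosobatch;AccountKey=Ab9xK2mQ7pL4vN1cT6yH8sW3dF5gJ0oR2eU9iB4nM6zX1kC7aV3qS8tY5hE2wD0lP9uG4jF6rN3mT1oK8cZ7xA==;EndpointSuffix=core.windows.net"
CLIENT_SECRET = "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/batch-sp/)"
PASSWORD = "todo-set-password"
"""

if __name__ == "__main__":
    for lineno, rule, redacted in scan(SAMPLE):
        print(f"line {lineno}: {rule}: {redacted}")
```

Only the Batch account key and the storage account key are reported; the Key Vault reference and the placeholder password pass. Wire `scan` into a pre-commit hook or CI step over the repository's files and treat any hit as a build failure, then move the value into Key Vault or replace it with Azure AD authentication as IM-1 recommends.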

Responsibility: Customer

Azure Security Center monitoring: None

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-1: Protect and limit highly privileged users

Guidance: Integrate authentication for Azure Batch applications with Azure Active Directory (Azure AD). Create policies and procedures around the use of dedicated administrative roles and permissions.

Also, in Azure Batch the user account that runs a task has an elevation level that indicates whether the task runs with elevated access. Both an auto-user account and a named user account can run with elevated access. The two elevation levels are:

  • NonAdmin: The task runs as a standard user without elevated access. The default elevation level for a Batch user account is always NonAdmin.

  • Admin: The task runs as a user with elevated access and operates with full Administrator permissions.

Scope your Azure Batch task elevations appropriately, and avoid using permanent Admin level permissions where possible.
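The audit below is an added example, not code from the Azure documentation or the Batch SDK. It checks a pool definition for the settings called out in NS-1, NS-3 and this control (PA-1): a subnet, no public IP addresses, inbound NAT pools that forward RDP/SSH without an explicit deny for public sources, and start tasks or named user accounts with `elevationLevel` admin, and it produces a hardened copy. The pool is assumed to be the JSON body of the Batch service "Add pool" REST call (the field names are the service's own); the sample pool is constructed, and treating a NAT pool without a public-source deny as exposed is a conservative choice of this example.

```python
"""Audit an Azure Batch pool definition against the settings this baseline calls out.

Added example, not part of the Azure documentation or the Batch SDK. The
pool is the JSON body of the Batch service "Add pool" REST call (field names
such as networkConfiguration, publicIPAddressConfiguration, startTask.userIdentity
and userAccounts are the service's own); the sample pool below is constructed.
"""
import copy
from typing import List

REMOTE_ACCESS_PORTS = {22, 3389}


def _is_admin(level: str) -> bool:
    return (level or "nonadmin").lower() == "admin"


def _denies_public(rules: List[dict]) -> bool:
    return any(r.get("access", "").lower() == "deny"
               and r.get("sourceAddressPrefix") in ("*", "Internet") for r in rules)


def audit_pool(pool: dict) -> List[str]:
    """One finding per deviation; an empty list means the pool matches the baseline."""
    findings = []
    net = pool.get("networkConfiguration") or {}

    # NS-1 / NS-3: nodes belong in a subnet you control, without public IPs.
    if not net.get("subnetId"):
        findings.append("pool is not deployed into a virtual network subnet")
    provision = (net.get("publicIPAddressConfiguration") or {}).get("provision", "batchmanaged")
    if provision.lower() != "nopublicipaddresses":
        findings.append(f"nodes get public IP addresses (provision={provision})")

    # NS-1: a NAT pool forwarding RDP/SSH is treated as exposed unless it carries
    # an explicit deny for public sources (conservative check). With no rules at
    # all, Batch creates a default rule allowing inbound access to the backend port.
    for nat in (net.get("endpointConfiguration") or {}).get("inboundNATPools", []):
        if nat.get("backendPort") in REMOTE_ACCESS_PORTS and not _denies_public(
                nat.get("networkSecurityGroupRules") or []):
            findings.append(f"inbound NAT pool {nat['name']!r} exposes port "
                            f"{nat['backendPort']} without a deny rule for public sources")

    # PA-1: run tasks as NonAdmin unless elevation is justified.
    auto_user = ((pool.get("startTask") or {}).get("userIdentity") or {}).get("autoUser") or {}
    if _is_admin(auto_user.get("elevationLevel")):
        findings.append("start task runs with elevationLevel admin")
    for user in pool.get("userAccounts", []):
        if _is_admin(user.get("elevationLevel")):
            findings.append(f"named user account {user['name']!r} has elevationLevel admin")
    return findings


def harden_pool(pool: dict) -> dict:
    """Copy of `pool` with no public IPs, a lowest-precedence deny on every RDP/SSH
    NAT pool, and a NonAdmin start task. userAccounts are left for manual review."""
    fixed = copy.deepcopy(pool)
    net = fixed.setdefault("networkConfiguration", {})
    net["publicIPAddressConfiguration"] = {"provision": "nopublicipaddresses"}
    for nat in (net.get("endpointConfiguration") or {}).get("inboundNATPools", []):
        rules = nat.setdefault("networkSecurityGroupRules", [])
        if nat.get("backendPort") in REMOTE_ACCESS_PORTS and not _denies_public(rules):
            # 4096 is the lowest precedence Batch accepts for these rules.
            rules.append({"priority": 4096, "access": "deny", "sourceAddressPrefix": "*"})
    if fixed.get("startTask"):
        fixed["startTask"]["userIdentity"] = {
            "autoUser": {"scope": "task", "elevationLevel": "nonadmin"}}
    return fixed


# Constructed sample pool with three deviations from the baseline.
SAMPLE_POOL = {
    "id": "render-pool",
    "vmSize": "standard_d4s_v3",
    "networkConfiguration": {
        "subnetId": "/subscriptions/<subscription-id>/resourceGroups/rg-batch/providers/"
                    "Microsoft.Network/virtualNetworks/vnet-batch/subnets/snet-pool",
        "publicIPAddressConfiguration": {"provision": "batchmanaged"},
        "endpointConfiguration": {"inboundNATPools": [{
            "name": "ssh", "protocol": "tcp", "backendPort": 22,
            "frontendPortRangeStart": 50000, "frontendPortRangeEnd": 50099,
            "networkSecurityGroupRules": [
                {"priority": 150, "access": "allow", "sourceAddressPrefix": "203.0.113.0/24"}]}]},
    },
    "startTask": {
        "commandLine": "/bin/bash -c 'apt-get install -y renderer'",
        "userIdentity": {"autoUser": {"scope": "pool", "elevationLevel": "admin"}},
    },
    "userAccounts": [{"name": "svc-render", "password": "<from Key Vault>",
                      "elevationLevel": "nonadmin"}],
}

if __name__ == "__main__":
    for finding in audit_pool(SAMPLE_POOL):
        print("finding:", finding)
    print("after hardening:", audit_pool(harden_pool(SAMPLE_POOL)))
```

The start task in the sample installs packages, which is the usual reason Admin is requested; if a package install genuinely needs root, confine the elevation to that start task and keep the task-level auto-user at NonAdmin rather than elevating the whole pool.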

Responsibility: Customer

Azure Security Center monitoring: None

PA-2: Restrict administrative access to business-critical systems

Guidance: Azure Batch uses Azure role-based access control (Azure RBAC) to isolate access to business-critical systems by restricting which accounts are granted privileged access to the subscriptions and management groups they are in.

Ensure that you also restrict access to the management, identity, and security systems that have administrative access to your Azure Batch resources. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets.

All types of access controls should be aligned to your enterprise segmentation strategy to ensure consistent access control.

Azure Batch allows for users to create custom Azure RBAC roles based on Batch operations to fit your permission needs, however it is recommended to use built-in roles when possible instead of creating custom roles.

Responsibility: Customer

Azure Security Center monitoring: None

PA-3: Review and reconcile user access regularly

Guidance: Azure Batch uses Azure Active Directory (Azure AD) to provide authentication to manage its resources. Review user accounts, and access assignments regularly to ensure the accounts and their access are valid. You can use Azure AD and access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management (PIM) to create access review report workflows to facilitate the review process.

In addition, Azure AD PIM can also be configured to alert you when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.

Note: Some Azure services support local users and roles that are not managed through Azure AD, such as Azure Batch shared keys. These keys have to be managed (rotated and reviewed) separately, so use Azure AD instead where possible.

Responsibility: Customer

Azure Security Center monitoring: None

PA-4: Set up emergency access in Azure AD

Guidance: Azure Batch uses Azure Active Directory (Azure AD) for user authentication for managing its resources. To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or 'break glass' scenarios where normal administrative accounts can't be used.

You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them only in an emergency.

Responsibility: Customer

Azure Security Center monitoring: None

PA-5: Automate entitlement management

Guidance: Azure Batch is integrated with Azure Active Directory (Azure AD) and Azure RBAC to manage access to its resources. Use Azure AD entitlement management features to automate access request workflows, including access assignments, reviews, and expiration. Dual or multi-stage approval is also supported.

Responsibility: Customer

Azure Security Center monitoring: None

PA-6: Use privileged access workstations

Guidance: Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator. Use highly secured user workstations and/or Azure Bastion for administrative tasks taken on Azure Batch resources. Use Azure Active Directory (Azure AD), Microsoft Defender Advanced Threat Protection (ATP), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce secured configuration including strong authentication, software and hardware baselines, and restricted logical and network access.

Responsibility: Customer

Azure Security Center monitoring: None

PA-7: Follow just enough administration (least privilege principle)

Guidance: Azure Batch is integrated with Azure role-based access control (Azure RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what is required by the roles. This complements the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM) and should be reviewed periodically.

Use built-in roles to allocate permissions to your Azure Batch resources. Azure Batch allows for users to create custom Azure RBAC roles based on Batch operations to fit your permission needs, however it is recommended to use built-in roles when possible instead of creating custom roles.

Responsibility: Customer

Azure Security Center monitoring: None

PA-8: Choose approval process for Microsoft support

Guidance: Batch doesn't support Customer Lockbox. In support scenarios, Microsoft may work with customers through non-Lockbox methods to obtain approval to access customer data associated with Azure Batch resources.

Responsibility: Customer

Azure Security Center monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-1: Discovery, classify and label sensitive data

Guidance: Azure Storage accounts associated with your Azure Batch pool(s) may hold job and task output that contains sensitive information. Mark such accounts as sensitive using tags and secure them following Azure best practices.

Data identification, classification, and loss prevention features are not yet available for Azure Storage or compute resources. Implement third-party solution if required for compliance purposes.

For the underlying Azure Batch platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Responsibility: Shared

Azure Security Center monitoring: None

DP-2: Protect sensitive data

Guidance: Azure Batch allows customers to manage their job and task output content. Batch supports Azure RBAC for managing access to account, job, task and pool resources. Protect sensitive data by restricting access using Azure role-based access control (Azure RBAC).

To ensure consistent access control, all types of access control should be aligned with your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business-critical data and systems. Implement separate subscriptions and/or management groups for development, test, and production. Azure Batch pools should be separated into distinct virtual networks, tagged appropriately, and secured with network security groups (NSGs). Azure Batch data should be contained within a secured Azure Storage account.

For the underlying platform (managed by Microsoft), Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.

Responsibility: Customer

Azure Security Center monitoring: None

DP-3: Monitor for unauthorized transfer of sensitive data

Guidance: For Azure Storage Accounts associated with your Azure Batch Pool(s) which contain sensitive information, mark them as sensitive using Tags and secure them with Azure best-practices.

Data identification, classification, and loss prevention features are not yet available for Azure Storage or compute resources. Implement third-party solution if required for compliance purposes.

For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Responsibility: Shared

Azure Security Center monitoring: None

DP-4: Encrypt sensitive information in transit

Guidance: Encrypt all sensitive information in transit. Microsoft Azure resources will negotiate TLS 1.2 by default. Ensure that any clients connecting to your Azure Batch Pools or data stores (Azure Storage Accounts) are able to negotiate TLS 1.2 or greater.

Ensure HTTPS is required for accessing the Storage Account containing your Azure Batch data.
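As an added example (not code from the Azure documentation or any Azure SDK), the script below shows both sides of this control: a client-side TLS context with a TLS 1.2 floor and certificate verification that a Batch or Storage client should use, and an audit of a storage account's transport settings. The audit assumes the Microsoft.Storage/storageAccounts ARM property names `supportsHttpsTrafficOnly` and `minimumTlsVersion`; the sample property sets are constructed, and `negotiated_tls_version` needs network access.

```python
"""Enforce a TLS 1.2 floor on clients and audit the storage account behind a Batch workload.

Added example, not part of the Azure documentation or any Azure SDK. Storage
account settings use the Microsoft.Storage/storageAccounts ARM property names
(supportsHttpsTrafficOnly, minimumTlsVersion); the sample property sets are constructed.
"""
import socket
import ssl
from typing import List

TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def client_tls_context() -> ssl.SSLContext:
    """Context for a Batch or Storage client: TLS 1.2 minimum, certificates verified."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 even if the server offers them
    return ctx


def negotiated_tls_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to an endpoint such as <account>.<region>.batch.azure.com with the
    hardened context and report the protocol version negotiated (network access required)."""
    ctx = client_tls_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()  # e.g. "TLSv1.2" or "TLSv1.3"


def audit_storage_account(name: str, props: dict) -> List[str]:
    """Findings for a storage account's transport settings; empty means compliant."""
    findings = []
    if not props.get("supportsHttpsTrafficOnly", False):
        findings.append(f"{name}: plain HTTP allowed (supportsHttpsTrafficOnly=false)")
    # Accounts created before the setting existed behave as TLS1_0 when it is absent.
    minimum = props.get("minimumTlsVersion", "TLS1_0")
    if TLS_RANK.get(minimum, -1) < TLS_RANK["TLS1_2"]:
        findings.append(f"{name}: minimumTlsVersion={minimum}, set TLS1_2")
    return findings


# Constructed samples: a legacy account and the same account after hardening.
LEGACY_PROPS = {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"}
HARDENED_PROPS = {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}

if __name__ == "__main__":
    print(audit_storage_account("contosobatch", LEGACY_PROPS))
    print(audit_storage_account("contosobatch", HARDENED_PROPS))
```

Setting the floor on the client matters as much as on the account: a client that still accepts TLS 1.0 will happily downgrade against an intermediary even when the storage account itself is configured for TLS 1.2.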

Responsibility: Shared

Azure Security Center monitoring: None

DP-5: Encrypt sensitive data at rest

Guidance: To complement access controls, Batch encrypts data at rest to protect against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.

Azure provides encryption for data at rest by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure also provides options to manage your own keys (customer-managed keys) for certain Azure services to meet regulatory requirements.

Responsibility: Customer

Azure Security Center monitoring: None

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Ensure security team has visibility into risks for assets

Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center related to Azure Batch.

Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.

Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.

Note: Additional permissions might be required to get visibility into workloads and services.

Responsibility: Customer

Azure Security Center monitoring: None

AM-2: Ensure security team has access to asset inventory and metadata

Guidance: Ensure that security teams have access to a continuously updated inventory of assets on Azure, like Batch. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvements. Create an Azure Active Directory (Azure AD) group to contain your organization's authorized security team and assign them read access to all Batch resources, which can be simplified by a single high-level role assignment within your subscription. Apply tags to Azure Batch resources to add organizationally required metadata; this can help to logically organize Batch resources according to a desired taxonomy. At the Batch account level, tags can be added for important security metadata; however, pools and other Batch resources do not inherit these tags.

Responsibility: Customer

Azure Security Center monitoring: None

AM-3: Use only approved Azure services

Guidance: Use Azure Policy to audit and restrict which services (such as Azure Batch) users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.

Responsibility: Customer

Azure Security Center monitoring: None

AM-4: Ensure security of asset lifecycle management

Guidance: Establish or update security policies that address asset lifecycle management processes for potentially high-impact modifications to your Azure Batch resources. These modifications include but are not limited to: changes to Azure RBAC on Batch resources, changes to your virtual network or network security group rules where Batch resources are deployed, or the removal of other key resource configurations like encryption or logging.

Remove any Azure Batch resources when they are no longer needed.

Responsibility: Customer

Azure Security Center monitoring: None

AM-5: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app.

Responsibility: Customer

Azure Security Center monitoring: None

AM-6: Use only approved applications in compute resources

Guidance: Azure Batch allows users to install software on its compute nodes. Batch does not currently offer any capability to restrict or allow-list the software that can run on its nodes. Managing and installing software on Batch can be done via the Azure portal or the Batch management APIs. The customer is responsible for defining proper access through Azure RBAC to restrict who can update Batch nodes, to prevent the installation of malicious or dangerous applications.

Responsibility: Customer

Azure Security Center monitoring: None

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-1: Enable threat detection for Azure resources

Guidance: Forward any diagnostic and activity logs from Azure Batch to your SIEM which can be used to set up custom threat detections. Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.

Azure Security Center does not provide vulnerability assessments for Azure Batch resources via Defender, however it does give security-based recommendations for Batch.

Responsibility: Customer

Azure Security Center monitoring: None

LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure Active Directory (Azure AD) provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:

  • Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
  • Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, like adding or removing users, apps, groups, roles, and policies.
  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

Azure Security Center can also trigger alerts on certain suspicious activities, such as excessive number of failed authentication attempts or deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Azure Security Center's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to have visibility on account anomalies inside individual resources.

Responsibility: Customer

Azure Security Center monitoring: None

LT-3: Enable logging for Azure network activities

Guidance: Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs for security analysis to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.

Batch does not produce or process DNS query logs.

Responsibility: Customer

Azure Security Center monitoring: None

LT-4: Enable logging for Azure resources

Guidance: Activity logs, which are automatically available, contain all write operations (PUT, POST, DELETE) for your Azure Batch resources except read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.

Enable Azure resource logs for Azure Batch for the following log types: 'ServiceLog', 'AllMetrics'. These logs can be critical for investigating security incidents and performing forensic exercises. These logs must be explicitly enabled for each Batch account you want to monitor, or you may use Azure Policy to enable resource logs and log data collecting at scale.

For Azure Batch resource level monitoring, use the Azure Batch APIs to monitor or query the status of your resources including jobs, tasks, nodes, and pools.
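The detection below is an added example, not code from the Azure documentation: it runs over Activity Log records and raises an alert for the successful high-impact operations the AM-4 guidance lists (role assignments, NSG rule changes, deleted diagnostic settings, Batch account changes) plus shared-key reads and regenerations on the Batch account. It assumes the field names of the Azure Monitor activity-log API (`operationName.value`, `status.value`, `caller`, `resourceId`, `eventTimestamp`); the sample records are constructed.

```python
"""Flag high-impact control-plane changes to Batch resources in Activity Log records.

Added example, not part of the Azure documentation. Records use the field
names of the Azure Monitor activity-log API (operationName.value, status.value,
caller, resourceId, eventTimestamp); the sample records below are constructed.
"""
import fnmatch
from typing import Iterable, List, Optional

# Operations the AM-4 guidance treats as high impact, as glob patterns over
# operationName.value (matched case-insensitively).
HIGH_IMPACT = {
    "Microsoft.Authorization/roleAssignments/*": "RBAC change",
    "Microsoft.Authorization/roleDefinitions/*": "custom role change",
    "Microsoft.Network/networkSecurityGroups/securityRules/*": "NSG rule change",
    "Microsoft.Network/networkSecurityGroups/write": "NSG change",
    "Microsoft.Network/networkSecurityGroups/delete": "NSG change",
    "Microsoft.Insights/diagnosticSettings/delete": "resource logging removed",
    "Microsoft.Batch/batchAccounts/write": "Batch account configuration change",
    "Microsoft.Batch/batchAccounts/delete": "Batch account deleted",
    "Microsoft.Batch/batchAccounts/listKeys/action": "Batch shared key read",
    "Microsoft.Batch/batchAccounts/regenerateKeys/action": "Batch shared key regenerated",
}


def classify(record: dict) -> Optional[str]:
    """Label for a successful high-impact operation, else None. Failed attempts are
    ignored here; they belong in a separate failed-write detection."""
    if record.get("status", {}).get("value") != "Succeeded":
        return None
    op = record["operationName"]["value"].lower()
    for pattern, label in HIGH_IMPACT.items():
        if fnmatch.fnmatchcase(op, pattern.lower()):
            return label
    return None


def detect(records: Iterable[dict]) -> List[dict]:
    """Alerts ready to forward to a SIEM, one per high-impact record."""
    alerts = []
    for record in records:
        label = classify(record)
        if label is None:
            continue
        alerts.append({
            "time": record["eventTimestamp"],
            "caller": record.get("caller", "unknown"),
            "operation": record["operationName"]["value"],
            "resource": record["resourceId"],
            "label": label,
        })
    return alerts


def _record(ts: str, op: str, caller: str, resource: str, status: str = "Succeeded") -> dict:
    return {"eventTimestamp": ts, "operationName": {"value": op}, "caller": caller,
            "resourceId": resource, "status": {"value": status}}


# Constructed sample records for one Batch account and its pool subnet NSG.
ACCOUNT = ("/subscriptions/<subscription-id>/resourceGroups/rg-batch/providers/"
           "Microsoft.Batch/batchAccounts/contosobatch")
NSG = ("/subscriptions/<subscription-id>/resourceGroups/rg-batch/providers/"
       "Microsoft.Network/networkSecurityGroups/nsg-pool")
SAMPLE_RECORDS = [
    _record("2021-03-01T08:00:00Z", "Microsoft.Batch/batchAccounts/pools/write",
            "ops@contoso.com", ACCOUNT + "/pools/render-pool"),
    _record("2021-03-01T08:05:00Z", "Microsoft.Authorization/roleAssignments/write",
            "alice@contoso.com", ACCOUNT),
    _record("2021-03-01T08:07:00Z", "Microsoft.Network/networkSecurityGroups/securityRules/write",
            "bob@contoso.com", NSG + "/securityRules/allow-rdp", status="Failed"),
    _record("2021-03-01T08:09:00Z", "Microsoft.Insights/diagnosticSettings/delete",
            "bob@contoso.com", ACCOUNT + "/providers/Microsoft.Insights/diagnosticSettings/to-sentinel"),
    _record("2021-03-01T08:12:00Z", "Microsoft.Batch/batchAccounts/listKeys/action",
            "ci-pipeline-sp", ACCOUNT),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(f"{alert['time']} {alert['label']}: {alert['caller']} {alert['operation']}")
```

Routine pool writes pass through, the failed NSG change is left for a separate failed-write rule, and the three successful high-impact operations are reported with the caller so the alert can be matched against the change record. A `listKeys` call from a pipeline identity is worth a dedicated rule: it means something still authenticates to the account with a shared key rather than Azure AD.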

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Batch:

Name (Azure portal): Resource logs in Batch accounts should be enabled
Description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 5.0.0

LT-5: Centralize security log management and analysis

Guidance: Centralize logging storage and analysis to enable correlation. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements.

Ensure that you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.

In addition, enable and onboard data to Azure Sentinel or a third-party SIEM.

Many organizations choose to use Azure Sentinel for 'hot' data that is used frequently and Azure Storage for 'cold' data that is used less frequently.

For applications that may run on Batch, forward all security-related logs to your SIEM for centralized management.

Responsibility: Customer

Azure Security Center monitoring: None

LT-6: Configure log storage retention

Guidance: Ensure that any storage accounts or Log Analytics workspaces used for storing Azure Batch logs have the log retention period set according to your organization's compliance regulations.

Responsibility: Customer

Azure Security Center monitoring: None

LT-7: Use approved time synchronization sources

Guidance: Batch does not support configuring your own time synchronization sources.

The Batch service relies on Microsoft time synchronization sources, which are not exposed to customers for configuration.

Responsibility: Microsoft

Azure Security Center monitoring: None

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

IR-1: Preparation – update incident response process for Azure

Guidance: Ensure your organization has processes to respond to security incidents, has updated these processes for Azure, and is regularly exercising them to ensure readiness.

Responsibility: Customer

Azure Security Center monitoring: None

IR-2: Preparation – setup incident notification

Guidance: Set up security incident contact information in Azure Security Center. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alert and notification in different Azure services based on your incident response needs.

Responsibility: Customer

Azure Security Center monitoring: None

IR-3: Detection and analysis – create incidents based on high quality alerts

Guidance: Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.

High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.

Azure Security Center provides high-quality alerts across many Azure assets. You can use the ASC data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation.

Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.

Responsibility: Customer

Azure Security Center monitoring: None

IR-4: Detection and analysis – investigate an incident

Guidance: Ensure analysts can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference.

The data sources for investigation include the centralized logging sources that are already being collected from the in-scope services and running systems, but can also include:

  • Network data - use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information.

  • Snapshots of running systems:

    • Use Azure virtual machine's snapshot capability to create a snapshot of the running system's disk.

    • Use the operating system's native memory dump capability to create a snapshot of the running system's memory.

    • Use the snapshot feature of the Azure services or your software's own capability to create snapshots of the running systems.

Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes.

Responsibility: Customer

Azure Security Center monitoring: None

IR-5: Detection and analysis – prioritize incidents

Guidance: Provide context to analysts on which incidents to focus on first based on alert severity and asset sensitivity.

Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Responsibility: Customer

Azure Security Center monitoring: None

IR-6: Containment, eradication and recovery – automate the incident handling

Guidance: Automate manual repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays, and degrades the ability of analysts to focus effectively on complex tasks.

Use workflow automation features in Azure Security Center and Azure Sentinel to automatically trigger actions or run a playbook to respond to incoming security alerts. The playbook takes actions, such as sending notifications, disabling accounts, and isolating problematic networks.

Responsibility: Customer

Azure Security Center monitoring: None

Posture and Vulnerability Management

For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.

PV-1: Establish secure configurations for Azure services

Guidance: Use Azure Security Center to configure built-in Azure Policy for Azure Batch to audit and enforce configurations of your Batch resources.

For any scenarios where built-in policy definitions do not exist, you can use Azure Policy aliases in the "Microsoft.Batch" namespace to create custom policies to audit or enforce the configuration of your Azure Batch accounts and pools.

You can use Azure Blueprints to automate deployment and configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition.

Responsibility: Customer

Azure Security Center monitoring: None

PV-2: Sustain secure configurations for Azure services

Guidance: Use built-in Azure Policy [deny] and [deploy if not exist] to enforce secure settings for the Azure resources related to your Batch account and pools (such as virtual networks, subnets, Azure Firewalls, Azure Storage Accounts, etc.). You may also use Azure Policy aliases from the following namespaces to create custom policies:

Responsibility: Customer

Azure Security Center monitoring: None

PV-3: Establish secure configurations for compute resources

Guidance: Customers are allowed to use custom operating system images for Batch. In addition, Azure Batch allows users to install and load arbitrary software on its compute nodes.

When using the virtual machine configuration for your Azure Batch pools, use custom images that are hardened to your organization's needs and store them in a shared image gallery for lifecycle management. You can set up a secure image build process using Azure automation tools such as Azure Image Builder.

Responsibility: Customer

Azure Security Center monitoring: None

PV-4: Sustain secure configurations for compute resources

Guidance: Customers are allowed to use custom operating system images for Batch. In addition, Azure Batch allows users to install and load arbitrary software on its compute nodes.

To sustain your securely configured Azure Batch compute resources, establish a policy requiring that your Azure Batch pools use only your approved, secured images. You can also use the Azure API or CLI with a recurring Azure Automation runbook to scan for unapproved or misconfigured Azure Batch resources.
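An added example of the recurring scan described here and in PV-3 (not the baseline's or Microsoft's own code): it compares each pool's image reference with an allow-list of approved gallery images, optionally a few permitted marketplace images, and reports every pool that falls outside the list or leaves its image version unpinned. The pool records are constructed to follow the shape Batch returns for a pool's virtualMachineConfiguration.imageReference; the approved image IDs, the marketplace allow-list and the pool names are placeholders, and in a runbook the records would come from the Batch API or 'az batch pool list'.

```python
"""Scan Azure Batch pools for images outside an approved allow-list.

Added example, not the baseline's or Microsoft's code. Pool records follow
the shape Batch returns (virtualMachineConfiguration.imageReference with
either a marketplace publisher/offer/sku/version or a virtualMachineImageId
for a gallery image); sample pools and allow-lists are constructed."""

# Constructed allow-list of hardened gallery images, pinned to a version.
# Compared case-insensitively, because ARM resource IDs are.
APPROVED_GALLERY_IMAGE_IDS = {
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-images"
    "/providers/microsoft.compute/galleries/sig-example/images/ubuntu-hardened/versions/1.2.0",
}

# Constructed allow-list of marketplace images the organization still permits,
# as lower-cased (publisher, offer, sku). Leave empty to allow gallery images only.
APPROVED_MARKETPLACE_IMAGES = {
    ("canonical", "0001-com-ubuntu-server-jammy", "22_04-lts"),
}


def classify_pool(pool):
    """Return the findings for one pool; an empty list means the pool is approved."""
    ref = (pool.get("virtualMachineConfiguration") or {}).get("imageReference") or {}
    if not ref:
        # Nothing to verify: the pool carries no VM image reference at all.
        return ["no virtualMachineConfiguration image reference"]

    image_id = ref.get("virtualMachineImageId")
    if image_id:
        # Gallery/custom image: the full ID, version segment included, is the
        # identity, so an ID without '/versions/<n>' never matches a pinned entry.
        if image_id.lower() not in APPROVED_GALLERY_IMAGE_IDS:
            return [f"unapproved custom image {image_id}"]
        return []

    publisher, offer, sku = (ref.get(k, "") for k in ("publisher", "offer", "sku"))
    if (publisher.lower(), offer.lower(), sku.lower()) not in APPROVED_MARKETPLACE_IMAGES:
        return [f"unapproved marketplace image {publisher}/{offer}/{sku}"]
    findings = []
    if ref.get("version", "latest").lower() == "latest":
        # 'latest' names no specific build, so node images are not reproducible or auditable.
        findings.append("marketplace image version not pinned (resolves to 'latest')")
    return findings


def audit_pools(pools):
    """Map every non-compliant pool id to its findings; compliant pools are omitted."""
    report = {}
    for pool in pools:
        findings = classify_pool(pool)
        if findings:
            report[pool.get("id", "<unknown>")] = findings
    return report


# Constructed sample pools covering the four outcomes.
SAMPLE_POOLS = [
    {"id": "hardened-linux", "virtualMachineConfiguration": {
        "imageReference": {"virtualMachineImageId":
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images"
            "/providers/Microsoft.Compute/galleries/sig-example/images/ubuntu-hardened/versions/1.2.0"},
        "nodeAgentSkuId": "batch.node.ubuntu 22.04"}},
    {"id": "dev-scratch", "virtualMachineConfiguration": {
        "imageReference": {"virtualMachineImageId":
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images"
            "/providers/Microsoft.Compute/galleries/sig-example/images/ubuntu-hardened"},
        "nodeAgentSkuId": "batch.node.ubuntu 22.04"}},
    {"id": "stock-ubuntu", "virtualMachineConfiguration": {
        "imageReference": {"publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy",
                           "sku": "22_04-lts", "version": "latest"},
        "nodeAgentSkuId": "batch.node.ubuntu 22.04"}},
    {"id": "windows-unreviewed", "virtualMachineConfiguration": {
        "imageReference": {"publisher": "MicrosoftWindowsServer", "offer": "WindowsServer",
                           "sku": "2022-datacenter", "version": "latest"},
        "nodeAgentSkuId": "batch.node.windows amd64"}},
]

if __name__ == "__main__":
    for pool_id, findings in audit_pools(SAMPLE_POOLS).items():
        print(pool_id, "->", "; ".join(findings))
```

The unpinned gallery reference in 'dev-scratch' is reported even though its image definition is approved, which is deliberate: the allow-list carries versions so that what ran on a node can be tied back to a reviewed build.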

Responsibility: Customer

Azure Security Center monitoring: None

PV-5: Securely store custom operating system and container images

Guidance: If using custom images for your Azure Batch pools, use Role-based access control (RBAC) to ensure only authorized users may access the images. Store container images in Azure Container Registry and use Azure RBAC to ensure that only authorized users have access.

Responsibility: Customer

Azure Security Center monitoring: None

PV-6: Perform software vulnerability assessments

Guidance: For Azure Batch pool nodes, you are responsible for managing any vulnerability management solution used; Azure Batch does not provide native vulnerability assessment capabilities.

However, if you have a Rapid7, Qualys, or any other vulnerability management platform subscription, you may manually install vulnerability assessment agents on Batch pool nodes and manage nodes through the respective portal.

Responsibility: Customer

Azure Security Center monitoring: None

PV-7: Rapidly and automatically remediate software vulnerabilities

Guidance: Prioritize using a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool, and then tailor your environment using context for which applications present a high security risk and which ones require high uptime.

Currently there is no native customer-facing vulnerability scanning for Azure Batch; for the underlying platform hosting Batch, Microsoft ensures vulnerabilities are remediated. For software running on top of Batch, you can use the Azure API or CLI with a recurring Azure Automation runbook to scan and update any potentially vulnerable software running on your Azure Batch nodes.

Responsibility: Shared

Azure Security Center monitoring: None

PV-8: Conduct regular attack simulation

Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings.

Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Shared

Azure Security Center monitoring: None

Endpoint Security

For more information, see the Azure Security Benchmark: Endpoint Security.

ES-2: Use centrally managed modern anti-malware software

Guidance: Azure Batch nodes can run any executable or script that is supported by the operating system environment of the node. Use Windows Defender on your individual Azure Batch pool nodes in the case of Windows operating systems, or provide your own anti-malware solution if you are using Linux.

Responsibility: Shared

Azure Security Center monitoring: None

ES-3: Ensure anti-malware software and signatures are updated

Guidance: Ensure anti-malware signatures are updated rapidly and consistently. Follow recommendations in Azure Security Center: "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. Azure Batch nodes can run any executable or script that is supported by the operating system environment of the node. Use Windows Defender on your individual Azure Batch pool nodes in the case of Windows operating systems and ensure automatic update is enabled, or provide your own anti-malware solution if you are using Linux. Microsoft Antimalware will automatically install the latest signatures and engine updates by default. For Linux, use a third-party anti-malware solution.

Responsibility: Customer

Azure Security Center monitoring: None

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-1: Ensure regular automated backups

Guidance: When using an Azure Storage Account for the Azure Batch pool data store, choose the appropriate redundancy option (LRS, ZRS, GRS, RA-GRS) and back up your storage account in an Azure Backup Vault on a regular cadence.

Responsibility: Customer

Azure Security Center monitoring: None

BR-2: Encrypt backup data

Guidance: When using an Azure Storage Account for the Azure Batch pool data store, it is automatically encrypted at rest with Microsoft-managed keys. For organizations that have a regulatory need to use their own customer-managed keys for encrypting Azure Batch storage, Azure also supports customer-managed keys; store these keys in an Azure Key Vault.

Responsibility: Customer

Azure Security Center monitoring: None

BR-3: Validate all backups including customer-managed keys

Guidance: If you are managing your own keys for Azure Storage Accounts or any other resource related to your Azure Batch implementation, periodically test restoration of backed up keys.

Responsibility: Customer

Azure Security Center monitoring: None

BR-4: Mitigate risk of lost keys

Guidance: If Azure Key Vault is being used to hold any keys related to Azure Batch Pool Storage Accounts, enable Soft-Delete in Azure Key Vault to protect keys against accidental or malicious deletion.
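An added example (not the baseline's or Microsoft's code) that checks, in one pass, the three settings BR-1, BR-2 and BR-4 ask for on the storage account behind a Batch pool data store and on the Key Vault that holds its key: an approved redundancy option, customer-managed key encryption where policy requires it, and soft-delete on the vault. It also flags a vault without purge protection, since soft-delete alone still allows a deleted key to be purged, and warns when the account's key lives in a different vault than the one audited. The resource records are constructed in the shape of the ARM representations (sku.name, properties.encryption.keySource and keyvaultproperties.keyvaulturi on the storage account; properties.vaultUri, enableSoftDelete and enablePurgeProtection on the vault); names, IDs and the approved SKU set are placeholders.

```python
"""Audit the storage account and key vault behind a Batch pool data store
for redundancy (BR-1), customer-managed keys (BR-2) and key protection (BR-4).

Added example, not part of the baseline. Records follow the ARM resource
shapes; every sample value below is constructed."""

# Placeholder organizational minimum for redundancy (BR-1 lists LRS, ZRS, GRS, RA-GRS).
ACCEPTABLE_SKUS = {"Standard_ZRS", "Standard_GRS", "Standard_RAGRS"}


def _encryption(account):
    return ((account.get("properties") or {}).get("encryption") or {})


def audit_storage_account(account, acceptable_skus=ACCEPTABLE_SKUS, require_cmk=False):
    """Findings for the storage account used as the Batch pool data store."""
    findings = []
    sku = (account.get("sku") or {}).get("name")
    if sku not in acceptable_skus:
        findings.append(f"redundancy {sku} is below the approved minimum")
    enc = _encryption(account)
    uses_cmk = enc.get("keySource") == "Microsoft.Keyvault"
    if require_cmk and not uses_cmk:
        findings.append("customer-managed key required but account uses Microsoft-managed keys")
    if uses_cmk and not (enc.get("keyvaultproperties") or {}).get("keyvaulturi"):
        findings.append("keySource is Microsoft.Keyvault but no key vault URI is set")
    return findings


def audit_key_vault(vault):
    """Findings for the vault that holds the storage account's key (BR-4)."""
    props = vault.get("properties") or {}
    findings = []
    if props.get("enableSoftDelete") is not True:
        findings.append("soft-delete is disabled")
    if props.get("enablePurgeProtection") is not True:
        findings.append("purge protection is disabled, so a soft-deleted key can still be purged")
    return findings


def audit_data_store(account, vault, acceptable_skus=ACCEPTABLE_SKUS, require_cmk=False):
    """Combined report; also confirms the account's key vault URI matches the audited vault."""
    report = {
        "storage": audit_storage_account(account, acceptable_skus, require_cmk),
        "key_vault": audit_key_vault(vault),
    }
    expected = (_encryption(account).get("keyvaultproperties") or {}).get("keyvaulturi")
    actual = (vault.get("properties") or {}).get("vaultUri")
    if expected and actual and expected.rstrip("/").lower() != actual.rstrip("/").lower():
        report["storage"].append("storage account's key lives in a different vault than the one audited")
    return report


def data_store_is_compliant(report):
    return not (report["storage"] or report["key_vault"])


# Constructed weak pair: locally redundant, platform-managed keys, vault without purge protection.
WEAK_ACCOUNT = {"name": "stbatchweak", "sku": {"name": "Standard_LRS"},
                "properties": {"encryption": {"keySource": "Microsoft.Storage"}}}
WEAK_VAULT = {"name": "kv-batch-weak", "properties": {
    "vaultUri": "https://kv-batch-weak.vault.azure.net/",
    "enableSoftDelete": True, "enablePurgeProtection": False}}

# Constructed hardened pair: geo-redundant, CMK in a vault with soft-delete and purge protection.
HARDENED_ACCOUNT = {"name": "stbatchprod", "sku": {"name": "Standard_GRS"},
    "properties": {"encryption": {"keySource": "Microsoft.Keyvault", "keyvaultproperties": {
        "keyname": "batch-store-key", "keyversion": "",
        "keyvaulturi": "https://kv-batch-prod.vault.azure.net/"}}}}
HARDENED_VAULT = {"name": "kv-batch-prod", "properties": {
    "vaultUri": "https://kv-batch-prod.vault.azure.net/",
    "enableSoftDelete": True, "enablePurgeProtection": True}}

if __name__ == "__main__":
    print("weak", audit_data_store(WEAK_ACCOUNT, WEAK_VAULT, require_cmk=True))
    print("hardened", audit_data_store(HARDENED_ACCOUNT, HARDENED_VAULT, require_cmk=True))
```

An empty 'keyversion' in the hardened sample is the form that lets the account pick up rotated key versions automatically; the check does not judge rotation, only that a vault-backed key is configured and protected.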

Responsibility: Customer

Azure Security Center monitoring: None

Governance and Strategy

For more information, see the Azure Security Benchmark: Governance and Strategy.

GS-1: Define asset management and data protection strategy

Guidance: Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Data classification standard in accordance with the business risks
  • Security organization visibility into risks and asset inventory
  • Security organization approval of Azure services for use
  • Security of assets through their lifecycle
  • Required access control strategy in accordance with organizational data classification
  • Use of Azure native and third-party data protection capabilities
  • Data encryption requirements for in-transit and at-rest use cases
  • Appropriate cryptographic standards

For more information, see the following references:

Responsibility: Customer

Azure Security Center monitoring: None

GS-2: Define enterprise segmentation strategy

Guidance: Establish an enterprise-wide strategy for segmenting access to assets using a combination of identity, network, application, subscription, management group, and other controls.

Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.

Ensure that the segmentation strategy is implemented consistently across control types including network security, identity and access models, and application permission/access models, and human process controls.

Responsibility: Customer

Azure Security Center monitoring: None

GS-3: Define security posture management strategy

Guidance: Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high value assets and highly-exposed attack surfaces, such as published applications, network ingress and egress points, user and administrator endpoints, etc.

Responsibility: Customer

Azure Security Center monitoring: None

GS-4: Align organization roles, responsibilities, and accountabilities

Guidance: Ensure that you document and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educating technical teams on the technology used to secure the cloud.

Responsibility: Customer

Azure Security Center monitoring: None

GS-5: Define network security strategy

Guidance: Establish an Azure network security approach as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Centralized network management and security responsibility
  • Virtual network segmentation model aligned with the enterprise segmentation strategy
  • Remediation strategy in different threat and attack scenarios
  • Internet edge and ingress and egress strategy
  • Hybrid cloud and on-premises interconnectivity strategy
  • Up-to-date network security artifacts (such as network diagrams, reference network architecture)

For more information, see the following references:

Responsibility: Customer

Azure Security Center monitoring: None

GS-6: Define identity and privileged access strategy

Guidance: Establish an Azure identity and privileged access approach as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

  • A centralized identity and authentication system and its interconnectivity with other internal and external identity systems
  • Strong authentication methods in different use cases and conditions
  • Protection of highly privileged users
  • Monitoring and handling of anomalous user activities
  • User identity and access review and reconciliation process

For more information, see the following references:

Responsibility: Customer

Azure Security Center monitoring: None

GS-7: Define logging and threat response strategy

Guidance: Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high-quality alerts and seamless experiences so that they can focus on threats rather than integration and manual steps.

This strategy should include documented guidance, policy, and standards for the following elements:

  • The security operations (SecOps) organization's role and responsibilities
  • A well-defined incident response process aligning with NIST or another industry framework
  • Log capture and retention to support threat detection, incident response, and compliance needs
  • Centralized visibility of, and correlation of information about, threats, using SIEM, native Azure capabilities, and other sources
  • Communication and notification plan with your customers, suppliers, and public parties of interest
  • Use of Azure native and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication
  • Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention

For more information, see the following references:

Responsibility: Customer

Azure Security Center monitoring: None

Next steps