Azure security baseline for Azure Data Factory

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Data Factory. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Data Factory.

Note

Controls not applicable to Azure Data Factory, and those for which the global guidance is recommended verbatim, have been excluded. To see how Azure Data Factory completely maps to the Azure Security Benchmark, see the full Azure Data Factory security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-1: Implement security for internal traffic

Guidance: When you deploy Data Factory resources, create or use an existing virtual network. Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Isolate any system that could incur higher risk for the organization within its own virtual network. Secure the system sufficiently with either a network security group (NSG) or Azure Firewall.

Use Microsoft Defender for Cloud adaptive network hardening to get recommended network security group configurations. The recommendations limit ports and source IPs with reference to the external network traffic the resource actually receives, rather than to the broad rules an NSG is often created with.

Azure-SSIS Integration Runtime supports virtual network injection into the customer's virtual network, and it abides by all NSG and firewall rules the customer sets there. When you create an Azure-SSIS Integration Runtime (IR), you can join it to a virtual network. This lets Azure Data Factory create certain network resources, like an NSG and a load balancer. You can also provide your own static public IP address or have Azure Data Factory create one for you. On the NSG that Azure Data Factory creates automatically, inbound port 3389 (RDP) is open to all sources by default. Lock that rule down so that only your administrators' addresses can reach it.

Self-hosted integration runtime (IR) can be set up on IaaS VM within the customer's virtual network. The network traffic is also governed by the customer's NSG and firewall settings.

Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources with your NSG rules. For specific, well-defined applications like a three-tier app, a deny-by-default posture is achievable and highly secure.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-3: Establish private network access to Azure services

Guidance: Use Azure Private Link to enable private access to Data Factory from virtual networks without crossing the internet. Private access adds a defense-in-depth measure to Azure authentication and traffic security.

You can configure private endpoints in the Azure Data Factory Managed Virtual Network to connect to data stores privately.

Data Factory doesn't provide the capability to configure Virtual Network service endpoints.

For Azure-SSIS IR, the virtual network join described in NS-1 applies here as well: on the NSG that Azure Data Factory creates automatically, inbound port 3389 is open to all sources by default, so lock it down to ensure that only your administrators have access. Azure-SSIS IR disallows port 3389 outbound by default through a Windows Firewall rule on each IR node. You can deploy self-hosted IRs on an on-premises machine or on an Azure VM inside a virtual network. Make sure the subnet you deploy into has an NSG configured to allow only administrative access. Secure any other virtual network-configured resources by associating an NSG with their subnet and setting strict rules.
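The NS-1 and NS-3 guidance both come down to one check on the NSG that Data Factory creates for an Azure-SSIS IR: is TCP/3389 reachable from an arbitrary Internet address? The following is an added example for this baseline, not Data Factory code. It evaluates an NSG export offline the way the NSG engine does (lowest priority number first, first match wins), reports the deciding rule, and shows the locked-down form of the rule. The input shape follows the JSON that `az network nsg show` returns (camelCase properties under `securityRules` and `defaultSecurityRules`); the NSG name, rule name, and admin address are constructed for illustration.

```python
"""Offline check of an NSG export for RDP (TCP/3389) reachable from the Internet.

Added example for the Data Factory security baseline; not Data Factory code.
Input shape follows `az network nsg show` JSON. Names below are constructed.
"""
import copy
import json
import sys

RDP_PORT = 3389
# Source prefixes that mean "any address on the Internet" in NSG terms.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

# Azure's built-in inbound defaults, used when the export omits defaultSecurityRules.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]


def _values(rule, single, plural):
    """NSG rules carry either a scalar property or its plural list form."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def _matches_rdp_from_internet(rule):
    """True if this rule is consulted for TCP/3389 from an arbitrary Internet address."""
    if rule.get("direction") != "Inbound":
        return False
    if str(rule.get("protocol", "*")).lower() not in ("*", "tcp"):
        return False
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    if not any(_port_matches(p, RDP_PORT) for p in ports):
        return False
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    # Rules scoped to a specific prefix (an admin /32, VirtualNetwork, ...) do not
    # match an arbitrary Internet source, so they cannot decide this question.
    return any(s in ANY_SOURCE for s in sources)


def rdp_exposure(nsg):
    """Return (exposed, deciding_rule_name); lowest priority number wins first."""
    rules = list(nsg.get("securityRules") or [])
    rules += list(nsg.get("defaultSecurityRules") or DEFAULT_INBOUND)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches_rdp_from_internet(rule):
            return rule["access"] == "Allow", rule["name"]
    return False, None


def lock_down(nsg, rule_name, admin_cidr):
    """Return a copy of the NSG with the named rule's source narrowed to admin_cidr."""
    locked = copy.deepcopy(nsg)
    for rule in locked.get("securityRules", []):
        if rule["name"] == rule_name:
            rule.pop("sourceAddressPrefixes", None)
            rule["sourceAddressPrefix"] = admin_cidr
    return locked


# Constructed sample: an NSG whose RDP rule is open to everyone.
SAMPLE_NSG = {
    "name": "nsg-ssis-ir",
    "securityRules": [
        {"name": "AllowRdpInbound", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "3389"},
    ],
}

if __name__ == "__main__":
    nsg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_NSG
    exposed, rule = rdp_exposure(nsg)
    print(f"{nsg['name']}: RDP exposed to Internet = {exposed} (rule: {rule})")
    if exposed:
        # 203.0.113.10/32 is a documentation address standing in for the admin host.
        after = rdp_exposure(lock_down(nsg, rule, "203.0.113.10/32"))
        print(f"after narrowing '{rule}': exposed = {after[0]} (rule: {after[1]})")
```

Run it against a saved `az network nsg show` output to audit a real IR subnet; with no argument it evaluates the constructed sample, which flips from exposed (decided by the open rule) to not exposed (decided by the built-in DenyAllInBound) once the source is narrowed to an admin address.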

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-4: Protect applications and services from external network attacks

Guidance: Protect your Data Factory resources against attacks from external networks, including:

  • Distributed denial of service (DDoS) attacks.

  • Application-specific attacks.

  • Unsolicited and potentially malicious internet traffic.

Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. Protect your assets against DDoS attacks by enabling DDoS standard protection on your Azure virtual networks. Use Microsoft Defender for Cloud to detect misconfiguration risks to your network-related resources.

Data Factory isn't intended to run web applications. It doesn't require you to configure any other settings or deploy any extra network services to protect it from external network attacks targeting web applications.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-6: Simplify network security rules

Guidance: Use Azure Virtual Network service tags to define network access controls for Data Factory resources in NSGs or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. Specify a service tag name in the appropriate rule source or destination field to allow or deny traffic for the service. Microsoft manages the address prefixes the service tag encompasses, and automatically updates the service tag as addresses change.

The Azure integration runtime's IP ranges are published under the DataFactory service tag (regional variants are available). The tag applies to data movement (copy), external, and pipeline activities, but not to data flow executions, so rules that must admit data flow traffic can't rely on it.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-7: Secure Domain Name Service (DNS)

Guidance: Follow the best practices for DNS security to mitigate against common attacks like:

  • Dangling DNS

  • DNS amplification attacks

  • DNS poisoning and spoofing

When you use Azure DNS as your DNS service, make sure to protect DNS zones and records from accidental or malicious changes by using Azure Role-Based Access Control (RBAC) and resource locks.

When you use a managed virtual network in Data Factory, connectivity through its managed private endpoints requires DNS updates, which Microsoft manages for you. You can specify the DNS entries (fully qualified domain names) when you create the private endpoints in the managed virtual network.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Data Factory uses Azure AD as its default identity and access management service. Standardize Azure AD to govern your organization's identity and access management in:

  • Microsoft Cloud resources. Resources include:

    • The Azure portal

    • Azure Storage

    • Azure Linux and Windows VMs

    • Azure Key Vault

    • Platform-as-a-service (PaaS)

    • Software-as-a-service (SaaS) applications

  • Your organization's resources, such as applications on Azure or your corporate network resources.

Securing Azure AD should be a high priority for your organization's cloud security practice. Azure AD provides an identity secure score to help you compare your identity security posture to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Note: Azure AD supports external identities that allow users without a Microsoft account to sign in to their applications and resources with their external identity.

Membership of the Data Factory Contributor role lets users do the following things:

  • Create, edit, and delete data factories and child resources like:

    • Datasets

    • Linked services

    • Pipelines

    • Triggers

    • Integration runtimes

  • Deploy Resource Manager templates. Resource Manager deployment is the deployment method used by Data Factory in the Azure portal.

  • Manage App Insights alerts for a data factory.

  • Create support tickets.

If you're running your self-hosted IR on an Azure VM, you can use managed identities to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. Code running on the VM can use the managed identity to request access tokens for services that support Azure AD authentication.

Data Factory lets you use managed identities and service principals to authenticate to data stores and compute services that support Azure AD authentication.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

IM-2: Manage application identities securely and automatically

Guidance: Data Factory supports managed identities for its Azure resources. Use the factory's managed identity instead of creating service principals to access other resources. Data Factory can natively authenticate to the Azure services and resources that support Azure AD authentication; you grant access by assigning the managed identity a role on the target resource (for example, Storage Blob Data Contributor on a storage account), so no credentials are hard-coded in source code or configuration files.

Where a service principal is still required, create it in Azure AD with permissions restricted to the resource level, prefer certificate credentials, and fall back to client secrets only when certificates aren't supported. In both cases, store the credential in Azure Key Vault and let Data Factory retrieve it at runtime through its managed identity, so the secret never appears in the linked service definition.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

IM-3: Use Azure AD single sign-on (SSO) for application access

Guidance: Data Factory uses Azure AD identity and access management for Azure resources, cloud applications, and on-premises applications. Identities include enterprise identities like employees, and external identities like partners, vendors, and suppliers.

Azure AD provides single sign-on (SSO) to manage and secure access to your organization's on-premises and cloud data and resources.

Connect all your users, applications, and devices to Azure AD. Azure AD offers seamless, secure access, and greater visibility and control.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

IM-7: Eliminate unintended credential exposure

Guidance: Data Factory lets customers deploy and run code or configurations or persist data that potentially contains identities or secrets. Use Credential Scanner to discover these credentials in code, configurations, or data. Credential Scanner encourages moving discovered credentials to secure locations like Azure Key Vault.

For GitHub, you can use the native secret scanning feature to identify credentials or other secrets in code.

If you author in the Data Factory visual UI, credentials and secrets stored in linked services are either encrypted by the service or referenced from Azure Key Vault at runtime, so they don't appear in the JSON definitions: a stored secret shows up as a SecureString with a masked value, and a Key Vault reference names only the vault linked service and the secret. Stored credentials can't be read back through code or the visual UI. Prefer Key Vault references, which also mean nothing secret is present in the Git repository when the factory is Git-integrated.
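A practical IM-7 check for a Git-integrated factory is to scan the committed linked service definitions for credentials that should have been Key Vault references. The following is an added example for this baseline, not Data Factory tooling. It walks the linked service JSON shape (name, properties.type, properties.typeProperties), accepts `AzureKeyVaultSecret` references and masked `SecureString` placeholders, and reports inline secret properties, plaintext SecureString values, and connection strings that carry a password, account key, or SAS. Assumptions: a SecureString whose value is all asterisks is the service's masked placeholder, and the three sample definitions are constructed.

```python
"""Scan Data Factory linked-service JSON for credentials that belong in Key Vault.

Added example for the Data Factory security baseline; not Data Factory code.
Assumes masked SecureString values are all asterisks. Samples are constructed.
"""
import glob
import json
import os
import re
import sys

# Property names that carry a secret when given as a plain string.
SECRET_KEYS = {"password", "accountkey", "serviceprincipalkey", "sastoken",
               "sasuri", "clientsecret", "secret"}

# Secret-bearing tokens inside a connection string or SAS URI (case-insensitive).
CONN_STRING_SECRET = re.compile(
    r"(?i)(?:^|[;&?])\s*(password|pwd|accountkey|sharedaccesssignature|sig)\s*=\s*[^;&]+")


def scan_linked_service(doc):
    """Return a list of (json_path, reason) findings; an empty list means clean."""
    findings = []
    _walk(doc, "$", findings)
    return findings


def _walk(node, path, findings):
    if isinstance(node, dict):
        kind = node.get("type")
        if kind == "AzureKeyVaultSecret":
            return  # only a reference is stored; the secret stays in Key Vault
        if kind == "SecureString":
            value = str(node.get("value", ""))
            if value and set(value) != {"*"}:
                findings.append((path, "SecureString with plaintext value"))
            return
        for key, child in node.items():
            child_path = f"{path}.{key}"
            if isinstance(child, str) and key.lower() in SECRET_KEYS:
                findings.append((child_path, f"inline {key}"))
            else:
                _walk(child, child_path, findings)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            _walk(child, f"{path}[{index}]", findings)
    elif isinstance(node, str):
        match = CONN_STRING_SECRET.search(node)
        if match:
            findings.append((path, f"connection string carries '{match.group(1)}='"))


def scan_repo(root):
    """Scan every linkedService/*.json under a factory repository checkout."""
    results = {}
    for file in sorted(glob.glob(os.path.join(root, "linkedService", "*.json"))):
        with open(file) as handle:
            results[os.path.basename(file)] = scan_linked_service(json.load(handle))
    return results


# Constructed samples: inline password, Key Vault reference, masked SecureString.
INLINE_PASSWORD = {
    "name": "AzureSqlDatabase1",
    "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "connectionString": "Server=tcp:sql-example.database.windows.net,1433;"
                            "Database=sales;User ID=app;Password=hunter2;Encrypt=True"}},
}
KEY_VAULT_REFERENCE = {
    "name": "AzureSqlDatabase1",
    "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "connectionString": {
            "type": "AzureKeyVaultSecret",
            "store": {"referenceName": "AzureKeyVault1", "type": "LinkedServiceReference"},
            "secretName": "sales-sql-connection-string"}}},
}
MASKED_SECURE_STRING = {
    "name": "AzureDataLakeStorage1",
    "properties": {"type": "AzureBlobFS", "typeProperties": {
        "url": "https://stexample.dfs.core.windows.net",
        "servicePrincipalId": "00000000-0000-0000-0000-000000000000",
        "servicePrincipalKey": {"type": "SecureString", "value": "**********"},
        "tenant": "00000000-0000-0000-0000-000000000000"}},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = scan_repo(sys.argv[1])
    else:
        report = {"inline": scan_linked_service(INLINE_PASSWORD),
                  "keyvault": scan_linked_service(KEY_VAULT_REFERENCE),
                  "masked": scan_linked_service(MASKED_SECURE_STRING)}
    for name, findings in report.items():
        print(name, findings or "clean")
```

Point it at the collaboration branch checkout (the directory that contains `linkedService/`) to run it as a pre-merge gate; only the inline sample produces a finding, at `$.properties.typeProperties.connectionString`.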

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-1: Protect and limit highly privileged users

Guidance: The most critical built-in Azure AD roles are the Global Administrator and the Privileged Role Administrator. Users with these two roles can delegate administrator roles.

  • The Global Administrator or Company Administrator has access to all Azure AD administrative features, and services that use Azure AD identities.

  • The Privileged Role Administrator can manage role assignments in Azure AD and Azure AD Privileged Identity Management (PIM). This role can manage all aspects of PIM and administrative units.

Note: You might have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. You might also want to apply similar controls to the administrator account of critical business assets.

Limit the number of highly privileged accounts or roles, and protect these accounts at an elevated level. Highly privileged users can directly or indirectly read and modify all your Azure resources.

You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD PIM. JIT grants temporary permissions to carry out privileged tasks only when users need it. PIM can also generate security alerts for suspicious or unsafe activity in your Azure AD organization.

Data Factory Contributor is an Azure RBAC built-in role that provides full access to a Data Factory instance. Consider creating a custom role if you want to grant less privileged permissions or restrict certain functionality within Data Factory for such users.

If you're running your self-hosted integration runtime on an Azure VM, you can additionally onboard the VM to Microsoft Sentinel. Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR solution that delivers intelligent security analytics and threat intelligence across the enterprise. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PA-3: Review and reconcile user access regularly

Guidance: Data Factory uses Azure AD accounts to manage its resources. Review user accounts and access assignments regularly to ensure the accounts and their access are valid. You can use Azure AD access reviews to review group memberships, enterprise application access, and role assignments.

Azure AD reporting can provide logs to help discover stale accounts. You can also create access review report workflows in Azure AD PIM to ease the review process.

If you're running your self-hosted IR in an Azure VM, you'll need to review the local security groups and users. Make sure that there are no unexpected accounts that could compromise the system.

You can configure Azure AD PIM to alert you when there are too many administrator accounts. PIM can identify administrator accounts that are stale or improperly configured.

Note: Some Azure services support local users and roles that aren't managed through Azure AD. Manage these users separately.

For more information, see Roles and permissions for Azure Data Factory: /azure/data-factory/concepts-roles-permissions

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PA-6: Use privileged access workstations

Guidance: Secured, isolated workstations are critical for the security of sensitive roles like administrators, developers, and critical service operators. Use highly secured user workstations and Azure Bastion for administrative tasks.

Use Azure AD, Microsoft Defender for Endpoint (formerly Microsoft Defender ATP), or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. You can centrally manage secured workstations to enforce a security configuration that includes:

  • Strong authentication

  • Software and hardware baselines

  • Restricted logical and network access


Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PA-7: Follow just enough administration (least privilege principle)

Guidance: Data Factory integrates with Azure RBAC to manage its resources. With RBAC, you manage Azure resource access through role assignments. You can assign roles to users, groups, service principals, and managed identities. Certain resources have pre-defined, built-in roles. You can inventory or query these roles through tools like Azure CLI, Azure PowerShell, or the Azure portal.

Limit the privileges you assign to resources through Azure RBAC to what the roles require. This practice complements the just-in-time (JIT) approach of Azure AD PIM. Review roles and assignments periodically.

Use built-in roles to give permissions. Only create custom roles when required.

You can create an Azure RBAC custom role with more restrictive access to Data Factory than the built-in Data Factory Contributor role grants.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-2: Protect sensitive data

Guidance: Protect sensitive data by restricting access with Azure RBAC, network-based access controls, and specific controls in Azure services. For example, use encryption in SQL and other databases.

For consistency, align all types of access control with your enterprise segmentation strategy. Inform your enterprise segmentation strategy by the location of sensitive or business-critical data and systems.

Microsoft treats all customer content in the underlying Microsoft-managed platform as sensitive. Microsoft guards against customer data loss and exposure. Microsoft has default data protection controls and capabilities to ensure that Azure customer data remains secure.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

DP-4: Encrypt sensitive information in transit

Guidance: To complement access controls, protect data in transit against out-of-band attacks like traffic capture. Use encryption to ensure that attackers can't easily read or modify the data.

Data Factory supports data encryption in transit with Transport Layer Security (TLS) v1.2.

This requirement is optional for traffic on private networks, but is critical for traffic on external and public networks. For HTTP traffic, make sure any clients that connect to your Azure resources can use TLS v1.2 or greater.

For remote management, use secure shell (SSH) for Linux or remote desktop protocol (RDP) and TLS for Windows. Don't use an unencrypted protocol. Disable weak ciphers and obsolete SSL, TLS, and SSH versions and protocols.

Azure encrypts data in transit between Azure data centers by default.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

DP-5: Encrypt sensitive data at rest

Guidance: To complement access controls, Data Factory protects data at rest against out-of-band attacks, such as accessing underlying storage, by using encryption. Encryption helps ensure that attackers can't easily read or modify the data.

Azure provides encryption for data at rest by default. Data Factory encrypts factory metadata (pipeline, dataset, and linked service definitions, including stored credentials) with Microsoft-managed keys by default, and you can use a customer-managed key from Azure Key Vault instead. For highly sensitive data, you can implement extra encryption at rest on the Azure data stores your pipelines use where available; Azure manages encryption keys by default, but certain Azure services provide options for customer-managed keys.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Ensure security team has visibility into risks for assets

Guidance: Make sure to grant security teams Security Reader permissions in your Azure tenant and subscriptions, so they can monitor for security risks by using Microsoft Defender for Cloud.

Monitoring for security risks could be the responsibility of a central security team or a local team, depending on how you structure responsibilities. Always aggregate security insights and risks centrally within an organization.

You can apply Security Reader permissions broadly to an entire tenant's Root Management Group, or scope permissions to specific management groups or subscriptions.

Note: Visibility into workloads and services might require more permissions.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

AM-2: Ensure security team has access to asset inventory and metadata

Guidance: Make sure that security teams have access to a continuously updated inventory of assets on Azure, like Data Factory. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvements. Create an Azure AD group to contain your organization's authorized security team and assign them read access to all Data Factory resources, which can be simplified by a single high-level role assignment within your subscription.

Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.

Use Azure Virtual Machine Inventory to automate collecting information about software on VMs. Software Name, Version, Publisher, and Refresh Time are available from the Azure portal. To access install dates and other information, enable guest-level diagnostics and import the Windows Event Logs into a Log Analytics workspace.

Data Factory doesn't allow running an application or installing software on its own managed resources; software inventory applies only to self-hosted IR machines you operate.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

AM-3: Use only approved Azure services

Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within subscriptions. You can also use Azure Monitor to create rules to trigger alerts when they detect an unapproved service.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

AM-6: Use only approved applications in compute resources

Guidance: If you're running your self-hosted IR in an Azure VM, Azure Automation provides complete control during:

  • Deployment

  • Operations

  • Decommissioning of workloads and resources

You may use Change Tracking to identify all software installed on VMs. You can implement your own process or use Azure Automation State Configuration for removing unauthorized software.

Note: Using approved applications only applies if your self-hosted IR is running in an Azure VM.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-1: Enable threat detection for Azure resources

Guidance: Use the built-in threat detection capability in Microsoft Defender for Cloud. Enable the Defender for Cloud plans that cover the resources around your factory: the data stores your pipelines read and write (for example, Defender for Storage and Defender for SQL) and Defender for Servers for self-hosted IR VMs. These plans detect unusual and potentially harmful attempts to access or exploit those resources, which is where misuse of a factory's identity or credentials would surface.

Forward any logs from Data Factory to your SIEM. Use the logs to set up custom threat detections. Make sure that you're monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure AD provides the following user logs. You can view the logs in Azure AD reporting. You can integrate the logs with Azure Monitor, Microsoft Sentinel, or other SIEM and monitoring tools for more sophisticated monitoring and analytics use cases.

  • Sign-ins - Information about managed application usage and user sign-in activities.

  • Audit logs - Traceability through logs for all changes made by various Azure AD features. Audit logs include changes made to any resource within Azure AD. Changes include adding or removing users, apps, groups, roles, and policies.

  • Risky sign-ins - An indicator for sign-in attempts by someone who might not be the legitimate owner of a user account.

  • Users flagged for risk - An indicator for a user account that might have been compromised.

Microsoft Defender for Cloud can also alert you about certain suspicious activities like an excessive number of failed authentication attempts. Deprecated accounts in the subscription can also trigger alerts.

In addition to basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can collect more in-depth security alerts from:

  • Individual Azure compute resources like VMs, containers, and app service.

  • Data resources like Azure SQL Database and Azure Storage.

  • Azure service layers.

This capability gives you visibility into account anomalies in individual resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-3: Enable logging for Azure network activities

Guidance: Enable and collect these logs for security analysis:

  • NSG resource logs

  • NSG flow logs

  • Azure Firewall logs

  • Web Application Firewall (WAF) logs

Logs support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and use Traffic Analytics to provide insights.

Data Factory doesn't produce or process DNS query logs.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-4: Enable logging for Azure resources

Guidance: Activity logs are available automatically. The logs contain all PUT, POST, and DELETE, but not GET, operations for your Data Factory resources. You can use activity logs to find errors when troubleshooting, or to monitor how users in your organization modified resources.

Enable Azure resource logs for Data Factory. You can use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting. These logs can be critical for investigating security incidents and doing forensic exercises.
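Because the activity log records every control-plane write and delete on a factory, it is the natural source for the custom detections LT-1 asks for. The following is an added example for this baseline, not Data Factory or Defender for Cloud code. It flags successful writes, deletes, and actions on a factory by any caller other than an approved release identity, rates changes to linked services, integration runtimes, and credentials higher (they touch secrets and compute), alerts once per change rather than on both the Started and Succeeded records, and ignores the token-fetching action the authoring UI issues. Event fields follow the activity log schema (operationName.value, caller, status.value, resourceId, eventTimestamp); the approved caller, subscription, factory, and events are constructed, and the assumption that all legitimate changes flow through one release service principal is one you would tune to your own deployment model.

```python
"""Flag out-of-band control-plane changes to a data factory from activity log events.

Added example for the Data Factory security baseline; not Data Factory code.
Assumes legitimate changes arrive only via one release identity; samples are constructed.
"""
import json
import sys

FACTORY_PREFIX = "microsoft.datafactory/factories/"
# Child resources where a write or delete touches credentials or compute.
HIGH_RISK_CHILDREN = ("/linkedservices/", "/integrationruntimes/", "/credentials/")
# Token-fetching action the authoring UI issues; it changes nothing.
READ_LIKE_ACTIONS = ("/getdataplaneaccess/action",)


def classify(event, approved_callers):
    """Return an alert dict for a successful, unapproved change, else None."""
    operation = event["operationName"]["value"]
    op = operation.lower()
    if not op.startswith(FACTORY_PREFIX):
        return None
    # Each change is logged at least twice (Started, Succeeded): alert once, on success.
    if event.get("status", {}).get("value") != "Succeeded":
        return None
    if not op.endswith(("/write", "/delete", "/action")) or op.endswith(READ_LIKE_ACTIONS):
        return None
    caller = event.get("caller", "")
    if caller.lower() in approved_callers:
        return None
    severity = "high" if any(child in op for child in HIGH_RISK_CHILDREN) else "medium"
    return {"severity": severity, "caller": caller, "operation": operation,
            "resource": event["resourceId"], "time": event["eventTimestamp"]}


def detect(events, approved_callers):
    """Run classify over a batch of events; approved callers compare case-insensitively."""
    approved = {c.lower() for c in approved_callers}
    return [alert for alert in (classify(e, approved) for e in events) if alert]


# Constructed sample data. A service principal appears in `caller` as a GUID,
# a user as a UPN.
FACTORY = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
           "/providers/Microsoft.DataFactory/factories/adf-prod")
RELEASE_SP = "11111111-1111-1111-1111-111111111111"  # release pipeline identity (assumed)


def _event(op, caller, status, resource, time):
    return {"operationName": {"value": op}, "caller": caller, "status": {"value": status},
            "resourceId": resource, "eventTimestamp": time}


SAMPLE_EVENTS = [
    _event("Microsoft.DataFactory/factories/linkedServices/write", "alice@contoso.com", "Started",
           FACTORY + "/linkedServices/AzureSqlDatabase1", "2024-05-01T09:12:01Z"),
    _event("Microsoft.DataFactory/factories/linkedServices/write", "alice@contoso.com", "Succeeded",
           FACTORY + "/linkedServices/AzureSqlDatabase1", "2024-05-01T09:12:03Z"),
    _event("Microsoft.DataFactory/factories/pipelines/write", RELEASE_SP, "Succeeded",
           FACTORY + "/pipelines/LoadSales", "2024-05-01T10:00:00Z"),
    _event("Microsoft.DataFactory/factories/getDataPlaneAccess/action", "bob@contoso.com", "Succeeded",
           FACTORY, "2024-05-01T10:05:00Z"),
    _event("Microsoft.DataFactory/factories/pipelines/createRun/action", "carol@contoso.com", "Succeeded",
           FACTORY + "/pipelines/LoadSales", "2024-05-01T10:06:00Z"),
    _event("Microsoft.DataFactory/factories/integrationRuntimes/delete", "bob@contoso.com", "Succeeded",
           FACTORY + "/integrationRuntimes/SelfHostedIR1", "2024-05-01T10:07:00Z"),
]
APPROVED_CALLERS = [RELEASE_SP]

if __name__ == "__main__":
    events = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EVENTS
    for alert in detect(events, APPROVED_CALLERS):
        print(f"[{alert['severity']}] {alert['time']} {alert['caller']} "
              f"{alert['operation']} {alert['resource']}")
```

The same logic maps directly onto the AzureActivity table once the activity log is routed to a Log Analytics workspace; the constructed batch yields three alerts (a linked service rewrite and an integration runtime deletion rated high, an ad hoc pipeline run rated medium) and nothing for the release identity or the UI's token call.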

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-5: Centralize security log management and analysis

Guidance: Ingest logs via Azure Monitor to aggregate security data generated by Azure Data Factory. Within Azure Monitor, you can query the Log Analytics workspace that is configured to receive your Azure Data Factory activity logs. Use Azure Storage Accounts for long-term archival log storage or event hubs for exporting data to other systems.

Alternatively, you may enable and on-board data to Microsoft Sentinel or a third-party SIEM. You can also integrate Azure Data Factory with Git to use several source control benefits, like the ability to track and audit changes and the ability to revert changes that introduce bugs.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-6: Configure log storage retention

Guidance: Enable diagnostic settings for Azure Data Factory. If you store logs in a Log Analytics workspace, set the workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts for long-term archival storage.

How to enable diagnostic logs in Azure Data Factory: /azure/data-factory/monitor-using-azure-monitor#configure-diagnostic-settings-and-workspace

How to set log retention parameters for Log Analytics workspaces: /azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-7: Use approved time synchronization sources

Guidance: Not applicable. Data Factory doesn't support configuring your own time synchronization sources.

Data Factory service relies on Microsoft time synchronization sources, and isn't exposed to customers for configuration.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

Posture and Vulnerability Management

For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.

PV-1: Establish secure configurations for Azure services

Guidance: Define and implement standard security configurations for Azure Data Factory with Azure Policy. Use Azure Policy aliases in the "Microsoft.DataFactory" namespace to create custom policies. Configure the policies to audit or enforce the network configuration of your Azure Data Factory instances.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PV-2: Sustain secure configurations for Azure services

Guidance: Use Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings for your Azure Data Factory instances and related resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PV-3: Establish secure configurations for compute resources

Guidance: Use Microsoft Defender for Cloud and Azure Policy to establish secure configurations on all self-hosted IR running on Azure VMs and containers.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PV-4: Sustain secure configurations for compute resources

Guidance: If you're running your self-hosted IR in an Azure VM, there are several options for sustaining a secure VM configuration after deployment, such as Azure Policy guest configuration, Azure Automation State Configuration (see AM-6), and Microsoft Defender for Cloud recommendations.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PV-6: Perform software vulnerability assessments

Guidance: Not applicable. Microsoft carries out vulnerability management on the underlying systems that support Data Factory.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

PV-7: Rapidly and automatically remediate software vulnerabilities

Guidance: If you're running your self-hosted IR in an Azure VM, use the Azure Update Management solution to manage updates and patches for your VMs. Update Management relies on the locally configured update repository to patch supported Windows systems. Tools like System Center Updates Publisher allow you to publish custom updates into Windows Server Update Services (WSUS). This scenario allows Update Management to patch machines that use Configuration Manager as their update repository with third-party software.

If you're running your self-hosted IR in an Azure VM, you can use the native vulnerability scanner. The vulnerability scanner included with Microsoft Defender for Cloud is powered by Qualys and identifies vulnerabilities in your Azure VMs in near real time.

When Microsoft Defender for Cloud identifies vulnerabilities, it presents findings and related information as recommendations. The related information includes remediation steps, related CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific VM.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PV-8: Conduct regular attack simulation

Guidance: Conduct penetration testing or red team activities on your Azure resources as needed, and ensure remediation of all critical security findings.

Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests don't violate Microsoft policies. Separately, Microsoft carries out its own red teaming and live-site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Endpoint Security

For more information, see the Azure Security Benchmark: Endpoint Security.

ES-2: Use centrally managed modern anti-malware software

Guidance: If you're running your self-hosted IR in an Azure VM, you can use Microsoft Antimalware for Azure on Windows VMs to continuously monitor and defend your resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

ES-3: Ensure anti-malware software and signatures are updated

Guidance: When a self-hosted IR is deployed in an Azure VM, Microsoft Antimalware for Azure automatically installs the latest signature, platform, and engine updates by default. Follow the recommendations in Microsoft Defender for Cloud: Compute & Apps to ensure all endpoints are up to date with the latest signatures. The Windows OS can be further protected against virus and malware-based attacks with Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection), which integrates with Microsoft Defender for Cloud.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-1: Ensure regular automated backups

Guidance: If you're running self-hosted IRs on VMs, enable Azure Backup and configure the VM, and the required frequency and retention period for automatic backups. To back up all code on Azure Data Factory, use source control functionality in Data Factory.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

BR-2: Encrypt backup data

Guidance: If you're running your self-hosted IR on Azure VMs, enable Azure Backup for those VMs with the required frequency and retention periods. Azure Backup can protect VMs that are encrypted with customer-managed keys stored in Azure Key Vault, and the Recovery Services vault itself can be encrypted with a customer-managed key.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

BR-3: Validate all backups including customer-managed keys

Guidance: If you're running self-hosted IR on Azure VMs, ensure the ability to periodically carry out data restoration of content within Azure Backup. If necessary, test restoration of content to an isolated network. Periodically test restoration of backed up customer-managed keys.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

BR-4: Mitigate risk of lost keys

Guidance: Ensure you have measures in place to prevent and recover from loss of keys used to encrypt Azure Data Factory metadata. Enable soft delete and purge protection in Azure Key Vault storing the encryption keys for Data Factory to protect keys against accidental or malicious deletion.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

Next steps