Azure Security Baseline for Backup

The Azure Security Baseline for Backup contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network Security

For more information, see Security Control: Network Security.

1.1: Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Guidance: Not applicable; you cannot associate a virtual network, subnet or Network Security group with a Recovery Services vault. When backing up an Azure virtual machine, data is transferred over the Azure backbone. When backing up from an on-premises machine, an encrypted tunnel is created with a specific endpoint in Azure and credentials are used to pre-encrypt the data before it is sent through the encrypted tunnel.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.2: Monitor and log the configuration and traffic of Vnets, Subnets, and NICs

Guidance: Not applicable; you cannot associate a virtual network, subnet or Network Security group with a Recovery Services vault. When backing up an Azure virtual machine, data is transferred over the Azure backbone. When backing up from an on-premises machine, an encrypted tunnel is created with a specific endpoint in Azure and credentials are used to pre-encrypt the data before it is sent through the encrypted tunnel.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.3: Protect critical web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.4: Deny communications with known malicious IP addresses

Guidance: The endpoints used by Azure Backup (including the Microsoft Azure Recovery Services agent) are all managed by Microsoft. You are responsible for any additional controls you wish to deploy to your on-premises systems.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

1.5: Record network packets and flow logs

Guidance: Not applicable; you cannot associate a virtual network, subnet or Network Security group with a Recovery Services vault. When backing up an Azure virtual machine, data is transferred over the Azure backbone. When backing up from an on-premises machine, an encrypted tunnel is created with a specific endpoint in Azure and credentials are used to pre-encrypt the data before it is sent through the encrypted tunnel.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.6: Deploy network based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: The endpoints used by Azure Backup (including the Microsoft Azure Recovery Services agent) are all managed by Microsoft. You are responsible for any additional controls you wish to deploy to your on-premises systems.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: If you are using the MARS agent on an Azure Virtual Machine, use the AzureBackup service tag on your NSG or Azure Firewall to allow outbound access to Azure Backup.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Not applicable; the endpoints used by Azure Backup (including the Microsoft Azure Recovery Services agent) are all managed by Microsoft.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.10: Document traffic configuration rules

Guidance: If you are using the MARS agent on an Azure Virtual Machine, associate that VM with a network security group and use the description field of each rule to record the business need for that rule.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: If you are using the MARS agent on an Azure Virtual Machine that is being protected by an NSG or Azure Firewall, use Azure Activity Log to monitor configuration of the NSG or Firewall. You may create alerts within Azure Monitor that will trigger when changes to these resources take place.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and Monitoring

For more information, see Security Control: Logging and Monitoring.

2.1: Use approved time synchronization sources

Guidance: Not applicable; Microsoft maintains the time source used for Azure resources, such as Azure Backup, for timestamps in the logs.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

2.2: Configure central security log management

Guidance: For control plane audit logging, enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account for archive. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your Azure resources.

Also, ingest logs via Azure Monitor to aggregate security data generated by Azure Backup. Within Azure Monitor, use Log Analytics workspace(s) to query and perform analytics, and use storage accounts for long-term/archival storage. Alternatively, you may enable Azure Sentinel and on-board the data to it, or to a third-party Security Incident and Event Management (SIEM) solution.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: For control plane audit logging, enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account for archive. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your Azure resources.

Additionally, Azure Backup sends diagnostics events that can be collected and used for the purposes of analysis, alerting and reporting. You can configure diagnostics settings for a Recovery Services vault via the Azure portal. You can send one or more diagnostics events to a Storage Account, Event Hub, or a Log Analytics workspace.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure security log storage retention

Guidance: In Azure Monitor, set the log retention period for Log Analytics workspaces associated with your Azure Recovery Services vaults according to your organization's compliance regulations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review Logs

Guidance: Azure Backup provides built-in monitoring and alerting capabilities in a Recovery Services vault. These capabilities are available without any additional management infrastructure. You can also increase the scale of your monitoring and reporting by using Azure Monitor.

Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace. Perform queries in Log Analytics to search terms, identify trends, analyze patterns, and provide many other insights based on the Activity Log Data that may have been collected for Recovery Services vaults.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activity

Guidance: Azure Backup provides built-in monitoring and alerting capabilities in a Recovery Services vault. These capabilities are available without any additional management infrastructure. You can also increase the scale of your monitoring and reporting by using Azure Monitor.

Alerts are primarily notifications that prompt users to take relevant action. The Backup Alerts section shows alerts generated by the Azure Backup service; these alerts are defined by the service, and you cannot create custom alerts there.

You can also onboard a Log Analytics workspace to Azure Sentinel as it provides a security orchestration automated response (SOAR) solution. This allows for playbooks (automated solutions) to be created and used to remediate security issues. Additionally, you can create custom log alerts in your Log Analytics workspace using Azure Monitor.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: Not applicable; Azure Backup does not process or produce anti-malware related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS query logging

Guidance: Not applicable; Azure Backup does not process or produce DNS-related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.10: Enable command-line audit logging

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Identity and Access Control

For more information, see Security Control: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure Active Directory (AD) has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Azure AD does not have the concept of default passwords. Other Azure resources requiring a password force a password to be created with complexity requirements and a minimum password length, which differ depending on the service. You are responsible for third-party applications and marketplace services that may use default passwords.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Additionally, to help you keep track of dedicated administrative accounts, you may use recommendations from Azure Security Center or built-in Azure Policies, such as:
- There should be more than one owner assigned to your subscription
- Deprecated accounts with owner permissions should be removed from your subscription
- External accounts with owner permissions should be removed from your subscription

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: Use an Azure app registration (service principal) to retrieve a token that can be used to interact with your Recovery Services vaults via API calls.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: When you perform critical operations in Azure Backup, you have to enter a security PIN, available on the Azure portal. Enabling Azure Multi-Factor Authentication adds a layer of security. Only authorized users with valid Azure credentials, and authenticated from a second device, can access the Azure portal.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use a Privileged Access Workstation (PAW) with Azure Multi-Factor Authentication (MFA) configured to log into and configure your Azure Backup-enabled resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activity from administrative accounts

Guidance: Use Azure Active Directory (AD) Privileged Identity Management (PIM) for generation of logs and alerts when suspicious or unsafe activity occurs in the environment.

In addition, use Azure AD risk detections to view alerts and reports on risky user behavior.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access Named Locations to allow access to the Azure portal from only specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (AD) as the central authentication and authorization system for your Azure Backup instances. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory (AD) provides logs to help you discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.11: Monitor attempts to access deactivated accounts

Guidance: Use Azure Active Directory (AD) as the central authentication and authorization system for your Azure Backup instances. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

You have access to Azure AD sign-in activity, audit and risk event log sources, which allow you to integrate with Azure Sentinel or a third-party SIEM.

You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. You can configure desired log alerts within Log Analytics.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.12: Alert on account login behavior deviation

Guidance: Use Azure Active Directory (AD) as the central authentication and authorization system for your Recovery Services vaults. For account login behavior deviation on the control plane (the Azure portal), use Azure AD Identity Protection and risk detection features to configure automated responses to detected suspicious actions related to user identities. You can also ingest data into Azure Sentinel for further investigation.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.13: Provide Microsoft with access to relevant customer data during support scenarios

Guidance: Currently not available; Customer Lockbox is not yet supported for Azure Backup.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data Protection

For more information, see Security Control: Data Protection.

4.1: Maintain an inventory of sensitive Information

Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: When backing up Azure IaaS VMs, Azure Backup provides independent and isolated backups to guard against accidental destruction of original data. Backups are stored in a Recovery Services vault with built-in management of recovery points.

Implement separate subscriptions and/or management groups for development, test, and production Recovery Services Vaults. Resources should be separated by VNet/Subnet, tagged appropriately, and secured by an NSG or Azure Firewall. Resources storing or processing sensitive data should be sufficiently isolated. For Virtual Machines storing or processing sensitive data, implement policy and procedure(s) to turn them off when not in use.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: Currently not available; data identification, classification, and loss prevention features are not yet available for Azure Backup.

Microsoft manages the underlying infrastructure for Azure Backup and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.4: Encrypt all sensitive information in transit

Guidance: Backup traffic from servers to the Recovery Services vault is transferred over a secure HTTPS link and encrypted using Advanced Encryption Standard (AES) 256 when stored in the vault.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

4.5: Use an active discovery tool to identify sensitive data

Guidance: Currently not available; data identification, classification, and loss prevention features are not yet available for Azure Backup.

Microsoft manages the underlying infrastructure for Azure Backup and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Currently not available

Responsibility: Currently not available

4.6: Use Azure RBAC to control access to resources

Guidance: Azure role-based access control (Azure RBAC) enables fine-grained access management for Azure. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.

Azure Backup provides three built-in roles to control backup management operations: Backup Contributor, Backup Operator, and Backup Reader. You can map Backup built-in roles to various backup management actions.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
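The access review that 3.10 and 4.6 describe, as an added example that is not part of the baseline: it takes a listing of role assignments, works out which ones reach a given vault through ARM scope inheritance, and flags anything broader than the three Backup built-in roles, plus any assignment still held by a stale account. The assignment records and their field names (principal, roleDefinitionName, scope) are constructed for the example, not an Azure API shape.

```python
"""Review which role assignments reach a Recovery Services vault and flag
anything broader than the Backup built-in roles named in control 4.6.
Added example, not part of the baseline. The assignment records are
constructed; their shape (principal, roleDefinitionName, scope) is a
simplification for this example, not an Azure API."""

# The three Backup built-in roles from control 4.6, plus plain Reader, are the
# only roles this review treats as least-privilege for a vault.
BACKUP_BUILTIN_ROLES = {"Backup Contributor", "Backup Operator", "Backup Reader"}
READ_ONLY_ROLES = {"Reader", "Backup Reader"}
ACCESS_ADMIN_ROLES = {"Owner", "User Access Administrator"}  # can change access itself

# Constructed sample scopes (invented subscription and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/prod-rg"
VAULT = RG + "/providers/Microsoft.RecoveryServices/vaults/prod-vault"
OTHER_VAULT = SUB + "/resourceGroups/dev-rg/providers/Microsoft.RecoveryServices/vaults/dev-vault"

# Constructed sample assignments (invented principals); 'eve' stands in for a
# deactivated account that an access review should catch (control 3.10).
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "roleDefinitionName": "Backup Contributor", "scope": VAULT},
    {"principal": "bob@contoso.example", "roleDefinitionName": "Contributor", "scope": RG},
    {"principal": "ops-admins (group)", "roleDefinitionName": "Owner", "scope": SUB},
    {"principal": "carol@contoso.example", "roleDefinitionName": "Backup Operator", "scope": OTHER_VAULT},
    {"principal": "dave@contoso.example", "roleDefinitionName": "Reader", "scope": SUB},
    {"principal": "svc-backup-automation", "roleDefinitionName": "Backup Contributor", "scope": SUB},
    {"principal": "eve@contoso.example", "roleDefinitionName": "Backup Reader", "scope": VAULT},
]
STALE_PRINCIPALS = {"eve@contoso.example"}


def scope_covers(scope, resource_id):
    """True when an assignment at `scope` is inherited by `resource_id`.
    ARM scopes inherit downward: subscription -> resource group -> resource,
    and the match must end on a path boundary (prod != prod-vault)."""
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def review_vault_access(assignments, vault_id, stale_principals=frozenset()):
    """Return findings, in listing order, for assignments that grant more than
    a vault needs or that belong to a stale principal."""
    findings = []
    for a in assignments:
        if not scope_covers(a["scope"], vault_id):
            continue  # this assignment never reaches the vault
        role = a["roleDefinitionName"]
        at_vault = a["scope"].lower() == vault_id.lower()
        if a["principal"] in stale_principals:
            findings.append(_finding(a, "high", "stale or deactivated account still holds access"))
        elif role in BACKUP_BUILTIN_ROLES:
            if not at_vault:  # least-privilege role, but granted to every vault under the scope
                findings.append(_finding(a, "low", "Backup role granted above vault scope; scope it to the vault"))
        elif role in READ_ONLY_ROLES:
            pass  # read-only access is acceptable for a review
        elif role in ACCESS_ADMIN_ROLES:
            findings.append(_finding(a, "high", f"{role} can change backups and access; replace with a Backup role"))
        else:
            findings.append(_finding(a, "medium", f"{role} is broader than the Backup built-in roles"))
    return findings


def _finding(assignment, severity, reason):
    return {"principal": assignment["principal"], "role": assignment["roleDefinitionName"],
            "scope": assignment["scope"], "severity": severity, "reason": reason}
```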

4.7: Use host-based data loss prevention to enforce access control

Guidance: Not applicable; this recommendation is intended for compute resources. Microsoft manages the underlying infrastructure for Azure Backup and has implemented strict controls to prevent the loss or exposure of customer data.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

4.8: Encrypt sensitive information at rest

Guidance: Azure Backup supports encryption for at-rest data. For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For cloud workloads, data is encrypted-at-rest using Storage Service Encryption (SSE). Microsoft does not decrypt the backup data at any point.

When backing up with the MARS agent or using a Recovery Services vault encrypted with a customer-managed key, only you have access to the encryption key. Microsoft never maintains a copy and doesn't have access to the key. If the key is misplaced, Microsoft can't recover the backup data.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to production Azure Recovery Services vaults as well as other critical or related resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
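The control-plane change detection that 1.11, 2.3/2.6 and 4.9 call for, as an added example that is not part of the baseline: it runs over a handful of constructed Activity Log records, keeps only write operations (PUT, POST, DELETE, logged as /write, /delete or /action) against Recovery Services vaults and the NSGs or firewalls protecting MARS-agent VMs, and reports the "what, who, and when" with a severity. The record layout is flattened for the example (real exports nest operationName and status), the subscription, resource names and callers are invented, and the KQL at the end assumes the current AzureActivity column names.

```python
"""Triage exported Activity Log records for control-plane writes against
Recovery Services vaults and the NSGs / firewalls that protect MARS-agent VMs.
Added example, not part of the baseline; the records are constructed and
flattened (real exports nest operationName/status), so adapt the accessors."""
from collections import Counter
from datetime import datetime

# Resource types whose configuration this baseline says to watch: the vault
# (controls 2.3, 4.9) and the NSG / Azure Firewall in front of a MARS-agent VM
# (control 1.11). Compared lowercase.
WATCHED_TYPES = {
    "microsoft.recoveryservices/vaults",
    "microsoft.network/networksecuritygroups",
    "microsoft.network/azurefirewalls",
}
# Writes that remove protection or change exposure outright.
HIGH_SEVERITY_SUFFIXES = ("/delete", "/securityrules/write", "/backuppolicies/write")

# Constructed sample records (invented subscription, resource names, callers).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT = SUB + "/resourceGroups/prod-rg/providers/Microsoft.RecoveryServices/vaults/prod-vault"
NSG = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Network/networkSecurityGroups/mars-nsg"
VM = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/mars-vm"
SAMPLE_ACTIVITY_LOG = [
    {"eventTimestamp": "2020-06-01T10:14:58+00:00", "caller": "alice@contoso.example",
     "operationName": "Microsoft.RecoveryServices/vaults/delete", "resourceId": VAULT, "status": "Started"},
    {"eventTimestamp": "2020-06-01T10:15:03+00:00", "caller": "alice@contoso.example",
     "operationName": "Microsoft.RecoveryServices/vaults/delete", "resourceId": VAULT, "status": "Succeeded"},
    {"eventTimestamp": "2020-06-01T10:20:00+00:00", "caller": "bob@contoso.example",
     "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "resourceId": NSG + "/securityRules/allow-any-outbound", "status": "Succeeded"},
    {"eventTimestamp": "2020-06-01T10:21:00+00:00", "caller": "carol@contoso.example",
     "operationName": "Microsoft.RecoveryServices/vaults/read", "resourceId": VAULT, "status": "Succeeded"},
    {"eventTimestamp": "2020-06-01T10:22:00+00:00", "caller": "bob@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/write", "resourceId": VM, "status": "Succeeded"},
    {"eventTimestamp": "2020-06-01T10:30:00+00:00", "caller": "svc-backup-automation",
     "operationName": "Microsoft.RecoveryServices/vaults/backupPolicies/write",
     "resourceId": VAULT + "/backupPolicies/DailyPolicy", "status": "Failed"},
    {"eventTimestamp": "2020-06-01T10:31:00+00:00", "caller": "alice@contoso.example",
     "operationName": "Microsoft.RecoveryServices/vaults/write", "resourceId": VAULT, "status": "Succeeded"},
]


def is_write_operation(operation_name):
    """Control-plane writes (PUT/POST/DELETE) are logged as /write, /delete or /action."""
    return operation_name.lower().endswith(("/write", "/delete", "/action"))


def resource_type_of(resource_id):
    """Lowercase 'provider/type' of an ARM resource id; child resources such as
    .../vaults/v/backupPolicies/p map to their parent vault type."""
    rid = resource_id.lower()
    if "/providers/" not in rid:
        return ""
    segments = rid.split("/providers/")[-1].split("/")
    return "/".join(segments[:2]) if len(segments) >= 2 else ""


def find_alerts(records):
    """Alerts (what, who, when, severity) for succeeded or failed write operations
    on watched resource types, oldest first. 'Started' entries are skipped because
    every write also logs a terminal Succeeded/Failed entry."""
    alerts = []
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["eventTimestamp"])):
        op, status = rec["operationName"], rec.get("status", "").lower()
        if not is_write_operation(op) or status == "started":
            continue
        if resource_type_of(rec["resourceId"]) not in WATCHED_TYPES:
            continue
        if status == "succeeded":
            severity = "high" if op.lower().endswith(HIGH_SEVERITY_SUFFIXES) else "medium"
        else:
            severity = "low"  # a failed attempt still tells you who tried what
        alerts.append({"when": rec["eventTimestamp"], "who": rec.get("caller", "<unknown>"),
                       "what": op, "resource": rec["resourceId"], "status": rec.get("status"),
                       "severity": severity})
    return alerts


def count_by_caller(alerts):
    """Roll-up for a 'who changed what' report: caller -> number of alerts."""
    return dict(Counter(a["who"] for a in alerts))


# Roughly the same filter as a Log Analytics query over the AzureActivity table
# fed by the diagnostic settings in 2.3/2.6. Column names are an assumption from
# the current AzureActivity schema; check them against your workspace.
KQL_EQUIVALENT = """
AzureActivity
| where ActivityStatusValue in ("Success", "Failure")
| where OperationNameValue endswith "/write" or OperationNameValue endswith "/delete"
| where ResourceProviderValue in~ ("Microsoft.RecoveryServices", "Microsoft.Network")
| project TimeGenerated, Caller, OperationNameValue, ActivityStatusValue, _ResourceId
"""
```

With the sample data, the vault deletion and the NSG rule change come out as high, the failed policy write as low, and the vault configuration write as medium.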

Vulnerability Management

For more information, see Security Control: Vulnerability Management.

5.1: Run automated vulnerability scanning tools

Guidance: Not yet available; vulnerability assessment in Azure Security Center is not yet available for Azure Backup.

The underlying platform is scanned and patched by Microsoft. Review the security controls available for Azure Backup to reduce service configuration related vulnerabilities.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

5.2: Deploy automated operating system patch management solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.3: Deploy automated third-party software patch management solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.4: Compare back-to-back vulnerability scans

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Currently not available; security configurations for Azure Backup are not yet supported in Azure Security Center.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Inventory and Asset Management

For more information, see Security Control: Inventory and Asset Management.

6.1: Use Azure Asset Discovery

Guidance: Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols) within your subscription(s). Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources giving metadata to logically organize them into a taxonomy.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

In addition, use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:
- Not allowed resource types
- Allowed resource types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Maintain an inventory of approved Azure resources and software titles

Guidance: Define approved Azure resources and approved software for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscription(s).

Use Azure Resource Graph to query/discover resources within your subscription(s). Ensure that all Azure resources present in the environment are approved.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.7: Remove unapproved Azure resources and software applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.8: Use only approved applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:
- Not allowed resource types
- Allowed resource types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.10: Implement approved application list

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.11: Limit users' ability to interact with Azure Resource Manager via scripts

Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.13: Physically or logically segregate high risk applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Secure Configuration

For more information, see Security Control: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for your Recovery Services vault with Azure Policy. Use Azure Policy aliases in the "Microsoft.RecoveryServices" namespace to create custom policies to audit or enforce the configuration of your Recovery Services vaults.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.3: Maintain secure Azure resource configurations

Guidance: Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.4: Maintain secure operating system configurations

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.5: Securely store configuration of Azure resources

Guidance: If using custom Azure Policy definitions, use Azure DevOps or Azure Repos to securely store and manage your code.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.6: Securely store custom operating system images

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.7: Deploy system configuration management tools

Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.RecoveryServices" namespace to create custom policies to alert, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy system configuration management tools for operating systems

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement automated configuration monitoring for Azure services

Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.RecoveryServices" namespace to create custom policies to alert, audit, and enforce system configurations. Use Azure Policy [audit], [deny], and [deploy if not exist] to automatically enforce configurations for your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.10: Implement automated configuration monitoring for operating systems

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.11: Manage Azure secrets securely

Guidance: When setting up the MARS agent, store your encryption passphrase within Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.12: Manage identities securely and automatically

Guidance: Not applicable; Managed Identities are not supported for Azure Backup.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware Defense

For more information, see Security Control: Malware Defense.

8.1: Use centrally managed anti-malware software

Guidance: Not applicable; this recommendation is intended for compute resources. Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure Backup); however, it does not run on customer content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft Antimalware is enabled on the underlying host that supports Azure services (for example, Azure Backup), however it does not run on your content.

Pre-scan any files being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, and Blob Storage.

Use Azure Security Center's Threat detection for data services to detect malware uploaded to storage accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data Recovery

For more information, see Security Control: Data Recovery.

9.1: Ensure regular automated backups

Guidance: Not applicable; this recommendation is intended for resources being backed up and not Azure Backup itself.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

9.2: Perform complete system backups and backup any customer managed keys

Guidance: Locally redundant storage (LRS) replicates your data three times (it creates three copies of your data) in a storage scale unit in a datacenter. All copies of the data exist within the same region. LRS is a low-cost option for protecting your data from local hardware failures. Geo-redundant storage (GRS) is the default and recommended replication option. GRS replicates your data to a secondary region (hundreds of miles away from the primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of durability for your data, even if there's a regional outage.

Backup customer managed keys within Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.3: Validate all backups including customer managed keys

Guidance: Test restoration of backed up customer managed keys.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure protection of backups and customer managed keys

Guidance: For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE). You may enable soft-delete in Key Vault to protect keys against accidental or malicious deletion.

Azure Security Center monitoring: Yes

Responsibility: Customer

Incident Response

For more information, see Security Control: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production and non-production) and create a naming system to clearly identify and categorize Azure resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via "Logic Apps" on security alerts and recommendations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see Security Control: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings within 60 days

Guidance: Follow the Microsoft Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies.

Azure Security Center monitoring: Not applicable

Responsibility: Shared
