Azure security baseline for Azure Backup

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Backup. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Backup.

Note

Controls not applicable to Azure Backup, and those for which the global guidance is recommended verbatim, have been excluded. To see how Azure Backup completely maps to the Azure Security Benchmark, see the full Azure Backup security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-1: Implement security for internal traffic

Guidance: Azure Backup doesn't support deploying directly into a virtual network. Backup can't use network features like network security groups, route tables, or network-dependent appliances like Azure Firewall.

Use Microsoft Sentinel to discover the use of legacy insecure protocols such as:

  • Transport Layer Security (TLS) v1

  • Server Message Block (SMB) v1

  • LAN Manager (LM) or New Technology LAN Manager (NTLM) v1

  • wDigest

  • Unsigned Lightweight Directory Access Protocol (LDAP) Binds

  • Weak ciphers in Kerberos

All offerings enforce TLS 1.2 and above except for Microsoft Azure Recovery Services (MARS) agent backups. For MARS agent backups only, Backup supports TLS 1.1 and older until September 1, 2021. After that, MARS agent backups will also enforce TLS 1.2 and above.

When you back up SQL servers and SAP HANA instances on Azure VMs, you have to allow outbound access to port 443 to access certain fully qualified domain names (FQDNs) or when using service tags.

You can use private endpoints for your Recovery Services vaults. Only networks that contain private endpoints for the vault can access the vault.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-2: Connect private networks together

Guidance: To back up on-premises servers, you can use ExpressRoute or virtual private network (VPN) to connect to Azure.

Use the Azure Backup Community when using Microsoft peering for ExpressRoute. Use private peering when using private endpoints for Backup. Network traffic between peered virtual networks is private and remains on the Azure backbone network.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-3: Establish private network access to Azure services

Guidance: Vault is an Azure resource you can access through the Azure portal, Azure CLI, PowerShell, SDK, and REST. Backup also supports private endpoints for Recovery Services vaults.

Use Azure Private Link for private access to Recovery Services vaults from your virtual networks without crossing the internet. Private access adds a defense-in-depth measure to Azure authentication and traffic security.

Backup doesn't provide the capability to configure virtual network service endpoints.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-6: Simplify network security rules

Guidance: Use Azure Virtual Network service tags to define network access controls for Backup resources on network security groups (NSGs) or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. Specify the service tag name in the appropriate rule source or destination field to allow or deny the traffic. Microsoft manages the address prefixes the service tag encompasses, and automatically updates the service tag as addresses change.

For networks that host services that communicate to Backup, allow the 'AzureBackup', 'AzureStorage', and 'AzureActiveDirectory' service tags outbound on your NSGs.
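The following is an added example, not code from the Azure Backup baseline or from the product documentation. It creates the three outbound allow rules named above with Azure PowerShell, using the service tags instead of IP prefixes so that Microsoft's prefix updates flow through automatically. It assumes the Az.Network module, an NSG that already exists, and the placeholder resource names shown; the TCP 443 port is the one the NS-1 guidance calls out for SQL Server and SAP HANA backups.

```powershell
# Added example; not code from the Azure Backup baseline or the product.
# Creates outbound allow rules for the AzureBackup, AzureStorage and
# AzureActiveDirectory service tags on an existing NSG.
# Assumes the Az.Network module; the resource names below are placeholders.
$ResourceGroupName = 'rg-backup-demo'   # placeholder
$NsgName           = 'nsg-workload'     # placeholder

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName

# One allow rule per service tag, TCP 443. Priorities 100-120 evaluate before a
# catch-all outbound deny rule, which would normally use a higher number such as 4000.
$rules = @(
    @{ Name = 'Allow-AzureBackup-Out';          Tag = 'AzureBackup';          Priority = 100 }
    @{ Name = 'Allow-AzureStorage-Out';         Tag = 'AzureStorage';         Priority = 110 }
    @{ Name = 'Allow-AzureActiveDirectory-Out'; Tag = 'AzureActiveDirectory'; Priority = 120 }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script is safe to re-run.
    if ($nsg.SecurityRules | Where-Object Name -eq $r.Name) { continue }

    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name $r.Name -Description "Azure Backup traffic via service tag $($r.Tag)" `
        -Direction Outbound -Access Allow -Protocol Tcp -Priority $r.Priority `
        -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
        -DestinationAddressPrefix $r.Tag -DestinationPortRange 443
}

# Commit the change, then show the outbound rule order for review.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
$nsg.SecurityRules |
    Where-Object Direction -eq 'Outbound' |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, DestinationAddressPrefix, DestinationPortRange -AutoSize
```

Service tags only apply to Azure virtual network traffic; on-premises servers backed up with the MARS agent reach the vault over ExpressRoute, VPN or the internet as described under NS-2, and are not governed by these NSG rules.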

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-7: Secure Domain Name Service (DNS)

Guidance: Not applicable. Backup doesn't expose its underlying DNS configurations. Microsoft maintains these settings.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Backup uses Azure Active Directory (Azure AD) as its default identity and access management service. Standardize Azure AD to govern your organization's identity and access management in:

  • Microsoft Cloud resources. Resources include:

    • The Azure portal

    • Azure Storage

    • Azure Linux and Windows virtual machines

    • Azure Key Vault

    • Platform-as-a-service (PaaS)

    • Software-as-a-service (SaaS) applications

  • Your organization's resources, such as applications on Azure or your corporate network resources.

Securing Azure AD should be a high priority for your organization's cloud security practice. Azure AD provides an identity secure score to help you compare your identity security posture to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Note: Azure AD supports external identities that allow users without a Microsoft account to sign in to their applications and resources.

Backup uses Azure role-based access control (RBAC) to allow fine-grained access to resources. Backup provides three built-in roles: Backup Contributor, Backup Operator, and Backup Reader.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

IM-2: Manage application identities securely and automatically

Guidance: Backup supports managed identities for its Azure resources. Use managed identities with Backup instead of creating service principals to access other resources.

Backup can natively authenticate to Azure services and resources that support Azure AD authentication. Backup uses a predefined access grant rule instead of credentials hard coded in source code or configuration files.

Backup uses managed identities for doing backup and restore operations on protected data sources in Backup vaults. Backup also uses managed identities to manage security features like encryption with customer-managed keys and private endpoints for Recovery Services vaults.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

IM-3: Use Azure AD single sign-on (SSO) for application access

Guidance: Connect all your users, applications, and devices to Azure AD. Azure AD offers seamless, secure access, and greater visibility and control.

Backup uses Azure AD to provide identity and access management for Azure resources. Identities that can use Azure AD to authenticate to Backup include enterprise identities like employees, and external identities like partners, vendors, and suppliers. Azure AD provides single sign-on (SSO) to manage and secure access to your organization's on-premises and cloud data and resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

IM-7: Eliminate unintended credential exposure

Guidance: Use Azure DevOps Credential Scanner to discover credentials within your Backup Azure Resource Manager (ARM) templates. Credential Scanner encourages moving discovered credentials to more secure locations such as Azure Key Vault.

For GitHub, you can use the native secret scanning feature to identify credentials or other secrets in code.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-1: Protect and limit highly privileged users

Guidance: The most critical built-in Azure AD roles are the Global Administrator and the Privileged Role Administrator. Users with these two roles can delegate administrator roles.

  • The Global Administrator or Company Administrator has access to all Azure AD administrative features and services that use Azure AD identities.

  • The Privileged Role Administrator can manage role assignments in Azure AD and Azure AD Privileged Identity Management (PIM). This role can manage all aspects of PIM and administrative units.

Limit the number of highly privileged accounts or roles, and protect these accounts at an elevated level. Highly privileged users can directly or indirectly read and modify all your Azure resources.

You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD PIM. JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts for suspicious or unsafe activity in your Azure AD organization.

The Backup Contributor RBAC role has all permissions to create and manage backups, except deleting the Recovery Services vault and giving access to others. This role is the administrator of backup management, who can do every backup management operation. Review identities who are assigned this role regularly, and configure them with Azure AD PIM.

Note: You might need to govern other critical roles if you assign certain privileged permissions to custom roles. You might want to apply similar controls to the administrator accounts of critical business assets.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PA-3: Review and reconcile user access regularly

Guidance: Backup uses Azure AD accounts and Azure RBAC for granting permissions to its resources. Review user accounts, and access assignments regularly to ensure the accounts and their access are valid. You can use Azure AD access reviews to review group memberships, enterprise application access, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also create access review report workflows in Azure AD Privileged Identity Management (PIM) to ease the review process.

You can also configure Azure AD PIM to alert you when there are too many administrator accounts. PIM can also identify administrator accounts that are stale or improperly configured.

Backup supports Azure RBAC for fine-grained access management for vaults. Azure Backup provides three built-in RBAC roles to control backup management operations:

  • Backup Contributor - This role has all permissions to create and manage backups, except deleting Recovery Services vaults and giving access to others. This role is the administrator of backup management, who can do every backup management operation.

  • Backup Operator - This role has permission for everything a Backup Contributor does, except removing backups and managing backup policies. This role is the same as Backup Contributor, except it can't do destructive operations, such as stop backup with delete data, or remove registration of on-premises resources.

  • Backup Reader - This role has permission to view all backup management operations. This role is for monitoring.

For more information, see the following references:

  • Create an access review of Azure resource roles in Privileged Identity Management (PIM)

  • How to use Azure AD identity and access reviews

  • Azure RBAC for Backup

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PA-6: Use privileged access workstations

Guidance: Secured, isolated workstations are critical for security of sensitive roles like administrator, developer, and critical service operator. Use highly secured user workstations and Azure Bastion for administrative tasks on Backup resources.

Use Azure AD, Microsoft Defender Advanced Threat Protection (ATP), or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. You can centrally manage secured workstations to enforce a security configuration that includes:

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PA-7: Follow the least privilege principle of just enough administration

Guidance: Backup integrates with Azure RBAC to manage its resources. With RBAC, you manage Azure resource access through role assignments. You can assign roles to users, groups, service principals, and managed identities. Certain resources have pre-defined, built-in roles. You can inventory or query these roles through tools like Azure CLI, Azure PowerShell, or the Azure portal.

Always limit the privileges you assign to resources through Azure RBAC to what the roles require. This practice complements the just-in-time (JIT) approach of Azure AD PIM. Review roles and assignments periodically.

Backup integrates with Azure RBAC, and allows using built-in and custom roles to manage access to resources. Use built-in roles to allocate permissions, and only create custom roles when required.

Azure Backup provides three built-in roles to control backup management operations:

  • Backup Contributor - This role has all permissions to create and manage backups, except deleting Recovery Services vaults and giving access to others. This role is the administrator of backup management, who can do every backup management operation.

  • Backup Operator - This role has permission for everything a Backup Contributor does, except removing backups and managing backup policies. This role is the same as Backup Contributor, except it can't do destructive operations, such as stop backup with delete data, or remove registration of on-premises resources.

  • Backup Reader - This role has permission to view all backup management operations. This role is for monitoring.

For more information, see the following references:

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PA-8: Choose approval process for Microsoft support

Guidance: Backup doesn't support Customer Lockbox. Microsoft works with customers through other methods for approval to access customer data.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-1: Discover, classify, and label sensitive data

Guidance: Azure Backup doesn't have capabilities to classify backed-up data. You can organize your data yourself by using different vaults, and attaching tags to those vaults according to their contents.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

DP-2: Protect sensitive data

Guidance: To protect sensitive data, restrict access to Backup resources by using:

  • Azure RBAC

  • Network-based access controls

  • Specific controls like encryption in Azure services

When backing up Azure IaaS VMs, Azure Backup provides independent and isolated backups to guard against accidental destruction of original data. Backups are stored in a Recovery Services vault with built-in recovery points management.

For consistency, align all types of access control with your enterprise segmentation strategy. Inform your enterprise segmentation strategy by the location of sensitive or business-critical data and systems.

Microsoft treats all customer content in the underlying Microsoft-managed platform as sensitive. Microsoft guards against customer data loss and exposure. Microsoft has default data protection controls and capabilities to ensure that Azure customer data remains secure,

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

DP-3: Monitor for unauthorized transfer of sensitive data

Guidance: Backup supports transferring customer data, but doesn't natively support monitoring for unauthorized transfer of sensitive data. However, you can write alert rules on activity and resource logs for any restore operations that take place from the vault.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

DP-4: Encrypt sensitive information in transit

Guidance: Backup traffic from servers to the Recovery Services vault transfers over a secure HTTPS link. Data is encrypted using Advanced Encryption Standard (AES) 256 when stored in the vault.

Backup supports data encryption in transit with TLS v1.2 or greater. This requirement is optional for traffic on private networks, but critical for traffic on external and public networks. For HTTP traffic, make sure any clients that connect to your Azure resources can use TLS v1.2 or greater.

Disable weak ciphers and obsolete SSL, TLS, and SSH versions and protocols.

Azure encrypts data in transit between Azure data centers by default.
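The script below is an added example, not part of the baseline or the MARS agent's own tooling. It audits, and on request enforces, a TLS 1.2-only client configuration on a Windows server that runs the MARS agent, which matters because MARS was the one offering that still accepted TLS 1.1 and older. It assumes an elevated PowerShell session and uses the standard SCHANNEL protocol keys plus the .NET Framework strong-crypto keys that .NET clients such as the MARS agent consult; a reboot is needed for SCHANNEL changes to take effect.

```powershell
# Added example; not code from the Azure Backup baseline or the MARS agent.
# Audits and optionally enforces TLS 1.2-only client settings on a Windows host.
# Assumes an elevated session; registry paths are the standard SCHANNEL and
# .NET Framework locations.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$Obsolete = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

function Get-ClientProtocolState {
    # Reports the client-side state of each SCHANNEL protocol version.
    foreach ($proto in ($Obsolete + 'TLS 1.2')) {
        $key = Join-Path $SchannelRoot "$proto\Client"
        $enabled = $null; $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        [pscustomobject]@{
            Protocol          = $proto
            KeyPresent        = Test-Path $key
            Enabled           = $enabled            # $null means the OS default applies
            DisabledByDefault = $disabledByDefault
            Wanted            = if ($proto -eq 'TLS 1.2') { 'Enabled' } else { 'Disabled' }
        }
    }
}

function Set-ClientTls12Only {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Disable obsolete protocol versions for the client role.
    foreach ($proto in $Obsolete) {
        $key = Join-Path $SchannelRoot "$proto\Client"
        if ($PSCmdlet.ShouldProcess($key, 'Disable protocol')) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
            Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
        }
    }
    # Explicitly enable TLS 1.2 for the client role.
    $tls12 = Join-Path $SchannelRoot 'TLS 1.2\Client'
    if ($PSCmdlet.ShouldProcess($tls12, 'Enable protocol')) {
        New-Item -Path $tls12 -Force | Out-Null
        Set-ItemProperty -Path $tls12 -Name Enabled -Value 1 -Type DWord
        Set-ItemProperty -Path $tls12 -Name DisabledByDefault -Value 0 -Type DWord
    }
    # .NET Framework clients negotiate the OS default (TLS 1.2) only when strong
    # crypto and system default TLS versions are switched on.
    foreach ($key in $DotNetKeys) {
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Enable strong crypto')) {
            Set-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -Type DWord
            Set-ItemProperty -Path $key -Name SystemDefaultTlsVersions -Value 1 -Type DWord
        }
    }
}

# Audit first. Run Set-ClientTls12Only -WhatIf to preview the changes, then run it
# without -WhatIf and reboot the host.
Get-ClientProtocolState | Format-Table -AutoSize
```

Run the audit on every MARS host and on any jump host that reaches the vault before the enforcement date, so that a host still limited to TLS 1.1 shows up as a configuration finding rather than as a failed backup job.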

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

DP-5: Encrypt sensitive data at rest

Guidance: Backup supports encryption for at-rest data. For on-premises backup, encryption-at-rest uses the passphrase you provide when backing up to Azure. For cloud workloads, data is encrypted at rest by default, using Storage Service Encryption (SSE) and Microsoft-managed keys. Backup also provides options for customer-managed keys to meet regulatory requirements.

When backing up with the MARS agent, or using a Recovery Services vault encrypted with a customer-managed key, only the customer has access to the encryption key. Microsoft doesn't maintain a copy or have access to the key. If the key is misplaced, Microsoft can't recover the backup data.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Make sure the security team has visibility into risks for assets

Guidance: Make sure to grant security teams Backup Reader and Reader permissions in your Azure tenant and subscriptions, so they can review Backup configurations and data for security risks.

Monitoring for security risks could be the responsibility of a central security team or a local team, depending on how you structure responsibilities. Always aggregate security insights and risks centrally within an organization.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

AM-2: Make sure the security team has access to asset inventory and metadata

Guidance: Make sure that security teams have access to a continuously updated inventory of assets on Azure, like Backup. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvements. Create an Azure AD group to contain your organization's authorized security team, and assign it read access to all Backup resources. You can simplify the process with a single high-level role assignment in your subscription.

Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.
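The script below is an added example, not code from the baseline, that pulls together the identity recommendations from PA-3, PA-7, AM-1 and AM-2: one Azure AD group for the security team with a single subscription-level Backup Reader (and Reader) assignment, an Environment tag on every Recovery Services vault, and a review of who holds the privileged Backup Contributor and Backup Operator roles. It assumes the Az.Accounts, Az.Resources and Az.RecoveryServices modules and a signed-in context; the group name and tag values are placeholders.

```powershell
# Added example; not code from the Azure Backup baseline or the product.
# Assumes Az.Accounts, Az.Resources and Az.RecoveryServices; names are placeholders.
$SubscriptionId = (Get-AzContext).Subscription.Id
$Scope          = "/subscriptions/$SubscriptionId"
$GroupName      = 'sec-backup-readers'   # placeholder

# 1. One Azure AD group for the security team, one subscription-level assignment
#    per role, so new vaults inherit read access without further work.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $GroupName -MailNickname $GroupName `
        -Description 'Security team: read-only access to Azure Backup'
}
foreach ($role in 'Backup Reader', 'Reader') {
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $Scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $Scope | Out-Null
    }
}

# 2. Tag every Recovery Services vault so inventory queries can group by environment.
foreach ($vault in Get-AzRecoveryServicesVault) {
    Update-AzTag -ResourceId $vault.ID -Tag @{ Environment = 'Production'; DataOwner = 'backup-team' } `
        -Operation Merge | Out-Null
}

# 3. Review the privileged backup roles across the subscription. Direct assignments
#    to individual users and subscription-wide assignments are the first to question;
#    the baseline recommends managing these through Azure AD PIM.
$privileged = 'Backup Contributor', 'Backup Operator'
$findings = foreach ($role in $privileged) {
    Get-AzRoleAssignment -RoleDefinitionName $role | ForEach-Object {
        $flag = ''
        if ($_.ObjectType -eq 'User')  { $flag = 'Direct user assignment' }
        elseif ($_.Scope -eq $Scope)   { $flag = 'Subscription-wide' }
        [pscustomobject]@{
            Role          = $role
            Principal     = $_.DisplayName
            PrincipalType = $_.ObjectType
            Scope         = $_.Scope
            Flag          = $flag
        }
    }
}
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Feed the findings table into the periodic access review; an empty Flag column for every row means privileged backup access is held only by groups at narrow scopes, which is the state PA-7 asks for.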

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

AM-3: Use only approved Azure services

Guidance: Backup supports monitoring and enforcing configurations using Azure Policy. Assign Azure Policy built-in definitions to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within subscriptions. You can also use Azure Monitor to create rules that trigger alerts when they detect an unapproved service.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-1: Enable threat detection for Azure resources

Guidance: Use the Microsoft Defender for Cloud built-in threat detection capability. Enable Microsoft Defender for your DDoS Protection Standard resources. Microsoft Defender provides an extra layer of security intelligence. Microsoft Defender detects unusual and potentially harmful attempts to access or exploit your DDoS Protection resources.

Azure Backup generates activity and resource logs, which you can use to audit actions against Backup resources and detect threats. Forward the Backup logs to your security information and event management (SIEM) system. You can use your SIEM to set up custom threat detections.

Make sure to monitor different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts, to reduce false positives for analysts to sort through. You can source alerts from log data, agents, or other data.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-4: Enable logging for Azure resources

Guidance: Activity logs are available automatically. The logs contain all PUT, POST, and DELETE, but not GET, operations for Backup resources. You can use activity logs to find errors when troubleshooting, or to monitor how users modified resources.

Enable Azure resource logs for Backup. You can use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting. These logs can be critical for investigating security incidents and doing forensic exercises.
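The script below is an added example, not code from the baseline or the product, covering the logging asks of LT-1 and LT-4 together with the restore alerting suggested under DP-3: it sends a Recovery Services vault's resource logs to a Log Analytics workspace and creates an activity log alert that fires whenever a restore operation succeeds against the vault. It assumes Az.Monitor 3.x or later (the `*Object` helper cmdlets), Az.RecoveryServices, Az.Resources, an existing workspace and action group, and that the vault resource type accepts the `allLogs` category group; the resource names and IDs are placeholders.

```powershell
# Added example; not code from the Azure Backup baseline or the product.
# Assumes Az.Monitor 3.x+, Az.RecoveryServices, Az.Resources; names/IDs are placeholders.
$ResourceGroupName = 'rg-backup-demo'   # placeholder
$VaultName         = 'rsv-prod-01'      # placeholder
$WorkspaceResId    = '/subscriptions/<sub-id>/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-sec'  # placeholder
$ActionGroupResId  = '/subscriptions/<sub-id>/resourceGroups/rg-sec/providers/microsoft.insights/actionGroups/ag-secops'       # placeholder

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroupName -Name $VaultName

# 1. Resource logs: every log category, written to resource-specific (dedicated) tables.
$logs = New-AzDiagnosticSettingLogSettingsObject -CategoryGroup 'allLogs' -Enabled $true
New-AzDiagnosticSetting -Name 'to-law-sec' -ResourceId $vault.ID -WorkspaceId $WorkspaceResId `
    -Log $logs -LogAnalyticsDestinationType 'Dedicated' | Out-Null

# 2. Discover the restore operations the RecoveryServices provider exposes instead of
#    hardcoding operation names that may change.
$restoreOps = Get-AzProviderOperation 'Microsoft.RecoveryServices/*' |
    Where-Object Operation -like '*/restore/action'

# 3. One activity log alert per restore operation, scoped to this vault only.
$action = New-AzActivityLogAlertActionGroupObject -Id $ActionGroupResId
$i = 0
foreach ($op in $restoreOps) {
    $i++
    $conditions = @(
        New-AzActivityLogAlertConditionObject -Field 'category'      -Equal 'Administrative'
        New-AzActivityLogAlertConditionObject -Field 'operationName' -Equal $op.Operation
        New-AzActivityLogAlertConditionObject -Field 'status'        -Equal 'Succeeded'
    )
    New-AzActivityLogAlert -Name "restore-from-$VaultName-$i" -ResourceGroupName $ResourceGroupName `
        -Location 'global' -Scope $vault.ID -Condition $conditions -Action $action `
        -Description "Restore performed from $VaultName : $($op.OperationName)" | Out-Null
}

# Show which operations are now covered.
$restoreOps | Format-Table Operation, OperationName -AutoSize
```

Activity log alerts cover the control-plane record of a restore (who, when, which recovery point) and fire within minutes; the resource logs sent in step 1 carry the job-level detail that an investigator needs afterwards, which is why both are enabled together.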

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

LT-5: Centralize security log management and analysis

Guidance: Centralize logging storage and analysis to enable correlation of Backup log data. For each log source, make sure to record:

  • The assigned data owner
  • Access guidance
  • Storage location
  • Tools that process and access the data
  • Data retention requirements

Make sure to integrate Azure activity logs into your central logging. Ingest logs through Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and do analytics. Use Azure Storage accounts for long-term and archival storage.

Enable and onboard data to Microsoft Sentinel or a third-party SIEM. You can use Microsoft Sentinel for “hot” data that you use frequently, and Azure Storage for “cold” data that you use less frequently.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

LT-6: Configure log storage retention

Guidance: Use Azure Storage or Log Analytics workspace accounts for long-term and archival storage. For storage accounts or Log Analytics workspaces that store Backup logs, set a log retention period that meets your organization's compliance regulations.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

LT-7: Use approved time synchronization sources

Guidance: Backup doesn't support configuring your own time synchronization sources. Backup relies on Microsoft time synchronization sources that aren't exposed to customers for configuration.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

Posture and Vulnerability Management

For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.

PV-1: Establish secure configurations for Azure services

Guidance: Monitor and enforce secure configurations of your Recovery Services vault by assigning built-in and custom Azure Policy definitions. Where built-in policies don't meet your requirements, use Azure Policy aliases in the "Microsoft.RecoveryServices" namespace to create custom policies.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PV-2: Sustain secure configurations for Azure services

Guidance: Use Azure Policy to monitor and enforce Backup configurations, such as:

  • Settings for your vaults

  • Encryption using customer-managed keys

  • Using private endpoints for your vaults

  • Deploying diagnostic settings

Use the Azure Policy deny and deploy-if-not-exists effects to enforce secure configuration across Azure Backup resources.
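As an added example (not code from the baseline or the product) for PV-1 and PV-2, the script below assigns the built-in definition "Azure Backup should be enabled for Virtual Machines" (the one listed under BR-2) at subscription scope, lists the virtual machines it reports as non-compliant, and enumerates the Azure Policy aliases in the Microsoft.RecoveryServices namespace that custom deny or deploy-if-not-exists rules for vaults can reference. It assumes Az.Resources and Az.PolicyInsights and a signed-in context; the assignment name is a placeholder.

```powershell
# Added example; not code from the Azure Backup baseline or the product.
# Assumes Az.Resources and Az.PolicyInsights; the assignment name is a placeholder.
$Scope       = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$DisplayName = 'Azure Backup should be enabled for Virtual Machines'

# Look the built-in definition up by display name so no definition GUID is hardcoded.
# Older Az.Resources exposes DisplayName under .Properties, newer versions at top level.
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq $DisplayName -or $_.DisplayName -eq $DisplayName }
if (-not $definition) { throw "Built-in policy '$DisplayName' not found" }

$assignment = Get-AzPolicyAssignment -Name 'require-vm-backup' -Scope $Scope -ErrorAction SilentlyContinue
if (-not $assignment) {
    $assignment = New-AzPolicyAssignment -Name 'require-vm-backup' -DisplayName $DisplayName `
        -PolicyDefinition $definition -Scope $Scope
}

# Compliance results: VMs the policy reports as not protected by Azure Backup.
Get-AzPolicyState -PolicyAssignmentName $assignment.Name -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState, Timestamp |
    Format-Table -AutoSize

# Aliases available for custom policy rules against Recovery Services vaults (PV-1).
Get-AzPolicyAlias -NamespaceMatch 'Microsoft.RecoveryServices' |
    Where-Object ResourceType -eq 'vaults' |
    ForEach-Object { $_.Aliases } |
    Select-Object -ExpandProperty Name |
    Sort-Object -Unique
```

The built-in definition only audits. A custom definition with the deploy-if-not-exists effect (for example, to create the diagnostic setting from LT-4 on every new vault) needs a managed identity on the assignment so that it can deploy the missing resource; New-AzPolicyAssignment creates one when called with -IdentityType SystemAssigned and a -Location.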

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PV-6: Do software vulnerability assessments

Guidance: Backup doesn't deploy customer-facing compute resources that support vulnerability assessment tools. Microsoft handles vulnerabilities and assessments for the underlying platform that supports Backup.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

PV-7: Rapidly and automatically remediate software vulnerabilities

Guidance: Backup doesn't deploy customer-facing compute resources that support vulnerability assessment tools. Microsoft handles vulnerabilities and assessments for the underlying platform that supports Backup.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

PV-8: Conduct regular attack simulation

Guidance: Conduct penetration testing or red team activities on your Azure resources as needed, and ensure remediation of all critical security findings.

Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests don't violate Microsoft policies. Use Microsoft's Red Teaming strategy and execution. Do live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-2: Encrypt backup data

Guidance: Backup supports encryption for at-rest backup data that it manages. Cloud workloads encrypt data at rest by default, using Storage Service Encryption (SSE) and Microsoft-managed keys. Azure Backup provides options for customer-managed keys to meet regulatory requirements.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.RecoveryServices:

Name (Azure portal): Azure Backup should be enabled for Virtual Machines
Description: Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 2.0.0

BR-4: Mitigate risk of lost keys

Guidance: Make sure you have measures in place to prevent and recover from loss of Backup encryption keys. To protect keys against accidental or malicious deletion, enable soft delete and purge protection in your Azure Key Vault.
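The script below is an added example, not code from the baseline or the product, that ties BR-4 to the customer-managed-key encryption described under DP-5 and BR-2: it enables purge protection on the Key Vault that holds the key, gives the Recovery Services vault's managed identity the wrap/unwrap permissions it needs, and points the vault at the key by its version-less URI so that key rotation does not break backups. It assumes Az.KeyVault and Az.RecoveryServices 4.x or later, that the key already exists, and that the vault's Identity property is exposed as in current module versions; all names are placeholders.

```powershell
# Added example; not code from the Azure Backup baseline or the product.
# Assumes Az.KeyVault and Az.RecoveryServices 4.x+; the key already exists; names are placeholders.
$ResourceGroupName = 'rg-backup-demo'   # placeholder
$VaultName         = 'rsv-prod-01'      # placeholder
$KeyVaultName      = 'kv-backup-cmk'    # placeholder
$KeyName           = 'rsv-prod-01-cmk'  # placeholder

# 1. Key Vault: soft delete is always on for current vaults; purge protection must be
#    enabled explicitly and cannot be switched off again. Together they keep a deleted
#    key recoverable for the retention period, which is the BR-4 mitigation.
$kv = Get-AzKeyVault -VaultName $KeyVaultName
if (-not $kv.EnablePurgeProtection) {
    Update-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $kv.ResourceGroupName `
        -EnablePurgeProtection | Out-Null
}
if (-not (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KeyName)) {
    throw "Key '$KeyName' not found in $KeyVaultName"
}

# 2. The Recovery Services vault needs a system-assigned identity that may use the key.
#    (Assumption: the vault object exposes .Identity with PrincipalId and Type.)
$rsv = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroupName -Name $VaultName
if (-not $rsv.Identity -or $rsv.Identity.Type -ne 'SystemAssigned') {
    Update-AzRecoveryServicesVault -ResourceGroupName $ResourceGroupName -Name $VaultName `
        -IdentityType SystemAssigned | Out-Null
    $rsv = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroupName -Name $VaultName
}

# Grant only the key operations the vault needs, via whichever permission model the
# Key Vault uses (RBAC or access policies).
$principalId = $rsv.Identity.PrincipalId
if ($kv.EnableRbacAuthorization) {
    New-AzRoleAssignment -ObjectId $principalId -Scope $kv.ResourceId `
        -RoleDefinitionName 'Key Vault Crypto Service Encryption User' | Out-Null
} else {
    Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ObjectId $principalId `
        -PermissionsToKeys get, list, wrapKey, unwrapKey
}

# 3. Point the vault at the key. A URI without a version lets the vault follow rotations.
$keyUriNoVersion = "$($kv.VaultUri.TrimEnd('/'))/keys/$KeyName"
Set-AzRecoveryServicesVaultProperty -VaultId $rsv.ID -EncryptionKeyId $keyUriNoVersion | Out-Null

# Show the resulting vault properties for verification.
Get-AzRecoveryServicesVaultProperty -VaultId $rsv.ID | Format-List
```

Because Microsoft holds no copy of a customer-managed key, purge protection on the Key Vault is the only thing standing between an accidental or malicious key deletion and unrecoverable backups; treat a Key Vault without it as a finding in the same review that checks the vault's encryption setting.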

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None
