Azure security baseline for Azure Data Box

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Data Box. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Data Box.

Note

Controls not applicable to Azure Data Box, and those for which the global guidance is recommended verbatim, have been excluded. To see how Azure Data Box completely maps to the Azure Security Benchmark, see the full Azure Data Box security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-1: Implement security for internal traffic

Guidance: Azure Data Box doesn't support deploying directly into a virtual network. You can't apply certain networking features with the offering's resources, such as:

  • Network security groups (NSGs)
  • Route tables
  • Other network-dependent appliances, such as an Azure Firewall

By default, Data Box uses TLS 1.2. If some of your systems can't negotiate TLS 1.2, you can enable TLS 1.1/1.0 through the device's local UI. Treat that as a temporary exception: TLS 1.0 and 1.1 are deprecated, and enabling them weakens protection for every client that connects to the device, not just the legacy ones.

Storage accounts with virtual networks are supported. To let Data Box copy data into a storage account that's protected by a firewall, enable the trusted Microsoft services exception in the storage account's firewall settings; otherwise the Data Box service is blocked when it uploads your data.
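The check a practitioner wants before placing an order is whether each target storage account's firewall will admit the Data Box service. The following is an added example, not part of the Data Box documentation or tooling. It runs offline on a constructed sample shaped like the `networkRuleSet` block of `az storage account show` output; the account names are invented.

```python
"""Check that the storage accounts a Data Box order writes to allow trusted
Microsoft services through their firewall.

Added example, not part of the Data Box documentation. It runs offline on a
constructed sample shaped like `az storage account show --query networkRuleSet`
output; nothing here calls Azure.
"""
import json

SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ingest"
          "/providers/Microsoft.Network/virtualNetworks/vnet-ingest/subnets/snet-ingest")

# Constructed sample: three storage accounts with different firewall postures.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stdataboxprod",
   "networkRuleSet": {"defaultAction": "Deny",
                      "bypass": "AzureServices, Logging, Metrics",
                      "virtualNetworkRules": [{"id": "%s"}],
                      "ipRules": []}},
  {"name": "stdataboxlocked",
   "networkRuleSet": {"defaultAction": "Deny",
                      "bypass": "None",
                      "virtualNetworkRules": [],
                      "ipRules": []}},
  {"name": "stdataboxopen",
   "networkRuleSet": {"defaultAction": "Allow",
                      "bypass": "AzureServices",
                      "virtualNetworkRules": [],
                      "ipRules": []}}
]
""" % SUBNET)


def bypass_set(rule_set):
    """The CLI renders `bypass` as a comma-separated string; normalise it to a set."""
    raw = rule_set.get("bypass") or "None"
    return {item.strip() for item in raw.split(",") if item.strip()}


def assess_account(account):
    """Return a list of findings for one storage account (empty means it's fine)."""
    rules = account.get("networkRuleSet", {})
    findings = []
    firewalled = rules.get("defaultAction") == "Deny"
    if not firewalled:
        # Not a Data Box blocker, but the account is reachable from any network,
        # which the segmentation guidance in this baseline argues against.
        findings.append("default action is Allow: the firewall isn't restricting access")
    if firewalled and "AzureServices" not in bypass_set(rules):
        findings.append("firewall is on but trusted Microsoft services aren't allowed: "
                        "the Data Box service will be blocked when it uploads")
    return findings


def assess_all(accounts):
    """Map each account name to its findings."""
    return {acct["name"]: assess_account(acct) for acct in accounts}


if __name__ == "__main__":
    for name, findings in assess_all(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against real output by replacing `SAMPLE_ACCOUNTS` with the parsed result of `az storage account list` for the subscription that holds the order's target accounts.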

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-7: Secure Domain Name Service (DNS)

Guidance: Follow the best practices for DNS security. These practices mitigate against common attacks, such as:

  • Dangling DNS
  • DNS amplification attacks
  • DNS poisoning and spoofing

When you use Azure DNS as your authoritative DNS service, make sure DNS zones and records are protected from accidental or malicious modification. Use Azure role-based access control (RBAC) and resource locks.

Data Box recommends that you bring your own certificates for the device. If you use the default device-generated certificates instead, follow the certificate guidelines described in this document so that clients trust the device explicitly rather than blindly.


Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Data Box uses local authentication for:

  • Controlling device access through a device unlock passkey.

  • SMB credentials to copy data in and out of the device.

  • Azure Storage account keys to access Data Box through REST APIs.

  • Client IP address allow-listing for NFS access (NFS shares on the device have no per-user credentials, so restrict which hosts can mount them).

For more information, read these articles:

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

IM-2: Manage application identities securely and automatically

Guidance: Use Azure Active Directory (Azure AD) to create a service principal with restricted permissions at the resource level. Configure the service principal with certificate credentials, and fall back to client secrets only where certificates aren't possible. In both cases, store the credential in Azure Key Vault and let the runtime environment (such as an Azure function) retrieve it with an Azure-managed identity, so no credential is embedded in code or configuration.

Data Box lets you use your own keys for encryption. It also lets you use your own passwords for the device and the shares.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

IM-3: Use Azure AD single sign-on (SSO) for application access

Guidance: Azure Data Box uses Azure AD to provide identity and access management to:

  • Azure resources
  • Cloud applications
  • On-premises applications

This management includes:

  • Enterprise identities, such as employees.
  • External identities, such as partners, vendors, and suppliers.

With this identity and access management, single sign-on (SSO) can manage and secure access to your organization's data and resources. The access applies for both on-premises and the cloud. Connect all your users, applications, and devices to Azure AD. Azure AD offers seamless, secure access, plus greater visibility and control.

To create a Data Box resource, you sign in to the subscription with Azure AD; the local credentials described under IM-1 apply only to the device itself.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-1: Protect and limit highly privileged users

Guidance: By default, there are no highly privileged users. You may in rare cases need to open a support session (with elevated privileges). This support session requires coordination with Microsoft support personnel.

Customers don't use or manage highly privileged accounts, such as a local administrator account, on the Data Box device; the only local credentials are the unlock passkey and share credentials described under IM-1.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

PA-3: Review and reconcile user access regularly

Guidance: To create and manage a Data Box resource, a customer signs in with an Azure AD account that has access to the subscription.

You can use these built-in roles:

  • Data Box Reader. This role has read-only access to orders, as defined by the scope. The role can only view details of an order. It can’t access other details related to storage accounts. It also can't edit the order details, such as address.

  • Data Box Contributor. If the customer already has write access to a storage account, this role can create an order to transfer data to that account. If the customer doesn't have access to a storage account, they can't create a Data Box order to copy data to the account. This role doesn't define any storage account-related permissions. It doesn't grant access to storage accounts.

  • Data Box resource creation and management

  • Built-in RBAC roles for Data Box

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

PA-7: Follow just enough administration (least privilege principle)

Guidance: Azure Data Box integrates with Azure RBAC to manage its resources.

You can control who can access your Data Box order when it's first created. To control the access to the Data Box order, you may set up Azure roles at various scopes.

The two built-in roles for the Data Box service, Data Box Reader and Data Box Contributor, are described under PA-3. Assign Data Box Contributor at the narrowest scope that covers the order (typically the order's resource group) rather than at the subscription. Neither role grants any access to the target storage account: write access to that account is a separate assignment, and a principal needs both to create an order that copies data into it.
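The access review that PA-3 asks for and the least-privilege rule in PA-7 can be checked with the same script. The following is an added example, not part of the Data Box documentation or tooling. It runs offline on constructed assignments in the shape of `az role assignment list --all` output; the principal names, scopes and the approved-access list are invented stand-ins for your own.

```python
"""Reconcile Data Box RBAC assignments against an approved access list.

Added example for the PA-3 and PA-7 guidance; not part of the Data Box docs
or tooling. Runs offline on constructed sample data shaped like
`az role assignment list --all` output. APPROVED stands in for whatever
access register your organisation keeps.
"""

DATA_BOX_ROLES = {"Data Box Reader", "Data Box Contributor"}
# Generic roles that exceed what a Data Box operator needs.
BROAD_ROLES = {"Owner", "Contributor"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ORDER = SUB + "/resourceGroups/rg-migration/providers/Microsoft.DataBox/jobs/db-order-001"

# Constructed sample assignments (trimmed to the fields the check uses).
SAMPLE_ASSIGNMENTS = [
    {"principalName": "migration-ops@contoso.com", "principalType": "User",
     "roleDefinitionName": "Data Box Contributor", "scope": SUB + "/resourceGroups/rg-migration"},
    {"principalName": "audit-team@contoso.com", "principalType": "Group",
     "roleDefinitionName": "Data Box Reader", "scope": SUB},
    {"principalName": "contractor@fabrikam.com", "principalType": "User",
     "roleDefinitionName": "Data Box Contributor", "scope": SUB},
    {"principalName": "legacy-automation", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": ORDER},
]

# Assumed approved-access register (constructed).
APPROVED = {"migration-ops@contoso.com", "audit-team@contoso.com"}


def scope_level(scope):
    """Classify an ARM scope string by how broad it is."""
    s = scope.lower()
    if s in ("", "/"):
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    if "/providers/" in s:
        return "resource"
    if "/resourcegroups/" in s:
        return "resourceGroup"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "unknown"


def review(assignments, approved):
    """Return (principal, role, reason) findings for assignments that need attention."""
    findings = []
    for a in assignments:
        who, role, scope = a["principalName"], a["roleDefinitionName"], a["scope"]
        level = scope_level(scope)
        on_data_box_resource = "/providers/microsoft.databox/" in scope.lower()
        if role in DATA_BOX_ROLES and who not in approved:
            findings.append((who, role, "principal is not on the approved access list"))
        if role == "Data Box Contributor" and level in ("root", "managementGroup", "subscription"):
            findings.append((who, role, f"assigned at {level} scope; narrow it to the order's resource group"))
        if role in BROAD_ROLES and on_data_box_resource:
            findings.append((who, role, "generic role on a Data Box order; use Data Box Contributor or Reader"))
    return findings


if __name__ == "__main__":
    for who, role, reason in review(SAMPLE_ASSIGNMENTS, APPROVED):
        print(f"{who} [{role}]: {reason}")
```

Data Box Reader at subscription scope is left alone on purpose: read-only visibility for an audit group is what AM-2 recommends. Contributor-level access is what gets narrowed.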

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

PA-8: Choose approval process for Microsoft support

Guidance: In support scenarios where Microsoft needs to access customer data, Azure Data Box supports Customer Lockbox. Customer Lockbox provides an interface for you to review, and then approve or reject, customer data access requests.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-2: Protect sensitive data

Guidance: Protect sensitive data by restricting access using:

  • Azure RBAC.
  • Network-based access controls.
  • Specific controls in Azure services (such as encryption).

To ensure consistent access control, align all types of access control with your enterprise segmentation strategy. Inform your enterprise segmentation strategy with the location of sensitive, or business-critical, data and systems.

For the underlying Microsoft-managed platform, Microsoft treats all customer content as sensitive. It guards against customer data loss and exposure. To make sure customer data within Azure remains secure, Microsoft uses some default data protection controls and capabilities.

Data Box encrypts all data at rest and all data in transit.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

DP-4: Encrypt sensitive information in transit

Guidance: Data Box supports SMB encryption. NFS is also supported, but NFS traffic to the device isn't encrypted, so pre-encrypt your data before copying it over NFS.

To complement access controls, protect data in transit against 'out of band' attacks (such as traffic capture) using encryption. This action ensures that attackers can't easily read or modify the data.

Azure Data Box supports data encryption in transit with TLS v1.2 or greater.

While this capability is optional for traffic on private networks, it's critical for traffic on external and public networks. For HTTP traffic, make sure clients that connect to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Disable weak ciphers, and obsolete versions of the following protocols:

  • SSL
  • TLS
  • SSH

By default, Azure provides encryption for data in transit between Azure data centers.
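For clients that talk to the device's REST endpoint, the practical version of "negotiate TLS 1.2 or greater and disable weak ciphers" is a client TLS context configured once and reused. The following is an added example, not part of the Data Box documentation; it uses only Python's standard `ssl` module. The CA bundle path is an assumption: it's wherever you keep the certificate you brought to the device, or the device-generated certificate you decided to trust explicitly.

```python
"""Build a TLS client context for a Data Box endpoint that refuses anything
below TLS 1.2 and drops weak cipher suites.

Added example for the DP-4 guidance; not part of the Data Box docs. The
ca_bundle argument is an assumed path to your own CA or device certificate.
"""
import ssl

# Substrings that identify suites no modern client should offer.
WEAK_MARKERS = ("RC4", "MD5", "3DES", "DES-CBC", "NULL", "EXPORT")


def make_data_box_tls_context(ca_bundle=None):
    """Client context: TLS 1.2+ only, hostname check on, certificate required."""
    # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; explicitly exclude anonymous and legacy ones.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if ca_bundle:
        # Trust only the CA you control (bring-your-own certificate case).
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    return ctx


def weak_ciphers(ctx):
    """Names of enabled suites matching a known-weak marker; expected to be empty."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    ctx = make_data_box_tls_context()
    print("minimum version:", ctx.minimum_version.name)
    print("weak suites enabled:", weak_ciphers(ctx) or "none")
```

Pass the context to `http.client.HTTPSConnection(host, context=ctx)` or `urllib.request` when calling the device. Leave `check_hostname` on: with a device-generated certificate the hostname you connect to must match the certificate's name, which is one reason the NS-7 section recommends bringing your own.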

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

DP-5: Encrypt sensitive data at rest

Guidance: To complement access controls, Azure Data Box encrypts data at rest to protect against 'out of band' attacks, such as reading the underlying storage directly. This helps ensure that attackers can't easily read or modify the data.

Azure provides encryption for data at rest by default. For highly sensitive data, you may implement extra encryption at rest on all Azure resources where available. Azure manages your encryption keys by default. But it also lets you manage your own keys (customer-managed keys) for certain Azure services to meet regulatory requirements.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Ensure security team has visibility into risks for assets

Guidance: Grant Security Reader permissions to security teams in your Azure tenant and subscriptions. Then security teams can monitor for security risks using Microsoft Defender for Cloud.

Based on how you structure the security team responsibilities, a central security team or a local team could be responsible for monitoring security risks. Always aggregate security insights and risks centrally within an organization.

You can apply Security Reader permissions broadly to an entire tenant (Root Management Group). Or you can scope those permissions to management groups or specific subscriptions.

Note: To get visibility into workloads and services, extra permissions might be required.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

AM-2: Ensure security team has access to asset inventory and metadata

Guidance: Make sure security teams have access to a continuously updated inventory of assets on Azure, like Azure Data Box. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks. Those teams also need the inventory as an input to continuous security improvements.

Create an Azure AD group to contain your organization's authorized security team. Then assign the group read access to all Azure Data Box resources. You can simplify this process into a single high-level role assignment within your subscription.

Azure Data Box doesn't use tags. Customers can't apply or use tags for resource metadata to logically organize them in a taxonomy.

Using Azure virtual machine inventory, automate the collection of information about software on Virtual Machines. The Azure portal makes the following information fields available:

  • Software Name
  • Version
  • Publisher
  • Refresh Time

To get access to install dates and other information, enable guest-level diagnostics. Then bring the Windows Event Logs into a Log Analytics Workspace.

Azure Data Box doesn't allow running an application or installing software on its resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

AM-3: Use only approved Azure services

Guidance: Using Azure Policy, audit and restrict which services users can provision in your environment. With Azure Resource Graph, query for and discover resources within your subscriptions. Also use Azure Monitor to create rules that trigger alerts when an unapproved service is detected.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-1: Enable threat detection for Azure resources

Guidance: Azure Data Box produces customer-facing resource logs (the copy and audit logs listed under LT-4) that you can review for unexpected activity after the fact. It doesn't produce threat-detection logs that can be forwarded to a SIEM tool for monitoring and alerting. For activity on the Data Box order itself, use the Azure activity log (LT-4) and the Azure AD sign-in and audit logs (LT-2).

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure AD provides the following user logs, which can be viewed in Azure AD reporting. For more sophisticated monitoring and analytics use cases, you can integrate them with Azure Monitor, Microsoft Sentinel, or other SIEM/monitoring tools.

  • Sign-ins. The sign-ins report provides information about the usage of managed applications and user sign-in activities.

  • Audit logs. Audit logs provide traceability for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing:

    • Users
    • Apps
    • Groups
    • Roles
    • Policies
  • Risky sign-ins. A risky sign-in indicates a sign-in attempt that might have been done by someone who isn't the user account's legitimate owner.

  • Users flagged for risk. A risky user indicates a user account that might have been compromised.

Microsoft Defender for Cloud can also trigger alerts on certain suspicious activities. These activities may include an excessive number of failed authentication attempts or deprecated accounts in the subscription. Along with basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can collect more in-depth security alerts from:

  • Individual Azure compute resources (virtual machines, containers, and app service).
  • Data resources (SQL DB and storage).
  • Azure service layers.

With this capability, you have visibility on account anomalies inside individual resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-3: Enable logging for Azure network activities

Guidance: Azure Data Box isn't intended to deploy into virtual networks.

You can't use an NSG to enforce or pass through traffic to and from the Azure Data Box resources. For this reason, you can't configure NSG flow logging for Azure Data Box.

Azure Data Box logs all network traffic that it processes for customer access.

Azure Data Box doesn't allow you to configure or expose DNS logging to the customer.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

LT-4: Enable logging for Azure resources

Guidance: Activity logs contain all write operations (PUT, POST, and DELETE) for your Azure Data Box resources. These logs are automatically available, but they don't contain read operations (GET). You can use activity logs to find an error when troubleshooting. Or use those logs to monitor how a user in your organization modified a resource.

Data Box generates the following resource logs:

  • Copy logs
  • Audit logs
  • BOM files in import order
  • Verbose logs in export order

Azure Data Box also produces security audit logs for the local admin accounts.
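The activity log is the one stream here that reaches a SIEM, so it's where detections for the order belong. The following is an added example, not part of the Data Box documentation or tooling. The events are constructed in the shape `az monitor activity-log list` returns; the operation names follow the `Microsoft.DataBox/jobs/*` pattern of the resource provider as this example assumes them, and the approved-caller list and threshold are invented.

```python
"""Run simple detections over Data Box activity-log events.

Added example for the LT-4 guidance; not part of the Data Box docs. The
events are constructed in the shape of `az monitor activity-log list` output.
APPROVED_CALLERS and FAILURE_THRESHOLD are assumed values.
"""
from collections import Counter

APPROVED_CALLERS = {"migration-ops@contoso.com"}
FAILURE_THRESHOLD = 3

ORDER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "rg-migration/providers/Microsoft.DataBox/jobs/db-order-001")

# Operations worth a ticket even when an approved operator performs them.
# listCredentials is an ARM POST action, so unlike GETs it appears in the log.
SENSITIVE_OPS = {
    "Microsoft.DataBox/jobs/listCredentials/action": "device/share credentials retrieved",
    "Microsoft.DataBox/jobs/cancel/action": "order cancelled",
    "Microsoft.DataBox/jobs/delete": "order deleted",
}


def event(op, caller, status="Succeeded", ts="2024-03-01T10:00:00Z"):
    """Build one constructed event in the CLI's output shape."""
    return {"operationName": {"value": op}, "caller": caller, "resourceId": ORDER,
            "status": {"value": status}, "eventTimestamp": ts,
            "category": {"value": "Administrative"}}


# Constructed sample: normal work, a credential pull by an outsider, a burst of
# failed writes, and a cancellation.
SAMPLE_EVENTS = [
    event("Microsoft.DataBox/jobs/write", "migration-ops@contoso.com"),
    event("Microsoft.DataBox/jobs/listCredentials/action", "migration-ops@contoso.com"),
    event("Microsoft.DataBox/jobs/listCredentials/action", "contractor@fabrikam.com"),
    event("Microsoft.DataBox/jobs/write", "contractor@fabrikam.com", "Failed"),
    event("Microsoft.DataBox/jobs/write", "contractor@fabrikam.com", "Failed"),
    event("Microsoft.DataBox/jobs/write", "contractor@fabrikam.com", "Failed"),
    event("Microsoft.DataBox/jobs/cancel/action", "migration-ops@contoso.com"),
]


def detect(events, approved=APPROVED_CALLERS, failure_threshold=FAILURE_THRESHOLD):
    """Return (caller, operation, reason) alerts for the given events."""
    alerts = []
    failures = Counter()
    for e in events:
        op = e["operationName"]["value"]
        caller = e["caller"]
        status = e["status"]["value"]
        if status == "Started":
            continue  # real logs pair each operation with a Started record; skip it
        if status != "Succeeded":
            failures[caller] += 1
            continue
        if caller not in approved:
            alerts.append((caller, op, "successful change by a caller outside the approved list"))
        elif op in SENSITIVE_OPS:
            alerts.append((caller, op, SENSITIVE_OPS[op]))
    for caller, n in failures.items():
        if n >= failure_threshold:
            alerts.append((caller, "*", f"{n} failed operations; check for probing or misuse"))
    return alerts


if __name__ == "__main__":
    for caller, op, reason in detect(SAMPLE_EVENTS):
        print(f"{caller} {op}: {reason}")
```

The same rules translate directly into a KQL query over the `AzureActivity` table once the activity log is routed to a Log Analytics workspace; the point of the script is to settle which operations and callers matter before writing the alert.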

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

LT-7: Use approved time synchronization sources

Guidance: Data Box uses the default Microsoft NTP server. Connect the device to a network that can reach that server. If the device can't reach it, the device clock can drift, and the timestamps in its audit and copy logs become unreliable.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

Posture and Vulnerability Management

For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.

PV-1: Establish secure configurations for Azure services

Guidance: Azure Data Box doesn't support specific policies in Microsoft Defender for Cloud.

You can set up an Azure Policy definition to require double encryption for Azure Data Box orders. Alternatively, while you place an order for Data Box, request double encryption for data at rest on the device.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PV-2: Sustain secure configurations for Azure services

Guidance: Data Box configures and locks all security settings for the device throughout the lifetime of the order.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

PV-6: Do software vulnerability assessments

Guidance: Not applicable; Azure Data Box doesn't support any vulnerability assessments.

Microsoft does internal vulnerability scanning on Azure Data Box.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

PV-7: Rapidly and automatically remediate software vulnerabilities

Guidance: Microsoft manages all third-party software updates.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

PV-8: Conduct regular attack simulation

Guidance: As necessary, conduct penetration testing or red team activities on your Azure resources. Ensure the remediation of all critical security findings.

To ensure your penetration tests don't violate Microsoft policies, follow the Microsoft Cloud Penetration Testing Rules of Engagement. For background, see Microsoft's strategy and execution of red teaming and live-site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

For more information, read the following articles:

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Endpoint Security

For more information, see the Azure Security Benchmark: Endpoint Security.

ES-2: Use centrally managed modern antimalware software

Guidance: Azure Data Box has Windows Defender enabled.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

ES-3: Ensure antimalware software and signatures are updated

Guidance: Microsoft enables Windows Defender and maintains the updates on Azure Data Box.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-3: Validate all backups including customer-managed keys

Guidance: Periodically make sure you can restore customer-managed keys that have been backed up.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

BR-4: Mitigate risk of lost keys

Guidance: Have measures in place to prevent and recover from the loss of keys. Enable soft delete and purge protection in Azure Key Vault. This action protects keys against accidental or malicious deletion.
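The encryption settings on an order (PV-1's double encryption, DP-5's customer-managed key) and the Key Vault protections in BR-4 are only useful together: a customer-managed key in a vault without purge protection is a key that can be lost. The following is an added example, not part of the Data Box documentation or tooling, that checks all three at once. It runs offline on constructed samples; the property names follow the shape of `az databox job show` and `az keyvault show` output as this example assumes them, so confirm them against your own CLI output before relying on it.

```python
"""Posture check for a Data Box order's encryption settings and the Key Vault
behind its customer-managed key.

Added example for the PV-1, DP-5 and BR-4 guidance; not part of the Data Box
docs or tooling. Runs offline on constructed samples. Property names are
assumed to match `az databox job show` / `az keyvault show` output.
"""
from urllib.parse import urlparse

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_ID = SUB + "/resourceGroups/rg-migration/providers/Microsoft.KeyVault/vaults/kv-databox"
OTHER_VAULT_ID = VAULT_ID.replace("kv-databox", "kv-other")

# Constructed orders: compliant, weak, and Microsoft-managed key.
SAMPLE_JOBS = [
    {"name": "db-order-001",
     "details": {"preferences": {"encryptionPreferences": {"doubleEncryption": "Enabled"}},
                 "keyEncryptionKey": {"kekType": "CustomerManaged",
                                      "kekUrl": "https://kv-databox.vault.azure.net/keys/databox-kek/3c1f",
                                      "kekVaultResourceID": VAULT_ID}}},
    {"name": "db-order-002",
     "details": {"preferences": {"encryptionPreferences": {"doubleEncryption": "Disabled"}},
                 "keyEncryptionKey": {"kekType": "CustomerManaged",
                                      "kekUrl": "https://kv-other.vault.azure.net/keys/k/1",
                                      "kekVaultResourceID": OTHER_VAULT_ID}}},
    {"name": "db-order-003",
     "details": {"preferences": {"encryptionPreferences": {"doubleEncryption": "Enabled"}},
                 "keyEncryptionKey": {"kekType": "MicrosoftManaged"}}},
]

# Constructed vault inventory keyed by resource ID.
SAMPLE_VAULTS = {
    VAULT_ID: {"name": "kv-databox",
               "properties": {"enableSoftDelete": True, "enablePurgeProtection": True,
                              "softDeleteRetentionInDays": 90}},
    OTHER_VAULT_ID: {"name": "kv-other",
                     "properties": {"enableSoftDelete": True, "enablePurgeProtection": False,
                                    "softDeleteRetentionInDays": 7}},
}


def assess_job(job, vaults):
    """Return findings for one order; an empty list means nothing to fix."""
    findings = []
    details = job.get("details", {})
    enc = details.get("preferences", {}).get("encryptionPreferences", {})
    if enc.get("doubleEncryption") != "Enabled":
        findings.append("double encryption at rest is not enabled")
    kek = details.get("keyEncryptionKey") or {}
    if kek.get("kekType") != "CustomerManaged":
        findings.append("info: key is Microsoft-managed (fine unless policy requires CMK)")
        return findings
    vault = vaults.get(kek.get("kekVaultResourceID"))
    if vault is None:
        findings.append("CMK vault not found in inventory; the key may be unrecoverable")
        return findings
    props = vault.get("properties", {})
    host = urlparse(kek.get("kekUrl", "")).hostname or ""
    if not host.startswith(vault["name"].lower() + "."):
        findings.append("kekUrl host does not match the referenced vault")
    if not props.get("enableSoftDelete"):
        findings.append("CMK vault lacks soft delete")
    if not props.get("enablePurgeProtection"):
        findings.append("CMK vault lacks purge protection: a deleted key can be purged before you recover it")
    return findings


def assess_all(jobs, vaults):
    """Map each order name to its findings."""
    return {job["name"]: assess_job(job, vaults) for job in jobs}


if __name__ == "__main__":
    for name, findings in assess_all(SAMPLE_JOBS, SAMPLE_VAULTS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The vault-mismatch check matters because the key URL and the vault resource ID are set separately on the order; a key URL pointing at a vault you don't inventory is exactly the loss scenario this control is about.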

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Next steps