Azure security baseline for Azure HPC Cache

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Microsoft Azure HPC Cache. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure HPC Cache.

Note

Controls not applicable to Azure HPC Cache, and those for which the global guidance is recommended verbatim, have been excluded. To see how Azure HPC Cache completely maps to the Azure Security Benchmark, see the full Azure HPC Cache security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-1: Implement security for internal traffic

Guidance: When you deploy Azure HPC Cache resources, you must create or use an existing virtual network.

Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with a network security group (NSG), Azure Firewall, or both.

Two network-related prerequisites should be set up before you can use your cache:

  • A dedicated subnet for the Azure HPC Cache instance

  • DNS support so that the cache can access storage and other resources

The Azure HPC Cache needs a dedicated subnet with these qualities:

  • The subnet must have at least 64 IP addresses available.

  • The subnet cannot host any other VMs, even for related services like client machines.

  • If you use multiple Azure HPC Cache instances, each one needs its own subnet.

The best practice is to create a new subnet for each cache. You can create a new virtual network and subnet as part of creating the cache.

To use HPC Cache with on-premises NAS storage, you must ensure that certain ports in the on-premises network allow unrestricted traffic from the Azure HPC Cache's subnet.
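The subnet requirements above are easy to get wrong when a cache is dropped into an existing network. The following pre-flight validator is an added example written for this page, not code from Microsoft or the HPC Cache product. It reads subnet data in the shape returned by `az network vnet subnet list -o json` (the sample below is constructed, with made-up names and IDs) and checks the three prerequisites: at least 64 addresses, no other IP configurations already in the subnet, and one subnet per planned cache. The NSG check is advisory and reflects the NS-1 guidance, not a product requirement.

```python
import ipaddress
import json

# Azure HPC Cache needs a dedicated subnet with at least 64 IP addresses.
MIN_SUBNET_ADDRESSES = 64

# Constructed sample in the shape of `az network vnet subnet list -o json`,
# trimmed to the fields these checks read. Names and IDs are made up.
SAMPLE_SUBNETS_JSON = """
[
  {"name": "snet-hpccache-a", "addressPrefix": "10.0.1.0/26",
   "ipConfigurations": null,
   "networkSecurityGroup": {"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-hpc/providers/Microsoft.Network/networkSecurityGroups/nsg-hpccache"}},
  {"name": "snet-hpccache-b", "addressPrefix": "10.0.2.0/27",
   "ipConfigurations": null,
   "networkSecurityGroup": null},
  {"name": "snet-shared", "addressPrefixes": ["10.0.3.0/24"],
   "ipConfigurations": [{"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-hpc/providers/Microsoft.Network/networkInterfaces/nic-client01/ipConfigurations/ipconfig1"}],
   "networkSecurityGroup": null}
]
"""


def subnet_prefix(subnet: dict) -> str:
    """Subnets expose either a single addressPrefix or an addressPrefixes list."""
    return subnet.get("addressPrefix") or subnet["addressPrefixes"][0]


def check_cache_subnet(subnet: dict) -> list[str]:
    """Pre-flight checks for a subnet that will host exactly one HPC Cache.

    Run this before creating the cache: at that point any IP configuration
    already present means another resource is using the subnet.
    """
    name = subnet["name"]
    net = ipaddress.ip_network(subnet_prefix(subnet), strict=True)
    findings = []
    if net.num_addresses < MIN_SUBNET_ADDRESSES:
        findings.append(
            f"{name}: {net.with_prefixlen} has only {net.num_addresses} addresses; "
            f"the cache subnet needs at least {MIN_SUBNET_ADDRESSES} (/26 or larger)"
        )
    if subnet.get("ipConfigurations"):
        findings.append(
            f"{name}: {len(subnet['ipConfigurations'])} IP configuration(s) already "
            "use this subnet; the cache subnet must not host other VMs or NICs"
        )
    if not subnet.get("networkSecurityGroup"):
        # Advisory only: NS-1 asks for an NSG and/or Azure Firewall around the cache.
        findings.append(f"{name}: no network security group attached to the subnet")
    return findings


def check_cache_plan(subnets_json: str, cache_to_subnet: dict[str, str]) -> list[str]:
    """Validate a deployment plan that maps each cache name to its intended subnet."""
    subnets = {s["name"]: s for s in json.loads(subnets_json)}
    findings = []
    claimed: dict[str, str] = {}
    for cache, subnet_name in cache_to_subnet.items():
        if subnet_name in claimed:
            findings.append(
                f"{cache} and {claimed[subnet_name]} both target {subnet_name}; "
                "each cache instance needs its own subnet"
            )
            continue
        claimed[subnet_name] = cache
        if subnet_name not in subnets:
            findings.append(f"{cache}: subnet {subnet_name} not found in the virtual network")
            continue
        findings.extend(check_cache_subnet(subnets[subnet_name]))
    return findings


if __name__ == "__main__":
    plan = {"cache-a": "snet-hpccache-a", "cache-b": "snet-hpccache-b", "cache-c": "snet-shared"}
    for finding in check_cache_plan(SAMPLE_SUBNETS_JSON, plan):
        print("FAIL", finding)
```

Feed it the real output of `az network vnet subnet list -g <rg> --vnet-name <vnet> -o json` and a plan dictionary; an empty result means the subnets meet the prerequisites listed above.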

How to create a network security group with security rules: /azure/virtual-network/tutorial-filter-network-traffic

How to deploy and configure Azure Firewall: /azure/firewall/tutorial-firewall-deploy-portal

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-2: Connect private networks together

Guidance: Use Azure ExpressRoute or Azure virtual private network (VPN) to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections do not go over the public internet, and they offer more reliability, faster speeds, and lower latencies than typical internet connections. For point-to-site VPN and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute.

To connect two or more virtual networks in Azure together, use virtual network peering. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.

The HPC Cache resources are connected only to your Azure Virtual Network and are not accessible from Azure's production internal networks. Therefore, you can access the HPC Cache service directly from your VNet, from peered VNets, or from on-premises over a virtual network gateway (ExpressRoute or VPN Gateway). Access to the HPC Cache compute resources is permitted only to authorized service/engineering personnel through audited just-in-time (JIT) access.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-3: Establish private network access to Azure services

Guidance: Use Azure Virtual Network service endpoints to provide secure access to HPC Cache. Service endpoints route traffic over the Azure backbone network without crossing the public internet.

HPC Cache does not support using Azure Private Link to secure its management endpoints to a private network.

Private access is an additional defense-in-depth measure, in addition to authentication and traffic security offered by Azure services.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-4: Protect applications and services from external network attacks

Guidance: Protect your HPC Cache resources against attacks from external networks, including distributed denial of service (DDoS) Attacks, application-specific attacks, and unsolicited and potentially malicious internet traffic.

Azure includes native capabilities for this protection:

  • Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations.
  • Protect your assets against DDoS attacks by enabling Azure DDoS Protection Standard on your Azure virtual networks.
  • Use Microsoft Defender for Cloud to detect misconfiguration risks related to your network resources.

Azure HPC Cache is not intended to run web applications, and does not require you to configure any additional settings or deploy any extra network services to protect it from external network attacks that target web applications.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-6: Simplify network security rules

Guidance: Service tags are not applicable; HPC Cache does not currently publish a service tag, so you cannot reference cache traffic by tag in network security group or Azure Firewall rules. Because each cache occupies its own dedicated subnet, the practical simplification is to write rules against that subnet's address prefix rather than against individual addresses, and to keep the rule set small and documented.

The best practice is to create a new subnet for each cache. You can create a new virtual network and subnet as part of creating the cache.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

NS-7: Secure Domain Name Service (DNS)

Guidance: Follow the best practices for DNS security to mitigate common attacks such as dangling DNS, DNS amplification attacks, DNS poisoning and spoofing, and others.

Azure HPC Cache needs DNS to access resources outside of the cache's private virtual network. If your workflow includes resources outside of Azure, you need to set up and secure your own DNS server in addition to using Azure DNS.

  • To access Azure Blob storage endpoints, Azure-based client machines, or other Azure resources, use Azure DNS.
  • To access on-premises storage, or to connect to the cache from clients outside of Azure, you need to create a custom DNS server that can resolve those hostnames.
  • If your workflow includes both internal and external resources, set up your custom DNS server to forward Azure-specific resolution requests to the Azure DNS server.

When Azure DNS is used as your authoritative DNS service, ensure that DNS zones and records are protected from accidental or malicious modification by using Azure RBAC and resource locks.

If configuring your own DNS server, make sure to follow these security guidelines:

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Azure HPC Cache is not integrated with Azure Active Directory for internal operations. However, Azure AD can be used to authenticate users in the Azure portal or CLI in order to create, view, and manage HPC Cache deployments and related components.

Azure Active Directory (Azure AD) is the default identity and access management service in Azure. You should standardize Azure AD to govern your organization’s identity and access management in:

  • Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machine (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.

  • Your organization's resources, such as applications on Azure or your corporate network resources.

Securing Azure AD should be a high priority in your organization’s cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Microsoft’s best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Note: Azure AD supports external identity that allows users without a Microsoft account to sign in to their applications and resources with their external identity.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

IM-2: Manage application identities securely and automatically

Guidance: HPC Cache uses Azure managed identities for non-human access such as service-to-service calls and automation. Use managed identities rather than creating a more powerful human account, or embedding a credential, to access or operate your resources.

HPC Cache can natively authenticate to Azure services/resources that support Azure Active Directory (Azure AD) authentication through predefined access grant rules. This avoids the need to use hard-coded credentials in source code or configuration files.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

IM-3: Use Azure AD single sign-on (SSO) for application access

Guidance: Azure HPC Cache does not integrate with Azure Active Directory (Azure AD) for internal operations. However, Azure AD can be used to authenticate users in the Azure portal or CLI in order to create, view, and manage HPC Cache deployments and related components.

Azure AD provides identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities such as employees, as well as external identities such as partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organization’s data and resources on-premises and in the cloud. Connect all your users, applications, and devices to the Azure AD for seamless, secure access and greater visibility and control.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-3: Review and reconcile user access regularly

Guidance: Review user accounts and access assignment regularly to ensure that the accounts and their access levels are valid.

Azure HPC Cache can use Azure Active Directory (Azure AD) accounts to manage user access through the Azure portal and related interfaces. Azure AD offers access reviews that help you review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management to create access review report workflow to facilitate the review process.

In addition, Azure Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.

Note: Some Azure services support local users and roles which are not managed through Azure AD. You will need to manage these users separately.

When using NFS storage targets, you will need to work with your network administrators and firewall managers to verify access settings and ensure that Azure HPC Cache will be able to communicate with the NFS storage systems.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PA-7: Follow just enough administration (least privilege principle)

Guidance: HPC Cache is integrated with Azure role-based access control (RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal.

The privileges you assign to resources through Azure RBAC should be always limited to what is required by the roles. This complements the just-in-time (JIT) approach of Azure Active Directory (Azure AD) Privileged Identity Management (PIM) and should be reviewed periodically.

Use built-in roles to allocate permissions and create custom roles only when required.
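One way to turn the least-privilege and periodic-review guidance above into a repeatable check is to audit role assignments exported from Azure CLI. The script below is an added example for this page, not Microsoft code. It reads records in the shape of `az role assignment list --all -o json` (the sample is constructed, with made-up principals and subscription ID) and flags privileged roles (Owner, Contributor, User Access Administrator) held at management-group or subscription scope, where a cache operator only needs the cache's resource group or resource, and standing privileged assignments to individual users, which the PIM guidance above prefers to replace with group membership and eligible assignments. Both rules are the reviewer's policy, not HPC Cache requirements.

```python
import json

# Roles that grant write or access-management rights over everything in scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_LEVELS = {"managementGroup", "subscription"}

# Constructed sample shaped like `az role assignment list --all -o json`,
# trimmed to the fields used here. Principals and IDs are made up.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"principalName": "hpc-operators", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-hpc"},
  {"principalName": "ci-pipeline", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"principalName": "hpc-admins", "principalType": "Group",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-hpc/providers/Microsoft.StorageCache/caches/cache01"}
]
"""


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how much it covers."""
    parts = scope.strip("/").split("/")
    if parts[:2] == ["providers", "Microsoft.Management"]:
        return "managementGroup"
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def review_assignments(assignments_json: str) -> list[dict]:
    """Return one finding per privileged assignment that violates the review policy."""
    findings = []
    for a in json.loads(assignments_json):
        role = a["roleDefinitionName"]
        if role not in PRIVILEGED_ROLES:
            continue  # Reader-class roles are not in scope for this review
        reasons = []
        level = scope_level(a["scope"])
        if level in BROAD_LEVELS:
            reasons.append(
                f"{role} at {level} scope; scope it to the cache resource group or resource"
            )
        if a["principalType"] == "User":
            # Policy choice: privileged access should flow through groups and PIM,
            # not standing assignments to individual users.
            reasons.append("standing assignment to an individual user; prefer a group with a PIM-eligible assignment")
        if reasons:
            findings.append({
                "principal": a["principalName"],
                "role": role,
                "scope": a["scope"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_assignments(SAMPLE_ASSIGNMENTS_JSON):
        print(f"{f['principal']} ({f['role']} @ {f['scope']})")
        for r in f["reasons"]:
            print("   -", r)
```

In the sample, the group-scoped Contributor on rg-hpc and the resource-scoped Owner on cache01 pass; the subscription-wide Owner held by a user and the subscription-wide Contributor held by the CI service principal are the two assignments a reviewer would rescope.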

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-1: Discover, classify, and label sensitive data

Guidance: HPC Cache handles sensitive data but does not have the capability to discover, classify, or label sensitive data.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

DP-2: Protect sensitive data

Guidance: Protect sensitive data by restricting access using Azure Role Based Access Control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases).

To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

DP-3: Monitor for unauthorized transfer of sensitive data

Guidance: HPC Cache transmits sensitive data but does not support monitoring for unauthorized transfer of sensitive data.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

DP-4: Encrypt sensitive information in transit

Guidance: HPC Cache supports data encryption in transit with TLS v1.2 or greater.

While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsoleted SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled.

By default, Azure provides encryption for data in transit between Azure data centers.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

DP-5: Encrypt sensitive data at rest

Guidance: To complement access controls, data at rest should be protected against "out of band" attacks (for example, accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.

Azure provides data at rest encryption by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure provides options to manage your own keys (customer-managed keys) for certain Azure services.

All data stored in Azure, including on the cache disks, is encrypted at rest using Microsoft-managed keys by default. You only need to customize Azure HPC Cache settings if you want to manage the keys used to encrypt your data.

If required for compliance on compute resources, implement a third-party tool, such as an automated host-based Data Loss Prevention solution, to enforce access controls to data even when data is copied off a system.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Ensure security team has visibility into risks for assets

Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud.

Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.

Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.

Note: Additional permissions might be required to get visibility into workloads and services.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

AM-2: Ensure security team has access to asset inventory and metadata

Guidance: Azure HPC Cache supports using tags. Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair.

For example, you can apply the name "Environment" and the value "Production" to all the resources in production. Tags can be added when creating a cache as well as after the cache is deployed.

Use Azure Virtual Machine Inventory to automate the collection of information about software on virtual machines. Software name, version, publisher, and refresh time are available from the Azure portal. To get access to install date and other information, enable guest-level diagnostics and bring the Windows Event Logs into a Log Analytics workspace. HPC Cache does not allow you to run applications or install software on its underlying resources, so software inventory applies to your client machines rather than to the cache itself.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

AM-3: Use only approved Azure services

Guidance: HPC Cache supports Azure Resource Manager deployments. Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-1: Enable threat detection for Azure resources

Guidance: Use the Microsoft Defender for Cloud built-in threat detection capability for the subscription that hosts your HPC Cache deployment. Defender for Cloud has no plan specific to HPC Cache; enable the plans that cover the resources around the cache, such as Microsoft Defender for Storage for Blob storage targets, Microsoft Defender for Servers for client virtual machines, and Microsoft Defender for Resource Manager for control-plane operations against the cache. These plans add a layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit those resources.

Forward any logs from HPC Cache to your SIEM which can be used to set up custom threat detections. Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure Active Directory (Azure AD) provides the following user logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:

  • Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
  • Audit logs - Provide traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, like adding or removing users, apps, groups, roles, and policies.
  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

Microsoft Defender for Cloud can also alert on certain suspicious activities such as excessive number of failed authentication attempts, or deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud’s Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to have visibility on account anomalies inside the individual resources.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-3: Enable logging for Azure network activities

Guidance: You can use VPN gateways and their packet capture capability in addition to commonly available packet capture tools to record network packets traveling between your virtual networks.

Deploy a network security group on the network where your Azure HPC Cache resources are deployed. Enable network security group flow logs on your network security groups for traffic auditing.

Your flow logs are retained in a storage account. Enable the Traffic Analytics solution to process and send those flow logs to a Log Analytics workspace. Traffic Analytics provides additional insights into traffic flow for your Azure networks. Traffic Analytics can help you visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.
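Once flow logs are landing in the storage account, the first question is usually "who is reaching the cache subnet, and who is being stopped?" The triage function below is an added example for this page, not Microsoft code. It parses an NSG flow log in the version 2 format (each tuple is time, source IP, destination IP, source port, destination port, protocol, direction, decision, flow state, then four packet and byte counters) and reports inbound flows to the cache subnet that were denied, plus allowed NFS flows (ports 111 and 2049) from sources outside the expected client prefixes. The record, the subnet and client ranges, and the rule names are all constructed for the example; the NFS port choice assumes clients mount the cache over NFS.

```python
import ipaddress
import json

# Assumed addressing for the example: the cache's dedicated subnet and the
# prefixes where legitimate NFS clients live.
CACHE_SUBNET = ipaddress.ip_network("10.0.1.0/26")
CLIENT_PREFIXES = [ipaddress.ip_network("10.0.3.0/24")]
# rpcbind and NFS: the ports clients use to mount and talk to the cache.
NFS_PORTS = {111, 2049}

# Constructed NSG flow log record (version 2 layout), abbreviated. Tuple fields:
# time,srcIP,dstIP,srcPort,dstPort,protocol,direction,decision,state,pktsS2D,bytesS2D,pktsD2S,bytesD2S
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2024-03-01T10:00:00Z",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_allow-nfs-clients", "flows": [{"mac": "000D3AF80001", "flowTuples": [
            "1709287200,10.0.3.4,10.0.1.5,51234,2049,T,I,A,B,,,,",
            "1709287230,10.0.5.9,10.0.1.6,40000,111,T,I,A,B,,,,",
            "1709287245,10.0.1.5,10.0.3.4,2049,51234,T,O,A,C,12,1800,10,1500"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF80001", "flowTuples": [
            "1709287220,198.51.100.7,10.0.1.5,44100,2049,T,I,D,B,,,,",
            "1709287260,198.51.100.7,10.0.1.5,44101,22,T,I,D,B,,,,"]}]}
    ]}
}]})


def parse_tuple(t: str) -> dict:
    """Split one flow tuple into typed fields; counters are empty for 'B' (begin) states."""
    f = t.split(",")
    return {
        "time": int(f[0]),
        "src": ipaddress.ip_address(f[1]),
        "dst": ipaddress.ip_address(f[2]),
        "sport": int(f[3]),
        "dport": int(f[4]),
        "proto": {"T": "tcp", "U": "udp"}[f[5]],
        "inbound": f[6] == "I",
        "allowed": f[7] == "A",
        "state": f[8] if len(f) > 8 else "",
    }


def triage_flow_log(raw: str) -> dict:
    """Summarize inbound flows toward the cache subnet from a flow log blob."""
    report = {"denied_inbound": [], "unexpected_allowed": [], "allowed_client_flows": 0}
    for record in json.loads(raw)["records"]:
        for rule in record["properties"]["flows"]:
            for flow in rule["flows"]:
                for t in flow["flowTuples"]:
                    fl = parse_tuple(t)
                    if not (fl["inbound"] and fl["dst"] in CACHE_SUBNET):
                        continue  # only inbound traffic to the cache subnet is of interest here
                    desc = f"{fl['src']}->{fl['dst']}:{fl['dport']}/{fl['proto']} ({rule['rule']})"
                    if not fl["allowed"]:
                        report["denied_inbound"].append(desc)
                    elif fl["dport"] in NFS_PORTS and not any(fl["src"] in p for p in CLIENT_PREFIXES):
                        # The NSG let it through, but the source is not a known client range:
                        # either the rule is too wide or a new client population appeared.
                        report["unexpected_allowed"].append(desc)
                    else:
                        report["allowed_client_flows"] += 1
    return report


if __name__ == "__main__":
    print(json.dumps(triage_flow_log(SAMPLE_FLOW_LOG), indent=2))
```

The outbound tuple is skipped on purpose: direction in a flow log is relative to the NIC the NSG protects, so with the NSG on the cache subnet only "I" tuples describe traffic arriving at the cache. Point the function at the blobs under the flow-log storage container, or at the Traffic Analytics export, and tune the prefixes to your own addressing.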

The cache needs DNS to access resources outside of its virtual network. Depending on which resources you are using, you might need to set up a customized DNS server and configure forwarding between that server and Azure DNS servers.

If you need query logging for a custom DNS server, implement a third-party DNS logging solution from Azure Marketplace that meets your organization's needs.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-4: Enable logging for Azure resources

Guidance: Azure HPC Cache resources automatically create activity logs. These logs contain all write operations (PUT, POST, DELETE) but do not include read operations (GET). Activity logs can be used to find an error when troubleshooting, or to monitor how a user in your organization modified a resource.

You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collection for HPC Cache and the resources around it. These logs can be critical for investigating security incidents and performing forensic analysis later.
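Because the activity log records every write and delete against the cache, it is the natural place to detect unexpected control-plane changes. The detection below is an added example for this page, not Microsoft code. It consumes events in the shape of `az monitor activity-log list -o json` (the sample is constructed; callers, timestamps and resource IDs are made up) and raises an alert for any delete of a Microsoft.StorageCache resource and for any write or delete by a caller outside an assumed operator allow-list. The allow-list and the sub-resource operation names are assumptions for the example.

```python
import json

# HPC Cache resources live under the Microsoft.StorageCache resource provider.
CACHE_PROVIDER_PREFIX = "Microsoft.StorageCache/"
# Assumed allow-list of identities expected to change cache resources.
APPROVED_OPERATORS = {"hpc-deploy-sp", "alice@contoso.example"}
CHANGE_ACTIONS = {"write", "delete", "action"}

# Constructed events shaped like `az monitor activity-log list -o json`,
# trimmed to the fields used here.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-hpc"
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"eventTimestamp": "2024-03-01T09:00:00Z", "caller": "hpc-deploy-sp",
     "operationName": {"value": "Microsoft.StorageCache/caches/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.StorageCache/caches/cache01"},
    {"eventTimestamp": "2024-03-01T09:05:00Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.StorageCache/caches/storageTargets/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.StorageCache/caches/cache01/storageTargets/blob01"},
    {"eventTimestamp": "2024-03-01T11:40:00Z", "caller": "mallory@contoso.example",
     "operationName": {"value": "Microsoft.StorageCache/caches/write"},
     "status": {"value": "Failed"},
     "resourceId": SUB + "/providers/Microsoft.StorageCache/caches/cache01"},
    {"eventTimestamp": "2024-03-01T11:42:00Z", "caller": "mallory@contoso.example",
     "operationName": {"value": "Microsoft.StorageCache/caches/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.StorageCache/caches/cache01"},
    {"eventTimestamp": "2024-03-02T08:00:00Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.StorageCache/caches/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.StorageCache/caches/cache02"},
])


def alerts_for_events(events_json: str, approved: set[str] = APPROVED_OPERATORS) -> list[dict]:
    """Return one alert per cache-related activity log event that needs a look."""
    alerts = []
    for ev in json.loads(events_json):
        op = ev["operationName"]["value"]
        if not op.startswith(CACHE_PROVIDER_PREFIX):
            continue
        action = op.rsplit("/", 1)[-1].lower()
        if action not in CHANGE_ACTIONS:
            continue  # the activity log carries no GETs; skip anything that is not a change
        reasons = []
        if action == "delete":
            # Deleting a cache is always worth a ticket, even when the caller is approved.
            reasons.append("destructive operation on a cache resource")
        if ev["caller"] not in approved:
            reasons.append(f"caller {ev['caller']} is not an approved HPC Cache operator")
        if reasons and ev["status"]["value"] == "Failed":
            reasons.append("attempt failed; check for probing or misconfigured automation")
        if reasons:
            alerts.append({
                "time": ev["eventTimestamp"],
                "caller": ev["caller"],
                "operation": op,
                "resourceId": ev["resourceId"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in alerts_for_events(SAMPLE_ACTIVITY_LOG):
        print(a["time"], a["caller"], a["operation"])
        for r in a["reasons"]:
            print("   -", r)
```

The same logic ports directly to a Log Analytics or Microsoft Sentinel analytics rule over the AzureActivity table once the activity log is routed there (LT-5); filtering on the Microsoft.StorageCache provider keeps the rule scoped to the cache rather than to every resource in the subscription.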

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

LT-5: Centralize security log management and analysis

Guidance: Centralize logging storage and analysis to enable correlation. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements.

Ensure you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.

In addition, enable and onboard data to Microsoft Sentinel or a third-party SIEM.

Many organizations choose to use Microsoft Sentinel for “hot” data that is used frequently and Azure Storage for “cold” data that is used less frequently.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

LT-7: Use approved time synchronization sources

Guidance: HPC Cache does not support configuring your own time synchronization sources. The HPC Cache service relies on Microsoft time synchronization sources, which are not exposed to customers for configuration.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

Posture and Vulnerability Management

For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.

PV-3: Establish secure configurations for compute resources

Guidance: Use Microsoft Defender for Cloud and Azure Policy to establish secure configurations on all compute resources including VMs, containers, and others.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

PV-6: Perform software vulnerability assessments

Guidance: Not applicable; Microsoft performs vulnerability management on the underlying systems that support HPC Cache.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: None

PV-8: Conduct regular attack simulation

Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Microsoft performs red teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: None

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-1: Ensure regular automated backups

Guidance: Because Azure HPC Cache is a caching solution and not a storage system, focus on ensuring that data in its storage targets is regularly backed up. Follow standard procedures for Azure Blob containers and for backing up any on-premises storage targets.

To minimize disruption in the event of a regional outage, you can take steps to ensure cross-region data access.

Each Azure HPC Cache instance runs within a particular subscription and in one region. This means that your cache workflow could possibly be disrupted if the region has a full outage. To minimize this disruption, the organization should use back-end storage that is accessible from multiple regions. This storage can be either an on-premises NAS system with appropriate DNS support, or Azure Blob storage that resides in a different region from the cache.

As your workflow proceeds in your primary region, data is saved in the long-term storage outside of the region. If the cache region becomes unavailable, you can create a duplicate Azure HPC Cache instance in a secondary region, connect to the same storage, and resume work from the new cache.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

BR-2: Encrypt backup data

Guidance: Ensure your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality.

For on-premises backup using Azure Backup, encryption-at-rest is provided using the passphrase you provide. For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backup using customer-managed keys. In this case, ensure that this customer-managed key in the key vault is also in the backup scope.

Azure HPC Cache is also protected by VM host encryption on the managed disks that hold your cached data, even if you add a customer-managed key for the cache disks. Adding a customer-managed key for double encryption gives an extra level of security for customers with high security needs. Read Server-side encryption of Azure disk storage for details.

Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer-managed keys. Additionally, you can enable advanced security features to require multifactor authentication before backups can be altered or deleted.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

BR-3: Validate all backups including customer-managed keys

Guidance: Periodically ensure that you can restore backed-up customer-managed keys.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

BR-4: Mitigate risk of lost keys

Guidance: Ensure you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: None

Next steps