Azure security baseline for Azure Cognitive Search
This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Cognitive Search. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Cognitive Search.
Note
Controls not applicable to Azure Cognitive Search, and those for which the global guidance is recommended verbatim, have been excluded. To see how Azure Cognitive Search completely maps to the Azure Security Benchmark, see the full Azure Cognitive Search security baseline mapping file.
Network Security
For more information, see the Azure Security Benchmark: Network Security.
NS-1: Implement security for internal traffic
Guidance: Ensure that all Microsoft Azure Virtual Network subnet deployments have a network security group applied with rules to implement a "least privileged" access scheme. Allow access only to your application's trusted ports and IP address ranges. Deploy Azure Cognitive Search with an Azure private endpoint, where feasible, to enable private access to your services from your virtual network.
Cognitive Search also supports additional network security functionality for managing network access control lists. Configure your search service to only allow communication with trusted sources by restricting access from specific public IP address ranges using its firewall capability.
Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on your network security group rules. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure deny by default
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-3: Establish private network access to Azure services
Guidance: Use Azure Private Link to enable private access to Azure Cognitive Search from your virtual networks without crossing the internet.
Private access is an additional defense-in-depth measure on top of the authentication and traffic security offered by Azure services.
Azure Cognitive Search does not provide the capability to configure Virtual Network service endpoints.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-4: Protect applications and services from external network attacks
Guidance: Protect your Azure Cognitive Search resources against attacks from external networks, including distributed denial of service (DDoS) attacks, application-specific attacks, and unsolicited and potentially malicious internet traffic. Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. Protect your assets against DDoS attacks by enabling DDoS standard protection on your Azure virtual networks. Use Microsoft Defender for Cloud to detect misconfiguration risks to your network related resources.
Azure Cognitive Search is not intended to run web applications, and does not require you to configure any additional settings or deploy any extra network services to protect it from external network attacks targeting web applications.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-6: Simplify network security rules
Guidance: Use Azure Virtual Network Service Tags to define network access controls on network security groups or Azure Firewall configured for your Azure Cognitive Search resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
Allow or deny traffic to resources by specifying the service tag name (for example, AzureCognitiveSearch) in the appropriate source or destination field of a rule.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-7: Secure Domain Name Service (DNS)
Guidance: Follow the best practices for DNS security to mitigate against common attacks like dangling DNS, DNS amplification attacks, DNS poisoning and spoofing, etc.
When Azure DNS is used as your authoritative DNS service, ensure DNS zones and records are protected from accidental or malicious modification using Azure RBAC and resource locks.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Identity Management
For more information, see the Azure Security Benchmark: Identity Management.
IM-1: Standardize Azure Active Directory as the central identity and authentication system
Guidance: Azure Cognitive Search uses Azure Active Directory (Azure AD) as the default identity and access management service. You should standardize Azure AD to govern your organization's identity and access management in:
Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machine (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
Your organization's resources, such as applications on Azure or your corporate network resources.
Securing Azure AD should be a high priority in your organization's cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.
Note: Azure AD supports external identities that allow users without a Microsoft account to sign in to their applications and resources with their external identity.
Use Azure Active Directory (Azure AD) as the central authentication and authorization system for service-level management tasks in Azure Cognitive Search.
Azure Cognitive Search provides a couple of built-in roles, including a Search Service Contributor role that lets you manage search services but does not grant access to their content.
Access to operations such as index management, index population, and queries on search data is also available via API keys.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
IM-2: Manage application identities securely and automatically
Guidance: Azure Cognitive Search supports managed identities for its Azure resources. Use managed identities with Azure Cognitive Search instead of creating service principals to access other resources. Azure Cognitive Search can natively authenticate to the Azure services and resources that support Azure AD authentication through a pre-defined access grant rule, without using credentials hard-coded in source code or configuration files.
Set up an indexer connection to a data source using a managed identity
Configure customer-managed keys for data encryption using a managed identity
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
IM-3: Use Azure AD single sign-on (SSO) for application access
Guidance: Azure Cognitive Search uses Azure Active Directory to provide identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities, such as employees, as well as external identities like partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organization's data and resources on-premises and in the cloud. Connect all your users, applications, and devices to the Azure AD for seamless, secure access and greater visibility and control.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
IM-7: Eliminate unintended credential exposure
Guidance: Azure Cognitive Search is not intended to store code. However, for any ARM templates related to your Azure Cognitive Search deployments, it is recommended to implement Credential Scanner on the repositories that store those templates to identify credentials within configurations. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
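A lightweight version of the check Credential Scanner performs, as an added example that is not part of the Microsoft baseline or of Credential Scanner itself: it walks an ARM template and flags key-like properties that hold literal values instead of an ARM expression (a parameter or a `listAdminKeys` call resolved at deployment time), and secureString parameters that ship a literal default. The sample template, the hypothetical web app settings and the key-name pattern are constructed for the example; the key strings are placeholders, not real keys.

```python
import json
import re

# Constructed ARM template fragment for the example (not a real deployment).
# The key strings are placeholders, not real Azure Cognitive Search keys.
SAMPLE_TEMPLATE = json.dumps({
    "parameters": {
        "searchQueryKey": {"type": "secureString",
                           "defaultValue": "PLACEHOLDER-QUERY-KEY-0000000000"},
        "searchServiceName": {"type": "string"},
    },
    "resources": [{
        "type": "Microsoft.Web/sites/config",
        "name": "example-webapp/appsettings",
        "properties": {
            # Resolved at deployment time; nothing secret is stored in the repo.
            "SEARCH_ADMIN_KEY": "[listAdminKeys(resourceId('Microsoft.Search/searchServices', "
                                "parameters('searchServiceName')), '2020-08-01').primaryKey]",
            "SEARCH_QUERY_KEY": "[parameters('searchQueryKey')]",
            # A pasted literal: this is what the scanner should catch.
            "LEGACY_API_KEY": "PLACEHOLDER-ADMIN-KEY-1111111111",
        },
    }],
})

# Property names that usually carry a credential (assumed list; extend it for your templates).
SECRET_KEY_NAMES = re.compile(
    r"api[-_]?key|admin[-_]?key|query[-_]?key|password|secret|connectionstring", re.I)


def is_arm_expression(value):
    """ARM evaluates strings wrapped in [...] at deployment time, so they are not literals."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def scan_template(template_json):
    """Return a list of 'json.path: reason' findings for credentials embedded in the template."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            default = node.get("defaultValue")
            if (str(node.get("type", "")).lower() == "securestring"
                    and isinstance(default, str) and default and not is_arm_expression(default)):
                findings.append(f"{path}.defaultValue: secureString parameter has a literal default")
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if (SECRET_KEY_NAMES.search(key) and isinstance(value, str)
                        and value and not is_arm_expression(value)):
                    findings.append(f"{child}: literal value; use a parameter or Key Vault reference")
                walk(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(json.loads(template_json), "")
    return findings


if __name__ == "__main__":
    for finding in scan_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run it as a pre-commit or pipeline step over the template directory; a non-empty result should fail the build, and the remediation is the one the guidance names: move the value into Azure Key Vault and reference it from the template.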
Privileged Access
For more information, see the Azure Security Benchmark: Privileged Access.
PA-1: Protect and limit highly privileged users
Guidance: The most critical built-in roles for Azure AD are the Global Administrator and the Privileged Role Administrator, as users assigned to these two roles can delegate administrator roles:
Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.
Note: You might have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. You might also want to apply similar controls to the administrator account of critical business assets.
You should limit the number of highly privileged accounts or roles and protect these accounts at an elevated level. Users with this privilege can directly or indirectly read and modify every resource in your Azure environment.
You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD PIM. JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-3: Review and reconcile user access regularly
Guidance: Azure Cognitive Search uses Azure Active Directory (Azure AD) accounts to manage its resources. Review user accounts and access assignments regularly to ensure the accounts and their access are valid. You can use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management (PIM) to create access review report workflows to facilitate the review process.
In addition, Azure AD PIM can also be configured to alert you when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.
Note: Some Azure services support local users and roles which are not managed through Azure AD. You will need to manage these users separately.
Review diagnostic logs from Azure Cognitive Search for activity in the search service endpoint such as index management, index population, and queries.
Azure Cognitive Search supports the following built-in roles: Search Index Data Contributor, Search Index Data Reader, and Search Service Contributor.
Authorize access through Azure roles in Azure Cognitive Search
Create an access review of Azure resource roles in Privileged Identity Management (PIM)
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-6: Use privileged access workstations
Guidance: Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator. Use highly secured user workstations and/or Azure Bastion for administrative tasks. Use Azure Active Directory (Azure AD), Microsoft Defender Advanced Threat Protection (ATP), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce secured configuration including strong authentication, software and hardware baselines, and restricted logical and network access.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-7: Follow just enough administration (least privilege principle)
Guidance: Azure Cognitive Search is integrated with Azure role-based access control (Azure RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what is required by the roles. This complements the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM) and should be reviewed periodically.
Use built-in roles to allocate permissions and only create custom roles when required.
Azure Cognitive Search uses the Owner, Contributor, and Reader roles, which determine the level of service administration for Active Directory users, groups, and security principals assigned to each role. Azure Cognitive Search uses these three roles to authorize access for search service administration.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-8: Choose approval process for Microsoft support
Guidance: In support scenarios where Microsoft needs to access customer data, Azure Cognitive Search supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Asset Management
For more information, see the Azure Security Benchmark: Asset Management.
AM-1: Ensure security team has visibility into risks for assets
Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud.
Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.
Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.
Note: Additional permissions might be required to get visibility into workloads and services.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
AM-2: Ensure security team has access to asset inventory and metadata
Guidance: Ensure that security teams have access to a continuously updated inventory of assets on Azure, like Azure Cognitive Search. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvements. Create an Azure Active Directory (Azure AD) group to contain your organization's authorized security team and assign them read access to all Azure Cognitive Search resources, which can be simplified by a single high-level role assignment within your subscription.
Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.
Azure Cognitive Search does not allow running an application or the installation of software on its resources.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
AM-3: Use only approved Azure services
Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Logging and Threat Detection
For more information, see the Azure Security Benchmark: Logging and Threat Detection.
LT-1: Enable threat detection for Azure resources
Guidance: Analyze and monitor logs from your Azure Cognitive Search service for anomalous behavior. Use Azure Monitor's Log Analytics to review logs and perform queries on log data.
Forward any logs from Azure Cognitive Search to your SIEM, which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
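An added example (not from the Microsoft baseline) of the log review PA-3 describes and the custom detection LT-1 suggests: a few constructed Azure Cognitive Search resource-log records in JSON Lines form, as a Log Analytics export would deliver them, are scanned for repeated 401/403 results from one caller, query-volume spikes from one caller, and index deletions from a source that is not on an administrative allowlist. The field names follow the resource-log schema the service emits (time, category, operationName, resultType, resultSignature, callerIpAddress); the specific operation names, thresholds and addresses are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Azure Cognitive Search "OperationLogs"
# resource logs. Addresses and operation names are invented for the example.
SAMPLE_LOGS = "\n".join(
    [json.dumps({"time": "2024-03-01T10:00:%02dZ" % sec, "category": "OperationLogs",
                 "operationName": "Query.Search", "resultType": "Failed",
                 "resultSignature": 403, "callerIpAddress": "203.0.113.7",
                 "properties": {"IndexName": "hotels"}})
     for sec in range(0, 60, 10)]          # six 403s from one caller inside one minute
    + [json.dumps({"time": "2024-03-01T10:02:00Z", "category": "OperationLogs",
                   "operationName": "Query.Search", "resultType": "Success",
                   "resultSignature": 200, "callerIpAddress": "192.0.2.10",
                   "properties": {"IndexName": "hotels"}}),
       json.dumps({"time": "2024-03-01T10:03:00Z", "category": "OperationLogs",
                   "operationName": "Indexes.Delete", "resultType": "Success",
                   "resultSignature": 204, "callerIpAddress": "198.51.100.9",
                   "properties": {"IndexName": "hotels"}})])


def parse_records(text):
    """Parse JSON Lines into dicts, adding a timezone-aware datetime under '_ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def _max_in_window(timestamps, window):
    """Largest number of events that fall inside any span of length `window` (two-pointer sweep)."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(text, failed_threshold=5, query_threshold=50,
           window=timedelta(minutes=5), admin_allowlist=frozenset()):
    """Return (rule, callerIpAddress, count) findings over the supplied log text."""
    failed = defaultdict(list)
    queries = defaultdict(list)
    findings = []
    for rec in parse_records(text):
        ip = rec.get("callerIpAddress", "unknown")
        op = rec.get("operationName", "")
        if rec.get("resultSignature") in (401, 403):
            failed[ip].append(rec["_ts"])
        if op == "Query.Search" and rec.get("resultType") == "Success":
            queries[ip].append(rec["_ts"])
        # Destructive index management should only come from known administrative sources.
        if op.startswith("Indexes.Delete") and ip not in admin_allowlist:
            findings.append(("index-delete-from-unexpected-source", ip, 1))
    for ip, stamps in failed.items():
        count = _max_in_window(stamps, window)
        if count >= failed_threshold:
            findings.append(("repeated-auth-failures", ip, count))
    for ip, stamps in queries.items():
        count = _max_in_window(stamps, window)
        if count >= query_threshold:
            findings.append(("query-volume-spike", ip, count))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

The thresholds are starting points to tune against your own baseline traffic; the same three rules translate directly into Kusto queries over the AzureDiagnostics table once the logs are in a Log Analytics workspace, which is where the guidance expects the alerting to live.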
LT-2: Enable threat detection for Azure identity and access management
Guidance: Azure Active Directory (Azure AD) provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
- Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, like adding or removing users, apps, groups, roles, and policies.
- Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
Microsoft Defender for Cloud can also trigger alerts on certain suspicious activities, such as an excessive number of failed authentication attempts or deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to have visibility on account anomalies inside individual resources.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-3: Enable logging for Azure network activities
Guidance: Azure Cognitive Search cannot be deployed directly into a virtual network. However, if your client application or data sources are in a virtual network, you can monitor and log traffic for those in-network components, including requests sent to a search service in the cloud.
Enable network security group flow logs for the network security groups protecting the Azure Virtual Machines (VMs) that will be connecting to your Cognitive Search service. Send the logs to an Azure Storage account for traffic audit.
Azure Cognitive Search does not produce or process DNS query logs.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-4: Enable logging for Azure resources
Guidance: Activity logs, which are automatically available, contain all write operations (PUT, POST, DELETE) for your Azure Cognitive Search resources except read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.
Enable Azure resource logs for Azure Cognitive Search. You can use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting. These logs can be critical for investigating security incidents and performing forensic exercises.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.
Azure Policy built-in definitions - Microsoft.Search:
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
LT-5: Centralize security log management and analysis
Guidance: Centralize logging storage and analysis to enable correlation. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements.
Ensure that you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long-term and archival storage.
In addition, enable and onboard data to Microsoft Sentinel or a third-party SIEM.
Many organizations choose to use Microsoft Sentinel for ‘hot’ data that is used frequently and Azure Storage for ‘cold’ data that is used less frequently.
For applications that may run on Azure Cognitive Search, forward all security-related logs to your SIEM for centralized management.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-6: Configure log storage retention
Guidance: Historical data that feeds into diagnostic metrics is preserved by Azure Cognitive Search for 30 days by default. For longer retention, be sure to enable the setting that specifies a storage option for persisting logged events and metrics.
In Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts for long-term and archival storage.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Posture and Vulnerability Management
For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.
PV-1: Establish secure configurations for Azure services
Guidance: Use Azure Policy aliases in the “Microsoft.Search” namespace to create custom policies to audit or enforce the configuration of your Azure Cognitive Search resources. You may also use built-in Azure Policy definitions for Cognitive Search services such as:
- Enable audit logging for Azure resources.
- Enable audit logging for public network access.
- Enable audit logging for the use of private link.
Azure Resource Manager has the ability to export the template in JavaScript Object Notation (JSON), which should be reviewed to ensure that the configurations meet the security requirements for your organization.
You can also use the recommendations from Microsoft Defender for Cloud as a secure configuration baseline for your Azure resources.
Azure Policy built-in definitions for Azure Cognitive Search
Working with security policies in Microsoft Defender for Cloud
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
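The review of an exported template that PV-1 recommends, carried out as an added example that is not the baseline's own tooling: it reads an ARM template export, finds every Microsoft.Search/searchServices resource and reports settings that contradict the NS-1 and PV-1 guidance, namely a public endpoint with no firewall rules or with an over-broad IP rule, and customer-managed key enforcement that is not enabled. The template is constructed for the example; the property names (publicNetworkAccess, networkRuleSet.ipRules, encryptionWithCmk.enforcement) and the 256-address limit are assumptions to check against the schema version and policy you use.

```python
import ipaddress
import json

# Constructed template export with two search services: one permissive, one locked down.
# Names, regions and rule values are invented for the example.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Search/searchServices", "apiVersion": "2020-08-01",
         "name": "search-prod", "location": "westus2", "sku": {"name": "standard"},
         "properties": {
             "publicNetworkAccess": "enabled",
             "networkRuleSet": {"ipRules": [{"value": "0.0.0.0/0"},
                                            {"value": "203.0.113.0/24"}]},
             "encryptionWithCmk": {"enforcement": "Unspecified"}}},
        {"type": "Microsoft.Search/searchServices", "apiVersion": "2020-08-01",
         "name": "search-internal", "location": "westus2", "sku": {"name": "standard"},
         "properties": {
             "publicNetworkAccess": "disabled",
             "encryptionWithCmk": {"enforcement": "Enabled"}}},
    ],
})

# Widest address range accepted in one firewall rule (assumed policy: an IPv4 /24).
MAX_RULE_ADDRESSES = 256


def check_ip_rule(value):
    """Return a finding for a malformed or over-broad firewall rule, or None if it is acceptable."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return f"malformed IP rule {value!r}"
    if net.num_addresses > MAX_RULE_ADDRESSES:
        return f"IP rule {value} allows {net.num_addresses} addresses"
    return None


def audit_search_service(resource):
    """Findings for one Microsoft.Search/searchServices resource from the exported template."""
    props = resource.get("properties", {})
    findings = []
    # The service defaults to a public endpoint when the property is absent.
    public = str(props.get("publicNetworkAccess", "enabled")).lower()
    rules = props.get("networkRuleSet", {}).get("ipRules", [])
    if public == "enabled":
        if not rules:
            findings.append("public endpoint reachable from any IP (no firewall rules)")
        for rule in rules:
            finding = check_ip_rule(rule.get("value", ""))
            if finding:
                findings.append(finding)
    cmk = props.get("encryptionWithCmk", {}).get("enforcement", "Unspecified")
    if cmk != "Enabled":
        findings.append(f"customer-managed key enforcement is {cmk}, not Enabled")
    return findings


def audit_template(template_json):
    """Map each search service name in the template to its list of findings."""
    template = json.loads(template_json)
    return {res["name"]: audit_search_service(res)
            for res in template.get("resources", [])
            if res.get("type") == "Microsoft.Search/searchServices"}


if __name__ == "__main__":
    for name, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(name, findings or ["ok"])
```

The same conditions are what a custom Azure Policy over the Microsoft.Search aliases would evaluate at deployment time; running the check on the exported template first lets you catch drift in a pipeline before the policy engine ever sees the resource.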
PV-2: Sustain secure configurations for Azure services
Guidance: Use Microsoft Defender for Cloud to monitor your configuration baseline and enforce these configurations using Azure Policy [deny] and [deploy if not exist] effects to maintain secure configuration across your Azure Cognitive Search resources.
Use Azure Policy aliases in the "Microsoft.Search" namespace to create custom policies to alert, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-6: Perform software vulnerability assessments
Guidance: Microsoft performs vulnerability management on the underlying systems that support Azure Cognitive Search.
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
PV-8: Conduct regular attack simulation
Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings.
Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Backup and Recovery
For more information, see the Azure Security Benchmark: Backup and Recovery.
BR-1: Ensure regular automated backups
Guidance: Content stored in Azure Cognitive Search cannot be backed up through Azure Backup or any other built-in mechanism, but you can rebuild an index from application source code and primary data sources, or build a custom tool to retrieve and store indexed content.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
BR-3: Validate all backups including customer-managed keys
Guidance: Azure Cognitive Search currently doesn't support automated backup for data in a search service and must be backed up and restored via a manual process. Periodically perform data restoration of content you have manually backed up to ensure the end-to-end integrity of your backup process.
Periodically ensure that you can restore backed-up customer-managed keys.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
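The custom retrieve-and-store tool BR-1 mentions and the restore validation BR-3 asks for, as an added example that is not part of the baseline or of any Microsoft SDK: documents are pulled with keyset paging (order by the key field, then filter on key greater than the last one seen, the pattern that avoids deep `$skip` limits), written as JSON Lines, and the backup is verified against the live index by document count and by an order-independent SHA-256 digest. The in-memory index and the `fetch_page` callable that stands in for the REST search call are constructed for the example; the `$orderby`/`$filter` query shape it imitates is an assumption to confirm against the API version you use.

```python
import hashlib
import json

# Constructed stand-in for the documents in an index whose key field is HotelId.
SAMPLE_INDEX = [
    {"HotelId": "1", "HotelName": "Stay-Kay City Hotel", "Rating": 3.6},
    {"HotelId": "10", "HotelName": "Countryside Hotel", "Rating": 3.8},
    {"HotelId": "2", "HotelName": "Old Century Hotel", "Rating": 3.2},
    {"HotelId": "3", "HotelName": "Gastronomic Landscape Hotel", "Rating": 4.8},
    {"HotelId": "4", "HotelName": "Sublime Palace Hotel", "Rating": 4.6},
]


def make_fake_fetch_page(docs, key_field):
    """Imitate `$orderby=<key> asc&$filter=<key> gt '<last>'&$top=<n>` (assumed query shape)
    against an in-memory document set; a real tool replaces this with the REST call."""
    ordered = sorted(docs, key=lambda d: d[key_field])

    def fetch_page(after_key, page_size):
        page = [d for d in ordered if after_key is None or d[key_field] > after_key]
        return page[:page_size]
    return fetch_page


def export_index(fetch_page, key_field, page_size=2):
    """Pull every document with keyset paging and return them in key order."""
    exported, after = [], None
    while True:
        page = fetch_page(after, page_size)
        if not page:
            break
        exported.extend(page)
        after = page[-1][key_field]     # continue strictly after the last key seen
    return exported


def write_backup(docs):
    """Serialize documents as JSON Lines with sorted keys so the file is diff-friendly."""
    return "".join(json.dumps(d, sort_keys=True) + "\n" for d in docs)


def load_backup(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def canonical_digest(docs, key_field):
    """Order-independent SHA-256 over canonical JSON; equal digests mean identical content."""
    h = hashlib.sha256()
    for d in sorted(docs, key=lambda d: d[key_field]):
        h.update(json.dumps(d, sort_keys=True, separators=(",", ":")).encode())
        h.update(b"\n")
    return h.hexdigest()


def verify_backup(backup_text, fetch_page, key_field):
    """BR-3 check: the stored copy must match the live index in count and digest."""
    restored = load_backup(backup_text)
    live = export_index(fetch_page, key_field)
    return (len(restored) == len(live)
            and canonical_digest(restored, key_field) == canonical_digest(live, key_field))


if __name__ == "__main__":
    fetch = make_fake_fetch_page(SAMPLE_INDEX, "HotelId")
    backup = write_backup(export_index(fetch, "HotelId"))
    print(f"{len(load_backup(backup))} documents, verified={verify_backup(backup, fetch, 'HotelId')}")
```

Two caveats for a real service: fields marked non-retrievable in the index definition never come back from a query, so a document export cannot capture them, and the index definition itself (fields, analyzers, scoring profiles) has to be exported separately before the content can be rebuilt from the backup.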
BR-4: Mitigate risk of lost keys
Guidance: Ensure you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Next steps
- See the Azure Security Benchmark V2 overview
- Learn more about Azure security baselines