Are you doing “cloud security”? I feel that the number of companies operating information systems in the cloud is increasing. On the other hand, there are many cases of information leakage in the cloud.
In this article, we will use Microsoft Azure to explain to cloud operators what kind of security measures and what kind of approach they can take as a security consultant.
Cases of Security Incidents in Azure Users
How many security incidents are occurring in a company that operates the cloud? Gartner’s “5 Things You Must Absolutely Get Right for Secure IaaS and PaaS” research report states, “By 2021, 50% of companies unknowingly make the mistake of exposing some IaaS storage services, network segments, application and APIs to the internet in public settings. It has increased from 25% at the end of 2018”, and the following describes important cloud protection methods in the report:
- Get identity and access management (IAM) permissions right by using cloud-native controls to maintain least privilege access to sensitive data.
-Encrypt all data at rest using customer-controlled keys.
-Use zero trust network access (ZTNA) and microsegmentation to reduce risk and contain breaches.
-Scan continuously for unsecure configurations using cloud security posture management (CSPM) tools.
-Capture and analyze all logs using cloud-native threat detection and enterprise security information and event management (SIEM) tools.
Source:Gartner. 5 Things You Must Absolutely Ger Right for Secure IaaS and PaaS. Tom Croll. 7 May 2020.
There is a document entitled “12 Dangerous Traps: Cloud Security Threats + 2017 Incident Case Studies” published by Cloud Security Alliance Japan Chapter (CSA-JC), as a reference for cases of information leakage that occurred because use of identity and access control privileges in the cloud was not appropriate. The documentation, examples, and control measures, are posted on what kind of security incident would have a business impact based on the actual security incident, so it is good reading material.
So, what is the situation where Azure is not “properly using identity and access control privileges”? As to AWS users, I have seen several news references about security incidents caused by improper configuration of a cloud storage service called Amazon S3. When I was investigating security incidents caused by improper setting of Azure Blob Storage, which is a similar storage service in Azure, I found many cases of security incidents. The following are just a few examples:
- Thousands of customer records exposed after serious data breach
- Cayman Islands Bank Records Exposed in Open Azure Blob
- Exposed Azure bucket leaked passports, IDs of volleyball reporters
Information leaked due to improper settings of Azure Blob Storage includes data such as user IDs, email addresses, credit card numbers, invoices, financial information, system design documents, and other confidential information. The detection was possible because logs were collected, the leak was discovered while analyzing something, or a third party reported the incident. If the logs in Azure are not retrieved, you won’t notice the leak. It is the user’s responsibility to set the log acquisition.
Updated Responsibility Sharing Model
When it comes to the security measures in operating cloud services, it is very important that the boundary of responsibility lies between the user and the cloud provider.
However, in recent years, there are some models of cloud use that have adopted container and serverless architecture, and the responsibility boundary has remained unclear. Recently, Cloud Security Alliance (CSA) announced a responsibility sharing model for new service models that have evolved, such as Managed Kubernetes as a Service (K8s-aaS), Container-as-a-Service (CaaS), Function-as-a-Service (FaaS), and NoCode-as-a-Service (NCaaS), based on traditional SaaS, PaaS and IaaS.
Source:The Evolution of Cloud Computing and the Updated Shared Responsibility
Now that it is clear to what extent security measures need to be taken by cloud users, based on the new responsibility sharing model, it has become necessary to reconfirm security measures in the cloud of your own organization. What can be said about either model is that the user is responsible for the security of data in the cloud.
* To see which cloud services are applicable to each model, check CSA site
Security Approach for Azure Users
A while ago, security was treated as something very annoying. I often heard that “security is only a cost” and “security interferes with development”. However, in this era of cloud usage, security measures have emerged as guardrails that drive businesses, rather than gates that stop businesses. One of them is Microsoft Azure Well-Architected Framework.
Microsoft Azure Well-Architected Framework helps improve the quality of workloads and consists of the following key elements: cost optimization, operation excellence, performance efficiency, reliability, and security. Above all, when it comes to security, Microsoft says that it considers security throughout the life cycle of an application, from design and implementation, to deployment and operation, which is the best guidance in Azure. Microsoft has described the following items in the “Security Design Principles” in Azure to explain a system securely designed:
- Align security priorities with mission
- Build a comprehensive strategy
- Promote simplicity
- Design with the attacker in mind
- Take advantage of native control
- Use ID as primary access control
- Adopt automation
- Focus on protecting information
- Design with resilience in mind
- Baseline and benchmark
- Promote continuous improvement
- Assume zero trust
- Educate and promote security
It is obvious there aren’t many Azure users who can cover all of these principles, but we strongly recommend that you review your system again. However, even if you try to check the security status of Azure usage environment, it may be difficult to figure out where to check. In such a case, you can use a service called Azure Security Center, provided by Microsoft, that evaluates, visualizes, and protects the status of security measures.
Azure Security Center is a service that provides integrated security management and advanced threat protection across cloud workloads. In recent years, it has become a service to cover cloud security posture management (CSPM) and cloud workload protection platform (CWPP), which were born as two new security measures.
Azure Security Center checks according to the Azure Security Benchmark, which gathers the essences of control items defined in CIS Controls v7.1 and NIST SP800-53 r4. NIST SP800-53 is a guideline for “Security and Privacy Controls for Federal Information Systems and Organizations” published by the National Institute of Standards and Technology (NIST).
Figure : Azure Security Center
It is also possible to protect your workload by combining it with Azure Defender, but this feature will be chargeable.
Figure : Azure Defender Plan
First, we recommend evaluating how many security measures are available by default in the Azure environment.
System Hardening Using CIS Benchmarks
To take all possible security measures, it is necessary to check the security measures that cannot be confirmed by Azure Security Center. Here, we will look at what kind of approach can be taken to deal with the built-in vulnerabilities and qualities that are mixed from the design stage (basic design, detail design, operational design, etc.).
The following figure shows the review criteria for each process when the risks from system planning to system/operation test process are tabulated.
By taking security measures from the design process in consideration of Security of Design, it is possible to facilitate maintenance in the post-process and reduce the cost of security measures in the operation process. Here, we will explain the approach of system hardening based on CIS Benchmarks for detailed design.
CIS Microsoft Azure Foundations Benchmarks is the prescriptive guidance provided by CIS for establishing a secure baseline configuration for Azure. It is intended for establishing a foundational level of security for all uses adopting Azure. It may be necessary to make specific adjustments depending on the environment.
This article is intended for system and application administrators, security specialists, auditors, help desks, and those who oversee platform release, who are planning solution development, release evaluation, or secure solutions. The latest release at the time of writing this article is v1.3.0 (released on February 1, 2021). Documents are distributed in MS Excel, MS Word, and PDF format.
Let’s take the first two items listed in CIS Microsoft Azure Foundations as an example:
1.1 Ensure that multi factor authentication is enabled for all privileged users (Level1）
1.2 Ensure that multi factor authentication is enabled for all non privileged users(Level2）
Regarding those two, it is shown that common multi-factor authentication measures are taken, but Level 1 targets privileged users, while Level 2 targets non-privileged users. Level 2 is recommended for environments that require a higher level of security. The documentation mentions the rationale, impact, and auditing methods for further action.
Let’s take the following Azure environment as an example:
- Connect to private cloud via the company’s on-premise base (OA environment) and leased line service
- Internal system in Azure environment can be accessed from OA environment
- Access to storage services with a private link connection is available
CIS Microsoft Azure Foundations Benchmark says “6.5 Ensure that Network Watcher is ‘Enabled’”. Network Watcher is a compelling feature you want to enable if services that monitor resources, diagnose, view metrics, and enable logging in Azure virtual network are disabled, but note that it may incur very high costs depending on the environment when used continuously.
Some organizations may not have the budget and may not be able to enable it immediately. There are many things to consider when enabling it. At this point, it is necessary to consider a rough basic design, detailed design, and operational design.
- How much it costs in the current environment
- How to safely store logs
- How to monitor logs
- How to analyze logs
- How to alert at detection
- What the contact flow in case
- Whether the security measures stop the business
If the operation design process that is not described in CIS Benchmarks is not defined, you will end up only paying for log generation.
You may say “it can be covered with operation”, but it just leaves all inconvenience for the system development side up to the operation staff. It is recommended to build and apply security as a guardrail, that makes it easy for businesses to drive, by designing with Security by Design in mind (basic design, detailed design, operational design) at an earlier phase, rather than taking ad hoc security measures when something happens.
CIS Benchmarks defines the detailed parameters not only of cloud service platform such as AWS, Google Cloud, and Oracle Cloud Infrastructure in addition to Azure, but also each version of products and services such as various OSs, servers, network devices, mobile devices, databases, and applications, and currently provides more than 180 documents.