Mastering Azure Security Second Edition
Keeping your Microsoft Azure workloads safe
Mustafa Toroman, Tom Janetscheck
BIRMINGHAM—MUMBAI
Mastering Azure Security Second Edition
Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha
Publishing Product Manager: Shrilekha Malpani
Senior Editor: Athikho Sapuni Rishana
Content Development Editor: Sayali Pingale
Technical Editor: Arjun Varma
Copy Editor: Safis Editing
Associate Project Manager: Neil Dmello
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Ponraj Dhandapani
Marketing Coordinator: Sanjana Gupta

First published: March 2022
Production reference: 1240322

Published by Packt Publishing Ltd.
Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.

ISBN 978-1-80323-855-5
www.packt.com
Contributors

About the authors

Mustafa Toroman is a solution architect focused on cloud-native applications and migrating existing systems to the cloud. He is very interested in DevOps processes and cybersecurity, and he is also an Infrastructure as Code enthusiast and DevOps Institute Ambassador. Mustafa often speaks at international conferences about cloud technologies. He has been an MVP for Microsoft Azure since 2016 and a C# Corner MVP since 2020. Mustafa has also authored several books about Microsoft Azure and cloud computing, all published by Packt.

Thanks to my patient wife, who tolerates my never-ending side projects. Without her putting up with me, I would not be able to do a fraction of what I do. I would also like to thank my family for all the support, my mother for making great sacrifices for me to be here today, my father for believing in me, my brother for being who he is. Another thank you to Bakir, my mentor who steered me in the direction I am still on. Thank you to my Infra team; although I left, you are my brothers and the best team in the world. I would like to thank Sasa and Adis for being my faithful advisors. And last but not least, thanks to Tom for being my partner in crime on this one.

Tom Janetscheck is a senior program manager at Microsoft's Cloud Security CxE team for Microsoft Defender for Cloud. Prior to this, he worked in different internal and external IT and consulting roles for almost two decades, with a strong focus on cloud infrastructure, architecture, and security. As a well-known international conference speaker, tech blogger, and book author, and as one of the founders and organizers of the Azure Saturday community conferences, the former Microsoft MVP is actively taking his experience into international tech communities. In his spare time, Tom is an enthusiastic motorcyclist, scuba diver, guitarist, bassist, rookie drummer, and station officer at a local fire department.

I would like to thank my wife and sons for always supporting me in whatever I do and for being my bastion of calm; I would also like to thank my great friend, Mustafa Toroman, for collaborating on this project, and also thanks to my great friend and team lead, Yuri Diogenes, for always pushing and helping me to overcome limits! Thanks to our wider team's manager, Rebecca Halla, my director, Nicholas DiCola, and our entire Defender for Cloud CxE team: Bojan, Fernanda, Future, Liana, Safeena, Shay, and Stan – you folks definitely rock and it's my pleasure to work with all of you every day! Also, thank you to the entire Defender for Cloud Engineering/Dev teams for your dedication, enthusiasm, and partnership to make Defender for Cloud the great platform it is today. Last but not least, special thanks to Ben Kliger, who encouraged me to move out of my comfort zone and to take the step into Defender for Cloud engineering; this move changed my life!

About the reviewer

Matt Hansen is a cloud solution architect at Microsoft who focuses on Azure infrastructure and security. He has been involved in the industry for 15 years as an engineer and architect and has been working with Azure since 2013. Matt serves as a subject matter expert, advisory committee member, and adjunct professor for cloud and security technologies. Matt holds over 50 industry certifications, including CCSP, CISSP, Azure Security Engineer, and Azure Network Engineer, and has held all versions of the Azure Solutions architecture certifications. Matt holds a BS in network engineering, an MS in engineering management, and an MS in information systems security.

I attribute much of my accomplishments in life, including this, to my wonderful wife, Heather, who has supported me through everything I've done; I wouldn't be where I am today without you. I also want to thank Packt for this wonderful opportunity. The world of cybersecurity is ever-changing, and I'm excited to have been a part of this book, enabling organizations to build safe and secure environments on Microsoft Azure.
Table of Contents

Preface

Section 1: Identity and Governance

Chapter 1: An Introduction to Azure Security
    Exploring the shared responsibility model
        On-premises
        IaaS
        PaaS
        SaaS
        Division of security in the shared responsibility model
    Physical security
    Azure network
    Azure infrastructure availability
    Azure infrastructure integrity
    Azure infrastructure monitoring
    Understanding Azure security foundations
    Summary
    Questions

Chapter 2: Governance and Security
    Understanding governance in Azure
    Using common sense to avoid mistakes
    Using management locks
    Using management groups for governance
    Understanding Azure Policy
        Mode
        Parameters
        Policy assignments
        Initiative definitions
        Initiative assignments
        Policy exemptions
        Policy best practices
    Defining Azure blueprints
        Blueprint definitions
        Blueprint publishing
    Azure Resource Graph
        Querying Azure Resource Graph with PowerShell
        Querying Azure Resource Graph with the Azure CLI
        Advanced queries
    Summary
    Questions

Chapter 3: Managing Cloud Identities
    Exploring passwords and passphrases
        Dictionary attacks and password protection
    Understanding MFA
        How to enable MFA in Azure AD
        MFA activation from a user's perspective
    Introducing security defaults
    Using Conditional Access
        Named locations
        Custom controls
        Terms of use
        Conditional Access policies
    Introducing Azure AD Identity Protection
        Azure AD Identity Protection at a glance
        Global settings
    Understanding role-based access control
        Creating custom RBAC roles
    Protecting admin accounts with Azure AD PIM
        Managing Azure AD roles in PIM
        Managing Azure resources with PIM
    Hybrid authentication and Single Sign-On
    Understanding passwordless authentication
    Licensing considerations
    Summary
    Questions

Section 2: Cloud Infrastructure Security

Chapter 4: Azure Network Security
    Understanding Azure Virtual Network
    Connecting on-premises networks with Azure
        Creating an S2S connection
        Connecting a VNet to another VNet
        VNet service endpoints
        Private endpoints
    Considering other VNet security options
        Azure Firewall deployment and configuration
        Azure DDoS protection
        Azure Bastion
    Hub-and-spoke network topology
        Hub VNet
    Understanding Azure Application Gateway
    Understanding Azure Front Door
    Summary
    Questions

Chapter 5: Azure Key Vault
    Understanding Azure Key Vault
    Understanding access policies
    Understanding service-to-service authentication
    Understanding managed identities for Azure resources
    Using Azure Key Vault in deployment scenarios
        Creating an Azure Key Vault and secret
        Azure VM deployment
    Summary
    Questions

Chapter 6: Data Security
    Technical requirements
    Understanding Azure Storage
    Understanding Azure virtual machine disks
    Working on Azure SQL Database
    Summary
    Questions

Section 3: Security Management

Chapter 7: Microsoft Defender for Cloud
    Introducing Microsoft Defender for Cloud
    Enabling Microsoft Defender for Cloud's enhanced security
        Enabling Microsoft Defender for Cloud
        Using auto-provisioning to deploy extensions
    Cloud Security Posture Management with Defender for Cloud
        Working with recommendations
        How to prioritize remediation
        Working with resource exemptions
    Custom policies and (regulatory) compliance
        Using the regulatory compliance dashboard
        Working with regulatory compliance standards
    Cloud workload protection and multi-cloud capabilities
        Microsoft Defender for Servers
        Microsoft Defender for Containers
        Threat detection summary
    Automating security
        Continuous export
        Workflow automation
        REST APIs
    Multi-cloud capabilities in Microsoft Defender for Cloud
    Summary
    Questions

Chapter 8: Microsoft Sentinel
    Introduction to SIEM
    Getting started with Microsoft Sentinel
    Configuring data connectors and retention
    Working with Microsoft Sentinel dashboards
    Setting up rules and alerts
    Microsoft Sentinel automation
    Creating workbooks
    Using threat hunting and notebooks
    Advanced threat detection
    Using community resources
    Summary
    Questions

Chapter 9: Security Best Practices
    Log Analytics design considerations
    Understanding Azure SQL Database security features
    Security in Azure App Service
    Storage account access keys
    Summary
    Questions

Assessments

Index

Other Books You May Enjoy
Preface

Security is built into every cloud platform, but most users take cloud security for granted. Revised to cover product updates up to early 2022, this book will help you understand Microsoft Azure's shared responsibility model, cybersecurity in the cloud, and how to design secure solutions in Microsoft Azure.
Who this book is for

This book is for Azure cloud professionals, Azure architects, and security professionals looking to implement safe and secure cloud services using Microsoft Defender for Cloud (formerly Azure Security Center) and other Azure security features. A fundamental understanding of security concepts and prior exposure to the Azure cloud will help with understanding the key concepts covered in the book.
What this book covers

Chapter 1, An Introduction to Azure Security, covers how the cloud is changing IT, and security is no exception. Cybersecurity requires a different approach in the cloud, and we need to understand what the differences are, which new threats exist, and how to tackle them.

Chapter 2, Governance and Security, explains how to create policies and rules in Microsoft Azure in order to set standards, enforce them, and maintain quality levels.

Chapter 3, Managing Cloud Identities, explains why identity is one of the most important parts of security, and why it matters even more in the cloud. You'll learn how to keep identities secure in Microsoft Azure, how to keep track of access rights, and how to monitor for anomalies in user behavior.

Chapter 4, Azure Network Security, covers the network as the first line of defense in any environment. Keeping resources unreachable by attackers is a very important part of security, and you'll learn how to achieve this in Microsoft Azure with built-in or custom tools.

Chapter 5, Azure Key Vault, explains how to manage secrets and certificates in Azure and how to deploy resources to Microsoft Azure securely with Infrastructure as Code.

Chapter 6, Data Security, covers how to protect data in the cloud with additional encryption, using either Microsoft-managed or customer-managed encryption keys.

Chapter 7, Microsoft Defender for Cloud, covers how to use Defender for Cloud to detect threats in Microsoft Azure, on-premises, and in other clouds, and how to view assessments, reports, and recommendations in order to improve your cloud security posture.

Chapter 8, Microsoft Sentinel, covers how to use Microsoft Sentinel to monitor security for your Azure and on-premises resources, including detecting threats early and using artificial intelligence to analyze and investigate them. Using Microsoft Sentinel to automate responses to security threats and stop them immediately is also covered.

Chapter 9, Security Best Practices, introduces best practices for Azure security, including how to set up a hardened Azure environment, how to find the less obvious security features spread across Azure, and other tools that may help you increase security in Microsoft Azure.
To get the most out of this book You will require the following software, which is open source and free to use, except for Microsoft Azure, which is subscription-based and billed based on usage per minute. However, even for Microsoft Azure, a trial subscription can be used.
If you are using the digital version of this book, we advise you to type the code yourself or access the code via the GitHub repository (link available in the next section). Doing so will help you avoid any potential errors related to the copy/pasting of code.
Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781803238555_ColorImages.pdf.
Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Mastering-Azure-Security-SecondEdition. In case there's an update to the code, it will be updated on the existing GitHub repository. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in the text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Behind the parameters section, there is a resource section in which the key vault reference is defined."

A block of code is set as follows (PowerShell; the backtick at the end of each line is the PowerShell line-continuation character, which the extraction had rendered as an apostrophe):

# Grant your user account access rights to Azure Key Vault secrets
# $kvName and $rgName hold the vault and resource group names;
# (Get-AzContext).Account.Id is the UPN of the signed-in Az account
Set-AzKeyVaultAccessPolicy `
    -VaultName $kvName `
    -ResourceGroupName $rgName `
    -UserPrincipalName (Get-AzContext).Account.Id `
    -PermissionsToSecrets get, set

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click on Review + create and after the final validation is passed, click Create."

Tips or Important Notes
Appear like this.
Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, select your book, click on the Errata Submission Form link, and enter the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Share Your Thoughts Once you've read Mastering Azure Security, we'd love to hear your thoughts! Scan the QR code below to go straight to the Amazon review page for this book and share your feedback.
https://packt.link/r/1803238550
Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
Section 1: Identity and Governance

This section deals with cybersecurity in the cloud, as well as how to create and enforce policies in Azure and how to manage and secure identities in Azure.

This part of the book comprises the following chapters:

• Chapter 1, An Introduction to Azure Security
• Chapter 2, Governance and Security
• Chapter 3, Managing Cloud Identities