Overview
Microsoft Azure is a cloud hosting platform that offers cloud computing and infrastructure services.
Secureframe scans various Azure resources and configurations to ensure compliance and automatically gather evidence.
Connecting the Integration
To integrate Azure with Secureframe, navigate to Integrations and search for “Azure” on the “Available Integrations” page. Click “Connect” and follow the steps in the connection form.
Secureframe now integrates with both Organization & Subscription. To connect a Subscription, an Organization must also be connected.
Connecting at different levels of the hierarchy (Organization & Account)
Azure allows users to manage connections at various levels in the hierarchy e.g. Management groups and subscriptions. Secureframe allows you to integrate with the Organization level as well as the subscription (child) connection in order to:
- Make it easier to pull in and set up multiple account connections under an organization at once, allowing you to save time
- Provide a cleaner experience in organizing and managing the different levels of the hierarchy enabled in your Azure account
- Make it easier to identify accounts by automatically discovering accounts associated to your organization
- Make it easier to exclude the accounts that you do not want to sync with Secureframe
Manage connections/sync
You can now easily manage your subscription (child) connections directly from the Integrations page.
- To sync all accounts under a connection click the sync button
- In order to sync or manage only specific accounts under a connection, click the # of connections
- You can now view and manage the settings, rename the connection, reconnect and archive a subscription(child) account directly from this screen
Migrating existing connections in Secureframe to Parent/Child connections
If you already have multiple Azure accounts set up as separate connections in Secureframe and you want to take advantage of managing your connections through the parent/child connection. Follow these steps.
-
- Archive any individual existing subscription connections you have that you are expecting to be pulled in by the organization connection. Note: if you have any subscription connections that you’re not expecting to be brought in by the organization connection, you do not need to archive those subscription accounts in Secureframe.
-
- Click the kebab menu on individual subscription accounts
- Click archive
-
- Once your connections have been archived, click on available connections, search for “Azure” and click “add connection” or “connect” under Azure.
- Follow the steps outlined in the connection form under “Azure Management Group”.
- Click “retrieve subscriptions” (step 9) in the connection form to retrieve the list of all subscription accounts, where you will be able to select from the list of subscription accounts any that you do not want to integrate with Secureframe.
- Click start connection. When completed you will now be able to see the number of child connections under an organization account (and their details) directly in the main integrations page.
- When you click on the number of child (subscription) connections, you will be able to see details of the subscription connections and be able to:
- Filter through child connections
- Sync individual child connections or sync all subscription accounts under the organization
- Rename the connection (organization or subscription connection)
- Exclude any individual subscription connections you don’t want integrated with Secureframe
- Archive any individual existing subscription connections you have that you are expecting to be pulled in by the organization connection. Note: if you have any subscription connections that you’re not expecting to be brought in by the organization connection, you do not need to archive those subscription accounts in Secureframe.
Azure test permissions error
What is this error?
There are some permissions that the Azure integration purposefully does not initially ask for, for a variety of reasons. This includes the permissions necessary for certain tests related to KeyVault keys and secrets.
How can I resolve this error?
You will need to provide us with an additional role called Key Vault Reader.
You can read more about the specific permissions in Key Vault Reader here.
Please note that according to the Azure documentation, this role "cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model."
How to provide Key Vault Reader permissions:
Click "Access Control (IAM)"
Click "Add".
Click "Add role assignment".
Search for Key Vault Reader.
Click "view" on the "Key Vault Reader" row.
Click "Select Role".
Click "Next".
Click "Select members".
Select Secureframe.
Click "Select".
Click "Next".
Click "Review + assign".
Alternatively you may create a custom role with the following permissions and assign it to the Secureframe member:
- actions: "Microsoft.KeyVault/vaults/*/read"
- dataActions: "Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
How safe is it to grant these permissions?
Support cannot say what is right for your environment and your level of risk tolerance. Please review the required permissions along with the benefits of these tests and have a conversation with your security staff.
SOC 2 controls covered by connecting Azure
The following SOC 2 controls are automatically covered by connecting your Azure account:
- The company maintains a list of system components, owners, and their business function
- The company uses logging and monitoring software to collect data from servers and endpoints, detect potential security threats and unusual system activity, and monitor system performance
- The company uses alerting software to notify impacted teams of potential security and availability events
- Production infrastructure is restricted to users with a unique account, SSH key or access key
- Administrative access to production servers, databases, and internal administrative tools is restricted based on the principle of least privilege. Internal user access to systems and applications with customer data requires two-factor authentication in the form of user ID/password, and one-time passcode
- Passwords are required to be a minimum length
- Users are assigned unique IDs to access sensitive information
- Service data is encrypted at rest and in transit
- Encryption is used to protect the transmission of data over the internet
- System tools monitor company load balancers and notify the appropriate personnel of any events or outages based on predetermined criteria. Any issues are tracked through resolution in accordance with the Incident Response Plan
- The system is configured to operate across availability zones to support continuous availability
- Physical security controls are inherited via Azure
- Full backups are performed daily and retained in accordance with the Backup Policy
- Management has implemented intrusion prevention and detection tools to monitor network traffic to the production environment
- Firewall configurations and security groups ensure available networking ports and protocols are restricted according to the approved business rules
Available Azure Tests
Below is the list of all available tests for Azure:
| Test Title | Test Description |
| Global action restriction for file service access (Azure) | Azure file shares do not allow full write, delete, or read access control list permissions. |
| Limited number of security groups (Azure) | Azure accounts must not have excessive or redundant network security groups beyond what is necessary for business justified traffic. |
| User endpoint inventory (Airwatch) | Inventory of production user endpoints managed by Aiwatch is maintained. |
| Cloud infrastructure asset inventory (Azure) | Inventory of Azure cloud infrastructure assets is maintained. |
| Resource account limit threshold (Azure) | Monitor the total number of Azure resources in accordance to the account limit. |
| VM instance threshold (Azure) | Monitor the total number of Azure virtual machine (VM) instances in accordance to the availability set limit. |
| VM instance region threshold (Azure) | Monitor the total number of Azure virtual machine (VM) instances in accordance to the region limit. |
| LBs with backend resources (Azure) | Monitor the number of Azure load balancers without backend resources. |
| Resource location match (Azure) | Azure resource locations match resource group locations through policy. |
| SSH key rotation for cloud service providers (Azure) | Azure SSH keys are rotated at least every 365 days |
| Unique access keys for cloud service providers (Azure) | Accounts are limited to unique access keys in Azure. |
| Access key rotation for cloud service providers (Azure) | Azure access keys are rotated at least every 365 days. |
| Cryptographic key rotation for cloud service providers (Azure) | Azure cryptographic keys are configured to rotate on a periodic basis. |
| Account lockout for cloud service providers (Azure) | Repeated access attempts to Azure is limited by enforcing and account lockout policy on the user id after no more than 6 attempts. |
| Lockout duration for cloud service providers (Azure) | Azure accounts are locked for at least 30 minutes or until an administrator enables their ID. |
| Session timeout for cloud service providers (Azure) | Azure user sessions are timed out after 15 minutes of inactivity. |
| Password reuse for cloud service providers (Azure) | At minimum, the previous four passwords for Azure is prevented from being reused. |
| Password age for cloud service provider accounts (Azure) | Azure password policy is configured to require passwords to be reset regularly. |
| Vendor-supplied network defaults for cloud service providers (Azure) | Vendor-supplied network defaults are removed from Azure |
| Password reset for cloud service provider accounts (Azure) | Password for first time use is set to a unique value and requires a change immediately after use in Azure. |
| Hard drive encryption for user endpoints (Airwatch) | Validate that all in-scope devices are configured to enforce hard drive encryption. |
| Anti-malware enforcement for user endpoints (Airwatch) | Anti-malware on user endpoints is enforced via AirWatch |
| Screen lock enforcement for user endpoints (Airwatch) | Screens lock on production user endpoints after a maximum of 15 minutes of inactivity, enforced via AirWatch |
| Automatic security update enforcement for user endpoints (Airwatch) | Automatic security updates are enforced on user endpoints via AirWatch |
| Firewall enforcement for user endpoints (Airwatch) | Local firewall cannot be disabled by the user and log continuously on production user endpoints, enforced via AirWatch |
| Password policy enforcement for user endpoints (Airwatch) | Validate that all in-scope devices are configured to enforce strong passwords. |
| Anti-malware for cloud infrastructure (Azure) | Anti-malware on production Azure servers is utilized, scans adhere to a routine scan schedule, virus definitions are regularly updated, and logs are continuously generated. This includes the ability to scan files in real time. |
| Load balancers for cloud infrastructure traffic (Azure) | Load balancers are utilized in Azure. |
| Firewalls for web application(s) (Azure) | Web application firewalls are implemented in front of sensitive public-facing components in Azure. |
| VM availability sets (Azure) | Azure virtual machines (VM) are configured to enable availability sets. |
| File service BYOK encryption at rest (Azure) | Azure file services are encrypted via a customer-provided key. |
| Blob service BYOK encryption at rest (Azure) | Azure blob services are encrypted via a customer-provided key. |
| Activity log container public access restriction (Azure) | Azure Activity log containers must be configured to restrict public access. |
| Storage account non-trusted Microsoft service restriction (Azure) | Azure storage accounts are configured to allow for trusted Microsoft services access. |
| SQL server audit retention policy (Azure) | Azure SQL servers must have an audit retention policy. |
| Storage account non-trusted network restriction (Azure) | Azure storage account access is restricted to only trusted networks. |
| Administrator security alerts are configured (Azure) | Email notifications for security alerts are set up in Azure. |
| MySQL server SSL connection (Azure) | Azure MySQL servers are configured to use SSL connections. |
| PostgreSQL server SSL connection (Azure) | Azure PostgreSQL servers are configured to use SSL connections. |
| PostgreSQL server connection logs (Azure) | Azure PostgreSQL servers have connection logs enabled. |
| PostgreSQL server duration logs (Azure) | Azure PostgreSQL servers have duration logs enabled. |
| VM agents for Defender for Cloud (Azure) | Azure VMs must have agents installed to leverage Defender for Cloud. |
| Virtual Machine automated patching (Azure) | Validate that your Azure Virtual Machines (VMs) are configured to perform automated patching. This test is considered passing if all Azure VMs are configured to automatically apply patches. |
| Microsoft Defender for Cloud (Azure) | Azure Microsoft Defender for Cloud uses adaptive application controls. |
| App Services HTTPS connection (Azure) | Azure App Services are configured to enable HTTPS only connections. |
| SQL server public access restriction (Azure) | Azure SQL servers are configured to restrict public access. |
| Storage account HTTPS connection (Azure) | Azure storage accounts are configured to enable HTTPS only connections. |
| Storage account AAD authentication (Azure) | Azure file shares are configured to enable Azure Active Directory (AAD) authentication. |
| Microsoft Defender autoprovisioning (Azure) | Azure Microsoft Defender for Cloud autoprovisions agents and extensions. |
| Microsoft Defender alerts for SQL (Azure) | Azure Microsoft Defender alerts must be sent to SQL admin for monitoring purposes. |
| Blob container public access restriction (Azure) | Azure Blob containers are configured to restrict public access. |
| Log Profile archiving (Azure) | Azure Log Profile must be configured to export activity data from the control and management planes, which can be referenced during an incident. |
| Event Hub log retention (Azure) | Azure logs must be retained for at least 365 days. |
| Network security group port restriction (HDFS NameNode WebUI) (Azure) | Azure Network security groups must be configured for least functionality (HDFS NameNode WebUI). |
| Activity log storage account encryption at rest (Azure) | Azure activity log storage accounts are encrypted via a customer-provided key. |
| Storage account encryption at rest (Azure) | Azure storage accounts are configured to encrypt data-at-rest. |
| SQL server transparent data encryption at rest (Azure) | Azure SQL servers are configured to utilize customer-managed transparent data encryption (TDE) protector. |
| CDN endpoint logging (Azure) | Azure logging must be enabled for all CDN endpoints. |
| Blob container data restrictions (Azure) | Azure Blob containers are configured to restrict data deletion and modification. |
| Kubernetes cluster RBAC authentication (Azure) | Azure Kubernetes clusters are configured to enable Azure role-based access control (RBAC) for authentication. |
| App Services client certificates (Azure) | Azure App Services are configured to enable client certificates. |
| Container registry administrator account is disabled | Container registries are configured to disable the administrator account |
| Virtual Machine disk encryption at rest (Azure) | Azure virtual machines (VM) are configured to enable disk encryption. |
| PostgreSQL server disconnection logs (Azure) | Azure PostgreSQL servers have disconnection logs enabled. |
| PostgreSQL server error reporting and logging (Azure) | Azure PostgreSQL servers have error reporting and logging enabled. |
| App service managed identities (Azure) | Azure App Service uses managed identities from Azure Active Directory. |
| App Services HTTP 2.0 connection (Azure) | Azure App Services is configured to enable HTTP 2.0. |
| Virtual Machine OS disk encryption at rest (Azure) | Azure virtual machines (VM) are configured to enable VM OS disk encryption. |
| Centralized key vault storage (Azure) | Store all Azure keys in Key Vault. |
| VM scale set multiple zone configuration (Azure) | Azure virtual machine (VM) scale sets are configured for multiple zones. |
| Key vault soft delete and purge protection (Azure) | Azure key vaults are configured to enable soft delete and purge protection settings. |
| App Services patching (PHP) (Azure) | Validate that Azure App Services are configured with the latest version of PHP. This test is considered passing if all Azure App Services are operating on the latest available version of PHP. |
| Audit action groups enabled for SQL servers (Azure) | Azure audit action groups must be enabled on all SQL servers. |
| Network Security Group log routing (Azure) | Azure Network Security Group logs must be routed to Azure Monitor for log monitoring and management |
| Network security group port restriction (Telnet) (Azure) | Azure Network security groups must be configured for least functionality (Telnet). |
| Network security group port restriction (CIFS) (Azure) | Azure Network security groups must be configured for least functionality (CIFS). |
| Network security group port restriction (NetBIOS) (Azure) | Azure Network security groups must be configured for least functionality (NetBIOS). |
| Network security group port restriction (VNC Server) (Azure) | Azure Network security groups must be configured for least functionality (VNC Server). |
| Network security group port restriction (RDP) (Azure) | Azure Network security groups must be configured for least functionality (RDP). |
| Network security group port restriction (Kibana) (Azure) | Azure Network security groups must be configured for least functionality (Kibana). |
| Network Watcher enabled (Azure) | Azure virtual networks must have network watcher enabled. |
| Key Vault log monitoring (Azure) | Azure Key Vault Log Analytics logs must be routed to Azure Monitor for log monitoring and management |
| App Services patching (Python) (Azure) | Validate that Azure App Services are configured with the latest version of Python. This test is considered passing if all Azure App Services are operating on the latest available version of Python. |
| Virtual network subnets (Azure) | Azure virtual networks are configured with multiple subnets. |
| Network security group port restriction (VNC Client) (Azure) | Azure Network security groups must be configured for least functionality (VNC Client). |
| Network security group port restriction (RPC) (Azure) | Azure Network security groups must be configured for least functionality (RPC). |
| Network security group port restriction (Salt) (Azure) | Azure Network security groups must be configured for least functionality (Salt). |
| Network security group port restriction (SMTP) (Azure) | Azure Network security groups must be configured for least functionality (SMTP). |
| Network security group port restriction (Oracle) (Azure) | Azure Network security groups must be configured for least functionality (Oracle). |
| Network security group port restriction (Docker) (Azure) | Azure Network security groups must be configured for least functionality (Docker). |
| Network security group port restriction (DNS) (Azure) | Azure Network security groups must be configured for least functionality (DNS). |
| Network security group port restriction (MySQL) (Azure) | Azure Network security groups must be configured for least functionality (MySQL). |
| Network security group port restriction (HDFS NameNode) (Azure) | Azure Network security groups must be configured for least functionality (HDFS NameNode). |
| Network security group port restriction (FTP) (Azure) | Azure Network security groups must be configured for least functionality (FTP). |
| CDN endpoint origin HTTPS connection (Azure) | Azure content delivery network (CDN) endpoints with custom origin are configured to enable HTTPS. |
| Microsoft Defender protection for SQL servers (Azure) | Azure Microsoft Defender is enabled for all SQL servers. |
| SQL database backup retention (Azure) | Azure SQL databases are configured to enable backups to be restored to a recent restore point. |
| Security group traffic denial by default (Azure) | Default security group rules in Azure are configured to deny all traffic by default. |
| Load Balancer log monitoring (Azure) | Azure Load Balancer Log Analytics logs must be routed to Azure Monitor for log monitoring and management. |
| Network security group port restriction (SSH) (Azure) | Azure Network security groups must be configured for least functionality (SSH). |
| Network security group port restriction (PostgreSQL) (Azure) | Azure Network security groups must be configured for least functionality (PostgreSQL). |
| Network security group port whitelisting (Azure) | Azure Network security groups must be configured for least functionality. |
| Network security group port restriction (Oracle Auto Data Warehouse) (Azure) | Azure Network security groups must be configured for least functionality (Oracle Auto Data Warehouse). |
| Network security group port restriction (Windows SMB over TCP) (Azure) | Azure Network security groups must be configured for least functionality (Windows SMB over TCP). |
| Load Balancer HTTPS ports (Azure) | Azure load balancers are configured to only accept connections on HTTPS ports. |
| Network Security Group logging (Azure) | Azure Network Security Group logs must be sent to the Log Analytics workspace |
| VM scale set autoscaling (Azure) | Azure virtual machine (VM) scale sets are configured to enable autoscale. |
| Policy assignment alerting (Azure) | Azure Alerts service alerts on policy assignment create, update, or delete events |
| App Services encryption in transit via TLS 1.2 (Azure) | Validate that Azure App Services are configured with Transport Layer Security (TLS) 1.2 protocol. This test is considered passing if all Azure App Services are operating on TLS 1.2 protocol. |
| Security Solution alerting (Azure) | Azure alerts must be configured for the detection of Security Solution event deletion, creation, and modifications. |
| AKS cluster patching (Kubernetes) (Azure) | Validate that Azure Kubernetes Service (AKS) clusters are configured with the latest version. This test is considered passing if all AKS clusters are operating on the latest available version. |
| App Services patching (Java) (Azure) | Validate that Azure App Services are configured with the latest version of Java. This test is considered passing if all Azure App Services are operating on the latest available version of Java. |
| SQL instance availability zones scaling (Azure) | Azure SQL instances are configured to scale across multiple availability zones. |
| Security policy alerting (Azure) | Azure Alerts service alerts on security policy rule create or update events |
| SQL server firewall rule alerting (Azure) | Secureframe is updating this test to use the latest Azure SDK |
| Virtual Network alerting (Azure) | Azure Alerts service alerts on Virtual Network create, update, or delete events |
| Cosmos DB uses private endpoints (Azure) | Azure Cosmos databases are configured to use private endpoints. |
| Cosmos DB is configured for least functionality (Azure) | Azure Cosmos databases firewall rules are configured to deny by default and allow by exception. |
| Cosmos DB encryption at rest (Azure) | Azure Cosmos databases are configured to use AES-256 to encrypt data at rest. |
| Cosmos DB CMK encryption at rest (Azure) | Azure Cosmos databases are configured to use customer-managed keys to encrypt data at rest. |
| Cosmos DB encryption in transit (Azure) | Azure Cosmos databases are configured to use TLS 1.2 protocol to encrypt data in transit. |
| Cosmos DB patching (Azure) | Azure Cosmos databases are automatically upgraded and patched. |
| Cosmos DB backups (Azure) | Azure Cosmos databases are configured to enable automatic backup. |
| Cosmos DB backup retention (Azure) | Azure Cosmos databases are configured to enable backups to be restored to a recent restore point. |
| Cosmos DB high availability (Azure) | Azure Cosmos databases are configured to support high availability. |
| Cosmos DB monitoring (Azure) | Azure Cosmos database logs are configured to support after-the-fact investigations. |
| Minimum password length for cloud service providers (Azure) | Azure password policy is configured to require a minimum length of 8 characters |
| Activity log storage account encryption at rest (Azure) | Azure activity log storage accounts are encrypted at rest. |
| Least privilege for cloud service providers (Azure) | Personnel are assigned unique accounts for Azure and access is restricted based on principle of least privilege. |
| Unique SSH keys for cloud service providers (Azure) | Users are limited to unique SSH keys in Azure. |
| Identity verification prior to password reset for cloud service providers (Azure) | Azure user identity is verified before modifying authentication credentials. |
| Single primary function per server (Azure) | Only one primary function per server is implemented in Azure. |
| Secured network-related configuration files (Azure) | Azure network-related configuration files are secured from unauthorized access. |
| Storage services encryption at rest (Azure) | Azure storage services and logs are encrypted at rest |
| Secure encryption key generation, distribution, and storage (Azure) | Azure encryption keys are securely generate, distributed, and stored |
| Anti-spoofing and IP forgery protection (Azure) | Anti-spoofing measures are utilized to detect and block forged IP addresses in Azure. |
| Private IP and routing information protection (Azure) | Private IP addresses and routing information in Azure are protected from unauthorized parties. |
| Remote access encryption (Azure) | Remote access sessions are encrypted (Azure). |
| Audit log timestamps (Azure) | Internal system clock are used to generate timestamps for audit logs. Timestamps are based on UTC with a specified level of granularity. |
| Inherited physical security controls (Azure) | Physical Security controls are inherited by the Cloud Service Provider (Azure). |
| Device identifiers (Azure) | Devices are uniquely identified and authenticated to the system (Azure). |
| Symbol password requirement for cloud service providers (Azure) | Azure password policy is configured to require symbol characters. |
| Uppercase password requirement for cloud service providers (Azure) | Azure password policy is configured to require uppercase characters. |
| Numeric password requirement for cloud service providers (Azure) | Azure password policy is configured to require numeric characters. |
| Lowercase password requirement for cloud service providers (Azure) | Azure password policy is configured to require lowercase characters. |
| App Services patching (.NET Framework) (Azure) | Validate that Azure App Services are configured with the latest version of .NET. This test is considered passing if all Azure App Services are operating on the latest available version of .NET. |
| Log Storage Alerting (Azure) | The organization notifies/alerts appropriate personnel when log storage volume reaches capacity. |
<%= heading %>
Comments
0 comments
Article is closed for comments.