Disk Encryption

 

Azure disk encryption for Windows VMs

Azure Disk Encryption helps you protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and it is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

If you use Azure Security Center, it flags unencrypted VMs as a High Severity finding with a recommendation to encrypt them.

Supported VMs and Operating Systems

Supported VMs

Windows VMs are available in a range of sizes. Azure Disk Encryption is not available on Basic or A-series VMs, on VMs with less than 2 GB of memory, on Generation 2 VMs, or on Lsv2-series VMs. It is available for VMs that use premium storage.

Supported operating systems

  • Windows client: Windows 8 and later.
  • Windows Server: Windows Server 2008 R2 and later.

Networking requirements

To enable Azure Disk Encryption, the VM must meet the following network endpoint requirements:
  • To get a token to connect to your key vault, the Windows VM must be able to reach an Azure Active Directory endpoint, login.microsoftonline.com.
  • To write the encryption keys to your key vault, the Windows VM must be able to reach the key vault endpoint.
  • The Windows VM must be able to reach the Azure storage endpoint that hosts the Azure extension repository and the Azure storage account that hosts its VHD files.
  • If your security policy limits Internet access from Azure VMs, resolve the preceding URIs and configure a specific rule that allows outbound connectivity to the resulting IPs.
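The following pre-flight check, run on the VM itself, tests the outbound paths listed above before the encryption extension is pushed. It is an added example and not part of the original post; the key vault name (kv-ade-example) and storage account name (stadeexample) are hypothetical, and the exact storage host that serves the extension repository is not named here because the post does not state it.

```powershell
# Added example (not from the original post): verify that a Windows VM can reach
# the endpoints Azure Disk Encryption needs over TCP 443 before enabling it.
# Assumptions: hypothetical key vault "kv-ade-example" and storage account
# "stadeexample" in an Azure public region (hence the *.azure.net / *.core.windows.net suffixes).
param(
    [string]$KeyVaultName       = 'kv-ade-example',
    [string]$StorageAccountName = 'stadeexample'
)

$endpoints = @(
    @{ Name = 'Azure AD token endpoint';   Host = 'login.microsoftonline.com' },
    @{ Name = 'Key Vault data plane';       Host = "$KeyVaultName.vault.azure.net" },
    @{ Name = 'Storage account (VHDs)';     Host = "$StorageAccountName.blob.core.windows.net" }
)

$results = foreach ($e in $endpoints) {
    # Resolve first so a DNS failure is reported separately from a blocked port.
    $ips = try {
        (Resolve-DnsName -Name $e.Host -ErrorAction Stop | Where-Object { $_.IPAddress }).IPAddress
    } catch { @() }

    $tcp = Test-NetConnection -ComputerName $e.Host -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Endpoint   = $e.Name
        Host       = $e.Host
        ResolvedIP = ($ips -join ', ')
        Tcp443     = [bool]$tcp.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Fail loudly: if any path is blocked, enabling ADE will fail part-way through.
$blocked = $results | Where-Object { -not $_.Tcp443 }
if ($blocked) {
    Write-Error ("Outbound TCP 443 blocked to: " + ($blocked.Host -join ', ') +
                 ". Allow these hosts (or their resolved IPs) in the NSG/firewall before enabling ADE.")
}
```

The ResolvedIP column gives the addresses you would put into an outbound rule if the VM is otherwise locked down; because those addresses change, prefer the AzureActiveDirectory, AzureKeyVault and Storage service tags in the network security group where they are available, and re-run this check after any firewall change.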

Group Policy requirements

Azure Disk Encryption uses the BitLocker external key protector for Windows VMs. On domain-joined VMs with a custom BitLocker group policy, the policy must include the following setting:
Configure user storage of BitLocker recovery information ⟶ Allow 256-bit recovery key.
Azure Disk Encryption fails if custom group policy settings for BitLocker are incompatible, or if domain-level group policy blocks the AES-CBC algorithm, which BitLocker uses under Azure Disk Encryption.
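The script below, an added example rather than code from the original post, reads the BitLocker policy that group policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and flags the two conditions named above (recovery key not allowed, AES-CBC blocked by an XTS-only encryption method); it then shows how to confirm, after encryption, that each volume carries the external key protector ADE depends on. The function names are mine, and the value-to-meaning mapping for the policy values is my reading of the BitLocker policy and should be confirmed in the Group Policy editor for your Windows version.

```powershell
# Added example (not from the original post): detect BitLocker group policy
# settings that break Azure Disk Encryption, and verify the post-encryption state.
# Assumption: value meanings follow the BitLocker policy convention
# 0 = do not allow, 1 = require, 2 = allow; confirm against your GPO editor.
function Test-AdeBitLockerPolicy {
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $fve) {
        return [pscustomobject]@{ Compatible = $true; Problems = @('No BitLocker policy applied; BitLocker defaults apply') }
    }
    $problems = @()

    # "Configure user storage of BitLocker recovery information" (legacy name) writes
    # UseRecoveryDrive; the newer per-drive policy writes OSRecoveryKey.
    # 0 blocks the 256-bit recovery key that ADE needs.
    foreach ($name in 'UseRecoveryDrive', 'OSRecoveryKey') {
        $v = $fve.$name
        if ($null -ne $v -and $v -eq 0) { $problems += "$name = 0: 256-bit recovery key not allowed" }
    }

    # Encryption method policy (Windows 10 1511+): 3/4 = AES-CBC 128/256, 6/7 = XTS-AES 128/256.
    # Forcing XTS blocks the AES-CBC method BitLocker uses under ADE.
    foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv') {
        $v = $fve.$name
        if ($v -in @(6, 7)) { $problems += "$name = ${v}: policy forces XTS-AES, AES-CBC is blocked" }
    }

    [pscustomobject]@{ Compatible = ($problems.Count -eq 0); Problems = $problems }
}

function Test-AdeBitLockerState {
    # Run on the VM after ADE reports success. Requires the BitLocker PowerShell module.
    # ADE adds an ExternalKey protector; a volume without one was not encrypted by ADE.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            EncryptionMethod = $_.EncryptionMethod
            HasExternalKey   = ($_.KeyProtector.KeyProtectorType -contains 'ExternalKey')
        }
    }
}

Test-AdeBitLockerPolicy | Format-List
Test-AdeBitLockerState  | Format-Table -AutoSize
```

Run the policy check before enabling encryption and the state check after the extension reports success; a FullyEncrypted volume whose EncryptionMethod is XTS-AES and which has no ExternalKey protector was encrypted by something other than ADE, and its keys are not in your key vault.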

Encryption key storage requirements

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys as well as secrets. Your key vault and VMs must reside in the same Azure region and subscription.
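Putting the requirements above together, the Azure PowerShell (Az module) sequence below creates or prepares the key vault, checks that it sits in the same region as the VM, wraps the BitLocker secret with a key encryption key, and enables encryption on all volumes. This is an added example, not code from the original post; the resource group, VM, vault and key names are hypothetical.

```powershell
# Added example (not from the original post): enable Azure Disk Encryption on an
# existing Windows VM with the Az PowerShell module, enforcing the same-region
# requirement. Hypothetical names: rg-ade-example, vm-win-example, kv-ade-example, kek-ade-example.
$rg      = 'rg-ade-example'
$vmName  = 'vm-win-example'
$kvName  = 'kv-ade-example'
$kekName = 'kek-ade-example'

Connect-AzAccount | Out-Null   # interactive sign-in; skip if the session is already authenticated

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg

if (-not $kv) {
    # Create the vault in the VM's region. EnabledForDiskEncryption lets the Azure
    # platform read the BitLocker secrets from the vault when the VM boots.
    $kv = New-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -Location $vm.Location -EnabledForDiskEncryption
} elseif (-not $kv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption
    $kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg
}

# Same subscription is implied because both resources were fetched in the current
# Az context; the region has to be checked explicitly.
if ($kv.Location -ne $vm.Location) {
    throw "Key vault '$kvName' is in $($kv.Location) but VM '$vmName' is in $($vm.Location); ADE requires the same region."
}

# Optional key encryption key (KEK): the BitLocker secret is wrapped with this key
# before it is stored, so the vault holds a wrapped blob rather than a bare secret.
$kek = Get-AzKeyVaultKey -VaultName $kvName -Name $kekName -ErrorAction SilentlyContinue
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $kvName -Name $kekName -Destination 'Software'
}

# The extension reboots the VM; -Force suppresses the confirmation prompt.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid  -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType 'All' -Force

# Confirm both OS and data volumes report Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Use -Destination 'HSM' for the KEK when the vault is a Premium SKU and your compliance requirement calls for HSM-backed keys; the rest of the flow is unchanged.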

Azure Disk Encryption for Linux VMs

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the dm-crypt feature of Linux to provide volume encryption for the OS and data disks of Azure VMs, and it is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

Supported VMs and Operating Systems

Supported VMs

Linux VMs are available in a range of sizes. Once the OS disk encryption process is complete on a Linux VM, the VM can be configured to run with less memory. Azure Disk Encryption requires the dm-crypt and vfat modules to be present on the system: removing or disabling vfat from the default image prevents the system from reading the key volume and obtaining the key needed to unlock the disks on subsequent reboots. System hardening steps that remove the vfat module are therefore not compatible with Azure Disk Encryption.

Windows Defender Credential Guard 

By enabling Windows Defender Credential Guard, you get the following features and solutions:
  • Hardware security enhancement. NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to help protect credentials. 
  • Virtualization-based security enhancement. NTLM-derived credentials, Kerberos-derived credentials, and other secrets run in a protected environment that is isolated from the running operating system.
  • Better protection against advanced persistent threats. Although Windows Defender Credential Guard provides powerful mitigation, persistent threat attacks will likely shift to new attack techniques, so you should also incorporate Windows Defender Device Guard and other security strategies and architectures.   
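Because Credential Guard can be configured yet never actually run (for example when Secure Boot or hypervisor support is missing), the check below reports the configured and running state separately and only writes the enabling policy when the platform prerequisites are present. It is an added example, not code from the original post; the CIM class and value meanings are those of Win32_DeviceGuard, while the function and parameter names are mine.

```powershell
# Added example (not from the original post): report virtualization-based security
# (VBS) and Credential Guard state, and optionally write the registry policy that
# enables them. A reboot is required for the policy to take effect.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning    -contains 1)
        # AvailableSecurityProperties: 1 = hypervisor present, 2 = Secure Boot, 3 = DMA protection
        HypervisorAvailable       = ($dg.AvailableSecurityProperties -contains 1)
        SecureBootAvailable       = ($dg.AvailableSecurityProperties -contains 2)
        DmaProtectionAvailable    = ($dg.AvailableSecurityProperties -contains 3)
    }
}

function Enable-CredentialGuard {
    param(
        # With the UEFI lock the setting persists in firmware variables and cannot be
        # undone by a remote registry change; without it, a registry edit plus reboot
        # disables Credential Guard again.
        [switch]$UefiLock,
        [switch]$RequireDmaProtection
    )
    $state = Get-CredentialGuardState
    if (-not ($state.HypervisorAvailable -and $state.SecureBootAvailable)) {
        throw 'Hypervisor support and Secure Boot are both required; Credential Guard would be configured but never run.'
    }

    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null

    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    # RequirePlatformSecurityFeatures: 1 = Secure Boot only, 3 = Secure Boot and DMA protection
    $platform = if ($RequireDmaProtection) { 3 } else { 1 }
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value $platform -Type DWord
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = without lock, 0 = disabled
    $lsaCfg = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value $lsaCfg -Type DWord

    Write-Output "Credential Guard policy written (LsaCfgFlags=$lsaCfg, RequirePlatformSecurityFeatures=$platform). Reboot to apply."
}

Get-CredentialGuardState | Format-List
# Enable-CredentialGuard -UefiLock    # run from an elevated session; uncomment to apply
```

After the reboot, CredentialGuardRunning should be True; if only CredentialGuardConfigured is True, the hypervisor did not start and NTLM and Kerberos secrets are still held in the normal LSASS process.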

Security Center Recommendations

Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into, and control over, the security of your Azure resources. When Security Center helps safeguard your VMs, the following capabilities are available:
  • OS security settings with the recommended configuration rules
  • System security updates and critical updates that are missing
  • Endpoint protection recommendations
  • Disk encryption validation
  • Vulnerability assessment and remediation
  • Threat detection

Securing Azure Workloads with CIS Benchmark 

Microsoft's cybersecurity group, in conjunction with the Center for Internet Security (CIS), has developed best practices to help establish baselines for the Azure platform. A security baseline is a set of basic security objectives that any given service or system must meet; it establishes what you need to do, not how to do it.
The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Azure. It was tested against the listed Azure services as of March 2018, and its scope is to establish the foundational level of security for anyone adopting Azure.





