Disk Encryption

By Ashwin Venugopal -

 

Azure disk encryption for Windows VMs

Azure Disk Encryption helps you to protect and safeguard your data to meet your organizational security and compliance commitments while using the Bitlocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), also it is  integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

If you use Azure Security Center, you will be alerted about the non-encrypted VMs as High Severity with a recommendation to encrypt them.

Supported VMs and Operating Systems

Supported VMs

Windows VMs are available in a range of various sizes. Azure Disk Encryption is not available on Basic, A-series VMs, or on virtual machines with less than 2GB of memory, Generation 2 VMs, and Lsv2-series VMs. However, it is available for VMs with premium storage.

Supported operating systems

  • Windows client- Windows 8 and later.
  • Windows Server- Windows Server 2008 R2 and later.  

Networking requirements

To enable Azure Disk Encryption, the VMs must meet the following network endpoint configuration requirements:
  • To get a token to connect to your key vault, the Windows VM must be able to connect to an Azure Active Directory endpoint, [login.microsoftonline.com].
  • To write the encryption keys to your key vault, the Windows VM must be able to connect to the key vault endpoint. 
  • The Windows VM must be able to connect to an Azure storage endpoint that hosts the Azure extension repository and an Azure storage account that hosts the VHD files.
  • If your security policy limits access from Azure VMs to the Internet, then you can resolve the preceding URI and configure a specific rule to allow outbound connectivity to the IPs.

Group Policy requirements

Azure Disk Encryption uses the BitLocker external key protector for Windows VMs. Its policy on domain joined virtual machines with custom group policy must include the following setting:
Configure user storage of BitLocker recovery information⟶ Allow 256-bit recovery key. 
Azure Disk Encryption will fail if custom group policy settings for BitLocker are incompatible or if domain level group policy blocks the AES-CBC algorithm, which is used by BitLocker.

Encryption key storage requirements

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys as well as secrets. Your key vault and VMs must reside in the same Azure region and subscription.

Azure Disk Encryption for Linux VMs

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure VMs, and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

Supported VMs and Operating Systems

Supported VMs
Linux VMs are available in a range of sizes and once the OS disk encryption process is complete on Linux virtual machines, the VM can be configured to run with less memory. Azure Disk Encryption requires the dm-crypt and vfat modules to be present on the system while removing or disabling vfat from the default image will prevent the system from reading the key volume and obtaining the key needed to unlock the disks on subsequent reboots. System hardening steps that remove the vfat module from the system are not compatible with Azure Disk Encryption.

Windows Defender Credential Guard 

By enabling Windows Defender Credential Guard, you get the following features and solutions:
  • Hardware security enhancement. NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to help protect credentials. 
  • Virtualization-based security enhancement. NTLM-derived credentials, Kerberos-derived credentials, and other secrets run in a protected environment that is isolated from the running operating system.
  • Better protection against advanced persistent threats. Although Windows Defender Credential Guard provides powerful mitigation, persistent threat attacks will likely shift to new attack techniques, so you should also incorporate Windows Defender Device Guard and other security strategies and architectures.   

Security Center Recommendations

Azure Security Center helps you prevent, detect, and respond to threat with increased visibility into and control over the security of your Azure resources. When Security Center helps safeguard your VMs, the following capabilities are available:
  • OS security settings with the recommended configuration rules
  • System security updates and critical updates that are missing
  • Endpoint protection recommendations
  • Disk encryption validation
  • Vulnerability assessment and remediation
  • Threat detection

Securing Azure Workloads with CIS Benchmark 

Microsoft's cybersecurity group in conjunction with the Center for Internet Security (CIS) has developed best practices to help establish baselines for the Azure platform. A security baseline is a set of basic security objectives which must be met by any given service or system and establishes what you need to do, not how to do it. 
The CIS Microsoft Azure Foundations Security Benchmark guide provides prescriptive guidance for establishing a secure baseline configuration for Azure. It was also tested against the listed Azure services as of March 2018 and the scope of this benchmark is to establish the foundational level of security for anyone adopting Azure.






Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more