Disk Encryption

 

Azure disk encryption for Windows VMs

Azure Disk Encryption helps you to protect and safeguard your data to meet your organizational security and compliance commitments while using the Bitlocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), also it is  integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

If you use Azure Security Center, you will be alerted about the non-encrypted VMs as High Severity with a recommendation to encrypt them.

Supported VMs and Operating Systems

Supported VMs

Windows VMs are available in a range of various sizes. Azure Disk Encryption is not available on Basic, A-series VMs, or on virtual machines with less than 2GB of memory, Generation 2 VMs, and Lsv2-series VMs. However, it is available for VMs with premium storage.

Supported operating systems

  • Windows client- Windows 8 and later.
  • Windows Server- Windows Server 2008 R2 and later.  

Networking requirements

To enable Azure Disk Encryption, the VMs must meet the following network endpoint configuration requirements:
  • To get a token to connect to your key vault, the Windows VM must be able to connect to an Azure Active Directory endpoint, [login.microsoftonline.com].
  • To write the encryption keys to your key vault, the Windows VM must be able to connect to the key vault endpoint. 
  • The Windows VM must be able to connect to an Azure storage endpoint that hosts the Azure extension repository and an Azure storage account that hosts the VHD files.
  • If your security policy limits access from Azure VMs to the Internet, then you can resolve the preceding URI and configure a specific rule to allow outbound connectivity to the IPs.

Group Policy requirements

Azure Disk Encryption uses the BitLocker external key protector for Windows VMs. Its policy on domain joined virtual machines with custom group policy must include the following setting:
Configure user storage of BitLocker recovery information⟶ Allow 256-bit recovery key. 
Azure Disk Encryption will fail if custom group policy settings for BitLocker are incompatible or if domain level group policy blocks the AES-CBC algorithm, which is used by BitLocker.

Encryption key storage requirements

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys as well as secrets. Your key vault and VMs must reside in the same Azure region and subscription.

Azure Disk Encryption for Linux VMs

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure VMs, and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

Supported VMs and Operating Systems

Supported VMs
Linux VMs are available in a range of sizes and once the OS disk encryption process is complete on Linux virtual machines, the VM can be configured to run with less memory. Azure Disk Encryption requires the dm-crypt and vfat modules to be present on the system while removing or disabling vfat from the default image will prevent the system from reading the key volume and obtaining the key needed to unlock the disks on subsequent reboots. System hardening steps that remove the vfat module from the system are not compatible with Azure Disk Encryption.

Windows Defender Credential Guard 

By enabling Windows Defender Credential Guard, you get the following features and solutions:
  • Hardware security enhancement. NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to help protect credentials. 
  • Virtualization-based security enhancement. NTLM-derived credentials, Kerberos-derived credentials, and other secrets run in a protected environment that is isolated from the running operating system.
  • Better protection against advanced persistent threats. Although Windows Defender Credential Guard provides powerful mitigation, persistent threat attacks will likely shift to new attack techniques, so you should also incorporate Windows Defender Device Guard and other security strategies and architectures.   

Security Center Recommendations

Azure Security Center helps you prevent, detect, and respond to threat with increased visibility into and control over the security of your Azure resources. When Security Center helps safeguard your VMs, the following capabilities are available:
  • OS security settings with the recommended configuration rules
  • System security updates and critical updates that are missing
  • Endpoint protection recommendations
  • Disk encryption validation
  • Vulnerability assessment and remediation
  • Threat detection

Securing Azure Workloads with CIS Benchmark 

Microsoft's cybersecurity group in conjunction with the Center for Internet Security (CIS) has developed best practices to help establish baselines for the Azure platform. A security baseline is a set of basic security objectives which must be met by any given service or system and establishes what you need to do, not how to do it. 
The CIS Microsoft Azure Foundations Security Benchmark guide provides prescriptive guidance for establishing a secure baseline configuration for Azure. It was also tested against the listed Azure services as of March 2018 and the scope of this benchmark is to establish the foundational level of security for anyone adopting Azure.






Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)