Azure secure score best practices

Transcript

1. azure secure score best practices Ø Azure Secure Score helps

   organizations assess their overall security posture and identify areas for improvement or exemption. Ø Some best practices for using Azure Secure Score include:

2. Best Practices Azure Secure Score ü 1+ Global Administrator Accounts

   (One used as a backup) Ø There is currently one Global Admin, but another should be created/assigned as a backup option. ü Risk Policies (User-Risk, Sign-in Risk) Ø Blocks and notifies administrators when A User or Sign-in Attempt is considered risky or unusual Ø Examples include impossible travel, compromised credentials, number of attempts, etc. . ü Block Legacy Authentication Ø Prevents password spray, and other password cracking techniques. Ø Applied by Conditional Access Policy for all cloud apps and Tenant. ü Require MFA for Admin Accounts and PIM Roles Ø Additional MFA required for checking out PIM roles. Ø Adds another layer of protection to Privileged roles and helps prevent privilege escalation.

3. Best Practices Azure Secure Score ü Implement Named Locations and

   Trusted Networks Ø Improves your ability to assign Conditional Access Policies to users and Cloud apps Ø Improves network segmentation and Firewall/NSG scalability. Ø Identifies safe networks and subnets ---- Ranges, IPs, or Subnets. ü Plan and assign PIM Roles and Reviews: Ø Roles should be applied to only certain users, with a manager or Administrator to approve/deny the requests. Ø Approvers/Assignees should be chosen and trained on how to check out/request PIM roles when needed. ü Implement and Create Alert Rules Ø Groups of managers or administrators who should be notified of any security alerts. These will be the first responders of potential threats and breaches. Ø Needs to be leveraged using Log Analytics Workspaces in Azure. ü Leverage Azure Key Vault Ø Store application keys and certificates in Key Vault and use Managed Identities to access the information.

4. Role Based Access Best Practices Azure Secure Score 87% Azure

   AD/D365/Exchange Roles: ü Admin Roles and Assignments should be mapped out and given access ONLY when needed. ü Reader Roles to be applied to users who only need to view or export information. ü Access Reviews and Approvals should be implemented for Roles with the most privilege. ü Access Reviews should be done monthly or 60 days at the latest. ü Limit eDiscovery Access and Queries to only authorized administrators or no one (eDiscovery Management Administrator + Compliance Administrator)

5. Secure score best practices Azure Key Vault What is Azure

   Key Vault? Azure Key Vault is a centralized vault that stores your application secrets. Key Vault helps you control your applications' secrets by keeping them in a central location and by providing secure access, permissions control, and logging capabilities. It's useful for the following scenarios: ü Secrets Management. Ø You can use Key Vault to securely store tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets. ü Key Management. Ø You can also use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data. ü Certificate Management. Ø Key Vault lets you create, manage, and deploy public & private (SSL/ TLS) certificates for Azure, and connected, resources more easily. Ø It also stores secrets backed by hardware security modules (HSMs).