Azure Security Maturity Trends
Mar 30, 2022 | Industry Insight
This blog presents security-related Microsoft Azure assessment findings collected by SecureSky in 2021 from our clients across all verticals, ranging from partial cloud migrations to complex cloud-native processing environments.
In our cloud security assessment and remediation support practice, we evaluated our clients’ Azure tenant security configurations against industry best practices and published benchmarks to establish a baseline before performing our hardening activities. SecureSky understands that the reason many clients engage with us is to assist them with improving their security posture, and thus our initial findings in all probability skew to the lower side of the total Azure population. In fact, a majority of our findings indicate that settings do not deviate from “out of the box” default settings.
Whether your Azure environment is at an early or later stage of maturity, we believe these findings can also offer insight for all administrators.
Key Findings Snapshot
- 13% of applications used best practice configurations
- 17% of environments had appropriate monitoring and response capabilities
- 30% of all industries comply with best practices
- 55% and 57% of security controls are established in cloud OS/Containers and Networks, respectively
- 55% have limited tenant-level access
In 2021, SecureSky observed subtle changes in Microsoft's enhanced security controls and functionality. With that in mind, in this blog, SecureSky has identified trends within higher-level security categories rather than individual checks or findings themselves. Normalizing our results enables us to define comparable data and align each data set with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). These higher-level categories are:
- User and API Access / Identity and Entitlements
- Data Storage and Access Controls
- Application Configuration
- OS / Containers
- Network Security
Also evaluated across these categories were two Cloud Security Posture Management measurements:
- Protective Controls Configurations
- Activity Monitoring, Detection, and Response
Descriptions of these categories are provided in the Appendix below.
Throughout 2021, the biggest improvement in maturity was discovered within the User and API Access / Identity and Entitlements category and Azure Active Directory, with user access control driving most of the improvements. Additionally, most organizations have leveraged Conditional Access Policies to simplify MFA deployment and reduce user access risk.
By far the largest opportunity for improvement in Microsoft Azure is in Activity Monitoring, Detection and Response configuration settings (12% compliant), followed closely by Data Storage and Access Controls security settings (25% compliant), including the use of Key Vault. Given the widespread adoption of modern application architectures, the lack of maturity in these areas should garner the most attention from a risk management perspective.
The lack of hardened security configuration management by each element of the cloud stack, commonly called the "shared responsibility" model by many cloud service providers, is illustrated below.
Note in the graphic below that the inherent "risk" a cloud service customer assumes from the provider grows as you travel up the stack, with the customer assuming all the risk for security controls at the User & API Access, Identity and Entitlement, Data Storage and Access Controls, and Application Configuration levels. Given this risk responsibility, it is both surprising and extremely concerning that the percentages of sufficiently hardened security configurations in these categories range from a low of 13% to a high of only 47%.
As described above, two measurements were evaluated across all levels, both resulting in troubling conclusions. Overall, across SecureSky clients prior to our working with them to harden their environments and deploy Managed Detection and Response services, only 34% of Protective Controls were deployed, and a mere 17% of configurations to enable adequate visibility and threat detection were in place.
Comparing Microsoft Azure to Microsoft 365 Security Posture
This Azure security analysis is similar to SecureSky's compilation of security configuration findings for our clients' Microsoft/Office 365 environments (https://blog.securesky.com/2021_security-control-trending), which likewise found areas of maturation in security practices as well as many areas of inadequate hardening. Interestingly, in overlapping categories, results are very comparable, for example:
- User and API Access / Identity and Entitlements - results between Microsoft/Office 365 and Azure show that only approximately half of security controls comply in each case.
- Application plug-ins in Microsoft/Office 365 and Application Configuration in Azure - again, comparing application connections and ongoing application security, both studies indicate a low percentage of controls enabled, which is very concerning considering the rapidly expanding attack vectors at the application connection level.
- Activity Monitoring, Detection and Response - as with the Azure findings described above, SecureSky found a low percentage of organizations have the proper configuration of activity log settings for Microsoft/Office 365. Visibility and response automation are critical to properly detecting and responding to threats and are a rudimentary element of an enterprise security program.
In analyzing security program pillars across all elements of the cloud stack ("shared responsibility" model), SecureSky garnered additional critical insights, including:
Data Storage and Access Controls - Encryption and Key Vault Application Service Settings
When analyzing data storage and access controls, a cloud customer responsibility and an obviously high-risk area, SecureSky found approximately 50% of companies reviewed attempted to follow encryption best practices. However, most showed at least some enablement gaps. Most concerning were severe weaknesses in Key Vault management techniques (16% compliant - deployed but not utilized) in securing applications and data storage.
User and API Access / Identity and Entitlements - Identity and Access Management (IAM)
Identity and Access Management (IAM) settings saw the most significant growth in maturity over the past year. With identity as the new "perimeter," the plethora of information surrounding credential theft leading to Account Take Over (ATO), privilege elevation, and lateral movement has rightfully focused security efforts on IAM.
This maturing confirms that efforts to simplify and enable flexible MFA deployment, with Conditional Access Policies and Just-in-Time privileges, have helped companies adopt modern authentication and reduce legacy protocols to minimize risk.
While widespread adoption of Conditional Access Policies has helped simplify MFA, SecureSky has also found that a lack of policy validation continues to leave companies exposed. Additionally, attackers focus on these flaws in MFA deployments, as well as on the MFA product or vendor itself, as in the recent Duo and Okta security issues.
Finally, although companies are improving monitoring for certain authentications, we see a lack of focus on service accounts (internal and vendors), guest user access, and most importantly, application connections, creating unnecessary risk while attacks against these vectors continue to increase.
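As an added illustration of the policy validation gap described above (example code written for this post, not SecureSky's assessment tooling): a check that flags the common weaknesses in a Conditional Access policy exported from Microsoft Graph, such as report-only state, broad exclusions, partial app coverage and uncovered legacy clients. The policy JSON is constructed, and the exclusion threshold is an assumed value.

```python
import json

# Constructed sample: one policy in the shape Microsoft Graph returns from
# /identity/conditionalAccess/policies. Names and values are made up.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "Require MFA for all users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeUsers": ["All"], "excludeUsers": [],
              "excludeGroups": ["break-glass-admins", "contractors", "legacy-apps"]},
    "applications": {"includeApplications": ["Office365"]},
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
  },
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
}
""")

# Graph client app types that represent legacy (non-modern) authentication.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}


def validate_mfa_policy(policy, max_exclusions=1):
    """Return findings for a policy that is meant to enforce MFA tenant-wide.

    max_exclusions is an assumed threshold: one break-glass exclusion is
    normally tolerated, anything beyond that is flagged for review.
    """
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"policy state is '{policy.get('state')}', not enforced")
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        findings.append("policy does not target all users")
    excluded = len(users.get("excludeUsers", [])) + len(users.get("excludeGroups", []))
    if excluded > max_exclusions:
        findings.append(f"{excluded} user/group exclusions exceed limit of {max_exclusions}")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("policy does not cover all cloud apps")
    clients = set(cond.get("clientAppTypes", []))
    if "all" not in clients and not LEGACY_CLIENTS <= clients:
        findings.append("legacy authentication clients are not covered")
    grant = policy.get("grantControls") or {}
    # Either the built-in "mfa" control or an authentication strength is acceptable.
    if "mfa" not in grant.get("builtInControls", []) and not grant.get("authenticationStrength"):
        findings.append("grant control does not require MFA")
    return findings
```

Run over every policy in the export and treat any non-empty list as an assessment finding; the sample policy above produces four.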
Activity Monitoring, Detection, and Response
As voiced throughout this blog, the most opportunity for improvement is related to logging and monitoring settings. For example, SecureSky observed that while many clients' legacy firewalls and traditional endpoints provided adequate logging, most companies were not taking advantage of native cloud detection and auditing capabilities to get visibility into east-west traffic. In addition, auditing was especially poor in the modern application stack (10%), consisting of PaaS-based services and dynamic workloads.
SecureSky has seen a positive shift in organizations hardening their User and API Access / Identity and Entitlements settings while taking advantage of functionality that helps simplify deployment for Multi-Factor Authentication. More specifically, there has been a positive shift in organizations taking advantage of Conditional Access Policies. Unfortunately, while there have been noticeable maturity improvements in this area, these broad/flawed policies and incomplete deployments leave clients' cloud environments at high risk.
SecureSky continues to see significant gaps in Activity Monitoring, Detection and Response, and Data Storage and Access Controls across all elements of the cloud stack ("shared responsibility" illustration), representing a high risk. The most gaps identified in environments assessed were found in key management and application logging, representing the most opportunity for organizations to improve their cloud security posture.
Throughout this blog, we have stressed the importance of proper configuration and visibility as part of your tactical roadmap. With the dynamic nature of cloud environments, we should also stress the importance of continuous assessments to ensure the ongoing validation of security-hardened configurations.
For more strategic recommendations, see our eBook, The Modern Enterprise-Level Security Stack (https://securesky.com/resources/ebooks/), which includes the following recommendations applicable to securing all cloud environments:
- Understand the current capabilities and roadmaps of security tools and audit settings available from your cloud provider(s) of choice, compared with your current security technology stack. In cloud migration planning and deployments, incorporate security measures in your strategies.
- Review your existing cloud licensing to find redundant functionality you may be paying for twice. You may find this type of redundancy as part of your legacy security technology stack and cloud-native functionality that is included with your current licenses. Determine if the tools available to you provide adequate cloud coverage to assess risk or security control status real-time, as well as provide automation capabilities for security posture management enforcement and threat response.
- Fully deploy your modern security architecture, extend your zero-trust model to include cloud resources, and invest in training and optimize security controls to detect, investigate and respond to threats using new automated techniques.
- Extend and modify your enterprise risk program to include data flows and other risk factors associated with each cloud environment, for example authentication policies, access controls, file sharing, guest users, and application connections.
- Message corporate leaders on the current and future state of cloud security, and address the upcoming realities with those executives who voice such opinions as “the fox is watching the henhouse,” “we are putting all of our eggs in one basket,” or “the cloud will never be as secure as on-premise.” As discussed throughout this paper, major IaaS and SaaS providers will soon be much more secure than on-premise solutions because of their ability to tightly integrate operational and security tools, automate functions that were once almost exclusively manual, and collect and apply massive amounts of threat intelligence. The caveat to this, of course, is the ability of IT and security practitioners to take advantage of these capabilities to address their organization's shared responsibilities.
User and API Access / Identity and Entitlements
This category covers users, user permissions, Azure Active Directory settings, groups and roles, Multi-Factor Authentication settings, and guest users and their permissions, among other settings assessed. Identity and Access Management (IAM), the controls that ensure approved individuals can access specific resources at certain times, is a subcategory in this category.
Data Storage and Access Controls (including Key Management)
This category compares SQL Server, PostgreSQL, and MySQL settings against industry best practices, including encryption settings for databases, firewall rules, network access, Azure Key Vault, Kubernetes, resource locks, and security-related settings within the Microsoft Azure Storage Account service.
Application Configuration
This category covers security-related settings within the Microsoft Azure Application Service and includes everything from programming language version support and remote file transfer configuration to application secrets storage settings.
OS / Containers
Settings within this category pertain to virtual machine disk encryption settings, patching and updates, virtual machine extension provisioning, and general virtual machine security settings.
Network Security
This category looks at Network Security Group rules for misconfigurations, default rule settings, and remote protocol-specific configuration settings.
Protective Controls Configurations
Settings within this category look at whether an organization subscribes to the extra security settings available as part of the standard tier and whether an organization takes full advantage of the various settings within this area of Microsoft Azure. This also includes both Microsoft (Defender for Cloud Apps, Microsoft Defender for Endpoint, etc.) and third-party products, and cloud-native security policy and controls settings.
Activity Monitoring, Detection and Response
Diagnostic and activity log settings are the primary focus of this category, including where logs are stored and the configuration settings of those storage mechanisms. Also, as the category name indicates, it includes Detection and Response enablement.
SecureSky’s core assessment does not include evaluation of patch management of workloads, although we do see confusion in the interpretation of the “shared responsibility” model related to patching, as well as inconsistency between cloud and on-premises environments.