SecureSky 2023 Mid-Year Azure Compliance Trends
Jun 22, 2023
Topic Summary
This blog discusses security configurations in Microsoft Azure, based on findings collected by SecureSky's multi-Cloud Threat Exposure Management (CTEM) Platform in 2022-2023. Clients across all verticals with hybrid cloud environments ranging from recent migrations to mature and complex environments are represented.
Our Platform evaluated our clients' security configurations against industry best practices, published benchmarks, and regulatory mandates to establish a baseline before initiating our hardening activities. SecureSky recognizes that many clients engage with us specifically to improve their security posture, so our initial findings could be skewed lower than the total Azure population. However, most of our results indicate that settings do not deviate from "out of the box" defaults and that they align with Microsoft's Secure Score averages across Microsoft's client base.
Whether your cloud environment is at an early or later stage of maturity, we believe these findings can offer insight to gap areas for all administrators.
We continue to see modest year-over-year improvements across all industries, with the total average for adherence to best practices being 45% in 2022, up from 37% in 2021. However, as you can see below, all verticals still fall short of security best practices, with some sectors falling significantly below the average. As noted above, our findings align with Microsoft Secure Score averages published by Microsoft, meaning most deployments are woefully lacking in a secure configuration.
Key Findings Snapshot - 2022
Visibility
- Cloud visibility has doubled since 2021 (17% to 38.5%), still leaving a 61% coverage gap
- Only 10% of serverless resources have granular logging and protection policies enabled
Identity Management
- 77% of accounts use weak authentication (SMS)
- Fewer than 11% of accounts use phishing-resistant MFA
Privileged Management
- 30% of accounts are over-privileged
- Under 20% of privileged accounts are using Just-in-Time access
Microsoft XDR
- 95% of clients are considering consolidating to Microsoft's XDR to reduce cost
- Less than 50% of the Microsoft XDR capabilities are utilized
Cloud Resources
- 62% of VMs don't follow best practices configurations
- 90% of authentication keys are exposed
- 70% of companies do not manage application connections and privileges
Trends Summary
In 2022 and the first half of 2023, SecureSky observed organizations responding to the increasing volume of cyber attacks, new government mandates, and strict and prescriptive insurance requirements to use modern protocols and more robust authentication methods. With that in mind, in this blog SecureSky has identified trends within higher-level security categories rather than individual checks or findings. Normalizing our results enables us to define comparable data and align each set with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). These higher-level categories are:
- User and API Access / Identity and Entitlements
- Data Storage and Access Controls
- Application Configuration
- OS / Containers
- Network Security
We also categorized recommendations by the NIST CSF functions (Identify, Protect, Detect, Respond, and Recover).
Deeper Dive
In analyzing security program pillars across all elements of the cloud stack ("shared responsibility" model), SecureSky garnered additional critical insights, including:
- With the increasing volume of attacks targeting cloud environments and new compliance and security mandates, we have seen significant improvement in logging and monitoring of traditional cloud components such as VMs, networks, authentication, and security products, which has increased 2x since last year.
Unfortunately, monitoring of serverless resources, automation, configuration drift, and validation of native controls is rarely enabled or validated. For example, while many clients' legacy firewalls and traditional endpoints provided adequate logging as they moved to the cloud, most companies are not leveraging cloud-native auditing, detection, and automation capabilities to provide visibility into and protection from lateral movement, keys/secrets and privileged access, or SaaS activity.
- Also, secure application configuration has increased from 13% in 2021 to 48% in 2022/23. Phishing and credential theft have forced this focus on securing SaaS and workload-hosted applications such as M365, Salesforce, ServiceNow, and forklifted applications, also supported by a 15% improvement in secure configuration of Cloud VM and Network infrastructure.
- In 2021 and 2022, we also saw organizations focus on replacing and restricting legacy protocols and enforcing MFA across the organization as SaaS applications expanded and remote workers became the "norm."
- Although all organizations in SecureSky’s group have used Conditional Access Policies (CAP) to simplify MFA enforcement to reduce access risk, 79% of organizations have failed to follow best practices of account management and enforcing strong authentication, causing exposures that can allow successful account takeover. Today's modern IT environments need to embrace a continuous threat and exposure management approach that includes run-time visibility and validation of controls.
The examples below illustrate common issues observed throughout 2022/23 of weak account management, authentication, and misalignment with cloud security best practices.
[caption] 79% of organizations failed in basic account management, and enforcement of strong authentication led to compromises.
[caption] 15% adoption of strong authentication and access control exposes organizations.
Although improved from last year, hardened security configuration management across each element of the cloud stack, commonly called the "shared responsibility" model by many cloud service providers, is still insufficient, as illustrated below.
Note in the graphic below that the inherent "risk" a cloud service customer assumes from the provider grows as you travel up the stack, with the customer assuming all the risk for security controls at the User & API Access, Identity and Entitlement, Data Storage and Access Controls, and Application Configuration levels. Although there has been a 16% improvement since last year, it is both surprising and highly concerning that the average percentages of sufficiently hardened security configurations across customer-responsible categories still hover around 50%.
[caption] 2022-23
We also evaluated the NIST categories (functions) as they align with our assessment findings:
Identify and Protect
Client Protected Controls have increased from last year (34% in 2021 to 55% in 2022/23), showing only modest progress given the challenge of keeping up with cloud changes, security improvements, and evolving attack vectors.
Detect and Respond
As mentioned above, there was a significant increase in general activity logging, from 17% to 38.5%, but visibility into modern cloud infrastructure fell short at only 9.8%, due to the continued complexity and challenge of monitoring and interpreting modern cloud environments. To address the visibility gap, organizations have increased their use of Microsoft native controls and the Defender product suite; unfortunately, only one-half (50.2%) of the products' features were aligned with security best practices.
Microsoft Security Solutions
In the past several years, Microsoft has developed into a significant security player, with the substantial magnitude of their email, productivity tools, Windows operating system, Azure, and dozens of security acquisitions that have strengthened their integrated security solution. Combining Microsoft's software capabilities with their global threat insight, collecting and analyzing trillions of security signals and protecting billions of systems daily, they have become a leader across multiple security categories. Many may believe this happened "overnight," but they have been building the foundation and tools for a decade. As part of this intense focus, Microsoft Security has evolved: like all companies in these changing times, they have made numerous revisions to branding, product categories, product names, and licensing options, and they are quickly consolidating a fragmented and acronym-rich market into one product line.
While these multiple gyrations to naming conventions might be confusing, nothing should deter buyers from recognizing the powerful capabilities of Microsoft Security and the advantages gained from tightly integrating identity, device, and multi-cloud (IaaS and SaaS) security controls and threat detection.
Microsoft's current XDR/Defender services suite includes Microsoft XDR, Azure AD, and Microsoft Sentinel, as shown below.
Below illustrates the deployment summary of the Microsoft XDR suite configuration compared to the security best practices settings.
Learn more about The Modern Enterprise-Level Security Stack in our free eBook (securesky.com). For more information on the Microsoft Security Suite, check out our blog to dive into the various Microsoft Defender technologies.
[caption] Only 58.2% of the Installed Defender is configured according to security best practices.
Conclusion
SecureSky is starting to see a positive shift in organizations' hardening of their cloud infrastructure, driven primarily by insurance, compliance, and government mandates. Security teams want to deploy new security products and features, but rapid changes in cloud environments and limited resources challenge staff and create exposures.
Unfortunately, while there have been granular improvements in this area, these broad/flawed policies and incomplete deployments leave clients' cloud environments at high risk.
SecureSky continues to see significant gaps in Activity Monitoring, Detection and Response, and configurations across all elements of the cloud stack ("shared responsibility" illustration), representing a high risk. The largest gaps identified in the environments were in identity and access management, key management, application logging, and security product configuration, representing the greatest opportunity for organizations to improve their cloud security posture.
Recommendations
Throughout this blog, we have stressed the importance of proper configuration and visibility as part of your tactical roadmap. With the dynamic nature of cloud environments, we also stress the importance of continuous assessments to ensure the ongoing validation of security-hardened configurations.
For more strategic recommendations, see our eBook, The Modern Enterprise-Level Security Stack, which includes the following recommendations that apply to securing all cloud environments:
- Understand the capabilities and roadmaps of security tools and audit settings available from your cloud provider(s) compared with your current security technology stack. In cloud migration planning and deployments, incorporate security measures in your strategies. Base your future-state objectives on proven and peer-reviewed configuration standards like Center for Internet Security (CIS) benchmarks.
- Review your existing cloud licensing to find redundant functionality you may be paying for twice. This redundancy may be between your legacy security technology stack and cloud-native functionality included with your current licenses. Determine if the tools available provide adequate cloud coverage to assess risk or security control status in real-time and offer automation capabilities for security posture management enforcement and threat response.
- Develop, deploy, validate, and improve your modern security architecture, extending your zero-trust model to include cloud resources, and invest in training and optimizing security controls to detect, investigate and respond to threats using new automated techniques. Roadmap continuous improvement into your control schema, for example moving from weak to stronger MFA methodologies.
- Reference Link: https://blog.securesky.com/zero-trust-maturity-model-ztmm-2.0-a-transition-to-zta
- Extend your enterprise risk program to include data flows and other risk factors associated with each cloud environment, for example, authentication policies, access controls, file sharing, guest users, and application connections. Expand your exposure management practices to include Cloud Security Posture Management (CSPM), SaaS Security Posture Management (SSPM), and, most importantly, control and policy validation. In terms of continuous control validation, ensure your controls are not only in place but also effective, for example measuring how often users are asked to MFA based on their privileges and blast radius.
- Train corporate leaders and Board members on their upcoming regulatory and compliance requirements related to enterprise and cloud security. As discussed throughout this paper, major IaaS and SaaS providers are or will soon be more secure than on-premises solutions because they tightly integrate operational and security tools, automate functions that were once almost exclusively manual, and collect and apply massive amounts of threat intelligence. The caveat to this, of course, is the ability of IT and security practitioners to take advantage of these capabilities.
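The two control-validation checks the post calls for (whether Conditional Access actually prompts privileged accounts for MFA on every sign-in, and how many accounts still rely on weak or non-phishing-resistant methods) can be scripted against exported sign-in and registration data. This is an added example, not SecureSky's platform code; the records are constructed, and it assumes your export keeps the Microsoft Graph field names shown.

```python
from collections import defaultdict
# Constructed sample records, not real tenant data. Field names follow the Microsoft
# Graph signIn and userRegistrationDetails resources; that your export keeps them is an assumption.
SIGN_INS = [
    {"userPrincipalName": "ga-admin@example.com", "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "ga-admin@example.com", "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "sec-admin@example.com", "authenticationRequirement": "multiFactorAuthentication"},
]
REGISTRATIONS = {
    "ga-admin@example.com": ["mobilePhone", "microsoftAuthenticatorPush"],
    "sec-admin@example.com": ["fido2SecurityKey", "microsoftAuthenticatorPush"],
    "svc-owner@example.com": ["mobilePhone", "email"],
}
PRIVILEGED = {"ga-admin@example.com", "sec-admin@example.com", "svc-owner@example.com"}
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness"}
WEAK = {"mobilePhone", "alternateMobilePhone", "officePhone", "email", "securityQuestion"}

def method_class(methods):
    """Rate an account by the strongest MFA method it has registered."""
    registered = set(methods)
    if registered & PHISHING_RESISTANT:
        return "phishing-resistant"
    if registered - WEAK:
        return "strong"  # e.g. authenticator push or TOTP: better, but still phishable
    return "weak"        # only SMS, voice, email or security questions

def mfa_prompt_rate(sign_ins):
    """Per account, the fraction of sign-ins where MFA was actually required."""
    seen, required = defaultdict(int), defaultdict(int)
    for s in sign_ins:
        seen[s["userPrincipalName"]] += 1
        if s["authenticationRequirement"] == "multiFactorAuthentication":
            required[s["userPrincipalName"]] += 1
    return {upn: required[upn] / seen[upn] for upn in seen}

def privileged_gaps(sign_ins, registrations, privileged):
    """Privileged accounts not prompted for MFA on every sign-in, or whose best method is weak."""
    rates, gaps = mfa_prompt_rate(sign_ins), {}
    for upn in sorted(privileged):
        rate, cls = rates.get(upn), method_class(registrations.get(upn, []))
        if (rate is not None and rate < 1.0) or cls == "weak":
            gaps[upn] = {"mfa_rate": rate, "method_class": cls}
    return gaps

def fleet_summary(registrations):
    """Percentage of accounts per class, the metric reported in the key findings above."""
    counts = defaultdict(int)
    for methods in registrations.values():
        counts[method_class(methods)] += 1
    return {cls: round(100 * n / len(registrations), 1) for cls, n in counts.items()}
```

Run on a real export, a privileged account with an MFA rate below 1.0 is a Conditional Access gap to investigate, and the fleet summary shows how far the tenant is from phishing-resistant coverage.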
Appendix
User and API Access / Identity and Entitlements
This category covers users, user permissions, Azure Active Directory settings, groups and roles, Multi-Factor Authentication settings, and guest users and their permissions, among other settings assessed. Identity and Access Management (IAM), the controls that ensure approved individuals can access specific resources at certain times, is a subcategory of this category.
Data Storage and Access Controls (including Key Management)
This category compares SQL Server, PostgreSQL, and MySQL settings against industry best practices, covering encryption settings for databases, firewall rules, network access, Azure Key Vault, Kubernetes, resource locks, and security-related settings within the Microsoft Azure Storage Account service.
Application Configuration
This category covers security-related settings within the Microsoft Azure App Service, including programming language version support, remote file transfer configuration, and application secrets storage settings.
OS / Containers
Settings within this category pertain to virtual machine disk encryption settings, patching and updates, virtual machine extension provisioning, and general virtual machine security settings.
Network Security
This category looks at Network Security Group rules for misconfigurations, default rule settings, and remote protocol-specific configuration settings.
Protective Controls
Settings within this category look at whether an organization subscribes to the extra security settings available as part of the standard tier and whether it takes full advantage of the various settings within this area of Microsoft Azure. This includes Microsoft products (Defender for Cloud, Microsoft Defender for Endpoint, Defender for Storage, etc.), third-party products, and cloud-native security policy and control settings.
Activity Monitoring, Detection, and Response
Diagnostic and Activity log settings are the primary focus of this category, including where logs are stored and the configuration of those storage mechanisms. As the category name indicates, it also includes Detection and Response enablement.
In future postings, this blog will be discussing more mid-year cybersecurity compliance trends based on our findings along with recommendations on how to comply with best practices in 2023. If you would like more information about SecureSky and our proactive managed security services, please do not hesitate to reach out to our experts at https://securesky.com/contact-us/.
SecureSky's core assessment does not include an evaluation of patch management of workloads. However, we see confusion in interpreting the "shared responsibility" model related to patching and inconsistency between cloud and on-premises environments.