This post wraps up my session at TechEd Sydney 2014: DCI315 Azure VM Security and Compliance Management with Configuration Manager and SCM.
In this blog post series we will dispel some of the myths and dive into Azure VM security.
With the Azure AU Geo launched at TechEd Sydney 2014, Azure now has 19 Regions. More and more enterprises are migrating their workloads into Azure. Most of our clients have the same question – How do we manage security and compliance on Azure VMs?
Security for our Azure VMs is a shared responsibility between Microsoft and us. The next question is – Who's responsible for what?
The diagram below is the Shared Responsibility Model diagram, which I borrowed from Lori Woehler.
We will focus on the IaaS column of the diagram above. Clearly, we are responsible for looking after the O/S layer and above. In summary, our responsibilities as an IaaS customer are as follows:
- Application Security
- Access Control and Data Protection
- Vulnerability Scanning, Penetration Testing
- Logging, Monitoring, Incident Response
- Protection, Patching and Hardening
There is no silver bullet to protect our Azure VMs. A proactive approach has to be taken to secure our Azure environment. This blog post will focus on Protection, Patching and Hardening of our Azure VMs. Let's jump to our first focus.
Protect Azure VM
In this post we will use two different techniques:
- Using Azure VM Security Extensions (out-of-the-box solution)
- Using System Center Endpoint Protection, which is our in-house AV solution
Azure VM Security Extensions
Details for Azure Security Extensions can be found here. We will use Microsoft Anti-Malware for this post, whose GA was recently announced. Microsoft Anti-Malware is built on the same anti-malware platform as MSE (Microsoft Security Essentials), Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune and Windows Defender.
We can deploy Microsoft Anti-Malware using the Portal, Azure PowerShell or Visual Studio.
We will use the PowerShell deployment technique for this post. The script below will help us deploy the Microsoft Anti-Malware Security Extension to an existing Azure VM.
The script below will check whether Microsoft Anti-Malware has been deployed to an Azure VM.
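An added example, not the original scripts from this post: one way to check for the Microsoft Antimalware extension on every Windows VM in a resource group and deploy it where it is missing, using the current Az PowerShell module (which postdates this post). The resource group name, the handler version 1.3 and the scan schedule are assumptions to adjust for your environment.

```powershell
# Added example: audit and remediate Microsoft Antimalware on existing Azure VMs.
# Assumes the Az.Compute module and an authenticated session (Connect-AzAccount).
$ResourceGroup = 'rg-example'                 # placeholder resource group name
$Publisher     = 'Microsoft.Azure.Security'
$ExtType       = 'IaaSAntimalware'

# Public settings (assumed values): real-time protection on, quick scan
# on day 7 (Saturday) at 120 minutes after midnight.
$SettingsJson = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": { "isEnabled": true, "scanType": "Quick", "day": 7, "time": 120 }
}
'@

function Get-AntimalwareState {
    # Returns 'Missing', 'Installed' or 'Unhealthy (<state>)' for one VM.
    param([string]$ResourceGroupName, [string]$VMName)
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.Publisher -eq $Publisher -and $_.ExtensionType -eq $ExtType }
    if (-not $ext) { return 'Missing' }
    if ($ext.ProvisioningState -ne 'Succeeded') {
        return "Unhealthy ($($ext.ProvisioningState))"
    }
    return 'Installed'
}

foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroup) {
    # The extension targets Windows guests only; skip everything else.
    if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') { continue }

    $state = Get-AntimalwareState -ResourceGroupName $ResourceGroup -VMName $vm.Name
    if ($state -eq 'Missing') {
        Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $vm.Name `
            -Location $vm.Location -Name $ExtType -Publisher $Publisher `
            -ExtensionType $ExtType -TypeHandlerVersion '1.3' `
            -SettingString $SettingsJson | Out-Null
        # Re-check so the report reflects the result of the deployment.
        $state = Get-AntimalwareState -ResourceGroupName $ResourceGroup -VMName $vm.Name
    }
    # One report row per VM; unhealthy extensions are reported, not redeployed.
    [pscustomobject]@{ VM = $vm.Name; Antimalware = $state }
}
```

A VM reported as Unhealthy has the extension present but not successfully provisioned, so it should be investigated on the guest rather than treated as protected.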
System Center Endpoint Protection
System Center Endpoint Protection is one of the security features of System Center Configuration Manager, known as SCCM or ConfigMgr. We will use ConfigMgr 2012 R2 in this post. ConfigMgr 2012 R2 is a powerful enterprise-grade tool to maintain configuration, compliance and data protection for users' computers, notebooks, servers and mobile devices, whether they are corporate-connected or cloud-based.
We will focus on the Endpoint Protection solution for our Azure VMs. Four things need to be noted:
- The Endpoint Protection site system role needs to be configured as an Endpoint Protection point
- Create an Antimalware Policy and configure it
- Configure Client Device Settings and select Endpoint Protection
- Deploy the ConfigMgr Agent with the Endpoint Protection Agent and deploy the Client Device Settings
And with that, we have deployed anti-malware to our Azure VM.
Now, what are the major benefits of using ConfigMgr – Endpoint Protection instead of the Microsoft Antimalware VM Security Extension?
In the next post we will focus on Patch and Compliance Management using ConfigMgr and SCM.