Microsoft recently announced the availability of the Azure Security Center which is designed to provide a single place to view your security stance for resources deployed to Azure.

In this post I’m going to walk you through what’s initially available and see how it can start helping you today.

Who ever said “no” to something that’s free?

The core features (today) are free. Yes – free. This isn’t just preview pricing either. During preview even the Standard Tier is free until early 2016.

The free tier will give you the ability to understand your VM and networking security stance for zero dollars down and I can’t think of a single scenario where you wouldn’t use it.

The rest of this blog will cover the free tier only.

What can you do today?

Right now the Security Center is primarily aimed at the components of Azure that provide Infrastructure-as-a-Service (IaaS) features such Virtual Machines, Virtual Networks with some limited support for Azure SQL Databases as well.

Arguably, IaaS components such as VMs are also the ones that you can most easily misconfigure such that you create a security hole in your environment. Many of the other Azure services are secure by design and make it very hard to leave yourself exposed (you’ll notice I didn’t say impossible).

In order to use the Security Center you must first enable it for your Subscription (simply selecting “Security Center” in the Azure Portal will prompt you to do this) and once enabled you must set up a Policy.

A Policy determines what the Security Center will monitor, and can include any of the following:

  • Virtual Machines
  • Networking
    • ACLs on open endpoints for “classic” VMs
    • Network Security Groups are configured. Inbound rules are analysed
    • Inbound port 80/443 is protected with a WAF
  • Azure SQL Database
    • Auditing is enabled at Server/Database level
    • Encryption is enabled at Database level.

Remediating VMs

If your scan highlights issues with VMs you can remediate these issues from right in the Security Center. Let’s take a look at fixing missing antimalware.

Firstly we click on the Virtual machines resource health entry.

Lot's of issues!

Which opens the Virtual machines view. Here I only have one VM, but you could image a fleet of VMs here in various states.

At this point I can click on a particular status (such as missing Antimalware).

All Virtual Machine Statuses

Which gives me the option to remediate the problem. In our scenario it is installing Antimalware. Note that I can select one or more VMs to remediate in a single action if I wish.

Install Antimalware

I even get a choice of Antimalware software…

Select your Antimalware

Now I configure the Antimalware the way I need to be when installed.

Configure Antimalware

When I switch back to the VM details blade I can see that the extension is being deployed.

Install Status

Now it’s installed I’m just waiting for the outputs from the antimalware scan.

Missing Scan Data

Eventually when the scan takes place this option will turn Green (hopefully I don’t have any malware on my VMs!)

While I was doing the above, the Windows Server also installed a round of Windows Updates and rebooted, which resulted in the health status of its updates changing from High to Low.

Missing Updates

I can see at a glance that I still have 13 pending updates to deploy though none are critical as the Severity is ranked as ‘Low’. I can drill into this further and look at the actual pending set of updates and open the details of each individual update and decide if I really need to deploy it or not.

Note: you can also monitor Linux machines, though you don’t get the same deep metrics around updates and AV as you do with Windows.

Remediating Networks

As well as VMs we can also manage VNets deployed (both on the v1 “classic” platform and the new v2 “ARM” platform).

Drilling into our network stance we can immediately see some things that might need attention.

Network Status

We can see a recommendation here about what needs fixing.

NIC Status

Drilling in once more exposes the NSGs applying here and a clear description of why this configuration is sub-optimal.

NSG Rules

I will add source address restrictions to these endpoints and when re-scanned by the Security Center this issue will no longer show. I could, of couse, dismiss this issue if I was aware of it and happy to accept (a public application is likely to have to accept inbound traffic from any host).

Source Address

Remediating Azure SQL Databases

The final service we can manage today is the Azure SQL Database PaaS offering. The new v12 SQL Database engine has introduced new features such as encryption which is top of many enterprise’s data security list.

At a glance we can see which databases (and servers) we should be looking more closely at.

SQL Database Warnings

For this post I’m looking only at the auditing capabilities which, when set at the server, are inherited by hosted databases. This feature is available for the classic v11 (or v2) engine and the new v12 engine too.

Enable Auditing

I can open the server and see further details about any recommendations and when I click on the recommendation I can remediate it by performing an action – in this case I can configure auditing for this Azure SQL Database instance.

Auditing Settings

After I’ve applied the new settings and a short period of time has passed (to allow the Security Center analytics process to run) I can now see how my security stance has changed.

SQL Remediated

I could further increase my security by switching on Transparent Data Ecnryption (TDE). As with the other recommendations I could choose to suppress this warning because I may not need encryption. If I do change my mind at a later time I can always come back and switch it on (and unmute the warning).

Summary

The Azure Security Center is so new it still has that “new car smell” about it and it is also early days for the coverage that it offers for the multitude of Azure service offerings. Over time hopefully the services covered will expand and we’ll have an even better way to protect ourselves.

As I said at the start of this post – given the free service tier provides good value, I can’t see why you wouldn’t be using it.

Happy days!

Category:
Azure Infrastructure, Cloud Infrastructure, Security
Tags:
, , ,

Join the conversation! 5 Comments

  1. I setup azure security center in my subscription-“it is showing vm agent is missing”for all server.I am sure vm agent is installed on each server when we installed.we have initialized “data collection”-ASC is still detecting only one server out of 100 running vm

    Fyi-We are using expressrout premimum and using force tunneling to move internet traffic to datacenter.Is there any limitation in ASC.Please help

    Reply
    • Hi Rahul. This is message relates to the security center monitoring agent which is different to the VM Agent you would have deployed. Depending on the number of servers you have it will take some time to deploy the security center agent out to all VMs and to then start to collect metrics from it.

      Reply
  2. Hi,
    I want to assign view permissions to one user on Security Center. Please let me know on what resource the permissions has to be assigned.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: