At Microsoft Ignite we're sharing the many new capabilities our teams have built to improve security with Azure Security Center and the Azure Platform. We have a long list of new innovations, and this blog provides our general direction and summarizes some of our favorite new features. For more information, you can read all the details in our Azure Security Center Community post.
Turn on the protection you need with Azure Security Center
Azure Security Center provides unified infrastructure security management that strengthens security posture and provides advanced threat protection across your workloads running in Azure, on-premises, and in other clouds. It enables continuous assessment of security posture, protects against cyberattacks using Microsoft’s vast threat intelligence, and helps implement security faster with integrated controls.
With Security Center, you can monitor the security of machines, networks, and Azure services using hundreds of built-in security assessments or create your own in a central dashboard.
Extending Azure Security Center’s coverage with a platform for community and partners
A constantly evolving threat landscape requires new approaches to protection, cloud security posture, enterprise-scale deployment, and automation. Through partnering with members of the Microsoft Intelligent Security Association, Microsoft is able to leverage a vast knowledge pool to defend against a world of increasing cybersecurity threats.
Leverage all of Security Center's capabilities against built-in and partner recommendations. Azure Security Center's simple onboarding flow connects existing solutions, including Check Point CloudGuard, CyberArk, and Tenable, enabling you to view all security posture recommendations in a single place. Run unified reports and export Security Center’s recommendations for connected partner products.
We invite users to contribute and help improve policies and configurations used in Security Center through the Azure Security Center community menu for additional scripts, content, and community resources.
Enhanced threat protection for cloud resources
Threat protection detects and prevents attacks across a wide variety of services, from infrastructure as a service (IaaS) layer to platform as a service (PaaS) resources in Azure, including Azure IoT and Azure App Service, and on-premises virtual machines.
Stream threat detection findings to Azure Sentinel for investigation, threat hunting, correlation with signals from other security solutions, and security operations center (SOC) level management.
The latest threat protection capabilities include:
- Threat protection and vulnerability assessment support for SQL Server hosted on an Azure Virtual Machine.
- Vulnerability assessment capabilities for VMs is part of our virtual machine protection offering (powered by Qualys) at no additional cost. Security Center collects the vulnerabilities and displays them as part of the secure score.
- Threat protection suite for containers focusing on Azure Kubernetes Service (AKS) includes scanning of container images for vulnerabilities, secure configuration of the AKS cluster, and threat detection on the Kubernetes runtime activities.
- Threat protection for Azure Key Vault is in preview in North America regions. This provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your encryption keys, certificates, and secrets in Azure Key Vault.
Threat protection for Azure Storage offers new detections powered by Microsoft Threat Intelligence for detecting malware uploads to Azure Storage using hash reputation analysis and suspicious access from an active Tor exit node (an anonymizing proxy.) You can now view detected malware across storage accounts using Azure Security Center.
Cloud security posture management enhancements
Misconfiguration is the most common cause of security breaches for cloud workloads. Security Center provides a bird’s eye security posture view across your Azure environment, enabling you to continuously monitor and improve your security posture using the Azure secure score. Security Center helps manage and enforce your security policies to identify and fix misconfigurations across different resources and maintain compliance.
Secure score simplified: Use the updated, percentage based secure score to get better visibility into the secure score controls and provide a more reliable method for calculating the score.
Address misconfigurations faster with new quick-fix capabilities.
Add custom assessments, created in Azure Policy, into the secure score and monitor their compliance state in Security Center.
Automatically assess compliance state against a new set of regulatory standards, including NIST SP 800-53 R4, SWIFT CSP CSCF v2020, Canada Federal PBMM, and UK Official together with UK NHS.
Misconfigurations are the leading source of attacks and improving your secure score can make a remarkable difference in your overall security posture.
Implement security faster with Azure Security Center
To enable large organizations to leverage Security Center’s findings in enterprise-scale, Azure Security Center continues to provide clear APIs, automation, and management capabilities that can help customers connect Security Center to workflows, processes, and tools used across the organization.
A new capability in Security Center enables the creation of rich workflows using Azure Logic Apps and policies trigger based on a recommendation or alert. Configure a logic app to perform a custom action supported by the vast community of Logic App connectors, or use one of the templates provided, including to send an email or open a service ticket.
Security from the ground up
In addition to Azure Security Center updates, we have several additional enhancements for Azure platform security. To empower you to do more, we are continuously enhancing the platform services to improve existing offerings and address your feedback.
Here are some of the exciting updates coming to the platform.
Extension of Customer Lockbox for Microsoft Azure beyond virtual machines
Customer Lockbox provides customers the capability to control Azure support engineers' access to workloads that contain customer data This expanded support now provides customers control over access to their data for a larger set of Azure offerings.
New services and scenarios, available in preview:
- Azure Storage
- Azure SQL Database
- Azure Data Explorer
- Memory dumps and managed disks for Azure Virtual Machines
- Transferring Azure subscriptions
Release of Microsoft Secure Code Analysis toolkit to help you build secure code
With the Microsoft Security Code Analysis extension, you can infuse security analysis tools including Credential Scanner, BinSkim, and others into your Azure DevOps continuous integration and delivery (CI/CD) pipelines. Increase developer productivity and simplify security through easily configurable build tasks that abstract away the complexities (installing, updating, maintaining, and running) from analysis tools without relinquishing control over them.
This product is now available via Unified Support. Customers can sign up using their existing credit or paying the service fee. To learn more please visit the Microsoft Secure Code Analysis documentation page.
Azure Disk Encryption in more places, and more services offering customer-managed keys
Azure Disk Encryption enables you to encrypt your Azure Virtual Machine disks with your keys safeguarded in Azure Key Vault. Previously this capability was available through PowerShell and CLI. We have now added this capability to the Azure portal, which makes it very easy to use. We have also added support for the latest versions of the common Linux distros on Azure, including Red Hat Enterprise Linux 7.6 and 7.7 as well as CentOS Linux 7.6 and 7.7.
The following services recently announced preview for customer-managed keys for encryption at rest.
- Azure Event Hubs
- Azure Managed Disks
- Power BI
For a full list of services offering encryption with customer-managed keys, see the Azure Data Encryption-at-Rest documentation page.
New Azure policies to manage certificates across your organization, currently in preview
Large organizations have thousands of certificates in key vaults distributed across thousands of applications and subscriptions. If you are responsible for security and compliance across the organization, you need a simple way to set rules across all these certificates, prove that those rules were followed, and flag violations. Azure policy helps with this. We have added new policies in preview for certificates in Azure Key Vault.
- Issuer Policy: Flag certificates that are (or are not) issued by a particular issuer.
- Key Type Policy: Flag certificates that are (or are not) protected by a RSA or ECC key pairs.
- Key Size Policy: Flag certificates that are (or are not protected) by a key of a certain size.
- Expiry Policy: Flag certificates that are (or are not) renewed within “X” number of days of their expiry date.
- Validity Lifespan Policy: Flag certificates that have (or do not have) Validity Lifespan that is less than, or more than, or equal to "X" number of years.
For more information see the documentation for Azure Key Vault governance policies.
Azure Key Vault Virtual Machine extension now generally available
The Azure Key Vault Virtual Machine extension makes it easier for apps running on virtual machines to use certificates from a key vault, by abstracting the common tasks as well as best practices—authenticate, handle common network errors, cache, periodically refresh the certificate from the key vault, and bind the certificate for Transport Layer Security (TLS).
Free Azure managed certificates for your domains on Azure
We want to make sure there are no reasons not to use TLS in your Azure applications. Azure now provides TLS certificates at no cost to you for your custom domains hosted on the following services. Azure renews these certificates automatically.
- Azure CDN managed certificates (generally available.)
- Azure Front Door managed certificates (generally available.)
- Azure App Service managed certificates for both web apps and functions (currently in preview.)
We will expand this to other Azure PaaS services in the future.
Note that this is just one of your options. If you have a need to use certificates from a different certificate authority (CA), then you have the option to configure these Azure services to use a certificate you manage in your key vault.
With these additions, Azure continues to provide a secure foundation and gives you built-in security tools and intelligent insights to help you rapidly improve your security posture in the cloud. Azure Security Center strengthens its role as the unified security management and advanced threat protection solution for your hybrid cloud.
For Azure app developers:
- Use the Microsoft Secure Code Analysis toolkit to inspect your code for security issues.
- Enable TLS for your Azure CDN, Front Door, and App Service (web app and function) resources.
- Evaluate the new Azure Virtual Machine extension for Azure Key Vault to simplify how your app uses certificates from Azure Key Vault (for Windows and Linux).
For users responsible for security across their organizations:
- Evaluate Azure Policy, including the new Key Vault policies, to ensure developers across your organization follow the rules you set for security and compliance.
Security can’t wait. Get started with Azure Security Center today and visit Azure Security Center Tech Community, where you can engage with other security-minded users like yourselves.
Azure. Invent with purpose.