Azure_Security_Benchmark_v3.0 |
IM-8 |
Azure_Security_Benchmark_v3.0_IM-8 |
Microsoft cloud security benchmark IM-8 |
Identity Management |
Restrict the exposure of credential and secrets |
Shared |
**Security Principle:**
Ensure that application developers securely handle credentials and secrets:
- Avoid embedding credentials and secrets in code and configuration files.
- Use a key vault or a secure key store service to store credentials and secrets.
- Scan source code for credentials.
Note: This is often governed and enforced through a secure software development lifecycle (SDLC) and DevOps security process.
**Azure Guidance:**
Ensure that secrets and credentials are stored in secure locations such as Azure Key Vault, instead of embedding them into the code and configuration files.
- Implement Azure DevOps Credential Scanner to identify credentials within the code.
- For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code.
Clients such as Azure Functions, Azure App Service, and VMs can use managed identities to access Azure Key Vault securely. See the Data Protection controls related to the use of Azure Key Vault for secrets management.
**Implementation and additional context:**
How to set up Credential Scanner:
https://secdevtools.azurewebsites.net/helpcredscan.html
GitHub secret scanning:
https://docs.github.com/github/administering-a-repository/about-secret-scanning |
n/a |
link |
3 |
Azure_Security_Benchmark_v3.0 |
PV-5 |
Azure_Security_Benchmark_v3.0_PV-5 |
Microsoft cloud security benchmark PV-5 |
Posture and Vulnerability Management |
Perform vulnerability assessments |
Shared |
**Security Principle:**
Perform vulnerability assessments for your cloud resources at all tiers on a fixed schedule or on demand. Track and compare the scan results to verify that the vulnerabilities are remediated. The assessment should include all types of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on.
Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow privileged access security best practices to secure any administrative accounts used for the scanning.
**Azure Guidance:**
Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machine scans. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications).
Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data.
When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.
Note: Azure Defender services (including Defender for Servers, container registries, App Service, SQL, and DNS) embed certain vulnerability assessment capabilities. The alerts generated by Azure Defender services should be monitored and reviewed together with the results from the Microsoft Defender for Cloud vulnerability scanning tool.
Note: Ensure you set up email notifications in Microsoft Defender for Cloud.
**Implementation and additional context:**
How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
Integrated vulnerability scanner for virtual machines:
https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment
SQL vulnerability assessment:
https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment
Exporting Microsoft Defender for Cloud vulnerability scan results:
https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results |
n/a |
link |
4 |
New_Zealand_ISM |
06.2.6.C.01 |
New_Zealand_ISM_06.2.6.C.01 |
New_Zealand_ISM_06.2.6.C.01 |
06. Information security monitoring |
06.2.6.C.01 Resolving vulnerabilities |
|
n/a |
Agencies SHOULD analyse and treat all vulnerabilities and subsequent security risks to their systems identified during a vulnerability assessment. |
|
7 |