Design and Deploy a Secure Azure Environment: Mapping the NIST Cybersecurity Framework to Azure Services

Table of Contents
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
Chapter 1: Get Started with Azure Security
	Introduction to Cybersecurity
		What Is a Cybersecurity Attack?
		Why Are Cyberattacks Executed?
		A Closer Look at Cybersecurity
		Cybersecurity Risk Analysis
		Threat Landscape
		Attack Vectors
		Security Breaches
		Data Breaches
		Malware
		Known Mitigation Strategies
			Multifactor Authentication
			Browser Security
			Threat Intelligence
		Cryptography
		Authentication and Authorization
		Threats to Network Security
		Threats to Application Security
		Applications with Untrustworthy Origins
		Vulnerabilities in Embedded Applications
			Open-Source Vulnerabilities
			Zero-Day Vulnerabilities
		Browser-Based Threats
			Cookie-Based Attacks
			Typosquatting
		Threats to Device Security
		Device Threat Vectors
			Phone, Laptop, or Tablet
			USB Drives
			Always-On Home Assistant Devices
			Device Vulnerabilities
	Getting Started with Cloud Computing
		Top Benefits of Cloud Computing
		Three Delivery Models of Cloud Computing
	Microsoft Azure Overview
		Azure Regions
		Azure Geography
		Azure Availability Zones
		Azure Management Groups
		Azure Subscriptions
		Azure Resource Groups
		Azure Resource Manager
		Azure Management Offerings
		Microsoft Azure Portal
		Microsoft Azure PowerShell
		Microsoft Azure CLI
		Microsoft Azure Cloud Shell
		Microsoft ARM Templates
		Microsoft Azure Mobile App
		Azure Monitoring Offerings
		Microsoft Azure Advisor
		Microsoft Azure Security Capabilities
		Microsoft Sentinel
		Microsoft Defender for Cloud
		Azure Resource Manager
		Application Insights
		Azure Monitor
		Azure Monitor Logs
		Azure Advisor
		Azure-Based Application Security Capabilities
		Penetration Testing
		Web Application Firewall
		Authentication and Authorization in Azure App Service
		Layered Security Architecture
		Web Server Diagnostics and Application Diagnostics
		Azure-Based Storage Security Capabilities
		Azure Role-Based Access Control (Azure RBAC)
		Shared Access Signature
		Encryption in Transit
		Encryption at Rest
		Storage Analytics
		Enabling Browser-Based Clients Using CORS
		Azure Network Security Capabilities
		Azure Network Communication with the Internet
		Azure Communication Between Azure Resources
		Azure Network Communication with the Private Cloud
		Filter Network Traffic
		Route Network Traffic
		Integrate Azure Services
		Other Network Services
		Azure Compute Security Capabilities
		Azure Confidential Computing
		Anti-malware and Antivirus
		Hardware Security Module
		Virtual Machine Backup
		Azure Site Recovery
		SQL VM TDE
		VM Disk Encryption
		Virtual Networking
		Patch Updates
		Security Policy Management and Reporting
		Azure Identify Security Capabilities
		Azure Active Directory (Azure AD)
		Azure Active Directory External Identities
		Azure Active Directory Domain Services
		Azure Apps and Data Security Capabilities
		Overview of the NIST CSF
	Summary
Chapter 2: Design and Deploy Security for Infrastructure, Data, and Applications
	Design and Deploy a Strategy for Securing Infrastructure Components
		Azure Data Centers and Network
		Azure Data Center Physical Security
		Azure Infrastructure Availability
	Cloud Security Shared Responsibility Model
	Foundation of Cloud Infrastructure and Endpoint Security
	Securing Virtual Machines
		Antimalware
		Protect Sensitive Data
		Organize Your Keys and Secrets with Key Vault
		Virtual Machine Disks for Linux and Windows Can Be Encrypted
		Build More Compliant Solutions
		Shield Network Traffic from Threats
	Securing Containers
		Use a Private Registry
		A Publicly Available Container Image Does Not Guarantee Security
		Monitor and Scan Container Images
		Protect Credentials
	Securing Hosts
	Securing Networks
		Microsoft Cloud Security Benchmark for Network Security
		Deploy Network Segmentation
		Protect Cloud Native Services with Network Security Controls
		Implement a Firewall at the Edge of the Enterprise Network
		Implement Intrusion Detection/Protection System
		Implement DDOS Protection
		Implement Web Application Firewall
		Follow Simplicity in Network Security Configuration
		In General, Disable Unused Services
		Have a Private Connectivity Between On-Premises and Azure
		Implement DNS Security
	Securing Storage
		Deploy Shared Access Signatures
		Govern Azure AD Storage Authentication
		Azure Storage Encryption for Data at Rest
	Securing Endpoints
		Microsoft Cloud Security Benchmark for Endpoint Security
		Adopt Endpoint Detection and Response (EDR)
		Deploy Modern Anti-malware Software
		Have a Release Parodic Recycle for Anti-Malware Software and Signatures
	Securing Backup and Recovery
		Microsoft Cloud Security Benchmark for Backup and Recovery
		Deploy Scheduled Automated Backups
		Safeguard Backup and Recovery
		Monitor Backups
		Periodically Test Backups
	Design and Deploy a Strategy for Securing Identify
		Microsoft’s Azure Active Directory
		Authentication Choices
		Cloud Authentication
		Federated Authentication
		Azure AD Identify Protection
		Azure AD Privileged Identify Protection
		Microsoft Cloud Security Benchmark for Identify
		Identify and Authenticate Users Using a Centralized System
		Authentication and Identify Systems Need to Be Protected
		Automate and Secure Application Identify Management
		Servers and Services Must Be Authenticated
		Access Applications Using Single Sign-On (SSO)
		Ensure Strong Authentication Controls Are in Place
		Resource Access Can Be Restricted Based on Conditions
		Ensure That Credentials and Secrets Are Not Exposed
		Existing Applications Can Be Accessed Securely by Users
		Microsoft Cloud Security Benchmark for Privileged Access
		Ensure That Highly Privileged and Administrative Users Are Separated and Limited
		Permissions and Accounts Should Not Be Granted Standing Access
		Life-Cycle Management of Identities and Entitlements
		Reconcile User Access Regularly
		Emergency Access Should Be Set Up
		Workstations with Privileged Access Should Be Used
		Use the Least Privilege Principle (Just-Enough Administration)
		Specify Access Method for Cloud Provider Support
	Design and Deploy a Strategy for Securing Apps and Data
		Software Frameworks and Secure Coding Libraries Should Be Used
		Conduct a Vulnerability Scan
		When Designing an Application, Use Threat Modeling
		Keep Your Attack Surface as Small as Possible
		Identify Identify as the Primary Security Perimeter
		For Important Transactions, Reauthentication Should Be Required
		Ensure the Security of Keys, Credentials, and Other Secrets by Using a Key Management Solution
		Make Sure Sensitive Data Is Protected
		Make Sure Fail-Safe Measures Are in Place
		Ensure That Errors and Exceptions Are Handled Correctly
		Alerts and Logging Should Be Used
		Modernize
		Microsoft Cloud Security Benchmark for DevOps
		Analyze Threats
		Ensure the Security of the Software Supply Chain
		Infrastructure for DevOps That Is Secure
		DevOps Pipeline Should Include Static Application Security Testing
		Dynamic Application Security Testing Should Be Incorporated Into the DevOps Pipeline
		DevOps Life-Cycle Security Is Enforced
		Monitoring and Logging Should Be Enabled in DevOps
	Getting Started with Microsoft SecOps
		Category 1: Preparation, Planning, and Prevention
		Category 2: Monitoring, Detection, and Response
		Category 3: Recovery, Refinement, and Compliance
		Microsoft SOC Function for Azure Cloud
		Microsoft Azure Security Operations Center
		SecOps Tools
	Summary
Chapter 3: Design and Deploy an Identify Solution
	Introduction to NIST Identify
	Asset Management (ID.AM)
	Azure Mapping for Asset Management (ID.AM)
		Microsoft Defender for Cloud
			Asset Inventory
			Software Inventory
			How to Enable It
		Azure AD Registered Devices
			How to Enable It
		IoT Hub Identify Registry
		Microsoft Intune
			How to Enable It
		Azure Service Map
			How to Enable It
		Azure Network Watcher and Network Security Group
			How to Enable It
		Azure Information Protection
			How to Enable It
		Azure AD Privilege Identify Management
			How to Enable It
		Privilege Access Management
			How to Enable It
	Business Environment (ID.BE)
		Privilege Access Workstation
		Microsoft Azure Bastion
		Azure Reliability by Design
	Governance (ID.GV)
		Microsoft Incident Response and Shared Responsibility
		Microsoft and General Data Protection Regulation
		Microsoft Compliance Manager
		Azure Policy
	Risk Assessment (ID.RA)
		Risk Assessment for Microsoft Azure
		Vulnerability Assessments in Microsoft Defender for Cloud
		AD Risk Management
		Design and Implementation of Active Directory
		Microsoft Sentinel
			How to Enable It
		Microsoft Threat Modeling Tool
		Microsoft Threat Management
		Azure Monitor
		Cybersecurity Operations Services
	Summary
Chapter 4: Design and Deploy a Protect Solution: Part 1
	Introduction to NIST Protect
	Identify Management, Authentication, and Access Control (PR.AC)
		Key Aspects of IDM
		Methods of Authentication
	Azure Mapping for PR.AC
		Azure AD
			How It Works
			Design Considerations
			How To Enable It
		Azure IoT
			Design Considerations
			How To Enable It
		Conditional Access
			How To Enable It
		Azure AD’s Application Proxy
			How It Works
			How To Enable It
		Just Enough Administration
			How To Enable It
		Managed and Protected Physical Access to Assets
	Awareness and Training (PR.AT)
	Azure Mapping for PR.AT
	Summary
Chapter 5: Design and Deploy a Protect Solution: Part 2
	Data Security
	Azure Mapping for Data Security
		Azure Disk Encryption
			How It Works
			Design Considerations
			How to Enable It
		Azure Storage Service Encryption
			How It Works
			Design Considerations
			How to Enable It
		Azure Key Vault
			How to Enable It
		Azure Information Protection
			How It Works
			Design Considerations
			How to Enable It
		Azure Backup Encryption
			How It Works
			Design Considerations
			How to Enable It
		Azure VPN Gateway
			Design Considerations
			How to Enable It
		Azure Site-to-Site VPN
			Design Considerations
			How to Enable It
		Azure Point-to-Site VPN
			How It Works
			Design Considerations
			How to Enable It
		Azure ExpressRoute
			How It Works
			Design Considerations
			How to Enable It
		Azure WAF
			How It Works
			Design Considerations
			How to Enable It
		Microsoft Purview DLP
			How It Works
			Design Considerations
			How to Enable It
		Data Segregation
	Summary
Chapter 6: Design and Deploy a Protect Solution: Part 3
	Information Protection Processes and Procedures (PR.IP)
	Azure Mapping for PR.IP
		Azure Automation Desired State Configuration
			How It Works
			Design Considerations
			How to Enable It
		PowerShell Desired State Configuration
			How It Works
			How to Enable It
		Microsoft SDL
			How to Enable It
		Security and Compliance in Office 365
			How to Enable It
		Office 365 Secure Score
			Design Considerations
			How to Enable It
		Azure Site Recovery
			Design Considerations
			How to Enable It
		Vulnerabilities Assessment
			How to Enable It
	Protective Technology (PR.PT)
	Azure Mapping for PR.PT
		Azure Security Information and Event Management
			How to Enable It
		AD Log Analytics
			Design Considerations
			How to Enable It
		Microsoft BitLocker
			Design Considerations
			How to Enable It
		Microsoft AppLocker
			Design Considerations
			How to Enable It
		Azure Network Security Services
			Design Considerations
			How to Enable It
		Microsoft Defender for Identify
			Design Considerations
			How to Enable It
	Summary
Chapter 7: Design and Deploy a Detect Solution
	Incident Detection in Cybersecurity
	Introduction to NIST Detect
	Anomalies and Events (DE.AE)
		Example 1: Cybersecurity Security Professional at Midsize Client
		Example 2: Cybersecurity Analyst Working for a Financial Institution
	Azure Mapping to Anomalies and Events (DE.AE)
		Azure Sentinel
			Design Considerations
			How to Enable It
	Security Continuous Monitoring (DE.CM)
	Getting Started with DevSecOps
		DevSecOps Continuous Monitoring
	Azure Mapping to Security Continuous Monitoring (DE.CM)
		Azure Monitor
			Design Considerations
			How to Enable It
		Azure AD Conditional Access
			How It Works
				Design Considerations
			How to Enable It
		Microsoft Defender for Cloud
			Design Considerations
			How to Enable It
		Microsoft Defender for Endpoint
			Design Considerations
			How to Enable It
		Azure Policy
			How to Enable It
		Detection Processes (DE.DP)
		Azure Mapping to DE.DP
		Azure AD Identify Protection
			Design Considerations
			How to Enable It
		Microsoft Defender ATP
			How It Works
				Design Considerations
			How to Enable It
		Microsoft Red Team
	Summary
Chapter 8: Design and Deploy a Respond Solution
	Incident Response in Cybersecurity
	Introduction to NIST Respond
		Response Planning (RS.RP)
			Example: NIST CSF Response Plan
			Azure Mapping to Response Planning (RS.RP)
				Preparation
				Detection and Analysis
				Containment, Eradication, and Recovery
				Post-Incident Activity
			Microsoft Azure Security Response in the Cloud
				What Is Azure Security Control: Incident Response?
				Key Features of Azure Security Control: Incident Response
				Benefits of Azure Security Control: Incident Response
			How to Build the Response Plan
		Communications (RS.CO)
			Azure Mapping to Response Communication (RS.CO)
				Communications in the Real World
		Analysis (RS.AN)
			Azure Mapping to Response Communication (RS.AN)
			Microsoft Incident Response
				Threat Intelligence
				Advanced Threat Detection
				Security Incident and Event Management
				Security Automation and Orchestration
				Incident Response Playbooks
		Mitigation (RS.MI)
			Design Considerations
		Azure Security Center
			How to Enable It
	Summary
Chapter 9: Design and Deploy a Recovery Solution
	Cybersecurity Incident Recovery
	Introduction to NIST Recovery
		Example: Data Breach
		Overview of the NIST CSF Recovery Module
		Example: Recovering from a Ransomware Attack
	Azure Mapping to NIST Recovery
		Benefits of Azure Recovery Services
	Azure Backup
		Key Components of Azure Backup
		Overview of Supported Elements
		Protect Against Ransomware
	Azure Backup Security Features Overview
		Azure VM Backup
			How to Backup, Restore, and Manage Azure VM Using Azure Backup
		Azure Disk Backup
			How to Backup, Restore, and Manage Azure Disk Backup using Azure Backup
		Azure Blob Backup
			How to Back Up and Restore Azure Blob Storage Using Azure Backup
		Azure File Share Backup
			How to Back Up and Restore Azure File Share Using Azure Backup
		Azure Backup for Database
		Azure Backup for Azure Kubernetes Service
		Azure Offline Backup
	Azure Site Recovery
		Key Features of Azure Site Recovery
		Site Recovery Services
		Azure Site Recovery in the Event of a Cybersecurity Incident
		Recovery Plans
		The Modernization of Disaster Recovery Failovers/Failbacks On-Premises
		Azure Traffic Manager and Azure Site Recovery
		Azure ExpressRoute with Azure Site Recovery
		Azure Virtual Machine Recovery with Azure Site Recovery
		Overall Security Integration Component with Azure Site Recovery
		How to Set Up Disaster Recovery for an Azure VM to a Secondary Azure Region
		Azure Security Baselines for Azure Site Recovery
		Backup and Restore Plan to Protect Against Ransomware
	Summary
Index