On July 21st, Microsoft took the final wraps off the Security Center product in Azure. The purpose of this product is to give you a “one stop shop” to check out the compliance of your Azure environment from within the existing Azure ARM portal. As with most products these days, Security Center is an ARM-only product. If you still use ASM to manage your environment, you should consider moving over as soon as you can, as ASM will be deprecated.
(Quick Azure primer – ARM stands for Azure Resource Manager, the “Portal V2”; all new cloud products are released only into this environment, and it is reached via the https://portal.azure.com URL. ASM stands for Azure Service Management, the original “Portal V1” or “Classic” functionality, and is reached via the https://manage.windowsazure.com URL.)
Data Collection must be enabled within the Azure portal. Generally this is turned on by default, but may have been disabled previously if any corporate security policy dictates this. Once enabled, you can then configure which components within Security Center you wish to enable. The image below shows the options available at the time of writing:-
At the initial release, it is possible to monitor the following:-
- System updates
- OS vulnerabilities
- Endpoint protection
- Disk encryption
- Network security groups
- Web Application Firewall (WAF)
- Next generation firewall
- SQL auditing
- SQL Transparent Data Encryption (TDE)
Each module can be enabled or disabled as appropriate. The screen shot above shows the default settings, which for most use cases should be sufficient to get a good handle on the security of your Azure environment. It’s important to note that without data collection being enabled, system updates, OS vulnerabilities and endpoint protection statuses cannot be reported back into Security Center.
Having monitoring and reporting configured is all well and good, but if you don’t have an effective means of communication to the people who can act upon alerts, it’s nothing more than a nice dashboard! From the security policy screen, the next step is to define e-mail addresses and phone numbers of the security team, who can take remedial action if necessary:-
The final step in the security policy configuration is deciding which pricing tier you want to use. Like most Azure products, there are different editions you can choose, depending on your specific requirements and budget. At the time of writing, there is a free tier and also a “paid for” Standard edition, as shown below:-
As you can see from above, the only real difference between the free tier and the Standard edition is the inclusion of “Advanced Detection”. What does this mean? In essence it provides a level of intelligence and analysis over and above the free tier. It’s also worth noting that “connected partner solutions”, which is available in both tiers, means you can integrate certified solutions such as Trend Micro into Security Center for increased visibility. The table below, taken from the Security Center documentation site summarises the main differences:-
| | Free | Standard |
|---|---|---|
| Security policy, assessment, and recommendations | Yes | Yes |
| Connected partner solutions | Yes | Yes |
| Basic security alerting | Yes | Yes |
| Advanced threat detection | No | Yes |
| Daily data allocation | Not applicable | 500 MB per day |
| Price | Free | £9.1635 / node / month |
Security Center Pricing
Currently, Security Center is charged per node, which represents a single virtual machine instance. The licence model may well change in the future, so it is well worth consulting the product pages to ensure your knowledge is up to date. Nodes are counted on a daily basis and as with all cloud computing services, if you don’t need it, turn it off or delete it!
Security Center in the real world
Once you have enabled Security Center and decided which tier to go for (remember a 90-day free trial of Standard is available for you to test), what does it look like? In simple terms, see the screen shot below, taken from a small subscription:-
From this high level dashboard, you can then start drilling down with a single click to see the status of your virtual machine instances and services such as SQL for any obvious security issues. In the virtual machines view (names changed to protect the not so innocent!), system updates and vulnerabilities (amongst others) are immediately highlighted for further action:-
The SQL status pane also shows a simple view of where the security of SQL databases requires remedial action, in this case auditing and TDE are not enabled:-
The Networking pane provides some fairly granular detail on misconfigured or potentially lax security group settings, in the form of internet facing endpoints and network topologies (virtual machines inside vNets):-
The virtual network view provides an even greater level of detail:-
And then within this pane, you can then drill down into a virtual machine with a single click to see the issue reported by Security Center:-
One key point to remember at this stage about Security Center is that it does not perform automated remediation. That’s not to say it won’t in the future, but for now any actions taken must be performed by an administrator. In some ways this is a good thing, as making changes to Network Security Groups or to the configuration of a virtual machine should adhere to your standard corporate Change Management processes.
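As an added illustration of the kind of Network Security Group check the Networking pane surfaces (this is example code written for this post, not part of Security Center or any Microsoft tooling), the script below walks a set of ARM-style NSG rules in priority order and reports which management ports are open to any Internet address, without changing anything, so the findings can go through change management. The NSG itself is a constructed sample; the rule names and the `web-nsg` name are made up.

```python
# Report-only check: which management ports does an NSG leave open to the Internet?
# Azure evaluates inbound rules lowest priority number first; the first match wins,
# and the built-in DenyAllInBound rule (priority 65500) catches anything unmatched.

def _rule(name, priority, access, port, source="*", protocol="Tcp"):
    # Helper to build a rule in the shape the ARM API returns (single-range form only).
    return {"name": name, "properties": {
        "priority": priority, "direction": "Inbound", "access": access,
        "protocol": protocol, "sourceAddressPrefix": source, "destinationPortRange": port}}

# Constructed sample NSG. Note the SSH deny at 120 sits before the SSH allow at 200.
SAMPLE_NSG = {"name": "web-nsg", "properties": {"securityRules": [
    _rule("allow-rdp-any", 100, "Allow", "3389"),
    _rule("allow-https", 110, "Allow", "443", source="Internet"),
    _rule("deny-ssh", 120, "Deny", "22"),
    _rule("allow-ssh-late", 200, "Allow", "22"),
]}}

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 1433: "SQL Server", 5985: "WinRM"}
# Source prefixes that match every Internet address. Narrower CIDRs are treated as
# not matching "any Internet address", which is a deliberate simplification here.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def first_matching_rule(nsg, port, protocol="Tcp"):
    """Return (rule name, access) for the first inbound rule an Internet packet to `port` hits."""
    rules = sorted(nsg["properties"]["securityRules"], key=lambda r: r["properties"]["priority"])
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["protocol"] not in ("*", protocol):
            continue
        if p["sourceAddressPrefix"] in INTERNET_SOURCES and _port_matches(p["destinationPortRange"], port):
            return rule["name"], p["access"]
    return "DenyAllInBound", "Deny"   # Azure's default catch-all inbound rule

def internet_exposed_management_ports(nsg):
    """Map port -> (service, rule name) for management ports reachable from any Internet address."""
    findings = {}
    for port, service in MANAGEMENT_PORTS.items():
        rule_name, access = first_matching_rule(nsg, port)
        if access == "Allow":
            findings[port] = (service, rule_name)
    return findings

if __name__ == "__main__":
    for port, (service, rule) in sorted(internet_exposed_management_ports(SAMPLE_NSG).items()):
        print(f"{SAMPLE_NSG['name']}: {service} (tcp/{port}) open to the Internet via '{rule}'")
```

On the sample, only RDP is reported: HTTPS is open but is not a management port, and SSH is blocked because the deny rule outranks the later allow, which is exactly the ordering detail a quick glance at a rule list tends to miss.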
If you would like to look at Azure Security Center in further detail, get in touch for an impartial chat on what your options are.