GC Cloud Guardrails


Overview

As part of the Government of Canada (GC) Cloud Operationalization Framework, the GC has provided a set of minimum guardrails to be implemented within the first 30 days of standing up a cloud environment. From the GC Cloud Guardrails repository:

The purpose of the guardrails is to ensure that departments and agencies are implementing a preliminary baseline set of controls within their cloud-based environments. These minimum guardrails are to be implemented within the GC-specified initial period (e.g. 30 days) upon receipt of an enrollment under the GC Cloud Services Framework Agreement.

This document identifies the key considerations as part of each guardrail and provides information on how an Azure Landing Zones for Canadian Public Sector (ALZCPS) deployment meets (or could meet) each consideration.

Azure Active Directory Required Configuration and Recommendations

Many of the guardrails contain identity and access management requirements. However, configuration of Azure Active Directory (Azure AD) is a prerequisite to deploying a landing zone using the ALZCPS project. Key configuration information is contained within our architecture documentation.

With an appropriately configured Azure AD, 34% of the guardrail considerations are covered.

Azure AD Logging and Monitoring

When configuring your Azure AD tenant, ensure that:

NOTE: Azure AD P1/P2 is required to ingest sign-in logs to Microsoft Sentinel.

To create alerts from sign-in logs, refer to:

Azure AD Recommendations

The following features provide native solutions to several guardrails, including:

  • Protect Root / Global Admins Account
  • Management of Administrative Privileges
  • Cloud Console Access
  • Enterprise Monitoring Accounts

Azure AD Conditional Access (Azure AD P1/P2 Required)

Consider implementing Azure AD Conditional Access to create fine-tuned access policies with contextual factors such as user, device, location, and real-time risk information to control what a specific user can access, and how and when they have access.

Refer to Plan a Conditional Access deployment to get started.

Azure AD Identity Protection (Azure AD P2 Required)

Consider implementing Azure AD Identity Protection to detect, investigate, and remediate suspicious user and sign-in behavior in your environment.

When configuring Azure AD Identity Protection, ensure that:

Azure AD Privileged Identity Management (Azure AD P2 Required)

Consider implementing Azure AD Privileged Identity Management (PIM) to provide time-based and approval-based role activation, mitigating the risks of excessive, unnecessary, or misused access to important resources in your organization.

When configuring Azure AD PIM, ensure that Azure AD PIM alerts are configured.

Refer to Plan a Privileged Identity Management deployment to get started.

Azure AD Access Reviews (Azure AD P2 Required)

Consider implementing Azure AD Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a regular basis to make sure only the right people have continued access.

Refer to Plan an Azure Active Directory access reviews deployment to get started.

User and Entity Behavioral Analytics

Consider enabling User and Entity Behavioral Analytics within Microsoft Sentinel to identify anomalous activity and help you determine if an asset has been compromised (usage fees apply).

ALZCPS Identity Management Policies

The following policies related to identity management are enabled by default in ALZCPS deployments:

Guardrails

1. Protect Root / Global Admins Account

GC Guardrail Documentation

1.1 Implement multi-factor authentication (MFA) mechanism for root/master account.

This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication.

Azure AD Conditional Access is a native solution that can help to meet this consideration.

Multi-factor authentication controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

1.2 Document a break glass emergency account management procedure. Including names of users with root or master account access.

Documentation exercises are out of scope. GC intranet users can reference the break-glass emergency account procedure document.

Relevant Links:

1.3 Obtain signature from Departmental Chief Information Officer (CIO) and Chief Security Officer (CSO) to confirm acknowledgement and approval of the break glass emergency account management procedures.

Documentation exercises are out of scope. GC intranet users can reference the break-glass emergency account procedure document.

Relevant Links:

1.4 Implement a mechanism for enforcing access authorizations.

This consideration can be met by appropriately configuring your Azure AD instance. Specifically, creating and assigning users to appropriate Azure AD groups and then granting permissions to those groups.

The following native solutions can help to meet this consideration:

Access authorization controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

1.5 Configure appropriate alerts on root/master accounts to detect a potential compromise, in accordance with the GC Event Logging Guidance.

This consideration can be met by appropriately configuring your Azure AD instance. See Azure AD Logging and Monitoring and the GC Event Logging Guidance.

The following native solutions can help to meet this consideration:

Related Links:
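The Azure AD Logging and Monitoring section and guardrail 1.5 both ask for alerts on root/global-admin accounts once sign-in logs are flowing to Microsoft Sentinel. The following added example (not code from the ALZCPS project or the GC guardrails) shows the kind of detection logic those alerts encode, run locally over constructed records that mirror a few columns of the Azure AD SigninLogs table. The privileged and break-glass account names, the expected sign-in country, the failure threshold and the window are all assumptions.

```python
"""Alerting logic for root/global-admin sign-ins over constructed SigninLogs records.

Added example. The rules, thresholds and account names are assumptions, and
the records carry only a few of the SigninLogs columns.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: accounts the organisation designates as Global Admin / break-glass.
PRIVILEGED_ACCOUNTS = {"ga-admin@contoso.example", "breakglass-01@contoso.example"}
BREAK_GLASS_ACCOUNTS = {"breakglass-01@contoso.example"}
EXPECTED_COUNTRIES = {"CA"}      # where administrators are expected to sign in from
FAILURE_THRESHOLD = 5            # failed sign-ins ...
WINDOW = timedelta(minutes=15)   # ... within this sliding window


def _signin(ts, upn, result, auth_req, country, ip):
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "ResultType": result,
            "AuthenticationRequirement": auth_req, "Location": country, "IPAddress": ip}


# Constructed sample records (ResultType "0" is success; "50126" is an invalid credential).
SAMPLE_SIGNINS = [
    _signin("2024-03-01T13:00:00Z", "ga-admin@contoso.example", "0", "multiFactorAuthentication", "CA", "198.51.100.10"),
    _signin("2024-03-01T13:05:00Z", "ga-admin@contoso.example", "0", "singleFactorAuthentication", "CA", "198.51.100.10"),
    _signin("2024-03-01T13:07:00Z", "breakglass-01@contoso.example", "0", "multiFactorAuthentication", "DE", "203.0.113.7"),
    _signin("2024-03-01T13:31:00Z", "alice@contoso.example", "0", "singleFactorAuthentication", "US", "203.0.113.20"),
] + [
    _signin(f"2024-03-01T13:{20 + 2 * i:02d}:00Z", "ga-admin@contoso.example", "50126",
            "singleFactorAuthentication", "CA", "203.0.113.9")
    for i in range(6)
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(records):
    """Return (rule, account, detail) findings; only privileged accounts are evaluated."""
    findings = []
    failures = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec["TimeGenerated"]):
        upn = r["UserPrincipalName"]
        if upn not in PRIVILEGED_ACCOUNTS:
            continue
        if r["ResultType"] != "0":
            failures[upn].append(parse_ts(r["TimeGenerated"]))
            continue
        if upn in BREAK_GLASS_ACCOUNTS:
            # Any successful use of a break-glass account is notable on its own.
            findings.append(("break-glass-used", upn, r["IPAddress"]))
        if r["AuthenticationRequirement"] != "multiFactorAuthentication":
            findings.append(("privileged-signin-no-mfa", upn, r["IPAddress"]))
        if r["Location"] not in EXPECTED_COUNTRIES:
            findings.append(("privileged-signin-unexpected-location", upn, r["Location"]))
    # Sliding window over failed attempts per privileged account.
    for upn, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                findings.append(("privileged-failure-burst", upn,
                                 f"{end - start + 1} failures within {WINDOW}"))
                break
    return findings


def count_by_rule(findings):
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in detect(SAMPLE_SIGNINS):
        print(finding)
```

Each of the four rules maps to one of the things the guardrail wants surfaced: a break-glass account being used at all, a privileged sign-in that completed without MFA, a privileged sign-in from outside the expected region, and a burst of failed attempts against a privileged account. In a real deployment the same logic is expressed as Sentinel analytics rules over the SigninLogs table rather than run in Python.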


2. Management of Administrative Privileges

GC Guardrail Documentation

2.1 Document a process for managing accounts, access privileges, and access credentials for organizational users, non-organizational users (if required), and processes based on the principles of separation of duties and least privilege (for example, operational procedures and active directory).

Documentation exercises are out of scope.

The following native solutions can help to meet this consideration:

Relevant Links:

2.2 Implement a mechanism for enforcing access authorizations.

This consideration can be met by appropriately configuring your Azure AD instance. Specifically, creating and assigning users to appropriate Azure AD groups and then granting permissions to those groups.

The following native solutions can help to meet this consideration:

Access authorization controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

2.3 Implement a mechanism for uniquely identifying and authenticating organizational users, non-organizational users (if applicable), and processes (for example, username and password).

This consideration can be met by appropriately configuring your Azure AD instance.

Controls for authenticating organizational users, non-organizational users, and processes are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

2.4 Implement a multi-factor authentication mechanism for privileged accounts (for example, username, password and one-time password) and for external facing interfaces.

This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication.

Azure AD Conditional Access is a native solution that can help to meet this consideration.

Multi-factor authentication controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

2.5 Change default passwords.

This consideration can be met by appropriately configuring your Azure AD instance.

Password controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

2.6 Ensure that no custom subscription owner roles are created.

As described in the Microsoft Cloud Adoption Framework design recommendations, there is one custom owner role created:

  • Custom - Landing Zone Subscription Owner

However, this is not truly a "subscription owner", as it has limited permissions and is unable to manage RBAC and networking.

Role-related controls are implemented as listed in ALZCPS Identity Management Policies.

2.7 Configure password policy in accordance with GC Password Guidance.

This consideration can be met by appropriately configuring your Azure AD instance.

Password controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

2.8 Minimize number of guest users; add only if needed.

Out of scope.

Relevant Links:

2.9 Determine access restrictions and configuration requirements for GC-issued endpoint devices, including those of non-privileged and privileged users, and configure access restrictions for endpoint devices accordingly. Note: Some service providers may offer configuration options to restrict endpoint device access. Alternatively, organizational policy and procedural instruments can be implemented to restrict access.

This consideration can be met by appropriately configuring your Azure AD instance.

The following native solutions can help to meet this consideration:

Access restriction controls are implemented as listed in ALZCPS Identity Management Policies.


3. Cloud Console Access

GC Guardrail Documentation

3.1 Implement multi-factor authentication mechanism for privileged accounts and remote network (cloud) access.

This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication.

Azure AD Conditional Access is a native solution that can help to meet this consideration.

Multi-factor authentication controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

3.2 Determine access restrictions and configuration requirements for GC managed devices, including those of non-privileged and privileged users, and configure access restrictions for endpoint devices accordingly.

This consideration can be met by appropriately configuring your Azure AD instance.

The following native solutions can help to meet this consideration:

Access restriction controls are implemented as listed in ALZCPS Identity Management Policies.

3.3 Ensure that administrative actions are performed by authorized users following a process approved by Chief Security Officer (CSO) (or delegate) and designated official for cyber security. This process should incorporate the use of trusted devices and a risk-based conditional access control policy with appropriate logging and monitoring enabled.

The following native solutions can help to meet this consideration:

For logging and monitoring, see Azure AD Logging and Monitoring.

Access-control controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

3.4 Implement a mechanism for enforcing access authorizations.

This consideration can be met by appropriately configuring your Azure AD instance. Specifically, creating and assigning users to appropriate Azure AD groups and then granting permissions to those groups.

The following native solutions can help to meet this consideration:

Access authorization controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

3.5 Implement password protection mechanisms to protect against password brute force attacks.

This consideration can be met by appropriately configuring your Azure AD instance. Specifically, configuring Azure AD smart lockout or by implementing a passwordless authentication deployment.

Password controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:


4. Enterprise Monitoring Accounts

GC Guardrail Documentation

4.1 Assign roles to approved GC stakeholders to enable enterprise visibility. Roles include billing reader, policy contributor/reader, security reader, and global reader.

This consideration can be met by appropriately configuring your Azure AD instance. Specifically, by assigning the appropriate RBAC roles.

Role-related controls are implemented as listed in ALZCPS Identity Management Policies.

Relevant Links:

4.2 Ensure that multi-factor authentication mechanism for enterprise monitoring accounts is enabled.

This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication.

Azure AD Conditional Access is a native solution that can help to meet this consideration.

Relevant Links:


5. Data Location

GC Guardrail Documentation

5.1 As per the Directive on Service and Digital "Ensuring computing facilities located within the geographic boundaries of Canada or within the premises of a Government of Canada department located abroad, such as a diplomatic or consular mission, be identified and evaluated as a principal delivery option for all sensitive electronic information and data under government control that has been categorized as Protected B, Protected C or is Classified."

ALZCPS deployments restrict resource deployments by default to the locations "canadacentral" or "canadaeast".

The following policies related to data location are enabled by default in ALZCPS deployments:

Relevant Links:
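The location restriction above is enforced with an Azure Policy assignment. As an added example (not the ALZCPS project's own policy files), the block below embeds a policy rule in the shape of the built-in "Allowed locations" definition and evaluates it locally with a small interpreter for the handful of policy-language conditions that rule uses, so the effect of the deny rule on a set of resources can be seen without deploying anything. The resource records and the assignment parameter value are constructed; the two regions are the ones guardrail 5.1 names.

```python
"""Locally evaluate an Azure Policy "allowed locations" rule (added example).

The evaluator implements only allOf/anyOf/not and the equals/notEquals/in/notIn
field conditions, which is all this rule needs. Resource records are constructed.
"""
import json

ALLOWED_LOCATIONS_POLICY = json.loads("""
{
  "properties": {
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
      "if": {
        "allOf": [
          {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
          {"field": "location", "notEquals": "global"},
          {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"}
        ]
      },
      "then": {"effect": "deny"}
    }
  }
}
""")

# Constructed assignment parameters: the ALZCPS default regions from guardrail 5.1.
ASSIGNMENT_PARAMETERS = {"listOfAllowedLocations": ["canadacentral", "canadaeast"]}

# Constructed resources: the last two exercise the "global" and B2C exemptions.
SAMPLE_RESOURCES = [
    {"name": "stgcanadacentral", "type": "Microsoft.Storage/storageAccounts", "location": "canadacentral"},
    {"name": "vm-east", "type": "Microsoft.Compute/virtualMachines", "location": "CanadaEast"},
    {"name": "stg-eastus", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "trafficmgr", "type": "Microsoft.Network/trafficmanagerprofiles", "location": "global"},
    {"name": "b2c-tenant", "type": "Microsoft.AzureActiveDirectory/b2cDirectories", "location": "United States"},
]


def resolve(value, params):
    """Resolve a "[parameters('name')]" template expression; anything else is a literal."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _lower(value):
    # Azure Policy compares strings case-insensitively.
    if isinstance(value, str):
        return value.lower()
    if isinstance(value, list):
        return [_lower(v) for v in value]
    return value


def condition_matches(cond, resource, params):
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    actual = _lower(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _lower(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _lower(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in _lower(resolve(cond["in"], params))
    if "notIn" in cond:
        return actual not in _lower(resolve(cond["notIn"], params))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, params, resource):
    """Return the effect ("deny") when the rule's "if" matches, otherwise "allow"."""
    rule = policy["properties"]["policyRule"]
    if condition_matches(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return "allow"


def evaluate_all(resources, policy=ALLOWED_LOCATIONS_POLICY, params=ASSIGNMENT_PARAMETERS):
    return {r["name"]: evaluate(policy, params, r) for r in resources}


if __name__ == "__main__":
    for name, effect in evaluate_all(SAMPLE_RESOURCES).items():
        print(f"{name}: {effect}")
```

Two details worth noticing in the rule: region names compare case-insensitively, so "CanadaEast" passes, and resources whose location is "global" (or which are B2C directories) are excluded from the deny, because they have no regional location to restrict.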


6. Protection of Data-at-Rest

GC Guardrail Documentation

6.1 Seek guidance from privacy and access to information officials within institutions before storing personal information in cloud-based environments.

Institutional policy guidance exercises are out of scope.

6.2 Implement an encryption mechanism to protect the confidentiality and integrity of data when data are at rest in your solution's storage.

Most Azure services that support encryption at rest also support offloading the management of encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means the service has full access to the keys and full control over their lifecycle. However, several encryption models are supported, including:

Refer to this list to see which encryption models are supported by each service.

The following policies related to protection of information at rest are enabled by default in ALZCPS deployments:

Relevant Links:

6.3 Use CSE-approved cryptographic algorithms and protocols, in accordance with ITSP.40.111 and ITSP.40.062.

Azure provides the ability to use CSE-approved algorithms and protocols. However, policy enforcement is not possible across all use cases, as it depends on the individual application architecture. For example, the default certificate signing algorithm within Azure AD is SHA-256; however, if an application only supports SHA-1, Azure AD can be manually configured to sign SAML responses using SHA-1 for that application.

The following policies related to approved cryptographic algorithms are enabled by default in ALZCPS deployments:

Relevant Links:

6.4 Implement key management procedures.

Most Azure services that support encryption at rest also support offloading the management of encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means the service has full access to the keys and full control over their lifecycle. Customer-managed key scenarios are supported within ALZCPS in the Healthcare and Machine Learning archetypes. See Key management in Azure for more details on platform-managed and customer-managed keys.

The following policies related to key management are enabled by default in ALZCPS deployments:

Relevant Links:


7. Protection of Data-in-Transit

GC Guardrail Documentation

7.1 Implement an encryption mechanism to protect the confidentiality and integrity of data when data are in transit to and from your solution.

For client applications, this is specific to the application architecture and the determined risk profile. Azure PaaS services can be audited for compliance via Azure Policy. Azure offers many mechanisms for keeping data private as it moves from one location to another.

The following policies related to protection of data in transit are enabled by default in ALZCPS deployments:

Relevant Links:

7.2 Use CSE-approved cryptographic algorithms and protocols.

Azure provides the ability to use CSE-approved algorithms and protocols. However, policy enforcement is not possible across all use cases, as it depends on the individual application architecture. For example, the default certificate signing algorithm within Azure AD is SHA-256; however, if an application only supports SHA-1, Azure AD can be manually configured to sign SAML responses using SHA-1 for that application.

The following policies related to approved cryptographic algorithms are enabled by default in ALZCPS deployments:

Relevant Links:

7.3 Encryption of data in transit by default (e.g. TLS v1.2, etc.) for all publicly accessible sites and external communications as per the direction on Implementing HTTPS for Secure Web Connections (ITPIN 2018-01).

TLS 1.2 is set as the minimum TLS version in the following deployed resources:

  • App Service
  • SQL Database
  • Storage

The following policies related to encryption of data in transit for publicly accessible sites and external communications are enabled by default in ALZCPS deployments:

Relevant Links:
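The three resource types listed above each expose their minimum TLS setting under a different ARM property and in a different value format, which is the main thing to get right when auditing a deployment for guardrail 7.3. The following added example (not ALZCPS code) normalises the App Service, SQL Database and Storage settings to a comparable version tuple and reports each resource as compliant, non-compliant or unset. The resource records are constructed; the property names are the ARM ones for each type.

```python
"""Audit minimum TLS version across App Service, SQL and Storage resources (added example).

Property names and value formats are the ARM ones per resource type:
  Microsoft.Web/sites               properties.siteConfig.minTlsVersion  "1.0" | "1.1" | "1.2"
  Microsoft.Sql/servers             properties.minimalTlsVersion         "None" | "1.0" | "1.1" | "1.2"
  Microsoft.Storage/storageAccounts properties.minimumTlsVersion         "TLS1_0" | "TLS1_1" | "TLS1_2"
The sample resources are constructed.
"""

REQUIRED = (1, 2)  # TLS 1.2, the minimum guardrail 7.3 calls for


def _parse_dotted(value):
    """'1.2' -> (1, 2); SQL's 'None' means no minimum is enforced at all."""
    if value == "None":
        return (0, 0)
    major, minor = value.split(".")
    return (int(major), int(minor))


def _parse_storage(value):
    """'TLS1_2' -> (1, 2)."""
    major, minor = value[len("TLS"):].split("_")
    return (int(major), int(minor))


# Per resource type: path to the setting inside "properties", and its parser.
EXTRACTORS = {
    "Microsoft.Web/sites": (("siteConfig", "minTlsVersion"), _parse_dotted),
    "Microsoft.Sql/servers": (("minimalTlsVersion",), _parse_dotted),
    "Microsoft.Storage/storageAccounts": (("minimumTlsVersion",), _parse_storage),
}

# Constructed sample resources covering each type, including a legacy and an unset case.
SAMPLE_RESOURCES = [
    {"name": "web-prod", "type": "Microsoft.Web/sites", "properties": {"siteConfig": {"minTlsVersion": "1.2"}}},
    {"name": "web-legacy", "type": "Microsoft.Web/sites", "properties": {"siteConfig": {"minTlsVersion": "1.0"}}},
    {"name": "sql-main", "type": "Microsoft.Sql/servers", "properties": {"minimalTlsVersion": "1.2"}},
    {"name": "sql-old", "type": "Microsoft.Sql/servers", "properties": {"minimalTlsVersion": "None"}},
    {"name": "stgprod", "type": "Microsoft.Storage/storageAccounts", "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"name": "stglegacy", "type": "Microsoft.Storage/storageAccounts", "properties": {}},
]


def min_tls(resource):
    """Return the configured minimum as (major, minor), or None when the setting is absent."""
    path, parser = EXTRACTORS[resource["type"]]
    node = resource.get("properties", {})
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return parser(node)


def audit(resources):
    """Map each resource name to 'compliant', 'noncompliant' or 'unset'."""
    result = {}
    for r in resources:
        version = min_tls(r)
        if version is None:
            # The platform default applies; verify it explicitly rather than assuming.
            result[r["name"]] = "unset"
        elif version >= REQUIRED:
            result[r["name"]] = "compliant"
        else:
            result[r["name"]] = "noncompliant"
    return result


def needs_attention(resources):
    """Names of resources that are below TLS 1.2 or have no explicit minimum, sorted."""
    return sorted(name for name, status in audit(resources).items() if status != "compliant")


if __name__ == "__main__":
    for name, status in audit(SAMPLE_RESOURCES).items():
        print(f"{name}: {status}")
```

The "unset" outcome is deliberate: a resource with no explicit minimum inherits whatever the platform default is for that resource type and API version, and an audit should surface it rather than silently treat it as compliant. The same normalisation is what an Azure Policy audit effect has to do per resource type, one definition per property.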

7.4 Encryption for all access to cloud services (e.g. Cloud storage, Key Management systems, etc.).

The following policies related to encryption for access to cloud services are enabled by default in ALZCPS deployments:

Relevant Links:

7.5 Consider encryption for internal zone communication in the cloud based on risk profile and as per the direction in CCCS network security zoning guidance in ITSG-22 and ITSG-38.

For client applications, this is specific to the application architecture and determined risk profiles. Azure PaaS services can be audited for compliance via Azure Policy. Azure offers many mechanisms for keeping data private as it moves from one location to another.

As an additional layer of protection, Azure Private Link enables access to Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network. Azure Private Link is enabled on all supported PaaS services in an ALZCPS deployment.

The following policies related to information flow enforcement are enabled by default in ALZCPS deployments:

Relevant Links:

7.6 Implement key management procedures.

See Key management in Azure for details on platform-managed and customer-managed keys.

The following policies related to key management are enabled by default in ALZCPS deployments:

Relevant Links:


8. Segment and Separate

GC Guardrail Documentation

8.1 Develop a target network security design that considers segmentation via network security zones, in alignment with ITSG-22 and ITSG-38.

The ALZCPS network design implements separate hub virtual networks that allow for segmenting management operations. However, it is up to the implementer to determine how these networks should be enhanced to meet their specific security needs.

The following policies related to network security are enabled by default in ALZCPS deployments:

Relevant Links:

8.2 Implement increased levels of protection for management interfaces.

ALZCPS adheres to boundary protection policies for management interfaces. This includes the use of Azure Private Link, routing traffic to a deployed firewall, and disabling public network access to sensitive resources.

For custom applications, it is up to the implementer to identify management interfaces which may need increased levels of protection.

The following policies related to protection for management interfaces are enabled by default in ALZCPS deployments:


9. Network Security Services

GC Guardrail Documentation

9.1 Ensure that egress/ingress points to and from GC cloud-based environments are managed and monitored. Use centrally provisioned network security services where available.

ALZCPS provides two default firewall configurations:

For logging and monitoring, review the Azure Firewall Archetype Log Analytics Integration documentation.

The following policies related to boundary protection are enabled by default in ALZCPS deployments:

Relevant Links:

9.2 Implement network boundary protection mechanisms for all external facing interfaces that enforce a deny-all or allow-by-exception policy.

When using the Azure Firewall Archetype, please review the pre-configured Azure Firewall Rules.

The following policies related to boundary protection are enabled by default in ALZCPS deployments:

9.3 Perimeter security services such as boundary protection, intrusion prevention services, proxy services, TLS traffic inspection, etc. must be enabled based on risk profile, in alignment with GC Secure Connectivity Requirements and ITSG-22 and ITSG-38.

The required/available security services will depend on the deployed workload, such as the firewall used, and any additional requirements of the workload based on risk profile. When deploying using ALZCPS:

The following policies related to perimeter security services are enabled by default in ALZCPS deployments:

Relevant Links:

9.4 Ensure that access to cloud storage services is protected and restricted to authorized users and services.

For the archetypes provided in ALZCPS, we provide Private Endpoints for storage accounts. Further controls may be required to limit access to specific users and groups as needed.

The following policies related to access to cloud storage services are enabled by default in ALZCPS deployments:

Relevant Links:


10. Cyber Defense Services

GC Guardrail Documentation

10.1 Sign an MOU with CCCS.

This is out of scope.

Relevant Links:

10.2 Implement cyber defense services where available.

The required/available cyber defense services will depend on the deployed workload, such as the firewall used, and any additional requirements of the workload based on risk profile. When deploying using ALZCPS:

The following policies related to cyber defense services are enabled by default in ALZCPS deployments:

Relevant Links:


11. Logging and Monitoring

GC Guardrail Documentation

11.1 Implement adequate level of logging and reporting, including a security audit log function in all information systems.

In ALZCPS deployments, the default configuration collects logs from VMs and PaaS services into a central Log Analytics Workspace.

The included Log Analytics Workspace solutions include:

  • AgentHealthAssessment
  • AntiMalware
  • AzureActivity
  • ChangeTracking
  • Security
  • SecurityInsights
  • ServiceMap
  • SQLAdvancedThreatProtection
  • SQLAssessment
  • SQLVulnerabilityAssessment
  • Updates
  • VMInsights

For VMs, diagnostic logs are collected using the Microsoft Monitoring Agent which is deployed by default via Azure Policy.

For PaaS services, diagnostics settings are turned on.

The following policies related to logging and reporting are enabled by default in ALZCPS deployments:

Relevant Links:

11.2 Identify the events within the solution that must be audited in accordance with GC Event Logging.

Review GC Event Logging.

11.3 Configure alerts and notifications to be sent to the appropriate contact/team in the organization.

ALZCPS sets up email notifications for the following alerts by default:

  • Service Health Alerts
  • Subscription Budget Alerts

Further configuration is required to set up appropriate alerts and notifications for any deployment.

Relevant Links:

11.4 Configure or use an authoritative time source for the time-stamp of the audit records generated by your solution components.

Azure PaaS Services and Azure Marketplace Windows VMs use time.windows.com as the default authoritative time source.

Since early 2021, Azure Marketplace Linux VMs use the chronyd service to synchronize with the host time (time.windows.com).

There are two standard time-stamp columns within Azure Monitor logs:

  • TimeGenerated, which contains the date and time that the record was created by the data source.
  • _TimeReceived, which contains the date and time that the record was received by the Azure Monitor ingestion point in the Azure cloud.

The following policies related to time stamps are enabled by default in ALZCPS deployments:

Relevant Links:
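The two columns described above are enough to check, per source, whether audit-record timestamps can be trusted: a source whose clock runs ahead of the authoritative time produces records whose TimeGenerated is later than _TimeReceived, which cannot happen otherwise, while a large positive gap means either a clock running behind or a delayed pipeline. The following added example (not ALZCPS code) computes that gap over constructed Azure Monitor records and classifies each Computer; the tolerance is an assumption.

```python
"""Check audit-record timestamps for clock skew and ingestion delay (added example).

TimeGenerated is stamped by the data source; _TimeReceived is stamped at the Azure
Monitor ingestion point. Records and the latency tolerance are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_LATENCY = timedelta(minutes=10)  # constructed tolerance for source-to-ingestion delay

# Constructed sample records; only the two timestamp columns and Computer are included.
SAMPLE_RECORDS = [
    {"Computer": "vm-web-01", "TimeGenerated": "2024-03-01T12:00:00Z", "_TimeReceived": "2024-03-01T12:00:05Z"},
    {"Computer": "vm-web-01", "TimeGenerated": "2024-03-01T12:01:00Z", "_TimeReceived": "2024-03-01T12:01:07Z"},
    {"Computer": "vm-db-02", "TimeGenerated": "2024-03-01T12:00:00Z", "_TimeReceived": "2024-03-01T12:25:00Z"},
    {"Computer": "vm-old-03", "TimeGenerated": "2024-03-01T12:10:00Z", "_TimeReceived": "2024-03-01T12:04:00Z"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def latency(record):
    """_TimeReceived minus TimeGenerated; negative only if the source clock is ahead."""
    return parse_ts(record["_TimeReceived"]) - parse_ts(record["TimeGenerated"])


def summarize(records):
    """Per Computer: min/max latency in seconds and a verdict of ok, delayed or clock-ahead."""
    per_host = defaultdict(list)
    for r in records:
        per_host[r["Computer"]].append(latency(r))
    summary = {}
    for host, lats in per_host.items():
        lowest, highest = min(lats), max(lats)
        if lowest < timedelta(0):
            verdict = "clock-ahead"   # source stamped a time later than ingestion saw it
        elif highest > MAX_LATENCY:
            verdict = "delayed"       # clock behind or pipeline delay; investigate either way
        else:
            verdict = "ok"
        summary[host] = {
            "min_latency_s": int(lowest.total_seconds()),
            "max_latency_s": int(highest.total_seconds()),
            "verdict": verdict,
        }
    return summary


def verdicts(records):
    return {host: info["verdict"] for host, info in summarize(records).items()}


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_RECORDS).items():
        print(host, info)
```

A negative gap is the unambiguous signal: only a source clock ahead of the ingestion clock can produce it, so "clock-ahead" points directly at a time-source problem on that host. The "delayed" verdict needs a second look, since a clock running behind and a slow collection path look identical in these two columns.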

11.5 Continuously monitor system events and performance.

In ALZCPS deployments, the default configuration collects logs from VMs and PaaS services into a central Log Analytics Workspace.

The included Log Analytics Workspace solutions include:

  • AgentHealthAssessment
  • AntiMalware
  • AzureActivity
  • ChangeTracking
  • Security
  • SecurityInsights
  • ServiceMap
  • SQLAdvancedThreatProtection
  • SQLAssessment
  • SQLVulnerabilityAssessment
  • Updates
  • VMInsights

For VMs, diagnostic logs are collected using the Microsoft Monitoring Agent which is deployed by default via Azure Policy.

For PaaS services, diagnostics settings are turned on.

Additionally, Microsoft Defender for Cloud is enabled by default on all supported solutions.

The following policies related to logging and reporting are enabled by default in ALZCPS deployments:

Relevant Links:


12. Configuration of Cloud Marketplaces

GC Guardrail Documentation

12.1 Only GC approved cloud marketplace products are to be consumed. Turning on the commercial marketplace is prohibited.

The private marketplace is not enabled by default. Once enabled, only approved public marketplace offerings are allowed.

Relevant Links:

12.2 Submit requests to add third-party products to marketplace to SSC Cloud Broker.

This is out of scope.

Relevant Links: