Security risks for these multi-cloud deployments are better managed when organizations establish a consistent set of best practices and security controls across providers.
1. Identity and Access Management (IAM)
The CTP Azure Foundations Benchmark rules for IAM provide recommendations and validations pertaining to the utilization of Azure Role-Based Access Control (RBAC) roles. Minimizing the use of subscription-level roles such as “Owner,” and introducing resource group-level roles, allow you to implement the principle of “least privilege” for access to Azure resources. This reduces the risk of accidental changes and limits the damage that can result from an accident or error.
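As an added illustration of the scoping rule above (example code, not from the article or from CTP), the script below audits a list of RBAC role assignments and flags privileged roles granted at subscription scope or broader. The input records are constructed to resemble three fields of `az role assignment list` output (`principalName`, `roleDefinitionName`, `scope`); no Azure connection is made, and the scope grammar is a simplified assumption of this example.

```python
"""Audit Azure RBAC role assignments for privileged roles at broad scopes.

Added example, not code from the article or from CTP. Records are constructed
to resemble three fields of `az role assignment list` output (principalName,
roleDefinitionName, scope); no Azure connection is made.
"""
import re
from collections import Counter
from typing import Dict, List

# Simplified Azure Resource Manager scope grammar (assumption for this example:
# resource group and management group names contain no '/').
MGMT_GROUP_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)
SUBSCRIPTION_RE = re.compile(r"^/subscriptions/[^/]+$", re.I)
RESOURCE_GROUP_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)

# The article singles out "Owner"; extend this set to match local policy.
PRIVILEGED_ROLES = {"Owner"}
# Scopes considered too broad for a privileged role.
BROAD_SCOPES = {"root", "managementGroup", "subscription"}

# Constructed sample data (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS: List[Dict[str, str]] = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/rg-payments"},
    {"principalName": "ci-deployer", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "carol@example.com", "roleDefinitionName": "Reader", "scope": SUB},
]


def scope_level(scope: str) -> str:
    """Classify an ARM scope string from broadest to narrowest."""
    if scope == "/":
        return "root"
    if MGMT_GROUP_RE.match(scope):
        return "managementGroup"
    if SUBSCRIPTION_RE.match(scope):
        return "subscription"
    if RESOURCE_GROUP_RE.match(scope):
        return "resourceGroup"
    return "resource"


def find_overprivileged(assignments: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per privileged role held at a broad scope."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and level in BROAD_SCOPES:
            findings.append({
                "principal": a["principalName"],
                "role": a["roleDefinitionName"],
                "scope": a["scope"],
                "level": level,
                "recommendation": "replace with a resource group-scoped assignment "
                                  "(<subscription>/resourceGroups/<group>)",
            })
    return findings


def assignments_by_level(assignments: List[Dict[str, str]]) -> Counter:
    """Count assignments per scope level; useful as a trend metric over time."""
    return Counter(scope_level(a["scope"]) for a in assignments)


if __name__ == "__main__":
    for f in find_overprivileged(SAMPLE_ASSIGNMENTS):
        print(f"{f['principal']} holds {f['role']} at {f['level']} scope: {f['recommendation']}")
    print(dict(assignments_by_level(SAMPLE_ASSIGNMENTS)))
```

On the sample data only the subscription-wide "Owner" held by alice is reported; bob's "Owner" on a single resource group and carol's subscription-wide "Reader" pass. Running the same check against real `az role assignment list --all -o json` output needs no code change beyond loading the JSON.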
Also, the CTP Azure Foundations Benchmark rules for IAM recommend and validate the use of Managed Service Identity (MSI). The Azure MSI is one of the latest controls added to the Azure IAM toolset and is analogous to AWS IAM instance roles used to supply credentials to get access to AWS resources. Managed Service Identity allows you to keep credentials outside your code and thus solve the pesky “bootstrap identity” problem.
The rules guiding the use of multi-factor authentication (MFA) are part of the CTP Azure Foundations Benchmark as well.
2. Logging and Real-time Monitoring
The CTP Azure Benchmark rules control appropriate handling of Azure Activity Logs for further analysis and processing in Security Information and Event Management (SIEM) systems. The Azure Activity Logs contain information about events that have occurred in your Azure resources, such as resource create, update, or delete events.
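As an added example of the kind of Activity Log handling the paragraph describes (example code, not from the article or from CTP), the script below selects the state-changing events from a batch of log records and normalizes them into a shape a SIEM can ingest. The records are constructed to resemble a flattened Activity Log entry (`operationName`, `status`, `caller`, `resourceId`, `eventTimestamp`); the routing rule, forward terminal write, delete and action operations and drop interim "Started" records, is this example's own assumption rather than the benchmark's exact rule set.

```python
"""Select Azure Activity Log events for forwarding to a SIEM.

Added example, not code from the article or from CTP. The records below are
constructed to resemble a flattened Activity Log entry; the routing rules are
this example's own assumption.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Azure Resource Manager operation names end with the verb, e.g.
# "Microsoft.Compute/virtualMachines/write"; write/delete/action change state.
STATE_CHANGING_SUFFIXES = ("/write", "/delete", "/action")
# "Started" is an interim status; only terminal outcomes are forwarded.
TERMINAL_STATUSES = {"Succeeded", "Failed"}

RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/([^/]+)", re.IGNORECASE)

# Constructed sample events (placeholder subscription and resource names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"eventTimestamp": "2018-01-15T10:02:11Z", "caller": "alice@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-web/providers/"
                   "Microsoft.Compute/virtualMachines/web01"},
    {"eventTimestamp": "2018-01-15T10:05:40Z", "caller": "deploy-app-id",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "status": "Succeeded",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-data/providers/"
                   "Microsoft.Storage/storageAccounts/data01"},
    {"eventTimestamp": "2018-01-15T10:07:02Z", "caller": "bob@example.com",
     "operationName": "Microsoft.Network/networkSecurityGroups/delete", "status": "Started",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-web/providers/"
                   "Microsoft.Network/networkSecurityGroups/web-nsg"},
    {"eventTimestamp": "2018-01-15T10:07:09Z", "caller": "bob@example.com",
     "operationName": "Microsoft.Network/networkSecurityGroups/delete", "status": "Succeeded",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-web/providers/"
                   "Microsoft.Network/networkSecurityGroups/web-nsg"},
    {"eventTimestamp": "2018-01-15T10:09:30Z", "caller": "alice@example.com",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Failed",
     "resourceId": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleAssignments/aaaa"},
]


def is_state_changing(operation_name: str) -> bool:
    """True for control-plane operations that create, update, delete or act on a resource."""
    return operation_name.endswith(STATE_CHANGING_SUFFIXES)


def resource_group_of(resource_id: str) -> Optional[str]:
    """Extract the resource group from an ARM resource id, or None for subscription-level ids."""
    m = RG_RE.match(resource_id)
    return m.group(1) if m else None


def select_for_siem(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return normalized records for terminal, state-changing events only."""
    selected = []
    for ev in events:
        if not is_state_changing(ev["operationName"]):
            continue
        if ev["status"] not in TERMINAL_STATUSES:
            continue  # interim "Started" records would double-count the change
        selected.append({
            "time": ev["eventTimestamp"],
            "actor": ev["caller"],
            "action": ev["operationName"],
            "outcome": ev["status"],
            "resource_group": resource_group_of(ev["resourceId"]) or "<subscription>",
            "resource": ev["resourceId"],
        })
    return selected


def changes_by_actor(events: Iterable[Dict[str, str]]) -> Counter:
    """Count forwarded changes per caller, a simple baseline for anomaly review."""
    return Counter(r["actor"] for r in select_for_siem(events))


if __name__ == "__main__":
    for rec in select_for_siem(SAMPLE_EVENTS):
        print(f"{rec['time']} {rec['actor']} {rec['action']} {rec['outcome']} rg={rec['resource_group']}")
    print(dict(changes_by_actor(SAMPLE_EVENTS)))
```

Four of the five sample records are forwarded; the "Started" half of the NSG deletion is dropped so the deletion counts once, while the failed role-assignment write is kept because a failed privilege change is itself worth seeing in the SIEM.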
WINTER 2018 | THE DOPPLER | 13