Azure security baseline for Azure IoT Hub
This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Azure IoT Hub. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure IoT Hub. Controls not applicable to Azure IoT Hub have been excluded.
To see how Azure IoT Hub completely maps to the Azure Security Benchmark, see the full Azure IoT Hub security baseline mapping file.
Network security
For more information, see the Azure Security Benchmark: Network security.
1.1: Protect Azure resources within virtual networks
Guidance: IoT Hub is a multi-tenant Platform-as-a-Service (PaaS): different customers share the same pool of compute, networking, and storage hardware resources. IoT Hub host names resolve to a public endpoint with a publicly routable IP address on the internet. Different customers share this public endpoint, and IoT devices on wide-area networks and on-premises networks can all reach it. Microsoft designed the service for complete isolation between each tenant's data, and works continuously to ensure this result.
IoT Hub features including message routing, file upload, and bulk device import/export also require connectivity from IoT Hub to a customer-owned Azure resource over its public endpoint. These connectivity paths collectively make up the egress traffic from IoT Hub to customer resources.
Restrict connectivity to your Azure resources (including Azure IoT Hub) through a virtual network that you own and operate. This reduces exposure by keeping connectivity inside an isolated network and lets on-premises networks connect directly to the Azure backbone. Use Azure Private Link and Azure Private Endpoint, where feasible, to enable private access to your services from other virtual networks.
Once private access is established, disable public network access for the IoT Hub for additional security. This network level control is enforced on a specific IoT hub resource, ensuring isolation. To keep the service active for other customer resources using the public path, its public endpoint remains resolvable, IP addresses discoverable, and ports remain open. This is not a cause for concern as Microsoft integrates multiple layers of security to ensure complete isolation between tenants.
Keep open hardware ports in your devices to a bare minimum to avoid unwanted access. Additionally, build mechanisms to prevent or detect physical tampering of the device.
Responsibility: Customer
Azure Security Center monitoring: None
1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs
Guidance: Use Azure Security Center and follow the network protection recommendations to help secure your Azure network resources. Enable network security group flow logs and send the logs to an Azure Storage account for auditing. You can also send the flow logs to a Log Analytics workspace and then use Traffic Analytics to provide insights into traffic patterns in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity, identify hot spots and security threats, understand traffic flow patterns, and pinpoint network misconfigurations.
Responsibility: Customer
Azure Security Center monitoring: None
1.3: Protect critical web applications
Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
1.4: Deny communications with known malicious IP addresses
Guidance: Block known malicious IPs with IoT Hub IP filter rules. Rules are evaluated in order, and the first rule that matches the client address decides whether the connection is accepted or rejected, so review the order and the closing rule of the list, not just the individual entries. Malicious attempts are also recorded and alerted on by Azure Security Center for IoT.
Azure DDoS Protection Basic is already enabled and available at no additional cost as part of IoT Hub. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses used by Microsoft's online services. The entire scale of Azure's global network can be used to distribute and mitigate attack traffic across regions.
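As an added example (not Microsoft's code and not from this page) of how an ordered rule list behaves, the following Python evaluates a constructed ipFilterRules-style list against client addresses and lints it for the mistakes that silently leave a hub open. The rule names and addresses are made up, and the assumption that an address matching no rule is accepted by default is mine: confirm the default action that applies to your hub's IP filter before relying on it.

```python
import ipaddress

# Constructed rule set (not from any real hub) in the shape of the IoT Hub
# ipFilterRules property: filterName, action (Accept/Reject), ipMask (CIDR).
# Assumed semantics: rules are evaluated top-down and the first match wins;
# a client that matches no rule gets DEFAULT_ACTION. Confirm the default for
# your hub before relying on it.
DEFAULT_ACTION = "Accept"

RULES = [
    {"filterName": "corp-gateway", "action": "Accept", "ipMask": "203.0.113.0/24"},
    {"filterName": "known-scanner", "action": "Reject", "ipMask": "198.51.100.7/32"},
]

# The same rule set with the closing rule a reviewer would expect to see.
RULES_CLOSED = RULES + [
    {"filterName": "deny-everything-else", "action": "Reject", "ipMask": "0.0.0.0/0"},
]


def evaluate(rules, client_ip, default_action=DEFAULT_ACTION):
    """Return (action, matching_rule_name) for client_ip under first-match semantics."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        net = ipaddress.ip_network(rule["ipMask"], strict=False)
        if ip in net:  # False for an IPv6 address tested against an IPv4 network
            return rule["action"], rule["filterName"]
    return default_action, None


def lint(rules, default_action=DEFAULT_ACTION):
    """Findings a reviewer would raise: rules shadowed by an earlier, wider rule,
    and a rule set that never closes the default-accept path."""
    findings = []
    seen = []
    for rule in rules:
        net = ipaddress.ip_network(rule["ipMask"], strict=False)
        for earlier_name, earlier_net in seen:
            if net.version == earlier_net.version and net.subnet_of(earlier_net):
                findings.append(
                    f"rule '{rule['filterName']}' is unreachable: shadowed by '{earlier_name}'")
                break
        seen.append((rule["filterName"], net))
    closes_default = any(
        r["action"] == "Reject"
        and ipaddress.ip_network(r["ipMask"], strict=False).prefixlen == 0
        for r in rules
    )
    if default_action == "Accept" and not closes_default:
        findings.append("no reject-all rule: addresses matching no rule are accepted")
    return findings


if __name__ == "__main__":
    for rules in (RULES, RULES_CLOSED):
        print(evaluate(rules, "192.0.2.1"), lint(rules))
```

The point the linter makes is the one that matters operationally: blocking a handful of known-bad addresses does nothing for the address that was not on the list, so an allow-list rule set needs an explicit reject-all entry at the end.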
Responsibility: Customer
Azure Security Center monitoring: None
1.5: Record network packets
Guidance: Not applicable; this recommendation is intended for offerings that produce network packets that can be recorded and viewed by customers. IoT Hub does not produce network packets that are customer facing, and is not designed to deploy directly into Azure virtual networks.
Responsibility: Not Applicable
Azure Security Center monitoring: None
1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)
Guidance: Select an offer from Azure Marketplace that supports IDS/IPS functionality with payload inspection capabilities. When payload inspection is not a requirement, Azure Firewall threat intelligence can be used. Azure Firewall threat intelligence-based filtering is used to alert on and/or block traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.
Deploy the firewall solution of your choice at each of your organization's network boundaries to detect and/or block malicious traffic.
Responsibility: Customer
Azure Security Center monitoring: None
1.7: Manage traffic to web applications
Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
1.8: Minimize complexity and administrative overhead of network security rules
Guidance: For resources that need access to your Azure IoT Hub, use Virtual Network service tags to define network access controls on network security groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, AzureIoTHub) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
Responsibility: Customer
Azure Security Center monitoring: None
1.9: Maintain standard security configurations for network devices
Guidance: Define and implement standard security configurations for network resources associated with your Azure IoT Hub deployment with Azure Policy. Use Azure Policy aliases in the "Microsoft.Devices" and "Microsoft.Network" namespaces to create custom policies to audit or enforce the network configuration of your IoT hubs.
Responsibility: Customer
Azure Security Center monitoring: None
1.10: Document traffic configuration rules
Guidance: Use tags for network resources associated with your Azure IoT Hub deployment in order to logically organize them into a taxonomy.
Responsibility: Customer
Azure Security Center monitoring: None
1.11: Use automated tools to monitor network resource configurations and detect changes
Guidance: Use Azure Activity Log to monitor network resource configurations and detect changes for network resources related to Azure IoT Hub. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place.
Responsibility: Customer
Azure Security Center monitoring: None
Logging and Monitoring
For more information, see the Azure Security Benchmark: Logging and monitoring.
2.2: Configure central security log management
Guidance: Ingest logs via Azure Monitor to aggregate security data generated by Azure IoT Hub. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use storage accounts for long-term/archival storage. Alternatively, you can enable and on-board data to Azure Sentinel or a third-party Security Incident and Event Management (SIEM).
Responsibility: Customer
Azure Security Center monitoring: None
2.3: Enable audit logging for Azure resources
Guidance: Enable diagnostic settings on your IoT hubs and related Azure resources to collect audit, security, and resource logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
Responsibility: Customer
Azure Policy built-in definitions - Microsoft.Devices:
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.1 |
2.4: Collect security logs from operating systems
Guidance: Not applicable; this recommendation is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
2.5: Configure security log storage retention
Guidance: In Azure Monitor, set the log retention period for Log Analytics workspaces associated with your Azure IoT Hub instances according to your organization's compliance regulations.
Responsibility: Customer
Azure Security Center monitoring: None
2.6: Monitor and review Logs
Guidance: Analyze and monitor logs for anomalous behavior and regularly review the results from your Azure IoT Hub. Use Azure Monitor and a Log Analytics workspace to review logs and perform queries on log data.
Alternatively, you can enable and on-board data to Azure Sentinel or a third-party SIEM.
Responsibility: Customer
Azure Security Center monitoring: None
2.7: Enable alerts for anomalous activities
Guidance: Use Azure Security Center for IoT with a Log Analytics workspace for monitoring and alerting on anomalous activity found in security logs and events. Alternatively, you can enable and on-board data to Azure Sentinel. You can also define operational alerts with Azure Monitor that may have security implications, such as when traffic drops unexpectedly.
Responsibility: Customer
Azure Security Center monitoring: None
2.8: Centralize anti-malware logging
Guidance: Not applicable; Azure IoT Hub does not process or produce anti-malware related logs.
Responsibility: Not Applicable
Azure Security Center monitoring: None
2.9: Enable DNS query logging
Guidance: Not applicable; Azure IoT Hub does not process or produce DNS-related logs.
Responsibility: Not Applicable
Azure Security Center monitoring: None
2.10: Enable command-line audit logging
Guidance: Not applicable; this recommendation is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
Identity and Access Control
For more information, see the Azure Security Benchmark: Identity and Access Control.
3.1: Maintain an inventory of administrative accounts
Guidance: Azure role-based access control (Azure RBAC) allows you to manage access to Azure IoT Hub through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as the Azure CLI, Azure PowerShell, or the Azure portal.
- How to get a directory role in Azure Active Directory (Azure AD) with PowerShell
- How to get members of a directory role in Azure AD with PowerShell
Responsibility: Customer
Azure Security Center monitoring: None
3.2: Change default passwords where applicable
Guidance: Access management to Azure IoT Hub resources is controlled through Azure Active Directory (Azure AD). Azure AD does not have the concept of default passwords.
Responsibility: Customer
Azure Security Center monitoring: None
3.3: Use dedicated administrative accounts
Guidance: Create standard operating procedures around the use of dedicated administrative accounts.
You can also enable just-in-time access to administrative accounts by using Azure Active Directory (Azure AD) Privileged Identity Management and Azure Resource Manager.
Responsibility: Customer
Azure Security Center monitoring: None
3.5: Use multi-factor authentication for all Azure Active Directory based access
Guidance: Enable Azure Active Directory (Azure AD) multifactor authentication to protect your overall Azure tenant; this benefits all services, including control-plane access to IoT Hub. The IoT Hub service itself doesn't have multifactor authentication support.
Responsibility: Customer
Azure Security Center monitoring: None
3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks
Guidance: Use a secure privileged access workstation (PAW) for administrative tasks that require elevated privileges.
Responsibility: Customer
Azure Security Center monitoring: None
3.7: Log and alert on suspicious activities from administrative accounts
Guidance: Use Azure Active Directory (Azure AD) security reports and monitoring to detect when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.
Responsibility: Customer
Azure Security Center monitoring: None
3.8: Manage Azure resources only from approved locations
Guidance: For users accessing IoT Hub, conditional access isn't supported. To mitigate this, use Azure Active Directory (Azure AD) named locations to allow access only from specific logical groupings of IP address ranges or countries/regions for your overall Azure tenant, benefiting all services including IoT Hub.
Responsibility: Customer
Azure Security Center monitoring: None
3.9: Use Azure Active Directory
Guidance: For user access to IoT Hub, use Azure Active Directory (Azure AD) as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.
For device and service access, IoT Hub uses security tokens and Shared Access Signature (SAS) tokens to authenticate devices and services, so that keys are never sent over the network.
- How to create and configure an Azure AD instance
Responsibility: Customer
Azure Security Center monitoring: None
3.10: Regularly review and reconcile user access
Guidance: Azure Active Directory (Azure AD) provides logs to help discover stale accounts. In addition, use Azure AD identity and access reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.
Use Azure AD Privileged Identity Management (PIM) for generation of logs and alerts when suspicious or unsafe activity occurs in the environment.
- Understand Azure AD reporting
- How to use Azure AD identity and access reviews
- Deploy Azure AD Privileged Identity Management (PIM)
Responsibility: Customer
Azure Security Center monitoring: None
3.11: Monitor attempts to access deactivated credentials
Guidance: You have access to Azure Active Directory (Azure AD) sign-in activity, audit, and risk event log sources, which allow you to integrate with any SIEM/monitoring tool.
You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. You can configure desired alerts within Log Analytics workspace.
Use Azure Monitor resource logs to monitor unauthorized connection attempts, which appear in the Connections category.
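An added example of the kind of review 2.7 and 3.11 call for, written for this page rather than taken from it or from any Microsoft sample: the Python below parses records shaped like IoT Hub "Connections" resource-log entries and surfaces devices whose connection attempts keep failing, plus the disconnect reasons seen per device. The records, device ids, masked addresses, and thresholds are constructed; the record layout (a JSON string in the properties field) follows the resource-log schema but should be checked against what your diagnostic setting actually delivers.

```python
import json
from collections import defaultdict

RESOURCE_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/EXAMPLE-RG"
               "/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/EXAMPLE-HUB")


def _rec(ts, op, level, result_type, result_desc, device, masked_ip, proto="Mqtt"):
    # Constructed record (not captured from a real hub) in the shape of an IoT Hub
    # "Connections" resource-log entry; properties is itself a JSON string.
    return {
        "time": ts,
        "resourceId": RESOURCE_ID,
        "operationName": op,
        "category": "Connections",
        "level": level,
        "resultType": result_type,
        "resultDescription": result_desc,
        "properties": json.dumps(
            {"deviceId": device, "protocol": proto, "maskedIpAddress": masked_ip}),
    }


SAMPLE_RECORDS = [
    _rec("2021-03-01T10:00:00Z", "deviceConnect", "Information", "", "", "sensor-01", "203.0.113.xxx"),
    _rec("2021-03-01T10:00:05Z", "deviceConnect", "Error", "401003", "IoTHubUnauthorized", "sensor-07", "198.51.100.xxx"),
    _rec("2021-03-01T10:00:09Z", "deviceConnect", "Error", "401003", "IoTHubUnauthorized", "sensor-07", "198.51.100.xxx"),
    _rec("2021-03-01T10:00:14Z", "deviceConnect", "Error", "401003", "IoTHubUnauthorized", "sensor-07", "198.51.100.xxx"),
    _rec("2021-03-01T10:01:00Z", "deviceDisconnect", "Error", "404104", "DeviceConnectionClosedRemotely", "sensor-01", "203.0.113.xxx"),
    _rec("2021-03-01T10:02:00Z", "deviceConnect", "Error", "401003", "IoTHubUnauthorized", "sensor-02", "198.51.100.xxx"),
]


def parse_record(record):
    """Flatten one resource-log record, decoding the nested properties string."""
    props = json.loads(record.get("properties") or "{}")
    return {
        "time": record["time"],
        "operation": record["operationName"],
        "level": record["level"],
        "result_type": record.get("resultType", ""),
        "result_description": record.get("resultDescription", ""),
        "device_id": props.get("deviceId"),
        "masked_ip": props.get("maskedIpAddress"),
        "protocol": props.get("protocol"),
    }


def find_suspicious(records, threshold=3):
    """Devices whose failed deviceConnect operations reach the threshold, with the
    result codes and masked source addresses seen, for the analyst to pivot on."""
    details = defaultdict(lambda: {"attempts": 0, "result_types": set(), "masked_ips": set()})
    for r in map(parse_record, records):
        if r["operation"] == "deviceConnect" and r["level"] == "Error":
            d = details[r["device_id"]]
            d["attempts"] += 1
            d["result_types"].add(r["result_type"])
            d["masked_ips"].add(r["masked_ip"])
    return {dev: d for dev, d in details.items() if d["attempts"] >= threshold}


def disconnect_reasons(records):
    """Disconnect result descriptions per device, for spotting drops that need follow-up."""
    reasons = defaultdict(list)
    for r in map(parse_record, records):
        if r["operation"] == "deviceDisconnect":
            reasons[r["device_id"]].append(r["result_description"])
    return dict(reasons)


if __name__ == "__main__":
    print(find_suspicious(SAMPLE_RECORDS))
    print(disconnect_reasons(SAMPLE_RECORDS))
```

The same grouping (failed connects per device and per masked address over a window) is what you would express as a scheduled query in the Log Analytics workspace or as an analytics rule in Azure Sentinel; the script is useful for checking the logic against exported records before committing to the query.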
Responsibility: Customer
Azure Security Center monitoring: None
3.12: Alert on account login behavior deviation
Guidance: Use Azure Active Directory (Azure AD) Identity Protection features to configure automated responses to detected suspicious actions related to user identities. You can also ingest data into Azure Sentinel for further investigation.
Responsibility: Customer
Azure Security Center monitoring: None
3.13: Provide Microsoft with access to relevant customer data during support scenarios
Guidance: In support scenarios where Microsoft needs to access customer data, it will be requested directly from the customer.
Responsibility: Customer
Azure Security Center monitoring: None
Data Protection
For more information, see the Azure Security Benchmark: Data Protection.
4.1: Maintain an inventory of sensitive Information
Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information.
Responsibility: Customer
Azure Security Center monitoring: None
4.2: Isolate systems storing or processing sensitive information
Guidance: Implement isolation using separate subscriptions and management groups for individual security domains such as environment type and data sensitivity level. You can restrict the level of access to your Azure resources that your applications and enterprise environments demand. You can control access to Azure resources via Azure RBAC.
Responsibility: Customer
Azure Security Center monitoring: None
4.3: Monitor and block unauthorized transfer of sensitive information
Guidance: Use a third-party solution from Azure Marketplace in network perimeters to monitor for unauthorized transfer of sensitive information and block such transfers while alerting information security professionals.
For the underlying platform managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
Responsibility: Customer
Azure Security Center monitoring: None
4.4: Encrypt all sensitive information in transit
Guidance: IoT Hub uses Transport Layer Security (TLS) to secure connections from IoT devices and services. Three versions of the TLS protocol are currently accepted: 1.0, 1.1, and 1.2. TLS 1.0 and 1.1 are legacy versions; configure devices and back-end services to negotiate TLS 1.2 when connecting to IoT Hub, and make sure clients validate the server certificate and host name rather than disabling verification. Where your hub's region supports the minTlsVersion property, set it to 1.2 so the hub itself rejects clients that offer only older versions.
Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
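An added example, not from this page or the Azure SDKs: a client-side TLS context for a Python device or service process that pins TLS 1.2 as the floor, alongside an audit function that flags the settings a reviewer would reject, and the kind of "verification off" context that the audit is meant to catch. Function names are mine; no hub host name is needed to build the context.

```python
import ssl


def make_iothub_tls_context(ca_file=None):
    """Client-side context for a device or service connecting to IoT Hub:
    TLS 1.2 as the floor, certificate validation and host-name checking on.
    ca_file is optional; the platform trust store is used when it is None."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx):
    """Return the weaknesses a reviewer would flag in a client TLS context.
    An unpinned minimum (MINIMUM_SUPPORTED) is flagged too: it delegates the
    floor to whatever the linked OpenSSL build happens to allow."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version not pinned to 1.2 or higher")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def weak_context_for_comparison():
    """The kind of context that turns up in quick device prototypes:
    verification switched off so that a self-signed test endpoint works."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_tls_context(make_iothub_tls_context()))
    print("weak:", audit_tls_context(weak_context_for_comparison()))
```

The hardened context is what you would hand to the MQTT or AMQP client library on the device; the audit is the check to run in CI over whatever context the code base actually constructs.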
Responsibility: Customer
Azure Security Center monitoring: None
4.5: Use an active discovery tool to identify sensitive data
Guidance: Data identification, classification, and loss prevention features are not yet available for Azure IoT Hub. Implement a third-party solution if required for compliance purposes.
For the underlying Azure platform managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
Responsibility: Customer
Azure Security Center monitoring: None
4.6: Use Azure RBAC to manage access to resources
Guidance: For control plane user access to IoT Hub, use Azure RBAC to control access. For data plane access to IoT Hub, use shared access policies for IoT Hub.
Responsibility: Customer
Azure Security Center monitoring: None
4.9: Log and alert on changes to critical Azure resources
Guidance: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to production instances of Azure IoT Hub and other critical or related resources.
Responsibility: Customer
Azure Security Center monitoring: None
Vulnerability Management
For more information, see the Azure Security Benchmark: Vulnerability Management.
5.3: Deploy an automated patch management solution for third-party software titles
Guidance: Not applicable; this guideline is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
5.4: Compare back-to-back vulnerability scans
Guidance: Not applicable; this guideline is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities
Guidance: Not applicable; this guideline is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
Inventory and Asset Management
For more information, see the Azure Security Benchmark: Inventory and Asset Management.
6.1: Use automated asset discovery solution
Guidance: Not applicable; this guideline is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
6.2: Maintain asset metadata
Guidance: Apply tags to Azure resources (not all resources support tags, but most do) to logically organize them into a taxonomy.
Responsibility: Customer
Azure Security Center monitoring: None
6.3: Delete unauthorized Azure resources
Guidance: Use tagging, management groups, and separate subscriptions where appropriate, to organize and track assets. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.
Responsibility: Customer
Azure Security Center monitoring: None
6.4: Define and maintain an inventory of approved Azure resources
Guidance: Create an inventory of approved Azure resources and approved software for compute resources as per your organizational needs.
Each IoT hub has an identity registry that can be used to create per-device resources in the service. Individual device identities, or groups of them, can be added to an allowlist or a blocklist, giving you complete control over device access.
Responsibility: Customer
Azure Security Center monitoring: None
6.5: Monitor for unapproved Azure resources
Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions.
Use Azure Resource Graph to query for and discover resources within their subscriptions. Ensure that all Azure resources present in the environment are approved.
Responsibility: Customer
Azure Security Center monitoring: None
6.6: Monitor for unapproved software applications within compute resources
Guidance: Not applicable; this recommendation is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
6.7: Remove unapproved Azure resources and software applications
Guidance: Not applicable; this recommendation is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
6.8: Use only approved applications
Guidance: Not applicable; this recommendation is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
6.9: Use only approved Azure services
Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:
- Not allowed resource types
- Allowed resource types
In addition, use the Azure Resource Graph to query/discover resources within the subscriptions.
Responsibility: Customer
Azure Security Center monitoring: None
6.10: Maintain an inventory of approved software titles
Guidance: Not applicable; this recommendation is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
6.11: Limit users' ability to interact with Azure Resource Manager
Guidance: Use Azure Active Directory (Azure AD) Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" App.
Responsibility: Customer
Azure Security Center monitoring: None
6.12: Limit users' ability to execute scripts in compute resources
Guidance: Not applicable; this recommendation is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
6.13: Physically or logically segregate high risk applications
Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
Secure Configuration
For more information, see the Azure Security Benchmark: Secure Configuration.
7.1: Establish secure configurations for all Azure resources
Guidance: Define and implement standard security configurations for your Azure IoT Hub service with Azure Policy. Use Azure Policy aliases in the "Microsoft.Devices" namespace to create custom policies to audit or enforce the configuration of your IoT hubs.
Azure Resource Manager has the ability to export the template in JavaScript Object Notation (JSON), which should be reviewed to ensure that the configurations meet the security requirements for your organization.
You can also use the recommendations from Azure Security Center as a secure configuration baseline for your Azure resources.
Responsibility: Customer
Azure Security Center monitoring: None
7.2: Establish secure operating system configurations
Guidance: Not applicable; this guideline is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
7.3: Maintain secure Azure resource configurations
Guidance: Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources. In addition, you can use Azure Resource Manager templates to maintain the security configuration of your Azure resources required by your organization.
- Understand Azure Policy effects
- Create and manage policies to enforce compliance
- Azure Resource Manager templates overview
Responsibility: Customer
Azure Security Center monitoring: None
7.4: Maintain secure operating system configurations
Guidance: Not applicable; this guideline is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
7.5: Securely store configuration of Azure resources
Guidance: If using custom Azure Policy definitions for your Azure IoT Hub or related resources, use Azure Repos to securely store and manage your code.
Responsibility: Customer
Azure Security Center monitoring: None
7.6: Securely store custom operating system images
Guidance: Not applicable; this guideline is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
7.7: Deploy configuration management tools for Azure resources
Guidance: Use Azure Policy aliases in the "Microsoft.Devices" namespace to create custom policies to alert, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.
Responsibility: Customer
Azure Security Center monitoring: None
7.8: Deploy configuration management tools for operating systems
Guidance: Not applicable; this guideline is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
7.9: Implement automated configuration monitoring for Azure resources
Guidance: Use Azure Security Center to perform baseline scans for your Azure Resources. Additionally, use Azure Policy to alert and audit Azure resource configurations.
Responsibility: Customer
Azure Security Center monitoring: None
7.10: Implement automated configuration monitoring for operating systems
Guidance: Not applicable; this guideline is intended for compute resources.
Responsibility: Not Applicable
Azure Security Center monitoring: None
7.11: Manage Azure secrets securely
Guidance: IoT Hub uses security tokens and Shared Access Signature (SAS) tokens to authenticate devices and services, so that keys are never sent over the network.
Use managed identities in conjunction with Azure Key Vault to simplify secret management for your cloud applications.
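The token scheme referred to in 3.9, 7.11, and 7.12, as an added example modelled on the documented format rather than code from this page or from the Azure SDKs: the Python below mints a device SAS token and then performs the checks the receiving side makes on it (shape, resource scope, expiry, signature). The hub host name, device ids, key bytes, and function names are constructed for illustration. What the example makes visible is that only an HMAC over the resource URI and expiry travels on the wire; the key stays with the device, and a token minted for one device id is useless for another.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote_plus, urlencode

PREFIX = "SharedAccessSignature "

# Constructed keys (not real hub keys): IoT Hub keys are base64 strings.
DEVICE_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
OTHER_KEY_B64 = base64.b64encode(b"not-the-device-key-at-all-000000").decode()
HUB_HOST = "example-hub.azure-devices.net"   # assumed host name


def _signature(resource_uri, expiry, key_b64):
    # HMAC-SHA256 over "<url-encoded resource uri>\n<expiry>", keyed with the
    # base64-decoded key. This signature is the only secret-derived value sent.
    to_sign = f"{quote_plus(resource_uri)}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_sas_token(resource_uri, key_b64, expiry_epoch, policy_name=None):
    """Device token: resource_uri is '<host>/devices/<deviceId>'.
    Service token: resource_uri is the host and policy_name names the policy."""
    fields = {
        "sr": resource_uri,
        "sig": _signature(resource_uri, expiry_epoch, key_b64),
        "se": str(expiry_epoch),
    }
    if policy_name:  # shared-access-policy tokens carry skn; device tokens do not
        fields["skn"] = policy_name
    return PREFIX + urlencode(fields)


def verify_sas_token(token, key_b64, expected_resource, now_epoch):
    """The receiving side's checks, in the order they should fail fast."""
    if not token.startswith(PREFIX):
        return False, "not a SAS token"
    fields = dict(parse_qsl(token[len(PREFIX):], keep_blank_values=True))
    if not set(fields) >= {"sr", "sig", "se"}:
        return False, "missing field"
    if fields["sr"].lower() != expected_resource.lower():
        return False, "token is for a different resource"
    try:
        expiry = int(fields["se"])
    except ValueError:
        return False, "bad expiry"
    if expiry <= now_epoch:
        return False, "expired"
    expected_sig = _signature(fields["sr"], fields["se"], key_b64)
    if not hmac.compare_digest(expected_sig, fields["sig"]):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    uri = f"{HUB_HOST}/devices/sensor-01"
    token = generate_sas_token(uri, DEVICE_KEY_B64, 1_700_000_000)
    print(token)
    print(verify_sas_token(token, DEVICE_KEY_B64, uri, 1_699_999_000))
```

Keep token lifetimes short and renew before expiry; a token is a bearer credential for its resource until the se value passes, and the hub cannot revoke an individual token, only the key it was derived from.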
Responsibility: Customer
Azure Security Center monitoring: None
7.12: Manage identities securely and automatically
Guidance: IoT Hub uses security tokens and Shared Access Signature (SAS) tokens to authenticate devices and services to avoid sending keys on the network.
Use managed identities to provide Azure services with an automatically managed identity in Azure Active Directory (Azure AD). Managed identities allow you to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
Responsibility: Customer
Azure Security Center monitoring: None
7.13: Eliminate unintended credential exposure
Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
Responsibility: Customer
Azure Security Center monitoring: None
Malware Defense
For more information, see the Azure Security Benchmark: Malware Defense.
8.2: Pre-scan files to be uploaded to non-compute Azure resources
Guidance: Microsoft Anti-malware is enabled on the underlying host that supports Azure services (for example, Azure IoT Hub), however it does not run on customer content.
It is your responsibility to pre-scan any content being uploaded to non-compute Azure resources. Microsoft cannot access customer data, and therefore cannot conduct anti-malware scans of customer content on your behalf.
Responsibility: Customer
Azure Security Center monitoring: None
Data Recovery
For more information, see the Azure Security Benchmark: Data Recovery.
9.1: Ensure regular automated back ups
Guidance: The Azure IoT Hub service provides the methods and framework to make your IoT hubs highly available and recoverable from disasters, in line with your specific business objectives.
Responsibility: Customer
Azure Security Center monitoring: None
9.2: Perform complete system backups and backup any customer-managed keys
Guidance: Azure IoT Hub recommends that the secondary IoT hub contain all device identities that can connect to the solution. The solution should keep geo-replicated backups of device identities and upload them to the secondary IoT hub before switching the active endpoint for the devices. The device identity export functionality of IoT Hub is useful in this context.
Responsibility: Customer
Azure Security Center monitoring: None
9.3: Validate all backups including customer-managed keys
Guidance: Azure IoT Hub recommends that the secondary IoT hub contain all device identities that can connect to the solution. The solution should keep geo-replicated backups of device identities and upload them to the secondary IoT hub before switching the active endpoint for the devices. The device identity export functionality of IoT Hub is useful in this context.
Periodically perform data restoration of content in backup. Ensure that you can restore backed-up customer-managed keys.
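An added example (not from this page or the Azure SDKs) of the pre-failover validation that 9.2 and 9.3 describe: compare a device-identity export taken from the primary hub with one taken from the secondary and report identities that are missing, stale, or unexpected before the active endpoint is switched. The export lines below are constructed; the fields used (id, status, authentication with its type and symmetric keys) are assumed to match the one-object-per-line export format, keys being present only when the export was not run with keys excluded. Function names are mine.

```python
import json

SECONDARY_KEY = "c2Vjb25kYXJ5"  # constructed placeholder, same on every sample device


def _line(dev_id, status, auth_type, primary_key=None):
    # Constructed export line (not from a real hub): one JSON object per line.
    auth = {"type": auth_type}
    if auth_type == "sas" and primary_key:
        auth["symmetricKey"] = {"primaryKey": primary_key, "secondaryKey": SECONDARY_KEY}
    return json.dumps({"id": dev_id, "status": status, "authentication": auth})


PRIMARY_EXPORT = "\n".join([
    _line("pump-01", "enabled", "sas", "a2V5MQ=="),
    _line("valve-02", "enabled", "sas", "a2V5Mg=="),
    _line("pump-03", "enabled", "certificateAuthority"),
    _line("retired-04", "disabled", "sas", "a2V5NA=="),
])

SECONDARY_EXPORT = "\n".join([
    _line("pump-01", "enabled", "sas", "a2V5MQ=="),
    _line("valve-02", "enabled", "sas", "b2xkLWtleQ=="),   # key rotated on primary only
    _line("retired-04", "disabled", "sas", "a2V5NA=="),
    _line("ghost-09", "enabled", "sas", "a2V5OQ=="),       # never existed on the primary
])


def load_identities(export_text):
    """Parse an export into {deviceId: identity}; blank lines are ignored."""
    ids = {}
    for n, line in enumerate(export_text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)
        if "id" not in obj:
            raise ValueError(f"line {n}: no device id")
        ids[obj["id"]] = obj
    return ids


def _fingerprint(identity):
    # The attributes that must agree for a device to authenticate the same way
    # on the secondary as on the primary.
    auth = identity.get("authentication", {})
    keys = auth.get("symmetricKey") or {}
    return (identity.get("status"), auth.get("type"),
            keys.get("primaryKey"), keys.get("secondaryKey"))


def failover_readiness(primary_text, secondary_text):
    """Report what would break if traffic were switched to the secondary now."""
    primary = load_identities(primary_text)
    secondary = load_identities(secondary_text)
    missing = sorted(set(primary) - set(secondary))
    drift = sorted(d for d in set(primary) & set(secondary)
                   if _fingerprint(primary[d]) != _fingerprint(secondary[d]))
    unexpected = sorted(set(secondary) - set(primary))
    return {
        "missing": missing,                    # devices that could not connect after failover
        "drift": drift,                        # devices whose credentials/status are stale
        "unexpected_on_secondary": unexpected, # identities to explain or remove
        "ready": not missing and not drift,
    }


if __name__ == "__main__":
    print(failover_readiness(PRIMARY_EXPORT, SECONDARY_EXPORT))
```

Run the comparison on every replication cycle, not only before a planned failover: an identity that exists only on the secondary is as much a finding as one that is missing, since it is a device that could connect to your solution without ever having been registered on the hub you audit.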
Responsibility: Customer
Azure Security Center monitoring: None
9.4: Ensure protection of backups and customer-managed keys
Guidance: Enable soft delete and purge protection in Key Vault to protect keys against accidental or malicious deletion. If Azure Storage is used to store backups, enable soft delete to save and recover your data when blobs or blob snapshots are deleted.
Responsibility: Customer
Azure Security Center monitoring: None
Incident Response
For more information, see the Azure Security Benchmark: Incident Response.
10.1: Create an incident response guide
Guidance: Develop an incident response guide for your organization. Ensure there are written incident response plans that define all the roles of personnel as well as the phases of incident handling and management from detection to post-incident review.
Responsibility: Customer
Azure Security Center monitoring: None
10.2: Create an incident scoring and prioritization procedure
Guidance: Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.
Additionally, mark subscriptions using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It's your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
Responsibility: Customer
Azure Security Center monitoring: None
10.3: Test security response procedures
Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and then revise your response plan as needed.
Responsibility: Customer
Azure Security Center monitoring: None
10.4: Provide security incident contact details and configure alert notifications for security incidents
Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.
Responsibility: Customer
Azure Security Center monitoring: None
10.5: Incorporate security alerts into your incident response system
Guidance: Export your Azure Security Center alerts and recommendations using the continuous export feature to help identify risks to Azure resources. Continuous export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You can use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
Responsibility: Customer
Azure Security Center monitoring: None
10.6: Automate the response to security alerts
Guidance: Use the workflow automation feature in Azure Security Center to automatically trigger responses to security alerts and recommendations to protect your Azure resources.
Responsibility: Customer
Azure Security Center monitoring: None
Penetration Tests and Red Team Exercises
For more information, see the Azure Security Benchmark: Penetration tests and red team exercises.
11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings
Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. For the Microsoft-managed side, refer to Microsoft's strategy and execution of red teaming and live-site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Responsibility: Shared
Azure Security Center monitoring: None
Next steps
- See the Azure Security Benchmark V2 overview
- Learn more about Azure security baselines