The SpheraCloud Deployment Model #
The following details the deployment and implementation elements associated with the proposed NIST SP 800-171 deployment model.
A complete mapping of every NIST SP 800-171 requirement and how the SpheraCloud system meets or exceeds each requirement from a technical perspective can be viewed here.
Deployment Diagram #
Threat Security Model #
AZURE RESOURCE MANAGER #
ARM (Azure Resource Manager) lets us treat all the resources of SpheraCloud and its component applications as a group, so that all the resources for an application are deployed, updated, or deleted as a single coordinated operation. Using templates, we declaratively define a deployment once and apply the same definition, with environment-specific parameters, to development, UAT, and production. These deployments can be run from the Azure DevOps CI/CD pipeline, provided the pipeline's service principal is granted only the permissions the deployment needs. ARM also provides security, auditing, and tagging features out of the box that help us manage and track resource utilization after deployment, gives each environment a consistent physical and logical layout, and lets us test the deployment process long before it reaches production.
BASTION HOST #
The bastion host is the single point of entry through which engineering and DevOps users reach the deployed resources in a given environment. It accepts remote-desktop traffic only from public IP addresses on a safe list (Sphera addresses). That restriction is enforced by the NSG (Network Security Group) on the bastion subnet: each permitted source must be defined explicitly as an allow rule, and any source not matched by an allow rule falls through to the default deny.
As part of the future deployment architecture, the bastion host is assumed to be a VM joined to the Sphera Azure AD (AAD) tenant with the following software and settings:
- Antimalware extension.
- Azure Diagnostics extension.
- Azure Disk Encryption using Key Vault.
- An auto-shutdown policy to reduce consumption of VM resources when not in use.
- Windows Defender Credential Guard is enabled so that credentials and other secrets run in a protected environment that is isolated from the running operating system.
WEB APPS #
Web Apps is an Azure App Service feature. Sphera can use it to build and host web applications in any programming language without managing infrastructure – a benefit considering the variety of languages supported across our product portfolio. It offers auto-scaling and high availability. It supports Windows and Linux and enables automated deployments from GitHub, Azure DevOps, or any Git repo.
APPLICATION SERVICE ENVIRONMENT #
App Service Environment is an Azure native App Service feature. It provides a fully isolated and dedicated environment for securely running App Service applications at a high scale.
The App Service Environment is isolated to run only a single customer's applications and is always deployed into a virtual network. Because of this isolation, the reference architecture has complete tenant isolation and is removed from Azure's multitenant App Service environment. Customers have fine-grained control over both inbound and outbound application network traffic, and applications can establish high-speed secure connections over virtual networks to on-premises corporate resources. Additionally, Sphera can auto-scale the App Service Environment based on load metrics, available budget, or a defined schedule.
Use of App Service Environment for this architecture provides the following controls and configurations:
- Host inside a secured Azure virtual network and network security rules.
- Self-signed internal load balancer certificate for HTTPS communication. As a best practice, Microsoft recommends the use of a trusted certificate authority for enhanced security.
- Internal load balancing mode (mode 3).
- Disable TLS 1.0.
- Restrict the TLS cipher suites to a modern, approved set.
- Control inbound traffic by network port.
- Web application firewall rules that restrict the data the application accepts.
- Allow Azure SQL Database traffic.
VIRTUAL NETWORK #
This reference architecture defines a private virtual network with an address space of 10.200.0.0/16.
Network security groups: NSGs contain access control lists that allow or deny traffic within a virtual network. NSGs can be used to secure traffic at a subnet or individual VM level. The following NSGs exist:
- One NSG for Application Gateway
- One NSG for App Service Environment
- One NSG for SQL Database
- One NSG for bastion host
Each of the NSGs has specific ports and protocols open so that the solution can work securely and correctly. In addition, the following configurations are enabled for each NSG:
- Diagnostic logs and events are enabled and stored in a storage account.
- The NSG diagnostics are connected to Azure Monitor logs.
Subnets: Each subnet is associated with its corresponding NSG.
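The following model of NSG rule evaluation is an added example for this page, not Sphera's or Microsoft's code, and it serves both the ARM section above (it emits the securityRules entries an ARM template would carry) and the bastion and NSG sections here. It implements the documented NSG semantics: rules are evaluated in ascending priority, the first match decides, and the platform default rules (priorities 65000 to 65500) always apply last. Everything specific is assumed for illustration: 203.0.113.0/24 stands in for the Sphera safe list, the VirtualNetwork service tag is approximated by the architecture's 10.200.0.0/16 address space, and the AzureLoadBalancer tag by the 168.63.129.16 probe source.

```python
"""Model of Azure NSG inbound rule evaluation plus ARM emission.

Added illustration (not Sphera's or Microsoft's code). Rules are evaluated
in ascending priority and the first match decides; the platform default
rules (priorities 65000-65500) are always appended. The bastion rule set
is constructed for this example: 203.0.113.0/24 stands in for the Sphera
safe list, and the service tags are approximated (VirtualNetwork = the
architecture's 10.200.0.0/16, AzureLoadBalancer = the 168.63.129.16 probe
source).
"""
import ipaddress
from dataclasses import dataclass

VNET_SPACE = ipaddress.ip_network("10.200.0.0/16")   # address space from the architecture
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for user rules; lower number wins
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "VirtualNetwork", "AzureLoadBalancer" or "*"
    dest_port: str     # "3389", "1000-2000" or "*"


# Default inbound rules Azure attaches to every NSG; they cannot be removed.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
)


def _source_matches(rule_src, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "VirtualNetwork":
        return ip in VNET_SPACE
    if rule_src == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(rule_src, strict=False)


def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return port == int(rule_port)


def evaluate(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) for an inbound flow evaluated against these rules."""
    for rule in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_port, dst_port)):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"  # not reached: DenyAllInBound matches everything


def to_arm_security_rule(rule):
    """Render a Rule as one securityRules entry of an ARM networkSecurityGroups resource."""
    return {
        "name": rule.name,
        "properties": {
            "priority": rule.priority,
            "direction": "Inbound",
            "access": rule.access,
            "protocol": rule.protocol,
            "sourceAddressPrefix": rule.source,
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*",
            "destinationPortRange": rule.dest_port,
        },
    }


# Bastion NSG as described: RDP only from the safe list, everything else denied.
BASTION_RULES = [
    Rule("AllowRdpFromSpheraSafeList", 100, "Allow", "Tcp", "203.0.113.0/24", "3389"),
]

# Hardened variant: an explicit deny for RDP from the rest of the VNet, so the
# default AllowVnetInBound rule cannot serve as a lateral path to the bastion.
BASTION_RULES_HARDENED = BASTION_RULES + [
    Rule("DenyRdpFromVnet", 200, "Deny", "Tcp", "VirtualNetwork", "3389"),
]

if __name__ == "__main__":
    import json
    for ip in ("203.0.113.7", "198.51.100.9", "10.200.2.5"):
        print(ip, evaluate(BASTION_RULES, ip, 3389), evaluate(BASTION_RULES_HARDENED, ip, 3389))
    print(json.dumps([to_arm_security_rule(r) for r in BASTION_RULES_HARDENED], indent=2))
```

The point the model makes visible is that a safe-list allow rule alone does not close RDP to the bastion: a flow from another subnet in the same VNet (10.200.2.5 above) is still accepted by the default AllowVnetInBound rule, so the hardened rule set adds an explicit deny ahead of it. Run the check against the real NSG by exporting its rules and feeding them through the same evaluator before a deployment is promoted.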
Azure DNS: The Domain Name System (DNS) is responsible for translating (or resolving) a website or service name to its IP address. Azure DNS is a hosting service for DNS domains that provides name resolution by using Azure infrastructure. By hosting domains in Azure, users can manage DNS records by using the same credentials, APIs, tools, and billing as other Azure services. Azure DNS also supports private DNS domains.
Azure Load Balancer: Load Balancer can be used by customers to scale their applications and create high availability for services. Load Balancer supports inbound and outbound scenarios. It provides low latency and high throughput and scales up to millions of flows for all TCP and UDP applications.
DATA IN TRANSIT #
Azure encrypts all traffic between Azure data centers by default, and all transactions to Azure Storage through the Azure portal occur over HTTPS. Within this architecture, client and inter-tier traffic is additionally protected by the TLS settings on the Application Gateway and App Service Environment described in this document, so data in transit relies on those settings and not on the platform defaults alone.
DATA AT REST #
The reference application architecture protects data at rest through encryption, database auditing, and other measures.
Azure Storage: To meet requirements for encrypted data at rest, all Storage uses Storage Service Encryption. This feature helps protect and safeguard data in support of organizational security commitments and compliance requirements defined by NIST SP 800-171.
Azure Disk Encryption: Disk Encryption uses the BitLocker feature of Windows to provide volume encryption for data disks. The solution integrates with Key Vault to help control and manage the disk-encryption keys.
Azure SQL Database: The SQL Database instance uses the following database security measures:
- Azure AD authentication and authorization enables identity management of database users and other Microsoft services in one central location.
- SQL database auditing tracks database events and writes them to an audit log in an Azure storage account.
- SQL Database is configured to use transparent data encryption (TDE), which encrypts and decrypts the database, its backups, and its transaction log files in real time to protect the information at rest. TDE protects against an attacker who obtains the underlying storage or backup files; it does not restrict what an authenticated database principal can query, so it complements rather than replaces the access controls, column encryption, and masking listed here.
- Firewall rules prevent all access to database servers until proper permissions are granted. The firewall grants access to databases based on the originating IP address of each request.
- SQL Threat Detection enables the detection and response to potential threats as they occur. It provides security alerts for suspicious database activities, potential vulnerabilities, SQL injection attacks, and anomalous database access patterns.
- Encrypted columns (Always Encrypted) ensure that sensitive data never appears as plain text inside the database engine: the client driver encrypts the data, and only client applications or application servers with access to the column master key can decrypt it. Queries over such columns are limited (equality only, and only with deterministic encryption), which is a schema-design trade-off to plan for.
- Dynamic data masking limits sensitive data exposure by masking the data to nonprivileged users or applications. It can automatically discover potentially sensitive data and suggest the appropriate masks to be applied. Dynamic data masking helps to reduce access so that sensitive data doesn’t exit the database via unauthorized access. Customers are responsible for adjusting settings to adhere to their database schema.
IDENTITY MANAGEMENT #
Sphera DevOps and Engineering identity management: The following technologies provide capabilities to manage access to data in the Azure environment for DevOps staff and engineers (Sphera designated):
- Azure AD is Microsoft’s multitenant cloud-based directory and identity management service. All users for this solution are created in Azure AD and include users who access the SQL database.
- Azure RBAC can be used by administrators to define fine-grained access permissions. With it, they can grant only the amount of access that users need to perform their jobs. Instead of giving every user unrestricted access for Azure resources, administrators can allow only certain actions for accessing resources and data. Subscription access is limited to the subscription administrator.
- Azure Active Directory Privileged Identity Management can be used to minimize the number of users who have access to certain information. Administrators can use Azure AD Privileged Identity Management to discover, restrict, and monitor privileged identities and their access to resources. This functionality also can be used to enforce on-demand, just-in-time administrative access when needed (Firecall).
- Azure Active Directory Identity Protection detects potential vulnerabilities that affect an organization’s identities. It configures automated responses to detected suspicious actions related to an organization’s identities. It also investigates suspicious incidents to take appropriate action to resolve them.
Customer Identity Management: The following technologies, in conjunction with some of those mentioned above, will allow for customer access to the applications:
- Authentication to the application is performed by using Azure AD B2C. For more information, see how to integrate applications with Azure AD B2C. The database column encryption also uses Azure AD B2C to authenticate the application to SQL Database. For more information, see how to protect sensitive data in SQL Database.
SECURITY #
Secrets management: The solution uses Key Vault for the management of keys and secrets. Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. The following Key Vault capabilities help protect data:
- Advanced access policies are configured on a need basis.
- Key Vault access policies are defined with minimum required permissions to keys and secrets.
- All keys and secrets in Key Vault have expiration dates.
- All keys in Key Vault are protected by specialized hardware security modules. The key type is a hardware security-module-protected 2048-bit RSA key.
- All users and identities are granted minimum required permissions by using RBAC.
- Diagnostics logs for Key Vault are enabled with a retention period of at least 365 days.
- Permitted cryptographic operations for keys are restricted to the ones required.
Azure Security Center: With Security Center, we can centrally apply and manage security policies across workloads, limit exposure to threats, and detect and respond to attacks. Security Center also accesses existing configurations of Azure services to provide configuration and service recommendations to help improve security posture and protect data.
Security Center uses a variety of detection capabilities to alert Sphera of potential attacks that target our environments. These alerts contain valuable information about what triggered the alert, the resources targeted, and the source of the attack. Security Center has a set of predefined security alerts that are triggered when a threat or suspicious activity takes place. We can use custom alert rules to define new security alerts based on data that’s already collected from the production environment.
Security Center provides prioritized security alerts and incidents. Security Center makes it simpler for us to discover and address potential security issues. A threat intelligence report is generated for each detected threat. Incident response teams can use the reports when they investigate and remediate threats.
Azure Application Gateway: The reference architecture reduces the risk of security vulnerabilities by using an application gateway with a web application firewall configured and the OWASP rule set enabled. Additional capabilities include:
- End-to-end TLS.
- TLS offload enabled.
- TLS 1.0 and 1.1 disabled.
- Web application firewall in prevention mode with the OWASP core rule set 3.0.
- Enable diagnostics logging.
- Custom health probes.
- Security Center and Azure Advisor provide additional protection and notifications. Security Center also provides a reputation system.
LOGGING AND AUDITING #
Azure services extensively log system and user activity, as well as system health:
- Activity logs: Activity logs provide insight into operations performed on resources in a subscription. Activity logs can help determine an operation’s initiator, time of occurrence, and status.
- Diagnostic logs: Diagnostic logs include all logs emitted by every resource. These logs include Windows event system logs, Storage logs, Key Vault audit logs, and Application Gateway access and firewall logs. All diagnostic logs write to a centralized and encrypted Azure storage account for archival. We can configure the retention period, up to 730 days, to meet our application specific requirements.
Azure Monitor logs: Logs are consolidated in Azure Monitor logs for processing, storing, and dashboard reporting. After the data is collected, it's organized into separate tables for each data type within Log Analytics workspaces. In this way, all data can be analyzed together, regardless of its original source. Security Center integrates with Azure Monitor logs. Sphera can use Kusto queries to access our security event data and combine it with data from other services.
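As an added example of the detection logic this logging supports (not Sphera's or Microsoft's code), the script below parses NSG flow log records of the kind the NSG diagnostics write to the storage account (version 2 format, flowTuples of timestamp, source IP, destination IP, source port, destination port, protocol, direction, decision, flow state and byte counts) and raises two findings for the bastion's RDP port: a source with many denied inbound attempts, which indicates scanning or brute forcing, and any allowed inbound RDP from a source outside the safe list, which means the NSG no longer matches the documented design. The log records, the safe list 203.0.113.0/24, the bastion private IP 10.200.1.4 and the rule names are all constructed for this example.

```python
"""Detect RDP probing of, and unexpected RDP access to, the bastion host.

Added example, not Sphera's or Microsoft's code. It reads NSG flow log
(version 2) records as written by NSG diagnostics. The records below are
constructed for this example; 203.0.113.0/24 stands in for the Sphera safe
list and 10.200.1.4 for the bastion's private IP.
"""
import ipaddress
import json
from collections import Counter

SAFE_LIST = [ipaddress.ip_network("203.0.113.0/24")]  # assumed Sphera addresses
BASTION_IP = "10.200.1.4"                             # assumed bastion private IP
RDP_PORT = 3389
DENY_THRESHOLD = 5                                    # denies per source before alerting

# Constructed sample: 7 denied RDP probes and 1 denied SSH probe from one
# Internet host, one legitimate RDP session from the safe list, and one RDP
# session allowed by a rule that should not exist in this design.
SAMPLE_LOG = json.dumps({"records": [
    {"time": "2023-05-01T10:00:00Z", "category": "NetworkSecurityGroupFlowEvent",
     "properties": {"Version": 2, "flows": [
         {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001",
          "flowTuples": [f"{1682935200 + i},198.51.100.9,10.200.1.4,{40000 + i},3389,T,I,D,B,,,,"
                         for i in range(7)]
                        + ["1682935300,198.51.100.9,10.200.1.4,41000,22,T,I,D,B,,,,"]}]},
         {"rule": "UserRule_AllowRdpFromSpheraSafeList", "flows": [{"mac": "000D3A000001",
          "flowTuples": ["1682935400,203.0.113.7,10.200.1.4,50000,3389,T,I,A,B,10,2048,8,1024"]}]},
         {"rule": "UserRule_AllowRdpTemp", "flows": [{"mac": "000D3A000001",
          "flowTuples": ["1682935500,192.0.2.44,10.200.1.4,50001,3389,T,I,A,B,4,512,3,400"]}]},
     ]}}]})


def parse_tuples(log_text):
    """Yield (src_ip, dst_ip, dst_port, protocol, direction, decision, rule) per flow tuple."""
    for record in json.loads(log_text)["records"]:
        if record.get("category") != "NetworkSecurityGroupFlowEvent":
            continue
        for rule_group in record["properties"]["flows"]:
            for flow in rule_group["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    # v2 fields: ts, src, dst, srcPort, dstPort, proto, dir, decision, state, ...
                    yield f[1], f[2], int(f[4]), f[5], f[6], f[7], rule_group["rule"]


def in_safe_list(ip):
    return any(ipaddress.ip_address(ip) in net for net in SAFE_LIST)


def analyse(log_text, threshold=DENY_THRESHOLD):
    """Return sorted findings about inbound RDP traffic to the bastion."""
    denied = Counter()
    findings = []
    for src, dst, port, _proto, direction, decision, rule in parse_tuples(log_text):
        if direction != "I" or dst != BASTION_IP or port != RDP_PORT:
            continue
        if decision == "D":
            denied[src] += 1
        elif not in_safe_list(src):
            # An allow decision from outside the safe list: the NSG drifted from the design.
            findings.append(("allowed-rdp-outside-safelist", src, rule))
    for src, count in denied.items():
        if count >= threshold:
            findings.append(("rdp-probe", src, count))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The second finding is the more important one for this architecture: denied probes are expected background noise on any Internet-facing port, but an allowed RDP flow from an address not on the safe list can only mean the NSG rules changed, which is exactly the condition the activity log and change tracking described below should also surface.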
The following Azure monitoring solutions are included as a part of this architecture:
- Active Directory assessment: The Active Directory Health Check solution assesses the risk and health of server environments on a regular interval. It provides a prioritized list of recommendations specific to the deployed server infrastructure.
- SQL assessment: The SQL Health Check solution assesses the risk and health of server environments on a regular interval. It provides customers with a prioritized list of recommendations specific to the deployed server infrastructure.
- Agent Health: The Agent Health solution reports how many agents are deployed and their geographic distribution. It also reports how many agents are unresponsive and the number of agents that submit operational data.
- Activity Log Analytics: The Activity Log Analytics solution assists with analysis of the Azure activity logs across all Azure subscriptions for a customer.
Azure Automation: Automation stores, runs, and manages runbooks. In this solution, runbooks help collect logs from SQL Database. Sphera can use the Automation Change Tracking solution to easily identify changes in the environment.
Azure Monitor: Monitor helps users track performance, maintain security, and identify trends. Sphera can use it to audit, create alerts, and archive data. We can also track API calls against our Azure resources.
Application Insights: Application Insights is an extensible application performance management service for web developers on multiple platforms. Application Insights detects performance anomalies. Sphera can use it to monitor the live web application. Application Insights includes powerful analytics tools to help us diagnose issues and understand what users do with our apps. It’s designed to help customers continuously improve performance and usability.
VPN AND/OR EXPRESSROUTE #
A secure VPN tunnel or ExpressRoute must be configured to securely establish a connection to the resources deployed as a part of this PaaS web application reference architecture. By appropriately setting up a VPN or ExpressRoute, Sphera can add a layer of protection for data in transit.
By implementing a secure VPN tunnel with Azure, a virtual private connection between an on-premises network and an Azure virtual network can be created. This connection takes place over the Internet and allows Sphera to securely “tunnel” information inside an encrypted link between our network and Azure. Site-to-site VPN is a secure, mature technology that has been deployed by enterprises of all sizes for decades. The IPsec tunnel mode is used in this option as an encryption mechanism.
Because traffic within a site-to-site VPN tunnel still traverses the Internet, Microsoft offers another connection option. ExpressRoute is a dedicated WAN link between Azure and an on-premises location or an exchange provider's facility. ExpressRoute connections are made through our telecommunication provider, so the data doesn't travel over the public Internet and isn't exposed to it. These connections offer more reliability, faster speeds, and lower latencies than typical Internet connections. Note that ExpressRoute private peering is a private circuit, not an encrypted one: where NIST SP 800-171 requires cryptographic protection of data in transit (3.13.8), the traffic over it still needs to be encrypted, for example with IPsec over ExpressRoute or MACsec on ExpressRoute Direct, or by TLS at the application layer.
Best practices for implementing a secure hybrid network that extends an on-premises network to Azure are available.