Asset management enables organizations to maintain comprehensive visibility and governance over cloud infrastructure through continuous inventory discovery, service approval enforcement, and secure lifecycle controls. Unlike traditional periodic asset audits, modern cloud environments require real-time asset tracking, automated discovery across hybrid infrastructure, and policy-driven governance to address rapid resource provisioning, shadow IT proliferation, and dynamic multicloud deployments that attackers exploit through unmonitored resources and unauthorized services. Organizations implementing robust asset management capabilities maintain accurate security visibility and enforce approved configurations, while those neglecting these controls face unknown attack surface exposure, shadow IT proliferation, and ineffective incident response.
Here are the three core pillars of the Asset Management security domain.
Asset inventory and visibility: Maintain comprehensive, continuously updated inventory of all cloud resources across hybrid and multicloud environments using automated discovery tools. Deploy systematic tagging strategies and track asset risks, security posture, and configuration compliance ensuring security organizations have visibility into potential exposure across cloud, on-premises, and edge infrastructure.
Related controls:
Service approval and application control: Enforce approved services and applications through policy-based controls, adaptive application controls, and change tracking. Prevent unauthorized service provisioning and software execution while maintaining operational flexibility for approved business requirements.
Related controls:
Asset lifecycle and access management: Implement secure asset lifecycle management from provisioning through decommissioning with appropriate access controls and governance using role-based access control, conditional access policies, and resource protection mechanisms limiting asset management capabilities and preventing unauthorized modifications.
Related controls:
AM-1: Track asset inventory and their risks
Security principle
Maintain comprehensive, continuously updated inventory of all assets with automated discovery and classification capabilities. Ensure security organizations have real-time visibility into asset configurations, risk posture, and business criticality across all environments to support effective threat detection, incident response, and compliance verification.
Risk to mitigate
Organizations operating without comprehensive asset inventory and continuous risk monitoring face critical security blind spots that prevent effective threat detection, incident response, and security posture management. Without systematic asset tracking:
- Unknown attack surface exposure: Security teams cannot protect assets they don't know exist, allowing attackers to exploit unmonitored resources and establish persistent access through shadow IT infrastructure.
- Incomplete security coverage: Security controls, monitoring, and compliance policies cannot be applied to undiscovered assets, creating gaps in protection and detection capabilities.
- Ineffective incident response prioritization: Lack of asset criticality classification and business impact assessment prevents appropriate incident prioritization, leading to misallocated resources and delayed response to critical threats.
- Compliance and audit failures: Regulatory frameworks require comprehensive asset inventories for security controls, change management, and data protection verification; the absence of an accurate inventory creates compliance violations and failed audits.
- Stale security risk assessment: Security organizations cannot evaluate exposure to emerging threats without continuously updated asset inventory including configuration details, software versions, and vulnerability status.
- Resource waste and orphaned assets: Organizations pay for abandoned resources, development environments, and test systems that provide no business value while increasing attack surface and operational costs.
Inadequate asset visibility undermines every security control by preventing accurate understanding of what must be protected.
MITRE ATT&CK
- Initial Access (TA0001): exploit public-facing application (T1190) targeting unknown or unmonitored internet-facing resources that security teams failed to discover during asset inventory processes.
- Persistence (TA0003): create account (T1136) establishing persistent access in shadow IT resources and unmonitored subscriptions outside centralized security visibility and governance.
- Defense Evasion (TA0005): unused/unsupported cloud regions (T1535) deploying malicious infrastructure in cloud regions not included in asset inventory and security monitoring coverage.
AM-1.1: Implement comprehensive asset inventory and discovery
Accurate and comprehensive asset inventory forms the foundation of effective security operations, enabling threat detection, incident response, compliance reporting, and risk management across cloud environments. Without complete visibility, security teams cannot protect assets they don't know exist, leaving blind spots for adversaries to exploit. Automated discovery and classification capabilities ensure inventory remains current as infrastructure scales and evolves, eliminating manual tracking that becomes outdated within days.
Deploy Azure Resource Graph and Microsoft Defender for Cloud asset inventory to maintain comprehensive, continuously updated inventory of all Azure resources with automated discovery and classification capabilities.
Azure Resource Graph query capabilities:
- Cross-subscription asset discovery: Query all resources across multiple subscriptions and management groups using Kusto Query Language (KQL) aggregating complete asset inventory for security operations and incident response.
- Asset criticality queries: Query resources by business criticality tags identifying Critical and High-priority assets requiring enhanced security monitoring and faster incident response prioritization.
- Shadow IT detection queries: Identify resources without required ownership, cost center, or compliance scope tags indicating unapproved provisioning bypassing security review and governance processes.
- Orphaned resource identification: Query unattached disks, unused public IP addresses, idle virtual machines, and abandoned storage accounts consuming budget without business value for decommissioning.
- Change history and audit tracking: Track resource creation, modification, and deletion events maintaining historical asset inventory identifying unauthorized changes and configuration drift for compliance reporting.
- Compliance and policy status queries: Query policy compliance status across subscriptions identifying non-compliant resources requiring remediation grouped by regulatory framework or security baseline.
Microsoft Defender for Cloud asset inventory:
- Security posture visibility: Comprehensive asset inventory with security recommendations, vulnerability assessments, and compliance status integrated into centralized dashboard.
- Resource health monitoring: Real-time monitoring of resource health status, security alerts, and configuration drift detection with automatic refresh and updates.
- Defender plan coverage: Track which resources are protected by specific Defender plans including Defender for Servers, Storage, Containers, and Databases.
- Regulatory compliance mapping: Asset inventory automatically mapped to regulatory compliance frameworks including PCI-DSS, HIPAA, and ISO 27001 showing coverage and gaps.
- Integration with security workflows: Export asset inventory data to Microsoft Sentinel, Logic Apps, and external SIEM platforms for security automation and correlation.
AM-1.2: Extend inventory to hybrid and multicloud environments
Hybrid and multicloud environments fragment asset visibility across management consoles and security tools, creating blind spots where unmanaged resources harbor vulnerabilities and policy violations. Projecting distributed infrastructure into a unified control plane enables consistent governance, security monitoring, and compliance reporting regardless of hosting location. This unified approach eliminates the operational complexity and security gaps inherent in managing separate inventories for each environment.
Unify hybrid and multicloud asset inventory through these capabilities:
Deploy Azure Arc to project on-premises, edge, and multicloud resources into Azure Resource Manager enabling unified asset inventory, governance, and security management across hybrid environments.
Azure Arc-enabled asset discovery:
- Azure Arc-enabled servers: Onboard Windows and Linux physical servers and virtual machines hosted outside Azure (on-premises, VMware, Hyper-V, AWS EC2, Google Compute Engine), projecting them into Azure as native Azure resources.
- Azure Arc-enabled Kubernetes: Connect and manage Kubernetes clusters running anywhere, including on-premises, AWS EKS, Google GKE, and other cloud providers, with unified governance and GitOps deployment.
- Azure Arc-enabled SQL Managed Instance: Manage SQL Managed Instance deployments running on-premises or in other clouds with unified inventory, lifecycle management, and security governance.
- Azure Arc-enabled PostgreSQL: Manage PostgreSQL deployments running on-premises or in other clouds with unified inventory, lifecycle management, and security governance.
- Azure Arc-enabled VMware vSphere: Discover and manage VMware virtual machines through Azure, enabling self-service VM operations with Azure governance and policies.
- Multicloud connector: Connect AWS and Google Cloud accounts to Azure Arc, discovering EC2 instances, S3 buckets, and other cloud resources for unified multicloud inventory.
Unified hybrid asset management:
- Azure Resource Graph integration: Query Azure Arc-enabled resources alongside native Azure resources using Azure Resource Graph providing single-pane inventory across all environments.
- Consistent tagging across clouds: Apply Azure resource tags to Arc-enabled servers and resources regardless of hosting location enabling consistent classification and organization taxonomy.
- Hybrid asset grouping: Organize hybrid resources using management groups, resource groups, and subscriptions applying governance hierarchy to non-Azure infrastructure.
- Cross-cloud dependency mapping: Visualize dependencies between Azure, on-premises, AWS, and Google Cloud resources identifying connectivity requirements and migration candidates.
- Centralized asset reporting: Generate unified asset inventory reports aggregating Azure-native, Arc-enabled servers, Kubernetes clusters, and multicloud resources in single dashboard.
Azure Arc security and governance:
- Microsoft Defender for Cloud integration: Extend Defender for Cloud security posture assessment, vulnerability scanning, and threat protection to Arc-enabled servers and Kubernetes clusters.
- Azure Policy enforcement: Apply Azure Policy to hybrid and multicloud resources ensuring consistent security baselines, compliance requirements, and configuration standards across all environments.
- Azure Monitor integration: Collect logs, metrics, and performance data from Arc-enabled resources into Azure Monitor and Log Analytics for unified monitoring and alerting.
- Azure Update Manager: Centralize patch management for Arc-enabled Windows and Linux servers using Azure Update Manager ensuring consistent security patching across hybrid infrastructure.
- Microsoft Sentinel correlation: Stream security events from Arc-enabled servers to Microsoft Sentinel correlating hybrid infrastructure security signals with cloud-native Azure security telemetry.
Endpoint and migration discovery integration:
Microsoft Intune device inventory integration:
- Endpoint asset discovery: Extend asset inventory to corporate-managed endpoints including Windows, macOS, iOS, and Android devices using Microsoft Intune providing unified visibility across cloud infrastructure and endpoint devices.
- Device compliance status: Track device compliance status alongside cloud resource inventory identifying non-compliant endpoints requiring remediation before granting access to sensitive resources.
- Conditional access integration: Correlate Intune device compliance with Azure resource access policies ensuring only compliant managed devices can access asset management interfaces and sensitive data.
- Hardware and software inventory: Collect hardware specifications, installed applications, and security configurations from managed endpoints complementing cloud resource inventory for comprehensive asset visibility.
Azure Migrate discovery integration:
- Pre-cloud assessment: Use Azure Migrate for agentless discovery of on-premises VMware, Hyper-V, physical servers, and AWS/GCP virtual machines identifying migration candidates and dependencies before Azure onboarding.
- Dependency mapping: Visualize application dependencies and network connectivity patterns across on-premises infrastructure informing migration planning and Azure resource provisioning strategies.
- Performance and sizing data: Collect performance metrics and utilization data from on-premises workloads enabling right-sizing recommendations and cost optimization for Azure migrations.
- Migration readiness assessment: Assess migration readiness including compatibility checks, cost estimates, and security considerations establishing baseline inventory before cloud adoption.
Tagging strategy:
Implement systematic resource tagging strategy using Azure Resource Tags to logically organize assets by business context, criticality, ownership, and compliance requirements.
Strategic tagging framework:
- Business criticality tags: Classification of resources by business impact levels (Critical, High, Medium, Low) enabling risk-based security prioritization and incident response.
- Data classification tags: Tagging resources based on data sensitivity levels (Public, Internal, Confidential, Highly Confidential) supporting data protection policies and compliance requirements.
- Environment tags: Clear separation of production, staging, development, and test environments preventing accidental impact to production systems during security operations.
- Cost center and ownership tags: Business unit, cost center, and technical owner assignments enabling accountability, chargeback, and rapid stakeholder notification during security incidents.
- Compliance scope tags: Tagging resources subject to specific regulatory requirements (PCI-DSS, HIPAA, SOX, GDPR) triggering appropriate security controls and audit procedures.
Tag enforcement and governance:
- Azure Policy tag enforcement: Automated tag requirement policies preventing resource creation without mandatory tags and ensuring consistent taxonomy across organization.
- Tag inheritance: Resource group and subscription-level tags automatically inherited by child resources ensuring consistent classification without manual tagging burden.
- Tag value validation: Azure Policy validation of tag values against approved lists preventing typos and ensuring standardized classification across the organization.
- Tag audit and remediation: Regular audit of tag compliance with automated remediation workflows adding missing tags based on resource characteristics and security assessments.
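The tag audit described above (mandatory keys, approved value lists, inheritance from the resource group, and remediation hints), as an added example that is not Microsoft's code. It runs over a constructed inventory shaped like rows of the Azure Resource Graph Resources table; the tag names, allowed values, subscription id and sample resources are assumptions.

```python
"""Tag compliance audit over an Azure asset inventory export (added example,
not Microsoft's code). Applies mandatory tag keys, approved value lists and
resource-group tag inheritance to constructed inventory rows shaped like the
Azure Resource Graph 'Resources' table, then flags shadow IT candidates and
proposes remediation for tags the resource-group name reveals. Tag names,
allowed values and sample resources are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

MANDATORY_TAGS = ("BusinessCriticality", "DataClassification", "Environment",
                  "CostCenter", "Owner")
ALLOWED_VALUES = {
    "BusinessCriticality": {"Critical", "High", "Medium", "Low"},
    "DataClassification": {"Public", "Internal", "Confidential", "Highly Confidential"},
    "Environment": {"Production", "Staging", "Development", "Test"},
}
COMPLIANCE_SCOPES = {"PCI-DSS", "HIPAA", "SOX", "GDPR"}
ENV_HINTS = {"prod": "Production", "stg": "Staging", "dev": "Development", "test": "Test"}  # assumed RG naming
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id

def _rid(rg: str, path: str) -> str:
    return f"{SUB}/resourceGroups/{rg}/providers/{path}"

# Constructed sample data: resource-group tags plus three resources.
RG_TAGS = {"rg-payments-prod": {"Environment": "Production", "CostCenter": "CC-1001",
                                "ComplianceScope": "PCI-DSS"}}
INVENTORY = [
    {"id": _rid("rg-payments-prod", "Microsoft.Sql/servers/sql-pay-01"), "name": "sql-pay-01",
     "type": "microsoft.sql/servers", "resourceGroup": "rg-payments-prod",
     "tags": {"BusinessCriticality": "Critical", "DataClassification": "Highly Confidential",
              "Owner": "payments-team@example.com"}},
    {"id": _rid("rg-payments-prod", "Microsoft.Storage/storageAccounts/stpaylogs"), "name": "stpaylogs",
     "type": "microsoft.storage/storageaccounts", "resourceGroup": "rg-payments-prod",
     "tags": {"BusinessCriticality": "Hgh", "DataClassification": "Confidential",
              "Owner": "payments-team@example.com", "ComplianceScope": "PCI-DSS, PCI"}},
    {"id": _rid("rg-sandbox-dev", "Microsoft.Compute/virtualMachines/vm-test-99"), "name": "vm-test-99",
     "type": "microsoft.compute/virtualmachines", "resourceGroup": "rg-sandbox-dev", "tags": None},
]

@dataclass(frozen=True)
class Finding:
    resource_id: str
    issue: str              # "missing" or "invalid"
    tag: str
    value: Optional[str] = None

def effective_tags(resource: dict, rg_tags: dict) -> dict:
    """Tag inheritance: the resource's own tag wins, otherwise the resource group's tag applies."""
    merged = dict(rg_tags.get(resource["resourceGroup"], {}))
    merged.update(resource.get("tags") or {})
    return merged

def audit(resources: list, rg_tags: dict) -> list:
    """One Finding per missing mandatory tag or per tag value outside the approved list."""
    findings = []
    for r in resources:
        tags = effective_tags(r, rg_tags)
        for key in MANDATORY_TAGS:
            value = tags.get(key)
            if value is None or not str(value).strip():
                findings.append(Finding(r["id"], "missing", key))
            elif key in ALLOWED_VALUES and value not in ALLOWED_VALUES[key]:
                findings.append(Finding(r["id"], "invalid", key, value))
        # ComplianceScope is optional, but when present it may only name approved frameworks.
        for scope in (s.strip() for s in (tags.get("ComplianceScope") or "").split(",") if s.strip()):
            if scope not in COMPLIANCE_SCOPES:
                findings.append(Finding(r["id"], "invalid", "ComplianceScope", scope))
    return findings

def shadow_it_candidates(findings: list) -> set:
    """Resources with no accountable owner or cost center: likely provisioned outside governance."""
    return {f.resource_id for f in findings if f.issue == "missing" and f.tag in ("Owner", "CostCenter")}

def remediation_plan(resources: list, findings: list) -> dict:
    """Propose values for missing Environment tags that the resource-group name reveals."""
    by_id = {r["id"]: r for r in resources}
    plan: dict = {}
    for f in findings:
        if f.issue == "missing" and f.tag == "Environment":
            tokens = by_id[f.resource_id]["resourceGroup"].lower().split("-")
            for token, env in ENV_HINTS.items():
                if token in tokens:
                    plan.setdefault(f.resource_id, {})["Environment"] = env
    return plan

if __name__ == "__main__":
    results = audit(INVENTORY, RG_TAGS)
    for f in results:
        print(f"{f.issue:8} {f.tag:20} {f.value or '-':15} {f.resource_id.rsplit('/', 1)[-1]}")
    print("shadow IT candidates:", shadow_it_candidates(results))
    print("remediation plan:", remediation_plan(INVENTORY, results))
```

In practice the inventory rows would come from a Resource Graph query projecting id, name, type, resourceGroup and tags; the audit logic is the same.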
AM-1.3: Grant security organization inventory access
Security teams require comprehensive visibility across all assets to detect threats, investigate incidents, and measure risk posture without depending on infrastructure teams for access or manual data collection. Appropriate read-only permissions enable security operations while preventing privilege escalation or operational disruption. Centralized access management ensures security organizations maintain visibility even as cloud environments grow and organizational structures evolve.
Configure security team asset visibility through these permissions:
- Ensure security organizations have appropriate permissions to view and monitor asset inventory using Security Reader role, Azure RBAC, and management group scoping for comprehensive visibility without excessive privileges.
Security organization permission strategy:
- Security Reader role assignment: Grant Security Reader role at management group or subscription scope enabling security teams to view resources, security alerts, and recommendations without modification capabilities.
- Management group scoping: Apply permissions at Root Management Group level for enterprise-wide security visibility or scope to specific business units based on organizational structure.
- Defender for Cloud access: Ensure security teams have access to Defender for Cloud asset inventory, security recommendations, and compliance dashboards for centralized risk visibility.
- Azure Resource Graph query access: Provide security analysts access to Azure Resource Graph Explorer for custom asset discovery queries and security research without requiring resource-level permissions.
- Log Analytics Reader access: Grant security teams Log Analytics Reader permissions for security log analysis and threat hunting without access to modify workspace configurations.
Operational security integration:
- Automated inventory sharing: Export asset inventory to security information and event management (SIEM) platforms and security orchestration tools for correlation and automation.
- Continuous monitoring integration: Integrate asset inventory with Microsoft Sentinel for real-time security monitoring, threat detection, and automated response to asset-related risks.
- Security metrics and reporting: Provide security leadership with dashboards and reports showing asset growth, security posture trends, and risk exposure across cloud environment.
AM-1.4: Monitor asset risks and security posture
Static asset inventory provides insufficient security visibility when threats and configurations change continuously across dynamic cloud environments. Continuous risk monitoring transforms inventory data into actionable security intelligence, identifying emerging vulnerabilities, configuration drift, and compliance violations before adversaries exploit them. Automated assessment enables security teams to prioritize remediation based on actual risk rather than reacting to incidents after exploitation.
Establish continuous asset risk monitoring through these capabilities:
- Implement continuous risk monitoring using Microsoft Defender for Cloud Secure Score, Azure Security Baseline, and vulnerability assessment to track asset security posture and emerging risks.
Continuous risk assessment:
- Secure Score monitoring: Track Microsoft Defender for Cloud Secure Score across subscriptions and management groups measuring overall security posture and control effectiveness.
- Security recommendation tracking: Monitor security recommendations by severity level with prioritization based on asset criticality, potential impact, and threat intelligence.
- Vulnerability assessment integration: Automated vulnerability scanning for virtual machines using Qualys or Microsoft Defender Vulnerability Management with risk-based remediation prioritization.
- Compliance dashboard monitoring: Track regulatory compliance status for assets subject to PCI-DSS, HIPAA, ISO 27001, and other frameworks with gap analysis and remediation tracking.
- Configuration drift detection: Automated detection of security configuration changes and policy violations with alerts for unauthorized modifications or non-compliant configurations.
Threat intelligence and risk correlation:
- Microsoft Threat Intelligence integration: Automatic correlation of asset inventory with Microsoft threat intelligence identifying resources potentially targeted by known threat actors or campaigns.
- Security alert aggregation: Centralized aggregation of security alerts from Defender for Cloud, Microsoft Sentinel, and Microsoft Defender XDR mapped to specific assets for comprehensive risk visibility.
- Attack surface analysis: Continuous analysis of internet-facing assets, open ports, and network exposure with risk scoring based on vulnerability status and threat landscape.
Implementation example
An organization with hybrid cloud infrastructure operating across Azure, on-premises data centers, and AWS discovered they lacked comprehensive visibility into their complete asset inventory, creating compliance risks and unknown security exposures.
Challenge: The organization struggled with fragmented asset visibility across multiple environments. Cloud resources deployed in Azure, on-premises servers in regional data centers, and AWS workloads existed in separate management silos without unified inventory. Security teams lacked comprehensive visibility into asset criticality, vulnerability status, and compliance posture. Regulatory audits identified gaps in asset tracking required for PCI-DSS and HIPAA compliance. Shadow IT proliferation created unmonitored resources consuming budget while exposing the organization to security risks.
Solution approach:
- Unified inventory platform: Deployed Azure Resource Graph queries discovering all Azure resources across multiple subscriptions with daily automated inventory updates. Implemented Azure Arc-enabled servers onboarding 500+ on-premises Windows and Linux servers plus 200+ AWS EC2 instances enabling unified inventory management. Configured multicloud connector for AWS integration discovering EC2 instances, S3 buckets, and RDS databases projecting them into Azure Resource Graph for consolidated asset visibility.
- Asset classification and governance: Implemented mandatory tagging strategy using Azure Policy requiring business criticality, data classification, cost center, and compliance scope tags on all resources including Arc-enabled servers before provisioning. Established business criticality classification with Critical tag for business-critical systems, High for sensitive data storage, Medium for internal applications, and Low for development environments.
- Security visibility and monitoring: Configured Microsoft Defender for Cloud asset inventory with Security Reader role granted to security operations center (SOC) team at Root Management Group level for enterprise-wide visibility across Azure and Arc-enabled resources. Deployed vulnerability assessment using Microsoft Defender Vulnerability Management across all Azure and Arc-enabled virtual machines with automated remediation workflows. Extended Azure Policy enforcement to Arc-enabled servers applying security baselines, encryption requirements, and diagnostic logging policies.
- Executive reporting: Created Azure Workbooks dashboards for security leadership showing asset inventory, Secure Score, vulnerability status, and compliance posture across Azure, on-premises, and AWS environments with automated daily updates and trend analysis.
Outcome: Complete asset visibility achieved across Azure, on-premises, and AWS with comprehensive vulnerability scanning of previously unmonitored systems. Compliance audit preparation time reduced substantially while identifying and decommissioning orphaned resources recovering significant cloud spend.
Criticality level
Must have.
Control mapping
- NIST SP 800-53 Rev.5: CM-8, CM-8(1), CM-8(2), CM-8(3), PM-5, RA-2
- PCI-DSS v4: 2.4.1, 2.4.2, 12.5.2
- CIS Controls v8.1: 1.1, 1.2, 1.3, 1.4, 2.1
- NIST CSF v2.0: ID.AM-1, ID.AM-2, ID.AM-4
- ISO 27001:2022: A.5.9, A.8.1, A.8.2
- SOC 2: CC6.1, CC7.2
AM-2: Use only approved services
Azure Policy: See Azure built-in policy definitions: AM-2.
Security principle
Enforce service approval processes restricting which cloud services users can provision through policy-based controls and monitoring. Ensure all deployed services undergo security review, compliance validation, and proper configuration hardening before production use, preventing shadow IT and unauthorized service sprawl.
Risk to mitigate
Uncontrolled cloud service provisioning creates significant security risks through shadow IT, configuration vulnerabilities, and compliance violations. Without service approval enforcement:
- Shadow IT security gaps: Unapproved services bypass security review processes, operate without security monitoring, and lack proper configuration hardening creating exploitable vulnerabilities.
- Compliance framework violations: Unvetted services may not meet regulatory requirements for data protection, audit logging, or encryption leading to compliance failures and potential regulatory sanctions.
- Increased attack surface: Each new service type expands attack surface with unique security configurations, APIs, and integration points that security teams lack expertise to properly secure.
- Cost overruns and budget waste: Uncontrolled service provisioning leads to duplicate capabilities, unused resources, and unexpected charges undermining financial governance and budget predictability.
- Operational complexity: Proliferation of service types increases operational complexity, training requirements, and support burden while fragmenting security monitoring and incident response capabilities.
- Data governance failures: Unapproved storage services and databases bypass data classification policies, retention requirements, and encryption standards creating data protection gaps.
Lack of service approval enforcement allows technology sprawl that undermines security, compliance, and operational efficiency.
MITRE ATT&CK
- Initial Access (TA0001): valid accounts (T1078) using legitimate user credentials to provision unapproved services with security misconfigurations that attackers exploit for initial access.
- Resource Development (TA0042): acquire infrastructure (T1583) provisioning unapproved cloud services to establish attack infrastructure, command-and-control capabilities, or malicious workloads bypassing security review processes.
- Defense Evasion (TA0005): unused/unsupported cloud regions (T1535) deploying malicious infrastructure in unapproved cloud regions outside security monitoring coverage.
AM-2.1: Implement Azure Policy service restrictions
Unrestricted service provisioning enables users to deploy unsupported, insecure, or non-compliant cloud services that bypass security review and introduce vulnerabilities into production environments. Each unapproved service expands the attack surface with potentially misconfigured security settings, unpatched software, or unmonitored access points that adversaries exploit. Enforcing approved service catalogs ensures only security-validated, operationally-supported services reach production while maintaining controlled innovation in development environments.
Control service provisioning through these enforcement mechanisms:
- Deploy Azure Policy with deny policies and audit policies to restrict service provisioning to approved Azure service types with exceptions for approved innovation projects and development environments.
Service restriction policy framework:
- Allowed resource types policy: Define comprehensive allowed resource types policy listing approved Azure services including virtual machines, storage accounts, databases, and platform services.
- Denied resource types policy: Explicit deny policies for services prohibited due to security concerns, compliance restrictions, or operational limitations with clear documentation of rationale.
- Regional restriction policies: Restrict resource provisioning to approved Azure regions based on data residency requirements, compliance mandates, and operational support capabilities.
- SKU and tier restrictions: Limit resource SKUs and service tiers to approved configurations ensuring cost control and security feature availability.
- Preview service controls: Restrict or prohibit preview and beta services in production environments while allowing controlled usage in development subscriptions for evaluation.
Policy scope and enforcement:
- Management group policy assignment: Apply service restriction policies at management group level for enterprise-wide enforcement with inheritance to all child subscriptions.
- Environment-based exemptions: Grant policy exemptions for development and sandbox subscriptions enabling innovation while maintaining production environment controls.
- Policy enforcement mode: Configure deny effect for production enforcement preventing non-compliant resource provisioning versus audit mode for visibility and compliance reporting.
- Exception request workflow: Establish formal exception request process for legitimate business requirements with security review, time-limited approvals, and compensating controls.
Azure Arc hybrid policy enforcement:
- Policy extension to Arc-enabled servers: Apply Azure Policy guest configuration to Arc-enabled servers enforcing security baselines, software restrictions, and compliance requirements on hybrid infrastructure.
- Kubernetes policy enforcement: Deploy Azure Policy for Kubernetes on Arc-enabled Kubernetes clusters controlling pod security, image registries, and resource configurations across multicloud environments.
- Cross-cloud service approval: Use Azure Arc and Azure Policy to enforce approved service patterns on multicloud resources preventing unapproved AWS services or Google Cloud configurations.
- Hybrid compliance reporting: Unified policy compliance dashboard showing Azure-native, Arc-enabled servers, and multicloud resources compliance status with approved service catalog.
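The allowed resource types, regional restriction and mandatory tag controls above, written as Azure Policy rule definitions and exercised against constructed deployment requests. This is an added example, not Microsoft's code and not the Azure Policy engine: the small evaluator implements only the rule-schema subset those three definitions use, and the service list, regions and tag name are assumptions.

```python
"""Azure Policy service-restriction rules, evaluated locally (added example:
not Microsoft's code and not the Azure Policy engine). The three definitions
use the real Azure Policy rule schema (field, in/notIn, notEquals, exists,
not/allOf, parameter references, deny effect); the evaluator supports only
that subset. Service list, regions and the tag name are assumptions."""
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")

# Policy definitions (parameter declarations omitted; values come from ASSIGNMENT_PARAMS).
POLICIES = {
    "allowed-resource-types": {"mode": "Indexed", "policyRule": {
        "if": {"not": {"field": "type", "in": "[parameters('listOfAllowedTypes')]"}},
        "then": {"effect": "deny"}}},
    "allowed-locations": {"mode": "Indexed", "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},   # global services carry no region
        ]},
        "then": {"effect": "deny"}}},
    "require-costcenter-tag": {"mode": "Indexed", "policyRule": {
        "if": {"field": "tags['CostCenter']", "exists": "false"},
        "then": {"effect": "deny"}}},
}

# Parameter values set on the policy assignment (constructed approved catalog).
ASSIGNMENT_PARAMS = {
    "listOfAllowedTypes": ["Microsoft.Compute/virtualMachines", "Microsoft.Storage/storageAccounts",
                           "Microsoft.Sql/servers", "Microsoft.Network/virtualNetworks"],
    "listOfAllowedLocations": ["eastus2", "westeurope"],
}

# Constructed deployment requests, as the policy engine sees them at request time.
SAMPLE_REQUESTS = {
    "vm-web-01": {"type": "Microsoft.Compute/virtualMachines", "location": "eastus2",
                  "tags": {"CostCenter": "CC-1001"}},
    "cog-chat-01": {"type": "Microsoft.CognitiveServices/accounts", "location": "eastus2",
                    "tags": {"costcenter": "CC-2002"}},
    "stdata02": {"type": "Microsoft.Storage/storageAccounts", "location": "southeastasia",
                 "tags": {}},
}

def _resolve(value, params):
    """Substitute "[parameters('name')]" with the assignment's parameter value."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _norm(v):
    return v.lower() if isinstance(v, str) else v

def field_value(resource, field):
    """Resolve a field alias: a top-level property, or tags['key'] (tag names are case-insensitive)."""
    m = TAG_FIELD.match(field)
    if not m:
        return resource.get(field)
    wanted = m.group(1).lower()
    return next((v for k, v in (resource.get("tags") or {}).items() if k.lower() == wanted), None)

def matches(cond, resource, params):
    """Evaluate one condition block; string comparisons are case-insensitive, as in Azure Policy."""
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = field_value(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "notEquals" in cond:
        return _norm(actual) != _norm(_resolve(cond["notEquals"], params))
    if "in" in cond:
        return _norm(actual) in {_norm(x) for x in _resolve(cond["in"], params)}
    if "notIn" in cond:
        return _norm(actual) not in {_norm(x) for x in _resolve(cond["notIn"], params)}
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params):
    """Return the rule's effect when its 'if' matches, otherwise None (compliant)."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else None

def denied_by(resource, params=ASSIGNMENT_PARAMS):
    """Names of the assigned policies whose deny effect would block this request."""
    return [name for name, p in POLICIES.items() if evaluate(p, resource, params) == "deny"]

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        blocked = denied_by(req)
        print(f"{name:12} {'DENIED by ' + ', '.join(blocked) if blocked else 'allowed'}")
```

Switching "deny" to "audit" in the `then` block is the audit-mode variant described under policy enforcement mode: the same rule matches, but the request is recorded as non-compliant instead of blocked.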
AM-2.2: Monitor and alert on unapproved service usage
Policy enforcement prevents unapproved provisioning, but detecting existing non-compliant resources and monitoring for policy violations lets security teams identify exceptions, respond to violations, and maintain continuous compliance visibility. Real-time detection turns reactive compliance audits into proactive security operations, enabling rapid response to risks introduced through unapproved services. Automated alerting ensures security teams address violations before adversaries discover and exploit misconfigured resources.
Detect and respond to unapproved services through these monitoring capabilities:
- Implement Azure Monitor alert rules and Microsoft Defender for Cloud recommendations to detect unapproved service provisioning attempts and existing non-compliant resources.
Unapproved service detection:
- Azure Activity Log monitoring: Monitor Azure Activity Log for resource creation events comparing against approved service catalog with real-time alerting on policy violations.
- Azure Policy compliance dashboard: Track policy compliance status across subscriptions identifying resources in non-compliant state requiring remediation or decommissioning.
- Defender for Cloud recommendations: Leverage Defender for Cloud security recommendations identifying resources requiring configuration changes or services operating outside security baselines.
- Custom alert rules: Create custom Azure Monitor alert rules for specific service types or configuration patterns requiring security team notification and investigation.
Alert and response workflows:
- Microsoft Teams and email notifications: Automated notifications to security operations and resource owners when unapproved services are provisioned or policy violations detected.
- Azure Logic Apps integration: Automated workflows triggering security review tickets, stakeholder notifications, and escalation procedures for policy violation remediation.
- Microsoft Sentinel integration: Stream Azure Policy compliance data and service provisioning events to Microsoft Sentinel for security correlation and threat detection.
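The Activity Log detection described above, run over constructed records, as an added example that is not Microsoft's code. Field names follow the Activity Log event schema (operationName.value, status.value, category.value, caller, resourceId, eventTimestamp); the approved catalog and the sample events are assumptions.

```python
"""Detect unapproved service provisioning in Azure Activity Log events (added
example, not Microsoft's code). Each successful resource write whose type is
outside the approved catalog becomes a high-severity alert; a failed write of
an unapproved type is kept as a medium-severity attempt. Field names follow
the Activity Log event schema; the catalog and sample events are constructed."""
import json
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed approved service catalog. Child types such as
# microsoft.compute/virtualmachines/extensions inherit approval from the parent type.
APPROVED_TYPES = {
    "microsoft.compute/virtualmachines", "microsoft.storage/storageaccounts",
    "microsoft.sql/servers", "microsoft.network/virtualnetworks",
    "microsoft.network/networksecuritygroups", "microsoft.resources/deployments",
    "microsoft.resources/resourcegroups",
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id

def _event(ts, op, status, caller, rid):
    """Build one constructed Activity Log record as exported JSON (one record per line)."""
    return json.dumps({"eventTimestamp": ts, "category": {"value": "Administrative"},
                       "operationName": {"value": op}, "status": {"value": status},
                       "caller": caller, "resourceId": f"{SUB}/resourceGroups/{rid}"})

SAMPLE_LOG = [
    _event("2025-01-14T09:02:11Z", "Microsoft.Compute/virtualMachines/write", "Succeeded",
           "ops.engineer@example.com", "rg-web-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01"),
    _event("2025-01-14T09:02:40Z", "Microsoft.Compute/virtualMachines/extensions/write", "Succeeded",
           "ops.engineer@example.com",
           "rg-web-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01/extensions/AzureMonitorLinuxAgent"),
    _event("2025-01-14T10:15:03Z", "Microsoft.CognitiveServices/accounts/write", "Started",
           "dev.user@example.com", "rg-ml-dev/providers/Microsoft.CognitiveServices/accounts/cog-chat-01"),
    _event("2025-01-14T10:15:09Z", "Microsoft.CognitiveServices/accounts/write", "Succeeded",
           "dev.user@example.com", "rg-ml-dev/providers/Microsoft.CognitiveServices/accounts/cog-chat-01"),
    _event("2025-01-14T10:20:00Z", "Microsoft.Compute/virtualMachines/delete", "Succeeded",
           "ops.engineer@example.com", "rg-web-prod/providers/Microsoft.Compute/virtualMachines/vm-old-07"),
    _event("2025-01-14T11:01:45Z", "Microsoft.DocumentDB/databaseAccounts/write", "Failed",
           "dev.user@example.com", "rg-ml-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-x"),
]

@dataclass(frozen=True)
class Alert:
    timestamp: str
    severity: str       # "high": unapproved service provisioned; "medium": failed or blocked attempt
    resource_type: str
    caller: str
    resource_id: str

def resource_type_of(operation: str) -> Optional[str]:
    """'Microsoft.Compute/virtualMachines/write' -> 'microsoft.compute/virtualmachines'; None for non-writes."""
    op = operation.lower()
    return op[: -len("/write")] if op.endswith("/write") else None

def is_approved(resource_type: str) -> bool:
    """Approved if the type or any ancestor type (down to provider/type) is in the catalog."""
    parts = resource_type.split("/")
    while len(parts) >= 2:
        if "/".join(parts) in APPROVED_TYPES:
            return True
        parts.pop()
    return False

def detect(lines: List[str]) -> List[Alert]:
    """Scan JSON-per-line Activity Log records and return alerts for unapproved service writes."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("category", {}).get("value") != "Administrative":
            continue
        rtype = resource_type_of(ev["operationName"]["value"])
        if rtype is None or is_approved(rtype):
            continue
        status = ev["status"]["value"]
        if status == "Succeeded":
            severity = "high"
        elif status == "Failed":
            severity = "medium"   # a request denied by Azure Policy is logged as a failed write
        else:
            continue              # Started/Accepted: wait for the terminal status event
        alerts.append(Alert(ev["eventTimestamp"], severity, rtype, ev["caller"], ev["resourceId"]))
    return alerts

def alerts_by_caller(alerts: List[Alert]) -> dict:
    """Alert count per caller, so repeat offenders surface for owner notification."""
    return dict(Counter(a.caller for a in alerts))

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.severity:6} {a.resource_type:40} {a.caller}")
    print("by caller:", alerts_by_caller(found))
```

The same filter (successful writes whose operation prefix is outside the catalog) is what an Azure Monitor activity log alert rule or a Sentinel analytics rule over the streamed events would encode.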
Implementation example
A healthcare organization operating under HIPAA compliance requirements faced challenges with unauthorized cloud services deployed without proper security validation, creating compliance risks and audit findings.
Challenge: Developers deployed Azure services without formal security assessment, resulting in HIPAA audit findings identifying unapproved services processing protected health information (PHI). The organization lacked centralized service approval processes and technical enforcement mechanisms preventing unauthorized deployments. Compliance teams discovered Azure Cognitive Services and Azure OpenAI Service processing PHI without completing required risk assessments. Shadow IT proliferation created compliance gaps with 40+ service types deployed without documented security controls or encryption validation.
Solution approach:
- Governance framework: Established Service Validation Board composed of security, compliance, and engineering leadership reviewing new service requests with mandatory security assessment, compliance validation, and data classification analysis. Created service catalog documenting approved services with security baselines, encryption requirements, compliance controls, and approved use cases.
- Technical enforcement: Deployed Allowed Resource Types Policy at management group level restricting provisioning to approved compute (Virtual Machines, Azure Kubernetes Service, Container Instances), storage (Blob Storage, Azure Files, Queue Storage), database (Azure SQL Database, Cosmos DB, Azure Database for PostgreSQL), and networking (Virtual Network, Network Security Groups, Application Gateway, Azure Firewall) services. Implemented Regional Restriction Policy limiting deployment to approved Azure regions matching HIPAA data residency requirements. Configured SKU Restriction Policies preventing premium-tier and ultra-performance SKUs in development and test subscriptions.
- Continuous monitoring: Created Azure Monitor alert rules for policy violation attempts with Azure Logic Apps workflows creating ServiceNow incidents and notifying resource owners and security operations team. Granted policy exemptions for innovation sandbox subscriptions enabling evaluation of new services without production restrictions.
- Developer enablement: Published Infrastructure-as-Code templates including Terraform modules and Bicep templates for approved services with security configurations pre-applied accelerating compliant resource deployment.
Outcome: Full service approval compliance achieved with Azure Policy preventing unauthorized deployments that could expose PHI. HIPAA audit findings eliminated while maintaining developer productivity through predictable approval processes.
Criticality level
Should have.
Control mapping
- NIST SP 800-53 Rev.5: CM-7, CM-7(1), CM-7(2), SA-3, SA-8
- PCI-DSS v4: 1.2.6, 2.2.7, 6.3.2
- CIS Controls v8.1: 2.3, 2.7, 4.1
- NIST CSF v2.0: ID.AM-3, PR.IP-1, PR.PT-3
- ISO 27001:2022: A.5.23, A.8.9, A.8.19
- SOC 2: CC6.1, CC6.6, CC7.2
AM-3: Ensure security of asset lifecycle management
Azure Policy: See Azure built-in policy definitions: AM-3.
Security principle
Implement secure asset lifecycle management from provisioning through decommissioning with security-by-default configurations, change control processes, and systematic disposal procedures. Ensure all lifecycle phases include security validation, audit logging, and approval workflows for high-impact modifications to prevent security degradation and maintain compliance.
Risk to mitigate
Inadequate asset lifecycle management creates security vulnerabilities throughout resource provisioning, modification, and decommissioning processes. Without proper lifecycle controls:
- Insecure resource provisioning: Resources deployed without security hardening, encryption, monitoring, or network controls operate in a vulnerable state from inception, creating an immediate attack surface.
- Configuration drift and unauthorized changes: Uncontrolled resource modifications bypass security review processes leading to misconfigurations, compliance violations, and security control degradation.
- Orphaned resource accumulation: Resources persist after projects end or teams disband consuming budget while creating unmonitored attack surface with stale credentials and outdated security patches.
- Incomplete decommissioning: Improper resource deletion leaves data remnants, storage accounts, network configurations, and identity assignments creating data exposure risks and compliance violations.
- Privilege escalation through lifecycle gaps: Attackers exploit lifecycle management weaknesses to provision malicious resources, modify security configurations, or maintain persistence after detection attempts.
- Audit trail gaps: Inadequate lifecycle documentation prevents forensic investigation, compliance demonstration, and root cause analysis of security incidents involving resource changes.
Poor lifecycle management allows security vulnerabilities to persist from resource creation through the entire operational lifespan.
MITRE ATT&CK
- Persistence (TA0003): create or modify system process (T1543) exploiting weak lifecycle controls to deploy persistent backdoors during resource provisioning without security review.
- Privilege Escalation (TA0004): abuse elevation control mechanism (T1548) modifying resource permissions and access controls during lifecycle changes to gain unauthorized elevated privileges.
- Defense Evasion (TA0005): impair defenses (T1562) disabling security monitoring and logging during resource modification processes bypassing detection capabilities.
AM-3.1: Implement secure resource provisioning
Resources deployed without security hardening from inception create immediate vulnerabilities that persist throughout their operational lifetime, as retrofitting security controls after deployment proves technically complex and operationally disruptive. Security-by-default provisioning through infrastructure-as-code ensures consistent protective configurations apply automatically, preventing the configuration gaps that adversaries exploit. Automated security validation before deployment blocks insecure configurations before they reach production, transforming security from reactive remediation into proactive prevention.
Establish secure-by-default provisioning through these mechanisms:
- Deploy Azure Deployment Stacks, Azure Resource Manager templates, and Terraform with security-hardened configurations ensuring resources are deployed with proper security controls from inception.
Secure-by-default provisioning:
- Azure Deployment Stacks for governance: Use Azure Deployment Stacks to combine Azure Policy assignments, RBAC role assignments, and resource templates into governed bundles. Deployment Stacks create deny assignments (DenyDelete or DenyWriteAndDelete) protecting managed resources and governance artifacts from unauthorized modification or deletion while enabling controlled updates through infrastructure-as-code.
- Infrastructure-as-code security: Hardened ARM templates and Terraform modules with encryption enabled, diagnostic logging configured, network security groups applied, and private endpoints deployed by default.
- Policy-driven provisioning: Azure Policy automatically applies security configurations during resource creation including encryption requirements, diagnostic settings, and tagging mandates.
- Private network default: Resources deployed with private endpoints and service endpoints by default disabling public internet access unless explicitly required and approved.
- Security scanning integration: Automated security scanning of infrastructure-as-code templates using tools like Checkov, Terrascan, or Microsoft Defender for Cloud DevOps Security before deployment.
Provisioning approval workflows:
- Azure DevOps approval gates: Require security team approval for production deployments involving sensitive data, internet-facing resources, or high-privilege configurations.
- Change Advisory Board review: High-impact resource provisioning undergoes change advisory board review including security, compliance, and operations stakeholder evaluation.
- Cost and security threshold triggers: Automated approval requirement triggers for resources exceeding cost thresholds or security sensitivity levels requiring leadership authorization.
AM-3.2: Implement asset lifecycle change control
Uncontrolled resource modifications bypass security review processes, enabling adversaries to disable protective controls, escalate privileges, or maintain persistence through configuration changes that evade detection. Change control transforms ad-hoc modifications into governed workflows with security validation, audit trails, and automated enforcement preventing unauthorized changes. Continuous configuration monitoring detects drift from approved baselines, ensuring resources maintain security posture throughout their operational lifecycle rather than degrading over time.
Govern resource modifications through these change control mechanisms:
- Establish change control processes using Azure Policy, Azure Resource Locks, and Azure Activity Log monitoring to govern resource modifications and prevent unauthorized security configuration changes.
Change control and governance:
- Azure Resource Locks: Deploy CanNotDelete or ReadOnly locks on production resources to prevent accidental deletion or modification; removing a lock requires explicit approval backed by a documented change request and security review.
- Azure Policy deny effects: Policies preventing security configuration degradation including disabling encryption, removing diagnostic settings, exposing resources to public internet, or modifying network security group rules without approval.
- Change tracking and audit: Azure Activity Log integration with Microsoft Sentinel tracking all resource modifications with security correlation, anomaly detection, and automated alerting for high-risk configuration changes.
- Configuration drift detection: Azure Policy Guest Configuration detecting unauthorized configuration changes and triggering automated remediation workflows or security team notifications for production systems.
- Identity lifecycle management: Use Microsoft Entra ID Governance for automated identity lifecycle workflows managing service principal and managed identity provisioning, access reviews, and deprovisioning aligned with asset lifecycle stages.
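The following added example (not the page's or Azure's code) covers both AM-3.1 and AM-3.2 with one baseline: a pre-deployment gate scans an ARM template for storage accounts that miss the secure-by-default settings or lack diagnostic settings, and a drift check compares live state against the IaC baseline to separate security regressions (including a removed lock) from benign drift. The baseline is limited to Microsoft.Storage/storageAccounts properties, and the template, baseline and live snapshot are constructed.

```python
"""Secure-by-default provisioning gate and configuration-drift detection that
share one baseline.  Added example, not code from the benchmark page or from
Azure tooling; the rules cover Microsoft.Storage/storageAccounts only and the
template, baseline and live snapshot are constructed."""
from __future__ import annotations

# Secure-by-default values for a storage account (real ARM property names).
STORAGE_BASELINE = {
    "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
    "publicNetworkAccess": "Disabled",
}
DIAG_TYPE = "microsoft.insights/diagnosticsettings"


def security_findings(resource: dict, has_diagnostics: bool) -> list[str]:
    """Findings for one resource against the baseline (empty when compliant)."""
    if resource["type"].lower() != "microsoft.storage/storageaccounts":
        return []                      # other types would get their own baseline
    props = resource.get("properties", {})
    findings = [f"{key}={props.get(key)!r}, required {required!r}"
                for key, required in STORAGE_BASELINE.items()
                if props.get(key) != required]
    if not has_diagnostics:
        findings.append("no diagnosticSettings resource targets this account")
    return findings


def gate_template(template: dict) -> dict:
    """Pre-deployment gate: block the pipeline when any resource in the ARM
    template violates the baseline.  Diagnostic settings are extension
    resources, matched here through a 'scope' of the form 'type/name'."""
    resources = template.get("resources", [])
    diag_targets = {r.get("scope", "").lower() for r in resources
                    if r["type"].lower() == DIAG_TYPE}
    report = {}
    for r in resources:
        if r["type"].lower() == DIAG_TYPE:
            continue
        scope = f"{r['type']}/{r['name']}".lower()
        if findings := security_findings(r, scope in diag_targets):
            report[r["name"]] = findings
    return {"allowed": not report, "findings": report}


def detect_drift(baseline: dict[str, dict], live: dict[str, dict]) -> list[dict]:
    """Post-deployment drift: compare live state (keyed by resource ID, as a
    Resource Graph export gives it) with the IaC baseline.  A changed baseline
    security property or a removed lock is a high-severity regression; other
    property drift is low; resources outside the baseline are medium."""
    events = []
    for rid, want in baseline.items():
        have = live.get(rid)
        if have is None:
            events.append({"resourceId": rid, "severity": "high",
                           "detail": "managed resource missing (deleted outside IaC)"})
            continue
        for key, expected in want.get("properties", {}).items():
            actual = have.get("properties", {}).get(key)
            if actual != expected:
                sev = "high" if key in STORAGE_BASELINE else "low"
                events.append({"resourceId": rid, "severity": sev,
                               "detail": f"{key}: {expected!r} -> {actual!r}"})
        if want.get("lock") and have.get("lock") != want["lock"]:
            events.append({"resourceId": rid, "severity": "high",
                           "detail": f"{want['lock']} lock removed"})
    for rid in live.keys() - baseline.keys():
        events.append({"resourceId": rid, "severity": "medium",
                       "detail": "resource not in IaC baseline"})
    return events


# Constructed sample inputs.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stgood",
     "properties": dict(STORAGE_BASELINE)},
    {"type": "Microsoft.Insights/diagnosticSettings", "name": "stgood-diag",
     "scope": "Microsoft.Storage/storageAccounts/stgood"},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stbad",      # public + no logging
     "properties": {**STORAGE_BASELINE, "publicNetworkAccess": "Enabled"}},
]}
RID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
       "/providers/Microsoft.Storage/storageAccounts/stgood")
SAMPLE_BASELINE = {RID: {"properties": dict(STORAGE_BASELINE), "lock": "CanNotDelete"}}
SAMPLE_LIVE = {   # public access enabled and lock removed after deployment
    RID: {"properties": {**STORAGE_BASELINE, "publicNetworkAccess": "Enabled"}, "lock": None},
    RID.replace("stgood", "stunmanaged"): {"properties": {}, "lock": None},
}
```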
AM-3.3: Implement systematic resource decommissioning
Improper resource decommissioning leaves data remnants, orphaned configurations, and stale credentials that create long-term security exposure and compliance violations even after projects end. Formal decommissioning procedures ensure complete removal of resources with proper data handling, access revocation, and audit trail preservation preventing unauthorized access to abandoned assets. Automated detection of orphaned resources eliminates the accumulation of forgotten infrastructure that consumes budget while creating unmonitored attack surface.
Execute secure resource decommissioning through these procedures:
- Establish formal decommissioning procedures using Azure Resource Manager, Azure Policy, and data retention policies ensuring secure resource deletion with proper data handling and audit trail preservation.
Secure decommissioning procedures:
- Data backup and retention: Verify backup completion and retention policy compliance before resource deletion ensuring business continuity and regulatory compliance requirements.
- Access revocation: Remove all role assignments, managed identities, service principals, and key vault access policies associated with resources before deletion.
- Network dependency validation: Verify no active network dependencies, peering relationships, or DNS records preventing safe resource removal.
- Compliance and legal hold check: Validate no legal holds, regulatory retention requirements, or active investigations requiring resource preservation before deletion.
- Soft delete enablement: Leverage soft delete capabilities for key vaults, storage accounts, and databases providing recovery window for accidental deletion.
Orphaned resource detection:
- Azure Advisor cost recommendations: Leverage Azure Advisor identifying unused resources including unattached disks, idle virtual machines, and unused public IP addresses.
- Azure Resource Graph queries: Custom queries discovering orphaned resources based on activity patterns, last access times, and resource utilization metrics.
- Automated decommissioning workflows: Azure Automation runbooks identifying and decommissioning orphaned development resources after configurable idle periods with owner notification.
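An added example, not code from the page, of the decision logic an Azure Automation runbook would apply during an orphaned-resource sweep: it classifies unattached disks, unused public IPs and idle VMs, then walks the legal-hold, owner-notification and backup checks from the decommissioning procedures above before returning a delete decision. The tag names, idle thresholds, the `lastActivity` and `backupVerified` fields and the inventory are constructed.

```python
"""Orphaned-resource sweep in the style of an Azure Automation runbook: find
unattached disks, unused public IPs and idle VMs, then apply the
decommissioning checks (legal hold, owner notice grace period, backup
verification) before deciding to delete.  Added example, not the benchmark
page's code; tag names, thresholds, 'lastActivity', 'backupVerified' and the
inventory are constructed."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

IDLE_DAYS = 30          # idle period before a VM counts as orphaned
NOTICE_DAYS = 7         # grace period after the owner has been notified
OWNER_TAG = "owner"                     # constructed tag names
LEGAL_HOLD_TAG = "legal-hold"
NOTIFIED_TAG = "decommission-notified"  # ISO date of the owner notice


def orphan_reason(res: dict, now: datetime) -> str | None:
    """Why the resource looks orphaned, or None if it is in use."""
    t = res["type"].lower()
    if t == "microsoft.compute/disks" and not res.get("managedBy"):
        return "unattached disk"              # managedBy holds the owning VM ID
    if t == "microsoft.network/publicipaddresses" and not res.get("ipConfiguration"):
        return "unused public IP"             # no NIC or load balancer binds it
    if t == "microsoft.compute/virtualmachines":
        idle = now - res["lastActivity"]       # derived from metrics (constructed)
        if idle >= timedelta(days=IDLE_DAYS):
            return f"VM idle for {idle.days} days"
    return None


def decide(res: dict, now: datetime) -> dict:
    """One decision per resource, returned rather than printed so the runbook
    can write it to the audit trail and to the owner notification."""
    tags = res.get("tags", {})
    out = {"resourceId": res["id"], "owner": tags.get(OWNER_TAG, "unknown")}
    reason = orphan_reason(res, now)
    if reason is None:
        return {**out, "action": "keep"}
    out["reason"] = reason
    if tags.get(LEGAL_HOLD_TAG, "").lower() == "true":
        return {**out, "action": "hold"}          # retention or investigation
    notified = tags.get(NOTIFIED_TAG)
    if not notified:
        return {**out, "action": "notify-owner"}  # first pass: tag and notify only
    notified_at = datetime.fromisoformat(notified).replace(tzinfo=timezone.utc)
    if now - notified_at < timedelta(days=NOTICE_DAYS):
        return {**out, "action": "wait"}
    if not res.get("backupVerified", False):      # checklist item before deletion
        return {**out, "action": "block", "reason": "backup not verified"}
    return {**out, "action": "delete"}


def sweep(resources: list[dict], now: datetime) -> dict[str, str]:
    """Map resource ID -> action for the whole inventory."""
    return {d["resourceId"]: d["action"] for d in (decide(r, now) for r in resources)}


NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)   # fixed clock for the sample
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/"
SAMPLE_INVENTORY = [   # constructed
    {"id": RG + "Microsoft.Compute/disks/osdisk-web1", "type": "Microsoft.Compute/disks",
     "managedBy": RG + "Microsoft.Compute/virtualMachines/web1", "tags": {OWNER_TAG: "web-team"}},
    {"id": RG + "Microsoft.Compute/disks/disk-old", "type": "Microsoft.Compute/disks",
     "managedBy": None, "tags": {OWNER_TAG: "web-team"}},
    {"id": RG + "Microsoft.Network/publicIPAddresses/pip-legacy",
     "type": "Microsoft.Network/publicIPAddresses", "ipConfiguration": None,
     "tags": {OWNER_TAG: "legal", LEGAL_HOLD_TAG: "true"}},
    {"id": RG + "Microsoft.Compute/virtualMachines/vm-poc", "type": "Microsoft.Compute/virtualMachines",
     "lastActivity": datetime(2024, 12, 1, tzinfo=timezone.utc), "backupVerified": True,
     "tags": {OWNER_TAG: "data-team", NOTIFIED_TAG: "2025-01-20"}},
    {"id": RG + "Microsoft.Compute/virtualMachines/vm-test", "type": "Microsoft.Compute/virtualMachines",
     "lastActivity": datetime(2024, 12, 15, tzinfo=timezone.utc),
     "tags": {OWNER_TAG: "data-team", NOTIFIED_TAG: "2025-01-29"}},
]
```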
Implementation example
An organization with 3,000+ cloud resources across Azure and on-premises infrastructure faced challenges with lifecycle management creating security incidents from misconfigured resources and excessive costs from orphaned infrastructure.
Challenge: Development teams deployed resources without standardized security configurations resulting in 25% of new deployments missing encryption or logging requirements. Production resources lacked deletion protection with three significant incidents where critical resources were accidentally deleted causing business disruption. The organization maintained 400+ orphaned resources including unattached disks, unused public IP addresses, and idle virtual machines consuming $120,000 annually. Change management processes relied on manual reviews unable to detect security configuration drift. Resource decommissioning lacked formal procedures leading to incomplete data deletion and lingering access permissions.
Solution approach:
- Provisioning standardization: Deployed Azure Deployment Stacks with security-hardened resource templates ensuring encryption is enabled, private endpoints are configured, and diagnostic logging is activated for all production resources, with a DenyDelete deny assignment protecting the managed resources. Published Infrastructure-as-Code templates and modules with security baselines pre-applied, preventing misconfiguration at provisioning time.
- Change protection: Implemented Azure Resource Locks on all production resource groups preventing accidental deletion and unauthorized modifications to critical infrastructure. Established change control board reviewing high-impact modifications including identity provider changes, network security group modifications, and administrative privilege assignments. Deployed Azure Policy deny effects preventing security configuration regression including policies blocking public internet access enablement, encryption disablement, and diagnostic logging removal.
- Decommissioning governance: Deployed decommissioning checklists in Azure DevOps requiring data backup verification, access revocation confirmation, and compliance team signoff before production resource deletion. Implemented soft delete policies for key vaults, storage accounts, and databases providing 90-day recovery window.
- Orphaned resource management: Created Azure Automation runbooks scanning for orphaned resources weekly identifying and decommissioning abandoned resources including unattached disks, unused public IPs, and idle virtual machines after 30-day idle period with owner notification.
Outcome: Provisioning compliance improved substantially with automatic security configurations through deployment stacks while resource locks eliminated accidental deletions. Orphaned resource cleanup recovered significant infrastructure costs and configuration drift incidents decreased through Azure Policy deny effects.
Criticality level
Should have.
Control mapping
- NIST SP 800-53 Rev.5: CM-3, CM-3(1), CM-4, SA-3, SA-4(10)
- PCI-DSS v4: 6.3.1, 6.4.1, 6.4.2, 12.3.3
- CIS Controls v8.1: 4.1, 4.2, 15.1, 15.2
- NIST CSF v2.0: PR.IP-1, PR.IP-3, PR.MA-1
- ISO 27001:2022: A.5.31, A.8.1, A.8.32
- SOC 2: CC6.1, CC6.6, CC8.1
AM-4: Limit access to asset management
Security principle
Enforce least-privilege access to asset management capabilities through role-based access controls, conditional access policies, and resource protection mechanisms. Limit users' ability to create, modify, or delete assets based on business justification, requiring strong authentication, secure workstations, and time-limited elevated access for administrative operations affecting production infrastructure.
Risk to mitigate
Excessive access to asset management capabilities creates risks of accidental resource deletion, malicious infrastructure modification, and privilege escalation attacks. Without proper access controls:
- Accidental production impact: Overprivileged users accidentally delete production resources, modify critical network configurations, or disable security monitoring causing business disruption.
- Insider threat amplification: Malicious insiders with excessive asset management permissions can delete audit logs, exfiltrate data, deploy malicious infrastructure, or sabotage systems.
- Privilege escalation pathways: Attackers compromising accounts with asset management permissions escalate privileges by modifying RBAC assignments, creating service principals, or deploying resources with elevated access.
- Compliance and audit failures: Lack of least-privilege access controls violates regulatory requirements for separation of duties and creates audit findings in SOX, PCI-DSS, and HIPAA assessments.
- Credential theft impact: Compromised credentials with broad asset management access enable attackers to cause maximum damage across cloud environment before detection.
- Change control bypass: Excessive permissions allow users to bypass change control processes, approval workflows, and security review procedures for infrastructure modifications.
Overprivileged access to infrastructure management amplifies the impact of both accidental errors and malicious activities.
MITRE ATT&CK
- Privilege Escalation (TA0004): valid accounts (T1078) using compromised accounts with asset management permissions to escalate privileges by modifying role assignments or creating high-privilege identities.
- Impact (TA0040): resource hijacking (T1496) leveraging asset management permissions to deploy cryptocurrency mining infrastructure or other resource-intensive malicious workloads.
- Defense Evasion (TA0005): impair defenses (T1562) using infrastructure permissions to disable security monitoring, delete diagnostic logs, or remove security agents preventing detection.
AM-4.1: Implement role-based access control for asset management
Broad infrastructure permissions enable both accidental misconfigurations and intentional abuse with impact amplified across numerous resources, making privilege management critical to limiting security incident blast radius. Least-privilege access through role-based controls ensures personnel access only resources required for legitimate job functions, reducing exposure from compromised credentials or malicious insiders. Just-in-time activation transforms standing administrative access into temporary, audited elevation events that dramatically reduce the window of opportunity for credential theft exploitation.
Implement least-privilege asset management through these access controls:
- Deploy Azure RBAC with least-privilege role assignments, custom roles, and resource-level scoping limiting asset management capabilities to authorized personnel with business justification.
Least-privilege role strategy:
- Reader role as default: Grant Reader role to general users providing visibility into resources without modification capabilities supporting operational awareness.
- Resource-specific Contributor roles: Use service-specific Contributor roles (Virtual Machine Contributor, Storage Account Contributor) instead of broad Contributor role limiting scope of permissions.
- Custom role definitions: Create custom RBAC roles with minimal required permissions for specific job functions avoiding over-permissioned built-in roles.
- Resource group and resource scoping: Scope role assignments to specific resource groups or individual resources instead of subscription-wide assignments reducing blast radius.
- Time-limited assignments: Implement temporary role assignments with expiration dates for project-based access requiring periodic revalidation.
Privileged access management:
- Microsoft Entra Privileged Identity Management (PIM): Require just-in-time activation for Owner and Contributor roles with approval workflows, justification requirements, and maximum duration limits.
- Microsoft Entra ID Governance: Implement Microsoft Entra ID Governance for periodic access reviews of asset management permissions ensuring least-privilege access through automated access certifications and entitlement management.
- Emergency access accounts: Maintain break-glass accounts with Owner permissions secured with offline credentials, monitored access, and regular validation procedures.
- Separation of duties: Separate permissions for resource provisioning, security configuration, and network management preventing single-person high-risk changes.
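An added example (not the page's code) of a least-privilege review over role assignment rows: it flags standing privileged roles that should be PIM-eligible, privileged roles assigned permanently at subscription or management group scope, and separation-of-duties conflicts, while exempting a named break-glass account. The assignment rows, duty groupings and break-glass name are constructed.

```python
"""Least-privilege review of Azure role assignments: flag standing (non-PIM)
privileged access, privileged roles held permanently at wide scope, and
separation-of-duties conflicts.  Added example, not the benchmark page's code;
the assignment rows, duty groupings and break-glass name are constructed."""
from __future__ import annotations

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
WIDE_SCOPES = {"managementGroup", "subscription"}
# Break-glass accounts keep permanent Owner by design (constructed name); they
# are covered by the emergency-access procedures rather than this review.
BREAK_GLASS = {"breakglass-01"}
# Duties one person should not combine (constructed grouping of built-in roles).
DUTY_GROUPS = {
    "provisioning": {"Contributor", "Virtual Machine Contributor", "Storage Account Contributor"},
    "security": {"Security Admin", "User Access Administrator"},
    "network": {"Network Contributor"},
}


def scope_level(scope: str) -> str:
    """Classify an ARM scope string."""
    parts = [p for p in scope.lower().split("/") if p]
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "managementGroup"
    if parts[:1] == ["subscriptions"]:
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2] == "resourcegroups":
            return "resourceGroup"
    return "resource"


def audit_assignments(assignments: list[dict]) -> dict[str, list[str]]:
    """Findings per principal.  Each row carries principal, role, scope and
    assignmentType ('permanent', or 'eligible' for PIM just-in-time)."""
    findings: dict[str, list[str]] = {}
    duties: dict[str, set[str]] = {}

    def add(principal: str, text: str) -> None:
        findings.setdefault(principal, []).append(text)

    for a in assignments:
        who, role, level = a["principal"], a["role"], scope_level(a["scope"])
        if who in BREAK_GLASS:
            continue
        if role in PRIVILEGED_ROLES and a["assignmentType"] == "permanent":
            add(who, f"standing {role} access; convert to PIM-eligible")
            if level in WIDE_SCOPES:
                add(who, f"{role} at {level} scope; rescope to resource group or resource")
        for duty, roles in DUTY_GROUPS.items():
            if role in roles:
                duties.setdefault(who, set()).add(duty)
    for who, held in duties.items():
        if len(held) > 1:
            add(who, "separation of duties: holds " + ", ".join(sorted(held)))
    return findings


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [   # constructed
    {"principal": "alice", "role": "Contributor", "scope": SUB, "assignmentType": "permanent"},
    {"principal": "bob", "role": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-app", "assignmentType": "permanent"},
    {"principal": "carol", "role": "Owner", "scope": SUB, "assignmentType": "eligible"},
    {"principal": "breakglass-01", "role": "Owner", "scope": SUB, "assignmentType": "permanent"},
    {"principal": "dave", "role": "Network Contributor",
     "scope": SUB + "/resourceGroups/rg-net", "assignmentType": "permanent"},
    {"principal": "dave", "role": "Security Admin", "scope": SUB, "assignmentType": "permanent"},
]
```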
AM-4.2: Implement Conditional Access for Azure management
Validating user identity alone provides insufficient protection for infrastructure management when adversaries operate from compromised devices, untrusted networks, or anomalous locations that indicate credential theft. Conditional Access policies enforce device compliance, network restrictions, and risk-based controls ensuring infrastructure management occurs only from trusted contexts that meet security standards. Multi-factor authentication combined with device and location validation creates defense-in-depth that prevents infrastructure compromise even when credentials are stolen.
Enforce context-aware infrastructure access through these policies:
- Deploy Microsoft Entra Conditional Access policies restricting access to Azure Resource Manager based on device compliance, network location, and risk level with multi-factor authentication requirements.
Conditional Access policy requirements:
- Multi-factor authentication enforcement: Require MFA for all access to Azure Management App (Azure Resource Manager API) preventing credential-based attacks on infrastructure management.
- Compliant device requirement: Restrict Azure management access to Intune-managed compliant devices preventing asset management from unmanaged personal devices.
- Privileged Access Workstation (PAW): Require access to Owner and Contributor roles from dedicated privileged access workstations with enhanced security configurations.
- Network location restrictions: Limit Azure management access to corporate network locations or approved VPN connections blocking access from untrusted networks.
- Risk-based access control: Block or require additional authentication for Azure management access from unfamiliar locations, risky sign-ins, or anonymous IP addresses.
Conditional Access block scenarios:
- Block access policy: Implement "Block Access" policy for Microsoft Azure Management App for users who should never access Azure infrastructure management.
- Session duration limits: Configure short session lifetime for privileged access requiring frequent reauthentication for sustained infrastructure management activities.
- Terms of use requirement: Require acceptance of terms of use outlining acceptable use policies and security responsibilities before Azure management access.
AM-4.3: Implement resource locks and immutability
Role-based access control limits who can modify infrastructure, but preventing accidental or malicious destruction of critical resources requires enforcement beyond permissions through immutability controls. Resource locks transform governance from permission management into technical enforcement that blocks deletion or modification even from accounts with Owner privileges, preventing irreversible data loss from human error or compromised credentials. Deployment Stacks extend protection to governance artifacts themselves, ensuring security policies and role assignments cannot be removed by the very privileges they control.
Enforce resource immutability through these protection mechanisms:
- Deploy Azure Resource Locks and Azure Deployment Stacks deny settings preventing resource deletion or modification even by users with Owner permissions requiring explicit policy change through governed process.
Resource lock strategy:
- CanNotDelete locks: Apply CanNotDelete locks to production resources preventing accidental deletion while allowing configuration modifications for operational flexibility.
- ReadOnly locks: Deploy ReadOnly locks on sensitive infrastructure including network security groups, virtual networks, and identity resources preventing any modifications without lock removal.
- Inherited locks: Apply locks at resource group or subscription level with inheritance to child resources simplifying governance and preventing lock bypass through new resource creation.
- Lock removal approval workflow: Require security team approval and change management process for lock removal with audit logging and justification documentation.
Azure Deployment Stacks deny settings:
- Deployment stack deny assignments: Deployment stacks with deny settings preventing modification or deletion of managed resources even by subscription owners ensuring infrastructure immutability.
- DenyDelete mode: Deployment stacks configured with DenyDelete protecting policy assignments, role assignments, and deployed resources from removal while allowing configuration updates.
- DenyWriteAndDelete mode: Deployment stacks with DenyWriteAndDelete preventing any modifications to governance configurations requiring stack update through controlled infrastructure-as-code process.
Implementation example
A financial services organization processing $2B+ in daily transactions faced challenges with asset management access controls creating SOX compliance risks and security incidents from unauthorized infrastructure changes.
Challenge: Application teams possessed excessive permissions with Contributor role assigned at subscription level enabling unauthorized access to financial transaction processing systems across multiple resource groups. Three security incidents occurred where developers accidentally modified production network security groups causing payment processing disruptions. SOX audit findings identified insufficient access controls with 40+ users possessing permanent Owner permissions without business justification. External attackers compromised developer credentials and accessed Azure management portal from non-corporate locations without additional security verification. Critical infrastructure lacked deletion protection with risk of accidental removal of payment processing resources.
Solution approach:
- Least privilege access: Implemented Azure RBAC custom roles granting application teams Resource-Specific Contributor permissions scoped to their resource groups without subscription-wide access. Removed subscription-level Contributor assignments affecting 40+ users reducing excessive permissions by 85%.
- Just-in-time access: Deployed Privileged Identity Management requiring just-in-time activation for Contributor and Owner roles with manager approval workflow and 8-hour time-limited access duration. Eliminated standing privileged access for routine operations.
- Access protection: Configured Microsoft Entra Conditional Access policies requiring MFA, compliant device, and corporate network location for all Azure management access preventing external access attempts. Established privileged access workstation program with dedicated hardened VMs for infrastructure management activities isolated from standard corporate network.
- Resource protection: Applied CanNotDelete locks to all production resource groups protecting financial transaction processing systems from accidental deletion. Deployed ReadOnly locks on network security groups, virtual networks, and ExpressRoute circuits preventing unauthorized network configuration changes. Configured Deployment Stacks with DenyWriteAndDelete for governance resources including Policy assignments, RBAC roles, and security baseline configurations.
Outcome: Full SOX compliance achieved with all audit findings remediated through least privilege RBAC and resource lock enforcement. Unauthorized infrastructure changes and external access attempts eliminated through Conditional Access policies while maintaining operational efficiency with just-in-time privileged access activation.
Criticality level
Must have.
Control mapping
- NIST SP 800-53 Rev.5: AC-2, AC-2(1), AC-5, AC-6, AC-6(1), AC-6(5)
- PCI-DSS v4: 7.2.2, 7.2.4, 7.2.5, 8.2.2
- CIS Controls v8.1: 5.4, 6.1, 6.7, 6.8
- NIST CSF v2.0: PR.AC-4, PR.AC-7, PR.PT-3
- ISO 27001:2022: A.5.15, A.5.16, A.5.18, A.8.2
- SOC 2: CC6.1, CC6.2, CC6.3
AM-5: Use only approved applications in virtual machine
Security principle
Enforce application control through allow list policies and behavioral monitoring ensuring only authorized software executes on compute assets. Prevent unauthorized software execution including malware, unapproved tools, and outdated applications while maintaining operational flexibility for approved business applications and administrative tasks.
Risk to mitigate
Uncontrolled software execution on virtual machines creates security vulnerabilities through malware, unauthorized tools, and outdated software. Without application control:
- Malware and ransomware execution: Lack of application allow listing allows malware, ransomware, and other malicious software to execute freely once attackers gain system access.
- Unauthorized administrative tools: Attackers install remote access tools, network scanners, credential dumping utilities, and other post-exploitation tools supporting attack progression.
- Unapproved commercial software: Users install unlicensed software, personal tools, and unapproved applications creating legal liability, security vulnerabilities, and support challenges.
- Outdated vulnerable software: Legacy applications and outdated software versions persist on systems containing known vulnerabilities exploitable by attackers.
- Insider threat tool usage: Malicious insiders install data exfiltration tools, encryption utilities, and system sabotage applications without detection.
- Cryptocurrency mining and abuse: Compromised systems execute cryptocurrency miners, botnet clients, and other resource-intensive malicious applications degrading performance.
Uncontrolled application execution enables attackers to deploy a full post-exploitation toolkit once initial access is achieved.
MITRE ATT&CK
- Execution (TA0002): user execution (T1204) tricking users into executing malicious software that bypasses application control mechanisms or exploits policy gaps.
- Defense Evasion (TA0005): masquerading (T1036) disguising malicious executables as legitimate applications attempting to bypass application allow listing controls.
- Credential Access (TA0006): OS credential dumping (T1003) executing credential theft tools like Mimikatz harvesting credentials from memory for privilege escalation.
AM-5.1: Implement adaptive application controls
Unrestricted application execution enables adversaries to deploy post-exploitation toolkits immediately upon gaining initial access, transforming minor compromises into complete system control before detection. Application control allow listing inverts traditional antivirus defense by defining approved software and blocking everything else, preventing unknown malware and living-off-the-land techniques that evade signature-based detection. Machine learning-powered adaptive controls eliminate the operational burden of manual policy maintenance by automatically adjusting allow lists as legitimate applications evolve while maintaining protection against unauthorized software.
Establish executable restriction through these application controls:
- Deploy Microsoft Defender for Cloud adaptive application controls, which automatically generate application allow lists from observed behavior, with continuous learning and enforcement capabilities.
Adaptive application control implementation:
- Automated allow list generation: Machine learning-powered analysis of application execution patterns generating recommended allow lists for virtual machine groups.
- Audit mode learning period: Initial deployment in audit mode observes application execution patterns without enforcement, building a comprehensive application baseline.
- Enforcement mode activation: After the baseline is established, transition to enforcement mode to block unauthorized application execution, with ongoing learning and automatic rule updates.
- File integrity monitoring: Integration with file integrity monitoring detecting unauthorized application installation attempts and configuration file modifications.
- Publisher-based rules: Application allow list rules based on publisher certificates, file hashes, and path specifications balancing security with operational flexibility.
Application control policy configuration:
- Group-based policies: Organize virtual machines into groups based on application requirements applying tailored application control policies per server role.
- Recommended rule acceptance: Review and accept adaptive application control recommendations with security team validation before enforcement activation.
- Custom rule addition: Add custom allow list rules for business-specific applications, scripts, and administrative tools not automatically discovered during learning phase.
- Alert and violation monitoring: Monitor application control violations in Defender for Cloud with automated alerts for unauthorized execution attempts requiring investigation.
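As an added example (not code from the Microsoft page), the following Azure PowerShell function reports the enforcement mode, configuration status, and pending path recommendations of every adaptive application control group in a subscription, so that a security team can see which groups are still in audit mode after the learning period. It calls the Microsoft.Security applicationWhitelistings REST resource through `Invoke-AzRestMethod`; the API version and the response property names are assumptions based on the public REST reference and should be verified against your tenant.

```powershell
# Added example, not part of the Microsoft page: summarize adaptive application
# control groups (Defender for Cloud) for one subscription.
# Assumptions: api-version 2020-01-01 and the property names read from the
# response (enforcementMode, configurationStatus, recommendationStatus,
# vmRecommendations, pathRecommendations, issues) follow the public REST docs.
#Requires -Modules Az.Accounts

function Get-AdaptiveAppControlStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [string] $ApiVersion = '2020-01-01'   # assumption, see lead-in
    )

    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/applicationWhitelistings?api-version=$ApiVersion"
    $response = Invoke-AzRestMethod -Method GET -Path $path
    if ($response.StatusCode -ne 200) {
        throw "Adaptive application control query failed: HTTP $($response.StatusCode) $($response.Content)"
    }

    $groups = ($response.Content | ConvertFrom-Json).value
    foreach ($g in $groups) {
        $p = $g.properties
        [pscustomobject]@{
            Group            = $g.name
            Location         = $g.location
            EnforcementMode  = $p.enforcementMode        # Audit, Enforce or None
            Configuration    = $p.configurationStatus    # Configured, NotConfigured, ...
            Recommendation   = $p.recommendationStatus   # Recommended, NotRecommended, ...
            MachineCount     = @($p.vmRecommendations).Count
            # Publisher/path rules Defender suggests but nobody has accepted yet
            PendingPathRules = @($p.pathRecommendations | Where-Object { $_.action -eq 'Recommended' }).Count
            Issues           = (@($p.issues) | ForEach-Object { $_.issue }) -join ', '
        }
    }
}

# Usage (after Connect-AzAccount): list groups that are not yet enforcing.
# Get-AdaptiveAppControlStatus -SubscriptionId '<subscription-id>' |
#     Where-Object EnforcementMode -ne 'Enforce' | Format-Table -AutoSize
```

Groups that show `Audit` with a non-zero `PendingPathRules` count are the ones whose recommendations still need security-team review before the switch to enforcement; groups with `Issues` populated (for example, machines that stopped reporting) should be fixed before enforcement, otherwise the allow list will be built from an incomplete baseline.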
AM-5.2: Implement software inventory and change tracking
Application control prevents unauthorized software execution but detecting software installations, configuration changes, and system modifications provides the visibility required to identify control bypasses, policy violations, and emerging threats. Comprehensive software inventory enables vulnerability management by identifying outdated applications requiring patches while change tracking reveals unauthorized modifications that indicate compromise or insider activity. Continuous monitoring transforms point-in-time inventory snapshots into security intelligence that detects anomalous changes before they escalate into incidents.
Monitor software and configuration changes through these capabilities:
- Deploy Change Tracking and Inventory with the Azure Monitor Agent to gain comprehensive visibility into installed software, configuration changes, and unauthorized application installations across virtual machines.
Change tracking capabilities:
- Software inventory collection: Automated collection of installed software including application names, versions, publishers, and installation dates across Windows and Linux virtual machines using Azure Monitor Agent.
- File change monitoring: Track changes to critical files and directories detecting unauthorized software installation, configuration modifications, and malware deployment with configurable file path monitoring.
- Windows service monitoring: Monitor Windows service changes detecting unauthorized service installations and configuration modifications indicating malware or persistence mechanisms with configurable collection frequency.
- Registry change tracking: Windows registry monitoring detecting persistence mechanisms, configuration changes, and malware-related registry modifications with support for HKEY_LOCAL_MACHINE registry hives.
- Linux daemon monitoring: Track Linux daemon and systemd service changes identifying unauthorized background processes and persistence mechanisms across supported Linux distributions.
Inventory analysis and alerting:
- Software approval comparison: Compare discovered software against approved application catalog identifying unapproved applications requiring investigation or removal through Log Analytics queries.
- Vulnerability correlation: Correlate software inventory with vulnerability databases identifying outdated software requiring patching or replacement integrated with Microsoft Defender Vulnerability Management.
- Change alert rules: Configure Azure Monitor alert rules triggering notifications when critical files change, unauthorized software installs, or registry modifications occur with customizable thresholds.
- Log Analytics integration: Change tracking data automatically stored in Log Analytics workspace enabling advanced KQL queries, Azure Workbooks dashboards, and Microsoft Sentinel correlation.
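The software approval comparison described above, as an added example that is not code from the Microsoft page: a KQL query pulls the latest software inventory row per computer from the `ConfigurationData` table that Change Tracking and Inventory populates, and a PowerShell function compares those rows against an approved-software catalog, flagging packages that are unapproved or older than the approved minimum version. The table and column names are the real Change Tracking schema; the catalog format, the function names, and the sample inventory rows are constructed for this example so the comparison can be run offline.

```powershell
# Added example, not part of the Microsoft page.
# Requires Az.OperationalInsights only for the live workspace query; the
# comparison itself runs offline on the constructed sample at the bottom.

# KQL: most recent inventory record per (computer, software) in the last 7 days.
$SoftwareInventoryQuery = @'
ConfigurationData
| where TimeGenerated > ago(7d) and ConfigDataType == "Software"
| summarize arg_max(TimeGenerated, *) by Computer, SoftwareName
| project Computer, SoftwareName, CurrentVersion, Publisher
'@

function Get-SoftwareInventoryFromWorkspace {
    param([Parameter(Mandatory)][string]$WorkspaceId)
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $SoftwareInventoryQuery
    $result.Results   # objects with Computer, SoftwareName, CurrentVersion, Publisher
}

function ConvertTo-VersionOrNull {
    param([string]$Text)
    # Vendors report free-form version strings; a bare "2023" is not a System.Version.
    $normalized = if ($Text -match '^\d+$') { "$Text.0" } else { $Text }
    try { [version]$normalized } catch { $null }
}

function Compare-SoftwareInventory {
    # Catalog entries: SoftwareName, Publisher, MinimumVersion (constructed format).
    # Returns only the rows that need attention (Unapproved or Outdated).
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [object[]] $ApprovedCatalog
    )
    $catalog = @{}
    foreach ($a in $ApprovedCatalog) { $catalog["$($a.Publisher)|$($a.SoftwareName)"] = $a }

    foreach ($row in $Inventory) {
        $entry  = $catalog["$($row.Publisher)|$($row.SoftwareName)"]
        $status = 'Approved'
        if (-not $entry) {
            $status = 'Unapproved'
        }
        else {
            $observed = ConvertTo-VersionOrNull $row.CurrentVersion
            $minimum  = ConvertTo-VersionOrNull $entry.MinimumVersion
            if ($observed -and $minimum -and $observed -lt $minimum) { $status = 'Outdated' }
        }
        if ($status -ne 'Approved') {
            [pscustomobject]@{
                Computer     = $row.Computer
                SoftwareName = $row.SoftwareName
                Publisher    = $row.Publisher
                Version      = $row.CurrentVersion
                Status       = $status
            }
        }
    }
}

# Constructed sample catalog and inventory (stand-ins for the KQL result).
$approved = @(
    [pscustomobject]@{ SoftwareName = 'Microsoft Edge'; Publisher = 'Microsoft Corporation'; MinimumVersion = '120.0.0.0' },
    [pscustomobject]@{ SoftwareName = '7-Zip';          Publisher = 'Igor Pavlov';           MinimumVersion = '23.1' }
)
$inventory = @(
    [pscustomobject]@{ Computer = 'FS01'; SoftwareName = 'Microsoft Edge';          CurrentVersion = '121.0.2277.83'; Publisher = 'Microsoft Corporation' },
    [pscustomobject]@{ Computer = 'FS01'; SoftwareName = '7-Zip';                   CurrentVersion = '19.00';         Publisher = 'Igor Pavlov' },
    [pscustomobject]@{ Computer = 'FS02'; SoftwareName = 'Contoso Remote Support';  CurrentVersion = '8.0.6';         Publisher = 'Contoso Ltd' }
)
Compare-SoftwareInventory -Inventory $inventory -ApprovedCatalog $approved | Format-Table -AutoSize
```

For live data, replace the sample with `Get-SoftwareInventoryFromWorkspace -WorkspaceId '<workspace-id>'`. Matching on publisher plus product name rather than name alone prevents a lookalike package with an approved product name from passing the check, and the version normalization keeps the comparison from throwing on vendor version strings that are not dotted numbers.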
AM-5.3: Control script execution and administrative tools
PowerShell, Python, and other scripting languages provide adversaries with powerful execution environments that bypass traditional executable controls while offering extensive system access and obfuscation capabilities. Administrative tools designed for legitimate system management become post-exploitation utilities in attacker hands, enabling credential theft, lateral movement, and persistence establishment. Restricting script execution to signed, authorized code and limiting administrative tool access to approved personnel prevents adversaries from leveraging built-in capabilities for malicious purposes while maintaining operational flexibility through constrained execution environments.
Control scripting and administrative access through these restrictions:
- Implement PowerShell script execution policies, AppLocker, and Windows Defender Application Control to restrict execution of scripts and administrative tools to authorized personnel and scenarios.
Script execution controls:
- PowerShell execution policy: Configure the PowerShell execution policy so that scripts obtained from remote sources must be signed, while signed administrative scripts continue to run.
- PowerShell Constrained Language Mode: Deploy PowerShell Constrained Language Mode limiting PowerShell capabilities preventing malicious script execution while allowing approved administrative tasks.
- Script block logging: Enable PowerShell Script Block Logging capturing all executed PowerShell code for security monitoring and forensic investigation.
- Just Enough Administration (JEA): Implement Just Enough Administration endpoints limiting administrative PowerShell capabilities to specific approved cmdlets and parameters.
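The host-side script controls in the list above, as an added example rather than code from the Microsoft page: a machine-wide execution policy, Script Block Logging written through the same registry values the Group Policy setting uses, and a Just Enough Administration endpoint that exposes only two service-management cmdlets, one with a constrained parameter, to a single group. The module path, endpoint name, group name, and cmdlet list are assumptions made for the example.

```powershell
# Added example, not part of the Microsoft page. Run in an elevated session on
# the server being hardened. Names marked "assumption" are placeholders.
#Requires -RunAsAdministrator

# 1. Execution policy: scripts downloaded from the internet must carry a signature.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 2. Script Block Logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational).
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 3. JEA: role capability file inside a module on PSModulePath, then a session
#    configuration that binds an AD group to that role.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'   # assumption
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'ContosoJEA.psd1')

# Only Get-Service and Restart-Service are visible, and Restart-Service accepts
# just the two service names in the pattern (assumption: the services operators manage).
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ServiceOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidatePattern = '^(Spooler|W3SVC)$' } }
    )

# RestrictedRemoteServer hides everything not listed; the virtual account means
# operators never hold real administrator credentials on the host.
$transcripts = 'C:\JEATranscripts'
New-Item -Path $transcripts -ItemType Directory -Force | Out-Null
$pssc = Join-Path $env:TEMP 'ServiceOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' } }   # assumption: AD group

Register-PSSessionConfiguration -Name 'ServiceOperator' -Path $pssc -Force | Out-Null

# Operators connect with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName ServiceOperator
```

Two points to keep in mind when reading this: the execution policy is a guardrail against accidental script execution, not a security boundary, which is why the page pairs it with AppLocker or WDAC; and the JEA transcript directory gives a per-session record of every command an operator ran inside the endpoint, complementing the 4104 script block events.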
Administrative tool restrictions:
- Windows Defender Application Control (WDAC): Deploy Windows Defender Application Control policies allowing only approved administrative tools, system utilities, and business applications to execute.
- AppLocker rule configuration: Configure AppLocker publisher rules, path rules, and hash rules controlling execution of administrative tools and utilities.
- Living-off-the-land binary (LOLBin) controls: Restrict execution of system binaries commonly abused by attackers including regsvr32, rundll32, and mshta.
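The AppLocker rule configuration and LOLBin controls from the list above, as an added example that is not code from the Microsoft page: the script builds an AppLocker executable policy with the three default allow rules (Program Files and Windows for everyone, everything for local Administrators) plus deny rules for regsvr32, rundll32, and mshta scoped to the local Users group, imports it in AuditOnly mode, and then uses `Test-AppLockerPolicy` to confirm the decision without running anything. The rule GUIDs are generated at run time; the choice of AuditOnly and the binary list follow the page.

```powershell
# Added example, not part of the Microsoft page. Run elevated.
# The deny rules apply to BUILTIN\Users (S-1-5-32-545); AppLocker evaluates deny
# before allow, so an administrator who is also a member of Users is denied too.
#Requires -RunAsAdministrator

function New-LolbinAppLockerPolicyXml {
    param(
        [string[]] $DenyBinaries = @('regsvr32.exe', 'rundll32.exe', 'mshta.exe'),
        [ValidateSet('AuditOnly', 'Enabled')] [string] $EnforcementMode = 'AuditOnly'
    )
    # Without allow rules an enforced Exe collection blocks everything, so the
    # default rules are always included.
    $allow = @(
        @{ Name = '(Default) All files in Program Files'; Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' },
        @{ Name = '(Default) All files in Windows';       Sid = 'S-1-1-0';      Path = '%WINDIR%\*' },
        @{ Name = '(Default) All files for Administrators'; Sid = 'S-1-5-32-544'; Path = '*' }
    )
    $rules = foreach ($r in $allow) {
        "    <FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$($r.Name)`" Description=`"`" UserOrGroupSid=`"$($r.Sid)`" Action=`"Allow`">`n" +
        "      <Conditions><FilePathCondition Path=`"$($r.Path)`" /></Conditions>`n    </FilePathRule>"
    }
    $rules += foreach ($bin in $DenyBinaries) {
        "    <FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"Deny LOLBin $bin for standard users`" Description=`"`" UserOrGroupSid=`"S-1-5-32-545`" Action=`"Deny`">`n" +
        "      <Conditions><FilePathCondition Path=`"%SYSTEM32%\$bin`" /></Conditions>`n    </FilePathRule>"
    }
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$EnforcementMode">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

$policyPath = Join-Path $env:TEMP 'lolbin-applocker.xml'
New-LolbinAppLockerPolicyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run first: what would the policy decide for a standard user?
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'S-1-5-32-545' -Path @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\notepad.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply (merged with any existing local policy) and make sure the Application
# Identity service runs; on some builds its startup type is locked and must be
# set through Group Policy instead of sc.exe.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

Leave the collection in AuditOnly until the `Microsoft-Windows-AppLocker/EXE and DLL` log has gone a full business cycle without Event ID 8003 entries for legitimate use (rundll32 in particular is called by many Windows components), then switch `EnforcementMode` to `Enabled`; after that, blocked executions appear as Event ID 8004. Once AppLocker script rules or a WDAC policy are enforced on the host, PowerShell also drops unapproved scripts into Constrained Language Mode automatically, which is how the Constrained Language Mode item in AM-5.3 is normally delivered in practice.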
Implementation example
A healthcare organization processing protected health information (PHI) across 500+ Windows servers faced application control challenges that created ransomware exposure and HIPAA compliance gaps.
Challenge: The organization experienced two ransomware incidents where attackers executed unauthorized encryption tools on file servers causing business disruption and triggering HIPAA breach notification requirements. Security teams lacked visibility into installed applications across 500+ servers with unknown software proliferation creating compliance risks. Developers installed unapproved administrative tools including remote access utilities and debugging software on production servers exposing PHI to unauthorized access. PowerShell scripts executed without logging or restrictions enabling attackers to perform reconnaissance and lateral movement undetected. HIPAA audit findings identified insufficient controls over application execution and lack of software inventory management.
Solution approach:
- Application control deployment: Deployed Microsoft Defender for Cloud adaptive application controls across all Windows servers with 30-day audit mode learning period before enforcement activation. Configured application control policies organized by server roles including web servers, database servers, file servers, and domain controllers with tailored allow lists per workload type blocking unauthorized execution attempts including ransomware and hacking tools.
- Change monitoring: Implemented Change Tracking and Inventory using Azure Monitor Agent monitoring software installations, file modifications, and registry changes across virtual machines with Microsoft Sentinel integration for security correlation. Created Azure Monitor alert rules for application control violations identifying attempted malware execution and unauthorized tool usage requiring security team investigation.
- Script execution controls: Enabled PowerShell script block logging and constrained language mode on all virtual machines capturing PowerShell commands for security analysis and blocking malicious script execution attempts. Deployed Windows Defender Application Control policies on domain controllers and certificate authority servers preventing unauthorized administrative tool execution protecting Active Directory infrastructure.
Outcome: Ransomware incidents eliminated through application control enforcement blocking unauthorized execution attempts. HIPAA audit findings resolved while PowerShell monitoring enabled detection of lateral movement and reconnaissance activities improving incident investigation speed.
Criticality level
Should have.
Control mapping
- NIST SP 800-53 Rev.5: CM-7(2), CM-7(5), SC-18, SI-3, SI-4
- PCI-DSS v4: 5.2.1, 5.2.2, 5.3.3, 11.5.1
- CIS Controls v8.1: 2.3, 2.5, 2.6, 10.5
- NIST CSF v2.0: PR.DS-6, PR.PT-2, DE.CM-4
- ISO 27001:2022: A.8.7, A.8.12, A.8.19
- SOC 2: CC6.1, CC6.6, CC7.2