Integrating with Azure

A short step-by-step guide for integrating Azure into securiCAD

This section describes how securiCAD can be used to analyse your Azure environments. In short, securiCAD analyses your Azure environment by collecting data from it with Foreseeti's securicad-azure-collector; the collected data is then used to perform attack simulations in securiCAD Enterprise.
The collector script uses the public Azure APIs to create a representation of the infrastructure. Once it completes, the result is available as a JSON file. The Azure collector script is available on PyPI.

📘

For information on the latest Azure Collector versions, see our GitHub.

Azure Reader App Registration

To collect the Azure infrastructure configuration needed for creating a securiCAD model (digital twin), an identity with the Azure Reader role needs to be added to the Azure subscription; the collector then uses that identity with the Azure SDK to fetch the configuration. You can create such an identity using an Azure app registration.

The extractor program needs to assume the identity of a security principal assigned a Reader role at the subscription level to be able to extract your environment. We suggest that you either register a new application under App registrations in Azure Active Directory to create a new Service Principal, or assign a system-assigned Managed Identity to an Azure virtual machine (possibly the same machine running securiCAD Enterprise), and give that security principal the Reader permission. The first option is required if you are running the collector locally.

  1. In the Azure console, create a new App Registration and give it a suitable name, e.g. securicad-data-extractor.
  2. Supported account types should be Accounts in this organizational directory only.
  3. Collect the individual keys the fetcher needs to access the Azure APIs. The image below shows the different keys you need. You also need to create a Client Secret.
  4. Creating the Client Secret

First, go into client credentials, shown here:

Then, create New client secret as shown here:

The keys generated should then be stored in a secure place for further use.

🚧

Restricting data collection
The securicad-azure-collector will only be able to collect the data that its RBAC assignment allows. Always follow best practices for RBAC assignments when creating your roles, and use the appropriate resource restrictions to limit the collected data.

Assigning the Security Principal its permission

As mentioned earlier, give the newly generated Security Principal (in the case above, the App Registration) a Reader role assignment on the subscriptions you wish to collect.

Granting Active Directory Group Member Read (Suggested)

It's ideal to allow the collector to read the Active Directory group members of the groups that have an IAM assignment within the Azure cloud. This allows the model to connect the security principals that belong to each group. To do this, click API permissions on the App Registration dashboard and grant the GroupMember.Read.All permission via Add a permission > Microsoft Graph > Application permissions > GroupMember.Read.All. Note that an Active Directory admin will have to approve this permission before it is granted.

Data Enrichment using Application Insights (Optional)

Application Insights records the traffic in your Azure environment and can be used to enrich the securiCAD model by making use of its topology mapping. The topology dump allows the parser to connect services that communicate with each other through connection strings/keys, since it sees that there is some form of communication between these services that does not rely on RBAC assignments. To make use of this, set up an Application Insights component in your Azure environment, attach the services you are about to analyse in securiCAD to it from their respective configuration pages, and let the entire system run for some time.

Collecting the Azure environment configuration

Next, collect all the keys in one place and keep them safe, since with them you can now extract the information about your Azure environment.

The keys needed for extraction are Subscription ID, Directory (Tenant) ID, Application Registration Client ID and Secret.

Put them in a bash script file like this:

 export AZURE_SUBSCRIPTION_ID='xxx'
 export AZURE_TENANT_ID='xxx'
 export AZURE_CLIENT_ID='xxx'
 export AZURE_CLIENT_SECRET='xxx'

Load the environment variables into the shell by sourcing the script as follows:
source path/to/environment_variables.bash
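Before starting the collector it is worth checking that the four variables above are actually present and not still the 'xxx' placeholders from the template, without ever echoing the secret itself. The following pre-flight check is an added example written for this page; it is not part of securicad-azure-collector. It assumes only what the bash script above shows: the four AZURE_* variable names, and that the three IDs are GUIDs.

```python
"""Pre-flight check for the collector's credentials (added example, not part of
securicad-azure-collector). It verifies the four variables the
environment_variables.bash script exports before the collector is started, so a
leftover placeholder or a pasted-in whitespace error is caught early. The secret
value is never printed, only the variable name."""
import os
import re
from typing import Dict, List

# The variable names are the ones the bash script in the guide exports.
REQUIRED = (
    "AZURE_SUBSCRIPTION_ID",
    "AZURE_TENANT_ID",
    "AZURE_CLIENT_ID",
    "AZURE_CLIENT_SECRET",
)
# Subscription, tenant and client IDs are GUIDs in Azure.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
# Values that mean "nobody filled this in yet" ('xxx' is the guide's template value).
PLACEHOLDERS = {"", "xxx", "<client-secret>"}


def check_env(env: Dict[str, str]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the
    environment is usable by the collector."""
    problems: List[str] = []
    for name in REQUIRED:
        value = env.get(name, "")
        if value.strip() in PLACEHOLDERS:
            problems.append(f"{name} is missing or still a placeholder")
        elif value != value.strip():
            # A copy-paste error that azure-identity would reject with a confusing auth error.
            problems.append(f"{name} has leading/trailing whitespace")
        elif name != "AZURE_CLIENT_SECRET" and not GUID_RE.match(value):
            problems.append(f"{name} is not a GUID")
    return problems


def main() -> int:
    """Exit non-zero with one line per problem, so a wrapper script can stop
    before invoking the collector."""
    problems = check_env(dict(os.environ))
    for problem in problems:
        print("preflight:", problem)
    if problems:
        return 1
    print("preflight: credentials present; run: python3 -m securicad.azure_collector")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it in the same shell session after sourcing the bash script; a non-zero exit means one of the exported values needs attention.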

Resource tagging (Optional)

You may tag your Azure resources with the key/value pair below in order to logically segment the objects into different simulations once you've created your model. Note that Group: can hold either a single value or a comma-separated list of several groups. The value of C/I/A is expected to be an integer between 0 and 10. It defines the consequence value used if the resource is set as a high value asset, i.e. how critical Confidentiality, Integrity and Availability are for the resource. If it is 0, you may simply omit the corresponding key.

The securiCAD Azure Collector will look for the scad key and place the scanned objects in logical groups. These groups can then be used to create CIA simulations programmatically, using our enterprise-sdk. More details about this use case can be found here.
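To make the tag rules concrete, here is an added example (written for this page, not code from the collector) that parses the scad tag from a resource's tag dictionary, enforces the 0-10 range for C/I/A, treats an omitted key as 0, and buckets resources by group. The page fixes only the tag key (scad), the Group field as a single value or comma-separated list, and C/I/A as integers; the field and value separators used here (';' between fields, ':' between field name and value) are an assumption of this example, as are the sample resource names.

```python
"""Parse the securiCAD 'scad' resource tag and group resources by it (added
example, not collector code). Assumed value layout, e.g.
'Group:web-tier,payments;C:8;I:6;A:3': fields separated by ';', each field
'name:value'. Only the key name, the Group list rule and the C/I/A 0-10 rule
come from the guide; the separators are this example's assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ScadTag:
    groups: List[str] = field(default_factory=list)
    # An omitted C, I or A key means a consequence of 0, as the guide states.
    consequence: Dict[str, int] = field(default_factory=lambda: {"C": 0, "I": 0, "A": 0})


def parse_scad_tag(value: str) -> ScadTag:
    """Parse one scad tag value; raises ValueError on malformed or out-of-range input."""
    tag = ScadTag()
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        key, sep, val = raw.partition(":")
        if not sep:
            raise ValueError(f"field without ':' in scad tag: {raw!r}")
        key, val = key.strip(), val.strip()
        if key.lower() == "group":
            # Single value or comma-separated list; blank entries are ignored.
            tag.groups = [g.strip() for g in val.split(",") if g.strip()]
        elif key.upper() in ("C", "I", "A"):
            try:
                n = int(val)
            except ValueError:
                raise ValueError(f"{key} must be an integer 0-10, got {val!r}") from None
            if not 0 <= n <= 10:
                raise ValueError(f"{key} must be between 0 and 10, got {n}")
            tag.consequence[key.upper()] = n
        else:
            raise ValueError(f"unknown scad field {key!r}")
    return tag


def group_resources(resources: List[Dict]) -> Dict[str, List[Tuple[str, ScadTag]]]:
    """Bucket resources by scad group. Resources without a scad tag are skipped;
    a malformed tag raises so the mistake is noticed before a simulation is built."""
    groups: Dict[str, List[Tuple[str, ScadTag]]] = {}
    for res in resources:
        tags = res.get("tags") or {}
        if "scad" not in tags:
            continue
        parsed = parse_scad_tag(tags["scad"])
        for g in parsed.groups:
            groups.setdefault(g, []).append((res["name"], parsed))
    return groups


# Constructed sample resources in the shape of Azure resource tag dictionaries.
SAMPLE_RESOURCES = [
    {"name": "vm-web-01", "tags": {"scad": "Group:web-tier;C:3;I:7;A:9"}},
    {"name": "sql-orders", "tags": {"scad": "Group:web-tier,payments;C:10;I:10"}},
    {"name": "st-logs", "tags": {"env": "prod"}},  # no scad tag: not grouped
]

if __name__ == "__main__":
    for name, members in group_resources(SAMPLE_RESOURCES).items():
        print(name, [(m, t.consequence) for m, t in members])
```

Validating the tag value at collection time, rather than when the simulation is set up, is the point: an out-of-range consequence value or a typo in a group name silently changes which assets are treated as high value.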

Generating (downloading) the Azure configuration data

❗️

In the instructions below, make sure that you are using the correct version of the securiCAD Azure Collector. If you are using securiCAD as a service hosted by Foreseeti, always use the latest version of the collector.

❗️

The latest version of the AWS Collector requires Python 3.8 or above. While older versions of Python might still allow you to install the securicad-aws-collector, the collected data will not be compatible with securiCAD.

Alternatively, fetch the securicad-azure-collector source using git:

$ git clone https://github.com/foreseeti/securicad-azure-collector

Install the securicad-azure-collector with pip:

$ pip install securicad-azure-collector

Below is an example of how to run the securiCAD Azure Collector.

$ python3 -m securicad.azure_collector

If output paths aren't specified (run python3 -m securicad.azure_collector --help for the options), the program will write a timestamped active_directory_YYYY-mm-dd_HH:MM.json file under the environment_files directory, and a file called application_insights_YYYY-mm-dd_HH:MM.json under the same directory if an Application Insights resource was found within the scope of the provided Azure environment. Again, the application_insights.json file can be used to enrich the model by connecting services that communicate with each other through connection strings/keys. This data file is optional, but we suggest producing it if you are using App Services and Function Apps that communicate with Azure backend resources where Managed Identities are not used. The resulting JSON files can be uploaded directly into securiCAD Enterprise, or by using the securiCAD Enterprise SDK.
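When the collector is run repeatedly, environment_files fills up with several timestamped runs, and the Application Insights file exists only for some of them. The helper below, an added example written for this page and not part of the collector, picks the newest active_directory_*.json and the matching application_insights_*.json for the same run, if one exists, so the right pair is uploaded. It assumes only the file name pattern stated above; the sample file names in the test are constructed.

```python
"""Select the newest collector output pair from environment_files (added example,
not part of securicad-azure-collector). File names follow the pattern the guide
states: active_directory_YYYY-mm-dd_HH:MM.json and, optionally,
application_insights_YYYY-mm-dd_HH:MM.json with the same timestamp."""
import re
from datetime import datetime
from pathlib import Path
from typing import Dict, Iterable, Optional

NAME_RE = re.compile(
    r"^(active_directory|application_insights)_(\d{4}-\d{2}-\d{2}_\d{2}:\d{2})\.json$"
)


def latest_outputs(names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Return {'active_directory': <name>, 'application_insights': <name or None>}
    for the most recent run that has an active_directory file."""
    runs: Dict[str, Dict[str, str]] = {}
    for name in names:
        m = NAME_RE.match(name)
        if not m:
            continue  # unrelated file in the directory
        kind, stamp = m.groups()
        # Reject names that match the shape but are not real dates (e.g. month 13).
        datetime.strptime(stamp, "%Y-%m-%d_%H:%M")
        runs.setdefault(stamp, {})[kind] = name
    ad_runs = [s for s, files in runs.items() if "active_directory" in files]
    if not ad_runs:
        raise FileNotFoundError("no active_directory_*.json found; run the collector first")
    newest = max(ad_runs)  # YYYY-mm-dd_HH:MM stamps sort chronologically as strings
    files = runs[newest]
    return {
        "active_directory": files["active_directory"],
        # None when the run found no Application Insights resource in scope.
        "application_insights": files.get("application_insights"),
    }


def latest_outputs_in(directory: str = "environment_files") -> Dict[str, Optional[str]]:
    """Same selection, read from the collector's default output directory."""
    return latest_outputs(p.name for p in Path(directory).iterdir())


if __name__ == "__main__":
    print(latest_outputs_in())
```

Pairing by timestamp rather than taking the newest file of each kind matters: an Application Insights dump from an older run describes a topology that no longer matches the newer Active Directory snapshot.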

👍

Find more examples and collector options on GitHub.