Published April 2017
This document is for informational purposes only. MICROSOFT/AVYAN MAKES NO
WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS
DOCUMENT.
This document is provided “as-is.” Information and views expressed in this
document, including URL and other Internet website references, may change
without notice. Customers reading this document bear the risk of using it.
This document does not provide customers with any legal rights to any
intellectual property in any Microsoft product. Customers may copy and use this
document for their internal, reference purposes.
NOTE: Certain recommendations in this paper may result in increased data,
network, or compute resource usage, and may increase a customer’s license or
subscription costs.
© 2016 Microsoft/Avyan. All rights reserved.
- Frank Simorjay (Microsoft)
- Gururaj Pandurangi (Avyan Consulting)
This solution is intended as a reference architecture pilot and should not be used as-is for production purposes.
- Achieving PCI / HIPAA Compliance requires Customers to consult with their QSA.
- Please contact [email protected] if you need further info or support on this QuickStart solution.
TBD
- SOLUTION OBJECTIVE AND SCENARIO
- USER SCENARIO
- DEPLOYMENT GUIDE
- DEPLOYMENT ARCHITECTURE
- FREQUENTLY ASKED QUESTIONS AND TROUBLESHOOTING GUIDE
The solution is intended to simplify Azure adoption, showcase a commonly used reference architecture, and teach how to deploy a secure and compliant PaaS solution.
The objective of this solution is to illustrate how a 4-tier secure and compliant solution could be deployed as an end-to-end Azure solution:
- Collect, store, and retrieve payment card data while complying with stringent Payment Card Industry, Data Security Standards (PCI DSS) requirements.
- Collect, store, and retrieve healthcare data that complies with requirements for safe patient health information handling practices governed by the Health Insurance Portability and Accountability Act (HIPAA).
- Solution blueprint. The blueprint provides an understanding of how Contoso Health (a fictitious organization) achieved its compliant state. Included in the solution package is a completed PCI – DSS responsibility matrix for Contoso Health.
- Reference architecture. The reference architecture provides the design that was used for the Contoso Health solution.
- Azure Resource Manager (ARM) templates. In this deployment, JavaScript Object Notation (.JSON) files provide Microsoft Azure the ability to automatically deploy the components of the reference architecture after the configuration parameters are provided during setup.
- PowerShell scripts. The scripts, created by Avyan Consulting Corp, help set up the end-to-end solution. The scripts consist of:
- Module installation script that will install required PowerShell modules for the installation. This script will require local administrator rights.
- Global administrator setup script establishes the needed admin user to deploy the solution
- A pre-installation process that establishes user roles and establishes required parameters in Microsoft Active Directory to ensure the correct role-based access control mechanisms are deployed. This process includes configuring separation of duties for core administrators and users.
- A post-installation process that deploys an ARM template, web front-end runtime, and SQL bacpac built by the Microsoft SQL team, and revised for this scenario by Avyan Consulting Corp. The Contoso Clinic Demo Application provides the framework for the solution user scenario. The templates and scripts build out a web application and SQL database that use the App Service Environment to provide service isolation from the front end to the back end. The script also establishes a means to manage changes in the environment by creating a dev/test environment. For additional details about the reference architecture, data flow, and configuration, see Section 6 of this document.
For deployment details, refer to the section DEPLOYMENT GUIDE below.
This scenario illustrates how a fictitious medical clinic migrated its patient intake and payment card processing to Azure.
A small medical clinic called Contoso Health is ready to move its patient intake and payment system to the cloud. It has selected Microsoft Azure to host the patient intake process and to allow a clinic manager or receptionist to collect credit card payments from patients for a visit.
The administrator is looking for a solution that can be quickly deployed to achieve his goals. He will use this proof-of-concept (POC) to understand how Azure can be used to accomplish the following:
- Collect, store, and retrieve payment card data while complying with stringent Payment Card Industry Data Security Standard (PCI DSS) requirements.
- Collect, store, and retrieve healthcare data that complies with requirements for safe patient health information handling practices governed by the Health Insurance Portability and Accountability Act (HIPAA).
Because this is a POC that installs the required elements to operate a service, it is not a customer ready-to-go solution. It requires careful understanding of all the regulations and laws that your organization must abide by.
You will be responsible for conducting appropriate security and compliance reviews of any solution built with the architecture used by this POC, as requirements may vary based on the specifics of your implementation and geography. PCI DSS requires that you work directly with an accredited Qualified Security Assessor to certify your production-ready solution.
The POC solution is designed with the following fictitious employees of Contosoclinic.com. These roles are used only to illustrate the use case and provide insight into the user interface.
Item | Example |
---|---|
Username: | EdnaB |
Password: | !Password111!!! |
First name: | Edna |
Last name: | Benson |
User type: | Member |
Edna Benson is the receptionist and business manager. She is responsible for ensuring that patient customer information is accurate and that billing is completed. Edna will use the patient data in the following manner:
- Edna can create and read patient information, and read date of birth (DOB)*
- Edna will be able to modify patient information
- Edna can overwrite (or replace) credit card number, expiration, and CVC verification information
- Edna can replace stored Social Security number (SSN)
- Edna cannot read SSN or credit card information unmasked. In addition, all her actions are logged.
Item | Example |
---|---|
Username: | ChrisA |
Password: | !Password222!!! |
First name: | Chris |
Last name: | Aston |
User type: | Member |
Dr. Chris Aston is the clinic’s doctor. He is responsible for patient care and will be entering patient history and treatment information. Chris can update information for patients.
- Chris can create and read patient information, and read DOB
- Chris can modify patient information, including medical records and date of birth, and can view masked SSN.
- All of Chris’s actions are logged
In the Contoso Clinic Demo Application, you will be logged in as Edna and able to test the capabilities of the deployed environment.
The solution cost sample has a monthly fee structure and a per-hour usage charge to consider when sizing the solution. This example deployment cost was estimated using the Azure pricing calculator. The solution consists of the following items:
Service type | Custom name | Region | Description | Estimated Cost |
---|---|---|---|---|
Virtual Machines | Virtual Machines | South Central US | 1 Standard virtual machine(s), D1 (1 cores, 3.5 GB RAM, 50 GB disk) size: 1 months | $96.72 |
App Service | App Service | South Central US | 1 instance(s), 744 hours, size: s1, standard tier, 0 SNI connection(s), 0 IP connection(s) | $74.40 |
IP Addresses | IP Addresses | East US | arm type, 1 public IP Address(es) x 1 months | $2.98 |
SQL Database | SQL Database | East US | 1 standard database(s) x 1 months, size: s0 | $15.03 |
Storage | Storage | East US | 5/GB storage: Block blob type, Basic tier, LRS redundancy | $0.10 |
Storage | Storage | East US | 1 GB storage Table and Queue type. Basic tier, LRS redundancy, 1 x100,000 transactions | $0.07 |
Storage | Storage | East US | standard-s4 Disk type with 1 Managed disks | $0.77 |
Application Insights | Application Insights | East US | basic tier in us-east region with 2 GBs and 0 multi-step web test(s). | $2.30 |
Log Analytics | Log Analytics | East US | 1 GB(s), standalone tier | $2.30 |
Traffic Manager | Traffic Manager | East US | 2 million(s)/mo queries, 2 Azure endpoints, 0 external endpoints | $1.80 |
Security Center | Security Center | East US | $15.00 | |
Key Vault | Key Vault | East US | 1 operations, 1 certificate renewals, 1 HSM keys in the us-east region | $4.03 |
Azure Active Directory | Azure Active Directory | East US | free tier, per-user MFA billing model, 10 MFA user(s), 25001-100000 directory objects, 0 hours | $14.00 |
Application Gateway | Application Gateway | East US | 1 instance(s) x 1 months, 1 GB data processed, outbound transfers:: 5 GB | $93.74 |
Azure DNS | Azure DNS | East US | 1 zone(s), 0 million queries | $0.50 |
Traffic Manager | Traffic Manager | East US | 1 million(s)/mo queries, 1 Azure endpoints, 0 external endpoints | $0.90 |
Monthly Total | | | | $324.64 |
Annual Total | | | | $3,895.73 |
Disclaimer: All prices shown are in US Dollars ($). This estimate was created in April 2017.
This solution used the following Azure services (details to the deployment architecture are located in DEPLOYMENT ARCHITECTURE):
- Application Gateway
- Azure Active Directory
- App Service Environment
- OMS Log Analytics
- Azure Key Vault
- Network Security Groups
- Azure SQL DB
- Azure Load Balancer
- Application Insights
- Azure Security Center
- Azure Web App
- Azure Automation
- Azure Automation Runbooks
- Azure DNS
- Azure Virtual Network
- Azure Virtual Machine
- Azure Resource Group and Policies
- Azure Blob Storage
- Azure Active Directory access control (RBAC)
- Collect prerequisites such as the SSL certificate and an Azure subscription
- Install PowerShell modules on the client computer by running a PowerShell install script
- Configure a global admin on the Azure subscription in the Azure portal
- Acquire initial configuration variables
- Set up run-as services to allow installation scripts to execute
- Run the pre-installer script
- Install the ARM templates (build the Azure service elements)
- Run the post-installer script
- Validate data in SQL database
- Run post-installer SQL script to encrypt database
- Run SQL script to encrypt service elements (patient SSN, DOB, credit card #, Exp date, CVV)
- Validate data in SQL database is encrypted
- Review user roles and rights assigned to Edna and Chris
- If you choose, delete the installation and dependencies by running a PowerShell script
This section provides detailed information about items you will need during installation.
IMPORTANT: The solution requires a paid Azure subscription; a trial subscription will not work.
Note that many of the features are not available in an Azure trial account. You will also need access to manage the subscription as a member of the Subscription Admins role and as co-administrator of the subscription.
If you have not already done so, download or clone a copy of the installation solution from https://github.com/AvyanConsultingCorp/pci-paas-webapp-ase-sqldb-appgateway-keyvault-oms (if you downloaded a .zip file, expand the content of the compressed file to a local directory).
The installation requires a custom domain and SSL certificate. Microsoft recommends that a custom domain be purchased with an SSL package. Microsoft offers the ability to create a domain and request an SSL certificate from a Microsoft partner.
Setting up a custom domain with a DNS record and a root domain can be configured in the Azure Portal.
The installation of the ARM template requires the domain name, such as contosoclinic.com, and the .pfx file from the SSL provider, which must be Base64-encoded before uploading to Azure. The following process can be used to create the correct file.
- Review the instructions on creating a website SSL certificate.
- Retrieve your private key. This file will have a name such as www.contosoclinic.com_private_key.key
- Retrieve your certificate. This file will have a name such as www.contosoclinic.com_ssl_certificate.cer
- Create a personal information exchange (.pfx) file and protect it with a password.
- Convert the .pfx file into a Base64 text file. For example, in PowerShell you can use the following commands:
$fileContentBytes = Get-Content 'contosoclinic.com_private_key.pfx' -Encoding Byte
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'pfx-bytes.txt'
Preserve your Base64 SSL string and password; you will use them when installing the ARM template.
If you cannot use an authority to create an SSL certificate, you can consider using a self-signed certificate generated by services such as Let's Encrypt. However, for PCI compliance, self-signed certificates do not comply with requirements and will not pass an audit for PCI DSS.
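As an added example (not one of the solution's own scripts), the following PowerShell performs the conversion above and then checks the Base64 string before it is pasted into the ARM template: it decodes the string back, loads it with the PFX password, and confirms it carries a private key, is not self-signed, is not about to expire, and names the custom host. The file names and host name are assumptions that follow the guide's naming convention.

```powershell
param(
    [string]$PfxPath      = 'contosoclinic.com_private_key.pfx',   # assumed file name, per the guide
    [string]$OutFile      = 'pfx-bytes.txt',
    [string]$ExpectedHost = 'www.contosoclinic.com'                # the customHostName you will deploy with
)
$ErrorActionPreference = 'Stop'

# Read the PFX password as a SecureString so it is not left in the script or the shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# ReadAllBytes works on both Windows PowerShell 5.x and PowerShell 7
# (Get-Content -Encoding Byte, used in the guide's command, was removed in 7).
$pfxBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PfxPath).Path)
$base64   = [System.Convert]::ToBase64String($pfxBytes)

# Round-trip check: decode exactly the string that will be shipped and load it as a certificate.
$decoded = [System.Convert]::FromBase64String($base64)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($decoded, $pfxPassword)

$problems = @()
if (-not $cert.HasPrivateKey) {
    $problems += 'the PFX does not contain the private key, so the gateway cannot terminate TLS with it'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "the certificate expires on $($cert.NotAfter.ToString('u'))"
}
if ($cert.Subject -eq $cert.Issuer) {
    $problems += 'the certificate is self-signed, which the guide notes will not pass a PCI DSS audit'
}
# The subject/SAN DNS name must cover the custom host; wildcard names still need a manual look.
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $ExpectedHost -and -not $dnsName.StartsWith('*.')) {
    $problems += "the certificate is issued to '$dnsName', not '$ExpectedHost'"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'certificate checks failed; fix the PFX before deploying'
}

# Write the string as one ASCII line (no BOM, no trailing newline) so it pastes cleanly into
# the certData parameter. The file embeds your password-protected private key: delete it
# once the ARM deployment has completed.
Set-Content -Path $OutFile -Value $base64 -Encoding Ascii -NoNewline
"Wrote $($base64.Length) Base64 characters for '$($cert.Subject)' (expires $($cert.NotAfter.ToShortDateString())) to $OutFile"
```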
The local configuration of PowerShell will require that the installation script be run with local admin privileges or remotely signed credentials to ensure that local permissions do not prevent the installer from running correctly.
The following software applications and modules are required on the client computer throughout the installation of this solution.
- SQL Management Tools to manage the SQL database.
- PowerShell version 5.x or greater. To check your version, run the following command in PowerShell:
$PSVersionTable.PSVersion
- The PowerShell modules referenced in the following PowerShell script, which must be installed with local Administrator permissions. To do so:
  - Open PowerShell in Administrator mode.
  - Run the following installation script, located in the ./pre-post-deployment folder of this solution, and accept (select Yes) any prompts:
./Install-azure-powershell-modules.ps1
If any of the commands from the script fail, see the following reference links for assistance:
To test AzureRM, run the following commands in PowerShell:
$cred = Get-Credential
Login-AzureRmAccount -Credential $cred
To test Azure AD, run the following commands in PowerShell:
$cred = Get-Credential
Connect-AzureAD -Credential $cred
Review the following documentation to test enabling AzureRM Diagnostics.
Review the following documentation to test Azure Diagnostics and Log Analytics.
To test the SQL Server PowerShell module, run the following commands in PowerShell:
$Credential = Get-Credential
Connect-AzureAD -Credential $Credential
Get-Module -ListAvailable -Name Sqlps
An Active Directory administrator with global privileges is required to run the installation. The local administrator must be in the .onmicrosoft.com domain name to run this solution; this step will help create the correct administrator user.
- In the Azure Portal, select Azure Active Directory.
- Select Domain Name. Record the name of your domain registered under Name. This will be used in our domain script as $AzureADDomainName. In our example: pcidemo.onmicrosoft.com
- Select Properties. It will provide your Directory ID. This will be used in our domain script as $tenantID. In our example: 46d804b6-210b-4a4a-9304-83b93
- You will require the username and password that were used to create your subscription.
The script CreateGlobalADAdmin.ps1 provides the setup and configuration of the admin user that will be used for the remainder of the installation. It is essential that this user is configured correctly, with the Subscription Admins role and co-administrator rights on the subscription.
NOTE: Strong passwords (Minimum 15 characters, with Upper and Lower case letters, at least 1 number and 1 special character) are recommended throughout the solution.
- Open PowerShell in local Administrator mode (right-click and select Run as administrator).
- Change directory to the local directory that contains the script and run the script:
.\pre-post-deployment\CreateGlobalADAdmin.ps1
- Provide your Domain Name, Directory ID (or tenantID), and subscription manager password.
- In the Azure Portal, select Subscription, then select your subscription.
- Select Access control (IAM).
- Select +Add.
- Select the Role as Owner.
- Select the user – Admin, in our example [email protected]
- Save the configuration.
Return to the Azure portal and log in with your admin user. You may need to open an InPrivate browser window to ensure you are logging in without cached credentials. Reset your temporary password.
NOTE – The remainder of the installation guidance will use the Admin user for all steps.
The following procedure should be followed whenever you restart your PowerShell IDE session. This may not be required at all times, but it is strongly recommended to ensure the correct credentials are cached in your new session. For this demo, always log in as the admin user created above.
Logging in to the PowerShell administrative session
- Open your PowerShell IDE.
- Connect to your Azure AD service by running the following command with your admin user, such as [email protected]:
Connect-AzureAD
- Connect to your Azure Active Directory (MSOnline) service by running the following command with your admin user, such as [email protected]:
Connect-MsolService
- Connect to Azure Resource Manager by running the following command with your admin user, such as [email protected]:
Login-AzureRmAccount
- Retrieve your subscription information by running the following command:
Get-AzureRmSubscription
- Record the highlighted information as illustrated in the following example:
TenantId : 21d644f0-12av-4043-b0bb-f5acfde12256
SubscriptionId : 27017c43-3ea4-467a-afa4-7d3d3d9D33232
NOTE – whenever starting or restarting your PowerShell IDE session, it is recommended that you run the previous four commands to ensure you are logged into the correct services throughout the installation and testing of this solution.
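The following PowerShell, an added example that is not part of the solution's scripts, runs the sign-in commands above and then verifies that each session is bound to the tenant and subscription you recorded, so a stale session from another directory cannot be picked up by the later scripts. The admin UPN, domain and subscription ID are parameters; the defaults are the guide's sample values, and the admin UPN itself is hypothetical.

```powershell
param(
    [string]$AdminUpn          = 'admin@pcidemo.onmicrosoft.com',   # hypothetical; your CreateGlobalADAdmin user
    [string]$AzureADDomainName = 'pcidemo.onmicrosoft.com',
    [string]$SubscriptionId    = '27017c43-3ea4-467a-afa4-7d3d3d9D33232'
)
$ErrorActionPreference = 'Stop'

# 1. Azure AD module session. -AccountId pre-fills the sign-in prompt with the admin UPN.
Connect-AzureAD -AccountId $AdminUpn | Out-Null
$aadSession = Get-AzureADCurrentSessionInfo
if ($aadSession.TenantDomain -ne $AzureADDomainName) {
    throw "Azure AD session is bound to '$($aadSession.TenantDomain)', expected '$AzureADDomainName'"
}

# 2. MSOnline session (Set-MsolUserPassword in the post-deployment steps depends on it).
$cred = Get-Credential -UserName $AdminUpn -Message 'Admin password for Connect-MsolService'
Connect-MsolService -Credential $cred
if (-not (Get-MsolUser -UserPrincipalName $AdminUpn)) {
    throw "MSOnline session cannot see '$AdminUpn'; you are connected to the wrong directory"
}

# 3. Azure Resource Manager session, pinned to the expected subscription at sign-in.
Login-AzureRmAccount -SubscriptionId $SubscriptionId | Out-Null
$ctx = Get-AzureRmContext
if ($ctx.Account.Id -ne $AdminUpn) {
    throw "ARM session belongs to '$($ctx.Account.Id)', expected '$AdminUpn'"
}
# Get-AzureRmSubscription throws if the signed-in account cannot reach the subscription.
$sub = Get-AzureRmSubscription -SubscriptionId $SubscriptionId
# Property names vary between AzureRM versions (SubscriptionId vs Id, alongside TenantId),
# so print the object rather than assuming one shape; these are the values to record.
$sub | Format-List

"All sessions verified for $AdminUpn in $AzureADDomainName, subscription $SubscriptionId"
```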
The script pre-deployment.ps1 provides the setup and configuration of users and other framework elements. The following steps are required to run the script. Note that the scripts must complete without errors before the ARM template can be deployed successfully. NOTE: ensure you are logged into PowerShell with the correct (admin) credentials.
Use the Azure portal with an account that is a member of the Subscription Admins role and co-administrator of the subscription.
- Set up your resource group. In a PowerShell IDE, run the following command:
New-AzureRmResourceGroup -Name [RESOURCE GROUP NAME] -Location "East US"
In our example we use:
New-AzureRmResourceGroup -Name Contosoclinic -Location "East US"
NOTE: This demo currently ONLY runs correctly in the East US location.
- Create an Automation account, following the instructions for creating a runbook with an Azure Run As account.
NOTE: Do not proceed without verifying that your Automation account was deployed successfully, by running the runbook example from the previous step called azureautomationtutorialscript. Creation of a Service Principal has a propensity to fail on occasion, so troubleshooting this process is essential.
- Record the information about your resource group, and Automation account:
Parameter name | Example from previous step |
---|---|
Name of automation | Contosoclinic-Automation |
Resource group you added | Contosoclinic |
- In the PowerShell IDE, change directory to the local directory that contains the script and run the script predeployment.ps1:
.\predeployment.ps1
Select Run Once to the script warning if you are prompted
Parameter name | Example from previous steps |
---|---|
$azureADDomainName | pcidemo.onmicrosoft.com |
$subscriptionID | 27017c43-3ea4-467a-afa4-7d3d3d9D33232 |
$suffix | contosoclinic |
Record the information provided by the script. You will need this information to proceed, as illustrated in the following example for contosoclinic.com.
Name of Automation account: Contosoclinic-Automation
Parameter name | Example for Contosoclinic.com |
---|---|
_artifactsLocationSasToken: | [BLANK] |
Cert Data: | Your base 64 SSL certificate string |
Cert Password: | Your certificate password |
Bastion Host Administrator User Name: | Default Value 'bastionadmin' |
Bastion Host Administrator Password: | Password must meet minimum length and complexity requirements |
SQL Administrator Login User Name: | Default Value is 'sqladmin' |
SQL Administrator Login Password: | Password must meet minimum length and complexity requirements |
SQL Threat Detection Alert Email Address: | Email Address to receive alerts for the account |
Automation Account Name: | Automation account In our example contosoclinic-automation |
Custom Host Name: | Your registered domain name. In our example www.contosoclinic.com |
Azure AD Application Client ID: | In our example 27017c43-3ea4-467a-afa4-7d3d3d9D |
Azure AD Application Client Secret: | Default Value Password@123 |
Azure AD Application Object ID: | In our example 73559c5c-e213-4f10-a88c-546c2 |
SQL AD Admin User Name: | Default Value, in our example sqladmin\@pcidemo.onmicrosoft.com |
The following additional users have been created in the domain.
User Role | Example for Contosoclinic.com |
---|---|
receptionist | [email protected] |
password | !Password111!!! |
doctor | [email protected] |
password | !Password222!!! |
Azure Active Directory application permissions must be configured manually; there are no PowerShell scripts available at this time to manage the settings reliably.
- In the Azure Portal, select App Registrations.
- Select the application you created. It will be listed with your selected $suffix and the name Azure PCI PAAS Sample.
- Click Required Permissions.
- Click +Add.
- Click Select an API.
- In this step you will modify Windows Azure Active Directory, Microsoft Graph, Windows Azure Service Management API, and Azure Key Vault.
NOTE: If Azure Key Vault is not listed in your App Registration API list, you will need to manually create a temporary key vault instance: select Key Vault in the Azure Portal, select +Add, and create it in a sample resource group with any name. Once the vault is created, you will be able to delete it. This action forces the Key Vault API to register in the App Registration interface for the next step. Additionally, you can read the following guidance from this blog post for further help.
The following sections will help you configure each App Registration permission sets.
NOTE: The order of your APIs may be different than listed in this documentation.
- Select the Windows Azure Active Directory API.
  - Select the following 2 application permissions:
    - Read and write directory data
    - Read directory data
  - Select the following 3 delegated permissions:
    - Read all groups
    - Read directory data
    - Access the directory as the signed-in user
  - Click Select.
  - Select Done.
- Click +Add.
- Select the Microsoft Graph API.
  - Select the following 6 application permissions:
    - Read files in all site collections
    - Read all groups
    - Read directory data
    - Read and write directory data
    - Read all users’ full profiles
    - Read all identity risk event information
  - Select the following 7 delegated permissions:
    - Sign in and read user profiles
    - Read all users’ basic profiles
    - Read all users’ full profiles
    - Read all groups
    - Read directory data
    - Read and write directory data
    - Access the directory as the signed-in user
  - Click Select.
  - Select Done.
- Click +Add.
- Select the Azure Key Vault API.
  - Select no application permissions.
  - Select the following 1 delegated permission:
    - Have full access to the Azure Key Vault service
  - Click Select.
  - Select Done.
- Click +Add.
- Select the Windows Azure Service Management API.
  - Select no application permissions.
  - Select the following 1 delegated permission:
    - Access Azure Service Management as organization user
  - Click Select.
  - Select Done.
If the configurations are successful, you will see a table of permissions similar to the following:
API | Application permissions | Delegated permissions |
---|---|---|
Windows Azure Active Directory | 2 | 3 |
Microsoft Graph | 6 | 7 |
Azure Key Vault | 0 | 1 |
Windows Azure Service Management | 0 | 1 |
Deploying the ARM template requires the following information, which you should collect before clicking Deploy to Azure on the following page. (The information shown is for a sample deployment.) The values used here come from the pre-deployment script output.
The following example is used to illustrate the ARM information for contosoclinic.com
Basics
- Subscription: 27017c43-3ea4-467a-afa4-7d3d3d9D33232
- Resource group: Contosoclinic
- Location: Greyed out
Settings
- _artifactsLocation: https://raw.githubusercontent.com/AvyanConsultingCorp/pci-paas-webapp-ase-sqldb-appgateway-keyvault-oms/master
- _artifactsLocationSasToken: NULL
- certData: [The Contoso Base-64 SSL string]
- certPassword: [Password you created for the SSL cert]
- bastionHostAdministratorUserName: bastionadmin
- bastionHostAdministratorPassword: [Create a secure password]
- SqlAdministratorLoginUserName: sqladmin
- sqlAdministratorLoginPassword: [Created password]
- sqlThreatDetectionAlertEmailAddress: [email protected]
- automationAccountName: Contosoclinic-Automation
- customHostName: contosoclinic.com
- azureAdApplicationClientId: 952b0b1e-2582-4058-a0a0-0abc42107d70
- azureAdApplicationClientSecret: Password@123
- azureAdApplicationObjectId: e3aa33bb-1cae-4afd-a8ba-9124b2a1838a
- sqlAdAdminUserName: [email protected]
- sqlAdAdminUserPassword: [Created password]
After you have collected all of this information, you can click Deploy to Azure.
- Provide all of the deployment information you collected. Then click I agree to the Terms and conditions stated above.
- Click Purchase.
The following graphic displays the estimated time to deploy the solution components. The total time required is approximately 2.5 hours from when the Purchase button is clicked.
The following post-deployment steps deploy and set up the database, users, and data records; the steps also finalize connectivity. Steps in this section address PCI and healthcare record protection requirements by encrypting the customer records that contain payment card data and personal healthcare information (PHI).
In the Contoso example, the customer’s DNS settings require the Application Gateway IP address to be updated as a DNS record on the hosting site.
- Collect the Application Gateway IP address using the following PowerShell command:
Get-AzureRmPublicIpAddress | where {$_.Name -eq "publicIp-AppGateway"} | select IpAddress
This command will return the IP address. For example:
IpAddress
---------
52.168.0.1
- Log into your DNS hosting provider and update the A/AAAA and CNAME records with the Application Gateway IP address.
- Verify you can connect to your site by browsing to its domain, for example http://www.contosoclinic.com. Note that your site will have limited services until the post-deployment script is executed.
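As an added example (not part of the original solution), the following PowerShell looks up the Application Gateway's public IP the same way as the command above, then confirms that public DNS for the custom host already resolves to it and that the site answers over HTTPS, before you move on to the post-deployment script. The resource group and host name are the guide's sample values; the public resolver address is an assumption and any recursive resolver will do.

```powershell
param(
    [string]$ResourceGroupName = 'Contosoclinic',          # the guide's sample resource group
    [string]$HostName          = 'www.contosoclinic.com',  # your custom host name
    [string]$PublicIpName      = 'publicIp-AppGateway',    # name used in the guide's command
    [string]$Resolver          = '8.8.8.8'                 # any public recursive resolver
)
$ErrorActionPreference = 'Stop'

# Same lookup as the guide's command, scoped to the resource group.
$gatewayIp = (Get-AzureRmPublicIpAddress -ResourceGroupName $ResourceGroupName |
              Where-Object { $_.Name -eq $PublicIpName }).IpAddress
if (-not $gatewayIp) { throw "Public IP '$PublicIpName' not found in resource group '$ResourceGroupName'" }
"Application Gateway public IP: $gatewayIp"

# Ask a public resolver directly (-DnsOnly skips the hosts file and local cache) so a stale or
# locally overridden entry cannot hide a wrong record at the DNS hosting provider.
$aRecords = @()
try {
    $aRecords = @(Resolve-DnsName -Name $HostName -Type A -DnsOnly -Server $Resolver |
                  Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
} catch {
    Write-Warning "DNS lookup for $HostName failed: $($_.Exception.Message)"
}
if ($aRecords -contains $gatewayIp) {
    "DNS OK: $HostName resolves to $gatewayIp"
} else {
    Write-Warning "DNS for $HostName returns [$($aRecords -join ', ')], not $gatewayIp (record not updated, or still propagating)"
}

# HTTPS probe. Invoke-WebRequest validates the certificate chain and host name, so a
# self-signed or mis-issued certificate on the gateway fails here, as it would for an assessor.
try {
    $response = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing -TimeoutSec 30
    "HTTPS OK: $HostName answered with HTTP $($response.StatusCode)"
} catch {
    Write-Warning "HTTPS check for $HostName failed: $($_.Exception.Message)"
}
```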
The post-deployment script is designed to run after the ARM templates are successfully deployed. The script sets up security for the protection of Social Security number (SSN) samples and credit card or payment card information (PCI).
Post-deployment steps require the following information from your installation:
- Your SubscriptionId, which was collected in the ARM deployment step. For example: `27017c43-3ea4-467a-afa4-7d3d3d9D33232`
- Your resource group name. You can use the following command to identify your resource group:
Get-AzureRMResourceGroup | select ResourceGroupName
For example: `Contosoclinic`
- Your client-side IP address. To retrieve your client IP address, open your SQL server in the Azure Portal, click **Overview**, and select **Set server firewall** in the banner. Your client IP address will be displayed in the **Firewall Settings**. In this example, the client IP address is `10.0.1.231`. If you are using NAT or a firewall, it’s recommended that you also test your IP address with:
Invoke-RestMethod http://ipinfo.io/json | Select-Object -exp ip
and
ipconfig | Select-String "IPv4"
NOTE: While in this configuration, it’s advisable to add your client IP to the firewall settings for the SQL server: in Rule name, add the Rule name, Start IP, and End IP. In this example: Client IP, 10.0.1.1, 167.0.1.255.
- Your ASE outbound IP address, which you can retrieve using the Azure Portal: select your resource group, select your App Service Environment (in this example ase-PCI-dzwhejjrwbwdy), click Properties, and record the Outbound IP addresses (in this example 52.179.0.1).
- Your SQL server name (SQLServerName), which can be retrieved in the Azure Portal: click SQL Databases, select your database (for this example ContosoClinicDb), and the SQL server name will display in the Server name field. In our example, the fully qualified server name is sqlserver-dzwhejjrwbwdy.database.windows.net and the server name is sqlserver-dzwhejjrwbwdy.
- Your SQL username and password from the Azure ARM deployment. In our example, sqlAdAdminUserName: sqladmin and sqlAdAdminUserPassword: PASSWORD.
- Your Key Vault name, which you can retrieve using the Azure Portal: click Filter, select Key Vault, and select your key vault. In our example: kv-pcisamples-dzwhejjr
- Your azureAdApplicationClientId, which was collected in the ARM deployment step. In our example: 952b0b1e-2582-4058-a0a0-0abc4210
- Your azureAdApplicationClientSecret, which was collected in the ARM deployment step. In our example: Password@123
- The SQL AD Admin User created in the pre-deployment step. In our example: [email protected]
- The SQL AD Admin User password. In our example: PASSWORD
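As an added example (not part of the original solution), the following PowerShell creates the two SQL server firewall rules this step depends on, the client IP and the ASE outbound IP, as single-address rules, then lists every rule on the server and flags any that admits more than one address. Server and resource group names are the guide's sample values; the client IP is obtained with the same ipinfo.io lookup the guide suggests, and the ASE outbound IP is the value read from the ASE Properties blade.

```powershell
param(
    [string]$ResourceGroupName = 'Contosoclinic',             # the guide's sample values
    [string]$ServerName        = 'sqlserver-dzwhejjrwbwdy',   # short server name, not the FQDN
    [string]$AseOutboundIp     = '52.179.0.1',                # from the ASE Properties blade
    [string]$ClientIp          = (Invoke-RestMethod 'http://ipinfo.io/json').ip   # same lookup as the guide
)
$ErrorActionPreference = 'Stop'

function Set-SingleIpRule {
    param([string]$Name, [string]$Ip)
    # Start and End are the same address, so the rule admits exactly one client.
    $common = @{ ResourceGroupName = $ResourceGroupName; ServerName = $ServerName; FirewallRuleName = $Name }
    $existing = Get-AzureRmSqlServerFirewallRule @common -ErrorAction SilentlyContinue
    if ($existing) {
        Set-AzureRmSqlServerFirewallRule @common -StartIpAddress $Ip -EndIpAddress $Ip | Out-Null
    } else {
        New-AzureRmSqlServerFirewallRule @common -StartIpAddress $Ip -EndIpAddress $Ip | Out-Null
    }
    "rule '$Name' set to $Ip"
}

Set-SingleIpRule -Name 'ClientIP'    -Ip $ClientIp
Set-SingleIpRule -Name 'AseOutbound' -Ip $AseOutboundIp

function ConvertTo-IpNumber([string]$Ip) {
    # Dotted quad to an unsigned integer so rule widths can be compared.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [System.BitConverter]::ToUInt32($bytes, 0)
}

# Review every rule on the server and flag anything wider than a single address.
Get-AzureRmSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName |
    ForEach-Object {
        $width = (ConvertTo-IpNumber $_.EndIpAddress) - (ConvertTo-IpNumber $_.StartIpAddress) + 1
        $assessment =
            if ($_.FirewallRuleName -eq 'AllowAllWindowsAzureIps') {
                'built-in 0.0.0.0 rule: admits traffic from any Azure tenant; remove once only the ASE outbound IP is needed'
            } elseif ($width -gt 1) {
                "spans $width addresses; narrow to the single IP that needs access"
            } else {
                'single address, ok'
            }
        [pscustomobject]@{
            Rule  = $_.FirewallRuleName
            Start = $_.StartIpAddress
            End   = $_.EndIpAddress
            Note  = $assessment
        }
    } | Format-Table -AutoSize
```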
Running the post-deployment PowerShell script sets up the key vault, the master key, configures the SQL database, and sets up rules to configure the remainder of the reference architecture.
- To run the postdeployment.ps1 script, you must be logged into your PowerShell IDE with the correct credentials (see the earlier section on logging in to the PowerShell administrative session).
- In the PowerShell IDE, change directory to the local directory that contains the script.
- You will need to change the execution policy before you run the script. You can set it by issuing the following command:
Set-ExecutionPolicy Unrestricted
- Run the PostDeployment.ps1 script:
.\pre-post-deployment\PostDeployment.ps1
Select Run Once to the script warning if you are prompted.
- Once the script has completed, you must set your AD sqladmin password in PowerShell to the same password used during the ARM deployment, with the following command:
Set-MsolUserPassword -userPrincipalName [sqladmin@yourdomain] -NewPassword [NEWPASSWORD] -ForceChangePassword $false
In our example:
Set-MsolUserPassword -userPrincipalName [email protected] -NewPassword 'SECRET' -ForceChangePassword $false
At this point you have a fully deployed solution; what remains is to add the two administrative user roles to the database. The roles are added with SQL Server Management Studio (SSMS).
Open SQL Server Management Studio and sign in with the Azure Active Directory username and password. In our example: [email protected]
Use the following connection information in SQL Server Management Studio:
- Server type: Database Engine
- Server name: your Azure SQL logical server, in the form <servername>.database.windows.net, as created by the deployment. (The value pcidemo.onmicrosoft.com quoted in this example is the Azure AD tenant domain; it forms part of the username below and is not a server name.)
- Authentication: Active Directory Password Authentication
- Username: the AD SQL user account you set up in pre-deployment. In our example: [email protected]
- Password: the password for your AD SQL user account. In this example: PASSWORD
- Create a new query and run the following command to see the patient records the solution protects:
SELECT * FROM [dbo].[Patients]
You will also need to edit the PostDeploymentSQL.sql script in the pre-post-deployment folder:
- Replace XXXX with your AD domain name. In our example: pcidemo.onmicrosoft.com
Copy the edited script into a new SQL query and run it.
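The same post-deployment SQL step, scripted so the placeholder substitution, the Azure AD Password connection, and the verification query are repeatable. This is an added example, not one of the pre-post-deployment scripts shipped with the solution; the logical server FQDN and database name are assumptions, and the placeholder XXXX is handled exactly as the guide describes.

```powershell
# Added example, not part of the original pre-post-deployment scripts: substitute the tenant
# domain into PostDeploymentSQL.sql, run it over an Azure AD Password connection, then query
# [dbo].[Patients] as the guide does in SSMS. $SqlServerFqdn and $DatabaseName are assumptions.
param(
    [string]$SqlServerFqdn = 'contosoclinic-sql.database.windows.net',  # assumption: your logical server
    [string]$DatabaseName  = 'ContosoClinicDB',                           # assumption: your database
    [string]$AadDomain     = 'pcidemo.onmicrosoft.com',                   # tenant domain from the guide
    [string]$ScriptPath    = '.\pre-post-deployment\PostDeploymentSQL.sql'
)

# Prompt for the AD SQL admin account so the password never appears on the command line.
$cred  = Get-Credential -UserName "sqladmin@$AadDomain" -Message 'Azure AD SQL admin password'
$plain = $cred.GetNetworkCredential().Password

# Active Directory Password authentication in System.Data.SqlClient needs .NET Framework 4.6 or later.
$connStr = "Server=tcp:$SqlServerFqdn,1433;Database=$DatabaseName;" +
           "Authentication=Active Directory Password;User ID=$($cred.UserName);Password=$plain;" +
           "Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"

# XXXX is the placeholder the guide tells you to replace with the AD domain name.
$sql = (Get-Content -Path $ScriptPath -Raw) -replace 'XXXX', $AadDomain

# SqlClient does not understand the GO separator, so split the script into batches on GO lines.
$batches = $sql -split '(?im)^\s*GO\s*$' | Where-Object { $_.Trim() }

$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
$conn.Open()
try {
    foreach ($batch in $batches) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $batch
        [void]$cmd.ExecuteNonQuery()
    }

    # Same query the guide runs in SSMS; shows the first rows and the row count.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT * FROM [dbo].[Patients]'
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
    Write-Host ("Patients rows returned: {0}" -f $table.Rows.Count)
    $table | Select-Object -First 5 | Format-Table -AutoSize
}
finally {
    $conn.Close()
    $plain = $null
}
```

Dynamic Data Masking only masks results for principals that lack the UNMASK permission, so the Azure AD admin used here normally sees the clear values; to confirm the masking the post-deployment script configured, run the same SELECT as a less privileged Azure AD user.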
The following sections address the security controls required for logging, monitoring, security detection, and anti-malware protection.
During the deployment step the OMS runbook scripts were created and installed. In this configuration step the OMS instance is configured by starting those runbooks and setting the workspace pricing tier.
NOTE: The default Free pricing tier is not sufficient for this solution to operate correctly; you must change the Log Analytics workspace to the OMS pricing tier (the last steps below).
- Sign in to the Azure Portal with an account that is a member of the Subscription Admins role and co-administrator of the subscription.
- Click Automation Accounts.
- In the Automation Accounts blade, select your automation account. For example: Contosoclinic-Automation
- Under Process Automation, click Runbooks. For example: Contosoclinic-Automation – Runbooks
- Select the scheduleIngestion runbook that was installed by the post-deployment script, click Start to launch the OMS data intake runbook, and click Yes to confirm.
- Return to the Runbooks blade, select the sqlAzureIngestion runbook installed by the post-deployment script, click Start, and click Yes.
- Return to the Runbooks blade, select the webAzureIngestion runbook installed by the post-deployment script, click Start, and click Yes.
To change the workspace pricing tier:
- Sign in to the Azure Portal with an account that is a member of the Subscription Admins role and co-administrator of the subscription.
- Click Log Analytics and select your workspace.
- Click Pricing Tier, select the OMS tier (the Free tier does not collect enough data for this solution), and click OK.
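The three runbook launches above can be driven from PowerShell instead of the portal, which also surfaces a failed ingestion job immediately rather than leaving it to be noticed later in the Jobs blade. This is an added example, not a script from the solution; the resource group name is an assumption, the automation account and runbook names are the ones used in the guide, and it assumes the AzureRM.Automation module of the period.

```powershell
# Added example (not part of the original solution): start the OMS ingestion runbooks and wait
# for each job, failing loudly if one does not complete. Assumes the AzureRM.Automation module;
# $ResourceGroup is an assumption, the other names are those used in the guide.
$ResourceGroup     = 'contosoclinic-rg'            # assumption
$AutomationAccount = 'Contosoclinic-Automation'    # automation account name from the guide
$Runbooks          = 'scheduleIngestion', 'sqlAzureIngestion', 'webAzureIngestion'

# Interactive sign-in with an account that has rights on the automation account.
Login-AzureRmAccount | Out-Null

foreach ($name in $Runbooks) {
    $job = Start-AzureRmAutomationRunbook -ResourceGroupName $ResourceGroup `
              -AutomationAccountName $AutomationAccount -Name $name
    Write-Host ("Started {0}, job {1}" -f $name, $job.JobId)

    # Poll until the job leaves the queued/running states.
    do {
        Start-Sleep -Seconds 10
        $job = Get-AzureRmAutomationJob -ResourceGroupName $ResourceGroup `
                  -AutomationAccountName $AutomationAccount -Id $job.JobId
    } while ($job.Status -in @('New', 'Queued', 'Activating', 'Running', 'Stopping'))

    if ($job.Status -ne 'Completed') {
        # Print the job's error stream here so the cause is visible without opening the portal.
        Get-AzureRmAutomationJobOutput -ResourceGroupName $ResourceGroup `
            -AutomationAccountName $AutomationAccount -Id $job.JobId -Stream Error
        throw "Runbook $name ended with status $($job.Status)"
    }
    Write-Host ("{0} completed" -f $name)
}
```

Run the runbooks in the order listed, as the portal steps do; the workspace pricing tier change still has to be made in the portal as described above before the ingested data is retained.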
Installing the OMS dashboard views requires importing the view files located in the ./omsDashboards folder.
NOTE: The OMS dashboards will not import correctly until the workspace has collected data for a period of time. If you receive an error during the dashboard import, it is because no data has been collected yet; wait about 10 minutes after starting the ingestion runbooks so that data is available in OMS, then retry.
- Open Log Analytics.
- Select your OMS Log Analytics workspace in the list. In this example: oms-WS-pci-paas-dzwhejjrwbwdy
- Click Log Analytics.
- Click OMS Portal. The Microsoft Operations Management Suite opens in a new browser window or tab.
- Click View Designer on your Microsoft Operations Management Suite home page.
- In the designer, select Import.
- For the SQL monitoring solution, import the file with OMSSQL in the file name. In this example: \omsDashboards\OMSSQLDBAzureMonitoringSolution.omsview
- Select Save.
- Repeat the View Designer import and save steps for the web application monitoring solution, importing the file with OMSWebApp in the file name. In this example: \omsDashboards\OMSWebAppAzureMonitoringSolution.omsview
The monitoring configuration of your SQL server, database, and web apps is now complete. You can now review the collected data in OMS.
Azure Security Center was enabled on your subscription during deployment. However, to ensure that the antimalware and threat detection capabilities are available, you need to move the subscription to the Standard tier data plan.
- Sign in to the Azure Portal with an account that is a member of the Subscription Admins role and co-administrator of the subscription.
- Click Security Center.
- Click the banner that reads “Your security experience may be limited. Click here to learn more.”
- Select your subscription.
- Click Pricing tier.
- Select the Standard tier – Free Trial.
- Click Select.
You can review additional information about Azure Security Center in the getting started guidance. Complete the instructions at https://docs.microsoft.com/en-us/azure/security-center/security-center-get-started to enable data collection in Azure Security Center.
Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources.
- Select Browse, and then scroll to Azure Advisor.
- The Advisor dashboard displays personalized recommendations for the Contoso Clinic subscription.
NOTE: Currently the OMS Monitoring agent is installed automatically with the bastion host deployment. The Security Center VM agent is not deployed in this solution, to prevent conflicts with the OMS agent.
Installation complete!
The following section provides insight into the development and implementation elements. The deployment strategies described in this document apply to the solution architecture diagram.
The Application Gateway (WAF) in front of the web tier is configured with:
- SSL offload
- TLS v1.0 and v1.1 disabled
- Web application firewall (WAF mode)
- Prevention mode with the OWASP 3.0 rule set
- Diagnostics logging
- Custom health probes
- A private virtual network with address space 10.0.0.0/16
Each of the network tiers has a dedicated NSG:
- A DMZ network security group for the firewall and Application Gateway WAF
- An NSG for the management jumpbox (bastion host)
- An NSG for the App Service Environment
Each NSG has only the specific ports and protocols opened that the solution needs to work securely and correctly.
In addition, the following configurations are enabled for each NSG:
- Diagnostics logs are enabled and the events are stored in a storage account
- OMS Log Analytics is connected to the NSG diagnostics
- Each subnet is associated with its corresponding NSG
- HTTPS traffic enabled using custom domain SSL certificate
To meet encrypted data-at-rest requirements, all Azure Storage uses the following:
A PaaS SQL Database instance is used to showcase the following security measures:
- Azure AD authentication and authorization
- Auditing enabled
- Transparent Data Encryption enabled
- SQL DB firewall rules enabled (allowing the ASE worker pools and managed client IPs)
- Threat Detection enabled
- Always Encrypted columns enabled
- Dynamic Data Masking enabled (using the post-deployment PowerShell script)
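A deployment pilot is only as compliant as its actual state, so the controls in the list above are worth verifying rather than assumed. The following is an added example (not a script from the solution) that reads each control back with the AzureRM.Sql cmdlets and prints a pass/fail table; the resource group, server and database names are assumptions, and the cmdlet and property names follow AzureRM.Sql 4.x (earlier releases expose blob auditing through Get-AzureRmSqlDatabaseAuditingPolicy instead), so check them against the module version you have installed.

```powershell
# Added example (not part of the original solution): read back the SQL Database controls listed
# above and report which are actually enabled. Assumes AzureRM.Sql 4.x cmdlet and property names;
# $rg, $srv and $db are assumptions.
$rg  = 'contosoclinic-rg'     # assumption: resource group
$srv = 'contosoclinic-sql'    # assumption: logical server name without .database.windows.net
$db  = 'ContosoClinicDB'      # assumption: database name

Login-AzureRmAccount | Out-Null

$checks = New-Object System.Collections.ArrayList
function Add-Check([string]$Control, [bool]$Pass, [string]$Detail) {
    [void]$checks.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# Azure AD authentication: the logical server must have an Azure AD admin set.
$aad = Get-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $srv
Add-Check 'AAD admin' ($null -ne $aad) "$($aad.DisplayName)"

# Transparent Data Encryption (State is Enabled or Disabled).
$tde = Get-AzureRmSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $srv -DatabaseName $db
Add-Check 'TDE' ($tde.State -eq 'Enabled') "$($tde.State)"

# Blob auditing to the storage account (AuditState is Enabled or Disabled).
$aud = Get-AzureRmSqlDatabaseAuditing -ResourceGroupName $rg -ServerName $srv -DatabaseName $db
Add-Check 'Auditing' ($aud.AuditState -eq 'Enabled') ("{0} -> {1}" -f $aud.AuditState, $aud.StorageAccountName)

# Threat Detection ('New' means it was never configured).
$td = Get-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $rg -ServerName $srv -DatabaseName $db
Add-Check 'Threat Detection' ($td.ThreatDetectionState -eq 'Enabled') "$($td.ThreatDetectionState)"

# Dynamic Data Masking rules created by the post-deployment script.
$ddm = @(Get-AzureRmSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $srv -DatabaseName $db)
Add-Check 'Dynamic Data Masking' ($ddm.Count -gt 0) (($ddm | ForEach-Object { "$($_.TableName).$($_.ColumnName)" }) -join ', ')

# Firewall: a 0.0.0.0-255.255.255.255 rule exposes the server to every public IP. The Azure-only
# rule is 0.0.0.0-0.0.0.0; it is listed in Detail because it admits traffic from any Azure tenant.
$fw   = @(Get-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $srv)
$open = $fw | Where-Object { $_.StartIpAddress -eq '0.0.0.0' -and $_.EndIpAddress -eq '255.255.255.255' }
Add-Check 'Firewall (no any-IP rule)' ($null -eq $open) (($fw | ForEach-Object { "$($_.FirewallRuleName) $($_.StartIpAddress)-$($_.EndIpAddress)" }) -join '; ')

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) { Write-Warning 'One or more SQL controls are not enabled'; exit 1 }
```

Always Encrypted is not in the table because it is a property of the column definitions and the Key Vault-held column master key rather than of the database resource; confirm it from sys.columns (the encryption_type column) in the database itself.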
Logging uses OMS, with runbooks to collect the logs:
- Activity Logs: Azure Activity Logs are configured to provide insight into the operations performed on resources in your subscription.
- Diagnostic Logs: Diagnostic Logs are all logs emitted by every resource. These include Windows event system logs and Azure Blob storage, table, and queue logs.
- Firewall Logs: The Application Gateway provides full diagnostics and access logs. Firewall logs are available for Application Gateway resources that have WAF enabled.
- Log Archiving: All diagnostics logs are configured to write to a centralized and encrypted Azure storage account for archival with a defined retention period (2 days). The logs are then connected to Azure Log Analytics (OMS) for processing, storage, and dashboarding. Note that the 2-day storage retention is only a staging window: PCI DSS Requirement 10.7 calls for audit trail history to be retained for at least one year with three months immediately available, so the Log Analytics workspace retention (or a longer storage retention) must be set to cover that.
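The NSG configuration list and the log archiving description above amount to one check per NSG: an NSG is attached to each subnet, its diagnostics are enabled, they land in the archive storage account with the 2-day retention, and they also flow to the Log Analytics workspace. The following added example (not a script from the solution) walks the solution's virtual network and repairs any NSG whose diagnostic setting is missing a piece. The resource group, virtual network and storage account names are assumptions, the workspace name is the one used in the guide, and it assumes a version of AzureRM.Insights whose Set-AzureRmDiagnosticSetting accepts -WorkspaceId.

```powershell
# Added example (not part of the original deployment): for every subnet in the solution VNet,
# confirm an NSG is attached and that the NSG's diagnostics go to the archive storage account
# (2-day retention) and to the Log Analytics workspace, fixing the setting where it falls short.
# Assumes AzureRM.Network / AzureRM.Insights cmdlets that support -WorkspaceId; names marked
# "assumption" are placeholders for your deployment.
$rg        = 'contosoclinic-rg'       # assumption
$vnetName  = 'contosoclinic-vnet'     # assumption
$storage   = Get-AzureRmStorageAccount -ResourceGroupName $rg -Name 'contosoclinicdiag'   # assumption
$workspace = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'oms-WS-pci-paas-dzwhejjrwbwdy'

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name $vnetName
foreach ($subnet in $vnet.Subnets) {
    if (-not $subnet.NetworkSecurityGroup) {
        Write-Warning "Subnet $($subnet.Name) has no NSG attached"
        continue
    }
    $nsgId   = $subnet.NetworkSecurityGroup.Id
    $nsgName = $nsgId.Split('/')[-1]

    # A resource that never had diagnostics configured returns no setting; treat that as all-missing.
    $diag = Get-AzureRmDiagnosticSetting -ResourceId $nsgId -ErrorAction SilentlyContinue
    $disabledCategories = @($diag.Logs | Where-Object { -not $_.Enabled })
    $archived = ($diag -ne $null) -and ($diag.StorageAccountId -eq $storage.Id)
    $toOms    = ($diag -ne $null) -and ($diag.WorkspaceId -eq $workspace.ResourceId)

    if ($disabledCategories.Count -gt 0 -or -not $archived -or -not $toOms) {
        Write-Host "Fixing diagnostics for NSG $nsgName (archived=$archived, oms=$toOms, disabled=$($disabledCategories.Count))"
        # Enable every log category, archive to storage for 2 days, and stream to Log Analytics.
        Set-AzureRmDiagnosticSetting -ResourceId $nsgId -StorageAccountId $storage.Id `
            -WorkspaceId $workspace.ResourceId -Enabled $true `
            -RetentionEnabled $true -RetentionInDays 2 | Out-Null
    } else {
        Write-Host "OK: subnet $($subnet.Name) -> NSG $nsgName archives to storage and OMS"
    }
}
```

The same loop applies unchanged to the Application Gateway and the SQL server by substituting their resource IDs for the NSG IDs, since diagnostic settings use the same cmdlets for every resource type.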
Azure Key Vault helps safeguard the cryptographic keys and secrets used by cloud applications and services. It stores:
- Keys - SQL DB column encryption keys (customer-managed keys)
- Secrets - BitLocker keys for Azure Disk Encryption
Azure Active Directory (Azure AD) is the multi-tenant cloud-based directory and identity management service from Microsoft.
- All users for the solution were created in Azure Active Directory, including the users accessing the SQL Database.
- Authentication to the app is done through the Azure AD application and its associated service principals.
- The SQL DB column encryption is also performed using the AD application. Refer to the sample from the Azure SQL DB team for more details.
- Azure Identity Protection (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection) provides additional safeguards that can be implemented: detecting potential vulnerabilities affecting your organization’s identities, configuring automated responses to detected suspicious actions related to those identities, and investigating suspicious incidents to take appropriate action to resolve them.
Azure Role-Based Access Control (RBAC) enables precisely focused access management for Azure. Specific configurations exist for:
- Subscription access
- Azure Key Vault access
The Web Apps feature in Azure App Service lets developers rapidly build, deploy, and manage powerful websites and web apps. Build standards-based web apps and APIs using .NET, Node.js, PHP, Python, and Java. Deliver both web and mobile apps for employees or customers using a single back end. Securely deliver APIs that enable additional apps and devices.
With App Service, develop powerful applications for any platform or device, faster than ever before. Meet rigorous performance, scalability, security, and compliance requirements using a single back end.
As the App Service Environment is secured and locked down, a mechanism is needed to allow for any DevOps releases or changes that might be necessary, such as monitoring the web app using Kudu.
A virtual machine was stood up as a jumpbox / bastion host with the following configuration:
- BitLocker-encrypted disk using Azure Key Vault (in line with Azure Government, PCI DSS, and HIPAA requirements)
- An auto-shutdown policy to reduce consumption of virtual machine resources when not in use.
An App Service Environment (a Premium service plan) is used for compliance reasons. Use of this plan allows the following controls and configurations:
- Hosting inside a secured virtual network with network security rules
- Internal Load Balancing mode (mode 3)
- TLS 1.0 disabled – a protocol deprecated from the PCI DSS standpoint
- Changing the TLS cipher suites
- Controlling inbound traffic on network ports
- WAF – restricting data
- Allowing SQL DB traffic
With Azure Security Center, you get a central view of the security state of all of your Azure resources. At a glance, you can verify that the appropriate security controls are in place and configured correctly and be able to quickly identify any resources that require attention.
Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources.
Microsoft Antimalware for Azure Cloud Services and Virtual Machines is real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems.
For Azure Web Apps, Tinfoil Security is a security vulnerability scanning solution built into the Azure App Service management experience that provides web app scanning.
Gain actionable insights through application performance management and instant analytics.
Log Analytics is a service in Operations Management Suite (OMS) that helps you collect and analyze data generated by resources in your cloud and on-premises environments.
The following OMS Solutions are pre-installed with this reference solution:
- Activity Log Analytics
- Azure Networking Analytics
- Azure SQL Analytics
- Change Tracking
- Key Vault Analytics
- Service Map
- Security and Audit
- Antimalware
- Update Management
The default deployment is intended to produce a clean set of Security Center recommendations, indicating a healthy and secure configuration state of the solution.
You need to create an Azure AD admin as identified in this document. This is required because a subscription admin does not automatically receive directory services (DS) or Azure AD credentials; this is a security feature that enables RBAC and role separation in Azure.
Currently there is a limitation in how the ASE handles web apps. The reboot workaround will be removed once the ASE issue is resolved.