Azure CIS – Turbot Pipes

Introduction

In the last blog posts, I went into more detail on the topic of Azure Security. On the one hand, I gave you an initial overview of Azure frameworks and, on the other hand, I looked at the Azure Security Benchmark.

Today, I would like to introduce you to a tool from Turbot Pipes that could help you with the CIS framework implementation in your Azure tenant.

What is CIS?

The Center for Internet Security (CIS) is a non-profit organization that specializes in cybersecurity. Its mission is to identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace.

CIS provides a range of tools, best practices, guidelines, and frameworks designed to help organizations protect their systems and data from cyber threats. Among its most well-known resources is the CIS Controls, a set of 20 prioritized best practices designed to stop the most pervasive and dangerous threats of today.

CIS also offers a variety of services, including security assessments, incident response, and a 24/7 security operations center. They work with businesses, government entities, and academic institutions to enhance their cybersecurity readiness and response.

The current CIS Framework version for Microsoft Azure is 2.1.0 and can be downloaded here as a PDF for non-commercial purposes.

CIS Control Jungle

The CIS Microsoft Azure Foundations Benchmark v2.1.0 framework includes a lot of controls. I haven’t counted how many controls it contains myself, but I assume there are more than 100.

There are tools on the market to help you find your way around the jungle of controls and provide you with a certain amount of support.

There are various types of tools: free and open source on-premise, hosted in the cloud, or paid, either on-premise or in the cloud.

I deliberately opted for a tool that is available free of charge, whether in the cloud as a hosted version or on-premise.

What is Turbot Pipes?

Turbot Pipes is a feature provided by Turbot, a cloud governance platform. Turbot Pipes allows you to connect, transform, and route your data across various systems. It’s designed to help you manage and control your data flow in a multi-cloud environment.

With Turbot Pipes, you can automate data workflows, integrate with third-party applications, and ensure your data is consistently managed and governed according to your organization’s policies. It provides a flexible, scalable solution for data management in complex cloud environments.

Set up the cloud environment

What are the requirements for using Turbot Pipes for Azure CIS?

  • Microsoft Azure Tenant
  • App registration with minimum Entra Global Reader and RBAC Reader permissions
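One way to check, before creating the connection, that the app registration holds no more than the read-only roles listed above and that Reader actually covers the subscriptions you want scanned. This is an added example, not part of the original post or of Turbot's tooling. The JSON is constructed and shaped like the output of `az role assignment list --assignee <appId> --all -o json`; the function name, subscription IDs and resource group names are assumptions.

```python
import json

# Minimum roles the post lists for the scanning app registration.
ALLOWED_RBAC = {"Reader"}
ALLOWED_DIRECTORY = {"Global Reader"}

# Constructed sample, shaped like `az role assignment list --assignee <appId> --all -o json`.
SUB_A = "00000000-0000-0000-0000-00000000000a"  # placeholder subscription IDs
SUB_B = "00000000-0000-0000-0000-00000000000b"
SAMPLE_RBAC = json.loads(f"""[
  {{"roleDefinitionName": "Reader", "scope": "/subscriptions/{SUB_A}"}},
  {{"roleDefinitionName": "Contributor",
    "scope": "/subscriptions/{SUB_A}/resourceGroups/rg-demo"}},
  {{"roleDefinitionName": "Reader",
    "scope": "/subscriptions/{SUB_B}/resourceGroups/rg-only"}}
]""")
SAMPLE_DIRECTORY_ROLES = ["Global Reader"]  # constructed: Entra roles held by the app


def audit_scanner_identity(rbac, directory_roles, subscriptions):
    """Check a compliance-scanner identity for excess rights and scan coverage."""
    excess, partial, covered = [], [], set()
    for a in rbac:
        role = a.get("roleDefinitionName", "<unknown>")
        scope = a.get("scope", "").rstrip("/")
        parts = scope.lower().split("/")
        if role not in ALLOWED_RBAC:
            excess.append(f"RBAC role '{role}' at {scope}")
        elif len(parts) == 3 and parts[1] == "subscriptions":
            covered.add(parts[2])  # Reader on the whole subscription
        elif len(parts) > 3 and parts[1] == "subscriptions":
            partial.append(scope)  # Reader on a sub-scope only
        # Management-group scopes are not resolved to subscriptions here.
    excess += [f"directory role '{r}'" for r in directory_roles
               if r not in ALLOWED_DIRECTORY]
    return {
        "excess": excess,
        "partial_scopes": partial,
        "uncovered_subscriptions": sorted({s.lower() for s in subscriptions} - covered),
        "missing_directory_roles": sorted(ALLOWED_DIRECTORY - set(directory_roles)),
    }


if __name__ == "__main__":
    report = audit_scanner_identity(SAMPLE_RBAC, SAMPLE_DIRECTORY_ROLES, [SUB_A, SUB_B])
    print(json.dumps(report, indent=2))
```

An empty `excess` list and no uncovered subscriptions mean the identity matches the read-only minimum and the dashboard results cover every subscription you expect.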

A Turbot Pipes organisation can be set up free of charge. This free version includes one user with 400 compute minutes per month and 3GB storage. You can find the current price models and included features here.

You can register here: Sign up | Turbot Pipes

As soon as you have successfully logged in, you can create a workspace for yourself.

Create a new connection to your Microsoft Azure tenant with an app registration. 

Add the connection to your workspace.

Now you can install custom mods (dashboards) into your workspace.

Click “Install a custom mod” and enter the following URL for the latest CIS dashboard: https://github.com/turbot/steampipe-mod-azure-compliance

After a few minutes, the mod is installed and can be selected in the dashboard.

If you now select the CIS v2.1.0 dashboard, for example, you get a very good overview of which controls are fulfilled and which are not.

Summary

To summarize, CIS controls are very important, especially in banking, insurance, healthcare and wherever ISO certifications are required.

Turbot Pipes in the cloud offers you and your company a very good overview of which Azure resources and Entra settings fulfil the current CIS v2.1.0 and where there is still a need for action.

In the next blog post, I’ll show you a way to do this on-premise, as you may not want to store your Azure data with a SaaS provider like Turbot. Stay tuned and keep following the Azure Security blog series.
