This newsletter is our fifth installment on the implementation of PCI DSS in Azure. With the expertise of my friend Nicolas Giraud, an architect specialized in Microsoft technologies, and my knowledge of PCI DSS, we untangle this still nebulous subject. For each PCI requirement we discuss the responsibilities (who is in charge of what), the implementation mechanisms at your service (your toolbox), as well as implementation guidance wherever deemed necessary.
Previous Episodes
Complying with Req 1 on Azure
Complying with Req 2 on Azure
Complying with Req 3 on Azure
Complying with Req 4 on Azure
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Objective
Protect systems commonly affected by malware from current and evolving malicious software threats.
PCI-DSS Controls
5.1-5.4
Responsibilities
For PaaS services, the responsibility for complying with the requirements below lies wholly with Microsoft Azure.
For IaaS, the responsibility is shared between Azure and the customer as follows:
5.1. Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Customers must ensure that anti-virus software is deployed on all systems commonly affected by malicious software.
Wherever Azure Antimalware solution is used, customers are responsible for the configuration options under their control. Microsoft Azure is responsible for the effectiveness of this solution.
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Customers are responsible for evaluating, selecting, deploying and maintaining anti-malware software on all VMs.
Wherever Azure Antimalware solution is used, customers are responsible for the configuration options under their control. Microsoft Azure is responsible for the effectiveness of this solution.
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
If such technologies are used, customers are responsible for performing periodic evaluations of the impact of evolving malware threats on these technologies.
5.2 Ensure that all anti-virus mechanisms are kept current, perform periodic scans and generate audit logs which are retained per PCI DSS Requirement 10.7.
Customers are responsible for ensuring that their anti-malware software is kept current and regularly updated, performs periodic scans and generates audit logs.
Wherever Azure Antimalware solution is used, customers are responsible for the configuration options under their control. Microsoft Azure is responsible for the effectiveness of this solution, including updates, periodic scans, audit logs and alerting.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Customers are responsible for ensuring that anti-malware software is running and not altered on their VMs.
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Customers are responsible for creating and maintaining policies for protecting systems against malware.
The Azure Toolbox for Req 5
To protect Azure Virtual Machines running Windows OS from malicious software, Microsoft provides a solution called Microsoft Antimalware. Alternative solutions from third-party vendors are also supported (and required for Linux environments).
Microsoft Antimalware is a free single-agent security solution that protects servers against viruses, spyware and other software threats. It includes real-time protection and scheduled system scans, generates logs and can trigger alerts. Virus definitions and the detection engine are updated automatically.
Microsoft Antimalware is installed on a server via a Virtual Machine Extension. A Virtual Machine Extension is like a plugin for a virtual machine. Extensions are managed via Azure Portal or programmatically.
On a Windows 2016 server, the Microsoft Antimalware extension just configures the native antimalware solution included in the operating system: Windows Defender. On older Windows versions, this extension installs a specific antimalware engine.
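The programmatic route mentioned above, as an added example that is not part of the newsletter: deploying the Microsoft Antimalware extension on a Windows VM with the Az PowerShell module, with settings chosen to cover Req 5.2 (real-time protection, periodic scans). The resource group, VM name and region are placeholders.

```powershell
# Added example, not from the newsletter. Assumes the Az module is installed
# and Connect-AzAccount has been run. Resource group, VM and region are placeholders.
$resourceGroup = "rg-cde"
$vmName        = "vm-cde-web01"
$location      = "westeurope"

# Public settings of the IaaSAntimalware extension.
# - RealtimeProtectionEnabled: Req 5.1 / 5.3 (actively running)
# - ScheduledScanSettings: Req 5.2 (periodic scans); day 7 = Saturday,
#   time 120 = minutes after midnight (02:00), "Quick" or "Full"
# - Exclusions are left empty on purpose: every excluded path, extension or
#   process is a blind spot you will have to justify to your QSA.
$settingsString = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": true,
    "day": 7,
    "time": 120,
    "scanType": "Quick"
  },
  "Exclusions": { "Extensions": "", "Paths": "", "Processes": "" }
}
'@

# Install (or reconfigure) the extension on the VM.
Set-AzVMExtension -ResourceGroupName $resourceGroup `
    -VMName $vmName `
    -Location $location `
    -Name "IaaSAntimalware" `
    -Publisher "Microsoft.Azure.Security" `
    -ExtensionType "IaaSAntimalware" `
    -TypeHandlerVersion "1.3" `
    -SettingString $settingsString

# Confirm the extension provisioned; keep this output as evidence for Req 5.1.
Get-AzVMExtension -ResourceGroupName $resourceGroup -VMName $vmName -Name "IaaSAntimalware" |
    Select-Object Name, Publisher, TypeHandlerVersion, ProvisioningState
```

On Windows Server 2016 this configures the built-in Windows Defender, as described above; on older versions it installs the dedicated engine. Keep the settings string in source control so that changes to exclusions or scan schedules are reviewable.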
Azure Security Center will be your main entry point to manage your antimalware solution.
Security Center can install and monitor Microsoft Antimalware on your servers. But it also supports other antimalware products.
Security Center constantly monitors the endpoint protection status of all your virtual machines. It reports missing installations, out-of-date virus definitions, disabled real-time protection or an unresponsive detection engine. A dashboard summarizes the health state of all servers and counts the number of detected malware samples or attacks.
Security Center also includes a policy management tool that can be used to enforce some security procedures (for example, security data/events collection).
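As an added example (not from the newsletter) of cross-checking the "missing installations" that Security Center reports against your own inventory: the function below walks the Windows VMs of a subscription or resource group and lists those without a successfully provisioned Microsoft Antimalware extension. It assumes the Az module and an authenticated session; the function name is ours.

```powershell
# Added example, not from the newsletter. Assumes Connect-AzAccount has been run.
# Lists Windows VMs with no healthy IaaSAntimalware extension (Req 5.1 coverage).
function Get-AntimalwareGap {
    param([string]$ResourceGroupName)

    $vms = if ($ResourceGroupName) { Get-AzVM -ResourceGroupName $ResourceGroupName } else { Get-AzVM }

    foreach ($vm in $vms) {
        # Linux VMs require a third-party agent; audit them separately.
        if ($vm.StorageProfile.OsDisk.OsType -ne "Windows") { continue }

        $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue |
               Where-Object { $_.Publisher -eq "Microsoft.Azure.Security" -and $_.ExtensionType -eq "IaaSAntimalware" }

        $state = if (-not $ext) { "Missing" }
                 elseif ($ext.ProvisioningState -ne "Succeeded") { $ext.ProvisioningState }
                 else { $null }

        if ($state) {
            [pscustomobject]@{
                ResourceGroup = $vm.ResourceGroupName
                VM            = $vm.Name
                Antimalware   = $state
            }
        }
    }
}

# Run across the whole subscription and keep the result as audit evidence.
Get-AntimalwareGap | Format-Table -AutoSize
```

A provisioned extension only proves that the agent was installed, not that real-time protection is still enabled inside the guest; for that runtime status (Req 5.3) rely on the Security Center endpoint protection assessment described above.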
Azure Log Analytics (part of Operations Management Suite) is a log aggregation tool that can be another useful component to monitor antimalware activity.
Logs generated locally on each server by your antimalware product can be exported to Azure Log Analytics for centralized analysis and alerting.
Retention is limited to 31 days in the free tier but can be extended to 730 days if you pay for extra storage. Azure Monitor Logs is a new option in Azure Portal that provides similar features in a more integrated and unified way. It will progressively replace Azure Log Analytics.