
Releases: trustoncloud/threatmodel-for-azure-storage

2023-06-11

11 Jun 12:46

Update of the ThreatModel for Azure Storage

Summary change log

  • 1 new threat: Storage.T58 "Create an exfiltration vector via cross-account access point"
  • 1 new control: Storage.C148
  • Various improvements to the prioritization or wording of existing controls and threats.

Full change log

New threat: threats.Storage.T58 "Exfiltration due to misconfigured hierarchal namespace permissions"

New control: controls.Storage.C148 "Ensure encryption scopes are used for containers where Security Principals have diverse access requirements to blobs within the container."

New action: actions.Storage.A165 "Gets the current usage count and the limit for the resources under the subscription."

Updated: threats.Storage.T44.cvss

  • From: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
  • To: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"

Updated: threats.Storage.T44.cvss_severity

  • From: "High"
  • To: "Medium"

Updated: threats.Storage.T44.cvss_score

  • From: "8.1"
  • To: "4.6"

Updated: controls.Storage.C2.testing

  • From: "Request the list of all Storage Accounts you control, define their authorized data classification, and identify whether the data is primary and the mechanism and records to ensure the accuracy of those metadata"
  • To: "Request the list of all Storage Accounts you control, define their authorized data classification, and identify whether the data is primary and the mechanism and records to ensure the accuracy of those metadata."

Updated: controls.Storage.C3.description

  • From: "Use a data discovery tool (e.g., Microsoft Purview) to control that no sensitive data is stored in an unauthorized storage account"
  • To: "Use a data discovery tool (e.g., Microsoft Purview) to control that no sensitive data is stored in an unauthorized storage account."

Updated: controls.Storage.C3.testing

  • From: "Upload a higher classification data in a storage account, it should be detected."
  • To: "Upload a higher classification data in a storage account; it should be detected."

Updated: controls.Storage.C4.description

  • From: "Use a data discovery tool (e.g., Microsoft Purview) to ensure the storage account names, object names, and tags do not contain sensitive data"
  • To: "Use a data discovery tool (e.g., Microsoft Purview) to ensure the storage account names, object names, and tags do not contain sensitive data."

Updated: controls.Storage.C4.testing

  • From: "Create 1) a storage account name, 2) object names, or 3) tags with sensitive data, it should be detected."
  • To: "Create 1) a storage account name, 2) object names, or 3) tags with sensitive data; it should be detected."

Updated: controls.Storage.C5.description

  • From: "Integrate the access to files and directories via ACL in the IAM Operating Model"
  • To: "Integrate the access to files and directories via ACL in the IAM Operating Model."

Updated: controls.Storage.C5.testing

  • From: "Request the IAM Operating Model for access to files and directories via ACL"
  • To: "Request the IAM Operating Model for access to files and directories via ACL."

Updated: controls.Storage.C6.description

  • From: "Maintain a list of authorized Storage Accounts with allowblobPublicAccess enabled; ideally, none"
  • To: "Maintain a list of authorized Storage Accounts with allowblobPublicAccess enabled; ideally, none."

Updated: controls.Storage.C7.testing

  • From: "Request 1) the mechanism ensuring only authorized Storage Accounts have allowblobPublicAccess enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts"
  • To: "Request 1) the mechanism ensuring only authorized Storage Accounts have allowblobPublicAccess enabled, 2) its records of execution for all new Storage Accounts, and 3) the plan to move any older Storage Accounts."

Updated: controls.Storage.C8.testing

  • From: "Create a storage account with allowblobPublicAccess, it should be denied."
  • To: "Create a storage account with allowblobPublicAccess; it should be denied."

Updated: controls.Storage.C9.testing

  • From: "Create a storage account with allowblobPublicAccess, it should be detected."
  • To: "Create a storage account with allowblobPublicAccess; it should be detected."

Updated: controls.Storage.C10.description

  • From: "Enable versioning on blobs holding primary data"
  • To: "Enable versioning on blobs holding primary data."

Updated: controls.Storage.C10.testing

  • From: "Request the mechanism used to ensure versioning on blobs holding primary data, and its records"
  • To: "Request the mechanism used to ensure versioning on blobs holding primary data, and its records."

Updated: controls.Storage.C11.description

  • From: "Verify blobs holding primary data are versioned"
  • To: "Verify blobs holding primary data are versioned."

Updated: controls.Storage.C11.testing

  • From: "Remove versioning from a blob holding primary data, it should be detected"
  • To: "Remove versioning from a blob holding primary data; it should be detected."

Updated: controls.Storage.C12.description

  • From: "Enable snapshots to Azure Files holding primary data"
  • To: "Enable snapshots to Azure Files holding primary data."

Updated: controls.Storage.C12.testing

  • From: "Request the mechanism used to ensure snapshots to Azure Files on blobs holding primary data and its records"
  • To: "Request the mechanism used to ensure snapshots to Azure Files on blobs holding primary data and its records."

Updated: controls.Storage.C13.testing

  • From: "Remove snapshots from an Azure Files account holding primary data, it should be detected"
  • To: "Remove snapshots from an Azure Files account holding primary data; it should be detected."

Updated: controls.Storage.C14.description

  • From: "Backup primary data in a location which have different security authority (ref 1, ref 2)"
  • To: "Backup primary data in a location which have different security authority (ref 1, ref 2)."

Updated: controls.Storage.C14.testing

  • From: "Request the mechanism used to backup primary data in a location which have different security authority, its records of execution, and records of restoration testing"
  • To: "Request the mechanism used to backup primary data in a location which have different security authority, its records of execution, and records of restoration testing."

Updated: controls.Storage.C15.description

  • From: "For each storage account (or type of data), define the minimum retention of container and blob from the deletion (e.g., 7 days)"
  • To: "For each storage account (or type of data), define the minimum retention of container and blob from the deletion (e.g., 7 days)."

Updated: controls.Storage.C15.testing

  • From: "For each storage account, request the minimum retention of container and blob from the deletion, its review process, and its review records"
  • To: "For each storage account, request the minimum retention of container and blob from the deletion, its review process, and its review records."

Updated: controls.Storage.C16.description

  • From: "Ensure Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention"
  • To: "Ensure Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention."

Updated: controls.Storage.C16.testing

  • From: "Request 1) the mechanism ensuring Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts"
  • To: "Request 1) the mechanism ensuring Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention, 2) its records of execution for all new Storage Accounts, and 3) the plan to move any older Storage Accounts."

Updated: controls.Storage.C17.testing

  • From: "Create a storage account without soft-delete for the blob, it should be denied"
  • To: "Create a storage account without soft-delete for the blob; it should be denied."

Updated: controls.Storage.C18.testing

  • From: "Create a storage account without soft-delete for the blob option, it should be detected."
  • To: "Create a storage account without soft-delete for the blob option; it should be detected."

Updated: controls.Storage.C19.description

  • From: "Ensure Storage Accounts have soft-delete for the container enabled"
  • To: "Ensure Storage Accounts have soft-delete for the container enabled."

Updated: controls.Storage.C19.testing

  • From: "Request 1) the mechanism ensuring Storage Accounts have soft-delete for the container enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts."
  • To: "Request 1) the mechanism ensuring Storage Accounts have soft-delete for the container enabled, 2) its records of execution for all new Storage Accounts, and 3) the plan to move any older Storage Accounts."

Updated: controls.Storage.C20.testing

  • From: "Create a storage account without soft-delete for the container, it should be denied."
  • To: "Create a storage account without soft-delete for the container; it should be denied."

Updated: controls.Storage.C21.testing

  • From: "Create a storage account without soft-delete for the container option, it should be detected."
  • To: "Create a storage account without soft-delete for the container option; it should be detected."
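The detective controls listed above (C9, C11, C18 and C21, with the minimum retention from C15/C16) are testable by evaluating an inventory of storage account settings. The script below is an added example, not code from the threatmodel-for-azure-storage repository: it runs over constructed sample records whose field names follow the Azure Resource Manager JSON that `az storage account list` and `az storage account blob-service-properties show` return, and it assumes a `data=primary` tag marks accounts holding primary data.

```python
from collections import namedtuple

MIN_RETENTION_DAYS = 7  # C15: minimum retention of blobs from deletion (e.g., 7 days)

# One finding per violated control for one storage account
Finding = namedtuple("Finding", "account control detail")


def evaluate_account(account: dict, blob_props: dict, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Check one account record plus its blob-service properties (ARM JSON field names)."""
    name, findings = account["name"], []
    # C9: flag any account with allowBlobPublicAccess enabled (C6: ideally none)
    if account.get("allowBlobPublicAccess") is True:
        findings.append(Finding(name, "Storage.C9", "allowBlobPublicAccess is enabled"))
    # C18: blob soft-delete must be on for at least the minimum retention (C16)
    blob_del = blob_props.get("deleteRetentionPolicy") or {}
    if not blob_del.get("enabled"):
        findings.append(Finding(name, "Storage.C18", "blob soft-delete disabled"))
    elif (blob_del.get("days") or 0) < min_days:
        findings.append(Finding(name, "Storage.C18", f"blob soft-delete {blob_del['days']}d < {min_days}d"))
    # C21: container soft-delete must be on (C19)
    if not (blob_props.get("containerDeleteRetentionPolicy") or {}).get("enabled"):
        findings.append(Finding(name, "Storage.C21", "container soft-delete disabled"))
    # C11: primary data must be versioned; the data=primary tag is an assumed convention
    if (account.get("tags") or {}).get("data") == "primary" and not blob_props.get("isVersioningEnabled"):
        findings.append(Finding(name, "Storage.C11", "versioning disabled on primary data"))
    return findings


def evaluate_all(accounts: list, blob_props_by_name: dict) -> list:
    """Run the checks over an inventory; an account with no blob properties fails closed."""
    return [f for a in accounts
            for f in evaluate_account(a, blob_props_by_name.get(a["name"], {}))]


# Constructed sample inventory (not real accounts)
SAMPLE_ACCOUNTS = [
    {"name": "stprodprimary", "allowBlobPublicAccess": False, "tags": {"data": "primary"}},
    {"name": "stlegacypublic", "allowBlobPublicAccess": True, "tags": {}},
]
SAMPLE_BLOB_PROPS = {
    "stprodprimary": {"deleteRetentionPolicy": {"enabled": True, "days": 14},
                      "containerDeleteRetentionPolicy": {"enabled": True, "days": 7},
                      "isVersioningEnabled": True},
    "stlegacypublic": {"deleteRetentionPolicy": {"enabled": True, "days": 3},
                       "containerDeleteRetentionPolicy": {"enabled": False},
                       "isVersioningEnabled": False},
}
```

Calling `evaluate_all(SAMPLE_ACCOUNTS, SAMPLE_BLOB_PROPS)` returns no findings for `stprodprimary` and C9, C18 (3 days below the 7-day minimum) and C21 findings for `stlegacypublic`.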

Updated: controls.Storage.C22.testing

  • From: "Request the list of authorized {resources}, its review process, and its review records"
  • To: "Request the list of ...