Saturday, May 5, 2018

CIS Control 1 on Azure - Maintain Asset Inventory Part 1

Just recently, the Center for Internet Security (CIS) released a new version of their CIS Controls (version 7 now).  You can find out more information here.

The goal of this post is to talk about Control 1 - Inventory and Control of Hardware Assets.  Specifically, I will attempt to address 1.5 - Maintain Asset Inventory Information.  The goal of this series is to discuss how to achieve compliance with this framework using Azure-only tools.

When we think about hardware, traditionally anyway, we think about servers, network switches, laptops, etc.  In Azure, the closest equivalent is the set of Azure resources you have deployed in your subscription.  1.5 - Maintain Asset Inventory Information specifically reads:

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

Okay cool.  In the Azure portal, there is a very easy way to look at all of your resources across your subscription (regardless of region).  It is the All Resources tab in the Azure Portal.



In the above screenshot, I've added the resource ID column to the view, which is effectively the same thing as the "hardware address" mentioned in the control definition.  The following things are missing from the above, however:

  • Network Address
  • Data Asset Owner
  • Department
  • Approved to connect

All of the above, with the exception of network address, are essentially metadata on a particular resource.  This is probably best solved by the use of tags on a particular resource.  When you add that to the view, it looks like the following:



Perfect.  So at a glance, I can see most of the information that I require (minus the network address).

You can generate a similar type of report via PowerShell using a command similar to the following:
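As an added example (not the author's original command), the sketch below builds the tag-based inventory described above and flags resources that are missing any of the required metadata. The tag names Owner, Department and Approved, the helper name Get-AssetInventoryRecord, and the sample objects are assumptions made for illustration; in real use the input would come from Get-AzResource in the Az PowerShell module.

```powershell
# Tag names are assumptions; substitute the ones your organization standardized on.
$RequiredTags = 'Owner', 'Department', 'Approved'

function Get-AssetInventoryRecord {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Resource,
        [string[]]$TagNames = $RequiredTags
    )
    process {
        # Untagged resources have a null Tags property; treat that as "no tags".
        $tags = if ($null -ne $Resource.Tags) { $Resource.Tags } else { @{} }
        $record = [ordered]@{
            MachineName     = $Resource.Name
            HardwareAddress = $Resource.ResourceId   # resource ID stands in for hardware address
            ResourceType    = $Resource.ResourceType
        }
        $missing = @()
        foreach ($name in $TagNames) {
            # Match tag names case-insensitively (-eq ignores case for strings).
            $key   = $tags.Keys | Where-Object { $_ -eq $name } | Select-Object -First 1
            $value = if ($null -ne $key) { $tags[$key] } else { $null }
            if ([string]::IsNullOrWhiteSpace($value)) { $missing += $name }
            $record[$name] = $value
        }
        $record['MissingTags'] = $missing -join ','
        [pscustomobject]$record
    }
}

# Constructed sample objects shaped like Get-AzResource output (not real resources).
$rg = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers'
$sample = @(
    [pscustomobject]@{ Name = 'web01'; ResourceType = 'Microsoft.Compute/virtualMachines'
        ResourceId = "$rg/Microsoft.Compute/virtualMachines/web01"
        Tags = @{ Owner = 'alice'; Department = 'IT'; Approved = 'Yes' } },
    [pscustomobject]@{ Name = 'stdemo01'; ResourceType = 'Microsoft.Storage/storageAccounts'
        ResourceId = "$rg/Microsoft.Storage/storageAccounts/stdemo01"
        Tags = @{ owner = 'bob'; Department = '' } },
    [pscustomobject]@{ Name = 'vnet-demo'; ResourceType = 'Microsoft.Network/virtualNetworks'
        ResourceId = "$rg/Microsoft.Network/virtualNetworks/vnet-demo"
        Tags = $null }
)

# Real use (Az module, signed-in session): Get-AzResource | Get-AssetInventoryRecord
$sample | Get-AssetInventoryRecord | Where-Object MissingTags |
    Format-Table MachineName, ResourceType, MissingTags -AutoSize
```

Network address is not covered here, since it is not tag metadata.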