AzSK

3.14.0

Framework/Configurations/SVT/Services/ODG.json

                                {

  "FeatureName": "ODG",

  "Reference": "aka.ms/azsktcp/odg",

  "IsMaintenanceMode": false,

  "Controls": [

    {

      "ControlID": "Azure_ODG_Config_Lockdown_Server",

      "Description": "ODG must be installed on a hardened locked down VM",

      "Id": "ODG110",

      "ControlSeverity": "High",

      "Automated": "No",

      "MethodName": "",

      "Rationale": "The ODG machine is serving as a 'gateway' into the corporate environment allowing endpoint in the cloud access to enteprise data. Using a locked-down, secure baseline configuration ensures that this machine does not get leveraged as an entry point to the downstream data server/service.",

      "Recommendation": "Locking down machine isolates ODG tool and prevents malfunctioning programs from damaging or snooping on the data source machine. ",

      "Tags": [

        "SDL",

        "TCP",

        "Manual",

        "Config",

        "ODG"

      ],

      "Enabled": true

    },

    {

      "ControlID": "Azure_ODG_DP_Disabled_Additional_Log",

      "Description": "Additional logging in diagnostics should be disabled",

      "Id": "ODG120",

      "ControlSeverity": "Low",

      "Automated": "No",

      "MethodName": "",

      "Rationale":  "Additional logs feature of ODG tool contains all the records/data that pass through the ODG. Those logs may contain customer's PII and other sensitive data.",

      "Recommendation": "Additional logs in ODG tool contains all the data passing through ODG. If its required to enable additional logs than keep/share the logs in encrypted format.",

      "Tags": [

        "SDL",

        "Best Practice",

        "Manual",

        "DP",

        "ODG"

      ],

      "Enabled": true

    },

    {

      "ControlID": "Azure_ODG_ACL_DataSource_Privacy",

      "Description": "Privacy level setting must be configured to private while using ODG in PowerBI.",

      "Id": "ODG130",

      "ControlSeverity": "High",

      "Automated": "No",

      "MethodName": "",

      "Rationale": "Granting minimum permission ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",

      "Recommendation": "With privacy level settings, user can specify an isolation level that defines the degree that one data source must be isolated from other data sources. Refer: https://support.office.com/en-us/article/Privacy-levels-Power-Query-CC3EDE4D-359E-4B28-BC72-9BEE7900B540?ui=en-US&rs=en-US&ad=US",

      "Tags": [

        "SDL",

        "TCP",

        "Manual",

        "ACL",

        "ODG"

      ],

      "Enabled": true

    },

    {

      "ControlID": "Azure_ODG_ACL_Least_Permission_While_Sharing",

      "Description": "Must use the least required permission based on scenario while sharing gateways through PowerApps/Flow",

      "Id": "ODG140",

      "ControlSeverity": "High",

      "Automated": "No",

      "MethodName": "",

      "Rationale": "Granting minimum permission ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",

      "Recommendation": "Any one from these permissions must be provided while sharing gateways through PowerApps. Can use - Can use the gateway to use and create apps and flows. Can use + share - Can use the gateway to use and create apps and flows, and can share the gateway for others to use. Admin - Manages the gateway, can use the gateway to create apps and flows, can share the gateway with users tenant wide, can specify the type of connections that can be used with the gateway, and can delete the gateway. Refer: https://powerapps.microsoft.com/en-us/tutorials/share-app-resources/#on-premises-data-gateways",

      "Tags": [

        "SDL",

        "TCP",

        "Manual",

        "ACL",

        "ODG"

      ],

      "Enabled": true

    },

    {

      "ControlID": "Azure_ODG_BCDR_Design_Failover_Plan",

      "Description": "Failover plan should be designed as per business requirements.",

      "Id": "ODG150",

      "ControlSeverity": "Medium",

      "Automated": "No",

      "MethodName": "",

      "Rationale": "ODG service does not offer features to cover backup/disaster recovery out-of-the-box. As a result, when processing critical workloads, a team must have adequate backups of the data.",

      "Recommendation": "Out of the box no failover support is provided with ODG. So custom failover plan should be designed (e.g. To minimize the response time, ODG should be setup on another machine from where data source is accessible.)",

      "Tags": [

        "SDL",

        "TCP",

        "Manual",

        "BCDR",

        "ODG"

      ],

      "Enabled": true

    },

    {

      "ControlID": "Azure_ODG_AuthZ_Grant_Min_Access",

      "Description": "User accounts/roles connecting to data source must have minimum required permissions",

      "Id": "ODG160",

      "ControlSeverity": "Medium",

      "Automated": "No",

      "MethodName": "",

      "Rationale": "Granting minimum access ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",

      "Recommendation": "All user accounts/roles which are involved in ODG must have minimum required access rights to data source. (e.g. If Gateway is fetching data from data source then user role must have read-only access.)",

      "Tags": [

        "SDL",

        "TCP",

        "Manual",

        "AuthZ",

        "ODG"

      ],

      "Enabled": true

    }

  ]

}