The Azure Security Benchmark (ASB) v3 is designed to provide a comprehensive set of prescriptive best practices for enhancing the security of workloads, data, and services on Azure. ASB v3 aligns with several well-established security frameworks, including CIS, NIST, and PCI-DSS, and is an essential resource for maintaining compliance and security standards in cloud environments.
ASB v3 introduces:
New Mappings: Adds mappings to PCI-DSS v3.2.1 and CIS Controls v8, alongside the existing mappings to CIS v7.1 and NIST SP800-53.
Detailed Control Guidance: Each control is divided into "Security Principle" (what the control addresses) and "Azure Guidance" (how to implement in Azure).
New Controls: Includes DevOps Security and Key/Certificate Management to improve security practices in Azure environments.
Network Security (NS) ensures the security and integrity of Azure networks by enforcing segmentation, securing virtual networks, establishing private connections, and mitigating external attacks. It includes comprehensive controls to manage and protect network boundaries and detect unauthorized access attempts.
NS-1: Virtual Network Security - Security Principle: Enforce network boundaries and isolate resources with virtual networks.
Azure Guidance: Use network security groups (NSGs) and application security groups (ASGs) to control traffic.
Implementation Context: Configure NSGs to control inbound and outbound traffic for VNets.
Stakeholders: Network Admins, Security Engineers
NS-2: Secure Communication Channels - Security Principle: Protect data in transit by using secure communication methods.
Azure Guidance: Use VPNs, ExpressRoute, and private endpoints for secure connections.
Implementation Context: Set up VPN gateways and configure private endpoints for network isolation.
Stakeholders: Network Admins, IT Security
NS-3: Network Segmentation - Security Principle: Implement network segmentation to limit lateral movement within Azure networks.
Azure Guidance: Use VNets and subnets to create isolated network segments.
Implementation Context: Configure isolated subnets for different workloads to restrict access.
Stakeholders: Security Architects, Network Admins
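To see how the NSG rules in NS-1 interact with Azure's built-in default rules (and why an NSG alone does not segment traffic inside a VNet, which is the NS-3 concern), here is an added Python model of inbound rule evaluation. It is not ASB or Azure SDK code: the VNet address space, the rule set and the 203.0.113.10 probe address are constructed, and the VirtualNetwork/Internet service tags are approximated by that single address space.

```python
"""Offline model of Azure NSG inbound rule evaluation (added example; not ASB
or Azure SDK code).  Azure evaluates NSG rules in ascending priority order and
stops at the first match, then falls through to the built-in default rules.
Assumption: the "VirtualNetwork" and "Internet" service tags are approximated
by one constructed VNet address space (10.0.0.0/16)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; the lower number wins
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*" or a service tag
    dest_ports: str    # "22", "80-443", "22,3389" or "*"


# Constructed VNet address space used to resolve the service tags below.
VNET = ipaddress.ip_network("10.0.0.0/16")
# Address of the Azure load balancer health probe.
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")

# Azure's built-in default inbound rules; they cannot be removed, only
# overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def source_matches(source: str, addr: ipaddress.IPv4Address) -> bool:
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return addr in VNET
    if source == "Internet":           # everything outside the VNet
        return addr not in VNET
    if source == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(source, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate_inbound(rules: list[Rule], src_ip: str, port: int,
                     proto: str = "Tcp") -> tuple[str, str]:
    """Return (access, name of the rule that decided it) for one inbound flow."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", proto)
                and source_matches(rule.source, addr)
                and port_matches(rule.dest_ports, port)):
            return rule.access, rule.name
    return "Deny", "implicit"          # unreachable: DenyAllInBound always matches


def internet_exposed_ports(rules: list[Rule],
                           ports: tuple[int, ...] = (22, 3389)) -> dict[int, str]:
    """Audit helper for NS-1: which management ports are reachable from an
    arbitrary Internet address (203.0.113.10 is a TEST-NET-3 documentation address)."""
    exposed = {}
    for port in ports:
        access, name = evaluate_inbound(rules, "203.0.113.10", port)
        if access == "Allow":
            exposed[port] = name
    return exposed


# Constructed NSG for a web subnet.  Note the ordering mistake: the deny rule
# for RDP from the Internet has a higher priority number than the blanket
# allow, so it is shadowed and never takes effect.
WEB_NSG = [
    Rule("AllowSSHFromBastion", 100, "Allow", "Tcp", "10.0.1.0/24", "22"),
    Rule("AllowHTTPSFromInternet", 200, "Allow", "Tcp", "Internet", "443"),
    Rule("AllowRDPFromAny", 300, "Allow", "Tcp", "*", "3389"),
    Rule("DenyRDPFromInternet", 350, "Deny", "Tcp", "Internet", "3389"),
]

# The same NSG with the deny moved ahead of the allow.
WEB_NSG_FIXED = [r if r.name != "DenyRDPFromInternet" else
                 Rule(r.name, 250, r.access, r.protocol, r.source, r.dest_ports)
                 for r in WEB_NSG]


if __name__ == "__main__":
    print("exposed (before):", internet_exposed_ports(WEB_NSG))
    print("exposed (after): ", internet_exposed_ports(WEB_NSG_FIXED))
```

Note that SSH from 10.0.2.5 is allowed by AllowVnetInBound even though no custom rule permits it: restricting lateral movement between subnets (NS-3) needs explicit deny rules, not just the absence of allow rules.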
NS-4: DNS Security - Security Principle: Protect DNS configurations to prevent spoofing and unauthorized access.
Azure Guidance: Use Azure DNS with secure configurations and enable DNS logging.
Implementation Context: Configure DNS logging to monitor DNS queries and detect suspicious activity.
Stakeholders: IT Security, Network Admins
NS-5: DDoS Protection - Security Principle: Protect against DDoS attacks to maintain application availability.
Azure Guidance: Enable Azure DDoS Protection to defend against volumetric attacks.
Implementation Context: Implement DDoS Protection Standard for critical resources.
Stakeholders: IT Security, SOC Teams
Identity Management (IM) focuses on securing identities and access management by enforcing strong authentication, managing identities through Azure Active Directory, and ensuring access is granted only to authorized users. This control domain protects user and service identities from unauthorized access.
IM-1: Identity Access Management - Security Principle: Securely manage identities for all Azure resources.
Azure Guidance: Use Azure AD for user and application identity management.
Implementation Context: Configure single sign-on (SSO) and manage user access via Azure AD.
Stakeholders: Identity Admins, IT Security
IM-2: Multi-Factor Authentication (MFA) - Security Principle: Require MFA for additional access security.
Azure Guidance: Enforce MFA on all Azure accounts to prevent unauthorized access.
Implementation Context: Enable MFA in Azure AD for all users and privileged accounts.
Stakeholders: Security Operations, IT Admins
IM-3: Conditional Access - Security Principle: Apply conditional access policies based on user context.
Azure Guidance: Set conditional access policies for access from unknown or untrusted locations.
Implementation Context: Use conditional access in Azure AD based on location, device, and user role.
Stakeholders: Security Engineers, Identity Admins
IM-4: Managed Identities - Security Principle: Use managed identities for applications to avoid hard-coded credentials.
Azure Guidance: Enable managed identities for Azure services to securely access resources.
Implementation Context: Configure managed identities for applications requiring resource access.
Stakeholders: App Developers, Security Engineers
IM-5: Monitoring and Anomaly Detection - Security Principle: Detect unusual account behavior and access patterns.
Azure Guidance: Use Azure AD Identity Protection to monitor for unusual sign-in attempts.
Implementation Context: Enable and review alerts in Azure AD for high-risk sign-ins.
Stakeholders: SOC Teams, IT Security
Privileged Access (PA) covers securing and managing high-privilege accounts and roles within Azure environments. It enforces role-based access control, just-in-time access, and activity monitoring to minimize the risk associated with privileged access.
PA-1: Privileged Access Workstations (PAWs) - Security Principle: Use secure workstations for administrative tasks.
Azure Guidance: Enforce PAWs for critical administrative access.
Implementation Context: Configure PAWs to restrict admin access to secure workstations.
Stakeholders: IT Security, Admins
PA-2: Role-Based Access Control (RBAC) - Security Principle: Limit privileged access with RBAC.
Azure Guidance: Define and apply RBAC roles to control resource access.
Implementation Context: Configure RBAC in Azure AD to grant least-privilege access.
Stakeholders: Security Engineers, IT Admins
PA-3: Just-in-Time Access - Security Principle: Minimize exposure of privileged accounts with time-limited access.
Azure Guidance: Use Azure AD Privileged Identity Management for JIT access to privileged roles.
Implementation Context: Set up JIT access for high-privilege accounts in Azure AD.
Stakeholders: Identity Admins, Security Operations
PA-4: Privileged Identity Management (PIM) - Security Principle: Monitor and control privileged roles.
Azure Guidance: Use PIM in Azure AD to control and audit privileged roles.
Implementation Context: Configure PIM for roles with elevated permissions in Azure AD.
Stakeholders: IT Security, SOC Teams
PA-5: Logging and Monitoring of Privileged Activity - Security Principle: Monitor all privileged actions for accountability.
Azure Guidance: Enable logging and monitor privileged activities in Azure.
Implementation Context: Set up activity monitoring in Azure AD and review audit logs for privileged actions.
Stakeholders: SOC Teams, Security Engineers
Data Protection (DP) focuses on safeguarding data at rest, in transit, and during processing. It includes controls for data discovery, classification, encryption, and secure data access protocols, ensuring data confidentiality, integrity, and compliance with regulatory requirements.
DP-1: Data Discovery and Classification - Security Principle: Identify and classify sensitive data to apply relevant protections.
Azure Guidance: Use Azure Information Protection and Microsoft Purview for data discovery and classification.
Implementation Context: Label and classify data assets to ensure sensitive data is adequately protected.
Stakeholders: Data Security, Compliance Teams
DP-2: Encryption of Data at Rest - Security Principle: Encrypt sensitive data to protect it from unauthorized access.
Azure Guidance: Enable Azure Disk Encryption and Transparent Data Encryption (TDE) for stored data.
Implementation Context: Use TDE for Azure SQL and Azure Storage Service Encryption for data in Azure Blob Storage.
Stakeholders: IT Security, Database Admins
DP-3: Encryption of Data in Transit - Security Principle: Protect data integrity by encrypting data during transit.
Azure Guidance: Use TLS for data transmitted across Azure resources.
Implementation Context: Configure encryption protocols like TLS for all data transfers.
Stakeholders: Network Security, IT Security
DP-4: Key and Certificate Management - Security Principle: Securely manage cryptographic keys and certificates to control data access.
Azure Guidance: Use Azure Key Vault for secure key storage and management.
Implementation Context: Store all encryption keys and secrets in Azure Key Vault.
Stakeholders: IT Security, Compliance Teams
DP-5: Access Control for Sensitive Data - Security Principle: Limit data access to authorized users only.
Azure Guidance: Use Role-Based Access Control (RBAC) to restrict access to sensitive data.
Implementation Context: Set up RBAC for Azure Storage and other data services.
Stakeholders: Data Security, IT Admins
Asset Management (AM) ensures security visibility and governance over Azure resources. It includes asset tracking, tagging, and management recommendations to enhance operational oversight and security control across all assets.
AM-1: Asset Inventory - Security Principle: Maintain a complete inventory of all Azure resources for security oversight.
Azure Guidance: Use Azure Resource Graph and Azure Policy to track and audit resources.
Implementation Context: Enable continuous inventory tracking for all resources in Azure.
Stakeholders: IT Security, Asset Management
AM-2: Security Access to Asset Inventory - Security Principle: Provide security teams with access to resource inventories for monitoring and compliance.
Azure Guidance: Use RBAC to grant security teams access to resource inventories.
Implementation Context: Configure access controls for security and compliance personnel.
Stakeholders: Compliance Teams, IT Security
AM-3: Tagging and Classification of Assets - Security Principle: Tag resources to support classification and security management.
Azure Guidance: Apply resource tags in Azure for classification and compliance tracking.
Implementation Context: Use Azure Policy to enforce tagging for compliance requirements.
Stakeholders: IT Admins, Compliance Teams
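The AM-3 guidance depends on how Azure Policy evaluates the conditions in a definition's policyRule. The Python below is an added, offline evaluator for that rule format, written for this page rather than taken from Azure; it ships with two constructed policies (a required environment tag, and HTTPS-only storage as a secure-configuration example) and constructed resources. Alias resolution is simplified: the resource type prefix is stripped and the remainder is looked up under properties.

```python
"""Minimal offline evaluator for the `policyRule` section of an Azure Policy
definition (added example; not Azure's policy engine).  Supports the condition
operators used by typical tag-enforcement and secure-configuration policies
(`equals`, `notEquals`, `exists`, `in`, `notIn`) and the logical operators
`allOf`, `anyOf`, `not`.  Assumption: property aliases are resolved by
stripping the resource type prefix and walking `properties`, a simplification
of Azure's curated alias list."""
from __future__ import annotations

from typing import Any

# Two constructed policies.  The first is the AM-3 pattern: deny any resource
# that is created without an `environment` tag.  The second denies storage
# accounts that do not enforce HTTPS-only transport.
REQUIRE_ENV_TAG = {
    "if": {"field": "tags['environment']", "exists": "false"},
    "then": {"effect": "deny"},
}
STORAGE_HTTPS_ONLY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"not": {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "equals": "true"}},
    ]},
    "then": {"effect": "deny"},
}


def resolve_field(resource: dict[str, Any], field: str) -> tuple[bool, Any]:
    """Return (exists, value) for a policy `field` against a resource dict."""
    if field.startswith("tags['") and field.endswith("']"):
        key = field[len("tags['"):-len("']")]
        tags = resource.get("tags") or {}
        return key in tags, tags.get(key)
    if field in ("type", "name", "location"):
        return field in resource, resource.get(field)
    prefix = resource.get("type", "") + "/"
    if field.startswith(prefix):                   # property alias (simplified)
        node: Any = resource.get("properties", {})
        for part in field[len(prefix):].split("/"):
            if not isinstance(node, dict) or part not in node:
                return False, None
            node = node[part]
        return True, node
    return False, None


def _norm(value: Any) -> Any:
    # Azure Policy compares strings case-insensitively; booleans are
    # normalised to "true"/"false" so `"equals": "true"` matches a JSON true.
    if isinstance(value, bool):
        return "true" if value else "false"
    return value.lower() if isinstance(value, str) else value


def matches(cond: dict[str, Any], resource: dict[str, Any]) -> bool:
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    exists, value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return exists == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return exists and _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return not exists or _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return exists and _norm(value) in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return not exists or _norm(value) not in [_norm(v) for v in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy_rule: dict[str, Any], resource: dict[str, Any]) -> str:
    """Return the effect Azure Policy would apply ("deny", "audit", ...) or
    "compliant" when the `if` condition does not match."""
    if matches(policy_rule["if"], resource):
        return policy_rule["then"]["effect"].lower()
    return "compliant"


# Constructed resources in the shape of ARM resource JSON.
STORAGE_OK = {"type": "Microsoft.Storage/storageAccounts", "name": "stprodlogs",
              "location": "westeurope", "tags": {"environment": "prod"},
              "properties": {"supportsHttpsTrafficOnly": True}}
STORAGE_HTTP = {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
                "location": "westeurope", "tags": {"environment": "dev"},
                "properties": {"supportsHttpsTrafficOnly": False}}
VM_UNTAGGED = {"type": "Microsoft.Compute/virtualMachines", "name": "vm01",
               "location": "westeurope", "properties": {}}

if __name__ == "__main__":
    for res in (STORAGE_OK, STORAGE_HTTP, VM_UNTAGGED):
        print(res["name"], evaluate_policy(REQUIRE_ENV_TAG, res),
              evaluate_policy(STORAGE_HTTPS_ONLY, res))
```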
AM-4: Approval Management - Security Principle: Enforce approval workflows for managing resources to prevent unauthorized access.
Azure Guidance: Implement approvals for changes and deployment of new resources.
Implementation Context: Use Azure DevOps for managing resource change requests.
Stakeholders: Change Management, Security Operations
AM-5: Resource Ownership and Responsibility - Security Principle: Assign clear ownership for all Azure resources to ensure accountability.
Azure Guidance: Define ownership within Azure subscriptions for all resources.
Implementation Context: Enforce roles for resource owners through Azure AD.
Stakeholders: Resource Managers, IT Admins
Logging and Threat Detection (LT) focuses on enabling, collecting, storing, and analyzing security logs to detect potential threats across Azure services. This control domain helps establish a solid foundation for threat detection, investigation, and remediation.
LT-1: Enable Security Logging - Security Principle: Ensure logging is enabled across Azure services to capture all relevant security events.
Azure Guidance: Enable logging for all Azure resources to capture network, identity, and activity logs.
Implementation Context: Use Azure Monitor, Azure Sentinel, and Microsoft Defender for Cloud to enable, collect, and manage logs.
Stakeholders: Security Operations, IT Admins
LT-2: Centralize Security Log Management - Security Principle: Consolidate security logs in a centralized storage solution to facilitate analysis and alerting.
Azure Guidance: Use Azure Log Analytics and Sentinel to centralize log data.
Implementation Context: Configure centralized log collection and aggregation through Azure services.
Stakeholders: SOC Teams, Compliance Teams
LT-3: High-Quality Alert Generation - Security Principle: Configure high-quality, actionable alerts for security events.
Azure Guidance: Use Sentinel's alerting capabilities to configure actionable alerts based on log analytics.
Implementation Context: Use custom alerts in Azure Sentinel to meet specific security needs.
Stakeholders: SOC Analysts, Security Engineers
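As an added illustration of the alerting in IM-5 and LT-3, the Python below runs two detections over constructed Azure AD sign-in records shaped like the Log Analytics SigninLogs table. It is not a Sentinel rule (Sentinel would express the same logic in KQL), and the users, addresses and timestamps are made up.

```python
"""Detection logic for IM-5 / LT-3, run offline over constructed Azure AD
sign-in records (added example; in Sentinel this would be a KQL analytics rule).
Field names follow the Log Analytics SigninLogs table: TimeGenerated,
UserPrincipalName, IPAddress, ResultType ("0" = success, otherwise an AADSTS
error code such as 50126 = invalid username or password) and
RiskLevelDuringSignIn.  Two detections:
  1. a burst of failed sign-ins from one address followed by a success for
     the same user from that address (credential guessing that worked);
  2. any successful sign-in that Identity Protection scored medium or high."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta


def _rec(t: str, user: str, ip: str, result: str, risk: str = "none") -> dict:
    return {"TimeGenerated": t, "UserPrincipalName": user, "IPAddress": ip,
            "ResultType": result, "RiskLevelDuringSignIn": risk}


# Constructed sample; addresses are from the RFC 5737 documentation ranges.
SIGNIN_LOGS = [
    # alice: five failures from one address, then a success  -> flag
    _rec("2024-05-01T08:00:00Z", "alice@contoso.example", "203.0.113.5", "50126"),
    _rec("2024-05-01T08:00:10Z", "alice@contoso.example", "203.0.113.5", "50126"),
    _rec("2024-05-01T08:00:20Z", "alice@contoso.example", "203.0.113.5", "50126"),
    _rec("2024-05-01T08:00:30Z", "alice@contoso.example", "203.0.113.5", "50126"),
    _rec("2024-05-01T08:00:40Z", "alice@contoso.example", "203.0.113.5", "50126"),
    _rec("2024-05-01T08:01:00Z", "alice@contoso.example", "203.0.113.5", "0"),
    # carol: two typos then a success  -> below threshold, no flag
    _rec("2024-05-01T09:00:00Z", "carol@contoso.example", "198.51.100.20", "50126"),
    _rec("2024-05-01T09:00:15Z", "carol@contoso.example", "198.51.100.20", "50126"),
    _rec("2024-05-01T09:00:30Z", "carol@contoso.example", "198.51.100.20", "0"),
    # bob: clean success that Identity Protection scored high risk  -> flag
    _rec("2024-05-01T10:30:00Z", "bob@contoso.example", "192.0.2.99", "0", "high"),
    # dave: five failures, but the success comes an hour later  -> outside window
    _rec("2024-05-01T06:00:00Z", "dave@contoso.example", "203.0.113.77", "50126"),
    _rec("2024-05-01T06:00:10Z", "dave@contoso.example", "203.0.113.77", "50126"),
    _rec("2024-05-01T06:00:20Z", "dave@contoso.example", "203.0.113.77", "50126"),
    _rec("2024-05-01T06:00:30Z", "dave@contoso.example", "203.0.113.77", "50126"),
    _rec("2024-05-01T06:00:40Z", "dave@contoso.example", "203.0.113.77", "50126"),
    _rec("2024-05-01T07:00:00Z", "dave@contoso.example", "203.0.113.77", "0"),
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def failures_then_success(logs: list[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Flag (user, ip) pairs where at least `threshold` failed sign-ins inside
    `window` are followed by a success for that user from the same address."""
    by_pair: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for rec in sorted(logs, key=lambda r: r["TimeGenerated"]):
        by_pair[(rec["UserPrincipalName"], rec["IPAddress"])].append(rec)

    hits = []
    for (user, ip), events in by_pair.items():
        recent_failures: list[datetime] = []
        for event in events:
            now = _ts(event["TimeGenerated"])
            # Drop failures that have aged out of the sliding window.
            recent_failures = [t for t in recent_failures if now - t <= window]
            if event["ResultType"] != "0":
                recent_failures.append(now)
            elif len(recent_failures) >= threshold:
                hits.append({"user": user, "ip": ip, "failures": len(recent_failures),
                             "success_at": event["TimeGenerated"]})
                recent_failures = []
    return hits


def risky_successes(logs: list[dict], levels: tuple[str, ...] = ("medium", "high")) -> list[dict]:
    """Successful sign-ins whose Identity Protection risk level is in `levels`."""
    return [{"user": r["UserPrincipalName"], "ip": r["IPAddress"],
             "risk": r["RiskLevelDuringSignIn"]}
            for r in logs
            if r["ResultType"] == "0" and r["RiskLevelDuringSignIn"].lower() in levels]


if __name__ == "__main__":
    for hit in failures_then_success(SIGNIN_LOGS) + risky_successes(SIGNIN_LOGS):
        print(hit)
```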
LT-4: Log Retention Policy - Security Principle: Implement retention policies to store logs for compliance and audit purposes.
Azure Guidance: Configure retention policies in Azure Log Analytics for long-term log storage.
Implementation Context: Set retention periods based on compliance requirements and audit needs.
Stakeholders: Compliance Teams, IT Security
LT-5: Threat Detection and Incident Investigation - Security Principle: Use advanced tools to detect threats and support investigations.
Azure Guidance: Leverage Azure Sentinel and Defender for Cloud for enhanced threat detection and analysis.
Implementation Context: Enable Microsoft Defender and Sentinel for comprehensive threat protection.
Stakeholders: SOC Teams, Security Operations
Incident Response (IR) focuses on preparing for, detecting, analyzing, and responding to security incidents in Azure. It includes automating incident response workflows and leveraging Azure tools to enhance response capabilities and minimize impact.
IR-1: Incident Response Planning - Security Principle: Develop an incident response (IR) plan to ensure quick and organized reactions to security incidents.
Azure Guidance: Define an IR strategy and response plans that include Azure-specific processes.
Implementation Context: Use Microsoft Defender for Cloud to manage security incidents and align with organizational IR plans.
Stakeholders: SOC Teams, Incident Managers
IR-2: Automated Response - Security Principle: Automate response actions to reduce incident response time and limit damage.
Azure Guidance: Use playbooks in Azure Sentinel to automate incident responses and workflows.
Implementation Context: Create Sentinel playbooks to respond to specific threat types automatically.
Stakeholders: Security Engineers, SOC Teams
IR-3: Incident Simulation - Security Principle: Conduct simulation exercises to improve response readiness and team performance.
Azure Guidance: Run tabletop exercises and simulated attacks in Azure to test incident response readiness.
Implementation Context: Use simulation tools and periodic drills to refine response procedures.
Stakeholders: SOC Teams, Incident Managers
IR-4: Incident Management - Security Principle: Use a centralized solution for managing incidents and tracking their lifecycle.
Azure Guidance: Use Azure Sentinel’s incident management features to log and manage security incidents.
Implementation Context: Enable Sentinel’s incident response capabilities to streamline incident tracking.
Stakeholders: SOC Analysts, Security Operations
IR-5: Post-Incident Analysis - Security Principle: Conduct root cause analysis and refine response plans following incidents.
Azure Guidance: Document findings and lessons learned to improve future response efforts.
Implementation Context: Implement a feedback loop to integrate learnings into the IR plan.
Stakeholders: SOC Teams, Compliance Teams
Posture and Vulnerability Management (PV) focuses on assessing, tracking, and improving the security posture of Azure environments. It includes vulnerability scanning, configuration assessments, and remediation strategies to reduce risk across resources.
PV-1: Vulnerability Scanning - Security Principle: Regularly scan for vulnerabilities to proactively identify and address risks.
Azure Guidance: Use Defender for Cloud to scan resources for vulnerabilities.
Implementation Context: Enable periodic vulnerability scans for virtual machines and containers.
Stakeholders: Security Engineers, Compliance Teams
PV-2: Configuration Assessment - Security Principle: Regularly assess configuration settings for security compliance and best practices.
Azure Guidance: Use Azure Policy and Defender for Cloud to track and enforce configuration standards.
Implementation Context: Set up Azure Policy to monitor configurations for compliance.
Stakeholders: IT Security, Compliance Teams
PV-3: Patch Management - Security Principle: Ensure timely patching and updates to minimize exposure to known vulnerabilities.
Azure Guidance: Automate patching for Azure VMs using Update Management.
Implementation Context: Configure scheduled patching to ensure all resources remain up to date.
Stakeholders: IT Security, Operations Teams
PV-4: Security Baseline - Security Principle: Define and implement security baselines for all Azure resources.
Azure Guidance: Use Defender for Cloud to establish and track baseline configurations.
Implementation Context: Apply Azure Security Benchmark baselines as minimum requirements.
Stakeholders: IT Security, Compliance Teams
PV-5: Threat and Risk Assessment - Security Principle: Conduct risk assessments to identify and mitigate potential threats.
Azure Guidance: Use Defender for Cloud’s threat intelligence to identify risks in your environment.
Implementation Context: Regularly assess Azure resources and prioritize remediation.
Stakeholders: Security Operations, Compliance Teams
Endpoint Security (ES) includes controls for securing endpoints within Azure environments. It covers endpoint detection and response (EDR), anti-malware, and configuration management to prevent unauthorized access and data compromise on virtual machines and other devices.
ES-1: Endpoint Detection and Response (EDR) - Security Principle: Use EDR to continuously monitor and detect threats on endpoints.
Azure Guidance: Deploy Microsoft Defender for Endpoint to protect Azure VMs and devices.
Implementation Context: Enable EDR for all endpoints to detect potential threats in real time.
Stakeholders: IT Security, SOC Teams
ES-2: Anti-Malware Protection - Security Principle: Deploy anti-malware solutions to protect endpoints from malicious software.
Azure Guidance: Use Defender for Cloud to monitor for anti-malware status on endpoints.
Implementation Context: Ensure anti-malware is active on all endpoints, including VMs.
Stakeholders: Security Engineers, IT Admins
ES-3: Endpoint Configuration Management - Security Principle: Maintain secure endpoint configurations to prevent misconfigurations.
Azure Guidance: Use Azure Policy to enforce secure configurations on endpoints.
Implementation Context: Set configuration policies for endpoints to align with security standards.
Stakeholders: IT Security, Compliance Teams
ES-4: Endpoint Patching - Security Principle: Regularly apply patches to keep endpoints secure and up to date.
Azure Guidance: Automate endpoint patching using Update Management.
Implementation Context: Set patch schedules to keep all endpoints protected from vulnerabilities.
Stakeholders: IT Operations, IT Security
ES-5: Access Control - Security Principle: Enforce least-privilege access to secure endpoint devices.
Azure Guidance: Implement RBAC and MFA to secure endpoint access.
Implementation Context: Configure role-based access policies and enforce MFA on sensitive endpoints.
Stakeholders: IT Security, Compliance Teams
Backup and Recovery (BR) ensures that data and configurations are backed up and validated. It covers policies and procedures to protect data from accidental loss, corruption, or attacks, ensuring data recoverability in case of a disaster or security incident.
BR-1: Backup Policies - Security Principle: Establish backup policies to ensure data and configuration integrity.
Azure Guidance: Define backup policies with Azure Backup to secure data and configurations.
Implementation Context: Use Azure Backup to automate backup scheduling and retention.
Stakeholders: IT Admins, Compliance Teams
BR-2: Backup Validation - Security Principle: Regularly test and validate backups for data integrity and recoverability.
Azure Guidance: Perform regular restore tests to ensure backup data reliability.
Implementation Context: Schedule restore tests for critical backups to validate functionality.
Stakeholders: IT Security, Compliance Teams
BR-3: Disaster Recovery Planning - Security Principle: Develop and maintain a disaster recovery (DR) plan to ensure business continuity.
Azure Guidance: Use Azure Site Recovery to manage DR plans and facilitate failover.
Implementation Context: Test DR plans periodically to ensure functionality.
Stakeholders: IT Security, IT Operations
BR-4: Data Restoration Testing - Security Principle: Regularly test data restoration processes to verify recoverability.
Azure Guidance: Schedule and perform data restoration tests using Azure Backup.
Implementation Context: Implement a regular testing schedule for critical backup restores.
Stakeholders: IT Operations, Compliance Teams
BR-5: Backup Security - Security Principle: Secure backup data to prevent unauthorized access or tampering.
Azure Guidance: Use encryption and role-based access to secure backup data.
Implementation Context: Enable encryption for backups and restrict access to authorized users.
Stakeholders: IT Security, Compliance Teams
BR-6: Geo-Redundancy - Security Principle: Implement geo-redundant storage for critical backups to improve resilience.
Azure Guidance: Use geo-redundant storage for critical backup data to enhance disaster resilience.
Implementation Context: Configure geo-redundancy settings in Azure Backup for key resources.
Stakeholders: IT Security, IT Operations
DevOps Security (DS) focuses on integrating security practices within the DevOps lifecycle, ensuring that security is maintained throughout development, testing, and deployment phases. This domain includes secure coding practices, vulnerability scanning, and automated security checks.
DS-1: Secure Code Review - Security Principle: Conduct code reviews to identify and mitigate security vulnerabilities early.
Azure Guidance: Use tools like Azure DevOps Security Code Analysis or GitHub Advanced Security to conduct static and dynamic code reviews.
Implementation Context: Integrate code analysis tools within CI/CD pipelines to detect security issues automatically.
Stakeholders: DevOps Teams, Security Engineers
DS-2: Vulnerability Management - Security Principle: Perform vulnerability scanning on code and container images before deployment.
Azure Guidance: Use Azure Security Center to scan containers and applications for known vulnerabilities.
Implementation Context: Automate vulnerability scans within the pipeline to detect issues before production.
Stakeholders: DevOps Teams, Security Engineers
DS-3: Threat Modeling - Security Principle: Conduct threat modeling to proactively identify potential threats to applications.
Azure Guidance: Use Microsoft Threat Modeling Tool to anticipate and mitigate security risks during design.
Implementation Context: Integrate threat modeling sessions into the design phase of DevOps workflows.
Stakeholders: Security Architects, DevOps Teams
DS-4: CI/CD Security - Security Principle: Implement security tests within CI/CD pipelines to prevent the introduction of vulnerabilities during deployment.
Azure Guidance: Use Azure Pipelines with security test integration for dynamic analysis during the CI/CD process.
Implementation Context: Set up automated security tests that run during each pipeline stage.
Stakeholders: DevOps Teams, Security Engineers
DS-5: Software Supply Chain Security - Security Principle: Enforce security on dependencies and third-party libraries to prevent supply chain attacks.
Azure Guidance: Use tools to monitor dependencies, such as GitHub Dependabot, to identify vulnerable libraries.
Implementation Context: Enable automated checks for dependencies in all development repositories.
Stakeholders: DevOps Teams, Security Engineers
DS-6: Secure Configuration - Security Principle: Ensure that development and production environments are securely configured.
Azure Guidance: Use Azure Policy to enforce secure configurations within Azure environments.
Implementation Context: Define configuration baselines and implement checks to ensure adherence across all environments.
Stakeholders: IT Security, Compliance Teams
Governance and Strategy (GS) emphasizes the development of a cohesive security strategy and governance framework within Azure environments. It ensures accountability, consistency, and alignment with organizational objectives through clear roles, policies, and continuous improvement processes.
GS-1: Security Roles and Responsibilities - Security Principle: Define roles and responsibilities for all security functions within Azure to ensure accountability.
Azure Guidance: Assign and document security responsibilities across teams to enhance organizational accountability.
Implementation Context: Clearly define security roles within Azure AD and integrate with organizational policies.
Stakeholders: Security Leadership, Compliance Teams
GS-2: Security Strategy and Policy - Security Principle: Establish a comprehensive security strategy and develop supporting policies to guide security efforts.
Azure Guidance: Use Azure Blueprints to manage and enforce security policies across environments.
Implementation Context: Develop security policies that align with organizational goals and industry best practices.
Stakeholders: IT Security Leadership, Compliance Teams
GS-3: Risk Management - Security Principle: Establish risk management processes to identify, assess, and mitigate risks within Azure environments.
Azure Guidance: Use Microsoft Defender for Cloud to identify and assess risk levels and implement mitigation measures.
Implementation Context: Develop risk management workflows to monitor and address security risks continuously.
Stakeholders: IT Security, Compliance Teams
GS-4: Compliance Management - Security Principle: Ensure compliance with relevant regulations and standards through continuous monitoring and policy enforcement.
Azure Guidance: Use Compliance Manager and Azure Policy to manage and maintain regulatory compliance.
Implementation Context: Regularly review and update compliance settings within Azure to meet current requirements.
Stakeholders: Compliance Teams, Security Operations
GS-5: Security Policy Enforcement - Security Principle: Automate the enforcement of security policies to maintain consistency and reduce human error.
Azure Guidance: Use Azure Policy to ensure resources remain compliant with security policies.
Implementation Context: Define and apply policies across resources to prevent misconfigurations.
Stakeholders: IT Security, Compliance Teams
GS-6: Continuous Improvement - Security Principle: Regularly evaluate and update security policies and practices to address evolving threats.
Azure Guidance: Use security assessments and incident reviews to update security policies proactively.
Implementation Context: Establish feedback mechanisms and reviews to ensure that security practices evolve as necessary.
Stakeholders: Security Leadership, IT Operations
Stakeholders: Data Security, Compliance Teams
DP-2: Encryption of Data at Rest - Security Principle: Encrypt sensitive data to protect it from unauthorized access.
Azure Guidance: Enable Azure Disk Encryption and Transparent Data Encryption (TDE) for stored data.
Implementation Context: Use TDE for Azure SQL and Azure Storage Service Encryption for data in Azure Blob Storage.
Stakeholders: IT Security, Database Admins
DP-3: Encryption of Data in Transit - Security Principle: Protect data integrity by encrypting data during transit.
Azure Guidance: Use TLS for data transmitted across Azure resources.
Implementation Context: Configure encryption protocols like TLS for all data transfers.
Stakeholders: Network Security, IT Security
DP-4: Key and Certificate Management - Security Principle: Securely manage cryptographic keys and certificates to control data access.
Azure Guidance: Use Azure Key Vault for secure key storage and management.
Implementation Context: Store all encryption keys and secrets in Azure Key Vault.
Stakeholders: IT Security, Compliance Teams
DP-5: Access Control for Sensitive Data - Security Principle: Limit data access to authorized users only.
Azure Guidance: Use Role-Based Access Control (RBAC) to restrict access to sensitive data.
Implementation Context: Set up RBAC for Azure Storage and other data services.
Stakeholders: Data Security, IT Admins
Asset Management (AM) ensures security visibility and governance over Azure resources. It includes asset tracking, tagging, and management recommendations to enhance operational oversight and security control across all assets.
AM-1: Asset Inventory - Security Principle: Maintain a complete inventory of all Azure resources for security oversight.
Azure Guidance: Use Azure Resource Graph and Azure Policy to track and audit resources.
Implementation Context: Enable continuous inventory tracking for all resources in Azure.
Stakeholders: IT Security, Asset Management
AM-2: Security Access to Asset Inventory - Security Principle: Provide security teams with access to resource inventories for monitoring and compliance.
Azure Guidance: Use RBAC to grant security teams access to resource inventories.
Implementation Context: Configure access controls for security and compliance personnel.
Stakeholders: Compliance Teams, IT Security
AM-3: Tagging and Classification of Assets - Security Principle: Tag resources to support classification and security management.
Azure Guidance: Apply resource tags in Azure for classification and compliance tracking.
Implementation Context: Use Azure Policy to enforce tagging for compliance requirements.
Stakeholders: IT Admins, Compliance Teams
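As an added example, not from the page or from Microsoft's built-in definitions, this Azure Policy definition enforces the AM-3 tagging requirement: it denies creation or update of any taggable resource that lacks a classification tag or carries a value outside an approved list. The tag name and the allowed values are assumed defaults and can be overridden at assignment time.

```json
{
  "properties": {
    "displayName": "Require a data-classification tag with an approved value",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Classification tag every resource must carry"
        },
        "defaultValue": "dataClassification"
      },
      "allowedValues": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed tag values",
          "description": "Approved classification labels"
        },
        "defaultValue": [ "public", "internal", "confidential", "restricted" ]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notIn": "[parameters('allowedValues')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assign it first with the effect overridden to Audit so the compliance view shows which existing resources would be blocked, then move to Deny once owners have tagged them.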
AM-4: Approval Management - Security Principle: Enforce approval workflows for managing resources to prevent unauthorized access.
Azure Guidance: Implement approvals for changes and deployment of new resources.
Implementation Context: Use Azure DevOps for managing resource change requests.
Stakeholders: Change Management, Security Operations
AM-5: Resource Ownership and Responsibility - Security Principle: Assign clear ownership for all Azure resources to ensure accountability.
Azure Guidance: Define ownership within Azure subscriptions for all resources.
Implementation Context: Enforce roles for resource owners through Azure AD.
Stakeholders: Resource Managers, IT Admins
Logging and Threat Detection (LT) focuses on enabling, collecting, storing, and analyzing security logs to detect potential threats across Azure services. This control domain helps establish a solid foundation for threat detection, investigation, and remediation.
LT-1: Enable Security Logging - Security Principle: Ensure logging is enabled across Azure services to capture all relevant security events.
Azure Guidance: Enable logging for all Azure resources to capture network, identity, and activity logs.
Implementation Context: Use Azure Monitor, Azure Sentinel, and Microsoft Defender for Cloud to enable, collect, and manage logs.
Stakeholders: Security Operations, IT Admins
LT-2: Centralize Security Log Management - Security Principle: Consolidate security logs in a centralized storage solution to facilitate analysis and alerting.
Azure Guidance: Use Azure Log Analytics and Sentinel to centralize log data.
Implementation Context: Configure centralized log collection and aggregation through Azure services.
Stakeholders: SOC Teams, Compliance Teams
LT-3: High-Quality Alert Generation - Security Principle: Configure high-quality, actionable alerts for security events.
Azure Guidance: Use Sentinel's alerting capabilities to configure actionable alerts based on log analytics.
Implementation Context: Use custom alerts in Azure Sentinel to meet specific security needs.
Stakeholders: SOC Analysts, Security Engineers
LT-4: Log Retention Policy - Security Principle: Implement retention policies to store logs for compliance and audit purposes.
Azure Guidance: Configure retention policies in Azure Log Analytics for long-term log storage.
Implementation Context: Set retention periods based on compliance requirements and audit needs.
Stakeholders: Compliance Teams, IT Security
LT-5: Threat Detection and Incident Investigation - Security Principle: Use advanced tools to detect threats and support investigations.
Azure Guidance: Leverage Azure Sentinel and Defender for Cloud for enhanced threat detection and analysis.
Implementation Context: Enable Microsoft Defender and Sentinel for comprehensive threat protection.
Stakeholders: SOC Teams, Security Operations
Incident Response (IR) focuses on preparing for, detecting, analyzing, and responding to security incidents in Azure. It includes automating incident response workflows and leveraging Azure tools to enhance response capabilities and minimize impact.
IR-1: Incident Response Planning - Security Principle: Develop an incident response (IR) plan to ensure quick and organized reactions to security incidents.
Azure Guidance: Define an IR strategy and response plans that include Azure-specific processes.
Implementation Context: Use Microsoft Defender for Cloud to manage security incidents and align with organizational IR plans.
Stakeholders: SOC Teams, Incident Managers
IR-2: Automated Response - Security Principle: Automate response actions to reduce incident response time and limit damage.
Azure Guidance: Use playbooks in Azure Sentinel to automate incident responses and workflows.
Implementation Context: Create Sentinel playbooks to respond to specific threat types automatically.
Stakeholders: Security Engineers, SOC Teams
IR-3: Incident Simulation - Security Principle: Conduct simulation exercises to improve response readiness and team performance.
Azure Guidance: Run tabletop exercises and simulated attacks in Azure to test incident response readiness.
Implementation Context: Use simulation tools and periodic drills to refine response procedures.
Stakeholders: SOC Teams, Incident Managers
IR-4: Incident Management - Security Principle: Use a centralized solution for managing incidents and tracking their lifecycle.
Azure Guidance: Use Azure Sentinel’s incident management features to log and manage security incidents.
Implementation Context: Enable Sentinel’s incident response capabilities to streamline incident tracking.
Stakeholders: SOC Analysts, Security Operations
IR-5: Post-Incident Analysis - Security Principle: Conduct root cause analysis and refine response plans following incidents.
Azure Guidance: Document findings and lessons learned to improve future response efforts.
Implementation Context: Implement a feedback loop to integrate learnings into the IR plan.
Stakeholders: SOC Teams, Compliance Teams
Posture and Vulnerability Management (PV) focuses on assessing, tracking, and improving the security posture of Azure environments. It includes vulnerability scanning, configuration assessments, and remediation strategies to reduce risk across resources.
PV-1: Vulnerability Scanning - Security Principle: Regularly scan for vulnerabilities to proactively identify and address risks.
Azure Guidance: Use Defender for Cloud to scan resources for vulnerabilities.
Implementation Context: Enable periodic vulnerability scans for virtual machines and containers.
Stakeholders: Security Engineers, Compliance Teams
PV-2: Configuration Assessment - Security Principle: Regularly assess configuration settings for security compliance and best practices.
Azure Guidance: Use Azure Policy and Defender for Cloud to track and enforce configuration standards.
Implementation Context: Set up Azure Policy to monitor configurations for compliance.
Stakeholders: IT Security, Compliance Teams
PV-3: Patch Management - Security Principle: Ensure timely patching and updates to minimize exposure to known vulnerabilities.
Azure Guidance: Automate patching for Azure VMs using Update Management.
Implementation Context: Configure scheduled patching to ensure all resources remain up to date.
Stakeholders: IT Security, Operations Teams
PV-4: Security Baseline - Security Principle: Define and implement security baselines for all Azure resources.
Azure Guidance: Use Defender for Cloud to establish and track baseline configurations.
Implementation Context: Apply Azure Security Benchmark baselines as minimum requirements.
Stakeholders: IT Security, Compliance Teams
PV-5: Threat and Risk Assessment - Security Principle: Conduct risk assessments to identify and mitigate potential threats.
Azure Guidance: Use Defender for Cloud’s threat intelligence to identify risks in your environment.
Implementation Context: Regularly assess Azure resources and prioritize remediation.
Stakeholders: Security Operations, Compliance Teams
Endpoint Security (ES) includes controls for securing endpoints within Azure environments. It covers endpoint detection and response (EDR), anti-malware, and configuration management to prevent unauthorized access and data compromise on virtual machines and other devices.
ES-1: Endpoint Detection and Response (EDR) - Security Principle: Use EDR to continuously monitor and detect threats on endpoints.
Azure Guidance: Deploy Microsoft Defender for Endpoint to protect Azure VMs and devices.
Implementation Context: Enable EDR for all endpoints to detect potential threats in real time.
Stakeholders: IT Security, SOC Teams
ES-2: Anti-Malware Protection - Security Principle: Deploy anti-malware solutions to protect endpoints from malicious software.
Azure Guidance: Use Defender for Cloud to monitor for anti-malware status on endpoints.
Implementation Context: Ensure anti-malware is active on all endpoints, including VMs.
Stakeholders: Security Engineers, IT Admins
ES-3: Endpoint Configuration Management - Security Principle: Maintain secure endpoint configurations to prevent misconfigurations.
Azure Guidance: Use Azure Policy to enforce secure configurations on endpoints.
Implementation Context: Set configuration policies for endpoints to align with security standards.
Stakeholders: IT Security, Compliance Teams
ES-4: Endpoint Patching - Security Principle: Regularly apply patches to keep endpoints secure and up to date.
Azure Guidance: Automate endpoint patching using Update Management.
Implementation Context: Set patch schedules to keep all endpoints protected from vulnerabilities.
Stakeholders: IT Operations, IT Security
ES-5: Access Control - Security Principle: Enforce least-privilege access to secure endpoint devices.
Azure Guidance: Implement RBAC and MFA to secure endpoint access.
Implementation Context: Configure role-based access policies and enforce MFA on sensitive endpoints.
Stakeholders: IT Security, Compliance Teams
Backup and Recovery (BR) ensures that data and configurations are backed up and validated. It covers policies and procedures to protect data from accidental loss, corruption, or attacks, ensuring data recoverability in case of a disaster or security incident.
BR-1: Backup Policies - Security Principle: Establish backup policies to ensure data and configuration integrity.
Azure Guidance: Define backup policies with Azure Backup to secure data and configurations.
Implementation Context: Use Azure Backup to automate backup scheduling and retention.
Stakeholders: IT Admins, Compliance Teams
BR-2: Backup Validation - Security Principle: Regularly test and validate backups for data integrity and recoverability.
Azure Guidance: Perform regular restore tests to ensure backup data reliability.
Implementation Context: Schedule restore tests for critical backups to validate functionality.
Stakeholders: IT Security, Compliance Teams
BR-3: Disaster Recovery Planning - Security Principle: Develop and maintain a disaster recovery (DR) plan to ensure business continuity.
Azure Guidance: Use Azure Site Recovery to manage DR plans and facilitate failover.
Implementation Context: Test DR plans periodically to ensure functionality.
Stakeholders: IT Security, IT Operations
BR-4: Data Restoration Testing - Security Principle: Regularly test data restoration processes to verify recoverability.
Azure Guidance: Schedule and perform data restoration tests using Azure Backup.
Implementation Context: Implement a regular testing schedule for critical backup restores.
Stakeholders: IT Operations, Compliance Teams
BR-5: Backup Security - Security Principle: Secure backup data to prevent unauthorized access or tampering.
Azure Guidance: Use encryption and role-based access to secure backup data.
Implementation Context: Enable encryption for backups and restrict access to authorized users.
Stakeholders: IT Security, Compliance Teams
BR-6: Geo-Redundancy - Security Principle: Implement geo-redundant storage for critical backups to improve resilience.
Azure Guidance: Use geo-redundant storage for critical backup data to enhance disaster resilience.
Implementation Context: Configure geo-redundancy settings in Azure Backup for key resources.
Stakeholders: IT Security, IT Operations
DevOps Security (DS) focuses on integrating security practices within the DevOps lifecycle, ensuring that security is maintained throughout development, testing, and deployment phases. This domain includes secure coding practices, vulnerability scanning, and automated security checks.
DS-1: Secure Code Review - Security Principle: Conduct code reviews to identify and mitigate security vulnerabilities early.
Azure Guidance: Use tools like Azure DevOps Security Code Analysis or GitHub Advanced Security to conduct static and dynamic code reviews.
Implementation Context: Integrate code analysis tools within CI/CD pipelines to detect security issues automatically.
Stakeholders: DevOps Teams, Security Engineers
DS-2: Vulnerability Management - Security Principle: Perform vulnerability scanning on code and container images before deployment.
Azure Guidance: Use Azure Security Center to scan containers and applications for known vulnerabilities.
Implementation Context: Automate vulnerability scans within the pipeline to detect issues before production.
Stakeholders: DevOps Teams, Security Engineers
DS-3: Threat Modeling - Security Principle: Conduct threat modeling to proactively identify potential threats to applications.
Azure Guidance: Use Microsoft Threat Modeling Tool to anticipate and mitigate security risks during design.
Implementation Context: Integrate threat modeling sessions into the design phase of DevOps workflows.
Stakeholders: Security Architects, DevOps Teams
DS-4: CI/CD Security - Security Principle: Implement security tests within CI/CD pipelines to prevent the introduction of vulnerabilities during deployment.
Azure Guidance: Use Azure Pipelines with security test integration for dynamic analysis during the CI/CD process.
Implementation Context: Set up automated security tests that run during each pipeline stage.
Stakeholders: DevOps Teams, Security Engineers
DS-5: Software Supply Chain Security - Security Principle: Enforce security on dependencies and third-party libraries to prevent supply chain attacks.
Azure Guidance: Use tools to monitor dependencies, such as GitHub Dependabot, to identify vulnerable libraries.
Implementation Context: Enable automated checks for dependencies in all development repositories.
Stakeholders: DevOps Teams, Security Engineers
DS-6: Secure Configuration - Security Principle: Ensure that development and production environments are securely configured.
Azure Guidance: Use Azure Policy to enforce secure configurations within Azure environments.
Implementation Context: Define configuration baselines and implement checks to ensure adherence across all environments.
Stakeholders: IT Security, Compliance Teams
Governance and Strategy (GS) emphasizes the development of a cohesive security strategy and governance framework within Azure environments. It ensures accountability, consistency, and alignment with organizational objectives through clear roles, policies, and continuous improvement processes.
GS-1: Security Roles and Responsibilities - Security Principle: Define roles and responsibilities for all security functions within Azure to ensure accountability.
Azure Guidance: Assign and document security responsibilities across teams to enhance organizational accountability.
Implementation Context: Clearly define security roles within Azure AD and integrate with organizational policies.
Stakeholders: Security Leadership, Compliance Teams
GS-2: Security Strategy and Policy - Security Principle: Establish a comprehensive security strategy and develop supporting policies to guide security efforts.
Azure Guidance: Use Azure Blueprints to manage and enforce security policies across environments.
Implementation Context: Develop security policies that align with organizational goals and industry best practices.
Stakeholders: IT Security Leadership, Compliance Teams
GS-3: Risk Management - Security Principle: Establish risk management processes to identify, assess, and mitigate risks within Azure environments.
Azure Guidance: Use Microsoft Defender for Cloud to identify and assess risk levels and implement mitigation measures.
Implementation Context: Develop risk management workflows to monitor and address security risks continuously.
Stakeholders: IT Security, Compliance Teams
GS-4: Compliance Management - Security Principle: Ensure compliance with relevant regulations and standards through continuous monitoring and policy enforcement.
Azure Guidance: Use Compliance Manager and Azure Policy to manage and maintain regulatory compliance.
Implementation Context: Regularly review and update compliance settings within Azure to meet current requirements.
Stakeholders: Compliance Teams, Security Operations
GS-5: Security Policy Enforcement - Security Principle: Automate the enforcement of security policies to maintain consistency and reduce human error.
Azure Guidance: Use Azure Policy to ensure resources remain compliant with security policies.
Implementation Context: Define and apply policies across resources to prevent misconfigurations.
Stakeholders: IT Security, Compliance Teams
GS-6: Continuous Improvement - Security Principle: Regularly evaluate and update security policies and practices to address evolving threats.
Azure Guidance: Use security assessments and incident reviews to update security policies proactively.
Implementation Context: Establish feedback mechanisms and reviews to ensure that security practices evolve as necessary.
Stakeholders: Security Leadership, IT Operations