Information Security is one of the most important and crucial aspects for any enterprise grade system software. For a cloud ecosystem, like Azure, having sturdy information security (including data security) is fundamental. Microsoft has been constantly improving the robustness of the Azure platform ever since its launch.
Recently, Microsoft have released the second version of their recommended security practices and configurations, called the Azure Security Benchmark to help customers adopt recommended information security best practices across the Azure platform.
The benchmark provides design and configuration guidelines across various cloud-centric control areas, called Control Domains. These are based on well-known security benchmarks such as, Center for Internet Security (CIS) Controls Version 7.1 and National Institute of Standards and Technology (NIST) SP 800-53.
The Control Domains included in the Azure Security Benchmark v2 are :
|Network security (NS)|
|Identity Management (IM)|
|Privileged Access (PA)|
|Data Protection (DP)|
|Asset Management (AM)|
|Logging and Threat Detection (LT)|
|Incident Response (IR)|
|Posture and Vulnerability Management (PV)|
|Endpoint Security (ES)|
|Backup and Recovery (BR)|
|Governance and Strategy (GS)|
Each Information Security Control Domain mentioned above includes the following:
Azure ID: A unique Security Benchmark ID to identify the recommendation.
CIS Controls v7.1 ID(s): The corresponding CIS Controls v7.1 id(s) (single or multiple) for the recommendation.
NIST SP 800-53 r4 ID(s): The corresponding NIST SP 800-53 r4 ID(s) (single or multiple) to identify the recommendation.
Details: The detailed explanation around the rationale and helpful guidelines on how to implement the recommendation. Information about whether the recommendation is supported by Azure Security Center is also included.
Responsibility: To identify the responsible entity (Customer, service-provider or both) for implementing the security recommendation. Due to the overarching nature of the Azure Security Benchmark, some recommendations may have a shared responsibility between the customer and service-provider. These will be specified in the baseline recommendations for the individual service.
Customer Security Stakeholders: The security function in the customer organization security department who is responsible for the respective control. This can differ based the ownership and organization structure for different customers.