Microsoft Defender for Cloud Blog

Azure Security Benchmark v2 is now available with expanded security control assessments

Avi Ben-Menahem
Former Employee
Sep 22, 2020

Today we are pleased to announce Azure Security Benchmark v2 (https://docs.microsoft.com/en-us/azure/security/benchmarks/overview). To accelerate the security of your cloud adoption journey, Microsoft has developed the Azure Security Benchmark (ASB). The benchmark is designed to provide clarity on security best practices and controls for configuring and operating Azure and Azure services.

ASB v2 builds on the work of ASB v1 and includes these updates:

  • Mapping to NIST SP 800-53 controls (https://nvd.nist.gov/800-53), in addition to the existing mapping to the CIS Controls (https://www.cisecurity.org/controls/)
  • Mapping of security stakeholders to benchmark recommendations
  • Expansion and restructuring of controls to make them clear and actionable
  • Integration of Azure Security Compass guidance (https://docs.microsoft.com/en-us/security/compass/compass)

Vision for Azure security guidance

We have learned that securing Azure means different things to different roles in the organization, and we have built a system of integrated security guidance. Each of these is aligned with the others to simplify your security journey:

  • Security Compass (https://docs.microsoft.com/en-us/security/compass/microsoft-security-compass-introduction) – Recommendations for securing all assets in your enterprise, typically integrated into security architectures and strategies.
  • Workload assessment (https://docs.microsoft.com/en-us/assessments/?mode=pre-assessment&session=local) – Guidance for workload owners to architect workloads that meet goals for security, performance, cost, and more.
  • Cloud Adoption Framework (CAF) (https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/strategy/define-security-strategy) – Guidance for cloud adoption initiatives to plan and execute a strategy that meets organizational goals for security, cost management, reliability, and more (includes the landing zone reference implementation and automation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/).
  • Azure Security Benchmark (https://aka.ms/benchmarkdocs) – Prescriptive best practices and controls to guide all roles in the security organization on securing Azure and Azure services.

Over the course of the last few months, the teams working on ASB, the Enterprise-Scale Landing Zone in CAF, Azure Security Compass, the Azure Security Top 10 Best Practices, and Microsoft Best Practices have been consolidating and aligning all of this guidance to make it simpler for you to rapidly secure your Azure resources.

As with all our guidance, we would love to hear your feedback on how this is working for you and how we can improve it. You can reach us by email at benchmarkfeedback@microsoft.com (mailto:benchmarkfeedback@microsoft.com?subject=Benchmark%20Feedback).

What’s new in ASB v2?

In addition to mapping and aligning all the guidance together, the team focused on these improvements in ASB v2:

  • Mapped to NIST SP 800-53 controls: NIST SP 800-53 is one of the most widely used control frameworks in the industry, so we updated the ASB controls to map to the NIST controls. You can now use ASB to meet the NIST requirements in Azure and monitor those requirements in the Security Center regulatory compliance dashboard (https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard). The benchmark and its mapping to NIST controls are also available on GitHub (https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Security%20Benchmark/2.0) for easy consumption.
  • Identified security stakeholders: We added security stakeholders to each recommendation to help you bring in the right people in your organization to plan, approve, or implement it. The stakeholders are identified by their security roles (https://aka.ms/securityroles) from the CAF.
  • Updated and restructured the security controls to provide more clarity: We changed the Azure security controls to make them actionable and more effective. A few examples:
    • Updated the controls to provide clear guidance on security outcomes rather than just technical configurations.
    • Created a Governance and Strategy control (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy) to guide your strategic planning and governance strategy for security.
    • Updated the Logging and Threat Detection control (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection) to focus more on the outcome of threat detection rather than just the collection of logs.
    • Added Privileged Access (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access) as a separate control to provide clear recommendations on the critically important discipline of protecting privileged accounts (which can have an outsized business impact if compromised).
    • Added the Posture and Vulnerability Management control (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management) to provide clear guidance on how to monitor and improve your cloud security posture.
    • Identified a number of opportunities to replace legacy security approaches with modern cloud approaches in Network Security (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security), Endpoint Security (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security), Logging and Threat Detection (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection), and more.
    • Updated and added controls to ensure a full lifecycle view across all controls, including Data Protection (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection), Asset Management (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-asset-management), Identity Management (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management), and Backup and Recovery (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-backup-recovery).

What’s coming next?

Here is a brief overview of upcoming features:

  • Monitoring of ASB v2 recommendations: Today, you can use the Azure Security Center regulatory compliance dashboard (https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard) to monitor the status of your live Azure environment against all the Azure Security Benchmark controls. In the coming weeks, Security Center will be fully integrated with ASB v2, automatically monitoring your environment by default with policies that implement the complete ASB v2 control set.
  • Implementing the benchmark recommendations: In the coming weeks, we will publish the ASB v2 blueprint, which will help you implement and enforce the benchmark requirements. Today you can get a head start by using the Enterprise-Scale Landing Zone implementation (https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/implementation) to implement the benchmark recommendations.
  • Security baselines based on ASB v2: So far, we have published Azure security baselines (https://docs.microsoft.com/en-us/azure/security/benchmarks/security-baselines-overview) based on ASB v1. These baselines provide per-service guidance on how you can meet the benchmark requirements for a specific service, and Azure customers use them today as part of their cloud service assessment process. In the coming months, we will update these baselines and add more service baselines based on the ASB v2 recommendations.
  • Control framework targeted next: After the CIS v7.1 and NIST SP 800-53 control mappings, we are working on adding a mapping to the PCI DSS control requirements in the coming months. This will help you meet PCI DSS control requirements using the Azure Security Benchmark.

Call to Action

You can get started now with planning and implementing the Azure Security Benchmark (https://docs.microsoft.com/azure/security/benchmarks/), automate deployment with the Enterprise-Scale Landing Zone implementation (https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/implementation), and monitor status using the Security Center regulatory compliance dashboard (https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard).

We want to thank the multiple teams within Microsoft, contributors from the Azure community, and NIST for their help with the ASB v2 effort!

If you would like to participate in improving the benchmark or provide feedback, please email us at benchmarkfeedback@microsoft.com. We would love to hear your success stories and your feedback on how to make it better!

Updated Sep 21, 2020
Version 1.0

8 Comments

  • Thanks Ronit Reger!! Also, to avoid the confusion, we will be updating the title of the ASB initiative to reflect the ASB version.

  • Dean_Gross SusanBradleyGeek - The Azure Policy initiative version is an internal version number, and represents updates of policy rules made to the initiative itself. Any time we add or remove policies from the initiative, the convention requires that we increment the 'major version' - this helps customers understand why their compliance results have changed for that initiative.

    We are continuously making updates to the initiative, as policies get updated and as they become available. Therefore, there isn't any correlation between the initiative version and the ASB version.

    Hope that clarifies!

    Dean_Gross
    Silver Contributor

    When I look at the Azure Security Benchmark in my tenant, I see Version 6.0.0-preview, which does not seem correct. How can I have 6.0 when v2 is just getting announced? Can anyone explain this?