Microsoft Defender for Cloud Blog

How Microsoft cloud security benchmark (MCSB) helps you succeed in your cloud security journey

JimCheng, Microsoft
Dec 05, 2022

We hear your challenges in keeping up with security innovation:

Organizations often find it challenging to keep up with security for all the new services and features that cloud providers release. While this rapid innovation offers flexibility and can greatly accelerate value for organizations and their customers, securing an organization at the speed of innovation is difficult.


In today's rapidly evolving cloud security landscape, we often hear from our customers about these common challenges that you too might be facing:

  • How do you understand the security profile of each cloud service, and which configurations and recommendations are critical to protect your cloud workloads from potential attackers?
  • How do you keep up and make sure that your cloud deployments are secure?
  • How do security practices for cloud systems differ from on-premises systems, and between cloud service providers?
  • How do you manage multiple compliance standards from different sources?
  • How do you monitor your workloads for consistency across multiple cloud platforms?

In short, security professionals like you, who are busy defending, configuring and managing, need guidance: guidance that helps you secure your organization quickly.

Cloud Security Benchmarks can help:

Microsoft and our customers have found that using security benchmarks can help prioritize and navigate secure cloud deployments. That's why we created the Microsoft cloud security benchmark, which provides a best practice framework you can use as a:

  • Starting point for selecting specific security configuration settings in your cloud environment
  • Comparison for existing security standards and configurations

Microsoft cloud security benchmark provides guidance across multiple cloud service providers and allows you to monitor these configurations from a single pane of glass (the Microsoft Defender for Cloud Compliance Dashboard, free tier). The MCSB also includes baselines for Azure services that show how to apply the benchmark to each service; this accelerates securing each service and approving its use to support innovation. Microsoft publishes this guidance for free, integrates it into Defender for Cloud, and uses the benchmark internally to secure our own infrastructure.


Microsoft's vision of clear and concrete guidance for us and our customers to meet security and compliance requirements started when we launched our first security benchmark product for the Azure platform, Azure Security Benchmark v1, in December 2019. In the following years we continuously enhanced the Azure Security Benchmark (ASB), releasing ASB version 2 in 2020 and version 3 in 2021. In October 2022, in response to customer needs, we released our first multi-cloud security benchmark: Microsoft cloud security benchmark (MCSB) v1. MCSB is the successor of ASB v3 and adds a set of security best practices for Amazon Web Services (AWS) to the existing Azure guidance.


The Microsoft Cloud Security Benchmark framework:

The Microsoft cloud security benchmark program includes three pillars: Publish, Standardize and Automate.

Publish:

  • Internal and external reference: We define and publish the benchmark, focused primarily on cloud-centric control areas, with input from a set of holistic industry and Microsoft security guidance such as the Center for Internet Security (CIS) Controls, the National Institute of Standards and Technology (NIST), the Payment Card Industry Data Security Standard (PCI-DSS), the Microsoft Cloud Adoption Framework, the Azure Well-Architected Framework, and the Amazon Web Services (AWS) Well-Architected Framework.

Our security benchmark product includes these main deliverables:

  • Security controls: These recommendations are generally applicable across your cloud workloads. Each recommendation identifies the stakeholders typically involved in planning, approving, or implementing it.
  • Service baselines: Following the security control definitions, the service baselines apply the controls to individual cloud services and give recommendations for that specific service's security configuration. Service baselines are currently available only for Azure.
  • Internal and external community: We also work closely with Microsoft internal communities, such as product subject-matter experts from other product lines and Microsoft security operations teams, and with external communities, such as the Center for Internet Security (CIS) and our partners, to ensure their feedback is reflected in the benchmark.

Standardize:

  • Security gating: Using the Microsoft cloud security benchmark, we also build a set of feature KPIs internally for Azure product lines to ensure that when an Azure service offering is designed and built, key security features are in scope and available to customers at launch. These KPIs cover security features such as data-related services supporting data-at-rest encryption with customer-managed keys, services supporting Azure Private Link for secure network access, and so on.

Automate:

  • To automate the monitoring and enforcement of the controls defined in the benchmark, you can use the Microsoft Defender for Cloud Regulatory Compliance Dashboard to monitor controls in the ASB or MCSB scope for resource types in both Azure and AWS. Close to 400 configuration checks are currently available for Azure and AWS, and we are continuously adding new checks.


How your security journey will look with our security benchmark:

As you apply the Microsoft cloud security benchmark (MCSB) framework, you can expect a typical cloud security journey to unfold in three stages: 1) control mapping and assessment, 2) control implementation, and 3) control monitoring.


1. Control mapping and assessment:

Control mapping and assessment usually happens when you are new to Azure (or another major cloud platform, such as AWS) in general, or to a particular Azure offering. Our security benchmark can help you in the following areas:

  • Mapping your control requirements to our benchmark to meet your compliance requirements, especially in highly regulated industries such as government, finance, and healthcare, where you may need to show that your Azure (and other cloud) implementation meets the security specifications defined in frameworks such as CIS, NIST, or PCI. MCSB provides an efficient approach because its controls are already pre-mapped to these industry benchmarks.
  • Looking for security best practices to ensure a secure deployment of cloud services and of your own application workloads.
  • Evaluating the security features and capabilities of Azure (and other major cloud platforms, such as AWS) before onboarding or approving a service into your cloud service catalog.

2. Control implementation:

Control implementation happens after mapping and assessment, once you have determined the control details you need to implement in your cloud environment. While moving to the actual security configuration, our security benchmark can help you in the following areas:

  • Using the security controls and service baselines to identify the security configurations required.
  • Using Azure Policy to audit and enforce the in-scope configurations, establishing a security guardrail at both the tenant level and the workload level. This can be implemented with Azure landing zone tooling, native tooling, or third-party tooling.
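As an added illustration of the audit-and-enforce step (this is a constructed example, not code from the original post and not one of Microsoft's built-in policy definitions), here is a custom Azure Policy definition that checks one commonly recommended storage configuration, HTTPS-only transfer, and lets each assignment choose between Audit, Deny and Disabled. The property alias `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` and the `allOf`/`anyOf`/`exists` rule syntax are standard Azure Policy; the display name, description, metadata note and the `effect` parameter name are my own choices, and JSON has no comments, so the provenance is recorded in the description and metadata fields instead.

```json
{
  "properties": {
    "displayName": "Audit or deny storage accounts that allow non-HTTPS traffic (constructed example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Constructed example, not a Microsoft built-in policy: flags storage accounts where supportsHttpsTrafficOnly is missing or false. Assign with effect=Audit first to measure drift, then switch to Deny as a guardrail.",
    "metadata": {
      "category": "Storage",
      "note": "Illustration for the control-implementation stage; the alias is real, the names are hypothetical"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit records non-compliance, Deny blocks the deployment, Disabled turns the policy off."
        },
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "exists": "false"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning the definition at a management group gives the tenant-level guardrail the post describes; assigning it at a subscription or resource group gives the workload-level one. With Azure CLI, `az policy definition create` takes the `policyRule` and `parameters` objects (its `--rules` and `--params` arguments) and `az policy assignment create` binds the definition to a scope. Starting with `Audit` surfaces the resources that are already non-compliant in the compliance view before `Deny` is switched on, so a guardrail can be tightened without breaking in-flight deployments; the `exists: false` clause matters because a resource that never set the property is just as exposed as one that set it to false.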

3. Control monitoring:

Continuous monitoring of your security configurations is the final step: it ensures that your cloud security stays within the defined guardrails and that any configuration drift is detected and alerted on. Our security benchmark can help you to:

  • Monitor the controls defined in the Azure Security Benchmark / Microsoft cloud security benchmark in the Microsoft Defender for Cloud Regulatory Compliance Dashboard, which is enabled by default and without charge for all Azure customers. You can also monitor your AWS security posture in the same unified dashboard.

The Microsoft cloud security benchmark is not just guidance that we give to customers; it is also a standard that we hold ourselves to, so that our products and services are secure from the start.


Feedback and contribution:

We welcome your detailed feedback and active participation in the Microsoft cloud security benchmark effort. If you have any questions or would like to provide direct input, please email us at benchmarkfeedback@microsoft.com.

Updated Dec 05, 2022
Version 1.0