Microsoft’s recently released Azure Security Benchmark v2 allows you to map to the same benchmarks that you use for your on-premises technology. The benchmarks for both CIS Controls v7.1 and NIST SP800-53 r4 Security and Privacy Controls for Federal Information Systems and Organizations will soon be aligned with the Azure security benchmarks. This will provide a consolidated view of Microsoft’s Azure security recommendations.
Reviewing the Azure benchmarks and frameworks will give you a clearer picture of your Azure security posture. I urge you to look these over even if you are not in a regulated industry. These best practices can go a long way to keeping you secure.
What Azure Security Benchmark v2 includes
Network security: This covers controls to secure and protect Azure networks: securing virtual networks and private connections, preventing and mitigating external attacks, and securing DNS. It is the closest analogue to the physical and network-hardware security of a typical on-premises network.
Identity management: The new security edge in the cloud is identity. This includes controls to establish secure identity and access controls using Azure Active Directory (AD). It also covers single sign-on (SSO), strong authentication, managed identities (and service principals) for applications, conditional access, and monitoring for account anomalies.
Privileged access: Protecting your administrators is key to both cloud and on-premises security. This covers controls to protect privileged access to your Azure tenant and resources, including your administrative model, administrative accounts, and privileged access workstations, against deliberate and inadvertent risk.
Data protection: Especially in this new era of work-from-anywhere, data can be stored anywhere. This covers data protection at rest, in transit and through authorized access mechanisms: discovering, classifying, protecting and monitoring sensitive data assets using access control, encryption and logging in Azure.
Asset management: Keeping control of assets ensures security visibility and governance over Azure resources, including recommendations on permissions for security personnel, security access to the asset inventory, and managing approvals for services and resources (inventory, track and correct).
Logging and threat detection: Logging is often overlooked, on-premises and in the cloud alike. In Azure this covers enabling, collecting and storing audit logs for Azure services, the detection, investigation and remediation processes built on those logs, and controls for generating high-quality alerts from the native threat detection in Azure services. Azure Sentinel (Microsoft's cloud-native SIEM), time synchronization and log retention are key elements.
Incident response: The incident response life cycle (preparation, detection and analysis, containment, and post-incident activities) is often overlooked in the zeal to get the business back online. This section covers using Azure Security Center and Sentinel to automate the incident response process.
Posture and vulnerability management: Continuous monitoring, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction across Azure resources, is key to keeping cloud resources secure.
Endpoint security: This covers endpoint detection and response (EDR) and anti-malware services for endpoints in Azure environments.
Backup and recovery: This includes controls to ensure that data and configuration backups at the different service tiers are performed, validated and protected.
Governance and strategy: This includes a strategy for policies and standards such as establishing roles and responsibilities for the different cloud security functions, unified technical strategy and supporting policies and standards.
In the coming months, PCI DSS control requirements will be included in the Azure security benchmarks mapping.
How to use Azure Security Benchmark v2
To start reviewing the benchmarks, download the Excel spreadsheet that shows the mapping to the NIST controls. Azure Security Center currently uses v1 of the benchmark as the default standard in its regulatory compliance dashboard; the new v2 benchmark will become the default soon.
Reviewing the benchmark mapping controls
Azure CIS 1.1.0 is also shown by default. Viewing the regulatory compliance dashboard requires an Azure Defender license (the standard tier). To add further standards, open Azure Security Center and select "Regulatory Compliance", then click "Manage compliance policies". Choose your Azure subscription and click "Add more standards". From here you can add standards such as NIST SP800-53 r4, Security and Privacy Controls for Federal Information Systems and Organizations.
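The same step can be scripted. The PowerShell below is an added example, not code from the original article or from Microsoft: it assigns the built-in NIST SP 800-53 R4 policy initiative to a subscription with the Az modules, which is what Security Center does behind "Add more standards", and the standard then appears in the regulatory compliance dashboard. The subscription ID, the region for the assignment's managed identity, the display-name wildcard used to find the initiative, and the Az.Resources version (one that still accepts -AssignIdentity; newer versions use -IdentityType SystemAssigned) are all assumptions.

```powershell
# Added example (not from the original article): assign the built-in NIST SP 800-53 R4
# initiative to a subscription so it shows in the Security Center compliance dashboard.
# Assumptions: Az.Accounts and Az.Resources loaded, Owner on the subscription, and an
# initiative display name that starts with "NIST SP 800-53" and contains "4".
$subscriptionId = '<subscription-id>'   # placeholder
$identityRegion = 'eastus'              # assumed region for the assignment's managed identity
$scope          = "/subscriptions/$subscriptionId"

Set-AzContext -Subscription $subscriptionId | Out-Null

# Look the initiative up by display name rather than hard-coding a GUID, and refuse to
# continue unless exactly one built-in definition matches.
$initiative = @(Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -like 'NIST SP 800-53*4*' })
if ($initiative.Count -ne 1) {
    throw "Expected one NIST SP 800-53 R4 initiative, found $($initiative.Count)."
}
$initiative = $initiative[0]

# Idempotent: do nothing if the initiative is already assigned at (or above) this scope.
$existing = Get-AzPolicyAssignment -Scope $scope |
    Where-Object { $_.Properties.PolicyDefinitionId -eq $initiative.PolicySetDefinitionId }
if ($existing) {
    Write-Output "Already assigned as '$($existing.Name)' at $($existing.Properties.Scope)"
    return
}

# Several policies in the initiative are deployIfNotExists/modify, so the assignment needs
# a managed identity, and that identity needs a role before remediation can work. The
# portal grants the role automatically; from PowerShell you must do it yourself.
$assignment = New-AzPolicyAssignment -Name 'nist-sp-800-53-r4' `
    -DisplayName $initiative.Properties.DisplayName `
    -PolicySetDefinition $initiative `
    -Scope $scope `
    -AssignIdentity -Location $identityRegion

# The new identity can take a moment to replicate, so retry the role assignment.
$granted = $false
for ($i = 0; $i -lt 6 -and -not $granted; $i++) {
    try {
        New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
            -RoleDefinitionName 'Contributor' -Scope $scope -ErrorAction Stop | Out-Null
        $granted = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $granted) {
    throw 'Could not grant Contributor to the assignment identity; remediation tasks will fail.'
}
Write-Output "Assigned '$($assignment.Properties.DisplayName)' at $scope"
```

Contributor is a broad choice made here for simplicity; the roleDefinitionIds declared inside the initiative's policies tell you the minimum the identity actually needs, and the "Privileged access" controls above argue for granting only that.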
Microsoft provides "landing zone" templates that implement the benchmarks easily and dependably. You can review a template on GitHub before deploying it to your Azure environment.
To start, ensure you have the necessary rights in your Azure tenant before deploying templates; you may need PowerShell or Azure Cloud Shell to check what rights you have. Open Azure AD. Under "Manage", select "Properties". Under "Access management for Azure resources", set the toggle to "Yes"; this elevates the Global Administrator to User Access Administrator at the tenant root scope ("/"). Then, in Azure Cloud Shell, grant the deploying admin user access at the root scope:
# Sign in (not needed inside Azure Cloud Shell, which is already authenticated)
Connect-AzAccount
# Get the object ID of the user who will run the deployment (quote the UPN so "<" and ">" are not parsed as redirection)
$user = Get-AzADUser -UserPrincipalName '<user>@<azuredomain>'
# Assign the Owner role at the tenant root scope ("/"); this only succeeds if the signed-in Global Administrator was elevated to User Access Administrator by the toggle above
New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
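The two lines above assume the elevation already worked. The script below is an added example, not code from the original article or from Microsoft: it checks the rights the signed-in account actually holds at the root scope before attempting the assignment, reports them, and grants Owner only if the deploying user does not already have it. It assumes Az.Accounts and Az.Resources are loaded and that the session is a user login (so Get-AzContext returns a UPN rather than a service principal's app ID); the UPN placeholder is yours to fill in.

```powershell
# Added example (not from the original article): confirm the signed-in account was
# elevated by the toggle, then grant Owner at "/" only if it is missing.
# Assumptions: Az.Accounts and Az.Resources loaded; user (not service principal) session.
$deployUpn = '<user>@<azuredomain>'          # placeholder: the admin who will deploy the landing zone
$callerUpn = (Get-AzContext).Account.Id      # the account running this script

function Get-RootScopeRoles {
    param([string]$SignInName)
    # Only assignments made directly at "/" count; anything narrower does not cover every
    # management group and subscription the landing zone template will create.
    @(Get-AzRoleAssignment -SignInName $SignInName -Scope '/' |
        Where-Object { $_.Scope -eq '/' } |
        Select-Object -ExpandProperty RoleDefinitionName)
}

$callerRoles = Get-RootScopeRoles -SignInName $callerUpn
Write-Output "Root-scope roles for ${callerUpn}: $(if ($callerRoles) { $callerRoles -join ', ' } else { '(none)' })"

if (-not ($callerRoles -contains 'User Access Administrator' -or $callerRoles -contains 'Owner')) {
    # New-AzRoleAssignment at "/" would fail here with AuthorizationFailed
    throw 'Not elevated: set "Access management for Azure resources" to Yes in Azure AD, sign out and back in, then retry.'
}

$user = Get-AzADUser -UserPrincipalName $deployUpn
if (-not $user) { throw "User $deployUpn not found in Azure AD." }

$userRoles = Get-RootScopeRoles -SignInName $deployUpn
if ($userRoles -contains 'Owner') {
    Write-Output "$deployUpn already holds Owner at '/'; nothing to do."
} else {
    New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id | Out-Null
    Write-Output "Granted Owner at '/' to $deployUpn."
}
```

Once the landing zone is deployed, remove the root-scope Owner assignment again (Remove-AzRoleAssignment with the same -Scope, -RoleDefinitionName and -ObjectId) and set the toggle back to "No". A standing Owner at "/" is exactly the kind of privileged access the benchmark's "Privileged access" section tells you to minimize.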
Once you have the proper permissions, deploy the template to your subscription: on the framework page, click "Deploy to Azure". The portal opens the "Deployment" tab. Select the correct tenant and the region in which to deploy resources.
Next, assign a management group prefix; this value must be one to five characters. In the next section, "Platform management, security and governance", select the defaults you wish to deploy. The selections include enabling a Log Analytics workspace with 30-day retention. You can choose to deploy solutions for agent health, change tracking, update management, activity log, VM insights, antimalware, service map, and SQL assessment. Then you can choose to deploy Azure Security Center and enable monitoring. You need to choose between the standard and free tiers.
The free tier of Azure Security Center provides continuous assessment, security recommendations and the Azure secure score. The standard tier adds just-in-time VM access, adaptive application controls and network hardening, the regulatory compliance dashboard and reports, threat protection for Azure VMs and non-Azure servers (including server EDR), threat protection for PaaS services, and Microsoft Defender for Endpoint (servers). Review the costs on the Microsoft pricing calculator page.
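The tier is set per resource type, not once per subscription, so a deployment that picked "standard" can still leave some plans on the free tier. The script below is an added example, not code from the original article or from Microsoft: it lists the current tier of every Security Center plan in a subscription, upgrades a chosen set to Standard, and reports anything still on Free so the gap is visible. It assumes Az.Security is installed, the caller has Security Admin or Owner on the subscription, and that the plan names in the list exist in your tenant (Get-AzSecurityPricing shows the ones available to you).

```powershell
# Added example (not from the original article): audit and upgrade Security Center
# pricing tiers for one subscription.
# Assumptions: Az.Accounts and Az.Security loaded; Security Admin or Owner on the
# subscription; the plan names below are the ones available when this was written.
$subscriptionId = '<subscription-id>'   # placeholder
Set-AzContext -Subscription $subscriptionId | Out-Null

# Plans to move to Standard (Azure Defender). Adjust to what you actually pay for.
$wanted = @('VirtualMachines', 'SqlServers', 'AppServices', 'StorageAccounts', 'KeyVaults')

$before = Get-AzSecurityPricing
Write-Output 'Current tiers:'
$before | ForEach-Object { Write-Output ('  {0,-25} {1}' -f $_.Name, $_.PricingTier) }

# Upgrade only the wanted plans that are not already Standard (idempotent on re-run).
$toUpgrade = $before | Where-Object { $wanted -contains $_.Name -and $_.PricingTier -ne 'Standard' }
foreach ($plan in $toUpgrade) {
    Set-AzSecurityPricing -Name $plan.Name -PricingTier 'Standard' | Out-Null
    Write-Output "Upgraded $($plan.Name): $($plan.PricingTier) -> Standard"
}

# Re-read rather than trusting the local list, and show what is still on Free.
$stillFree = @(Get-AzSecurityPricing | Where-Object { $_.PricingTier -eq 'Free' } |
    Select-Object -ExpandProperty Name)
if ($stillFree) {
    Write-Output ('Still on Free tier: ' + ($stillFree -join ', '))
} else {
    Write-Output 'All plans are on Standard.'
}
```

Keep the regulatory compliance dashboard in mind when reviewing the output: it is a standard-tier feature, so a subscription with every plan on Free will not show the benchmark mapping at all.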