
MCSB_v1 - Governance and Strategy

Each control below lists: ID, Control Domain, CIS Controls v7.1 ID(s), CIS Controls v8 ID(s), NIST SP 800-53 r4 ID(s), PCI-DSS v3.2.1 ID(s), Recommendation, Security Principle, General Guidance, Implementation and additional context, and Customer Security Stakeholders.
GS-1: Align organization roles, responsibilities and accountabilities
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): 17.2 - Deliver Training to Fill the Skills Gap
CIS Controls v8 ID(s): 14.9 - Conduct Role-Specific Security Awareness and Skills Training
NIST SP 800-53 r4 ID(s): PL-9: CENTRAL MANAGEMENT; PM-10: SECURITY AUTHORIZATION PROCESS; PM-13: INFORMATION SECURITY WORKFORCE; AT-1: SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES; AT-3: ROLE-BASED SECURITY TRAINING
PCI-DSS v3.2.1 ID(s): 12.4
Security Principle: N/A
General Guidance: Ensure that you define and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educating technical teams on the technology used to secure the cloud.
Implementation and additional context:
- Azure Security Best Practice 1 – People: Educate Teams on Cloud Security Journey: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#1-people-educate-teams-about-the-cloud-security-journey
- Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#2-people-educate-teams-on-cloud-security-technology
- Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

GS-2: Define and implement enterprise segmentation/separation of duties strategy
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): 2.10 - Physically or Logically Segregate High Risk Applications; 14.1 - Segment the Network Based on Sensitivity
CIS Controls v8 ID(s): 3.12 - Segment Data Processing and Storage Based on Sensitivity
NIST SP 800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SC-7: BOUNDARY PROTECTION; SC-2: APPLICATION PARTITIONING
PCI-DSS v3.2.1 ID(s): 1.2, 6.4
Security Principle: N/A
General Guidance: Establish an enterprise-wide strategy to segment access to assets using a combination of identity, network, application, subscription, management group, and other controls. Carefully balance the need for security separation with the need to enable daily operation of the systems that must communicate with each other and access data. Ensure that the segmentation strategy is implemented consistently in the workload, including network security, identity and access models, application permission/access models, and human process controls.
Implementation and additional context:
- Security in the Microsoft Cloud Adoption Framework for Azure - Segmentation: Separate to protect: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/access-control#segmentation-separate-to-protect
- Security in the Microsoft Cloud Adoption Framework for Azure - Architecture: establish a single unified security strategy: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#11-architecture-establish-a-single-unified-security-strategy
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

GS-3: Define and implement data protection strategy
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): 14.1 - Segment the Network Based on Sensitivity
CIS Controls v8 ID(s): 3.1 - Establish and Maintain a Data Management Process; 3.7 - Establish and Maintain a Data Classification Scheme; 3.12 - Segment Data Processing and Storage Based on Sensitivity
NIST SP 800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SI-4: INFORMATION SYSTEM MONITORING; SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY; SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT; SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES; SC-28: PROTECTION OF INFORMATION AT REST; RA-2: SECURITY CATEGORIZATION
PCI-DSS v3.2.1 ID(s): 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 4.1, A3.2
Security Principle: N/A
General Guidance: Establish an enterprise-wide strategy for data protection in your cloud environment:
- Define and apply the data classification and protection standard in accordance with the enterprise data management standard and regulatory compliance requirements, so that it dictates the security controls required for each level of the data classification.
- Set up your cloud resource management hierarchy aligned to the enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business-critical data and systems.
- Define and apply the applicable zero-trust principles in your cloud environment to avoid implementing trust based on network location within a perimeter. Instead, use device and user trust claims to gate access to data and resources.
- Track and minimize the sensitive data footprint (storage, transmission, and processing) across the enterprise to reduce the attack surface and data protection cost. Consider techniques such as one-way hashing, truncation, and tokenization in the workload where possible, to avoid storing and transmitting sensitive data in its original form.
- Ensure you have a full lifecycle control strategy to provide security assurance of the data and access keys.
Implementation and additional context:
- Azure Security Benchmark - Data Protection: https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-data-protection
- Cloud Adoption Framework - Azure data security and encryption best practices: https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices
- Azure Security Fundamentals - Azure Data security, encryption, and storage: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

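The three footprint-reduction techniques named in GS-3 (one-way hashing, truncation, tokenization) behave very differently against an attacker who obtains the stored form. The following is an added example, not part of the benchmark or any Microsoft code: it shows PCI-style truncation of a card number, why an unkeyed hash of a low-entropy identifier is recoverable by brute force, the keyed (HMAC) pseudonym that fixes that while remaining usable as a join key, and a minimal token vault. The card number and customer ID are constructed test values, and the in-memory dictionary stands in for a real vault service; in production the HMAC key belongs in a KMS/HSM (the SC-12 key-management control listed above), never beside the data.

```python
"""Reducing the sensitive-data footprint: truncation, keyed hashing, tokenization.

Added example; not part of the Microsoft Cloud Security Benchmark. All sample
values are constructed test data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SAMPLE_PAN = "4111111111111111"   # constructed test card number, not a real account
SAMPLE_CUSTOMER_ID = "04217"      # constructed 5-digit identifier


def truncate_pan(pan: str) -> str:
    """PCI-style truncation: keep at most the first six and last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a PAN-length value")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: deterministic, but no protection for low-entropy inputs."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Still deterministic, so it works as a lookup or
    join key, but it cannot be brute-forced without the key. Keep the key in a
    KMS/HSM, not next to the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def recover_from_plain_hash(target_hex: str, digits: int) -> Optional[str]:
    """Brute-force an unkeyed hash of a zero-padded numeric identifier.
    Five digits take a fraction of a second; a card number is larger only by
    a constant factor once the issuer prefix and Luhn check digit are known."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if plain_hash(candidate) == target_hex:
            return candidate
    return None


class TokenVault:
    """Tokenization: the only copy of the raw value lives in the vault; every
    other system stores a random token that reveals nothing on its own.
    An in-memory dict stands in for the real vault service here."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:          # same input, same token
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)     # random, not derived from the value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_value.get(token)


def minimize_record(record: Dict[str, str], pseudonym_key: bytes,
                    vault: TokenVault) -> Dict[str, str]:
    """Rewrite a record so the raw PAN is never stored or transmitted: a masked
    form for display, a token for anything that must reference the card, and a
    keyed pseudonym for analytics joins."""
    pan = record["pan"]
    out = {k: v for k, v in record.items() if k != "pan"}
    out["pan_masked"] = truncate_pan(pan)
    out["pan_token"] = vault.tokenize(pan)
    out["pan_pseudonym"] = keyed_hash(pan, pseudonym_key)
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    vault = TokenVault()
    print(minimize_record({"customer": "c-1", "pan": SAMPLE_PAN}, key, vault))
    print("plain hash reversed:",
          recover_from_plain_hash(plain_hash(SAMPLE_CUSTOMER_ID), 5))
```

The brute-force function is the check a practitioner should run before accepting "we hash it" as a data-protection control: if the input space is enumerable, an unkeyed hash is a lookup table waiting to be built. The keyed pseudonym keeps the analytics use case (equality joins across datasets) without that weakness, and the token is the right form for any system that only needs to refer to the card, since revoking or rotating it never touches the data itself.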
GS-4: Define and implement network security strategy
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): 12.1 - Maintain an Inventory of Network Boundaries
CIS Controls v8 ID(s): 12.2 - Establish and Maintain a Secure Network Infrastructure; 12.4 - Establish and Maintain Architecture Diagram(s)
NIST SP 800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; AC-17: REMOTE ACCESS; CA-3: SYSTEM INTERCONNECTIONS; CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES; CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; CM-7: LEAST FUNCTIONALITY; SC-1: SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES; SC-2: APPLICATION PARTITIONING; SC-5: DENIAL OF SERVICE PROTECTION; SC-7: BOUNDARY PROTECTION; SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE); SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER); SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3, 1.5, 4.1, 6.6, 11.4, A2.1, A2.2, A2.3, A3.2
Security Principle: N/A
General Guidance: Establish a cloud network security strategy as part of your organization's overall security strategy for access control. This strategy should include documented guidance, policy, and standards for the following elements:
- A centralized/decentralized network management and security responsibility model for deploying and maintaining network resources.
- A virtual network segmentation model aligned with the enterprise segmentation strategy.
- An Internet edge and ingress and egress strategy.
- A hybrid cloud and on-premises interconnectivity strategy.
- A network monitoring and logging strategy.
- Up-to-date network security artifacts (such as network diagrams and a reference network architecture).
Implementation and additional context:
- Azure Security Best Practice 11 - Architecture. Single unified security strategy: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy
- Azure Security Benchmark - Network Security: https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security
- Azure network security overview: https://docs.microsoft.com/azure/security/fundamentals/network-overview
- Enterprise network architecture strategy: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

GS-5: Define and implement security posture management strategy
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): 5.1 - Establish Secure Configurations
CIS Controls v8 ID(s): 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure
NIST SP 800-53 r4 ID(s): CA-1: SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES; CA-8: PENETRATION TESTING; CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES; CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; RA-1: RISK ASSESSMENT POLICY AND PROCEDURES; RA-3: RISK ASSESSMENT; RA-5: VULNERABILITY SCANNING; SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES; SI-2: FLAW REMEDIATION; SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 2.2, 6.1, 6.2, 6.5, 6.6, 11.2, 11.3, 11.5
Security Principle: N/A
General Guidance: Establish a policy, procedure and standard to ensure that security configuration management and vulnerability management are part of your cloud security mandate.
Security configuration management in the cloud should include the following areas:
- Define the secure configuration baselines for different resource types in the cloud, such as the web portal/console, the management and control plane, and resources running in IaaS, PaaS and SaaS services.
- Ensure the security baselines address the risks in different control areas such as network security, identity management, privileged access, data protection and so on.
- Use tools to continuously measure, audit, and enforce the configuration to prevent it from deviating from the baseline.
- Develop a cadence to stay updated with security features, for instance by subscribing to the service updates.
- Utilize a security health or compliance check mechanism (such as Secure Score or the Compliance Dashboard in Microsoft Defender for Cloud) to regularly review security configuration posture and remediate the gaps identified.
Vulnerability management in the cloud should include the following security aspects:
- Regularly assess and remediate vulnerabilities in all cloud resource types, such as cloud native services, operating systems, and application components.
- Use a risk-based approach to prioritize assessment and remediation.
- Subscribe to the relevant CSPM's security advisory notices and blogs to receive the latest security updates.
- Ensure the vulnerability assessment and remediation (schedule, scope, and techniques) meet the regulatory compliance requirements for your organization.
Implementation and additional context:
- Azure Security Benchmark - Posture and vulnerability management: https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-posture-vulnerability-management
- Azure Security Best Practice 9 - Establish security posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#5-process-establish-security-posture-management
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

GS-6: Define and implement identity and privileged access strategy
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): 4.5 - Use Multifactor Authentication For All Administrative Access; 16.2 - Configure Centralized Point of Authentication
CIS Controls v8 ID(s): 5.6 - Centralize Account Management; 6.5 - Require MFA for Administrative Access; 6.7 - Centralize Access Control
NIST SP 800-53 r4 ID(s): AC-1: ACCESS CONTROL POLICY AND PROCEDURES; AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-4: INFORMATION FLOW ENFORCEMENT; AC-5: SEPARATION OF DUTIES; AC-6: LEAST PRIVILEGE; IA-1: IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-4: IDENTIFIER MANAGEMENT; IA-5: AUTHENTICATOR MANAGEMENT; IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS); IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 7.3, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, A3.4
Security Principle: N/A
General Guidance: Establish a cloud identity and privileged access approach as part of your organization's overall security access control strategy. This strategy should include documented guidance, policy, and standards for the following aspects:
- A centralized identity and authentication system (such as Azure AD) and its interconnectivity with other internal and external identity systems.
- Privileged identity and access governance (such as access request, review and approval).
- Privileged accounts for emergency (break-glass) situations.
- Strong authentication methods (passwordless authentication and multifactor authentication) for different use cases and conditions.
- Secure access for administrative operations through the web portal/console, command line and API.
For exception cases where an enterprise system isn't used, ensure adequate security controls are in place for identity, authentication and access management, and that they are governed. These exceptions should be approved and periodically reviewed by the enterprise team. Typical exception cases include:
- Use of a non-enterprise designated identity and authentication system, such as cloud-based third-party systems (which may introduce unknown risks).
- Privileged users authenticated locally and/or using non-strong authentication methods.
Implementation and additional context:
- Azure Security Benchmark - Identity management: https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-identity-management
- Azure Security Benchmark - Privileged access: https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-privileged-access
- Azure Security Best Practice 11 - Architecture. Single unified security strategy: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy
- Azure identity management security overview: https://docs.microsoft.com/azure/security/fundamentals/identity-management-overview
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

GS-7: Define and implement logging, threat detection and incident response strategy
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): 6.2 - Activate audit logging; 6.3 - Enable Detailed Logging; 6.6 - Deploy SIEM or Log Analytic tool; 6.7 - Regularly Review Logs; 19.1 - Document Incident Response Procedures; 19.5 - Maintain Contact Information For Reporting Security Incidents; 19.7 - Conduct Periodic Incident Scenario Sessions for Personnel
CIS Controls v8 ID(s): 8.1 - Establish and Maintain an Audit Log Management Process; 13.1 - Centralize Security Event Alerting; 17.2 - Establish and Maintain Contact Information for Reporting Security Incidents; 17.4 - Establish and Maintain an Incident Response Process; 17.7 - Conduct Routine Incident Response Exercises
NIST SP 800-53 r4 ID(s): AU-1: AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES; IR-1: INCIDENT RESPONSE POLICY AND PROCEDURES; IR-2: INCIDENT RESPONSE TRAINING; IR-10: INTEGRATED INFORMATION SECURITY ANALYSIS TEAM; SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES; SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
PCI-DSS v3.2.1 ID(s): 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 12.10, A3.5
Security Principle: N/A
General Guidance: Establish a logging, threat detection and incident response strategy to rapidly detect and remediate threats and meet compliance requirements. The security operations (SecOps / SOC) team should prioritize high-quality alerts and seamless experiences so that it can focus on threats rather than on log integration and manual steps.
This strategy should include documented policy, procedure and standards for the following aspects:
- The security operations (SecOps) organization's roles and responsibilities.
- A well-defined and regularly tested incident response plan and handling process aligned with NIST SP 800-61 (Computer Security Incident Handling Guide) or other industry frameworks.
- A communication and notification plan for your customers, suppliers, and public parties of interest.
- Simulation of both expected and unexpected security events within your cloud environment to understand the effectiveness of your preparation. Iterate on the outcome of your simulations to improve the scale of your response posture, reduce time to value, and further reduce risk.
- A preference for extended detection and response (XDR) capabilities, such as those in Azure Defender, to detect threats across the various areas.
- Use of cloud native capabilities (e.g., Microsoft Defender for Cloud) and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication.
- The necessary runbooks, both manual and automated, to ensure reliable and consistent responses.
- Key scenarios (such as threat detection, incident response, and compliance), with log capture and retention set up to meet the scenario requirements.
- Centralized visibility of, and correlation of information about, threats, using SIEM, native cloud threat detection capability, and other sources.
- Post-incident activities, such as lessons learned and evidence retention.
Implementation and additional context:
- Azure Security Benchmark - Logging and threat detection: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-logging-threat-detection
- Azure Security Benchmark - Incident response: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-incident-response
- Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud: https://aka.ms/AzSec4
- Azure Adoption Framework, logging, and reporting decision guide: https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/
- Azure enterprise scale, management, and monitoring: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
- NIST SP 800-61 Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

GS-8: Define and implement backup and recovery strategy
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): 10.1 - Ensure Regular Automated Backups
CIS Controls v8 ID(s): 11.1 - Establish and Maintain a Data Recovery Process
NIST SP 800-53 r4 ID(s): CP-1: CONTINGENCY PLANNING POLICY AND PROCEDURES; CP-9: INFORMATION SYSTEM BACKUP; CP-10: INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
PCI-DSS v3.2.1 ID(s): 3.4
Security Principle: N/A
General Guidance: Establish a backup and recovery strategy for your organization. This strategy should include documented guidance, policy, and standards for the following aspects:
- Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives and regulatory compliance requirements.
- Redundancy design (including backup, restore and replication) in your applications and infrastructure, both in the cloud and on-premises. Consider regional, region-pair, cross-regional recovery and off-site storage locations as part of your strategy.
- Protection of backups from unauthorized access and tampering using controls such as data access control, encryption and network security.
- Use of backup and recovery to mitigate the risks from emerging threats, such as ransomware attacks, and securing the backup and recovery data itself from these attacks.
- Monitoring of the backup and recovery data and operations for audit and alerting purposes.
Implementation and additional context:
- Azure Security Benchmark - Backup and recovery: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-backup-recovery
- Azure Well-Architected Framework - Backup and disaster recovery for Azure applications: https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery
- Azure Adoption Framework - business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery
- Backup and restore plan to protect against ransomware: https://docs.microsoft.com/azure/security/fundamentals/backup-plan-to-protect-against-ransomware
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

GS-9: Define and implement endpoint security strategy
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): 8.1 - Utilize Centrally Managed Anti-malware Software; 9.4 - Apply Host-Based Firewalls or Port-Filtering
CIS Controls v8 ID(s): 4.4 - Implement and Manage a Firewall on Servers; 10.1 - Deploy and Maintain Anti-Malware Software
NIST SP 800-53 r4 ID(s): SI-2: FLAW REMEDIATION; SI-3: MALICIOUS CODE PROTECTION; SC-3: SECURITY FUNCTION ISOLATION
PCI-DSS v3.2.1 ID(s): 5.1, 5.2, 5.3, 5.4, 11.5
Security Principle: N/A
General Guidance: Establish a cloud endpoint security strategy which includes the following aspects:
- Deploy endpoint detection and response (EDR) and antimalware capability on your endpoints and integrate it with the threat detection and SIEM solution and the security operations process.
- Follow the Microsoft Cloud Security Benchmark to ensure endpoint-related security settings in the other respective areas (such as network security, posture and vulnerability management, identity and privileged access, and logging and threat detection) are also in place, to provide defense-in-depth protection for your endpoints.
- Prioritize endpoint security in your production environment, but ensure that non-production environments (such as the test and build environments used in the DevOps process) are also secured and monitored, as these environments can also be used to introduce malware and vulnerabilities into production.
Implementation and additional context:
- Azure Security Benchmark - Endpoint security: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-endpoint-security
- Best practices for endpoint security on Azure: https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

GS-10: Define and implement DevOps security strategy
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): 5.1 - Establish Secure Configurations; 18.1 - Establish Secure Coding Practices; 18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities
CIS Controls v8 ID(s): 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure; 16.1 - Establish and Maintain a Secure Application Development Process; 16.2 - Establish and Maintain a Process to Accept and Address Software Vulnerabilities
NIST SP 800-53 r4 ID(s): SA-12: SUPPLY CHAIN PROTECTION; SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS; CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES; CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-6: LEAST PRIVILEGE; SA-11: DEVELOPER TESTING AND EVALUATION; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1 ID(s): 2.2, 6.1, 6.2, 6.3, 6.5, 7.1, 10.1, 10.2, 10.3, 10.6, 12.2
Security Principle: N/A
General Guidance: Mandate the security controls as part of the organization's DevOps engineering and operation standard. Define the security objectives, control requirements, and tooling specifications in accordance with the enterprise and cloud security standards in your organization.
Encourage the use of DevOps as an essential operating model in your organization for its benefits in rapidly identifying and remediating vulnerabilities using different types of automation (such as infrastructure-as-code provisioning and automated SAST and DAST scans) throughout the CI/CD workflow. This "shift left" approach also increases visibility and the ability to enforce consistent security checks in your deployment pipeline, effectively deploying security guardrails into the environment ahead of time to avoid last-minute security surprises when deploying a workload into production.
When shifting security controls left into the pre-deployment phases, implement security guardrails to ensure the controls are deployed and enforced throughout your DevOps process. This technology could include resource deployment templates (such as Azure ARM templates) to define guardrails in the IaC (infrastructure as code), and resource provisioning and audit controls to restrict which services or configurations can be provisioned into the environment.
For the run-time security controls of your workload, follow the Microsoft Cloud Security Benchmark to design and implement effective controls, such as identity and privileged access, network security, endpoint security, and data protection, inside your workload applications and services.
Implementation and additional context:
- Azure Security Benchmark - DevOps security: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-devops-security
- Secure DevOps: https://www.microsoft.com/securityengineering/devsecops
- Cloud Adoption Framework - DevSecOps controls: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

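The GS-10 guidance on IaC guardrails amounts to a pipeline step that reads the deployment template and refuses to proceed when it declares a configuration the baseline forbids. The following is an added example, not Microsoft's code and not part of the benchmark: a small scanner over an ARM template that checks storage accounts against a baseline (HTTPS only, no anonymous blob access, TLS 1.2 minimum) and flags network security group rules that allow inbound SSH/RDP from any source. The template is constructed test data, and the baseline values are illustrative; the one caveat worth building in is that ARM values set by template expressions such as "[parameters('x')]" cannot be evaluated statically, so the scanner routes those to human review rather than silently passing them.

```python
"""Pre-deployment guardrail: scan an ARM template for baseline violations and
fail the pipeline before anything is provisioned.

Added example; not Microsoft's code. SAMPLE_TEMPLATE is constructed test data.
"""
import json
from dataclasses import dataclass
from typing import Any, Dict, Iterator, List, Tuple

SAMPLE_TEMPLATE = json.loads(r'''
{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-09-01", "name": "stpublicdata",
      "properties": { "supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": true,
                      "minimumTlsVersion": "TLS1_0" } },
    { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-09-01", "name": "stparamdriven",
      "properties": { "supportsHttpsTrafficOnly": true,
                      "allowBlobPublicAccess": "[parameters('publicAccess')]",
                      "minimumTlsVersion": "TLS1_2" } },
    { "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2022-07-01", "name": "nsg-web",
      "properties": { "securityRules": [
        { "name": "allow-rdp-from-anywhere", "properties": { "direction": "Inbound", "access": "Allow",
          "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389" } },
        { "name": "allow-https", "properties": { "direction": "Inbound", "access": "Allow",
          "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443" } } ] } }
  ] }
''')


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str   # "deny": block the deployment; "review": a human must decide
    detail: str


# Illustrative baseline for Microsoft.Storage/storageAccounts properties.
STORAGE_BASELINE = {"supportsHttpsTrafficOnly": True,
                    "allowBlobPublicAccess": False,
                    "minimumTlsVersion": "TLS1_2"}
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "any"}
MGMT_PORTS = (22, 3389)


def is_expression(value: Any) -> bool:
    """ARM expressions like "[parameters('x')]" are resolved only at deploy time."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def port_range_covers(port_range: str, port: int) -> bool:
    """True if an NSG port range ("*", "22", "3000-4000") includes the port."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def check_storage(name: str, props: Dict[str, Any]) -> List[Finding]:
    findings = []
    for key, want in STORAGE_BASELINE.items():
        got = props.get(key)   # absent counts as non-compliant; don't rely on service defaults
        if is_expression(got):
            findings.append(Finding(name, key, "review", f"set by template expression {got}"))
        elif got != want:
            findings.append(Finding(name, key, "deny", f"expected {want!r}, found {got!r}"))
    return findings


def check_nsg_rule(name: str, props: Dict[str, Any]) -> List[Finding]:
    """Flag inbound Allow rules that expose a management port to any source."""
    if props.get("direction") != "Inbound" or props.get("access") != "Allow":
        return []
    sources = [props["sourceAddressPrefix"]] if "sourceAddressPrefix" in props else []
    sources += props.get("sourceAddressPrefixes", [])
    ports = [props["destinationPortRange"]] if "destinationPortRange" in props else []
    ports += props.get("destinationPortRanges", [])
    if any(is_expression(v) for v in sources + ports):
        return [Finding(name, "open-management-port", "review", "source or port set by expression")]
    if (any(str(s).lower() in ANY_SOURCE for s in sources)
            and any(port_range_covers(r, p) for r in ports for p in MGMT_PORTS)):
        return [Finding(name, "open-management-port", "deny", f"{sources} -> {ports}")]
    return []


def walk_resources(resources: List[Dict[str, Any]], parent: str = "") -> Iterator[Tuple[str, Dict[str, Any]]]:
    for res in resources:
        name = f"{parent}/{res.get('name', '?')}" if parent else res.get("name", "?")
        yield name, res
        yield from walk_resources(res.get("resources", []), name)   # nested child resources


def evaluate_template(template: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    for name, res in walk_resources(template.get("resources", [])):
        rtype, props = res.get("type", ""), res.get("properties", {})
        if rtype == "Microsoft.Storage/storageAccounts":
            findings += check_storage(name, props)
        elif rtype == "Microsoft.Network/networkSecurityGroups":      # inline rules
            for rule in props.get("securityRules", []):
                findings += check_nsg_rule(f"{name}/{rule.get('name', '?')}", rule.get("properties", {}))
        elif rtype == "Microsoft.Network/networkSecurityGroups/securityRules":   # standalone rule
            findings += check_nsg_rule(name, props)
    return findings


def deployment_allowed(findings: List[Finding]) -> bool:
    return not any(f.severity == "deny" for f in findings)


if __name__ == "__main__":
    results = evaluate_template(SAMPLE_TEMPLATE)
    for f in results:
        print(f"{f.severity.upper():6} {f.resource}: {f.rule} ({f.detail})")
    raise SystemExit(0 if deployment_allowed(results) else 1)
```

Run as a pipeline step, the non-zero exit on any "deny" finding is what turns the baseline into a guardrail rather than a report. The "review" path matters in practice: a template that parameterizes the very setting the baseline cares about is the common way a guardrail gets bypassed, so it should block for a human decision rather than pass because nothing literal looked wrong.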
GS-11: Define and implement multi-cloud security strategy
Control Domain: Governance and Strategy
CIS Controls v7.1 ID(s): none
CIS Controls v8 ID(s): none
NIST SP 800-53 r4 ID(s): none
PCI-DSS v3.2.1 ID(s): none
Security Principle: N/A
General Guidance: Ensure a multi-cloud strategy is defined in your cloud and security governance, risk management, and operation processes, covering the following aspects:
- Multi-cloud adoption: For organizations that operate multi-cloud infrastructure, educate your organization so that teams understand the feature differences between the cloud platforms and technology stacks. Build, deploy, and/or migrate solutions that are portable. Allow for ease of movement between cloud platforms with minimum vendor lock-in, while utilizing cloud native features adequately for the optimal result from the cloud adoption.
- Cloud and security operations: Streamline security operations to support the solutions across each cloud, through a central set of governance and management processes which share common operations processes, regardless of where the solution is deployed and operated.
- Tooling and technology stack: Choose the appropriate tooling that supports a multi-cloud environment to help establish unified and centralized management platforms, which may include all the security domains discussed in this security benchmark.
Implementation and additional context:
- Azure hybrid and multicloud: https://docs.microsoft.com/en-us/hybrid/
- Azure hybrid and multicloud documentation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/scenario-overview
- AWS to Azure services comparison: https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services
- Azure for AWS professionals: https://docs.microsoft.com/en-us/azure/architecture/aws-professional/
Customer Security Stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions