| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-1 | Governance and Strategy | Align organization roles, responsibilities and accountabilities | 17.2 - Deliver Training to Fill the Skills Gap | 14.9 - Conduct Role-Specific Security Awareness and Skills Training | PL-9: Central Management; PM-10: Security Authorization Process; PM-13: Information Security Workforce; AT-1: Security Awareness and Training Policy and Procedures; AT-3: Role-Based Security Training | 12.4 |

Security principle: N/A

Azure guidance: Ensure that you define and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize clear accountability for security decisions, educate everyone on the shared responsibility model, and educate technical teams on the technology used to secure the cloud.

Implementation and additional context:
- Azure Security Best Practice 1 - People: Educate Teams on Cloud Security Journey: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#1-people-educate-teams-about-the-cloud-security-journey
- Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#2-people-educate-teams-on-cloud-security-technology
- Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-2 | Governance and Strategy | Define and implement enterprise segmentation/separation of duties strategy | 2.10 - Physically or Logically Segregate High Risk Applications; 14.1 - Segment the Network Based on Sensitivity | 3.12 - Segment Data Processing and Storage Based on Sensitivity | AC-4: Information Flow Enforcement; SC-7: Boundary Protection; SC-2: Application Partitioning | 1.2, 6.4 |

Security principle: N/A

Azure guidance: Establish an enterprise-wide strategy to segment access to assets using a combination of identity, network, application, subscription, management group, and other controls.

Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.

Ensure that the segmentation strategy is implemented consistently in the workload, including network security, identity and access models, application permission/access models, and human process controls.

Implementation and additional context:
- Security in the Microsoft Cloud Adoption Framework for Azure - Segmentation: Separate to protect: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/access-control#segmentation-separate-to-protect
- Security in the Microsoft Cloud Adoption Framework for Azure - Architecture: establish a single unified security strategy: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#11-architecture-establish-a-single-unified-security-strategy

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-3 | Governance and Strategy | Define and implement data protection strategy | 14.1 - Segment the Network Based on Sensitivity | 3.1 - Establish and Maintain a Data Management Process; 3.7 - Establish and Maintain a Data Classification Scheme; 3.12 - Segment Data Processing and Storage Based on Sensitivity | AC-4: Information Flow Enforcement; SI-4: Information System Monitoring; SC-8: Transmission Confidentiality and Integrity; SC-12: Cryptographic Key Establishment and Management; SC-17: Public Key Infrastructure Certificates; SC-28: Protection of Information at Rest; RA-2: Security Categorization | 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 4.1, A3.2 |

Security principle: N/A

Azure guidance: Establish an enterprise-wide strategy for data protection in your cloud environment:
- Define and apply a data classification and protection standard, in accordance with the enterprise data management standard and regulatory compliance requirements, that dictates the security controls required for each level of the data classification.
- Set up your cloud resource management hierarchy aligned to the enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business-critical data and systems.
- Define and apply the applicable zero-trust principles in your cloud environment to avoid implementing trust based on network location within a perimeter. Instead, use device and user trust claims to gate access to data and resources.
- Track and minimize the sensitive data footprint (storage, transmission, and processing) across the enterprise to reduce the attack surface and data protection cost. Consider techniques such as one-way hashing, truncation, and tokenization in the workload where possible, to avoid storing and transmitting sensitive data in its original form.
- Ensure you have a full lifecycle control strategy to provide security assurance of the data and access keys.

Implementation and additional context:
- Azure Security Benchmark - Data Protection: https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-data-protection
- Cloud Adoption Framework - Azure data security and encryption best practices: https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices
- Azure Security Fundamentals - Azure Data security, encryption, and storage: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

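The data-footprint bullet in GS-3 names three techniques (one-way hashing, truncation, tokenization) without showing how they differ in what survives a breach. The following Python is an added example written for this page, not code from the benchmark or from Microsoft. The card number is a standard test value, the HMAC key is a placeholder standing in for a key that would live in a key vault, and the in-memory token vault stands in for a separately secured tokenization service.

```python
"""Three ways to avoid storing or transmitting a sensitive value (here a
payment card number, PAN) in its original form, per the data-footprint
bullet in GS-3. Added example; all inputs are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed test PAN (a standard test number, not a real card).
SAMPLE_PAN = "4111111111111111"

# Assumption: in a real workload this key is fetched from a key vault and is
# never stored next to the hashed values; it is hard-coded only so the
# example runs offline.
HASH_KEY = b"example-key-from-vault-not-for-production"


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits. The discarded digits are
    unrecoverable, so the result is safe to store on receipts and in UIs."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short to truncate safely")
    return "*" * (len(digits) - 4) + digits[-4:]


def one_way_hash(pan: str) -> str:
    """One-way hashing with a keyed hash (HMAC-SHA256).

    A plain SHA-256 of a PAN is brute-forceable: the PAN space is small once
    BIN prefixes and the Luhn check are taken into account. Keying the hash
    means an attacker who steals the hashed column still cannot enumerate
    PANs without also stealing the key."""
    return hmac.new(HASH_KEY, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: replace the PAN with a random surrogate and keep the
    mapping in a separately secured store. Systems that hold only tokens
    never see the original value, which shrinks the protected footprint."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the existing token for a PAN, or mint a new random one."""
        if pan not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(16)  # no relation to the PAN
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        """Only the vault, behind its own access control, can reverse a token."""
        return self._token_to_pan[token]


def minimize_record(pan: str, vault: TokenVault) -> Dict[str, str]:
    """What a downstream workload receives instead of the raw PAN: a display
    form, a keyed hash for matching/de-duplication, and a token the vault can
    later resolve when the original value is genuinely needed."""
    return {
        "display": truncate_pan(pan),
        "lookup": one_way_hash(pan),
        "token": vault.tokenize(pan),
    }


if __name__ == "__main__":
    vault = TokenVault()
    record = minimize_record(SAMPLE_PAN, vault)
    print(record)
    print("vault resolves token:", vault.detokenize(record["token"]) == SAMPLE_PAN)
```

Each field answers a different question: the truncated form is enough for display, the keyed hash is enough to detect a repeat card without revealing it, and only the vault can turn a token back into a PAN, so every system outside the vault drops out of the sensitive-data footprint.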
| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-4 | Governance and Strategy | Define and implement network security strategy | 12.1 - Maintain an Inventory of Network Boundaries | 12.2 - Establish and Maintain a Secure Network Infrastructure; 12.4 - Establish and Maintain Architecture Diagram(s) | AC-4: Information Flow Enforcement; AC-17: Remote Access; CA-3: System Interconnections; CM-1: Configuration Management Policy and Procedures; CM-2: Baseline Configuration; CM-6: Configuration Settings; CM-7: Least Functionality; SC-1: System and Communications Protection Policy and Procedures; SC-2: Application Partitioning; SC-5: Denial of Service Protection; SC-7: Boundary Protection; SC-20: Secure Name / Address Resolution Service (Authoritative Source); SC-21: Secure Name / Address Resolution Service (Recursive or Caching Resolver); SI-4: Information System Monitoring | 1.1, 1.2, 1.3, 1.5, 4.1, 6.6, 11.4, A2.1, A2.2, A2.3, A3.2 |

Security principle: N/A

Azure guidance: Establish a cloud network security strategy as part of your organization's overall security strategy for access control. This strategy should include documented guidance, policy, and standards for the following elements:
- A centralized/decentralized network management and security responsibility model for deploying and maintaining network resources.
- A virtual network segmentation model aligned with the enterprise segmentation strategy.
- An Internet edge and ingress and egress strategy.
- A hybrid cloud and on-premises interconnectivity strategy.
- A network monitoring and logging strategy.
- Up-to-date network security artifacts (such as network diagrams and reference network architectures).

Implementation and additional context:
- Azure Security Best Practice 11 - Architecture. Single unified security strategy: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy
- Azure Security Benchmark - Network Security: https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security
- Azure network security overview: https://docs.microsoft.com/azure/security/fundamentals/network-overview
- Enterprise network architecture strategy: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-5 | Governance and Strategy | Define and implement security posture management strategy | 5.1 - Establish Secure Configurations | 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure | CA-1: Security Assessment and Authorization Policy and Procedures; CA-8: Penetration Testing; CM-1: Configuration Management Policy and Procedures; CM-2: Baseline Configuration; CM-6: Configuration Settings; RA-1: Risk Assessment Policy and Procedures; RA-3: Risk Assessment; RA-5: Vulnerability Scanning; SI-1: System and Information Integrity Policy and Procedures; SI-2: Flaw Remediation; SI-5: Security Alerts, Advisories, and Directives | 1.1, 1.2, 2.2, 6.1, 6.2, 6.5, 6.6, 11.2, 11.3, 11.5 |

Security principle: N/A

Azure guidance: Establish policies, procedures and standards to ensure that security configuration management and vulnerability management are part of your cloud security mandate.

Security configuration management in the cloud should include the following areas:
- Define secure configuration baselines for the different resource types in the cloud, such as the web portal/console, the management and control plane, and resources running in IaaS, PaaS and SaaS services.
- Ensure the security baselines address the risks in the different control areas, such as network security, identity management, privileged access, data protection and so on.
- Use tools to continuously measure, audit, and enforce the configuration to prevent it deviating from the baseline.
- Develop a cadence to stay updated on security features, for instance by subscribing to the service updates.
- Utilize a security health or compliance check mechanism (such as Secure Score or the Compliance Dashboard in Microsoft Defender for Cloud) to regularly review the security configuration posture and remediate the gaps identified.

Vulnerability management in the cloud should include the following security aspects:
- Regularly assess and remediate vulnerabilities in all cloud resource types, such as cloud native services, operating systems, and application components.
- Use a risk-based approach to prioritize assessment and remediation.
- Subscribe to the relevant cloud service provider's security advisory notices and blogs to receive the latest security updates.
- Ensure that vulnerability assessment and remediation (such as schedule, scope, and techniques) meet the regulatory compliance requirements for your organization.

Implementation and additional context:
- Azure Security Benchmark - Posture and vulnerability management: https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-posture-vulnerability-management
- Azure Security Best Practice 5 - Process: Establish security posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#5-process-establish-security-posture-management

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-6 | Governance and Strategy | Define and implement identity and privileged access strategy | 4.5 - Use Multifactor Authentication For All Administrative Access; 16.2 - Configure Centralized Point of Authentication | 5.6 - Centralize Account Management; 6.5 - Require MFA for Administrative Access; 6.7 - Centralize Access Control | AC-1: Access Control Policy and Procedures; AC-2: Account Management; AC-3: Access Enforcement; AC-4: Information Flow Enforcement; AC-5: Separation of Duties; AC-6: Least Privilege; IA-1: Identification and Authentication Policy and Procedures; IA-2: Identification and Authentication (Organizational Users); IA-4: Identifier Management; IA-5: Authenticator Management; IA-8: Identification and Authentication (Non-Organizational Users); IA-9: Service Identification and Authentication; SI-4: Information System Monitoring | 7.1, 7.2, 7.3, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, A3.4 |

Security principle: N/A

Azure guidance: Establish a cloud identity and privileged access approach as part of your organization's overall security access control strategy. This strategy should include documented guidance, policy, and standards for the following aspects:
- Centralized identity and authentication system (such as Azure AD) and its interconnectivity with other internal and external identity systems
- Privileged identity and access governance (such as access request, review and approval)
- Privileged accounts for emergency (break-glass) situations
- Strong authentication (passwordless authentication and multifactor authentication) methods in different use cases and conditions
- Secure access for administrative operations through the web portal/console, command line and API.

For exception cases where an enterprise system isn't used, ensure that adequate security controls are in place for identity, authentication and access management, and that they are governed. These exceptions should be approved and periodically reviewed by the enterprise team. Such exceptions are typically cases such as:
- Use of a non-enterprise designated identity and authentication system, such as cloud-based third-party systems (may introduce unknown risks)
- Privileged users authenticated locally and/or using non-strong authentication methods

Implementation and additional context:
- Azure Security Benchmark - Identity management: https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-identity-management
- Azure Security Benchmark - Privileged access: https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-privileged-access
- Azure Security Best Practice 11 - Architecture. Single unified security strategy: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy
- Azure identity management security overview: https://docs.microsoft.com/azure/security/fundamentals/identity-management-overview

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-7 | Governance and Strategy | Define and implement logging, threat detection and incident response strategy | 6.2 - Activate Audit Logging; 6.3 - Enable Detailed Logging; 6.6 - Deploy SIEM or Log Analytic Tool; 6.7 - Regularly Review Logs; 19.1 - Document Incident Response Procedures; 19.5 - Maintain Contact Information For Reporting Security Incidents; 19.7 - Conduct Periodic Incident Scenario Sessions for Personnel | 8.1 - Establish and Maintain an Audit Log Management Process; 13.1 - Centralize Security Event Alerting; 17.2 - Establish and Maintain Contact Information for Reporting Security Incidents; 17.4 - Establish and Maintain an Incident Response Process; 17.7 - Conduct Routine Incident Response Exercises | AU-1: Audit and Accountability Policy and Procedures; IR-1: Incident Response Policy and Procedures; IR-2: Incident Response Training; IR-10: Integrated Information Security Analysis Team; SI-1: System and Information Integrity Policy and Procedures; SI-5: Security Alerts, Advisories, and Directives | 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 12.10, A3.5 |

Security principle: N/A

Azure guidance: Establish a logging, threat detection and incident response strategy to rapidly detect and remediate threats and meet compliance requirements. The security operations (SecOps / SOC) team should prioritize high-quality alerts and seamless experiences so that it can focus on threats rather than on log integration and manual steps.

This strategy should include documented policy, procedures and standards for the following aspects:
- The security operations (SecOps) organization's roles and responsibilities
- A well-defined and regularly tested incident response plan and handling process aligned with NIST SP 800-61 (Computer Security Incident Handling Guide) or other industry frameworks.
- A communication and notification plan for your customers, suppliers, and public parties of interest.
- Simulate both expected and unexpected security events within your cloud environment to understand the effectiveness of your preparation. Iterate on the outcome of your simulation to improve the scale of your response posture, reduce time to value, and further reduce risk.
- Preference for extended detection and response (XDR) capabilities, such as Azure Defender, to detect threats across the various areas.
- Use of cloud native capabilities (e.g., Microsoft Defender for Cloud) and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication.
- Prepare the necessary runbooks, both manual and automated, to ensure reliable and consistent responses.
- Define key scenarios (such as threat detection, incident response, and compliance) and set up log capture and retention to meet the scenario requirements.
- Centralized visibility of, and correlation of information about, threats, using SIEM, native cloud threat detection capabilities, and other sources.
- Post-incident activities, such as lessons learned and evidence retention.

Implementation and additional context:
- Azure Security Benchmark - Logging and threat detection: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-logging-threat-detection
- Azure Security Benchmark - Incident response: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-incident-response
- Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud: https://aka.ms/AzSec4
- Azure Adoption Framework, logging, and reporting decision guide: https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/
- Azure enterprise scale, management, and monitoring: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
- NIST SP 800-61 Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-8 | Governance and Strategy | Define and implement backup and recovery strategy | 10.1 - Ensure Regular Automated Backups | 11.1 - Establish and Maintain a Data Recovery Process | CP-1: Contingency Planning Policy and Procedures; CP-9: Information System Backup; CP-10: Information System Recovery and Reconstitution | 3.4 |

Security principle: N/A

Azure guidance: Establish a backup and recovery strategy for your organization. This strategy should include documented guidance, policy, and standards in the following aspects:
- Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives and regulatory compliance requirements.
- Redundancy design (including backup, restore and replication) in your applications and infrastructure, both in the cloud and on-premises. Consider regional, region-pair, cross-regional recovery and off-site storage locations as part of your strategy.
- Protection of backups from unauthorized access and tampering, using controls such as data access control, encryption and network security.
- Use of backup and recovery to mitigate the risks from emerging threats such as ransomware attacks, and securing the backup and recovery data itself from these attacks.
- Monitoring of backup and recovery data and operations for audit and alerting purposes.

Implementation and additional context:
- Azure Security Benchmark - Backup and recovery: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-backup-recovery
- Azure Well-Architected Framework - Backup and disaster recovery for Azure applications: https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery
- Azure Adoption Framework - business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery
- Backup and restore plan to protect against ransomware: https://docs.microsoft.com/azure/security/fundamentals/backup-plan-to-protect-against-ransomware

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-9 | Governance and Strategy | Define and implement endpoint security strategy | 8.1 - Utilize Centrally Managed Anti-malware Software; 9.4 - Apply Host-Based Firewalls or Port-Filtering | 4.4 - Implement and Manage a Firewall on Servers; 10.1 - Deploy and Maintain Anti-Malware Software | SI-2: Flaw Remediation; SI-3: Malicious Code Protection; SC-3: Security Function Isolation | 5.1, 5.2, 5.3, 5.4, 11.5 |

Security principle: N/A

Azure guidance: Establish a cloud endpoint security strategy which includes the following aspects:
- Deploy endpoint detection and response (EDR) and antimalware capabilities on your endpoints, and integrate them with the threat detection and SIEM solution and the security operations process.
- Follow the Microsoft Cloud Security Benchmark to ensure that endpoint-related security settings in the other respective areas (such as network security, posture and vulnerability management, identity and privileged access, and logging and threat detection) are also in place, to provide defense-in-depth protection for your endpoints.
- Prioritize endpoint security in your production environment, but ensure that non-production environments (such as the test and build environments used in the DevOps process) are also secured and monitored, as these environments can also be used to introduce malware and vulnerabilities into production.

Implementation and additional context:
- Azure Security Benchmark - Endpoint security: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-endpoint-security
- Best practices for endpoint security on Azure: https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-10 | Governance and Strategy | Define and implement DevOps security strategy | 5.1 - Establish Secure Configurations; 18.1 - Establish Secure Coding Practices; 18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities | 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure; 16.1 - Establish and Maintain a Secure Application Development Process; 16.2 - Establish and Maintain a Process to Accept and Address Software Vulnerabilities | SA-12: Supply Chain Protection; SA-15: Development Process, Standards, and Tools; CM-1: Configuration Management Policy and Procedures; CM-2: Baseline Configuration; CM-6: Configuration Settings; AC-2: Account Management; AC-3: Access Enforcement; AC-6: Least Privilege; SA-11: Developer Testing and Evaluation; AU-6: Audit Review, Analysis, and Reporting; AU-12: Audit Generation; SI-4: Information System Monitoring | 2.2, 6.1, 6.2, 6.3, 6.5, 7.1, 10.1, 10.2, 10.3, 10.6, 12.2 |

Security principle: N/A

Azure guidance: Mandate the security controls as part of the organization's DevOps engineering and operation standard. Define the security objectives, control requirements, and tooling specifications in accordance with the enterprise and cloud security standards in your organization.

Encourage the use of DevOps as an essential operating model in your organization for its benefits in rapidly identifying and remediating vulnerabilities using different types of automation (such as infrastructure as code provisioning, and automated SAST and DAST scans) throughout the CI/CD workflow. This 'shift left' approach also increases visibility and the ability to enforce consistent security checks in your deployment pipeline, effectively deploying security guardrails into the environment ahead of time to avoid last-minute security surprises when deploying a workload into production.

When shifting security controls left into the pre-deployment phases, implement security guardrails to ensure the controls are deployed and enforced throughout your DevOps process. This technology can include resource deployment templates (such as Azure ARM templates) to define guardrails in IaC (infrastructure as code), and resource provisioning and auditing to restrict which services or configurations can be provisioned into the environment.

For the run-time security controls of your workload, follow the Microsoft Cloud Security Benchmark to design and implement effective controls, such as identity and privileged access, network security, endpoint security, and data protection inside your workload applications and services.

Implementation and additional context:
- Azure Security Benchmark - DevOps security: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-devops-security
- Secure DevOps: https://www.microsoft.com/securityengineering/devsecops
- Cloud Adoption Framework - DevSecOps controls: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions

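The configuration-baseline bullets in GS-5 (continuously measure, audit and enforce configuration against a baseline) and the guardrail paragraph in GS-10 (enforce the same controls pre-deployment in IaC) describe one mechanism applied at two points in the lifecycle. The following Python is an added example written for this page, not code from the benchmark or from Microsoft: a small baseline-as-code evaluator with 'deny' and 'audit' effects, run once as a pipeline gate over a constructed IaC fragment and once as a drift audit over a constructed inventory export. The resource shape, property names and rules are invented for the example and are not the Azure Policy or ARM template schema.

```python
"""Configuration baseline as code, evaluated at two points: as a
pre-deployment guardrail over an infrastructure-as-code document, and as a
drift audit over a live inventory export. Added example; the resource shape,
property names and rules are constructed and simplified, not the Azure
Policy or ARM template schema."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    resource_type: str
    description: str
    check: Callable[[Dict[str, Any]], bool]  # returns True when compliant
    effect: str                               # "deny" blocks; "audit" only reports


@dataclass(frozen=True)
class Finding:
    resource: str
    rule_id: str
    effect: str
    description: str


def _prop(props: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Read a nested property by dotted path. A missing key yields the default
    (non-compliant for every rule below) instead of raising, so an incomplete
    template cannot slip past a rule by omitting the setting."""
    cur: Any = props
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


# Constructed baseline spanning the control areas the text lists (network
# security, identity, data protection). Property names are illustrative.
BASELINE: List[Rule] = [
    Rule("NET-01", "storage", "Public network access disabled",
         lambda p: _prop(p, "network.publicAccess") is False, "deny"),
    Rule("DP-01", "storage", "Minimum TLS version 1.2",
         lambda p: _prop(p, "tls.minimumVersion") == "1.2", "deny"),
    Rule("DP-02", "storage", "Customer-managed key for encryption at rest",
         lambda p: _prop(p, "encryption.keySource") == "customer", "audit"),
    Rule("ID-01", "vm", "Managed identity instead of embedded credentials",
         lambda p: _prop(p, "identity.type") == "managed", "deny"),
    Rule("NET-02", "vm", "No SSH/RDP exposed to the Internet",
         lambda p: not ({22, 3389} & set(_prop(p, "network.inboundFromInternet", []))), "deny"),
]


def evaluate(resources: List[Dict[str, Any]], baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Apply every rule of the matching resource type; one finding per failure."""
    findings: List[Finding] = []
    for res in resources:
        for rule in baseline:
            if rule.resource_type == res["type"] and not rule.check(res.get("properties", {})):
                findings.append(Finding(res["name"], rule.rule_id, rule.effect, rule.description))
    return findings


def gate_deployment(template_resources: List[Dict[str, Any]]) -> bool:
    """Pre-deployment guardrail (shift left): refuse the deployment if any
    'deny' rule fails; 'audit' findings are reported but do not block."""
    return not any(f.effect == "deny" for f in evaluate(template_resources))


def drift_report(inventory: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Runtime audit: which baseline rules each deployed resource violates."""
    report: Dict[str, List[str]] = {}
    for f in evaluate(inventory):
        report.setdefault(f.resource, []).append(f.rule_id)
    return report


# Constructed IaC fragment as submitted to the pipeline...
TEMPLATE: List[Dict[str, Any]] = [
    {"name": "stlogs01", "type": "storage", "properties": {
        "network": {"publicAccess": False}, "tls": {"minimumVersion": "1.2"},
        "encryption": {"keySource": "platform"}}},
    {"name": "vm-jump01", "type": "vm", "properties": {
        "identity": {"type": "managed"}, "network": {"inboundFromInternet": [443]}}},
]
# ...and a constructed inventory export of the same resources after someone
# changed them in the portal: drift that the pipeline gate alone never sees.
INVENTORY: List[Dict[str, Any]] = [
    {"name": "stlogs01", "type": "storage", "properties": {
        "network": {"publicAccess": True}, "tls": {"minimumVersion": "1.2"},
        "encryption": {"keySource": "platform"}}},
    {"name": "vm-jump01", "type": "vm", "properties": {
        "identity": {"type": "managed"}, "network": {"inboundFromInternet": [443, 3389]}}},
]

if __name__ == "__main__":
    print("deploy allowed:", gate_deployment(TEMPLATE))  # only an audit finding
    print("drift:", drift_report(INVENTORY))
```

The point of keeping one rule set for both passes is that the pipeline gate and the runtime audit cannot disagree about what the baseline is: the template above passes the gate with a single audit finding, while the same resources as later observed in the inventory fail two deny rules, which is exactly the drift the GS-5 bullet asks you to detect continuously rather than only at deployment time.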
| ID | Control Domain | Recommendation | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) |
|---|---|---|---|---|---|---|
| GS-11 | Governance and Strategy | Define and implement multi-cloud security strategy | N/A | N/A | N/A | N/A |

Security principle: N/A

Azure guidance: Ensure a multi-cloud strategy is defined in your cloud and security governance, risk management, and operations processes, covering the following aspects:
- Multi-cloud adoption: For organizations that operate multi-cloud infrastructure, educate your organization so that teams understand the feature differences between the cloud platforms and technology stacks. Build, deploy, and/or migrate solutions that are portable. Allow for ease of movement between cloud platforms with minimum vendor lock-in, while utilizing cloud-native features adequately for the optimal result from the cloud adoption.
- Cloud and security operations: Streamline security operations to support the solutions across each cloud through a central set of governance and management processes that share common operational processes, regardless of where the solution is deployed and operated.
- Tooling and technology stack: Choose appropriate tooling that supports multi-cloud environments to help establish unified and centralized management platforms, which may cover all the security domains discussed in this security benchmark.

Implementation and additional context:
- Azure hybrid and multicloud: https://docs.microsoft.com/en-us/hybrid/
- Azure hybrid and multicloud documentation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/scenario-overview
- AWS to Azure services comparison: https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services
- Azure for AWS professionals: https://docs.microsoft.com/en-us/azure/architecture/aws-professional/

Customer security stakeholders: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions