One of the best ways to speed up securing your cloud deployments is to focus on the most impactful security best practices. Best practices for securing any service begins with a fundamental understanding of cybersecurity risk and how to manage it. As an Azure customer, you can leverage this understanding by using security recommendations from Microsoft to help guide your risk-based decisions as they’re applied to specific security configuration settings in your environment.
We partnered with the Center for Internet Security (CIS) to create the CIS Microsoft Azure Foundations Benchmark v1. Since that submission, we’ve received good feedback and wanted to share it with the community for comment in a document we call the Azure Security Foundations Benchmark. This benchmark contains recommendations that help improve the security of your applications and data on Azure. The recommendations in this document will go into updating the CIS Microsoft Azure Foundations Benchmark v1, and are anchored on the security best practices defined by the CIS Controls, Version 7.
In addition, these recommendations are or will be integrated into Azure Security Center and their impact will be surfaced in the Azure Security Center Secure Score and the Azure Security Center Compliance Dashboard.
We want your feedback on this document. There are two ways you can let us know what you think:
The Azure Security Foundation Benchmark is now in draft stage and we’d like to get your input on this effort. Specifically, we’d like to know:
- Does this document provide you with the information needed to understand how to define your own security baseline for Azure based resources?
- Does this format work for you? Are there other formats that would make it easier for you to use the information and act on it?
- Do you currently use the CIS Controls as a framework and the current edition of the CIS Azure Security Foundation Benchmarks?
- What additional information do you need on how to implement the recommendations using Azure security related capabilities?
- Once we have the final version of the benchmark ready, we will be integrating with Azure Security Center Compliance Portal. Does this meet your requirements of monitoring Azure resources based on CIS Benchmarks?
What’s in the Azure Security Foundation Benchmark document
The benchmark document is divided into three main sections:
- Overview information.
- Security recommendations.
- Security implementation in Azure services.
The Overview information provides background on why we put this document together, how you can use it to improve your security posture in Azure, and some key definitions of benchmark terminology.
The security recommendations are the cornerstone of the document. In this phase, we cover security recommendations in the following areas:
- Identity and access management
- Data protection
The recommendations are surfaced in tables like those seen in the image below.
The last section shows how the Azure security recommendations are implemented in a selection of core Azure services. The implementations include links to documents that will help you understand how to apply each component of the benchmark to improve your security.
Implementation information is contained in tables as seen below.
We hope you find this information useful and thank you in advance for your input on how we can make this document more useful for you and your organization! Remember to send us your feedback via email on the CIS Azure Cloud Security Benchmark.