The Microsoft cloud security benchmark provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multi-cloud environment. This benchmark focuses on cloud-centric control areas with input from a set of holistic Microsoft and industry security guidance that includes:
- Cloud Adoption Framework: Guidance on security, including strategy, roles and responsibilities, Azure Top 10 Security Best Practices, and reference implementation.
- Azure Well-Architected Framework: Guidance on securing your workloads on Azure.
- Microsoft Secure Future Initiative (SFI): SFI is a multi-year Microsoft internal initiative launched to embed security into every stage of product design, development, and operations. SFI includes Microsoft internal security best practices that we also want to recommend to our customers.
- The Chief Information Security Officer (CISO) Workshop: Program guidance and reference strategies to accelerate security modernization using Zero Trust principles.
- Other industry and cloud service providers security best practice standards and framework: Examples include the Amazon Web Services (AWS) Well-Architected Framework, Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).
What's new in Microsoft cloud security benchmark v2
Note
Microsoft cloud security benchmark v2 is now available as a preview. We encourage you to explore the new version and provide feedback to help us improve it further. For any questions or comments, please email us at [email protected]
Here's what's new in the Microsoft cloud security benchmark v2 (preview):
- Adding an Artificial Intelligence Strategy control domain to address the threats and risks in the AI domain. This new control domain includes 7 recommendations covering AI platform security, AI application security, and AI security monitoring.
- Expanding the Azure Policy-based control measurements from roughly 220 to roughly 420, covering new security controls and adding measurements for existing ones. This helps you measure and monitor your security posture in Azure using Azure Policy and Microsoft Defender for Cloud.
- Expanding the prior control guideline into a more comprehensive, risk- and threat-based control guide with more granular technical implementation examples and reference details. This helps you understand which security risks and threats each control is meant to mitigate, and how to implement the controls in your Azure environment.
Controls
| Control Domains | Description |
|---|---|
| Network security (NS) | Network Security covers controls to secure and protect networks, including securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS. |
| Identity Management (IM) | Identity Management covers controls to establish a secure identity and access controls using identity and access management systems, including the use of single sign-on, strong authentications, managed identities (and service principals) for applications, conditional access, and account anomalies monitoring. |
| Privileged Access (PA) | Privileged Access covers controls to protect privileged access to your tenant and resources, including a range of controls to protect your administrative model, administrative accounts, and privileged access workstations against deliberate and inadvertent risk. |
| Data Protection (DP) | Data Protection covers control of data protection at rest, in transit, and via authorized access mechanisms, including discover, classify, protect, and monitor sensitive data assets using access control, encryption, key management and certificate management. |
| Asset Management (AM) | Asset Management covers controls to ensure security visibility and governance over your resources, including recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct). |
| Logging and Threat Detection (LT) | Logging and Threat Detection covers controls for detecting threats on cloud, and enabling, collecting, and storing audit logs for cloud services, including enabling detection, investigation, and remediation processes with controls to generate high-quality alerts with native threat detection in cloud services; it also includes collecting logs with a cloud monitoring service, centralizing security analysis with a SIEM, time synchronization, and log retention. |
| Incident Response (IR) | Incident Response covers controls in incident response life cycle - preparation, detection and analysis, containment, and post-incident activities, including using Azure services (such as Microsoft Defender for Cloud and Sentinel) and/or other cloud services to automate the incident response process. |
| Posture and Vulnerability Management (PV) | Posture and Vulnerability Management focuses on controls for assessing and improving cloud security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in cloud resources. |
| Endpoint Security (ES) | Endpoint Security covers controls in endpoint detection and response, including use of endpoint detection and response (EDR) and anti-malware service for endpoints in cloud environments. |
| Backup and Recovery (BR) | Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected. |
| DevOps Security (DS) | DevOps Security covers the controls related to the security engineering and operations in the DevOps processes, including deployment of critical security checks (such as static application security testing, vulnerability management) prior to the deployment phase to ensure the security throughout the DevOps process; it also includes common topics such as threat modeling and software supply security. |
| Artificial Intelligence Strategy (AI) | Artificial Intelligence Strategy covers controls to ensure the secure development, deployment, and operation of AI models and services, including AI platform security, AI application security and AI security monitoring. |
| Governance and Strategy (GS) (deprecated in v2) | Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, unified technical strategy, and supporting policies and standards. |
Recommendations in Microsoft cloud security benchmark
Each recommendation includes the following information:
- ID: The Benchmark ID that corresponds to the recommendation.
- Security Principle: The recommendation focused on the "what", explaining the control at the technology-agnostic level.
- Risk to mitigate: The security risk(s) that the recommendation aims to mitigate.
- MITRE ATT&CK: The MITRE ATT&CK tactics, techniques and procedures (TTPs) that are relevant to the security risks. Learn more at https://attack.mitre.org/.
- Azure Guidance: The recommendation focused on the "how", explaining the Azure technical features and implementation basics.
- AWS Guidance: The recommendation focused on the "how", explaining the AWS technical features and implementation basics.
- Implementation Examples (v2 Azure only): Practical examples of how to implement the recommendation in a real-world scenario.
- Implementation and additional context (v1 only; in v2 this content is embedded directly in the guidance): The implementation details and other relevant context, with links to the Azure and AWS service offering documentation articles.
- Customer Security Stakeholders (deprecated in v2): The security functions at the customer organization who may be accountable, responsible, or consulted for the respective control. It may be different from organization to organization depending on your company's security organization structure, and the roles and responsibilities you set up related to Azure security.
- Azure Policy (Built-in) Mapping: The applicable Azure Policy that can be used to measure the corresponding control effectiveness. For more information, see Microsoft cloud security benchmark control to Azure Built-in Policy mapping.
- Control Mapping: The mapping between MCSB recommendation and industry security standards, including:
- CIS Controls v8 ID(s): The CIS Controls v8 control(s) that correspond to the recommendation.
- CIS Controls v7.1 ID(s) (deprecated in v2): The CIS Controls v7.1 control(s) that correspond to the recommendation (not shown on the web page for formatting reasons).
- PCI-DSS v3.2.1 ID(s) (deprecated in v2): The PCI-DSS v3.2.1 control(s) that correspond to the recommendation.
- PCI-DSS v4 ID(s) (v2 only): The PCI-DSS v4 control(s) that correspond to the recommendation.
- ISO/IEC 27001:2022 ID(s) (v2 only): The ISO/IEC 27001:2022 control(s) that correspond to the recommendation.
- NIST Cybersecurity Framework v2 ID(s) (v2 only): The NIST Cybersecurity Framework (CSF) v2 control(s) that correspond to the recommendation.
- NIST SP 800-53 r4 ID(s) (deprecated in v2): The NIST SP 800-53 r4 (Moderate and High) control(s) that correspond to the recommendation.
- NIST SP 800-53 r5 ID(s) (v2 only): The NIST SP 800-53 r5 (Moderate and High) control(s) that correspond to the recommendation.
The control mappings between MCSB and industry benchmarks (such as CIS, NIST, PCI, ISO, etc.) only indicate that specific Azure feature(s) can be used to fully or partially address a control requirement defined in those industry benchmarks. Be aware that implementing the mapped feature does not necessarily translate to full compliance with the corresponding control(s) in those industry benchmarks.
We welcome your detailed feedback and active participation in the Microsoft cloud security benchmark effort. If you would like to provide direct input, please email us at [email protected].
Download
You can download an offline copy of the benchmark and the service baselines in spreadsheet format.
Next steps
- See the first security control: Network security
- Read the Microsoft cloud security benchmark introduction
- Learn the Azure Security Fundamentals