Hi there, It is required to assess the Security (CSPM) for all our Azure PaaS & SaaS services across a number of Management Groups. Not just the security score. An in-depth Security Assessment to be carried out across:- Identity and Access Management Platform Security Security Operations Application & Data Security Subscriptions Security Would it help to go through Microsoft suggested Azure Security Benchmark , then deploy Azure policies and resolve the services that are not complaint? by checking the security center and secure score? Please suggest the best approach, tools, and useful resources. Thanks

@Raju Golla Thank you for your time and patience throughout this issue. I got a response from our engineering team and will post it below. PG response: There is no direct mapping between ASB and CSA CCM, however our ASB v2 is now mapped to NIST 800-53 r4 which can be plugged into other standards like CCM. Reference: https://learn.microsoft.com/en-us/azure/security/benchmarks/overview Example of an ASB control NS-1 mapping to NIST 800-53: Reference: https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic The Cloud Security Alliance has <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcloudsecurityalliance.org%2Fartifacts%2Fcsa-ccm-v3-0-1-addendum-nist-800-53-rev-4-moderate%2F&data=04%7C01%7CJames.Tran%40microsoft.com%7Cd09823b977ad44db8c1a08d86c9388ba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637378728193293593%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fi9Bv%2BookLYdpA%2B0SVac6e%2BgOV4jvNeA5BcrPDg0WaI%3D&reserved=0" rel="ugc nofollow">some published addendums that outline these mappings to NIST 800-53 r4, so we can get a resulting linked mapping to the ASB where the controls are applicable. Download the CCM mapping to NIST 800-53 r4 a. https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v3-0-1/ Download the ASB v2 mapping to NIST 800-53 r4 a. https://learn.microsoft.com/en-us/azure/security/benchmarks/overview#download Join or perform evaluation of resulting mapping If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

@Raju Golla Thank you for the post! It'd definitely be beneficial to go through the Azure Security Benchmark documentation so you can gain a better understanding of the common use cases , such as improving your security posture of existing Azure deployments, or implementing best practices and recommendations to help improve the security of workloads, data, and services on Azure. Another useful resource would be the Azure Security Center documentation , which will help you understand key capabilities, and specifically help you understand your secure score so you can quickly remediate your Azure resources . If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

Azure Security Assessment

Raju Golla 41

Hi there,

It is required to assess the Security (CSPM) for all our Azure PaaS & SaaS services across a number of Management Groups. Not just the security score. An in-depth Security Assessment to be carried out across:-

Identity and Access Management
Platform Security
Security Operations
Application & Data Security
Subscriptions Security

Would it help to go through Microsoft suggested Azure Security Benchmark, then deploy Azure policies and resolve the services that are not complaint? by checking the security center and secure score?

Please suggest the best approach, tools, and useful resources.

Thanks

Accepted answer

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-10-12T19:57:38.61+00:00
@Raju Golla
Thank you for your time and patience throughout this issue. I got a response from our engineering team and will post it below.

PG response:
There is no direct mapping between ASB and CSA CCM, however our ASB v2 is now mapped to NIST 800-53 r4 which can be plugged into other standards like CCM.

Reference: https://learn.microsoft.com/en-us/azure/security/benchmarks/overview

Example of an ASB control NS-1 mapping to NIST 800-53:

Reference: https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic

The Cloud Security Alliance has some published addendums that outline these mappings to NIST 800-53 r4, so we can get a resulting linked mapping to the ASB where the controls are applicable.

Download the CCM mapping to NIST 800-53 r4
a. https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v3-0-1/

Download the ASB v2 mapping to NIST 800-53 r4
a. https://learn.microsoft.com/en-us/azure/security/benchmarks/overview#download

Join or perform evaluation of resulting mapping

If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.
Please sign in to rate this answer.
JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-10-13T17:15:25.447+00:00

@Raju Golla
I just wanted to check in and see if you had a chance to review my previous post or if you had any other questions?

Thank you again for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Raju Golla 41 Reputation points

2020-10-14T09:45:12.91+00:00

Hi James,
Thanks for your help and insight. Appreciated.

Like to request for some additional information - Does Microsoft provides any HIGH-RISK workloads/areas within Azure that could allow Data Loss? Please inform.

As part of the DLP Assessment, we are utilizing CCM and Microsoft Sec Baselines, as the scope is large across the (1) Identity and Access Management (2) Platform Security (3) Security Operations (4) App and Data
Your suggestion that would save time and effort is greatly appreciated.

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-10-14T17:06:21.42+00:00

@Raju Golla
Thank you for the quick response!

For high risk workloads/areas within Azure that could allow Data Loss, you should reference our Security recommendations - a reference guide. This guide details security recommendations and places severity (low - high) for each recommendation ,the services/features covered range from Networking to Identity.

Additional links:
FAQ - General questions about Azure Security Center
Azure Security Center Troubleshooting Guide

I hope this helps, if you have any other questions please let me know.
Thank you for your time and patience throughout this issue.

Raju Golla 41 Reputation points

2020-10-15T11:29:07.403+00:00

Hi James,

Thanks for your persistent help
Sign in to comment

1 additional answer

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-09-29T21:23:19.383+00:00

@Raju Golla
Thank you for the post!

It'd definitely be beneficial to go through the Azure Security Benchmark documentation so you can gain a better understanding of the common use cases, such as improving your security posture of existing Azure deployments, or implementing best practices and recommendations to help improve the security of workloads, data, and services on Azure.

Another useful resource would be the Azure Security Center documentation, which will help you understand key capabilities, and specifically help you understand your secure score so you can quickly remediate your Azure resources.

If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.
Please sign in to rate this answer.
JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-09-30T17:23:04.693+00:00

@Raju Golla
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?

----------

If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.

Raju Golla 41 Reputation points

2020-10-02T16:46:34.35+00:00

Hi James,
Thanks for your help and insight.

Please note that we do have existing 'Security Patterns and Standards'. As we use multiple Cloud providers we want to consider the 'CSA CCM'.

Review the existing in-house 'Security Patterns and Standards'

Assess the Azure Services against our internal 'Security Patterns and Standards' and the CSA CCM Controls that maps to the Microsoft Security Baselines. Appreciate if you could provide the spreadsheet that contains the mapping between the CSA CCM and Microsoft Security Baselines

Generate the Gap Analysis Report.

Please note the scope of the work is only the Analysis,

not the remediation.

Thanks,

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-10-09T16:39:33.34+00:00

@Raju Golla
I apologize for the delayed response!

I'll take a look into this and update you on this as soon as possible.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Raju Golla 41 Reputation points

2020-10-09T17:44:22.3+00:00

Thanks James.
Your help and insight appreciated.

I look forward to your prompt response.
It would be really helpful to go through a strategy doc for the Azure Security Assessment as well.

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-10-09T19:05:46.957+00:00

@Raju Golla
Thank you for the quick response!

I've reached out to our engineering team on this issue and will update you with their responses as soon as possible. If this an urgent issue and you'd like to work with our support engineers to get this issue looked at more closely, please feel free to email me with the information below, this way I can enable your subscription for a one-time free technical support request.

Email: AzCommunity@microsoft.com
Subject: ATTN - James Tran
Body:
Azure Subscription ID
Link to this issue

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Sign in to comment