Service enablement framework

As business units request to deploy workloads to Azure, you need visibility into each workload to determine how to achieve the right governance, security, and compliance levels. When a workload requires an Azure service that is not yet approved, you need a repeatable way to assess and allow it.

The following tables provide a framework to assess the enterprise security readiness of Azure services.

Security

| Category | Criteria |
|---|---|
| Network endpoint | - Does the service have a public endpoint accessible outside of a virtual network?<br>- Does it support virtual network service endpoints?<br>- Can Azure services interact directly with the service endpoint?<br>- Does it support Azure Private Link endpoints?<br>- Can it be deployed within a virtual network? |
| Data exfiltration prevention | - Does the Platform-as-a-Service (PaaS) service have a separate Border Gateway Protocol (BGP) community in Azure ExpressRoute Microsoft peering?<br>- Does ExpressRoute expose a route filter for the service?<br>- Does the service support Private Link endpoints? |
| Enforce network traffic flow for management and data plane operations | - Is it possible to inspect traffic entering and exiting the service?<br>- Can traffic be force-tunneled with user-defined routing?<br>- Do management operations use Azure shared public IP ranges?<br>- Is management traffic directed via a link-local endpoint exposed on the host? |
| Data encryption at rest | - Is encryption applied by default?<br>- Can encryption be disabled?<br>- Is encryption done with Microsoft-managed keys or customer-managed keys? |
| Data encryption in transit | - Is traffic to the service encrypted at a protocol level, like SSL/TLS?<br>- Are there any HTTP endpoints, and can they be disabled?<br>- Is the underlying service communication encrypted?<br>- Is encryption done with Microsoft-managed keys or customer-managed keys? Is bringing your own encryption supported? |
| Software deployment | - Can application software or third-party products be deployed to the service?<br>- How is software deployment done and managed?<br>- Can policies be enforced to control source code integrity?<br>- Can antimalware capability, vulnerability management, and security monitoring tools be used if the software is deployable?<br>- Does the service provide such capabilities natively, such as with Azure Kubernetes Service (AKS)? |

Identity and access management

| Category | Criteria |
|---|---|
| Authentication and access control | - Are all control plane operations governed by Microsoft Entra ID? Is there a nested control plane, such as with AKS?<br>- What methods exist to provide access to the data plane?<br>- Does the data plane integrate with Microsoft Entra ID?<br>- Does authentication between Azure services use managed identities or service principals?<br>- How are any applicable keys or shared access signatures managed?<br>- How can access be revoked? |
| Segregation of duties | Does the service separate control plane and data plane operations within Microsoft Entra ID? |
| Multifactor authentication and conditional access | Is multifactor authentication enforced for user-to-service interactions? |
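The Security and Identity and access management criteria above are written as questions to answer during service review; once a service is approved, the same criteria can be checked against what was actually deployed. The following is an added example for this page, not Microsoft's code: it reads a storage account definition in the shape returned by `az resource show` and reports which network endpoint, encryption at rest, encryption in transit, and data-plane authentication criteria the configuration fails. The property names (`publicNetworkAccess`, `networkAcls.defaultAction`, `privateEndpointConnections`, `supportsHttpsTrafficOnly`, `minimumTlsVersion`, `encryption.keySource`, `allowSharedKeyAccess`) are the Storage resource provider's own; the sample resource, the severity ratings, and the finding text are this example's constructions.

```python
"""Check an exported Azure storage account definition against the Network
endpoint, Data encryption and Authentication criteria of the service
enablement framework.

Added example for this page, not Microsoft's code. SAMPLE_RESOURCE_JSON is a
constructed definition in the shape returned by `az resource show`; the
severities below are this example's own choices.
"""
import json

# Constructed sample: a storage account configured the way the framework's
# questions are meant to catch (public endpoint, HTTP allowed, platform keys,
# shared-key data-plane access).
SAMPLE_RESOURCE_JSON = """
{
  "type": "Microsoft.Storage/storageAccounts",
  "name": "stexample001",
  "properties": {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": []},
    "privateEndpointConnections": [],
    "supportsHttpsTrafficOnly": false,
    "minimumTlsVersion": "TLS1_0",
    "encryption": {"keySource": "Microsoft.Storage"},
    "allowSharedKeyAccess": true
  }
}
"""


def _get(obj, path, default=None):
    """Walk a dotted path through nested dicts, returning default if absent."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def assess_storage_account(resource):
    """Return a list of (category, severity, finding) tuples for one
    Microsoft.Storage/storageAccounts resource dict.

    Missing properties are treated as 'not configured', so an incomplete
    export produces findings rather than silent passes.
    """
    if resource.get("type") != "Microsoft.Storage/storageAccounts":
        raise ValueError("only Microsoft.Storage/storageAccounts is handled")
    p = resource.get("properties", {})
    findings = []

    # Network endpoint: is a public endpoint reachable outside a virtual
    # network, and if so, is it at least limited to Private Link or
    # virtual network service endpoints?
    if _get(p, "publicNetworkAccess") != "Disabled":
        if _get(p, "networkAcls.defaultAction") != "Deny":
            findings.append(("Network endpoint", "high",
                             "public endpoint enabled and network ACL default action is not Deny"))
        if not _get(p, "privateEndpointConnections") and not _get(p, "networkAcls.virtualNetworkRules"):
            findings.append(("Network endpoint", "medium",
                             "no Private Link endpoint and no virtual network service endpoint rules"))

    # Data encryption in transit: HTTP endpoints and the minimum TLS version.
    if _get(p, "supportsHttpsTrafficOnly") is not True:
        findings.append(("Data encryption in transit", "high",
                         "plain HTTP access to the data plane is allowed"))
    tls = _get(p, "minimumTlsVersion", "not set")
    if tls != "TLS1_2":
        findings.append(("Data encryption in transit", "medium",
                         f"minimum TLS version is {tls}, not TLS1_2"))

    # Data encryption at rest: Microsoft-managed versus customer-managed keys.
    if _get(p, "encryption.keySource") != "Microsoft.Keyvault":
        findings.append(("Data encryption at rest", "info",
                         "Microsoft-managed keys in use, not customer-managed keys"))

    # Authentication and access control: shared access keys on the data plane
    # bypass Microsoft Entra ID, so record when they are still enabled.
    if _get(p, "allowSharedKeyAccess") is not False:
        findings.append(("Authentication and access control", "medium",
                         "shared key access to the data plane is enabled"))
    return findings


def assess_json(text):
    """Parse an exported resource JSON string and assess it."""
    return assess_storage_account(json.loads(text))


def highest_severity(findings):
    """Collapse findings to one rating for a go/no-go decision."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((f[1] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    results = assess_json(SAMPLE_RESOURCE_JSON)
    for category, severity, text in results:
        print(f"[{severity:6}] {category}: {text}")
    print("overall:", highest_severity(results))
```

Run against the constructed sample, the script reports six findings and an overall rating of `high`; against an account with `publicNetworkAccess` set to `Disabled`, HTTPS-only traffic, TLS 1.2, a Key Vault key source and shared key access turned off it reports none. The same pattern extends to other resource types by adding a per-type assessment function keyed on the exported `type` field.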

Governance

| Category | Criteria |
|---|---|
| Data export and import | Can you import and export data securely and encrypted with the service? |
| Data privacy and usage | - Can Microsoft engineers access the data?<br>- Is any Microsoft Support interaction with the service audited? |
| Data residency | Is data contained in the service deployment region? |

Operations

| Category | Criteria |
|---|---|
| Monitoring | Does the service integrate with Azure Monitor? |
| Backup management | - Which workload data needs to be backed up?<br>- How are backups captured?<br>- How frequently can backups be taken?<br>- How long can backups be retained?<br>- Are backups encrypted?<br>- Is backup encryption done with Microsoft-managed keys or customer-managed keys? |
| Disaster recovery | - How can the service be used in a regionally redundant fashion?<br>- What are the achievable recovery time and recovery point objectives? |
| SKU | - What SKUs are available? How do they differ?<br>- Are there any security-related features only in the Premium SKU? |
| Capacity management | - How is capacity monitored?<br>- What is the unit of horizontal scale? |
| Patch and update management | - Does the service require active updating, or do updates happen automatically?<br>- How frequently are updates applied? Can they be automated? |
| Audit | - Are nested control plane operations (for example, in AKS or Azure Databricks) captured?<br>- Are key data plane activities recorded? |
| Configuration management | Does it support tags and provide a PUT schema for all resources? |

Azure service compliance

| Category | Criteria |
|---|---|
| Service attestation, certification, and external audits | Is the service PCI/ISO/SOC compliant? |
| Service availability | - Is the service generally available?<br>- In what regions is the service available?<br>- What is the deployment scope of the service? Is it a regional or global service? |
| Service-level agreements (SLAs) | - What is the SLA for service availability?<br>- If applicable, what is the SLA for performance? |