Security Control V2: Posture and Vulnerability Management

Posture and Vulnerability Management focuses on controls for assessing and improving Azure security posture. This includes vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in Azure resources.

PV-1: Establish secure configurations for Azure services

Azure ID CIS Controls v7.1 ID(s) NIST SP800-53 r4 ID(s)
PV-1 5.1 CM-2, CM-6

Define security guardrails for infrastructure and DevOps teams by making it easy to securely configure the Azure services they use.

Start your security configuration of Azure services with the service baselines in the Azure Security Benchmark and customize as needed for your organization.

Use Azure Security Center to configure Azure Policy to audit and enforce configurations of your Azure resources.

You can use Azure Blueprints to automate deployment and configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PV-2: Sustain secure configurations for Azure services

Azure ID CIS Controls v7.1 ID(s) NIST SP800-53 r4 ID(s)
PV-2 5.2 CM-2, CM-6

Use Azure Security Center to monitor your configuration baseline and use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure compute resources, including VMs, containers, and others.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PV-3: Establish secure configurations for compute resources

Azure ID CIS Controls v7.1 ID(s) NIST SP800-53 r4 ID(s)
PV-3 5.1 CM-2, CM-6

Use Azure Security Center and Azure Policy to establish secure configurations on all compute resources, including VMs, containers, and others. Additionally, you can use custom operating system images or Azure Automation State configuration to establish the security configuration of the operating system required by your organization.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PV-4: Sustain secure configurations for compute resources

Azure ID CIS Controls v7.1 ID(s) NIST SP800-53 r4 ID(s)
PV-4 5.2 CM-2, CM-6

Use Azure Security Center and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements.

Also, note that Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.

Azure Security Center can also scan vulnerabilities in container images and perform continuous monitoring of your Docker configuration in containers, based on the CIS Docker Benchmark. You can use the Azure Security Center recommendations page to view recommendations and remediate issues.

Responsibility: Shared

Customer Security Stakeholders (Learn more):

PV-5: Securely store custom operating system and container images

Azure ID CIS Controls v7.1 ID(s) NIST SP800-53 r4 ID(s)
PV-5 5.3 CM-2, CM-6

Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. Use an Azure Shared Image Gallery you can share your images to different users, service principals, or AD groups within your organization. Store container images in Azure Container Registry and use Azure RBAC to ensure that only authorized users have access.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PV-6: Perform software vulnerability assessments

Azure ID CIS Controls v7.1 ID(s) NIST SP800-53 r4 ID(s)
PV-6 3.1, 3.2, 3.3, 3.6 CA-2, RA-5

Follow recommendations from Azure Security Center for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Azure Security Center has a built-in vulnerability scanner for virtual machine scan.

Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you can pivot into the selected scan solution's portal to view historical scan data.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PV-7: Rapidly and automatically remediate software vulnerabilities

Azure ID CIS Controls v7.1 ID(s) NIST SP800-53 r4 ID(s)
PV-7 3.7 CA-2, RA-5, SI-2

Rapidly deploy software updates to remediate software vulnerabilities in operating systems and applications. Use a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment, taking into account which applications present a high security risk and which ones require high uptime.

Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.

For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PV-8: Conduct regular attack simulation

Azure ID CIS Controls v7.1 ID(s) NIST SP800-53 r4 ID(s)
PV-8 20 CA-8, CA-2, RA-5

As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Shared

Customer Security Stakeholders (Learn more):