Azure Security Benchmark introduction
New services and features are released daily in Azure, developers are rapidly publishing new cloud applications built on these services, and attackers are always seeking new ways to exploit misconfigured resources. The cloud moves fast, developers move fast, and attackers are always on the move. How do you keep up and make sure that your cloud deployments are secure? How are security practices for cloud systems different from on-premises systems? How do you monitor for consistency across many independent development teams?
Microsoft has found that using security benchmarks can help you quickly secure cloud deployments. Benchmark recommendations from your cloud service provider give you a starting point for selecting specific security configuration settings in your environment and allow you to quickly reduce risk to your organization.
The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure:
- Security controls: These recommendations are generally applicable across your Azure tenant and Azure services. Each recommendation identifies a list of stakeholders that are typically involved in planning, approval, or implementation of the benchmark.
- Service baselines: These apply the controls to individual Azure services to provide recommendations on that service’s security configuration.
Implement the Azure Security Benchmark
- Plan your Azure Security Benchmark implementation by reviewing the documentation for the enterprise controls and service-specific baselines to plan your control framework and how it maps to guidance like Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and the Payment Card Industry Data Security Standard (PCI-DSS) framework.
- Monitor your compliance with Azure Security Benchmark status (and other control sets) using the Microsoft Defender for Cloud regulatory compliance dashboard.
- Establish guardrails to automate secure configurations and enforce compliance with Azure Security Benchmark (and other requirements in your organization) with Azure Blueprints and Azure Policy.
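The plan, monitor, and guardrail steps above, as an added Azure PowerShell example that is not part of the original page or the Azure Security Benchmark documentation: it assigns the built-in Azure Security Benchmark initiative with Azure Policy at subscription scope, requests an evaluation, and lists the non-compliant resources that the Defender for Cloud compliance dashboard also reports. The assignment name `asb-baseline`, the display-name lookup, and the modules and permissions named in the comments are assumptions of this example, not values from the page.

```powershell
# Added example, not from the Azure Security Benchmark docs. Assumes the Az.Accounts,
# Az.Resources and Az.PolicyInsights modules are installed, Connect-AzAccount has been
# run, and the caller holds Resource Policy Contributor on the target subscription.
param(
    [string] $SubscriptionId = (Get-AzContext).Subscription.Id,
    # The built-in initiative's display name; it has changed between benchmark
    # versions, so verify it with: Get-AzPolicySetDefinition -Builtin
    [string] $InitiativeDisplayName = 'Azure Security Benchmark'
)

$scope = "/subscriptions/$SubscriptionId"

# Locate the built-in initiative (policy set definition). Older Az.Resources versions
# expose DisplayName under .Properties, newer ones at the top level; accept either.
$initiative = Get-AzPolicySetDefinition -Builtin | Where-Object {
    $_.DisplayName -eq $InitiativeDisplayName -or
    $_.Properties.DisplayName -eq $InitiativeDisplayName
}
if (-not $initiative) {
    throw "Built-in initiative '$InitiativeDisplayName' not found in this tenant."
}

# Assign the initiative at subscription scope. Its policies mostly use audit effects,
# so the assignment records compliance for the dashboard rather than blocking
# deployments; tighten individual policies to Deny as your control framework requires.
$assignment = New-AzPolicyAssignment -Name 'asb-baseline' `
    -DisplayName 'Azure Security Benchmark baseline' `
    -Scope $scope `
    -PolicySetDefinition $initiative

# Request an on-demand evaluation instead of waiting for the periodic scan.
Start-AzPolicyComplianceScan -AsJob | Out-Null

# Summarise non-compliant resources for this assignment, grouped by the policy
# that flagged them, so the highest-volume gaps are prioritised first.
Get-AzPolicyState -SubscriptionId $SubscriptionId `
    -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Group-Object PolicyDefinitionName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The on-demand scan runs asynchronously, so re-run the final query a few minutes later if the first summary is empty.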
Common Use Cases
Azure Security Benchmark is frequently used to address these common challenges for customers or service partners who are:
- New to Azure and looking for security best practices to ensure a secure deployment of Azure services and their own application workloads.
- Looking to improve security posture of existing Azure deployments to prioritize top risks and mitigations.
- Evaluating the security features and capabilities of Azure services before onboarding or approving a service into the cloud service catalog.
- Needing to meet compliance requirements in highly regulated industries like government, finance, and healthcare. These customers need to ensure that their Azure service configurations meet the security specifications defined in frameworks such as CIS, NIST, or PCI. Azure Security Benchmark provides an efficient approach because its controls are already pre-mapped to these industry benchmarks.
The terms "benchmark", "control", and "baseline" are used often in the Azure Security Benchmark documentation and it's important to understand how Azure Security Benchmark uses those terms.
| Term | Description | Example |
|---|---|---|
| Control | A control is a high-level description of a feature or activity that needs to be addressed and is not specific to a technology or implementation. | Data Protection is one of the security control families. Data Protection contains specific actions that must be addressed to help ensure data is protected. |
| Baseline | A baseline is the implementation of the control on an individual Azure service. Each organization decides which benchmark recommendations and corresponding configurations are needed in its Azure implementation scope. | Contoso enables Azure SQL security features by following the configuration recommended in the Azure SQL security baseline. |
We welcome your feedback on the Azure Security Benchmark! We encourage you to provide comments in the feedback area below. If you prefer to share your input more privately with the Azure Security Benchmark team, you are welcome to fill out the form at https://aka.ms/AzSecBenchmark