Overview of Azure security controls (v2)

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure.

This benchmark is part of a set of holistic security guidance that also includes:

The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls Version 7.1 and National Institute of Standards and Technology (NIST) SP 800-53. The following controls are included in the Azure Security Benchmark:

| ASB Control Domain | Description |
| --- | --- |
| Network security (NS) | Network Security covers controls to secure and protect Azure networks, including securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS. |
| Identity Management (IM) | Identity Management covers controls to establish secure identity and access controls using Azure Active Directory, including the use of single sign-on, strong authentication, managed identities (and service principals) for applications, conditional access, and account anomaly monitoring. |
| Privileged Access (PA) | Privileged Access covers controls to protect privileged access to your Azure tenant and resources, including a range of controls to protect your administrative model, administrative accounts, and privileged access workstations against deliberate and inadvertent risk. |
| Data Protection (DP) | Data Protection covers controls for protecting data at rest, in transit, and via authorized access mechanisms, including discovering, classifying, protecting, and monitoring sensitive data assets using access control, encryption, and logging in Azure. |
| Asset Management (AM) | Asset Management covers controls to ensure security visibility and governance over Azure resources, including recommendations on permissions for security personnel, security access to the asset inventory, and managing approvals for services and resources (inventory, track, and correct). |
| Logging and Threat Detection (LT) | Logging and Threat Detection covers controls for detecting threats on Azure and for enabling, collecting, and storing audit logs for Azure services, including enabling detection, investigation, and remediation processes with controls to generate high-quality alerts using native threat detection in Azure services; it also includes collecting logs with Azure Monitor, centralizing security analysis with Azure Sentinel, time synchronization, and log retention. |
| Incident Response (IR) | Incident Response covers controls across the incident response life cycle (preparation, detection and analysis, containment, and post-incident activities), including using Azure services such as Azure Security Center and Azure Sentinel to automate the incident response process. |
| Posture and Vulnerability Management (PV) | Posture and Vulnerability Management focuses on controls for assessing and improving Azure security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction for Azure resources. |
| Endpoint Security (ES) | Endpoint Security covers controls for endpoint detection and response, including the use of endpoint detection and response (EDR) and anti-malware services for endpoints in Azure environments. |
| Backup and Recovery (BR) | Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected. |
| Governance and Strategy (GS) | Governance and Strategy provides guidance for ensuring a coherent security strategy and a documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, a unified technical strategy, and supporting policies and standards. |

Azure Security Benchmark Recommendations

Each recommendation includes the following information:

  • Azure ID: The Azure Security Benchmark ID that corresponds to the recommendation.
  • CIS Controls v7.1 ID(s): The CIS Controls v7.1 control(s) that correspond to this recommendation.
  • NIST SP 800-53 r4 ID(s): The NIST SP 800-53 r4 (moderate) control(s) that correspond to this recommendation.
  • Details: The rationale for the recommendation and links to guidance on how to implement it. If the recommendation is supported by Azure Security Center, that information will also be listed.
  • Responsibility: Whether the customer, the service provider, or both are responsible for implementing this recommendation. Security responsibilities are shared in the public cloud. Some security controls are only available to the cloud service provider, and therefore the provider is responsible for addressing those. These are general observations; for some individual services, the responsibility will differ from what is listed in the Azure Security Benchmark. Those differences are described in the baseline recommendations for the individual service.
  • Customer Security Stakeholders: The security functions at the customer organization that may be accountable, responsible, or consulted for the respective control. These may differ from organization to organization depending on your company's security organization structure and the roles and responsibilities you set up for Azure security.

Note

The control mappings between ASB and industry benchmarks (such as NIST and CIS) indicate only that a specific Azure feature can be used to fully or partially address a control requirement defined in NIST or CIS. Be aware that implementing the mapped feature does not necessarily achieve full compliance with the corresponding control in CIS or NIST.

We welcome your detailed feedback and active participation in the Azure Security Benchmark effort. If you would like to provide the Azure Security Benchmark team direct input, fill out the form at https://aka.ms/AzSecBenchmark.

Download

You can download the Azure Security Benchmark in spreadsheet format.

Next steps