Today we are pleased to announce the Azure Security Benchmark v2. To accelerate the security of your cloud adoption journey, Microsoft has developed the Azure Security Benchmark (ASB). The benchmark is designed to provide clarity on security best practices and controls for configuring and operating Azure and Azure Services.
ASB v2 builds on the work of ASBv1 and includes these updates:
- Mapping of NIST SP 800-53 controls (in addition to existing CIS control framework v7.1)
- Mapping of security stakeholders to benchmark recommendations
- Expansion and restructure of controls to make them clear and actionable
- Integration of Azure Security Compass guidance
Vision for Azure security guidance
We have learned that securing Azure means different things to different roles in the organization, so we have built a system of integrated security guidance. Each piece is aligned with the others to simplify your security journey:
- Microsoft Security Best Practices – Recommendations for securing all assets in your enterprise, typically integrated into security architectures and strategies.
- Azure Well-Architected Framework – Guidance for workload owners to architect workloads that meet goals for security, performance, cost, and more.
- Cloud Adoption Framework (CAF) – Guidance for cloud adoption initiatives to plan and execute on a strategy that meets organizational goals for security, cost management, reliability, and more (includes Enterprise Scale Landing Zone reference implementation and automation)
- Azure Security Benchmark – Prescriptive best practices and controls to guide all roles in the security organization on securing Azure and Azure Services
Over the last few months, the teams working on ASB, the Enterprise Scale Landing Zone in CAF, Azure Security Compass, the Azure Security Top 10 Best Practices, and Microsoft Security Best Practices have been consolidating and aligning all of this guidance so that you can secure your Azure resources more simply and rapidly.
As with all our guidance, we would love to hear your feedback on how this is working for you and how we can improve it. You can reach us by email.
What’s new in ASB v2?
In addition to mapping and aligning all the guidance together, the team focused on these improvements in ASBv2:
- Mapped to NIST SP 800-53 controls: NIST SP 800-53 is one of the most widely used control frameworks in the industry, so we updated the ASB controls to map to the NIST controls. You can now use ASB to meet the NIST requirements in Azure and monitor those requirements in the Azure Security Center Regulatory Compliance dashboard. The benchmark and its mapping to NIST controls are also available in Excel format for easy consumption.
- Identified security stakeholders: We added security stakeholders to each recommendation to help you bring in the right people in your organization to plan, approve, or implement it. The stakeholders are identified by the role and responsibility definitions from the CAF.
- Updated and restructured the security controls to provide more clarity: We made changes to the Azure security controls to make them more actionable and effective. A few examples are:
  - Updated the controls to provide clear guidance on security outcomes rather than just technical configurations.
  - Created a Governance and Strategy control to guide your strategic planning and governance strategy for security.
  - Updated the Logging and Threat Detection control to focus more on the outcome of threat detection rather than just the collection of logs.
  - Added Privileged Access as a separate control to provide clear recommendations on the critically important discipline of protecting privileged accounts (which can have an outsized business impact if compromised).
  - Added the Posture and Vulnerability Management control to provide clear guidance on how to monitor and improve your cloud security posture.
  - Identified a number of opportunities to modernize legacy security approaches with modern cloud approaches in Network Security, Endpoint Security, Logging and Threat Detection, and more.
  - Updated and added controls to ensure a full lifecycle view for all controls, including Data Protection, Asset Management, Identity Management, and Backup and Recovery.
What’s coming next?
Here is a brief overview of upcoming features:
- Monitoring of ASB v2 recommendations: Today, you can use the Azure Security Center Regulatory Compliance Dashboard to monitor the status of your live Azure environment against all the Azure Security Benchmark controls. In the coming weeks, Security Center will be fully integrated with ASB v2, automatically monitoring your environment with policies that implement the complete ASB v2 control set by default.
- Implementing the Benchmark recommendations: In the coming weeks, we will publish the ASB v2 blueprint, which will help you implement and enforce the benchmark requirements. Today you can get a head start by using the Enterprise Scale Landing Zone to implement the Benchmark recommendations.
- Security baselines based on ASB v2: So far, we have published security baselines for 50 Azure services based on ASB v1. These baselines provide service-specific guidance on how to meet the Benchmark requirements for a given service, and Azure customers use them today as part of their cloud service assessment process. In the coming months, we will update these baselines and add more service baselines based on the ASB v2 recommendations.
- Next control framework mapping: After the CIS v7.1 and NIST SP 800-53 control mappings, we are working on adding a mapping to the PCI DSS control requirements in the coming months. This will help you meet PCI DSS requirements using the Azure Security Benchmark.
Call to Action
You can get started now by planning and implementing the Azure Security Benchmark v2, automating deployment with the Landing Zone, and monitoring status using the Azure Security Center Regulatory Compliance Dashboard.
We want to thank the multiple teams within Microsoft, contributors from the Azure community, and NIST for their help with the ASB v2 effort!
If you would like to participate in improving the benchmark or provide feedback, please send us an email. We would love to hear your success stories and your feedback on how to make it better!