Monday, January 3, 2022

Understanding the Azure Security Benchmark

Security in IT can keep people awake at nights. There are many new services and features introduced to Azure every year. It is not easy to keep a track of everything as an administrator or even as a team. Sudden exploits at any level can cost organisations valuable money and thereafter their credibility. So how can we make sure our services on cloud are secure as best it can get? 

This is answered with Azure Security Benchmark.

There are three main guidelines provide security standards. 

  1. Center of Internet Security (CIS)
  2. National Institute of Standards and Technology (NIST)
  3. Payment Card Industry Data Security Standards (PCI - DSS)

Azure Security Benchmark assigns relevant combinations in each guidelines to 12 different control areas.

  1. Network Security (NS)
  2. Identity Management (IM)
  3. Privileged Access (PA)
  4. Data Protection (DP)
  5. Asset Management (AM)
  6. Logging and Threat Detection (LT)
  7. Incident Response (IR)
  8. Posture and Vulnerability Management (PV)
  9. Endpoint Security (ES)
  10. Backup and Recovery (BR)
  11. DevOps Security (DS)
  12. Governance and Strategy (GS)

Inside each control area, there is a list of recommendations with each having a Benchmark ID and more information as shown in the image below. Source:

Then each service is mapped to the necessary recommendations applicable to each control. 

Eg: Cosmos DB can be implemented with following Network Security recommendations.  
NS-1, NS-2, NS-3, NS-4, NS-6, NS-7
The there are following Identity Management recommendations.
IM-1, IM-2, IM-3, IM-7
Likewise, other category recommendations are available based on the service. 
There are some categories which do not have recommendations related to Cosmos DB such as DevOps Security(DS), Governance and Strategy (GS) and etc..

However, these are only to guide you towards compliance as Microsoft specially mentions by adopting this you do not become compliant. 

So how shall we start? Pick the list of resources you have, go one by one and see what are missing. Then plan how you can make them fit into the guidelines. Easy as that.

1 comment: