Introduction
The following text is translated and optimized in English:
In the last blog post, the topic of Azure Compliance was discussed. Part of Azure Compliance can be addressed with the Azure Security Benchmark (ASB).
This blog post aims to introduce you to the Azure Security Benchmark (ASB) framework, so you can get an overview to determine if it’s suitable for your Azure tenant or not.
What is the Azure Security Benchmark?
The Azure Security Benchmark (ASB) is a set of security best practices and recommendations provided by Microsoft to help organizations improve their security posture in Azure. This benchmark belongs to a comprehensive set of security guidelines that also encompasses:
- Cloud Adoption Framework
- Azure Well-Architected Framework
- Microsoft Security Best Practices
- Microsoft Cybersecurity Reference Architectures (MCRA)
The Azure Security Benchmark strongly focuses on cloud-centric controls as seen in well-known benchmarks such as CIS, NIST, or PCI-DSS.
Azure Security Benchmark v3
ASB v3 was released in August 2021, so it can be assumed that it is a very robust framework that does not receive a new version every day. The following new features are included in ASB v3:
- Mapping to PCI-DSS v3.2.1 and CIS Controls v8
- Adding new control(s), eg.g., DevOps Security
- Control guidance more granular and actionable
Controls
The Azure Security Benchmark v3 includes the following controls:
- Asset Management
- Backup and Recovery
- Data Protection
- DevOps Security
- Endpoint Security
- Governance and Strategy
- Identity Management
- Incident Response
- Logging and Threat Detection
- Network security
- Posture and Vulnerability Management
- Privileged Access
Recommendations
Every recommendation encompasses the following details:
- ASB ID
This is the unique identifier for the Azure Security Benchmark recommendation. - CIS Controls v8 ID(s)
These are the corresponding control(s) from CIS Controls v8 for the recommendation. - CIS Controls v7.1 ID(s)
These are the corresponding control(s) from CIS Controls v7.1 for the recommendation. - PCI-DSS v3.2.1 ID(s)
These are the corresponding control(s) from PCI-DSS v3.2.1 for the recommendation. - NIST SP 800-53 r4 ID(s)
These are the corresponding control(s) from NIST SP 800-53 r4 (Moderate and High) for the recommendation. - Security Principle
This explains the “what” of the recommendation, detailing the control at a technology-agnostic level. - Azure Guidance
This explains the “how” of the recommendation, detailing the Azure technical features and basic implementation. - Implementation and Additional Context
This provides the implementation details and other relevant context, linking to Azure service offering documentation articles. - Customer Security Stakeholders
These are the security roles at the customer’s organization who may be accountable, responsible, or consulted for the respective control. This may vary from organization to organization based on your company’s security structure, and the roles and responsibilities you establish related to Azure security.
Download
The Azure Security Benchmark is available for download in spreadsheet format. ASB v3 spreadsheet
Outlook
In the next blog post, we will delve into a more technical discussion with a CIS tool that assists you with Azure compliance. The last two blog posts were very informative, so it’s time for a hands-on session including a practical example.
Source: ASB v3 – Microsoft Learn