1 |
1 |
AM-1 |
Asset Management |
Customer |
Ensure security team has visibility into risks for assets |
Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.
Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.
Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.
Note: Additional permissions might be required to get visibility into workloads and services.
Overview of Security Reader Role: https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#security-reader
Overview of Azure Management Groups: https://docs.microsoft.com/azure/governance/management-groups/overview |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-secur |
2 |
2 |
AM-2 |
Asset Management |
Customer |
Ensure security team has access to asset inventory and metadata |
Ensure that security teams have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvement.
The Azure Security Center inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources.
Logically organize assets according to your organization’s taxonomy using Tags as well as other metadata in Azure (Name, Description, and Category).
How to create queries with Azure Resource Graph Explorer: https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal
Azure Security Center asset inventory management: https://docs.microsoft.com/azure/security-center/asset-inventory
For more information about tagging assets, see the resource naming and tagging decision guide: https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-secur |
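The two controls above (AM-1, AM-2) in working form, as an added example that is not part of the benchmark text: grant a security group the Security Reader role at the tenant root management group so it inherits down to every subscription, then pull a tagged asset inventory with Azure Resource Graph and surface the assets the security team cannot map to an owner or data classification. It assumes the Az.Accounts, Az.Resources and Az.ResourceGraph modules, an account allowed to create role assignments at the root management group, and placeholder names for the group (`sec-central-readers`) and the taxonomy tags (`Owner`, `DataClass`).

```powershell
# Added example (not part of the benchmark): AM-1 role assignment at the root
# management group, then AM-2 tagged inventory via Azure Resource Graph.
# Assumes Az.Accounts, Az.Resources, Az.ResourceGraph. Group and tag names
# are placeholders for your own taxonomy.

Connect-AzAccount | Out-Null

# The root management group's ID equals the tenant ID; its scope string is fixed.
$tenantId  = (Get-AzContext).Tenant.Id
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantId"

# AM-1: Security Reader for the central security team. Assignments at the root
# are inherited by every management group and subscription beneath it.
$secGroup = Get-AzADGroup -DisplayName 'sec-central-readers'   # placeholder name
$existing = Get-AzRoleAssignment -ObjectId $secGroup.Id -Scope $rootScope |
            Where-Object RoleDefinitionName -eq 'Security Reader'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $secGroup.Id `
                         -RoleDefinitionName 'Security Reader' `
                         -Scope $rootScope | Out-Null
}

# AM-2: inventory across the subscriptions in the current context, projecting
# the taxonomy tags the organization requires (placeholders: Owner, DataClass).
$query = @'
resources
| extend owner     = tostring(tags['Owner']),
         dataClass = tostring(tags['DataClass'])
| project subscriptionId, resourceGroup, name, type, location, owner, dataClass
| order by subscriptionId asc, type asc
'@
$inventory = Search-AzGraph -Query $query -First 1000   # page with -Skip beyond 1000

# Untagged assets are the ones nobody can answer for during an incident;
# surface them first.
$untagged = $inventory | Where-Object { -not $_.owner -or -not $_.dataClass }
'{0} resources, {1} missing Owner/DataClass tags' -f @($inventory).Count, @($untagged).Count
$untagged | Format-Table subscriptionId, resourceGroup, name, type -AutoSize
```

Search-AzGraph returns at most 1000 rows per call; for larger estates loop with -Skip, or scope the query with -Subscription or -ManagementGroup. The role assignment is idempotent because it checks for an existing Security Reader assignment before creating one.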
3 |
3 |
AM-3 |
Asset Management |
Customer |
Use only approved Azure services |
Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules that trigger alerts when a non-approved service is detected. Note that a policy with the deny effect blocks new deployments only; non-approved resources that already exist are reported as non-compliant and must be found and remediated separately.
Configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
How to deny a specific resource type with Azure Policy: https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types
How to create queries with Azure Resource Graph Explorer: https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal |
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-manageme |
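An allow-list implementation of AM-3, as an added example that is not part of the benchmark (the benchmark's linked sample is the inverse, a deny-list of specific types): a custom policy definition with the deny effect is created and assigned at a management group, then Azure Resource Graph is queried for resources that already exist outside the approved list, since deny does not touch those. It assumes Az.Resources and Az.ResourceGraph; the management group name, policy name and approved types are placeholders.

```powershell
# Added example (not benchmark text): AM-3 approved-services allow-list policy
# with deny effect, plus a Resource Graph query for pre-existing violations.
# Assumes Az.Resources and Az.ResourceGraph. Names and the list are placeholders.

$mgName  = 'corp-prod'
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"

# Approved resource types (namespace/type; policy compares case-insensitively).
$approved = @(
    'Microsoft.Compute/virtualMachines',
    'Microsoft.Compute/disks',
    'Microsoft.Network/virtualNetworks',
    'Microsoft.Network/networkSecurityGroups',
    'Microsoft.Storage/storageAccounts',
    'Microsoft.KeyVault/vaults'
)

# Rule: deny anything whose type is not in the parameter list.
$rule = @'
{
  "if": {
    "not": {
      "field": "type",
      "in": "[parameters('approvedResourceTypes')]"
    }
  },
  "then": { "effect": "deny" }
}
'@
$params = @'
{
  "approvedResourceTypes": {
    "type": "Array",
    "metadata": {
      "displayName": "Approved resource types",
      "description": "Resource types that may be deployed in this scope"
    }
  }
}
'@

# Mode Indexed (not All): All would also evaluate resource groups and
# subscription-level types, and an allow-list in that mode blocks creating
# resource groups unless Microsoft.Resources/resourceGroups is listed.
$def = New-AzPolicyDefinition -Name 'approved-resource-types' `
        -DisplayName 'Only approved resource types may be deployed' `
        -Policy $rule -Parameter $params -Mode Indexed `
        -ManagementGroupName $mgName

# Assign at the management group; every subscription beneath inherits the deny.
New-AzPolicyAssignment -Name 'approved-resource-types' `
    -PolicyDefinition $def -Scope $mgScope `
    -PolicyParameterObject @{ approvedResourceTypes = $approved } | Out-Null

# Deny only stops new deployments. List what already exists outside the
# allow-list so it can be reviewed, exempted or removed.
$list  = ($approved | ForEach-Object { "'$_'" }) -join ','
$query = @"
resources
| where type !in~ ($list)
| project subscriptionId, resourceGroup, name, type
| order by type asc
"@
Search-AzGraph -Query $query -ManagementGroup $mgName -First 1000 |
    Format-Table subscriptionId, resourceGroup, name, type -AutoSize
```

Roll this out with the effect set to audit first and review the compliance results; switching to deny without that step tends to break pipelines that deploy a type nobody remembered to approve.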
4 |
4 |
AM-4 |
Asset Management |
Customer |
Ensure security of asset lifecycle management |
Establish or update security policies that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to: identity providers and access, data sensitivity, network configuration, and administrative privilege assignment.
Remove Azure resources when they are no longer needed.
Delete Azure resource group and resource: https://docs.microsoft.com/azure/azure-resource-manager/management/delete-resource-group |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture- |
5 |
5 |
AM-5 |
Asset Management |
Customer |
Limit users' ability to interact with Azure Resource Manager |
Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App.
How to configure Conditional Access to block access to Azure Resource Manager: https://docs.microsoft.com/azure/role-based-access-control/conditional-access-azure-management |
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructur |
6 |
6 |
AM-6 |
Asset Management |
Customer |
Use only approved applications in compute resources |
Ensure that only authorized software executes, and all unauthorized software is blocked from executing on Azure Virtual Machines.
Use Azure Security Center (ASC) adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace.
Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources.
You can also use a third-party solution to discover and identify unapproved software.
How to use Azure Security Center adaptive application controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application
Understand Azure Automation Change Tracking and Inventory: https://docs.microsoft.com/azure/automation/change-tracking
How to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture- |
7 |
7 |
BR-1 |
Backup and Recovery |
Customer |
Ensure regular automated backups |
Ensure you are backing up systems and data to maintain business continuity after an unexpected event. Backup frequency and retention should be driven by your Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
Enable Azure Backup and configure the backup source (e.g. Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period.
For a higher level of protection, you can enable the geo-redundant storage option to replicate backup data to a secondary region and recover using cross-region restore.
Enterprise-scale business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery
How to enable Azure Backup: https://docs.microsoft.com/azure/backup/
How to enable cross region restore: https://docs.microsoft.com/azure/backup/backup-azure-arm-restore-vms#cross-region-restore |
Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure |
8 |
8 |
BR-2 |
Backup and Recovery |
Customer |
Encrypt backup data |
Ensure your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality.
For on-premises backups using Azure Backup, encryption at rest is provided using the passphrase you supply. For regular Azure service backups, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backups using a customer-managed key. In that case, ensure the customer-managed key in the key vault is also in the backup scope; a backup whose key is gone cannot be decrypted and is effectively lost.
Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer managed keys. Additionally, you can enable advanced security features to require MFA before backups can be altered or deleted.
Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview
Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk
How to backup Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0
Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-e |
9 |
9 |
BR-3 |
Backup and Recovery |
Customer |
Validate all backups including customer-managed keys |
Periodically perform data restoration of your backup. Ensure that you can restore backed-up customer-managed keys.
How to recover files from Azure Virtual Machine backup: https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm
How to restore Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0 |
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-complianc |
10 |
10 |
BR-4 |
Backup and Recovery |
Customer |
Mitigate risk of lost keys |
Ensure you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.
How to enable soft delete and purge protection in Key Vault: https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Data |
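A restore drill for BR-3 together with the BR-4 vault hardening, as an added example that is not part of the benchmark: every key in a source vault is backed up, purge protection is enforced on both vaults, and each backup is restored into a separate drill vault where the current key version is checked against the source. It uses the current Az.KeyVault module rather than the retired AzureRM cmdlets linked above. Assumptions (all placeholders): the resource group and vault names; the drill vault already exists, in the same subscription and Azure geography as the source, which is the only place a Key Vault key backup can be restored; and it does not yet hold keys with the same names, because Restore-AzKeyVaultKey fails on a name collision.

```powershell
# Added example (not benchmark text): BR-3 key backup + restore drill and
# BR-4 soft delete / purge protection enforcement with Az.KeyVault.
# Placeholders: $rg, $source, $drill. Drill vault: same subscription and
# geography as source, no pre-existing keys with the same names.

$rg        = 'rg-security-kms'
$source    = 'kv-prod-cmk'
$drill     = 'kv-prod-cmk-drill'
$backupDir = Join-Path $env:TEMP "kv-backup-$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# BR-4: soft delete is on by default for new vaults; purge protection is not.
# Purge protection cannot be switched off once enabled, so a deleted key stays
# recoverable for the whole retention window even against a privileged attacker.
foreach ($vault in @($source, $drill)) {
    $v = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
    if (-not $v.EnablePurgeProtection) {
        Update-AzKeyVault -VaultName $vault -ResourceGroupName $rg -EnablePurgeProtection | Out-Null
        $v = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
    }
    '{0}: softDelete={1} purgeProtection={2} retentionDays={3}' -f `
        $vault, $v.EnableSoftDelete, $v.EnablePurgeProtection, $v.SoftDeleteRetentionInDays
}

# BR-3: back up every key. The backup blob is encrypted by the service and
# contains every version of the key, so handle the files as secrets.
$current = @{}   # key name -> current version in the source vault
foreach ($item in Get-AzKeyVaultKey -VaultName $source) {
    $key = Get-AzKeyVaultKey -VaultName $source -Name $item.Name
    $current[$key.Name] = $key.Version
    $file = Join-Path $backupDir "$($key.Name).keybackup"
    Backup-AzKeyVaultKey -VaultName $source -Name $key.Name -OutputFile $file -Force | Out-Null
}

# Restore drill: restore each backup into the drill vault; the current version
# must come back unchanged, because that is the key identifier a CMK-protected
# backup or storage account will ask for at recovery time.
$failed = @()
foreach ($name in $current.Keys) {
    $file = Join-Path $backupDir "$name.keybackup"
    Restore-AzKeyVaultKey -VaultName $drill -InputFile $file | Out-Null
    $restored = Get-AzKeyVaultKey -VaultName $drill -Name $name
    if ($restored.Version -ne $current[$name]) { $failed += $name }
}
if ($failed.Count -gt 0) { throw "Restore drill failed for: $($failed -join ', ')" }
"Restore drill passed for $($current.Count) key(s) into $drill"
```

Run the drill on a schedule and treat a failure as an incident: it means a customer-managed-key-protected backup could not be recovered today. Delete the drill vault's keys afterwards (they go to the soft-deleted state and are purged at the end of retention, since purge protection is on).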
11 |
11 |
DP-1 |
Data Protection |
Shared |
Discover, classify, and label sensitive data |
Discover, classify, and label your sensitive data so that you can design the appropriate controls to ensure sensitive information is stored, processed, and transmitted securely by the organization's technology systems.
Use Azure Information Protection (and its associated scanning tool) for sensitive information within Office documents on Azure, on-premises, on Office 365, and in other locations.
You can use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.
Tag sensitive information using Azure Information Protection: https://docs.microsoft.com/azure/information-protection/what-is-information-protection
How to implement Azure SQL Data Discovery: https://docs.microsoft.com/azure/sql-database/sql-database-data-discovery-and-classification |
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-securi |
12 |
12 |
DP-2 |
Data Protection |
Shared |
Protect sensitive data |
Protect sensitive data by restricting access using Azure Role Based Access Control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases).
To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.
For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.
Azure Role Based Access Control (RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview
Understand customer data protection in Azure: https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data |
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-securi |
13 |
13 |
DP-3 |
Data Protection |
Shared |
Monitor for unauthorized transfer of sensitive data |
Monitor for unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration.
Azure Storage Advanced Threat Protection (ATP) and Azure SQL ATP can alert on anomalous transfer of information that might indicate unauthorized transfers of sensitive information.
Azure Information Protection (AIP) provides monitoring capabilities for information that has been classified and labelled.
If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution to enforce detective and/or preventative controls against data exfiltration.
Enable Azure SQL ATP: https://docs.microsoft.com/azure/azure-sql/database/threat-detection-overview
Enable Azure Storage ATP: https://docs.microsoft.com/azure/storage/common/storage-advanced-threat-protection?tabs=azure-security-center |
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Infr |
14 |
14 |
DP-4 |
Data Protection |
Shared |
Encrypt sensitive information in transit |
To complement access controls, data in transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
While this is optional for traffic on private networks, it is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsolete SSL, TLS, and SSH versions and protocols, and weak ciphers, should be disabled.
By default, Azure provides encryption for data in transit between Azure data centers.
Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem
Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-e |
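One concrete way to enforce the TLS 1.2 floor from DP-4 on a service that exposes it as a setting, as an added example that is not part of the benchmark: a single Azure Resource Graph query finds storage accounts across the current subscriptions that still accept plain HTTP or TLS below 1.2, and each is then fixed with Set-AzStorageAccount. It assumes Az.Accounts, Az.Storage and Az.ResourceGraph; accepting TLS1_3 as compliant in the query assumes your account and module version expose that value.

```powershell
# Added example (not benchmark text): DP-4 transport floor for storage accounts.
# Detect with Resource Graph (one query across subscriptions), then remediate
# per account. Assumes Az.Accounts, Az.Storage, Az.ResourceGraph.

$query = @'
resources
| where type =~ 'microsoft.storage/storageaccounts'
| extend minTls    = tostring(properties.minimumTlsVersion),
         httpsOnly = tobool(properties.supportsHttpsTrafficOnly)
| where httpsOnly != true or minTls !in~ ('TLS1_2', 'TLS1_3')
| project subscriptionId, resourceGroup, name, minTls, httpsOnly
'@
# Accounts created before the setting existed have no minimumTlsVersion at
# all; tostring() turns that into '' which the !in~ test flags as well.
$weak = Search-AzGraph -Query $query -First 1000
'{0} storage account(s) below the transport floor' -f @($weak).Count
$weak | Format-Table subscriptionId, resourceGroup, name, minTls, httpsOnly -AutoSize

# Remediation. Clients that only speak TLS 1.0/1.1 start failing immediately,
# so check the TlsVersion field in the account's storage resource logs for
# stragglers before enforcing on production accounts.
foreach ($acct in $weak) {
    Set-AzContext -SubscriptionId $acct.subscriptionId | Out-Null
    Set-AzStorageAccount -ResourceGroupName $acct.resourceGroup -Name $acct.name `
        -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 | Out-Null
}
```

The same pattern (Resource Graph to detect, the service's own cmdlet to fix) applies to other services that expose a minimum TLS setting; the property names differ per resource type, so check each type's schema in Resource Graph Explorer before copying the query.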
15 |
15 |
DP-5 |
Data Protection |
Shared |
Encrypt sensitive data at rest |
To complement access controls, data at rest should be protected against ‘out of band’ attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.
Azure provides encryption for data at rest by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure provides options to manage your own keys (customer managed keys) for certain Azure services.
Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services
How to configure customer managed encryption keys: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal
Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models
Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-at-rest |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-e |
16 |
16 |
ES-1 |
Endpoint Security |
Customer |
Use Endpoint Detection and Response (EDR) |
Enable Endpoint Detection and Response (EDR) capabilities for servers and clients and integrate with SIEM and Security Operations processes.
Microsoft Defender Advanced Threat Protection provides EDR capability as part of an enterprise endpoint security platform to prevent, detect, investigate, and respond to advanced threats.
Microsoft Defender Advanced Threat Protection Overview: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection
Microsoft Defender ATP service for Windows servers: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints
Microsoft Defender ATP service for non-Windows servers: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Security C |
17 |
17 |
ES-2 |
Endpoint Security |
Customer |
Use centrally managed modern anti-malware software |
Use a centrally managed endpoint anti-malware solution capable of real-time and periodic scanning.
Azure Security Center can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and report the endpoint protection running status and make recommendations.
Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). For Linux VMs, use a third-party anti-malware solution. You can also use Azure Security Center's threat detection for data services to detect malware uploaded to Azure Storage accounts.
How to configure Microsoft Antimalware for Cloud Services and Virtual Machines:
https://docs.microsoft.com/azure/security/fundamentals/antimalware
Supported endpoint protection solutions:
https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Security C |
18 |
18 |
ES-3 |
Endpoint Security |
Customer |
Ensure anti-malware software and signatures are updated |
Ensure anti-malware signatures are updated rapidly and consistently.
Follow the recommendations in Azure Security Center under "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. Microsoft Antimalware automatically installs the latest signature and engine updates by default. For Linux, use a third-party anti-malware solution.
How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware
Endpoint protection assessment and recommendations in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection |
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Security C |
19 |
19 |
GS-1 |
Governance and Strategy |
Customer |
Define asset management and data protection strategy |
Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.
This strategy should include documented guidance, policy, and standards for the following elements:
- Data classification standard in accordance with the business risks
- Security organization visibility into risks and asset inventory
- Security organization approval of Azure services for use
- Security of assets through their lifecycle
- Required access control strategy in accordance with organizational data classification
- Use of Azure native and third party data protection capabilities
- Data encryption requirements for in-transit and at-rest use cases
- Appropriate cryptographic standards
For more information, see the following references:
Azure Security Architecture Recommendation - Storage, data, and encryption: https://docs.microsoft.com/azure/architecture/framework/security/storage-data-encryption?toc=/security/compass/toc.json&bc=/security/compass/breadcrumb/toc.json
Azure Security Fundamentals - Azure Data security, encryption, and storage: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview
Cloud Adoption Framework - Azure data security and encryption best practices: https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices?toc=/azure/cloud-adoption-framework/toc.json&bc=/azure/cloud-adoption-framework/_bread/toc.json
Azure Security Benchmark - Asset management: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-asset-management
Azure Security Benchmark - Data Protection: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-data-protection |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
20 |
20 |
GS-2 |
Governance and Strategy |
Customer |
Define enterprise segmentation strategy |
Establish an enterprise-wide strategy for segmenting access to assets using a combination of identity, network, application, subscription, management group, and other controls.
Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.
Ensure that the segmentation strategy is implemented consistently across control types including network security, identity and access models, and application permission/access models, and human process controls.
Guidance on segmentation strategy in Azure (video):
https://docs.microsoft.com/en-us/security/compass/microsoft-security-compass-introduction#azure-components-and-reference-model-2151
Guidance on segmentation strategy in Azure (document):
https://docs.microsoft.com/en-us/security/compass/governance#enterprise-segmentation-strategy
Align network segmentation with enterprise segmentation strategy:
https://docs.microsoft.com/en-us/security/compass/network-security-containment#align-network-segmentation-with-enterprise-segmentation-strategy |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
21 |
21 |
GS-3 |
Governance and Strategy |
Customer |
Define security posture management strategy |
Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high value assets and highly-exposed attack surfaces, such as published applications, network ingress and egress points, user and administrator endpoints, etc.
Azure Security Benchmark - Posture and vulnerability management: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-posture-vulnerability-management |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
22 |
22 |
GS-4 |
Governance and Strategy |
Customer |
Align organization roles, responsibilities, and accountabilities |
Ensure you document and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educating technical teams on the technology used to secure the cloud.
Azure Security Best Practice 1 – People: Educate Teams on Cloud Security Journey: https://aka.ms/AzSec1
Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology: https://aka.ms/AzSec2
Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions: https://aka.ms/AzSec3 |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
23 |
23 |
GS-5 |
Governance and Strategy |
Customer |
Define network security strategy |
Establish an Azure network security approach as part of your organization’s overall security access control strategy.
This strategy should include documented guidance, policy, and standards for the following elements:
- Centralized network management and security responsibility
- Virtual network segmentation model aligned with the enterprise segmentation strategy
- Remediation strategy in different threat and attack scenarios
- Internet edge and ingress and egress strategy
- Hybrid cloud and on-premises interconnectivity strategy
- Up-to-date network security artifacts (e.g. network diagrams, reference network architecture)
For more information, see the following references:
Azure Security Best Practice 11 - Architecture. Single unified security strategy: https://aka.ms/AzSec11
Azure Security Benchmark - Network Security: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-network-security
Azure network security overview: https://docs.microsoft.com/azure/security/fundamentals/network-overview
Enterprise network architecture strategy: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
24 |
24 |
GS-6 |
Governance and Strategy |
Customer |
Define identity and privileged access strategy |
Establish an Azure identity and privileged access approach as part of your organization’s overall security access control strategy.
This strategy should include documented guidance, policy, and standards for the following elements:
- A centralized identity and authentication system and its interconnectivity with other internal and external identity systems
- Strong authentication methods in different use cases and conditions
- Protection of highly privileged users
- Monitoring and handling of anomalous user activity
- User identity and access review and reconciliation process
For more information, see the following references:
Azure Security Benchmark - Identity management: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-identity-management
Azure Security Benchmark - Privileged access: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-privileged-access
Azure Security Best Practice 11 - Architecture. Single unified security strategy: https://aka.ms/AzSec11
Azure identity management security overview: https://docs.microsoft.com/azure/security/fundamentals/identity-management-overview |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |
25 |
25 |
GS-7 |
Governance and Strategy |
Customer |
Define logging and threat response strategy |
Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high quality alerts and seamless experiences so that they can focus on threats rather than integration and manual steps.
This strategy should include documented guidance, policy, and standards for the following elements:
- The security operations (SecOps) organization’s role and responsibilities
- A well-defined incident response process aligning with NIST or another industry framework
- Log capture and retention to support threat detection, incident response, and compliance needs
- Centralized visibility into, and correlation of, threat information using SIEM, native Azure capabilities, and other sources
- Communication and notification plan with your customers, suppliers, and public parties of interest
- Use of Azure native and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication
- Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention
For more information, see the following references:
Azure Security Benchmark - Logging and threat detection: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-logging-threat-detection
Azure Security Benchmark - Incident response: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v2-incident-response
Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud: https://aka.ms/AzSec4
Azure Adoption Framework, logging, and reporting decision guide: https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/
Azure enterprise scale, management, and monitoring: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring |
All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions |