Control areas
Any effective technology security strategy starts with a firm understanding of the security domains and their controls; these make up the frameworks against which you review your current implementation. Microsoft Cloud offers several ways to review, understand, and periodically check your environment against baselines of security controls. For the baseline set of controls for the Microsoft Cloud, see Microsoft cloud security benchmark.
However, while globally recognized frameworks such as System and Organization Controls (SOC), International Organization for Standardization (ISO), and Payment Card Industry (PCI) standards mandate a common set of controls, financial services companies usually also need controls in security domains that go beyond that baseline. In practice those domains include resiliency, access, incident response, and vulnerability management.
Resiliency
National Institute of Standards and Technology (NIST), SOC, ISO, and other control regimes place strong emphasis on business continuity and disaster recovery. Microsoft Cloud services help you meet the controls in this domain. The following resources describe how to use the Microsoft Cloud to achieve the right level of resilience for your workloads:
- What are Azure availability zones?
- Availability Zones Service Support
- Reliability quick links - Microsoft Azure Well-Architected Framework
- Recommendations for using availability zones and regions
Access
For financial institutions, the controls that restrict and monitor access to resources, both by their own employees and by the cloud service provider, are important. Microsoft engineers have no standing access to customer resources; access is granted only when it's requested for a specific troubleshooting scenario. Continuously vetted security groups, mandatory personnel screening, Secure Admin Workstations (SAWs) for production environment access, and Just-in-Time (JIT) tooling that limits the access aperture and requires an approval chain are all part of the access controls within the Microsoft environment.
For an extra step at your end, consider Microsoft Customer Lockbox, which ensures that Microsoft can't access your content without your explicit approval. Lockbox adds a layer of control: you approve or deny each access request a Microsoft engineer raises while troubleshooting an issue, so only personnel you have authorized can access your data. It also helps meet compliance requirements and enhances data privacy. For more information, see Customer Lockbox.
While Microsoft uses Just-in-time (JIT) technology to review access requests from its own engineers, your organization can deploy JIT so that access by your employees gets the same scrutiny. JIT access on Azure virtual machines (VMs) keeps management ports closed by default and opens them only when a request is approved, on specific ports, from specified source addresses, and for a limited time. This reduces exposure to unauthorized access and brute-force attacks against exposed management ports. You can configure and manage JIT access through Microsoft Defender for Cloud or programmatically through PowerShell and the REST API. For more information, see Just-in-time (JIT).
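The following Python example is added here and is not part of the original page or of Defender for Cloud's own code. It shows, for a constructed policy and request that follow the shape of the JIT network access policy REST resource, the checks a JIT request has to pass before a port is opened: the VM and port must be covered by the policy, the requested window may not exceed the port's maximum duration, and the source address must fall inside the allowed prefix. The VM id, the fixed clock, the helper names, and the decision to require a justification are assumptions of the example.

```python
"""Added example: validate a JIT access request against a JIT network access policy.

Mirrors the checks Defender for Cloud applies before it opens a port: the VM
and port must be covered by the policy, the requested window may not exceed
the port's maxRequestAccessDuration, and the source address must fall inside
the port's allowedSourceAddressPrefix. The policy and request dictionaries are
constructed here and follow the shape of the Microsoft.Security
jitNetworkAccessPolicies resource and its initiate request; the helper
functions, the VM id and the fixed clock are this example's own.
"""
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Constructed VM id and a fixed "current time" so the example is deterministic.
VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-fsi"
         "/providers/Microsoft.Compute/virtualMachines/vm-core-banking")
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)

# Constructed policy: SSH only from the corporate range for up to 3 hours,
# RDP from anywhere but only for 1 hour.
JIT_POLICY = {
    "kind": "Basic",
    "properties": {
        "virtualMachines": [{
            "id": VM_ID,
            "ports": [
                {"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "10.0.0.0/8",
                 "maxRequestAccessDuration": "PT3H"},
                {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "*",
                 "maxRequestAccessDuration": "PT1H"},
            ],
        }],
    },
}

_ISO_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration(iso):
    """Parse the ISO 8601 duration subset JIT policies use (for example PT1H30M)."""
    match = _ISO_DURATION.match(iso)
    if not match or iso == "PT":
        raise ValueError(f"unsupported duration: {iso}")
    hours, minutes = (int(x) if x else 0 for x in match.groups())
    return timedelta(hours=hours, minutes=minutes)


def source_allowed(prefix, source):
    """'*' means any source; otherwise the source must lie inside the prefix."""
    if prefix == "*":
        return True
    return ipaddress.ip_address(source) in ipaddress.ip_network(prefix, strict=False)


def validate_request(policy, request, now=NOW):
    """Return the reasons the request violates the policy; an empty list means allowed."""
    problems = []
    policy_vms = {vm["id"].lower(): vm for vm in policy["properties"]["virtualMachines"]}
    for vm in request["virtualMachines"]:
        policy_vm = policy_vms.get(vm["id"].lower())
        if policy_vm is None:
            problems.append(f"{vm['id']}: VM is not covered by the JIT policy")
            continue
        rules = {p["number"]: p for p in policy_vm["ports"]}
        for port in vm["ports"]:
            rule = rules.get(port["number"])
            if rule is None:
                problems.append(f"port {port['number']}: not enabled for JIT on this VM")
                continue
            end = datetime.fromisoformat(port["endTimeUtc"].replace("Z", "+00:00"))
            if end - now > parse_duration(rule["maxRequestAccessDuration"]):
                problems.append(f"port {port['number']}: requested window exceeds "
                                f"{rule['maxRequestAccessDuration']}")
            if not source_allowed(rule["allowedSourceAddressPrefix"], port["allowedSourceAddressPrefix"]):
                problems.append(f"port {port['number']}: source {port['allowedSourceAddressPrefix']} "
                                f"is outside {rule['allowedSourceAddressPrefix']}")
    # Requiring a justification is this example's choice, to keep an approval trail.
    if not request.get("justification", "").strip():
        problems.append("justification is required")
    return problems


def build_request(vm_id, port, source, hours, justification, now=NOW):
    """Construct an initiate-request body that opens one port until now + hours."""
    end = now + timedelta(hours=hours)
    return {
        "virtualMachines": [{"id": vm_id, "ports": [{
            "number": port,
            "allowedSourceAddressPrefix": source,
            "endTimeUtc": end.strftime("%Y-%m-%dT%H:%M:%SZ"),
        }]}],
        "justification": justification,
    }


if __name__ == "__main__":
    good = build_request(VM_ID, 22, "10.20.30.40", 2, "INC-1234: apply kernel patch")
    print("approved" if not validate_request(JIT_POLICY, good) else "rejected")
    bad = build_request(VM_ID, 22, "203.0.113.9", 8, "")
    for reason in validate_request(JIT_POLICY, bad):
        print("rejected:", reason)
```

The second request fails on three counts at once (window too long, source outside the corporate range, no justification), which is the point of recording every reason rather than stopping at the first: an approver, or an alert rule in your SIEM, sees the full shape of the request.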
Incident response
Microsoft Incident Response helps before, during, and after a cybersecurity incident by evicting bad actors, building resilience, and repairing your defenses. The following resources provide more information about how Microsoft helps strengthen security and resiliency and respond to incidents.
- Microsoft Incident Response
- Unified Enterprise Plan Details
- Cybersecurity Incident Response
- Support for Mission Critical
You can use Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution, for large-volume data analysis. Microsoft Sentinel aggregates, correlates, and analyzes log data from many sources in near real time, helping security teams detect and respond to incidents quickly. Combined with the Defender suite and Azure, Microsoft Sentinel also provides the historical trend data that incident response investigations depend on.
Vulnerability management
Microsoft security researchers monitor the threat landscape and collaborate with customers, partners, and industry experts to discover new vulnerabilities and exploits. As the threat and computing landscape continues to evolve, vulnerability discoveries, coordinated response, and other forms of threat intelligence sharing are paramount to protecting customers against present and future threats. For more information, see Vulnerabilities and exploits.
Defender Vulnerability Management offers a single solution for identifying, assessing, and remediating vulnerabilities across critical assets, including Windows, macOS, Linux, Android, iOS, and network devices. Its Microsoft threat intelligence and risk-based prioritization help financial institutions reduce cyber risk by continuously monitoring and addressing the most critical vulnerabilities first, even on devices that aren't connected to the corporate network. For more information, see Defender Vulnerability Management.
Sovereignty
Microsoft sovereign cloud capabilities provide the tools and controls necessary to meet stringent compliance requirements and data sovereignty obligations. On Microsoft's cloud platform, you can implement those requirements with features such as Azure confidential computing, customer-managed keys, and Azure Managed Hardware Security Modules (HSMs). These capabilities give you enhanced protection over sensitive workloads by keeping encryption keys, and for confidential computing the data in use, under your control, which limits unauthorized access to data and resources.
The following resources describe sovereign capabilities that you can also implement in the financial sector:
- Key and certificate management in Microsoft Cloud for Sovereignty
- Azure Confidential Computing
- Microsoft Cloud for Sovereignty policy portfolio
- Overview of the Sovereign Landing Zone
- Workload templates for Sovereign Landing Zone
Transparency
Microsoft Cloud for Financial Services customers can use comprehensive tools and resources to gain transparency into their cloud environment and visibility into their own cloud activities. By monitoring actions and changes made by Microsoft, controlling access to resources, and receiving notifications of incidents and outages, financial institutions can secure their use of the Microsoft Cloud with strong transparency, which in turn supports conversations with corporate risk boards and regulators.
For more details, see the following resources:
- Microsoft Purview Audit
- Transparency logs
- Customer Lockbox for Microsoft Azure and Customer Lockbox in Power Platform and Dynamics 365
- Azure Service Health
Secure by default
Microsoft Cloud services provide tools and features that help you adopt a 'secure by default' posture: the environment is secured from the outset rather than hardened after the fact, which minimizes exposure and improves your overall security posture. To achieve a secure by default status, your organization can use the following capabilities:
- Use Azure Policy to enforce organizational standards and assess compliance at scale. Azure Policy lets you create, assign, and manage policies that apply rules and effects (such as deny or audit) to your resources. By defining an allow-list of deployable resource types, you ensure that only approved services can be deployed in your cloud environment. For more information, see Azure Policy.
- Microsoft Defender for Cloud helps improve your security posture by providing a secure score that aggregates security findings into a single number. The score helps you assess your current security situation and prioritize the actions that improve it. The secure score is based on the Microsoft cloud security benchmark (MCSB), which is applied by default when Defender for Cloud is enabled. For more information, see Microsoft Defender for Cloud.
- Azure Private Link lets you reach Azure PaaS services, such as Azure Storage and SQL Database, as well as your own services, over a private endpoint in your virtual network. Traffic between your virtual network and the service stays on the Microsoft backbone network instead of traversing the public internet, giving sensitive functions private access. For more information, see Azure Private Link.
- Microsoft Entra provides centralized identity and access management for cloud services. By enforcing multifactor authentication (MFA) through Microsoft Entra Conditional Access policies, and by disabling local (key- or password-based) authentication on resources that support it, you require users and workloads to authenticate with Microsoft Entra credentials rather than with credentials stored on the resource. For more information on the access policies, see conditional access policies.
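To make the Azure Policy allow-list point above concrete, the following Python example (added here; it is not part of the original page or of Azure Policy's engine) writes the policy rule in the shape of the built-in 'Allowed resource types' definition and applies it to a constructed deployment, so you can see which resources an assignment with the deny effect would block. The evaluator supports only the operators the rule uses; the parameter name, the sample resources, and the helper names are assumptions of the example.

```python
"""Added example: an Azure Policy rule that denies resource types outside an
allow-list, with a small evaluator that applies it to a planned deployment.

The rule follows the shape of the built-in 'Allowed resource types' policy
(a 'not'/'in' condition on the 'type' field with a deny effect). The
evaluator, the parameter name, and the sample resources are constructed for
this example; Azure Policy's own engine supports many more operators.
"""

# Policy rule as it would appear in a policy definition's policyRule property.
ALLOWED_RESOURCE_TYPES_RULE = {
    "if": {
        "not": {
            "field": "type",
            "in": "[parameters('listOfResourceTypesAllowed')]",
        }
    },
    "then": {"effect": "deny"},
}

# Parameter values an assignment would supply: the approved service catalogue.
ASSIGNMENT_PARAMETERS = {
    "listOfResourceTypesAllowed": [
        "Microsoft.Compute/virtualMachines",
        "Microsoft.Network/virtualNetworks",
        "Microsoft.Storage/storageAccounts",
        "Microsoft.KeyVault/vaults",
    ]
}

# Constructed sample of the resources a deployment template would create.
SAMPLE_DEPLOYMENT = [
    {"name": "vm-core-banking", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "vnet-hub", "type": "microsoft.network/virtualnetworks"},
    {"name": "app-payments", "type": "Microsoft.Web/sites"},
    {"name": "vm-core-banking/AADLogin", "type": "Microsoft.Compute/virtualMachines/extensions"},
]


def _resolve(value, parameters):
    """Resolve a [parameters('name')] template expression; literals pass through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return parameters[value[len(prefix):-len(suffix)]]
    return value


def _evaluate_condition(cond, resource, parameters):
    """Evaluate the subset of policy conditions this rule needs."""
    if "not" in cond:
        return not _evaluate_condition(cond["not"], resource, parameters)
    if "allOf" in cond:
        return all(_evaluate_condition(c, resource, parameters) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_evaluate_condition(c, resource, parameters) for c in cond["anyOf"])
    # Azure Policy string comparisons are case-insensitive, so normalize both sides.
    actual = str(resource.get(cond["field"], "")).lower()
    if "in" in cond:
        return actual in {str(v).lower() for v in _resolve(cond["in"], parameters)}
    if "equals" in cond:
        return actual == str(_resolve(cond["equals"], parameters)).lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule, resource, parameters):
    """Return the rule's effect when its 'if' block matches, otherwise 'none'."""
    if _evaluate_condition(rule["if"], resource, parameters):
        return rule["then"]["effect"].lower()
    return "none"


def review_deployment(resources, rule=ALLOWED_RESOURCE_TYPES_RULE, parameters=ASSIGNMENT_PARAMETERS):
    """Map each resource name to the effect the assignment would apply on deployment."""
    return {r["name"]: evaluate(rule, r, parameters) for r in resources}


if __name__ == "__main__":
    for name, effect in review_deployment(SAMPLE_DEPLOYMENT).items():
        print(f"{effect:5} {name}")
```

Two things the run makes visible that the bullet above does not: the type match is case-insensitive (the lower-case virtual network passes), and it is exact, so a child type such as Microsoft.Compute/virtualMachines/extensions is denied unless it is listed explicitly. Also remember that the deny effect only blocks create and update requests; resources that already exist when the assignment is made are reported as non-compliant rather than removed.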