Understand the Azure platform security baseline

Completed

The Microsoft cybersecurity group and the Center for Internet Security (CIS) have developed best practices to help establish security baselines for the Azure platform.

A diagram of the workflow for securing Azure workloads with the Azure C I S benchmark.

Microsoft initially partnered with CIS to develop an off-the-shelf hardened Azure virtual machine (VM). An initiative then began to create a CIS benchmark, a document that details CIS best practices, for Azure security services and tools to facilitate security and compliance for customer applications running on Azure services.

Tip

CIS Microsoft Azure Foundations Security Benchmark v. 1.3.0 provides prescriptive guidance for establishing a secure baseline configuration for Azure. This guide was tested against the listed Azure services as of February 2021. The scope of this benchmark is to establish the foundational level of security for anyone who adopts Azure.

Create a platform security baseline

Various security standards can help cloud service customers achieve workload security when they use cloud services. The following recommended technology groupings help create secure cloud-enabled workloads. These recommendations aren't an exhaustive list of all possible security configurations and architectures. These security baseline recommendations are a starting point.

CIS has two implementation levels and several categories of recommendations:

  • Level 1 - Recommended minimum security settings

    • These settings should be configured on all systems.
    • These settings should cause little or no interruption of services or reduced functionality.
  • Level 2 - Recommendations for highly secure environments

    • These settings might result in reduced functionality.

The following table provides the categories and number of recommendations made for each category in CIS Microsoft Azure Foundations Security Benchmark v. 1.3.0:

Technology group Description # of recommendations
Identity & Access Management (IAM) Recommendations related to IAM policies 23
Microsoft Defender for Cloud Recommendations related to the configuration and use of Microsoft Defender for Cloud 19
Storage accounts Recommendations for setting storage account policies 7
Azure SQL Database Recommendations for helping to secure Azure SQL databases 8
Logging and monitoring Recommendations for setting logging and monitoring policies for your Azure subscriptions 13
Networking Recommendations for helping to securely configure Azure networking settings and policies 5
VMs Recommendations for setting security policies for Azure compute services, and specifically VMs 6
Other Recommendations regarding general security and operational controls, including recommendations related to Azure Key Vault and resource locks 3
Total recommended 84

Let's explore each category in more detail.