The Microsoft Cloud Security Benchmark (MCSB) is a set of best practices and security controls developed by Microsoft to help organizations secure their cloud environments. Aligned with well-known industry standards, the MCSB provides guidance for protecting resources, detecting threats, and maintaining compliance in Microsoft Azure. This benchmark addresses security across various domains, including network security, identity management, and data protection.
The MCSB is organized into multiple security domains, each encompassing specific controls and best practices:
Network Security: Securing network configurations and communications.
Identity Management: Ensuring secure identity and access controls.
Privileged Access: Managing and monitoring high-level permissions.
Data Protection: Protecting data through encryption and access control.
Asset Management: Maintaining visibility and control over cloud resources.
Logging and Threat Detection: Monitoring and detecting potential threats.
Incident Response: Planning for and responding to security incidents.
Posture and Vulnerability Management: Managing vulnerabilities and improving security posture.
Endpoint Security: Securing endpoints to prevent malware and other threats.
Backup and Recovery: Protecting data through secure backup and recovery practices.
DevOps Security: Integrating security into DevOps processes for secure development and deployment.
Governance and Strategy: Defining security policies, roles, and strategies to support cloud security functions.
Network Security covers controls to secure and protect networks, including securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS.
Security Principle: Ensure that your virtual network deployment aligns with your enterprise segmentation strategy. Isolate workloads that incur higher risk, such as those containing sensitive data or exposed to external networks.
Azure Guidance: Use Azure Virtual Network (VNet) as a fundamental segmentation method, deploying resources within VNets and creating subnets for further segmentation. Apply Network Security Groups (NSGs) to control traffic by port, protocol, source, and destination IPs. Simplify configuration with Application Security Groups (ASGs).
AWS Guidance: Use Virtual Private Cloud (VPC) as a primary segmentation approach, deploying resources within VPCs. Use Security Groups for EC2 instances and Network Access Control Lists (NACLs) for subnets to manage traffic flow.
GCP Guidance: Use VPC networks to segment GCP environments, with firewall rules targeting instances or groups based on tags or service accounts.
Implementation Context: Define subnets for high-risk workloads and configure controls to enforce access boundaries.
Stakeholders: Security Architecture, Posture Management, Application Security, DevOps
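The NSG guidance above (filter by port, protocol, source and destination) is easiest to verify mechanically. The following is an added example, not code from the benchmark: it assumes NSG JSON in the shape returned by `az network nsg show` (properties.securityRules plus properties.defaultSecurityRules) and walks the rules with the platform's priority-ordered, first-match semantics to report management ports an Internet source can reach; the sample NSG is constructed.

```python
"""Probe exported Azure NSG rules for management ports reachable from the Internet."""
import ipaddress

# Source prefixes that admit traffic from every public address.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "::/0"}
# Ports a segmentation review should never find open to the Internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/HTTPS"}


def _ports(rule):
    """Destination ports a rule covers, or None when it covers all ports."""
    props = rule["properties"]
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    ports = set()
    for r in ranges:
        if r == "*":
            return None
        if "-" in r:
            lo, hi = (int(x) for x in r.split("-"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(r))
    return ports


def _public_sources(rule):
    """Source prefixes of a rule that Internet traffic can match: '*', the Internet
    service tag, or a CIDR in global address space. Other service tags (VirtualNetwork,
    AzureLoadBalancer, ...) and private CIDRs never match an Internet source."""
    props = rule["properties"]
    prefixes = props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]
    public = []
    for p in prefixes:
        if p in ANY_SOURCE:
            public.append(p)
            continue
        try:
            if ipaddress.ip_network(p, strict=False).is_global:
                public.append(p)
        except ValueError:
            pass  # a service tag, not an address
    return public


def exposed_management_ports(nsg, protocol="Tcp"):
    """Map each management port reachable from the Internet to (rule name, source prefix).

    Rules are evaluated the way the platform does: lowest priority number first,
    first match wins, custom rules before default rules. A Deny that covers only part
    of the Internet does not end evaluation, because other public sources remain
    unmatched; a Deny on '*' or 'Internet' does.
    """
    props = nsg["properties"]
    rules = sorted(props.get("securityRules", []) + props.get("defaultSecurityRules", []),
                   key=lambda r: r["properties"]["priority"])
    findings = {}
    for port in MANAGEMENT_PORTS:
        for rule in rules:
            rp = rule["properties"]
            if rp["direction"] != "Inbound" or rp["protocol"] not in ("*", protocol):
                continue
            ports = _ports(rule)
            if ports is not None and port not in ports:
                continue
            public = _public_sources(rule)
            if not public:
                continue  # rule cannot match an Internet source; keep walking
            if rp["access"] == "Allow":
                findings[port] = (rule["name"], public[0])
                break
            if any(p in ANY_SOURCE for p in public):
                break  # blanket deny: port is closed to the Internet
    return findings


def _rule(name, priority, access, protocol, source, ports):
    """Build one inbound rule in ARM shape (helper for the constructed sample only)."""
    props = {"priority": priority, "direction": "Inbound", "access": access,
             "protocol": protocol, "sourceAddressPrefix": source}
    props["destinationPortRanges" if isinstance(ports, list) else "destinationPortRange"] = ports
    return {"name": name, "properties": props}


# Constructed sample modelled on `az network nsg show` output.
SAMPLE_NSG = {"name": "nsg-web", "properties": {
    "securityRules": [
        _rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "443"),
        _rule("AllowSshFromBastionSubnet", 110, "Allow", "Tcp", "10.0.1.0/24", "22"),
        _rule("AllowRdpFromAnywhere", 120, "Allow", "*", "*", ["3389", "5985-5986"]),
    ],
    "defaultSecurityRules": [
        _rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
        _rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
    ]}}


if __name__ == "__main__":
    for port, (rule, src) in sorted(exposed_management_ports(SAMPLE_NSG).items()):
        print(f"{MANAGEMENT_PORTS[port]} ({port}) open to {src} via rule {rule}")
```

On the sample, SSH is reported closed (the bastion-subnet allow cannot match an Internet source, and the default DenyAllInBound ends evaluation), while RDP and WinRM are reported open through the catch-all rule.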
Security Principle: Secure cloud services by establishing private access points for resources and limiting public network exposure.
Azure Guidance: Use Azure Private Link to create private endpoints for supported services, avoiding public network routing. For services without Private Link, use VNet integration to restrict access. Avoid assigning public IPs directly to VMs; use load balancers or gateways.
AWS Guidance: Use VPC PrivateLink for private connections to supported AWS services. Avoid assigning public IPs to resources unless necessary.
GCP Guidance: Use Private Google Access to establish private connectivity, and VPC firewall rules to control access. Avoid assigning public IPs to VMs where possible.
Implementation Context: Configure private endpoints and restrict access to sensitive services with ACLs and network controls.
Stakeholders: Security Architecture, Posture Management, Application Security, DevOps
Security Principle: Deploy a firewall to filter traffic between external and internal networks, as well as within internal segments as needed. Use custom routes for controlled traffic routing.
Azure Guidance: Use Azure Firewall for centralized management and traffic filtering. Use user-defined routes (UDRs) to control traffic flow within complex network topologies.
AWS Guidance: Use AWS Network Firewall with custom route tables for centralized traffic filtering in complex VPC environments.
GCP Guidance: Use Google Cloud Armor for Layer 7 filtering and VPC firewall rules for network traffic restriction.
Implementation Context: Configure firewall policies to block high-risk protocols and known malicious IPs.
Stakeholders: Security Architecture, Posture Management, Application Security, DevOps
Security Principle: Use IDS/IPS to monitor network traffic and detect or prevent unauthorized access attempts. Deploy host-based IDS/IPS or EDR for enhanced detection.
Azure Guidance: Use Azure Firewall’s IDPS for network-level protection, and Microsoft Defender for Endpoint at the host level.
AWS Guidance: Use AWS Network Firewall’s IPS for VPC protection, and deploy host-based solutions as needed.
GCP Guidance: Use Cloud IDS with Google-managed peered networks for network traffic inspection.
Implementation Context: Enable network traffic mirroring and inspection where required, using EDR solutions alongside IDS/IPS for in-depth analysis.
Stakeholders: Security Architecture, Posture Management, Application Security, DevOps
Security Principle: Implement DDoS protection to defend against attacks that could disrupt network or application availability.
Azure Guidance: Use DDoS Protection Basic for underlying Azure infrastructure and DDoS Protection Standard for application-layer protection.
AWS Guidance: Enable AWS Shield Standard for network layer protection and Shield Advanced for application layer defenses.
GCP Guidance: Use Google Cloud Armor for standard and advanced DDoS protection for services hosted in GCP.
Implementation Context: Enable DDoS protection at critical entry points and ensure configuration aligns with resource sensitivity.
Stakeholders: Security Architecture, Posture Management, Application Security, DevOps
Security Principle: Deploy WAFs to protect web applications and APIs from application-layer attacks.
Azure Guidance: Use WAFs in Azure Application Gateway, Front Door, or CDN with appropriate rulesets like OWASP Top 10.
AWS Guidance: Deploy AWS WAF for CloudFront, API Gateway, or ALB to filter application-layer attacks, using Managed Rules for AWS WAF for simplified setup.
GCP Guidance: Use Google Cloud Armor with preconfigured security policies to protect against OWASP Top 10 and other application threats.
Implementation Context: Configure WAFs with built-in and custom rules to filter traffic based on known vulnerabilities.
Stakeholders: Security Architecture, Posture Management, Application Security, DevOps
Security Principle: Use centralized tools to simplify the management and deployment of network security configurations.
Azure Guidance: Use Azure Virtual Network Manager for centralized NSG management, and Adaptive Network Hardening for NSG recommendations.
AWS Guidance: Use AWS Firewall Manager to manage WAF, Shield Advanced, and Network Firewall policies across accounts.
GCP Guidance: Use VPC Networks and Hierarchical Firewall Policies for centralized management and configuration across GCP environments.
Implementation Context: Apply policies globally or hierarchically to improve consistency and simplify maintenance.
Stakeholders: Security Architecture, Posture Management, Application Security, DevOps
Security Principle: Identify and disable insecure services and protocols, such as deprecated versions of SSL or SSH, across cloud and on-premises environments.
Azure Guidance: Use Microsoft Sentinel’s Insecure Protocol Workbook to identify and disable legacy protocols and services.
AWS Guidance: Enable VPC Flow Logs with GuardDuty to identify and track insecure services.
GCP Guidance: Enable VPC Flow Logs with Security Command Center or Chronicle to monitor for insecure protocols.
Implementation Context: Regularly audit services and protocols and deploy compensating controls if insecure options cannot be disabled.
Stakeholders: Security Architecture, Posture Management, Application Security, DevOps
Security Principle: Use private network connections for secure communications between on-premises and cloud networks, and between cloud networks.
Azure Guidance: Use Azure VPN for lightweight connections or ExpressRoute for high-performance connections. Use VNet Peering for private inter-VNet communications.
AWS Guidance: Use AWS VPN for lightweight connections or Direct Connect for high-performance needs. Use VPC Peering or Transit Gateway for private connections.
GCP Guidance: Use Cloud VPN for basic connectivity or Cloud Interconnect for higher performance. Use VPC Network Peering or Network Connectivity Center for regional connections.
Implementation Context: Configure private endpoints and disable direct internet access for sensitive networks.
Stakeholders: Security Architecture, Posture Management, Application Security, DevOps
Security Principle: Secure DNS services against risks, ensuring separation of public and private DNS resolution, and implementing protections against attacks like DNS poisoning and amplification.
Azure Guidance: Use Azure DNS for secure resolution, Private DNS zones for private networks, and Defender for DNS to prevent malicious attacks.
AWS Guidance: Use Route 53 for secure DNS management, private hosted zones for internal networks, and DNSSEC for spoofing protection.
GCP Guidance: Use Google Cloud DNS with private zones for internal DNS, and DNSSEC for secure domain management.
Implementation Context: Enable DNS logging and security policies to control traffic and protect domain integrity.
Stakeholders: Security Architecture, Posture Management, Application Security, DevOps
Identity Management establishes secure identity and access controls through systems such as single sign-on (SSO), strong authentication, managed identities for applications, conditional access, and account anomaly monitoring.
Security Principle: Use a centralized identity and authentication system to govern identities across cloud and non-cloud resources.
Azure Guidance: Use Azure Active Directory (AD) for identity management across Microsoft and third-party resources, avoiding local authentication where possible.
AWS Guidance: Use AWS IAM for centralized identity, integrating Azure AD SSO to avoid duplicate accounts across platforms.
GCP Guidance: Use Google Cloud IAM for identity management, optionally synchronizing with Azure AD SSO to prevent duplicate accounts in multi-cloud environments.
Implementation Context: Ensure consistency in identity management across cloud and on-premises resources using centralized directory services.
Stakeholders: Identity Management, Security Architecture, Application Security, DevSecOps
Security Principle: Secure identity systems as a top priority, restricting privileged access, enforcing strong authentication, and auditing high-risk activities.
Azure Guidance: Use Azure AD Identity Secure Score to evaluate identity security posture, enabling MFA and blocking legacy authentication.
AWS Guidance: Follow AWS IAM best practices, including strong authentication and permission boundaries for least privilege.
GCP Guidance: Use Google Cloud IAM audit logging, least privilege principles, and strong authentication policies to secure identity systems.
Implementation Context: Apply role-based restrictions and enable monitoring for high-risk activities across identity systems.
Stakeholders: Identity Management, Security Architecture, Application Security, DevSecOps
Security Principle: Use managed identities for applications to reduce credential exposure and automate credential rotation where possible.
Azure Guidance: Use Azure managed identities for resources with Azure AD authentication, or use service principals for restricted access.
AWS Guidance: Use IAM roles with temporary credentials for applications, or service-linked roles for AWS services.
GCP Guidance: Use Google-managed service accounts with temporary keys for applications, and enable Policy Intelligence for monitoring.
Implementation Context: Avoid hard-coded credentials and enforce automated credential rotation where possible.
Stakeholders: Identity Management, Application Security, DevSecOps
Security Principle: Ensure client-side authentication for remote servers and services using TLS for secure connections.
Azure Guidance: Use TLS for Azure services by default and ensure identity verification for services without TLS enforcement.
AWS Guidance: Enforce TLS for AWS services, using AWS Certificate Manager for identity verification where necessary.
GCP Guidance: Enable TLS for GCP services, and use mutual authentication where applicable, such as with Cloud Load Balancing.
Implementation Context: Verify server identities using trusted certificates during client-server interactions.
Stakeholders: Identity Management, Application Security, DevSecOps
Security Principle: Implement SSO to streamline access management for cloud and on-premises applications.
Azure Guidance: Use Azure AD for SSO across cloud and on-premises applications, enabling unified access management.
AWS Guidance: Use AWS SSO and Cognito for customer-facing applications, bridging third-party identities with AWS.
GCP Guidance: Use Google Cloud Identity for SSO across GCP and on-premises applications, reducing the need for duplicate accounts.
Implementation Context: Implement SSO across all applicable platforms to simplify user experience and strengthen access control.
Stakeholders: Security Architecture, Identity Management, Application Security, DevSecOps
Security Principle: Enforce strong authentication (passwordless or multi-factor) to secure access to resources.
Azure Guidance: Use Azure MFA for privileged users and passwordless authentication for general accounts where feasible.
AWS Guidance: Enforce MFA across AWS accounts, including conditions based on access level and use of third-party accounts.
GCP Guidance: Use Google Cloud Identity with MFA and protect super admin accounts with security keys.
Implementation Context: Apply MFA for high-risk accounts and strong authentication for all other users to enhance security.
Stakeholders: Security Architecture, Identity Management, Application Security, DevSecOps
Security Principle: Apply access restrictions based on user-defined conditions, following a zero-trust model.
Azure Guidance: Use Azure AD Conditional Access to set policies based on user location, device, and risk level.
AWS Guidance: Create IAM policies with conditions for location-based access, IP ranges, and risk signals.
GCP Guidance: Use IAM Conditions in GCP for attribute-based access control, adjusting permissions based on conditions.
Implementation Context: Enforce conditional access policies based on user and device context to support zero-trust security.
Stakeholders: Identity Management, Application Security, DevSecOps, Threat Intelligence
Security Principle: Securely manage credentials by storing them in key vaults and avoiding exposure in code or configuration files.
Azure Guidance: Use Azure Key Vault for secure storage of credentials, implementing Credential Scanner for code review.
AWS Guidance: Store credentials in AWS Secrets Manager or Parameter Store, and use CodeGuru Reviewer for secure coding.
GCP Guidance: Store credentials in Google Cloud Secret Manager and use secure IDE integrations to prevent exposure.
Implementation Context: Regularly audit secrets management processes and configure automated credential rotation where feasible.
Stakeholders: Application Security, DevSecOps, Posture Management
Security Principle: Secure access to legacy or non-cloud-native applications through centralized authentication solutions.
Azure Guidance: Use Azure AD Application Proxy and Defender for Cloud Apps to protect on-premises applications with SSO and CASB.
AWS Guidance: Implement AWS SSO and use Azure AD for hybrid scenarios requiring centralized authentication.
GCP Guidance: Use Google Cloud Identity-Aware Proxy for secure access to applications outside GCP, leveraging centralized security policies.
Implementation Context: Protect access to legacy applications using CASB, SSO, and other centralized security measures.
Stakeholders: Security Architecture, Infrastructure Security, Application Security, DevSecOps
Privileged Access controls protect administrative and high-level access to resources by defining controls over administrative models, accounts, and privileged access workstations to prevent both deliberate and inadvertent risks.
Security Principle: Identify high-impact accounts and limit the number of privileged/administrative accounts across cloud control, management, and data planes.
Azure Guidance: Secure critical Azure AD roles like Global Administrator and Privileged Role Administrator, as well as resource-level roles such as Owner, Contributor, and User Access Administrator.
AWS Guidance: Secure root users and IAM identities with privileged access policies. Use Azure AD to manage privileged roles if integrated with AWS.
GCP Guidance: Limit the use of the super administrator role and avoid legacy basic roles, instead using predefined roles like Organization Administrator and Security Admin.
Implementation Context: Restrict privileged accounts across management, identity, and security systems to protect critical assets from potential compromise.
Stakeholders: Identity Management, Security Architecture, Compliance Management, Security Operations
Security Principle: Use just-in-time (JIT) access rather than standing privileges to minimize risk.
Azure Guidance: Enable JIT access with Azure AD Privileged Identity Management (PIM) for temporary permissions, and limit VM management access with Defender for Cloud’s JIT feature.
AWS Guidance: Use AWS Security Token Service (STS) for short-lived temporary credentials, generated dynamically when needed.
GCP Guidance: Use IAM conditional access to create temporary, time-bound access to resources, controlled via Access Context Manager.
Implementation Context: Implement JIT access for privileged accounts to reduce potential exposure of high-risk privileges.
Stakeholders: Identity Management, Security Architecture, Compliance Management, Security Operations
Security Principle: Automate identity and access lifecycle management, covering request, approval, provisioning, and deprovisioning stages.
Azure Guidance: Use Azure AD entitlement management for automated workflows, and Permissions Management to monitor and adjust entitlements.
AWS Guidance: Use Access Advisor and IAM policies to manage account access assignments and periodic reviews.
GCP Guidance: Use Cloud Audit Logs for access tracking and Cloud Identity for lifecycle management features like automated provisioning and device management.
Implementation Context: Automate identity lifecycle processes to maintain a consistent and secure access management policy.
Stakeholders: Identity Management, Application Security, Compliance Management, DevSecOps
Security Principle: Conduct regular reviews of privileged accounts to ensure valid access across all layers of control and management.
Azure Guidance: Use Azure AD access reviews and Privileged Identity Management for monitoring Azure AD roles, group memberships, and application access.
AWS Guidance: Leverage IAM Access Advisor, Access Analyzer, and Credential Reports to periodically audit and manage access entitlements.
GCP Guidance: Use Cloud Audit Logs and Policy Analyzer to audit roles and access, ensuring least-privilege adherence.
Implementation Context: Conduct periodic audits and ensure the validity of access entitlements to support least-privilege principles.
Stakeholders: Identity Management, Application Security, Compliance Management, DevSecOps
Security Principle: Establish emergency access accounts for critical scenarios, ensuring limited, secure use and storage.
Azure Guidance: Use break-glass accounts in Azure AD for emergencies, maintaining strict security and limited visibility to avoid unauthorized use.
AWS Guidance: Reserve root accounts for emergency situations and enable MFA for added security.
GCP Guidance: Use super admin accounts only for emergencies, with additional security measures like MFA and access monitoring.
Implementation Context: Secure emergency access accounts and monitor usage to prevent unauthorized or unintended access.
Stakeholders: DevSecOps, Compliance Management, Security Operations
Security Principle: Use isolated workstations for privileged roles to minimize exposure and enhance control over sensitive environments.
Azure Guidance: Deploy Azure AD, Microsoft Defender, or Intune-managed PAWs, and consider Azure Bastion for secure VM access.
AWS Guidance: Use AWS Systems Manager’s Session Manager for secure, managed access to resources without direct network access to them.
GCP Guidance: Use Identity-Aware Proxy (IAP) Desktop for secure access to instances, optionally employing bastion hosts as a secure access solution.
Implementation Context: Maintain isolated, centrally managed PAWs for secure access to critical resources and services.
Stakeholders: DevSecOps, Security Operations, Identity Management
Security Principle: Enforce least privilege by limiting permissions to only those required for the assigned roles and responsibilities.
Azure Guidance: Use Azure RBAC for fine-grained access control, assigning roles through built-in and custom roles as needed.
AWS Guidance: Use IAM policies and AWS ABAC to enforce attribute-based least privilege access across resources.
GCP Guidance: Use Google Cloud IAM and Policy Intelligence for automated role recommendations to support least privilege.
Implementation Context: Review roles periodically to ensure least-privilege access and apply conditional roles where possible.
Stakeholders: DevSecOps, Compliance Management, Posture Management, Identity Management
Security Principle: Establish secure processes for requesting and authorizing vendor support, with controlled access paths and approval workflows.
Azure Guidance: Use Customer Lockbox to control Microsoft’s access to your data in support scenarios, allowing review and approval.
AWS Guidance: Provide controlled read-only access or screen sharing in AWS Support for vendor troubleshooting needs.
GCP Guidance: Use Access Approval in GCP to authorize Cloud Customer Care requests securely.
Implementation Context: Define and monitor secure paths for vendor support, ensuring data access is controlled and auditable.
Stakeholders: DevSecOps, Compliance Management, Identity Management
Data Protection covers the security and control of data at rest, in transit, and through authorized access mechanisms. This includes the discovery, classification, protection, and monitoring of sensitive data assets using access controls, encryption, key management, and certificate management.
Security Principle: Establish an inventory of sensitive data. Use tools to discover, classify, and label in-scope sensitive data.
Azure Guidance: Use Microsoft Purview and Azure SQL Data Discovery and Classification to scan, classify, and label sensitive data across Azure and Microsoft 365.
AWS Guidance: Replicate data to S3 and use AWS Macie for classification and labeling. Macie detects sensitive data, such as credentials and PII.
GCP Guidance: Use Google Cloud Data Loss Prevention to scan, classify, and label data in GCP, with Data Catalog for tagging.
Stakeholders: Application Security, Data Security, Infrastructure Security
Security Principle: Monitor for anomalies around sensitive data, such as unusual transfers or unauthorized exfiltration.
Azure Guidance: Use Azure Information Protection and Microsoft Defender for Storage, SQL, and Cosmos DB to monitor anomalous data activities.
AWS Guidance: Use AWS Macie for monitoring and GuardDuty to detect anomalous activities on resources like S3 and EC2.
GCP Guidance: Use Security Command Center and Event Threat Detection for alerts on unauthorized data transfers.
Stakeholders: Security Operations, Application Security, Endpoint Security
Security Principle: Use encryption to protect data in transit, ensuring it cannot be easily read or modified during transmission.
Azure Guidance: Enforce secure transfer in Azure services and use TLS for all web applications and VM management.
AWS Guidance: Use HTTPS and enforce TLS v1.2 or later in services like S3 and CloudFront.
GCP Guidance: Use HTTPS and enforce TLS v1.2 in services like Google Cloud Storage and App Engine.
Stakeholders: Security Architecture, Endpoint Security, DevOps
Security Principle: Use encryption to protect data at rest, preventing unauthorized access to data in underlying storage systems.
Azure Guidance: Enable data at rest encryption in Azure services using service-managed keys, which rotate every two years.
AWS Guidance: AWS services use data at rest encryption by default with customer master keys rotated every three years.
GCP Guidance: Google Cloud uses data at rest encryption by default with managed keys, rotated automatically.
Stakeholders: Endpoint Security, DevOps, Data Security
Security Principle: For regulatory compliance, use customer-managed keys in data encryption when required.
Azure Guidance: Use Azure Key Vault for customer-managed keys, integrating them across many Azure services.
AWS Guidance: Use AWS Key Management Service for customer-managed master keys, supporting AWS services.
GCP Guidance: Use Cloud Key Management Service for customer-managed keys, integrated across GCP services.
Stakeholders: Security Architecture, Endpoint Security, DevOps
Security Principle: Document and implement a secure key management process for customer-managed keys across services.
Azure Guidance: Use Azure Key Vault for lifecycle management of encryption keys, including generation, rotation, and revocation.
AWS Guidance: Use AWS Key Management Service for key lifecycle management, including generation, rotation, and revocation.
GCP Guidance: Use Cloud Key Management Service for lifecycle management of encryption keys, supporting HSM-backed keys.
Stakeholders: Security Architecture, DevOps, Data Security
Security Principle: Maintain an enterprise certificate management standard, ensuring secure issuance, rotation, and storage.
Azure Guidance: Use Azure Key Vault to manage certificate lifecycles, enforcing secure attributes and automatic rotation.
AWS Guidance: Use AWS Certificate Manager for secure management and automatic rotation of certificates.
GCP Guidance: Use Google Cloud Certificate Manager for lifecycle management, including secure issuance and rotation.
Stakeholders: Application Security, Data Security, DevOps
Security Principle: Secure the key and certificate repositories, using access control, network security, logging, and monitoring.
Azure Guidance: Harden Azure Key Vault through RBAC policies, network security, logging, and soft delete protection.
AWS Guidance: Use AWS Key Management Service and Certificate Manager, implementing policies, logging, and rotation.
GCP Guidance: Secure Cloud Key Management Service and Certificate Manager with IAM roles, logging, and access controls.
Stakeholders: Security Architecture, Application Security, Data Security
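The data-protection controls above (enforce secure transfer and TLS 1.2 or later, use customer-managed keys where required, harden the key repository with RBAC, network restrictions and soft delete) map onto a handful of ARM properties. The following is an added example, not code from the benchmark: it assumes resource JSON in ARM shape (type plus properties, as returned by `az resource show`); the property names are the real ARM ones, and the sample resources are constructed.

```python
"""Audit exported Azure storage accounts and key vaults against the data-protection controls."""


def audit_storage_account(sa, require_cmk=False):
    """Findings for a Microsoft.Storage/storageAccounts resource.

    Absent properties are treated as the insecure legacy default, because accounts
    created before a property existed keep that behaviour.
    """
    p = sa["properties"]
    issues = []
    if not p.get("supportsHttpsTrafficOnly", False):
        issues.append("secure transfer (HTTPS only) not enforced")
    tls = p.get("minimumTlsVersion", "TLS1_0")
    if tls in ("TLS1_0", "TLS1_1"):
        issues.append(f"minimum TLS version {tls} below TLS 1.2")
    if p.get("allowBlobPublicAccess", True):
        issues.append("anonymous blob access allowed")
    if (p.get("publicNetworkAccess", "Enabled") == "Enabled"
            and p.get("networkAcls", {}).get("defaultAction", "Allow") == "Allow"):
        issues.append("reachable from all networks (no private endpoint or firewall)")
    # Customer-managed keys are a compliance requirement, not a universal one, so the
    # caller decides whether their absence is a finding.
    if require_cmk and p.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
        issues.append("customer-managed key required but service-managed key in use")
    return issues


def audit_key_vault(kv, require_cmk=False):
    """Findings for a Microsoft.KeyVault/vaults resource (require_cmk is accepted only
    so both auditors share one signature)."""
    p = kv["properties"]
    issues = []
    if not p.get("enableSoftDelete", False):
        issues.append("soft delete disabled")
    if not p.get("enablePurgeProtection", False):
        issues.append("purge protection disabled")
    if not p.get("enableRbacAuthorization", False):
        issues.append("legacy access-policy model instead of Azure RBAC")
    if (p.get("publicNetworkAccess", "Enabled") == "Enabled"
            and p.get("networkAcls", {}).get("defaultAction", "Allow") == "Allow"):
        issues.append("reachable from all networks")
    return issues


AUDITORS = {
    "Microsoft.Storage/storageAccounts": audit_storage_account,
    "Microsoft.KeyVault/vaults": audit_key_vault,
}


def audit_resources(resources, require_cmk=False):
    """Map resource name -> findings for every resource type with an auditor."""
    report = {}
    for r in resources:
        auditor = AUDITORS.get(r["type"])
        if auditor is not None:
            report[r["name"]] = auditor(r, require_cmk=require_cmk)
    return report


SAMPLE_RESOURCES = [  # constructed ARM-style resources
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts", "properties": {
        "supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
        "allowBlobPublicAccess": True, "encryption": {"keySource": "Microsoft.Storage"}}},
    {"name": "sthardened", "type": "Microsoft.Storage/storageAccounts", "properties": {
        "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False, "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny"},
        "encryption": {"keySource": "Microsoft.Keyvault"}}},
    {"name": "kv-prod", "type": "Microsoft.KeyVault/vaults", "properties": {
        "enableSoftDelete": True, "enablePurgeProtection": False,
        "enableRbacAuthorization": True, "networkAcls": {"defaultAction": "Deny"}}},
]


if __name__ == "__main__":
    for name, issues in audit_resources(SAMPLE_RESOURCES, require_cmk=True).items():
        print(f"{name}: {'; '.join(issues) if issues else 'no findings'}")
```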
Asset Management covers controls to ensure security visibility and governance over resources, including permissions for security personnel, access to asset inventory, and managing approvals for services and resources.
Security Principle: Track and logically organize all cloud assets by tagging and grouping based on characteristics. Security teams should have access to an up-to-date inventory of assets and associated risks.
Azure Guidance: Use Microsoft Defender for Cloud and Azure Resource Graph to query and track resources, tagging assets for logical organization.
AWS Guidance: Use AWS Systems Manager Inventory and AWS Resource Groups to query and organize assets by tags.
GCP Guidance: Use Cloud Asset Inventory and Security Command Center for inventory services and asset risk visibility.
Stakeholders: Infrastructure Security, Security Compliance Management
Security Principle: Ensure only approved cloud services are used by auditing and restricting provisioning permissions within the environment.
Azure Guidance: Use Azure Policy to restrict services and Azure Monitor to alert on unapproved services.
AWS Guidance: Use AWS Config to restrict service provisioning and AWS Resource Groups to discover resources.
GCP Guidance: Use Cloud Recommender and Organization Policy Service to restrict and audit service usage.
Stakeholders: Security Compliance Management, Posture Management
Security Principle: Ensure security attributes and configurations are updated throughout the asset lifecycle, particularly for high-impact changes.
Azure Guidance: Use policies to control asset lifecycle changes, and remove unused Azure resources.
AWS Guidance: Establish policies for lifecycle management and remove unused AWS resources.
GCP Guidance: Use IAM and VPC Service Controls to manage access and protect asset lifecycle management.
Stakeholders: Infrastructure Security, Posture Management, Security Compliance Management
Security Principle: Restrict access to asset management functions to prevent accidental or unauthorized modification of assets.
Azure Guidance: Use Azure Resource Manager and RBAC to control access and enforce permissions, with resource locks for additional protection.
AWS Guidance: Use IAM policies for fine-grained access control over AWS resources.
GCP Guidance: Use VM Manager and OS inventory to manage application permissions and restrict asset modifications.
Stakeholders: Posture Management, Infrastructure Security
Security Principle: Create an allow list of approved software for virtual machines, blocking unauthorized software from executing.
Azure Guidance: Use Microsoft Defender for Cloud adaptive application controls and Azure Automation Change Tracking for application monitoring.
AWS Guidance: Use AWS Systems Manager and AWS Config to control and track applications on EC2 instances.
GCP Guidance: Use VM Manager and OS configuration management to manage allowed applications.
Stakeholders: Infrastructure Security, Posture Management, Security Compliance Management
Logging and Threat Detection encompasses controls to detect cloud-based threats and enable, collect, and store audit logs for cloud services. It includes native threat detection, centralized security log analysis, and log retention strategies.
Security Principle: Monitor known resource types for threats and anomalies, configuring alert rules to produce high-quality alerts while reducing false positives.
Azure Guidance: Use Microsoft Defender for Cloud for threat detection on Azure services, ingesting logs into Azure Monitor or Microsoft Sentinel for analytics.
AWS Guidance: Use Amazon GuardDuty for threat detection, configuring AWS Config and Security Hub for additional compliance checks.
GCP Guidance: Use Event Threat Detection in Security Command Center, integrating with Chronicle SIEM and SOAR for enhanced threat detection.
Stakeholders: Infrastructure Security, Security Operations, Threat Intelligence
Security Principle: Detect IAM threats by monitoring sign-in and access anomalies, such as excessive failed logins or deprecated accounts.
Azure Guidance: Use Azure AD logs and Identity Protection for sign-in and account anomalies, with Microsoft Defender for Cloud for additional alerts.
AWS Guidance: Use IAM Access Advisor, GuardDuty for IAM threats, and CloudTrail logging for detailed IAM event tracking.
GCP Guidance: Use IAM logs and Policy Intelligence for IAM anomalies, with Event Threat Detection for sensitive IAM role activity.
Stakeholders: Security Operations, Application Security, Threat Intelligence
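The identity-threat detections described here (excessive failed logins) and the earlier identity guidance (block legacy authentication, enforce MFA for privileged users) can all be checked from sign-in records. The following is an added example, not code from the benchmark: it assumes records shaped like the Microsoft Graph signIn resource (userPrincipalName, clientAppUsed, authenticationRequirement, status.errorCode, createdDateTime), a caller-supplied set of privileged user principal names, and a legacy-protocol list that is my assumption drawn from common Exchange clients; the sample records are constructed.

```python
"""Flag identity hygiene gaps and failed-login bursts in Microsoft Entra sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values for legacy (basic-auth) protocols that cannot satisfy MFA or
# Conditional Access. Assumed list; extend it to match your tenant's sign-in data.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Exchange ActiveSync", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)", "POP3", "Other clients",
}


def _ts(value):
    """Parse a Graph UTC timestamp such as 2024-05-01T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyse_sign_ins(sign_ins, privileged_users, threshold=5, window=timedelta(minutes=10)):
    """Return three lists of user principal names:

    legacy_auth: users who signed in successfully over a legacy protocol
    privileged_single_factor: privileged users who signed in without MFA
    failed_login_burst: users with >= threshold failures inside one sliding window
    """
    findings = {"legacy_auth": [], "privileged_single_factor": [], "failed_login_burst": []}
    failures = defaultdict(list)
    for s in sign_ins:
        user = s["userPrincipalName"]
        if s["status"]["errorCode"] != 0:  # 0 is a successful sign-in
            failures[user].append(_ts(s["createdDateTime"]))
            continue
        if s["clientAppUsed"] in LEGACY_CLIENT_APPS and user not in findings["legacy_auth"]:
            findings["legacy_auth"].append(user)
        if (user in privileged_users
                and s["authenticationRequirement"] != "multiFactorAuthentication"
                and user not in findings["privileged_single_factor"]):
            findings["privileged_single_factor"].append(user)
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                findings["failed_login_burst"].append(user)
                break
    return findings


def _rec(time, user, app, requirement, code):
    """Build one record in Graph signIn shape (helper for the constructed sample only)."""
    return {"createdDateTime": time, "userPrincipalName": user, "clientAppUsed": app,
            "authenticationRequirement": requirement, "status": {"errorCode": code}}


MFA, SFA = "multiFactorAuthentication", "singleFactorAuthentication"
# Constructed records; 50126 is the invalid username or password error code.
SAMPLE_SIGN_INS = [
    _rec("2024-05-01T08:00:00Z", "alice@contoso.example", "Browser", MFA, 0),
    _rec("2024-05-01T08:05:00Z", "admin-bob@contoso.example", "Browser", SFA, 0),
    _rec("2024-05-01T08:07:00Z", "carol@contoso.example", "IMAP4", SFA, 0),
    _rec("2024-05-01T08:09:00Z", "erin@contoso.example", "Browser", SFA, 50126),
] + [_rec(f"2024-05-01T09:0{i}:00Z", "dave@contoso.example", "Browser", SFA, 50126)
     for i in range(6)]


if __name__ == "__main__":
    report = analyse_sign_ins(SAMPLE_SIGN_INS, privileged_users={"admin-bob@contoso.example"})
    for kind, users in report.items():
        print(f"{kind}: {', '.join(users) or '-'}")
```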
Security Principle: Enable logging for cloud resources to support security investigations, incident response, and compliance.
Azure Guidance: Use Azure Resource, Activity, and AD logs, configuring Microsoft Defender for Cloud and Azure Policy for log data collection.
AWS Guidance: Use CloudTrail and CloudWatch for management, data events, and custom logging for security insights.
GCP Guidance: Use Cloud Logging for different logging tiers, supporting custom, multi-cloud, and on-premises logs.
Stakeholders: Security Operations, DevOps, Threat Intelligence
Security Principle: Enable network service logging for incident investigation, threat hunting, and alert generation.
Azure Guidance: Use NSG logs, Firewall logs, and Traffic Analytics for insights, collecting DNS query logs.
AWS Guidance: Use VPC Flow Logs, WAF Logs, and Route53 Resolver logs for network security analysis.
GCP Guidance: Use VPC Flow Logs, Packet Mirroring, and export options for real-time network monitoring and analysis.
Stakeholders: Security Operations, Endpoint Security, Threat Intelligence
Security Principle: Centralize logging storage and analysis for correlation across logs, using a cloud-native or existing SIEM.
Azure Guidance: Use Log Analytics and Microsoft Sentinel for centralized log management and security analytics.
AWS Guidance: Aggregate AWS logs in CloudWatch or S3, using Microsoft Sentinel for SIEM capabilities.
GCP Guidance: Use Cloud Logging and Chronicle SIEM for comprehensive log storage and analysis.
Stakeholders: Security Architecture, DevOps, Endpoint Security
Security Principle: Define log retention policies based on compliance and business needs, ensuring appropriate archival.
Azure Guidance: Use Log Analytics, Azure Storage, and Data Lake for log retention, forwarding logs with Event Hubs if needed.
AWS Guidance: Configure CloudWatch retention policies and use S3 for long-term log archival.
GCP Guidance: Use Cloud Logging with configurable retention and Cloud Storage for archival.
Stakeholders: Security Compliance, Security Operations, DevOps
Security Principle: Use approved time synchronization sources to ensure accurate timestamps across all log data.
Azure Guidance: Use Microsoft NTP servers or configure custom NTP for compute resources.
AWS Guidance: Use Amazon Time Sync Service or configure NTP servers for custom setups.
GCP Guidance: Use Google Cloud NTP servers for time synchronization on compute resources.
Stakeholders: Policy and Standards, DevOps, Endpoint Security
Incident Response (IR) covers the incident response lifecycle, including preparation, detection and analysis, containment, and post-incident activities. This section includes controls for updating plans, automating response, and leveraging cloud tools to streamline the incident response process.
Security Principle: Develop processes for cloud incident response, considering shared responsibility and different service models. Regularly test and update plans to ensure they align with best practices.
Azure Guidance: Customize your incident response plan for Azure services and regularly update it.
AWS Guidance: Update your plan to include AWS services, following the AWS Security Incident Response Guide.
GCP Guidance: Update your incident response plan to address incidents on Google Cloud.
Stakeholders: Security Operations, Incident Preparation, Threat Intelligence
Security Principle: Ensure alerts and notifications reach the correct contacts in the incident response team.
Azure Guidance: Set up incident notifications in Microsoft Defender for Cloud.
AWS Guidance: Use AWS Incident Manager to define contact and escalation plans for incident notifications.
GCP Guidance: Use Security Command Center and Chronicle to set up notifications and playbook actions.
Stakeholders: Security Operations, Incident Preparation
Security Principle: Prioritize high-quality alerts based on historical incidents, validated sources, and alert filtering to improve response efficiency.
Azure Guidance: Use Microsoft Defender for Cloud and Sentinel to generate and prioritize alerts.
AWS Guidance: Use GuardDuty, SecurityHub, and Incident Manager to create incidents based on alerts.
GCP Guidance: Use Security Command Center and Chronicle to manage incident creation and prioritization.
Stakeholders: Security Operations, Incident Preparation, Threat Intelligence
Security Principle: Enable comprehensive investigation by collecting diverse data sources, correlating logs, and ensuring insights are retained for future use.
Azure Guidance: Use Azure AD, Network Watcher, and Sentinel for investigation with diverse data sources.
AWS Guidance: Use IAM logs, VPC Flow Logs, and CloudWatch for detailed incident investigations.
GCP Guidance: Use IAM and VPC logs in conjunction with Security Command Center for thorough incident analysis.
Stakeholders: Security Operations, Incident Preparation, Threat Intelligence
Security Principle: Prioritize incidents based on severity, asset sensitivity, and alert context to ensure the highest-risk issues are addressed first.
Azure Guidance: Use Microsoft Defender for Cloud and Sentinel to assign severity to alerts.
AWS Guidance: Use impact levels in Incident Manager to prioritize incidents.
GCP Guidance: Use severity ratings in Security Command Center and Chronicle to prioritize incidents.
Stakeholders: Security Operations, Incident Preparation, Threat Intelligence
Security Principle: Automate repetitive tasks to improve response time and reduce analyst fatigue.
Azure Guidance: Use Defender for Cloud and Sentinel playbooks to automate response actions.
AWS Guidance: Use AWS Systems Manager automation features and playbooks in Microsoft Sentinel.
GCP Guidance: Use Chronicle playbooks for automated incident handling.
Stakeholders: Security Operations, Incident Preparation, Threat Intelligence
Security Principle: Conduct post-incident analysis to improve future response and retain evidence for legal and operational purposes.
Azure Guidance: Retain evidence in Azure Storage and incorporate findings into Sentinel playbooks and detection settings.
AWS Guidance: Store evidence in Amazon S3 or Azure Storage and update response plans based on lessons learned.
GCP Guidance: Retain evidence in Google Cloud Storage and refine response plans in Chronicle or Sentinel.
Stakeholders: Security Operations, Incident Preparation, Threat Intelligence
Posture and Vulnerability Management focuses on controls for assessing and enhancing cloud security posture. It includes vulnerability scanning, remediation, security configuration tracking, reporting, and regular red team operations.
Security Principle: Define security configuration baselines for cloud resources, using configuration management tools to establish compliant settings by default.
Azure Guidance: Use Microsoft Cloud Security Benchmark and Azure Blueprints to establish baseline configurations.
AWS Guidance: Use AWS Well-Architected Framework and CloudFormation templates to set secure baselines.
GCP Guidance: Use Google Cloud blueprints and Terraform modules to automate secure configurations.
Stakeholders: Posture Management, Infrastructure & Endpoint Security, Application Security and DevOps
Security Principle: Continuously monitor for configuration deviations and enforce baseline configurations.
Azure Guidance: Use Azure Policy and Microsoft Defender for Cloud to audit and enforce configurations.
AWS Guidance: Use AWS Config rules and Systems Manager Automation for configuration compliance.
GCP Guidance: Use Google Cloud Security Command Center and Organizational Policy for configuration enforcement.
Stakeholders: Posture Management, Infrastructure & Endpoint Security, Application Security and DevOps
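The two posture-management controls above (define a configuration baseline, then continuously check deployed resources against it) are what Azure Policy, AWS Config rules and Organization Policy implement at scale. As an added example, not code from the MCSB or any of those services, the checker below compares constructed resource descriptions against a small baseline and reports each deviation; the baseline values and the sample resources are assumptions, modelled loosely on Azure storage-account and NSG property names.

```python
"""Added example: baseline drift checker over constructed resource descriptions.
Property names mirror Azure ARM conventions but the data here is made up."""

# Baseline: required settings per resource type (constructed).
BASELINE_STORAGE = {
    "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "publicNetworkAccess": "Disabled",
}
MANAGEMENT_PORTS = {"22", "3389"}           # SSH and RDP
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def check_storage_account(resource):
    """Return one deviation per baseline property that is missing or differs."""
    deviations = []
    props = resource.get("properties", {})
    for key, required in BASELINE_STORAGE.items():
        actual = props.get(key)
        if actual != required:
            deviations.append(f"{resource['name']}: {key}={actual!r}, baseline requires {required!r}")
    return deviations


def check_nsg(resource):
    """Flag inbound Allow rules exposing management ports (or all ports) to any source.
    Only exact single-port values are matched; ranges like '3000-4000' would need parsing."""
    deviations = []
    for rule in resource.get("properties", {}).get("securityRules", []):
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        if p["sourceAddressPrefix"] not in ANY_SOURCE:
            continue
        port = p["destinationPortRange"]
        if port == "*" or port in MANAGEMENT_PORTS:
            deviations.append(f"{resource['name']}/{rule['name']}: inbound {port} allowed from {p['sourceAddressPrefix']}")
    return deviations


CHECKS = {
    "Microsoft.Storage/storageAccounts": check_storage_account,
    "Microsoft.Network/networkSecurityGroups": check_nsg,
}


def evaluate(resources):
    """Run the matching check for each resource; unknown types are skipped."""
    findings = []
    for r in resources:
        check = CHECKS.get(r["type"])
        if check:
            findings.extend(check(r))
    return findings


# Constructed inventory: one compliant storage account, one drifted, one NSG with
# a public HTTPS rule (acceptable) and a public RDP rule (deviation).
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stcompliant",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                    "publicNetworkAccess": "Disabled"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stdrifted",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_0",
                    "publicNetworkAccess": "Enabled"}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-web",
     "properties": {"securityRules": [
         {"name": "allow-https", "properties": {"direction": "Inbound", "access": "Allow",
                                               "sourceAddressPrefix": "*", "destinationPortRange": "443"}},
         {"name": "allow-rdp", "properties": {"direction": "Inbound", "access": "Allow",
                                             "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
     ]}},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_RESOURCES):
        print(finding)
```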
Security Principle: Set secure configuration baselines for compute resources, such as VMs and containers, using pre-configured images or configuration management tools.
Azure Guidance: Use Azure Image Builder and Automanage Machine Configuration to secure VMs.
AWS Guidance: Use EC2 Image Builder and trusted AMIs for secure configurations.
GCP Guidance: Use Google Cloud Build container images and Packer Image Builder for secure VM configurations.
Stakeholders: Posture Management, Infrastructure & Endpoint Security, Application Security and DevOps
Security Principle: Continuously monitor and enforce secure configuration baselines for compute resources.
Azure Guidance: Use Defender for Cloud and Automanage Machine Configuration for VMs and containers.
AWS Guidance: Use Systems Manager State Manager and CloudFormation templates for EC2.
GCP Guidance: Use VM Manager and Security Command Center for Google Compute Engine instances.
Stakeholders: Posture Management, Infrastructure & Endpoint Security, Application Security and DevOps
Security Principle: Regularly perform vulnerability assessments for cloud resources across all tiers and track remediation efforts.
Azure Guidance: Use Defender for Cloud's built-in vulnerability scanner for VMs and third-party tools for network assessments.
AWS Guidance: Use Amazon Inspector for EC2 and container images and Defender for Cloud for extended monitoring.
GCP Guidance: Use Security Command Center's Web Security Scanner for vulnerability assessment.
Stakeholders: Posture Management, Infrastructure & Endpoint Security, Application Security and DevOps
Security Principle: Quickly and automatically apply patches and updates, prioritizing remediation based on risk.
Azure Guidance: Use Azure Automation Update Management for automated patching.
AWS Guidance: Use AWS Systems Manager Patch Manager for automated updates.
GCP Guidance: Use Google Cloud VM Manager OS patch management for automated patching.
Stakeholders: Posture Management, Infrastructure & Endpoint Security, Application Security and DevOps
Security Principle: Simulate real-world attacks through red team operations to gain a more comprehensive view of vulnerabilities.
Azure Guidance: Follow Microsoft’s Red Teaming strategy and perform penetration tests as per the Rules of Engagement.
AWS Guidance: Conduct penetration tests following AWS policies for testing.
GCP Guidance: Follow GCP policies for penetration testing.
Stakeholders: Posture Management, Infrastructure & Endpoint Security, Application Security and DevOps
Endpoint Security includes controls for endpoint detection and response (EDR) and anti-malware solutions for cloud-based endpoints to detect and protect against advanced threats and malware.
Security Principle: Enable EDR capabilities for virtual machines, integrating with SIEM and security operations processes.
Azure Guidance: Use Microsoft Defender for Servers with Microsoft Defender for Endpoint for EDR, integrated with Microsoft Sentinel.
AWS Guidance: Use Microsoft Defender for Cloud on EC2, or Amazon GuardDuty for threat intelligence on EC2 instances.
GCP Guidance: Use Microsoft Defender for Cloud on GCP VMs, or Security Command Center for threat intelligence.
Stakeholders: Infrastructure & Endpoint Security, Threat Intelligence, Security Compliance Management, Posture Management
Security Principle: Use real-time protection and periodic scanning anti-malware solutions for endpoint protection.
Azure Guidance: Use Microsoft Defender Antivirus for Windows VMs, and Microsoft Defender for Endpoint on Linux VMs. Defender for Cloud can assess anti-malware health.
AWS Guidance: Deploy Microsoft Defender Antivirus on EC2 Windows instances and Defender for Endpoint on Linux. Defender for Cloud provides health assessment.
GCP Guidance: Use Microsoft Defender Antivirus for Windows VMs and Defender for Endpoint for Linux VMs. Defender for Cloud assesses anti-malware health.
Stakeholders: Infrastructure & Endpoint Security, Threat Intelligence, Security Compliance Management, Posture Management
Security Principle: Ensure anti-malware signatures are updated promptly to maintain protection.
Azure Guidance: Microsoft Defender for Cloud monitors endpoint protection updates. Microsoft Antimalware and Defender for Endpoint auto-update signatures by default.
AWS Guidance: Microsoft Defender for Cloud monitors updates; Microsoft Antimalware and Defender for Endpoint automatically update signatures.
GCP Guidance: Microsoft Defender for Cloud monitors EDR solutions; Microsoft Antimalware and Defender for Endpoint auto-update signatures.
Stakeholders: Infrastructure & Endpoint Security, Threat Intelligence, Security Compliance Management, Posture Management
Backup and Recovery ensures data and configuration backups at different service tiers are performed, validated, and protected, supporting business continuity and disaster recovery.
Security Principle: Automate backups of business-critical resources, either during creation or through policy for existing resources.
Azure Guidance: Enable Azure Backup for supported resources and configure policies. For others, use native or custom backup solutions.
AWS Guidance: Enable AWS Backup for supported resources; use native features or custom methods as needed.
GCP Guidance: Enable GCP Backup for supported resources, or use native/custom solutions.
Stakeholders: Policy and Standards, Security Architecture, Infrastructure Security, Incident Preparation
Security Principle: Secure backup data from exfiltration, compromise, and other threats using access control and encryption.
Azure Guidance: Use Azure RBAC, private endpoints, encryption, and multi-factor authentication for backup operations.
AWS Guidance: Implement IAM policies, multi-factor authentication, encryption, and Vault Lock for data protection.
GCP Guidance: Use Google IAM roles, encryption, and secure access controls for backup and recovery.
Stakeholders: Security Architecture, Infrastructure Security, Incident Preparation
Security Principle: Ensure business-critical resources are compliant with backup policies and monitored regularly.
Azure Guidance: Use Azure Policy and Backup Center for centralized backup governance and monitoring.
AWS Guidance: Use AWS Backup Audit Manager, CloudWatch, EventBridge, and SNS for backup monitoring.
GCP Guidance: Use Organizational Policy and Management Console to govern and monitor backups.
Stakeholders: Incident Preparation, Security Compliance Management
Security Principle: Conduct data recovery tests periodically to verify backup configurations and data availability as per RTO/RPO requirements.
Azure Guidance: Define recovery test strategy and perform periodic recovery tests for Azure backups.
AWS Guidance: Define recovery test strategy and perform data recovery tests for AWS backups.
GCP Guidance: Define recovery test strategy and perform periodic recovery tests for GCP backups.
Stakeholders: Security Architecture, Incident Preparation, Data Security
DevOps Security covers security controls within DevOps processes, focusing on critical checks like threat modeling, supply chain security, and security testing within the CI/CD pipeline to ensure continuous security throughout DevOps.
Security Principle: Perform threat modeling to identify potential threats and mitigation controls for applications and DevOps environments.
Azure Guidance: Use Microsoft threat modeling tools with STRIDE methodology for comprehensive threat analysis, especially in the CI/CD pipeline.
AWS Guidance: Use the Microsoft Threat Modeling Tool, incorporating STRIDE for secure CI/CD environments.
GCP Guidance: Use STRIDE methodology with Microsoft Threat Modeling Tool to secure GCP environments in DevOps.
Stakeholders: Policy and Standards, Application Security, DevSecOps
Security Principle: Secure the software supply chain with controls over in-house and third-party dependencies.
Azure Guidance: Use GitHub Advanced Security features like Dependabot and Dependency Graph to monitor dependencies.
AWS Guidance: Use AWS CodeGuru Reviewer for code analysis, along with Dependabot in GitHub.
GCP Guidance: Use Software Delivery Shield for end-to-end supply chain security in GCP’s CI/CD workflows.
Stakeholders: Application Security, DevSecOps, Posture Management
Security Principle: Apply security best practices to protect CI/CD infrastructure, including access controls and configuration management.
Azure Guidance: Secure Azure DevOps and GitHub CI/CD environments with Azure AD policies and Azure Key Vault for secrets management.
AWS Guidance: Use AWS IAM for secure access, CodeArtifact for artifact management, and Amazon Inspector for vulnerability scanning.
GCP Guidance: Use Cloud IAM for access, Artifact Registry for secure artifact storage, and Cloud Security Command Center for compliance.
Stakeholders: DevSecOps, Infrastructure Security, Security Architecture
Security Principle: Include SAST in the CI/CD pipeline to prevent vulnerabilities from reaching production.
Azure Guidance: Use GitHub CodeQL and Azure DevOps Credential Scanner for source code analysis.
AWS Guidance: Integrate AWS CodeGuru and GitHub CodeQL for SAST in AWS CodePipeline.
GCP Guidance: Use Software Delivery Shield and Cloud Build for SAST integration in GCP workflows.
Stakeholders: Application Security, DevSecOps
Security Principle: Include DAST in the CI/CD pipeline to catch runtime vulnerabilities before deployment.
Azure Guidance: Integrate DAST tools in Azure DevOps Pipeline for automated penetration testing.
AWS Guidance: Use third-party DAST tools in AWS CodePipeline for runtime security testing.
GCP Guidance: Use Web Security Scanner with Cloud Build for DAST in GCP workflows.
Stakeholders: Application Security, DevSecOps
Security Principle: Maintain secure workloads from development through deployment using security benchmarks.
Azure Guidance: Use Azure Shared Image Gallery and Defender for Containers to secure images and container workloads.
AWS Guidance: Use Amazon ECR and Amazon Inspector for secure image storage and scanning.
GCP Guidance: Implement Artifact Registry and Container Threat Detection for secure image handling in GCP.
Stakeholders: DevSecOps, Posture Management, Security Architecture
Security Principle: Ensure comprehensive logging and monitoring across non-production and CI/CD workflows for security insights.
Azure Guidance: Use Azure Monitor and Sentinel for centralized log ingestion and monitoring of Azure DevOps and GitHub environments.
AWS Guidance: Enable CloudTrail logging in non-production and CI/CD environments for auditing AWS CodePipeline, CodeBuild, and CodeDeploy.
GCP Guidance: Enable logging in Cloud Build, Google Cloud Deploy, and ingest logs to Chronicle or Security Command Center for monitoring.
Stakeholders: Security Operations, DevSecOps, Incident Preparation
Governance and Strategy provides guidance for a coherent security strategy, establishing roles and responsibilities, and defining security policies to support cloud security functions, segmentation, and secure DevOps.
Guidance: Define and communicate roles and responsibilities within the security organization. Prioritize clarity in accountability and emphasize shared responsibility.
Implementation: Review Azure Security Best Practices for education and accountability strategies.
Stakeholders: All
Guidance: Segment access to resources with network, identity, and application controls while balancing operational needs.
Implementation: Follow Microsoft's Cloud Adoption Framework for segmentation strategies.
Stakeholders: All
Guidance: Define a strategy for data classification, encryption, and access control aligned to regulatory requirements.
Implementation: Apply Microsoft cloud security benchmarks and Azure Data security best practices.
Stakeholders: All
Guidance: Establish network security policies, segment virtual networks, and define ingress/egress strategies.
Implementation: Use Azure Security Best Practices and network security benchmarks.
Stakeholders: All
Guidance: Set baselines for resource configurations, use tools to enforce compliance, and schedule regular vulnerability assessments.
Implementation: Apply Secure Score, Compliance Dashboard, and subscribe to vulnerability advisories.
Stakeholders: All
Guidance: Define centralized identity management, enforce MFA, and establish break-glass protocols for emergency access.
Implementation: Use Azure AD, apply privileged identity management, and review access regularly.
Stakeholders: All
Guidance: Implement centralized logging, threat detection, and a well-defined incident response plan following NIST guidelines.
Implementation: Use Microsoft Defender, SIEM, and runbooks for incident response.
Stakeholders: All
Guidance: Define RTO/RPO, use redundancy strategies, and secure backups to mitigate risks like ransomware.
Implementation: Apply Azure Backup, Disaster Recovery Framework, and monitor backup integrity.
Stakeholders: All
Guidance: Deploy EDR and anti-malware across endpoints, integrated with threat detection and SIEM for defense-in-depth.
Implementation: Use Defender for Endpoint and ensure endpoint protection in both production and non-production environments.
Stakeholders: All
Guidance: Mandate security in DevOps workflows, emphasizing early checks in the CI/CD pipeline to prevent last-minute issues.
Implementation: Use resource deployment templates and Azure DevSecOps best practices for automated security testing.
Stakeholders: All
Guidance: Build a strategy for consistent security across multi-cloud environments, with tooling and operations processes that reduce vendor lock-in.
Implementation: Leverage Microsoft Defender, Sentinel, and apply hybrid cloud management practices.
Stakeholders: All