Skip to main content
Microsoft Security

Best practices for securely moving workloads to Microsoft Azure

Azure is Microsoft’s cloud computing environment. It offers customers three primary service delivery models including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Adopting cloud technologies requires a shared responsibility model for security, with Microsoft responsible for certain controls and the customer others, depending on the service delivery model chosen. To ensure that a customer’s cloud workloads are protected, it is important that they carefully consider and implement the appropriate architecture and enable the right set of configuration settings.

Microsoft has developed a set of Azure security guidelines and best practices for our customers to follow. These guides can be found in the Azure security best practices and patterns documentation. In addition, we’re excited to announce the availability of the Center for Internet Security’s (CIS) Microsoft Azure Foundations Security Benchmark, developed in partnership with Microsoft. CIS is a non-profit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.

The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. Its scope is designed to assist organizations in establishing the foundation level of security for anyone adopting the Microsoft Azure cloud. The benchmark should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate their specific situation, workloads, and compliance requirements and tailor their environment accordingly.

The CIS benchmark contains two levels, each with slightly different technical specifications:

The CIS Microsoft Azure Foundations Security Benchmark is divided into the following sections:

Section

Description

No. of Rec. Controls

Identity and Access Management

Recommendations related to setting the appropriate identity and access management policies.

23

Azure Security Center

Recommendations related to the configuration and use of Azure Security Center.

19

Storage Accounts

Recommendations for setting storage account policies.

7

Azure SQL Services

Recommendations for securing Azure SQL Servers.

8

Azure SQL Databases

Recommendations for securing Azure SQL Databases.

8

Logging and Monitoring

Recommendations for setting logging and monitoring policies on your Azure subscriptions.

13

Networking

Recommendations for securely configuring Azure networking settings and policies.

5

Virtual Machines

Recommendations for setting security policies for Azure compute services, specifically virtual machines.

6

Other Security Considerations

Recommendations regarding general security and operational controls, including those related to Azure Key Vault and Resource Locks.

3

Total Recommendations

92

 

Each recommendation contains several sections, including a recommendation identification number, title, and description; level or profile applicability; rationale; instructions for auditing the control; remediation steps; impact of implementing the control; default value; and references. As an example, the first control contained in the benchmark is under the Identity and Access Management section and is titled: 1.1 Ensure that multi-factor authentication is enabled for all privileged users (Scored). A control is marked as “Scored” or “Not Scored” based on whether it can be programmatically tested. In this case, recommendation 1.1 can be audited leveraging the Microsoft Graph and PowerShell commandlet. The specific steps for auditing the control are contained in the “Audit” section for this specific recommendation. This recommendation is listed as a Level 1 control because it is only applied to Azure administrative users and would not have a company-wide impact or produce less functionality for users. The rationale for recommendation 1.1 is that Azure administrative accounts need to be protected due to their powerful privileges, and with multiple factors for authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk to the Azure tenant.

The benchmark is freely available in PDF format on the CIS website.

You can also find more information on Azure Security Center and on Azure Active Directory. Both are critical solutions to securely deploying and monitoring Azure workloads and are covered in the new CIS benchmark.