At Ignite November 2021, Microsoft released a new version of the Azure Security Benchmark (v3).
The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. This benchmark is part of a set of holistic security guidance that also includes:
- Cloud Adoption Framework: Guidance on security, including strategy, roles and responsibilities, Azure Top 10 Security Best Practices, and reference implementation.
- Azure Well-Architected Framework: Guidance on securing your workloads on Azure.
- Microsoft Security Best Practices: Recommendations with examples on Azure.
- Microsoft Cybersecurity Reference Architectures (MCRA): Visual diagrams and guidance for security components and relationships.
The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).
Here’s what’s new in the Azure Security Benchmark v3:
- Mappings to the industry frameworks PCI-DSS v3.2.1 and CIS Controls v8 are added in addition to the existing mappings to CIS Controls v7.1 and NIST SP800-53 Rev4.
- The control guidance is refined to be more granular and actionable, e.g., security guidance is now divided into two separate parts, Security Principle and Azure Guidance. Security Principle is the "what", explaining the control at the technology-agnostic level; Azure Guidance is focused on the "how", elaborating on the relevant technical features and ways to implement the controls in Azure.
- New controls are added, e.g., DevOps Security as a new control family, which also includes topics such as threat modeling and software supply chain security. Key and certificate management was introduced to recommend key and certificate management best practices in Azure.
You can download the Azure Security Benchmark in spreadsheet format.