Assessing the security of your Azure environments
using standardized benchmarks helps ensure that
your organizational security posture has not been
adversely weakened.
More and more enterprises are taking advantage of the competitive marketplace of public cloud providers. While AWS continues to be the leader, Microsoft Azure is growing rapidly. What is common to any public cloud initiative is the need to build a cloud security program, which typically focuses on the following tasks:
• Identifying the areas of information security risk that organizational objectives such as “Cloud First” create, and defining the impact and the necessary enhancements on three levels: people, processes and technology.
• Evaluating and implementing security controls to limit the exposure to
risks in these areas.
In practice, however, many companies initiate cloud security programs after the fact, as a reaction to workloads that have already been deployed to public clouds. Many security teams long assumed that workloads could not be adequately protected in the public cloud, and in the meantime various delivery teams implemented Azure security controls in an ad hoc manner. Reviewing the current state of those controls has therefore become urgent in many organizations.
Start your Azure Security Assessment by Defining a Standardized Security Benchmark
Let’s assume you agree that assessing the security controls already implemented in your Azure environments is one of your top priorities. Where do you start?
NIST SP 800-53 and ISO 27001 are comprehensive security standards, but implementing either in full takes months of planning and execution. The Center for Internet Security (CIS) Top 20 Critical Security Controls prioritize the controls found in such standards, focusing on the most essential ones. They were designed to “serve as the basis for immediate high-value action” and map to other standards such as PCI DSS and FedRAMP, which makes them an efficient starting point. For AWS, CIS also publishes the CIS AWS Foundations Benchmark, which defines prescriptive security configurations for a subset of core AWS services. At the time of writing, however, there is no analogous CIS baseline for Azure.
That is why we at CTP developed our own Azure Foundations Benchmark, which is closely based on the CIS AWS Foundations Benchmark. Why did we decide to model it after the CIS AWS Foundations Benchmark, rather than start directly from the CIS Top 20 Critical Security Controls? One of the key reasons
WINTER 2018 | THE DOPPLER | 11