Introduction to the Microsoft cloud security benchmark

Note

The Microsoft cloud security benchmark v2 (preview) is now available. We encourage you to explore this version and provide feedback to help us improve it further. For any questions or comments, email us at benchmarkfeedback@microsoft.com.

The Microsoft cloud security benchmark provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multicloud environment. This benchmark focuses on cloud-centric security areas with input from a set of holistic Microsoft and industry security guidance that includes:

New services and features are released daily in Azure and cloud service providers platforms. Developers rapidly publish new cloud applications built on these services. And bad actors constantly seek new ways to exploit misconfigured resources. The cloud moves fast. Developers move fast. Bad actors also move fast. How do you keep up and make sure that your cloud deployments are secure? How are security practices for cloud systems different from on-premises systems and different between cloud service providers? How do you monitor your workload for consistency across multiple cloud platforms?

Microsoft found that using security benchmarks can help you quickly secure cloud deployments. A comprehensive security best practice framework from cloud service providers can give you a starting point for selecting specific security configuration settings in your cloud environment, across multiple service providers. It also allows you to monitor these configurations using a single pane of glass.

The Microsoft cloud security benchmark v2 (preview)

The Microsoft cloud security benchmark v2 (preview) represents the latest evolution of the MCSB with enhanced Azure-focused guidance, expanded security domains, and comprehensive technical implementation details. This version introduces a new Artificial Intelligence Security domain with seven recommendations, over 420 Azure Policy built-in definitions for automated compliance monitoring, and risk- and threat-based guidance with granular implementation examples. For detailed information about the security control structure, domain descriptions, and implementation guidance, see the Overview of Microsoft cloud security benchmark v2 (preview).

Implement Microsoft cloud security benchmark

The security controls in MCSB generally apply across your cloud workloads. Each security control identifies stakeholders that are typically involved in planning, approval, or implementation. This information helps organizations coordinate their security efforts effectively.

  • Plan your MCSB implementation by reviewing the documentation for the security controls to plan your framework and how it maps to guidance like Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and the Payment Card Industry Data Security Standard (PCI-DSS) framework.
  • Monitor your compliance with MCSB status (and other control sets) by using the Microsoft Defender for Cloud – Regulatory Compliance Dashboard for your multicloud environment.
  • Establish guardrails to automate secure configurations and enforce compliance with MCSB (and other requirements in your organization) by using features such as Azure Blueprints, Azure Policy, or the equivalent technologies from other cloud platforms.
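The third step, establishing guardrails, is where the benchmark's recommendations become machine-enforced. The following custom Azure Policy definition is an added illustration, not part of the MCSB documentation or one of its built-in definitions. It assumes a hypothetical organization that wants to stop storage accounts from being created or updated unless HTTPS-only transfer is enabled; the display name and description are placeholders, and the `effect` parameter lets the same definition be assigned in Audit mode first (to see what would be flagged on the compliance dashboard) and switched to Deny once the impact is understood.

```json
{
  "properties": {
    "displayName": "Example guardrail: storage accounts must require secure transfer",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Illustrative custom definition (not an MCSB built-in). Flags or blocks storage accounts that allow non-HTTPS traffic.",
    "metadata": {
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Audit",
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "metadata": {
          "displayName": "Effect",
          "description": "Start with Audit to measure drift; move to Deny once existing resources are remediated."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "exists": "false"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning this definition at a management group or subscription scope applies it to every storage account beneath that scope; the `anyOf` branch catches both an explicit `false` and a missing property, so a resource cannot slip through by omitting the setting. The same pattern (evaluate a resource alias, parameterize the effect, audit before deny) is how the MCSB built-in definitions referenced above are structured, which is what lets the Regulatory Compliance Dashboard report on them uniformly.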

Common use cases

Use the Microsoft cloud security benchmark to address common challenges for customers or service partners who are:

  • New to Azure (and other major cloud platforms, such as AWS) and looking for security best practices to ensure a secure deployment of cloud services and your own application workload.
  • Looking to improve security posture of existing cloud deployments to prioritize top risks and mitigations.
  • Using multicloud environments (such as Azure and AWS) and facing challenges in aligning security control monitoring and evaluation using a single pane of glass.
  • Evaluating the security features and capabilities of Azure (and other major cloud platforms, such as AWS) before onboarding or approving a service into the cloud service catalog.
  • Having to meet compliance requirements in highly regulated industries, such as government, finance, and healthcare. These customers need to ensure that their service configurations in Azure and other clouds meet the security specifications defined in frameworks such as CIS, NIST, or PCI. MCSB provides an efficient approach, with its controls already pre-mapped to these industry benchmarks.

Terminology

The Microsoft cloud security benchmark uses several key terms to organize and describe security guidance. It's important to understand how MCSB uses these terms.

Security Domain
  Description: A high-level grouping of related security controls that address a specific area of security concern.
  Example: Artificial Intelligence Security is one of the 12 security domains in MCSB v2. It groups all security controls related to securing AI workloads and services.

Security Control
  Description: A specific security requirement or recommendation within a domain that needs to be addressed. Security controls are technology-agnostic descriptions of what you should achieve.
  Example: Within the Data Protection domain, "DP-1: Discover, classify, and label sensitive data" is a security control that describes the need to identify and categorize sensitive information.

Security Subcontrol
  Description: A detailed, granular recommendation or implementation guidance that supports a security control. A security subcontrol provides specific technical or procedural steps.
  Example: Under security control DP-1, security subcontrol DP-1.1 provides specific guidance for implementing data classification using Microsoft Purview or similar tools.

Baseline
  Description: A set of security control implementations tailored for a specific scenario, compliance framework, or industry.
  Example: While baselines for MCSB v2 (preview) aren't yet available, you can find information on the MCSB v1 baselines at Overview of Microsoft cloud security benchmark v1.

We welcome your feedback on Microsoft cloud security benchmark! We encourage you to provide comments in the feedback area below. If you prefer to share your input more privately with the Microsoft cloud security team, email us at benchmarkfeedback@microsoft.com.