Overview of Microsoft cloud security benchmark v2 (preview)

For an introduction to the Microsoft cloud security benchmark project, including key concepts, implementation guidance, and terminology, see the Microsoft cloud security benchmark introduction.

The Microsoft cloud security benchmark v2 (preview) provides enhanced Azure-focused guidance with expanded security domains and comprehensive technical implementation details. This version builds upon the foundation of the Microsoft cloud security benchmark with refined security controls, AI security guidance, and expanded Azure Policy mappings.

Key features

Note

Microsoft cloud security benchmark v2 (preview) is now available. Explore this version and provide feedback to help us improve it. For any questions or comments, email us at benchmarkfeedback@microsoft.com.

For information about the earlier version, see Overview of Microsoft cloud security benchmark v1.

The Microsoft cloud security benchmark v2 (preview) includes:

  1. Artificial Intelligence Security - A new security domain with seven recommendations covering AI platform security, AI application security, and AI security monitoring to address threats and risks in artificial intelligence deployments.

  2. Comprehensive Azure Policy mappings - More than 420 Azure Policy built-in definitions to help you measure and monitor your security posture in Azure by using Azure Policy and Defender for Cloud.

  3. Risk and threat-based guidance - Comprehensive guidelines with granular technical implementation examples and detailed references to help you understand the security risks and threats that each security control mitigates, and how to implement the security controls in your Azure environment.

Security domains

Network security (NS): Network Security covers controls to secure and protect networks, including securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS.

Identity Management (IM): Identity Management covers controls to establish secure identity and access controls by using identity and access management systems, including the use of single sign-on, strong authentication, managed identities (and service principals) for applications, conditional access, and account anomaly monitoring.

Privileged Access (PA): Privileged Access covers controls to protect privileged access to your tenant and resources, including a range of controls to protect your administrative model, administrative accounts, and privileged access workstations against deliberate and inadvertent risk.

Data Protection (DP): Data Protection covers controls for protecting data at rest, in transit, and via authorized access mechanisms, including discovering, classifying, protecting, and monitoring sensitive data assets by using access control, encryption, key management, and certificate management.

Asset Management (AM): Asset Management covers controls to ensure security visibility and governance over your resources, including recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct).

Logging and Threat Detection (LT): Logging and Threat Detection covers controls for detecting threats in the cloud and for enabling, collecting, and storing audit logs for cloud services, including enabling detection, investigation, and remediation processes with controls to generate high-quality alerts with native threat detection in cloud services. It also includes collecting logs with a cloud monitoring service, centralizing security analysis with a SIEM, time synchronization, and log retention.

Incident Response (IR): Incident Response covers controls in the incident response life cycle: preparation, detection and analysis, containment, and post-incident activities, including using Azure services (such as Microsoft Defender for Cloud and Microsoft Sentinel) and/or other cloud services to automate the incident response process.

Posture and Vulnerability Management (PV): Posture and Vulnerability Management focuses on controls for assessing and improving cloud security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in cloud resources.

Endpoint Security (ES): Endpoint Security covers controls for endpoint detection and response, including the use of an endpoint detection and response (EDR) solution and an anti-malware service for endpoints in cloud environments.

Backup and Recovery (BR): Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected.

DevOps Security (DS): DevOps Security covers the controls related to security engineering and operations in the DevOps processes, including deployment of critical security checks (such as static application security testing and vulnerability management) prior to the deployment phase to ensure security throughout the DevOps process. It also includes common topics such as threat modeling and software supply chain security.

Artificial Intelligence Security (AI): Artificial Intelligence Security covers controls to ensure the secure development, deployment, and operation of AI models and services, including AI platform security, AI application security, and AI security monitoring.

Security control structure in Microsoft cloud security benchmark v2 (preview)

Each security control in the benchmark includes the following sections:

  • ID: A unique identifier for each security control, consisting of a domain abbreviation and number (for example, AI-1 for Artificial Intelligence Security control 1, DP-1 for Data Protection control 1, NS-2 for Network Security control 2). This ID is used throughout the documentation to reference specific security controls.
  • Azure Policy: Links to Azure built-in policy definitions that you can use to measure and enforce the security control. Note that not every security control includes an Azure Policy link, as some security controls provide guidance for scenarios or configurations that Azure Policy automation can't enforce.
  • Security principle: High-level description of the security control at the technology-agnostic level, explaining the "what" and "why" of the security control.
  • Risk to mitigate: The specific security risks and threats that the security control aims to address.
  • MITRE ATT&CK: The MITRE ATT&CK tactics, techniques, and procedures (TTPs) relevant to the security risks. Learn more at https://attack.mitre.org/.
  • Implementation guidance: Detailed Azure-specific technical guidance organized in numbered sub-sections (for example, NS-1.1, NS-1.2) explaining how to implement the security control using Azure features and services.
  • Implementation example: Practical real-world scenario demonstrating how to implement the security control, including the challenge, solution approach, and outcome.
  • Criticality level: Indicates the relative importance of the security control for security posture. Possible values are "Must have" (essential for baseline security), "Should have" (important for enhanced security), or "Nice to have" (beneficial for advanced security scenarios).
  • Control Mapping: Mappings to industry security standards and frameworks, including:

The security control mappings between MCSB and industry benchmarks (such as CIS, NIST, PCI, ISO, and others) only indicate that you can use specific Azure features to fully or partially address a security control requirement defined in these industry benchmarks. Such implementation doesn't necessarily translate to the full compliance of the corresponding security controls in these industry benchmarks.
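The "Comprehensive Azure Policy mappings" feature and the Azure Policy field of each control both come down to one built-in initiative (policy set definition) whose policies are grouped by MCSB control ID. The following Azure CLI script is an added example, not code from this page or from Microsoft, showing how to resolve that initiative, list the built-in policies mapped to a given control, assign the initiative to a subscription, and pull a compliance summary. It assumes an authenticated `az` session, that the initiative's display name is "Microsoft cloud security benchmark" (the v1 built-in; the v2 preview initiative may be published under a different name, which you can override through `MCSB_DISPLAY_NAME`), that the initiative's policy definition groups are named `<prefix>_<CONTROL-ID>` (for example `Microsoft_cloud_security_benchmark_v1.0_NS-1`), and that the assignment name `mcsb` is free at the target scope. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the benchmark page or from Microsoft): inspect and apply
# the MCSB built-in initiative with Azure CLI. Requires an authenticated `az` session.
# Assumptions to verify in your tenant:
#   - the initiative's display name is "Microsoft cloud security benchmark"
#     (override with MCSB_DISPLAY_NAME for the v2 preview initiative);
#   - its policy definition groups are named "<prefix>_<CONTROL-ID>",
#     e.g. "Microsoft_cloud_security_benchmark_v1.0_NS-1".
set -eu

# Pure helper: pull the control ID (for example NS-1 or AI-1) off the end of a
# policy definition group name. Names without such a suffix are returned unchanged.
mcsb_control_from_group() {
  printf '%s\n' "$1" | sed -E 's/.*_([A-Z]{2}-[0-9]+)$/\1/'
}

# Resolve the initiative (policy set definition) name; built-ins use a GUID.
mcsb_initiative_name() {
  az policy set-definition list \
    --query "[?displayName=='${MCSB_DISPLAY_NAME:-Microsoft cloud security benchmark}'].name | [0]" \
    -o tsv
}

# List every control ID the initiative groups its policies under.
mcsb_control_ids() {
  az policy set-definition show --name "$1" \
    --query "policyDefinitionGroups[].name" -o tsv |
  while IFS= read -r group; do mcsb_control_from_group "$group"; done | sort -u
}

# Print the policy reference IDs mapped to one control, e.g. NS-1. Each policy
# reference carries a groupNames array; match on the "_<control>" suffix of a group.
mcsb_policies_for_control() {
  initiative="$1"; control="$2"
  az policy set-definition show --name "$initiative" \
    --query "policyDefinitions[].[policyDefinitionReferenceId, to_string(groupNames)]" -o tsv |
  awk -F '\t' -v suffix="_${control}\"" 'index($2, suffix) > 0 { print $1 }'
}

# Assign the initiative at subscription scope (audit effects only, so no managed
# identity is required) so that compliance results start to populate.
mcsb_assign() {
  subscription="$1"; initiative="$2"
  az policy assignment create --name mcsb \
    --display-name "Microsoft cloud security benchmark" \
    --policy-set-definition "$initiative" \
    --scope "/subscriptions/${subscription}" -o none
}

# Summarize compliance for the initiative: counts of non-compliant resources and policies.
mcsb_compliance_summary() {
  subscription="$1"; initiative="$2"
  az policy state summarize --subscription "$subscription" \
    --policy-set-definition "$initiative" --query "results" -o json
}

# Usage: sh mcsb.sh run <subscription-id> [control-id]
if [ "${1:-}" = "run" ]; then
  sub="$2"; control="${3:-NS-1}"
  initiative="$(mcsb_initiative_name)"
  echo "Initiative: $initiative"
  echo "Controls:"; mcsb_control_ids "$initiative"
  echo "Policies for $control:"; mcsb_policies_for_control "$initiative" "$control"
  mcsb_assign "$sub" "$initiative"
  mcsb_compliance_summary "$sub" "$initiative"
fi
```

Compliance data only exists for assigned initiatives, and the first evaluation after assignment can take a while, so run the summary again later if `results` comes back empty. `mcsb_assign` fails if an assignment named `mcsb` already exists at the scope; reuse the existing assignment in that case. A control with no Azure Policy link in the benchmark (the page notes that some controls cannot be enforced by policy) simply yields no policies from `mcsb_policies_for_control`, which is expected rather than an error.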

We welcome your detailed feedback and active participation in the Microsoft cloud security benchmark v2 (preview) effort. If you want to provide direct input, email us at benchmarkfeedback@microsoft.com.

Next steps