
Control
The enterprise has defined a formal and independent governance structure (e.g., cloud/IT security steering committee) that e
and ongoing operations of the Azure cloud platform.

Note: This group should be separate from the enterprise's personnel performing daily or routine operations that utilize Azure
applications. This group should also be responsible for consulting with the board of directors to establish objective compliance
of all in-use Azure service methods (e.g., Cosmos DB, Azure Active Directory®, Key Vault, etc.) to measure compliance and rep
the board of directors and operational personnel accountable to this group.

On a regular basis (as defined by the enterprise), the cloud/IT security steering committee meets with operational manageme
status.

Note: These meetings should focus on the governance structure providing feedback to operational management, high availab
performance indicators (KPIs), formal communication of staffing and resource needs required to operate the platform in accor
challenges operational management is facing with security or program implementation, compliance concerns or other matters
achievement of stakeholder requirements.

Note: Other specific elements the steering committee should be made aware of include results of Active Directory® (AD) risk r
penetration testing (if any), results of any internal audits, external audits, and security or compliance scans conducted.

The enterprise has designated cloud resource owners responsible for accurately configuring the use of Azure applications, ass
maintenance of Azure applications or related resources as necessary.

Note: Azure has dozens of individual service offerings and the enterprise should designate Azure application owners who take
owners may be a single individual or department, or may span several departments or individuals across the enterprise. Azure
enterprise's applications (blob storage, SQL DB, VMs, etc.) are subject to code changes or changes in general which are under
also emerge constantly that may integrate with existing services. The entire suite of Azure cloud services and their related res
instances, and IAM users or roles) should be specifically owned and their capabilities fully understood, assessed and strictly m
requirements.

Note: Microsoft recommends that security personnel who are responsible for protecting Azure environments have adequate s
roles and responsibilities, the audit team should consider reviewing level of access early in the audit engagement.

The enterprise has developed formal Azure security documentation (plan, policies and procedures) which incorporates the use
Management reviews documentation annually for completeness and accuracy.

The enterprise has developed formal change management, security incident response, business continuity and disaster recove
resources.
Management has documented network diagrams detailing in-use Azure services, data pathways and data participants. Diagram
as necessary.

Note: Network diagrams typically consist of a series of layered diagrams that explain abstract but related concepts about the s
computing environment. In the case of Azure, it is important to understand the number of Azure tenants in use, management gro
tenant, physical region(s) of each tenant and service resources deployed to (e.g., North Central US, UK South, West India), con
architecture, number of subnets per tenant, number of on-premises networks connected to each tenant and types of data alon

Note: Microsoft recommends that management group depth be limited to no more than 3 levels to avoid overcomplication of
standards. Microsoft further recommends that root management groups have clear requirements as to their purposes (e.g., a
requirement, RBAC permissions assignment) and that any changes to root management groups are carefully planned and test
committing changes to production.

Executive management has expressly declared (through Azure Policy) the physical locations where Azure resources may be de

On a frequency defined by the enterprise, management reviews the current physical locations where Azure resources are dep
continue to support enterprise requirements.
Management has defined configuration baselines for critical applications and resources using Azure Blueprints.

Note: Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure
adheres to an organization's standards, patterns and security requirements. Broader than Azure Policy, Blueprints exists to de
everything needed for a web application (VMs, database, etc.), and the security policy associated to them.

Note: Blueprints may be unnecessary given the size of the environment and number of resources. This mechanism is beneficial to
deployed numerous types of similar resources.

Management has defined an Azure resources tagging strategy to support necessary operational management efforts.

Note: Resource tagging should generally support resource management efforts, cost management and optimization, data clas
and other governance factors. Tagging should also align to either IT-aligned tagging (tag by application function) or business-a
resources). See the References tab for additional guidance. Not all resource types support tags. Check Microsoft® documentati

Management has subscribed to an appropriate Azure support plan which enhances critical Azure security and operations func

Note: There are 4 options as of Q2 2020. Every Azure customer has access to the basic support plan. Enterprise-level operatio
consider either a standard or professional direct subscription which provides 24/7 support with severity-one support within an
architecture- and operations-consultative support, and many other benefits. See References tab for more information.

On a frequency defined by the enterprise, management reviews, documents and executes relevant environment recommend

Note: Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performanc
On a frequency defined by the enterprise, management reviews results of completed assessments executed against the Azure
operations as necessary based on observed or relevant risk.
Management implements network architecture best practices to secure critical cloud applications and their data

Note: This control can be applied based on management preference and individual app needs. Some enterprises prefer and ad
prefer other models such as a microservices strategy. Application architecture can take on as many layers as required by the e
this writing. While the command line interface (CLI) commands are available to review each tier of an example 3-tier applicati
as it typically contains no data or business logic. Test here if the subnet or the network security groups require validation or ha

Note: Server-side validation can be tested simply by having a list of accepted values pulled from virtual machine/business logi
value not seen on the list fed to the presentation layer of the application. If a value not on the list is accepted, server-side valid

Azure network security architecture is routinely reviewed and compared against enterprise defined security requirements.

Periodic reports are produced and sent to appropriate personnel for review, with relevant deficiencies addressed in a ti

The enterprise has defined processes and procedures to integrate on-premises systems and data with Azure applications and fu

Note: There may be legacy systems or other on-premises systems that need security and availability controls but the enterpris
not willing to migrate to Azure. Testing to determine the population and general approach taken to migrate or integrate these
control testing purposes.

The enterprise has deployed a security information and event management (SIEM) capability to report suspicious network eve
timely manner.

SIEM configuration and event logs are routinely assessed by the enterprise to ensure the tool functions as intended.

Note: The enterprise may leverage third-party SIEM tools such as Splunk® or leverage related Azure tools such as Azure Sentin
provided here can apply to any tool used for SIEM purposes.

Note: Where use of a SIEM solution is impractical, the enterprise may choose to use a log analytics workspace in place of SIEM
Centralized Log Storage section of this audit program for more information.

Separate Azure environments have been created to facilitate production and development functions.

The enterprise restricts inbound and outbound virtual network traffic to interactions which serve valid business needs.

Azure Management tools are restricted to the department identified by the enterprise and provide personnel access based on

Azure Security Center has been deployed to assist management in identifying and remediating noncompliant network security re

Azure DDoS Protection Standard is enabled for critical business applications or where deemed necessary.
Management has secured integrated network connections through use of Azure® ExpressRoute® or similar mechanisms.

Note: Azure ExpressRoute® allows additional network security to be achieved for external connections integrating with Azure
does not traverse the public Internet and is instead brokered by a third-party provider such as AT&T. Enterprise connections to
this additional privacy and may help enhance regulatory compliance concerning connection security.

Azure AD Connect has been configured to establish and facilitate management of a single Azure Active Directory® environmen

Note: This control is highly recommended to avoid unnecessary management effort over identities, allow account managemen
reduce avoidable security risk that associates to network accounts (passwords, similar accounts in two locations [on-premises a
assessment should also consider whether the default AD Connect configuration is intact, to prevent replication of credentials f
may assist with mitigating risk for these accounts becoming compromised.

Note: In a cloud-only environment, Azure AD Connect may not be deployed or required, especially where there is no prior on-p
case, verifying the seamlessness of the single sign-on, etc., could be all that is required for this control.

The enterprise has developed and assigned access roles which provide users or network services the amount of least privilege

Note: There can be hundreds of IdAM roles and even more permission policies in Azure Active Directory. For the sake of timel
focus on users, groups or access roles that have been provided privileged access, such as Azure Global Administrators, Owner
permissions applied directly to various groups of user accounts would be a security concern and should be accounted for in te

Note: Microsoft strongly recommends that Privileged Identity Management (PIM) be enabled to support Just-In-Time access, w
against privileged accounts that are low use (like Global Administrator) and that have permanent privileged access. Enterprise
review of PIM as an additional optional audit step.

Note: Where possible, built-in roles should be leveraged instead of custom-built roles and permissions that introduce unneces
permissions when the resources provided by Microsoft do not work.

The enterprise has configured and deployed Azure management groups to associate user access by environment, business fun
subscription resources.
Critical Azure applications leverage Managed Identities (MI) to support enhanced credential management and security.

Note: There is a limited number of Azure resources that support the use of managed identities, and there are 2 types of Managed
1. System Assigned—Created directly as part of an Azure resource (such as a virtual machine) and has its life cycle integrated w
deleted, so is the managed identity created in Azure Active Directory). Can only be linked to a single Azure resource and best u
the Azure resource to which the managed identity is linked.
2. User assigned—Stand-alone resources (not resource dependent) that must be explicitly deleted. User assigned managed ide
resources and can support workloads running on multiple resources and are best used for workloads that may require recyclin
require the same permission sets.
Access to Azure applications or related resources requires multifactor authentication (MFA) and is further enforced using cond

Note: Azure MFA can be applied in several different ways, and is primarily driven by enterprise requirements, the Azure AD ed
options the enterprise is using. This audit program will focus on the type offering flexibility, which is MFA paired with Conditio
for Azure MFA in a cloud environment.

Special attention for MFA should be given to users in sensitive roles such as global administrator, security administrator, user acc

The enterprise prevents user accounts from remembering multifactor authentication when using devices users have trusted.
The enterprise requires privileged users to be assigned a secondary nonprivileged account for all nonadministrator tasks.

Note: Administrative-level users are often targeted by phishing or other social engineering attacks due to the level of access th
assigned standard user accounts for all nonadministrator-level tasks they may perform.

Management disallows use of Azure guest accounts through configuration.

Azure Fine-Grained Password Policies (FGPP) have been configured for administrative and standard user access.

Note: Azure sets a default lockout and password policy with the following values that cannot be modified:
• Account lockout duration: 30 minutes
• Number of failed logon attempts allowed: 5
• Reset failed logon attempts count after: 30 minutes
• Maximum password age (lifetime): 90 days
• Minimum password length (characters): 7
• Passwords must meet complexity requirements

Note: An enterprise user with sufficient privileges (e.g., AAD DC Administrators group) can create a weaker custom policy and
any custom policy takes precedence over the built-in policy. This is the primary risk over which this control seeks to gain assura

Note: Creation of a custom password policy requires use of the Active Directory Administrative Tools from a domain-joined vir
Administrative Center which allows admins to view, edit and create password policy.
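An added check for the risk described in this note (not part of the audit program): it compares each custom fine-grained password policy with the built-in values listed above and reports any attribute that is weaker. It assumes the policies were exported from Get-ADFineGrainedPasswordPolicy to JSON with durations already expressed in minutes and days; the sample policies are constructed.

```python
# Added example (not part of the audit program): compare exported Azure AD DS
# fine-grained password policies with the non-configurable built-in values
# listed in this control and report every custom policy that is weaker on any
# attribute, since a custom policy overrides the built-in one. Input is assumed
# to be Get-ADFineGrainedPasswordPolicy output exported to JSON with the
# duration fields already converted to minutes and days; the sample is constructed.
import json

# Built-in policy values as stated in the control text.
BUILT_IN = {
    "LockoutDurationMinutes": 30,
    "LockoutThreshold": 5,
    "LockoutObservationWindowMinutes": 30,
    "MaxPasswordAgeDays": 90,
    "MinPasswordLength": 7,
    "ComplexityEnabled": True,
}

# Constructed sample export: one weaker custom policy, one stronger one.
SAMPLE_POLICIES = json.dumps([
    {"Name": "AADDS Helpdesk", "Precedence": 10,
     "AppliesTo": ["CN=Helpdesk,OU=AADDC Users,DC=contoso,DC=example"],
     "MinPasswordLength": 6, "ComplexityEnabled": True,
     "LockoutThreshold": 10, "LockoutDurationMinutes": 30,
     "LockoutObservationWindowMinutes": 30, "MaxPasswordAgeDays": 0},
    {"Name": "AADDS Admins", "Precedence": 1,
     "AppliesTo": ["CN=AAD DC Administrators,OU=AADDC Users,DC=contoso,DC=example"],
     "MinPasswordLength": 14, "ComplexityEnabled": True,
     "LockoutThreshold": 3, "LockoutDurationMinutes": 0,
     "LockoutObservationWindowMinutes": 60, "MaxPasswordAgeDays": 60},
])


def weaker_settings(policy):
    """Return [(attribute, policy_value, built_in_value)] for every attribute on
    which the policy is weaker than the built-in default. Zero values carry
    special meaning in AD and are handled explicitly."""
    findings = []

    def flag(attr):
        findings.append((attr, policy.get(attr), BUILT_IN[attr]))

    if policy.get("MinPasswordLength", 0) < BUILT_IN["MinPasswordLength"]:
        flag("MinPasswordLength")
    if not policy.get("ComplexityEnabled", False):
        flag("ComplexityEnabled")
    threshold = policy.get("LockoutThreshold", 0)
    if threshold == 0 or threshold > BUILT_IN["LockoutThreshold"]:  # 0 = never lock out
        flag("LockoutThreshold")
    duration = policy.get("LockoutDurationMinutes", 0)
    if 0 < duration < BUILT_IN["LockoutDurationMinutes"]:  # 0 = locked until an admin unlocks (stronger)
        flag("LockoutDurationMinutes")
    if policy.get("LockoutObservationWindowMinutes", 0) < BUILT_IN["LockoutObservationWindowMinutes"]:
        flag("LockoutObservationWindowMinutes")
    age = policy.get("MaxPasswordAgeDays") or 0
    if age == 0 or age > BUILT_IN["MaxPasswordAgeDays"]:  # 0 or null = never expires
        flag("MaxPasswordAgeDays")
    return findings


def audit_policies(policies_json):
    """Map policy name -> {Precedence, AppliesTo, Weaker} for policies weaker
    than the built-in default, lowest Precedence (highest priority) first."""
    report = {}
    for policy in sorted(json.loads(policies_json), key=lambda p: p["Precedence"]):
        weak = weaker_settings(policy)
        if weak:
            report[policy["Name"]] = {"Precedence": policy["Precedence"],
                                      "AppliesTo": policy.get("AppliesTo", []),
                                      "Weaker": weak}
    return report


if __name__ == "__main__":
    for name, detail in audit_policies(SAMPLE_POLICIES).items():
        print(f"{name} (precedence {detail['Precedence']}) applies to {detail['AppliesTo']}")
        for attr, value, default in detail["Weaker"]:
            print(f"  {attr}: {value} (built-in {default})")
```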

Seamless Single Sign-On (SSO) has been implemented for enterprise domain access where necessary.

Note: Implementing SSO in Azure consists of 2 parts:
1. The feature must be enabled in Azure AD Connect and have enterprise domains listed under the service.
2. The feature must be explicitly rolled out to and made available to users' browsers via Group Policy by adding the Azure SSO
https://autologon.microsoftazuread-sso.com to their Intranet zone settings. There are 2 ways to complete th
a. Group Policy
b. Group Policy Preference
The control testing section to the right will cover method a). Both are described further in the reference for SSO.
Azure accounts are disabled after the enterprise's determined period of inactivity has passed, and the accounts are then remo

Note: Inactive accounts can be identified either using the Sign In reporting feature of Azure Active Directory or by using the M
lastSignInDateTime property of user accounts. The control listed here will walk through how to view inactive accounts
Ins reporting feature, while references to the Microsoft Graph function will be made available in the references section.
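The Microsoft Graph route mentioned in this note, as an added example (not part of the audit program): it evaluates a saved GET /users response that was requested with $select including signInActivity and createdDateTime, and reports enabled accounts idle longer than the enterprise's window; the sample response is constructed.

```python
# Added example (not part of the audit program): flag enabled Azure AD accounts
# whose Microsoft Graph signInActivity.lastSignInDateTime is older than the
# enterprise-defined inactivity window. It runs offline over a saved Graph
# response; fetching GET /users?$select=...,signInActivity (which requires an
# Azure AD Premium licence and AuditLog.Read.All) is left to the caller.
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the "value" array Graph returns.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"id": "u1", "userPrincipalName": "alice@contoso.example",
         "accountEnabled": True, "createdDateTime": "2019-03-01T09:00:00Z",
         "signInActivity": {"lastSignInDateTime": "2020-06-20T08:15:00Z"}},
        {"id": "u2", "userPrincipalName": "bob@contoso.example",
         "accountEnabled": True, "createdDateTime": "2019-03-01T09:00:00Z",
         "signInActivity": {"lastSignInDateTime": "2020-01-05T17:42:00Z"}},
        # Never signed in: Graph omits signInActivity entirely.
        {"id": "u3", "userPrincipalName": "svc-batch@contoso.example",
         "accountEnabled": True, "createdDateTime": "2019-11-10T12:00:00Z"},
        # Recently provisioned, no sign-in yet: must not be flagged.
        {"id": "u4", "userPrincipalName": "newhire@contoso.example",
         "accountEnabled": True, "createdDateTime": "2020-06-25T12:00:00Z"},
        # Already disabled: the control has been applied, skip it.
        {"id": "u5", "userPrincipalName": "former@contoso.example",
         "accountEnabled": False, "createdDateTime": "2018-01-01T00:00:00Z",
         "signInActivity": {"lastSignInDateTime": "2019-02-02T00:00:00Z"}},
    ]
})

# Fixed "now" so the sample is reproducible; pass datetime.now(timezone.utc) live.
AS_OF = datetime(2020, 7, 1, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph emits ISO 8601 UTC with a trailing 'Z'; return an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def last_activity(user):
    """(timestamp, reason): the last interactive sign-in when Graph recorded one,
    otherwise the creation time, so a never-used account is judged from the day
    it was provisioned rather than silently skipped."""
    activity = user.get("signInActivity") or {}
    if activity.get("lastSignInDateTime"):
        return parse_graph_time(activity["lastSignInDateTime"]), "stale-sign-in"
    if user.get("createdDateTime"):
        return parse_graph_time(user["createdDateTime"]), "never-signed-in"
    return None, "no-timestamp"


def inactive_accounts(graph_json, inactivity_days, now=AS_OF):
    """Return [(upn, idle_days, reason)] for enabled accounts idle longer than
    inactivity_days, sorted by UPN. Accounts with no usable timestamp are
    reported with idle_days=None so a reviewer looks at them."""
    cutoff = now - timedelta(days=inactivity_days)
    findings = []
    for user in json.loads(graph_json)["value"]:
        if not user.get("accountEnabled", True):
            continue
        when, reason = last_activity(user)
        if when is None:
            findings.append((user["userPrincipalName"], None, reason))
        elif when < cutoff:
            findings.append((user["userPrincipalName"], (now - when).days, reason))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for upn, idle, reason in inactive_accounts(SAMPLE_GRAPH_RESPONSE, 90):
        print(f"{upn:30} idle_days={idle} reason={reason}")
```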

On a frequency defined by the enterprise, management performs user- and application-access reviews to remove unnecessar

Note: It is highly recommended that access recertifications include a review of the Microsoft Graph API access as users or applica
associated to a compromise may leak a significant amount of data.

The enterprise has configured Resource Locks on critical Azure application resources to prevent inappropriate deletion or mod
The enterprise leverages Azure Customer Lockbox to obtain external vendor support as necessary.

Note: The enterprise must have an Azure support plan of at least the Developer level to leverage this feature.

The enterprise has enabled Azure Update Management to identify and automate the application of necessary virtual machine

Note: Azure Update Management allows virtual machine patches to be scheduled and executed on a routine schedule set by
customization and flexibility per individuals or resource groups. Security Center can also be used to identify VMs that are miss
patch update requirements.

Update management requires creation of an automation account and a log analytics workspace that handles the scheduling,
patches for in scope VMs. Automation of Update Management can be accessed and managed directly from the automation ac

The enterprise has installed and configured an endpoint protection solution for Azure Virtual Machines.

Note: Endpoint protection solutions typically consist of anti-malware, anti-spyware and threat-detection software from pro
Trend Micro, etc. There may be several types and versions supported based on the VM types deployed (Windows, Linux, Cen

The enterprise secures virtual machines using strong data at rest encryption for physical disks and virtual hard disk (VHD) files.

Note: Azure provides default server-side encryption for virtual machine OS disks using storage service encryption (SSE) with a p
managed key. The default encryption can be disabled only when the disk is unattached from the VM or the owner VM is deallo

Azure also provides Azure Disk Encryption for both OS and data disks to further secure data disks through volume encryptio
prevent a user from seeing data stored on a physical disk or .vhd when mounting a .vhd from one VM to another VM or install
another server, and it is highly recommended that it be enabled for both OS and data disk types where sensitive enterprise data is sto
The enterprise documents, reviews and formally approves allowed extensions running on Azure Virtual Machines

Note: VM extensions are micro-applications (first- and third-party) used for post-deployment and/or automation workloads specifi
Symantec, Qualys, Dynatrace, etc. The enterprise should formally document and have a process in place that reviews and app
installed and used in the environment. A process to formally review and remove unapproved or potentially vulnerable extensi

Azure Storage accounts are configured to require the secure transfer of data using strong data in transit encryption.
Storage account access keys are configured to expire after a time period defined by the enterprise and rotate, generating new

Note: When a storage account is created, two 512-bit access keys are created simultaneously that allow access to the data being
appropriateness of this control requires a comparison of the access key create date against regeneration event timestamps be

Shared Access Signatures (SAS) are configured and provided to external business partners for delegation of data held in enterp

Note: SAS is used when temporary access needs to be provided to an external party that you would not trust providing your st
allows access to be granted via a connection string with specifically delegated access associated to a storage account. A conne
to the business partner that have an access start and end time.

Allowed use of SAS should be limited to the shortest time possible and should only allow secure protocols such as HTTP

Storage accounts are configured to restrict network access to sources that serve a valid business need and that are approved b
Advanced Data Security is enabled on business-critical database servers when necessary, and notifies management in order to
threats.

Database auditing is enabled on business critical databases along with management-defined retention periods.
Transparent data encryption (TDE) with customer managed keys has been enabled for business-critical databases.

Note: It is recommended that the enterprise employ bring your own key (BYOK) for greater security and control flexibility whe
encryption for SQL servers.

MySQL and PostgreSQL databases require SSL connections before clients or users may access business critical data.

Note: The Azure SQL Database type requires TLS connections by default, and this is a nonconfigurable setting. More testing should occu
database types to ensure TLS is enabled and protecting data in transit.

The enterprise completely and accurately defines minimum monitoring requirements for Microsoft® Azure® applications and r

Azure monitoring requirements are formally documented and reviewed on a frequency defined by the enterprise.

Note: Monitoring may include certain types of events or processes, API calls, or revolve around more high-level requirements
account(s) making changes, date/time, etc.

The enterprise programmatically enforces minimum monitoring requirements through application configuration.

Azure applications are configured to generate and retain monitored events required by the enterprise.
The enterprise retains logs generated by Azure subscriptions, resources and applications for a minimum period of time defined
centralized location using Azure Monitor and Log Analytics workspaces.

Note: Specific resources such as Linux® and Windows® VMs require installation and configuration of agents in order to send lo
should be reviewed if these resources exist.

Note: Azure Monitor and its log analytics workspaces can be used for resource- and subscription-level activity monitoring. Imp
and reviewing its configuration was covered in the Network Configuration section; integrated SIEM solutions and processes th
monitoring and logging solution will be covered below.

Access to Azure Monitor logs is based on job responsibilities or need to know and is reviewed by management on a periodic b

Activity Log alerts are configured to detect and inform the appropriate persons or departments when suspicious privileged acti

On a periodic basis, the enterprise reviews logging and monitoring capabilities to determine whether additional logging is requ
disabled.

Note: In Azure, there is typically a cost associated with configured monitoring and logging solutions that the enterprise uses fo
also consider its monitoring needs as it onboards additional applications or resources into Azure and as it retires them.

The enterprise has registered contacts within Azure Security Center to notify designated department(s) or individuals when en
impacts or potential compromise.
The enterprise has implemented Security Center baseline monitoring policies to enforce and drive security compliance.

Security Center compliance is reviewed on a frequency defined by the enterprise to ensure noncompliant findings are address

Note: Security Center offers a default compliance policy as well as other security standard-specific baselines (e.g., FedRAMP, C
ISO®, etc.) that can be used by Security Center to assess the Azure environment.

Security Center alerts are configured to identify and report to management instances of resource security noncompliance.

Note: The Azure Security Center (ASC) default policy is enabled automatically upon creation/initialization of an Azure subscrip
without charge under the basic pricing tier for Security Center. The policy consists of approximately 100 security policy checks
centrally managed through the Azure Policy service.

If any changes to the policy are desired (such as disabling or enabling a specific security compliance policy), the changes must
Security Center.
Security Center has been integrated with enterprise security information and event management (SIEM) tools to enhance secu

Note: Getting Security Center to send subscription activity logs to a SIEM for ingestion has prerequisites before it will function
1. The Security Center standard pricing tier is needed.
2. Each subscription that is required to send its logs to the SIEM must have continuous export enabled.
3. Each subscription must be configured with a diagnostic setting to export its activity log to the appropriate event hub.
4. An Event Hub is required along with an event hub policy with a Send configuration.
5. The proper SIEM connector must be downloaded, installed and configured in Azure.

Security incident response documentation is continuously updated as the enterprise evolves.

Management reviews the security incident response on a frequency defined by the enterprise or as needed following operatio

The enterprise prepares for cloud security threats through a variety of simulated exercises.

The enterprise schedules Azure security table top exercises on a frequency defined by the enterprise to improve security incid

The enterprise has developed crisis communication procedures that inform personnel on how to report security breaches to r
customers if necessary.

Note: The enterprise should know when, how and to whom it should be reporting security incidents (whether short lived or pr
security incident can have adverse financial impact due to loss of customers, or can result in reputational damage. Crisis comm
reviewed and practiced over time may help reduce this risk.

Enterprise security incident artifacts (as identified by the enterprise) are maintained within the application and are retained fo
enterprise.

Note: It is not uncommon for certain phases of a security incident to be handled in different applications or network directorie
may be initially documented, investigated and eradicated in the enterprise's help desk ticketing system (e.g., ServiceNow®, Re
root cause using less formal means outside of that system via meetings, Microsoft® Word documents and reports stored in se
done to keep the details of a security breach suppressed for security purposes, or as details of the incident are further uncove

The enterprise has appropriate contact information for external business partners and, on a periodic basis, the enterprise revi
contact information modifications to external business partners.

Note: External entities should know whom to contact if it is externally discovered that a security breach is (or may be) affectin
Azure Sentinel has been configured to incorporate threat intelligence feeds for enhanced enterprisewide security.

Note: This control will assume that Azure Sentinel is the security information and event management (SIEM) solution used by
are in use, these instructions do not directly apply.

Note: Using the threat intelligence platforms import method, Azure Sentinel has prerequisites before threat intelligence feeds
1. An application registration to the source data feeding threat intelligence to Sentinel needs to be completed in Azure AD wit
(ThreatIndicators.ReadWrite.OwnedBy).
2. A user with the global administrator role will need to explicitly grant consent within the Azure tenant to API permissions ass
3. A client secret needs to be generated and, along with the application client ID, the directory (tenant) ID and client secret ne
threat intelligence feed before it will send to Sentinel. This control also assumes these steps have been completed.

Note: Azure Sentinel should also be used to identify and drive disablement of insecure protocols such as SMBv1, LM, etc.

Management has defined a data protection strategy that includes tenants and resources in scope, roles and responsibilities, a
and minimum encryption strength.
Azure Information Protection has been configured to completely and accurately classify and label critical business data.

Once Azure Information Protection Service is enabled under a subscription such as Office 365®, the default label and its prote
documents created but that do not contain a label. Administrators use policy scope to determine which users the label protec

Note: Use of Azure Information Protection requires a Protection Premium P1 (included within Enterprise Mobility and Security
Premium P2 (included within Enterprise Mobility and Security E5) or an Office 365 subscription that includes Azure Rights Man

One of the following roles is required to administer the service:
• Global administrator
• Azure Information Protection administrator
• Compliance administrator
• Compliance data administrator
• Security administrator

Azure Key Vault has been enabled to store business critical encryption objects and access is restricted to users or application r

Note: Key Vault has an independent identity and access management function that allows more granular control over who ha
encryption objects.

Management periodically conducts assessments to ensure that encryption mechanisms are completely and accurately
Azure Key Vault Recovery has been enabled to support availability of business-critical data as necessary.
On a frequency defined by the enterprise, management schedules and executes Azure Key Vault recovery exercises to ensure
objects can be successfully restored.
Area
Governance body
Regular cloud steering meeting
Responsible staff
Security policy
SDLC, incident response and BCP
Network diagram
Azure Policy
Physical location
Azure Blueprints
Azure Resource tag
Azure Support plan
Azure Advisor
Regular cloud assessment
Network security architecture
Network security architecture
On premise system integration
Network SIEM
Separate production and development environment
Inbound and outbound traffic control
Least privilege to management tool
Azure Security center
DDoS
Azure ExpressRoute
Azure AD Connect
Least privilege to network services
Azure management groups
Azure Managed Identity
MFA
MFA
Separate administrator account
Guest account
Password policy
SSO
User account termination
User account review
Azure Resource lock
Azure Customer lockbox
Azure Update management
Azure Endpoint protection
Azure Disk encryption
Virtual Machine extension
Data in transit encryption
Storage account
Shared access signatures
Storage account
Azure Advanced data security
Database audit
Transparent data encryption
SSL for database connection
Azure Monitor
Azure Monitor
Azure subscription log
Azure Monitor access
Azure Activity log
Log review
Azure Security center contact person
Azure Security center baseline monitoring
Azure Security center alert
Azure Security center and SIEM
Security incident response process
Security threat drill
Security breach communication procedure
Security incident log
External partner contact person
Azure Sentinel
Data protection strategy
Azure Information protection
Azure Key vault
Regular encryption assessment
Azure Key vault recovery
Azure Key vault recovery drill