Professional Documents
Culture Documents
This spreadsheet is designed to provide you a spreadsheet(Excel) format of the Azure Security Benchmark(ASB) v3. For the w
please refer to ttps://docs.microsoft.com/en-us/security/benchmark/azure/overview
Disclaimer:
a. The control mappings between ASB and industry benchmarks (such as NIST, CIS and PCI) only indicate that a specific Azure
partially address a control requirement defined in NIST, CIS or PCI. You should be aware that such implementation does not n
compliance of the corresponding control in CIS, NIST or PCI.
b. This document is developed as a reference and should not be used to define all means by which a customer can meet spec
and regulations. Customers should seek legal support from their organization on approved customer implementations.
Column Header
ASB ID
ASB Control Domain
CIS Controls v8 ID(s)
CIS Controls v8 ID(s)
PCI-DSS v3.2.1 ID(s)
NIST SP 800-53 r4 ID(s)
Security Principle
Recommendation
ASB Guideline
Implementation and additional context
Customer Stakeholders
tween ASB and industry benchmarks (such as NIST, CIS and PCI) only indicate that a specific Azure feature can be used to fully or
equirement defined in NIST, CIS or PCI. You should be aware that such implementation does not necessarily translate to the full
nding control in CIS, NIST or PCI.
ed as a reference and should not be used to define all means by which a customer can meet specific compliance requirements
should seek legal support from their organization on approved customer implementations.
Overview
The Azure Security Benchmark ID.
The Azure Security Benchmark control domain.
The CIS Controls v8 control(s) that correspond to the recommendation.
The CIS Controls v8 control(s) that correspond to the recommendation.
The PCI-DSS v3.2.1 control(s) that correspond to the recommendation.
The NIST SP 800-53 r4 (Moderate and High) control(s) that correspond to this recommendation.
The recommendation focused on the "what", explaining the control at the technology-agnostic level.
The Azure Security Benchmark control recommendation in summarized format.
The recommendation focused on the "how", explaining the Azure technical features and implementation basics.
The implementation details and other relevant context which links to the Azure service offering documentation
articles.
The security functions at the customer organization who may be accountable, responsible, or consulted for the
respective control. It may be different from organization to organization depending on your company’s security
organization structure, and the roles and responsibilities you set up related to Azure security.
The Azure Policy that can be used to audit the services that correspond to the ASB control.
The GUID(s) that correspond to the Azure Policy.
ASB ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s)
NS-1 Network Security 9.2 - Ensure Only Approved 3.12 - Segment Data Processing
Ports, Protocols and Services Are and Storage Based on Sensitivity
Running 13.4 - Perform Traffic Filtering
9.4 - Apply Host-Based Firewalls Between Network Segments
or Port Filtering 4.4 - Implement and Manage a
12.3 - Deny Communications Firewall on Severs
with Known Malicious IP
Addresses
12.4 - Deny Communication over
Unauthorized Ports
14.1 - Segment the Network
Based on Sensitivity
14.2 - Enable Firewall Filtering
Between VLANs
NS-2 Network Security 14.1 - Segment the Network 3.12 - Segment Data Processing
Based on Sensitivity and Storage Based on Sensitivity
4.4 - Implement and Manage a
Firewall on Servers
NS-3 Network Security 9.2 - Ensure Only Approved 4.4 - Implement and Manage a
Ports, Protocols and Services Are Firewall on Servers
Running 4.8 - Uninstall or Disable
9.4 - Apply Host-Based Firewalls Unnecessary Services on
or Port Filtering Enterprise Assets and Software
12.3 - Deny Communications 13.10 Perform Application Layer
with Known Malicious IP Filtering
Addresses
12.4 - Deny Communication over
Unauthorized Ports
14.1 - Segment the Network
Based on Sensitivity
14.2 - Enable Firewall Filtering
Between VLANs
NS-4 Network Security 12.6 - Deploy Network-Based IDS 13.2 Deploy a Host-Based
Sensors Intrusion Detection Solution
12.7 - Deploy Network-Based 13.3 - Deploy a Network
Intrusion Prevention Systems Intrusion Detection Solution
13.7 Deploy a Host-Based
Intrusion Prevention Solution
13.8 - Deploy a Network
Intrusion Prevention Solution
NS-5 Network Security 9.5 - Implement Application 13.10 - Perform Application Layer
Firewalls Filtering
12.3 - Deny Communications
with Known Malicious IP
Addresses
NS-6 Network Security 9.5 - Implement Application 13.10 - Perform Application Layer
Firewalls Filtering
12.3 - Deny Communications
with Known Malicious IP
Addresses
12.9 - Deploy Application Layer
Filtering Proxy Server
18.10 - Deploy Web Application
Firewalls (WAFs)
NS-7 Network Security 9.2 - Ensure Only Approved 4.4 - Implement and Manage a
Ports, Protocols and Services Are Firewall on Severs
Running 4.8 - Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software
NS-8 Network Security 9.2 - Ensure Only Approved 4.4 - Implement and Manage a
Ports, Protocols and Services Are Firewall on Severs
Running 4.8 - Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software
DP-1 Data Protection 13.1 - Maintain an Inventory 3.2 - Establish and Maintain a
of Sensitive Information Data Inventory
14.5 - Utilize an Active Discovery 3.7 - Establish and Maintain a
Tool to Identify Sensitive Data Data Classification Scheme
3.13 - Deploy a Data Loss
Prevention Solution
DP-2 Data Protection 13.3 - Monitor and Block 3.13 - Deploy a Data Loss
Unauthorized Network Traffic Prevention Solution
14.7 - Enforce Access Control to
Data through Automated Tools
DP-3 Data Protection 14.4 - Encrypt All Sensitive 3.10 - Encrypt Sensitive Data In
Information in Transit Transit
DP-4 Data Protection 14.8 - Encrypt Sensitive 3.11 - Encrypt Sensitive Data at
Information at Rest Rest
DP-5 Data Protection 14.8 - Encrypt Sensitive 3.11 - Encrypt Sensitive Data at
Information at Rest Rest
IM-6 Identity Management4.2 - Change Default Passwords 6.3 - Require MFA for Externally-
4.5 - Use Multifactor Exposed Applications
Authentication For All 6.4 - Require MFA for
Administrative Access Administrative Access
12.11 - Require All Remote
Logins to Use Multi-Factor
Authentication
16.3 - Require Multi-Factor
Authentication
IM-7 Identity Management12.11 - Require All Remote 3.3 - Configure Data Access
Logins to Use Multi-Factor Control Lists
Authentication 6.4 - Require MFA for
12.12 - Manage All Devices Administrative Access
Remotely Logging Into Internal 13.5 - Manage Access Control for
Network Remote Assets
14.6 - Protect Information
Through Access Control Lists
16.3 - Require Multi-Factor
Authentication
IM-9 Identity Management12.10 Decrypt Network Traffic at 6.7 - Centralize Access Control
Proxy 12.5 - Centralize Network
16.2 Configure Centralized Point Authentication, Authorization,
of Authentication and Auditing (AAA)
PA-1 Privileged Access 4.3 - Ensure the Use of Dedicated 5.4 - Restrict Administrator
Administrative Accounts Privileges to Dedicated
14.6 - Protect Information Administrator Accounts
Through Access Control Lists 6.8 - Define and Maintain Role-
Based Access Control
PA-3 Privileged Access 16.7 - Establish Process for 6.1 - Establish an Access Granting
Revoking Access Process
6.2 - Establish an Access
Revoking Process
PA-4 Privileged Access 4.1 - Maintain Inventory of 5.1 - Establish and Maintain an
Administrative Accounts Inventory of Accounts
16.6 - Maintain an Inventory of 5.3 - Disable Dormant Accounts
Accounts 5.5 - Establish and Maintain an
16.8 - Disable Any Unassociated Inventory of Service Accounts
Accounts
Disable Dormant Accounts
16.9 - Disable Dormant Accounts
PA-6 Privileged Access 4.6 - Use Dedicated Workstations 12.8 - Establish and Maintain
For All Administrative Tasks Dedicated Computing Resources
11.6 - Use Dedicated Machines for All Administrative Work
For All Network Administrative 13.5 Manage Access Control for
Tasks Remote Assets
12.12 - Manage All Devices
Remotely Logging into Internal
Network
PA-7 Privileged Access 14.6 - Protect Information 3.3 - Configure Data Access
Through Access Control Lists Control Lists
6.8 - Define and Maintain Role-
Based Access Control
PA-8 Privileged Access 16.7 - Establish Process for 6.1 - Establish an Access Granting
Revoking Access Process
6.2 - Establish an Access
Revoking Process
PV-1 Posture and 5.1 - Establish Secure 4.1 - Establish and Maintain a
Vulnerability Configurations Secure Configuration Process
Management 11.1 - Maintain Standard Security 4.2 - Establish and Maintain a
Configurations for Network Secure Configuration Process for
Devices Network Infrastructure
PV-2 Posture and 5.4 - Deploy System 4.1 - Establish and Maintain a
Vulnerability Configuration Management Tools Secure Configuration Process
Management 5.5 - Implement Automated 4.2 - Establish and Maintain a
Configuration Monitoring Secure Configuration Process for
Systems Network Infrastructure
11.3 - Use Automated Tools to
Verify Standard Device
Configurations and Detect
Changes
PV-3 Posture and 5.1 - Establish Secure 4.1 - Establish and Maintain a
Vulnerability Configurations Secure Configuration Process
Management 5.5 - Implement Automated
Configuration Monitoring
Systems
PV-4 Posture and 5.4 - Deploy System 4.1 - Establish and Maintain a
Vulnerability Configuration Management Tools Secure Configuration Process
Management 5.5 - Implement Automated
Configuration Monitoring
Systems
11.3 - Use Automated Tools to
Verify Standard Device
Configurations and Detect
Changes
PV-5 Posture and 3.1 - Run Automated 5.5 - Establish and Maintain an
Vulnerability Vulnerability Scanning Tools Inventory of Service Accounts
Management 3.3 - Protect Dedicated 7.1 - Establish and Maintain a
Assessment Accounts Vulnerability Management
3.6 - Compare Back-to-back Process
Vulnerability Scans 7.5 - Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
7.6 - Perform Automated
Vulnerability Scans of Externally-
Exposed Enterprise Assets
PV-6 Posture and 3.4 - Deploy Automated 7.2 - Establish and Maintain a
Vulnerability Operating System Patch Remediation Process
Management Management Tools 7.3 - Perform Automated
3.5 - Deploy Automated Software Operating System Patch
Patch Management Tools Management
3.7 - Utilize a Risk-rating Process 7.4 - Perform Automated
Application Patch Management
7.7 - Remediate Detected
Vulnerabilities
PV-7 Posture and 20.1 - Establish a Penetration 18.1 - Establish and Maintain a
Vulnerability Testing Program Penetration Testing Program
Management 20.2 - Conduct Regular External 18.2 - Perform Periodic External
and Internal Penetration Tests Penetration Tests
20.3 - Perform Periodic Red 18.3 - Remediate Penetration
Team Exercises Test Findings
18.4 - Validate Security Measures
18.5 - Perform Periodic Internal
Penetration Tests
LT-1 Logging and threat 6.7 - Regularly Review Logs 8.11 - Conduct Audit Log Reviews
detection
LT-2 Logging and threat 4.9 - Log and Alert on 8.11 - Conduct Audit Log Reviews
detection Unsuccessful Administrative
Account Login
6.7 - Regularly Review Logs
16.13 - Alert on Account Login
Behavior Deviation
LT-3 Logging and threat 6.2 - Activate Audit Logging 8.2 - Collect Audit Logs
detection 6.3 - Enable Detailed Logging 8.5 - Collect Detailed Audit Logs
8.8 - Enable Command-Line Audit 8.12 - Collect Service Provider
Logging Logs
LT-4 Logging and threat 6.2 - Activate Audit Logging 8.2 - Collect Audit Logs
detection 6.3 - Enable Detailed Logging 8.5 - Collect Detailed Audit Logs
7.6 - Log All URL Requests 8.6 - Collect DNS Query Audit
8.7 - Enable DNS Query Logging Logs
12.8 - Deploy NetFlow Collection 8.7 - Collect URL Request Audit
on Networking Boundary Devices Logs
13.6 - Collect Network Traffic
Flow Logs
LT-5 Logging and threat 6.5 - Central Log Management 8.9 - Centralize Audit Logs
detection 6.6 - Deploy SIEM or Log Analytic 8.11 - Conduct Audit Log Reviews
tool 13.1 - Centralize Security Event
6.7 - Regularly Review Logs Alerting
8.6 - Centralize Anti-Malware
Logging
LT-6 Logging and threat 6.4 - Ensure Adequate Storage 8.3 - Ensure Adequate Audit Log
detection for Logs Storage
8.10 - Retain Audit Logs
LT-7 Logging and threat 6.1 - Utilize Three Synchronized 8.4 - Standardize Time
detection Time Sources Synchronization
AM-1 Asset Management 1.1 - Utilize an Active Discovery 1.1 - Establish and Maintain
Tool Detailed Enterprise Asset
1.2 - Use a Passive Asset Inventory
Discovery Tool 1.5 - Use a Passive Asset
1.4 - Maintain Detailed Asset Discovery Tool
Inventory 2.1 - Establish and Maintain a
1.5 - Maintain Asset Inventory Software Inventory
Information 2.4 - Utilize Automated Software
2.1 - Maintain Inventory of Inventory Tools
Authorized Software
AM-3 Asset Management 1.4 - Maintain Detailed Asset 1.1 - Establish and Maintain
Inventory Detailed Enterprise Asset
1.5 - Maintain Asset Inventory Inventory
Information 2.1 - Establish and Maintain a
2.1 - Maintain Inventory of Software Inventory
Authorized Software
2.4 - Track Software Inventory
Information
AM-4 Asset Management 14.6 - Protect Information 3.3 - Configure Data Access
Through Access Control Lists Control Lists
AM-5 Asset Management 2.7 - Utilize Application 2.5 - Allowlist Authorized
Whitelisting Software
2.8 - Implement Application 2.6 - Allowlist Authorized
Whitelisting of Libraries Libraries
2.9 - Implement Application 2.7 - Allowlist Authorized Scripts
Whitelisting of Scripts 4.8 - Uninstall or Disable
9.2 - Ensure Only Approved Unnecessary Services on
Ports, Protocols, and Services Are Enterprise Assets and Software
Running
ES-1 Endpoint security 9.4 - Apply Host-Based Firewalls 13.7 - Deploy a Host-Based
or Port Filtering Intrusion Prevention Solution
ES-2 Endpoint security 8.1 - Utilize Centrally Managed 10.1 - Deploy and Maintain Anti-
Anti-malware Software Malware Software
ES-3 Endpoint security 8.2 - Ensure Anti-Malware 10.2 - Configure Automatic Anti-
Software and Signatures are Malware Signature Updates
Updated
BR-1 Backup and 10.1 - Ensure Regular Automated 11.2 - Perform Automated
recovery Backups Backups
BR-2 Backup and 10.4 - Ensure Protection of 11.3 - Protect Recovery Data
recovery Backups
BR-3 Backup and 10.4 - Ensure Protection of 11.3 - Protect Recovery Data
recovery Backups
BR-4 Backup and 10.3 - Test Data on Backup 11.5 - Test Data Recovery
recovery Media
IR-1 Incident Response 19.1 - Document Incident 17.4 - Establish and Maintain an
Response Procedures Incident Response Process
19.7 - Conduct Periodic Incident 17.7 - Conduct Routine Incident
Scenario Sessions for Personnel Response Exercises
IR-2 Incident Response 19.2 - Assign Job Titles and 17.1 - Designate Personnel to
Duties for Incident Response Manage Incident Handling
19.3 - Designate Management 17.3 - Establish and Maintain an
Personnel to Support Incident Enterprise Process for Reporting
Handling Incidents
19.4 - Devise Organization-wide 17.6 - Define Mechanisms for
Standards for Reporting Incidents Communicating During Incident
19.5 - Maintain Contact Response
Information For Reporting
Security Incidents
IR-3 Incident Response 19.8 - Create Incident Scoring 17.9 - Establish and Maintain
and Prioritization Schema Security Incident Thresholds
DS-2 DevOps Security 18.3 - Verify That Acquired 16.4 - Establish and Manage an
Software is Still Supported Inventory of Third-Party Software
18.4 - Only Use Up-to-Date And Components
Trusted Third-Party Components 16.6 - Establish and Maintain a
18.8 - Establish a Process to Severity Rating System and
Accept and Address Reports of Process for Application
Software Vulnerabilities Vulnerabilities
16.11 - Leverage Vetted Modules
or Services for Application
Security Components
DS-3 DevOps Security 18.11 - Use Standard Hardening 16.7 - Use Standard Hardening
Configuration Templates for Configuration Templates for
Databases Application Infrastructure
DS-4 DevOps Security 18.7 - Apply Static and Dynamic 16.12 - Implement Code-Level
Code Analysis Tools Security Checks
DS-5 DevOps Security 18.7 - Apply Static and Dynamic 16.12 - Implement Code-Level
Code Analysis Tools Security Checks
DS-6 DevOps Security 5.2 - Deploy System 7.5 - Perform Automated
Configuration Management Tools Vulnerability Scans of Internal
5.3 - Securely Store Master Enterprise Assets
Images 7.6 - Perform Automated
5.4 - Deploy System Vulnerability Scans of Externally-
Configuration Management Tools Exposed Enterprise Assets
5.5 - Implement Automated 7.7 - Remediate Detected
Configuration Monitoring Vulnerabilities
Systems 16.1 - Establish and Maintain a
18.1 - Establish Secure Coding Secure Application Development
Practices Process
16.7 - Use Standard Hardening
Configuration Templates for
Application Infrastructure
DS-7 DevOps Security 6.2 - Activate audit logging 8.2 Collect Audit Logs
6.3 - Enable Detailed Logging 8.5 Collect Detailed Audit Logs
6.5 - Central Log Management 8.9 Centralize Audit Logs
6.6 - Deploy SIEM or Log Analytic 8.11 Conduct Audit Log Reviews
tool
6.7 - Regularly Review Logs
6.8 - Regularly Tune SIEM
GS-1 Governance and Stra 17.2 - Deliver Training to Fill the 14.9 - Conduct Role-Specific
Skills Gap Security Awareness and Skills
Training
GS-2 Governance and Stra 2.10 - Physically or Logically 3.12 - Segment Data Processing
Segregate High Risk Applications and Storage Based on Sensitivity
14.1 - Segment the Network
Based on Sensitivity
GS-3 Governance and Stra 14.1 - Segment the Network 3.1 - Establish and Maintain a
Based on Sensitivity Data Management Process
3.7 - Establish and Maintain a
Data Classification Scheme
3.12 - Segment Data Processing
and Storage Based on Sensitivity
GS-4 Governance and Stra12.1 - Maintain an Inventory of 12.2 - Establish and Maintain a
Network Boundaries Secure Network Infrastructure
12.4 - Establish and Maintain
Architecture Diagram(s)
GS-5 Governance and Stra5.1 - Establish Secure 4.1 - Establish and Maintain a
Configurations Secure Configuration Process
4.2 - Establish and Maintain a
Secure Configuration Process for
Network Infrastructure
GS-6 Governance and Stra 4.5 - Use Multifactor 5.6 - Centralize Account
Authentication For All Management
Administrative Access 6.5 - Require MFA for
16.2 - Configure Centralized Administrative Access
Point of Authentication 6.7 - Centralize Access Control
GS-7 Governance and Stra 6.2 -Activate audit logging 8.1 - Establish and Maintain an
6.3 - Enable Detailed Logging Audit Log Management Process
6.6 - Deploy SIEM or Log Analytic 13.1 - Centralize Security Event
tool Alerting
6.7 - Regularly Review Logs 17.2 - Establish and Maintain
19.1 - Document Incident Contact Information for
Response Procedures Reporting Security Incidents
19.5 - Maintain Contact 17.4 - Establish and Maintain an
Information For Reporting Incident Response Process
Security Incidents 17.7 - Conduct Routine Incident
19.7 - Conduct Periodic Incident Response Exercises
Scenario Sessions for Personnel
GS-8 Governance and Stra 10.1 - Ensure Regular Automated 11.1 - Establish and Maintain a
Backups Data Recovery Process
GS-9 Governance and Stra 8.1 - Utilize Centrally Managed 4.4 - Implement and Manage a
Anti-malware Software Firewall on Servers
9.4 - Apply Host-Based Firewalls 10.1 - Deploy and Maintain Anti-
or Port-Filtering Malware Software
GS-10 Governance and Stra5.1 - Establish Secure 4.1 - Establish and Maintain a
Configurations Secure Configuration Process
18.1 - Establish Secure Coding 4.2 - Establish and Maintain a
Practices Secure Configuration Process for
18.8 - Establish a Process to Network Infrastructure
Accept and Address Reports of 16.1 - Establish and Maintain a
Software Vulnerabilities Secure Application
Development Process
16.2 - Establish and Maintain a
Process to Accept and Address
Software Vulnerabilities
NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation
AC-4: INFORMATION FLOW 1.1 Establish network
ENFORCEMENT 1.2 segmentation
SC-2: APPLICATION 1.3 boundaries
PARTITIONING
SC-7: BOUNDARY PROTECTION
Secure cloud services by establishing a private access point for the resources. You
should also disable or restrict access from public network when possible.
Deploy a firewall to perform advanced filtering on network traffic to and from external
networks. You can also use firewalls between internal segments to support a
segmentation strategy. If required, use custom routes for your subnet to override the
system route when you need to force the network traffic to go through a network
appliance for security control purpose.
At a minimum, block known bad IP addresses and high-risk protocols, such as remote
management (for example, RDP and SSH) and intranet protocols (for example, SMB and
Kerberos).
Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect
the network and payload traffic to or from your workload. Ensure that IDS/IPS is always
tuned to provide high-quality alerts to your SIEM solution.
For more in-depth host level detection and prevention capability, use host-based
IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction
with the network IDS/IPS.
Deploy distributed denial of service (DDoS) protection to protect your network and
applications from attacks.
Deploy a web application firewall (WAF) and configure the appropriate rules to protect
your web applications and APIs from application-specific attacks.
When managing a complex network environment, use tools to simplify, centralize and
enhance the network security management.
Detect and disable insecure services and protocols at the OS, application, or software
package layer. Deploy compensating controls if disabling insecure services and
protocols are not possible.
Use private connections for secure communication between different networks, such as
cloud service provider datacenters and on-premises infrastructure in a colocation
environment.
Ensure that Domain Name System (DNS) security configuration protects against known
risks:
- Use trusted authoritative and recursive DNS services across your cloud environment to
ensure the client (such as operating systems and applications) receive the correct
resolution result.
- Separate the public and private DNS resolution so the DNS resolution process for the
private network can be isolated from the public network.
- Ensure your DNS security strategy also includes mitigations against common attacks,
such as dangling DNS, DNS amplifications attacks, DNS poisoning and spoofing, and so
on.
Establish and maintain an inventory of the sensitive data, based on the defined
sensitive data scope. Use tools to discover, classify and label the in- scope sensitive
data.
Monitor for anomalies around sensitive data, such as unauthorized transfer of data to
locations outside of enterprise visibility and control. This typically involves monitoring
for anomalous activities (large or unusual transfers) that could indicate unauthorized
data exfiltration.
Protect the data in transit against 'out of band' attacks (such as traffic capture) using
encryption to ensure that attackers cannot easily read or modify the data.
Set the network boundary and service scope where data in transit encryption is
mandatory inside and outside of the network. While this is optional for traffic on private
networks, this is critical for traffic on external and public networks.
To complement access controls, data at rest should be protected against 'out of band'
attacks (such as accessing underlying storage) using encryption. This helps ensure that
attackers cannot easily read or modify the data.
If required for regulatory compliance, define the use case and service scope where
customer-managed key option is needed. Enable and implement data at rest encryption
using customer-managed key in services.
Ensure certificates used by the critical services in your organization are inventoried,
tracked, monitored, and renewed timely using automated mechanism to avoid service
disruption.
Ensure the security of the key vault service used for the cryptographic key and
certificate lifecycle management. Harden your key vault service through access control,
network security, logging and monitoring and backup to ensure keys and certificates are
always protected using the maximum security.
Use managed application identities instead of creating human accounts for applications
to access resources and execute code. Managed application identities provide benefits
such as reducing the exposure of credentials. Automate the rotation of credential to
ensure the security of the identities.
Authenticate remote servers and services from your client side to ensure you are
connecting to trusted server and services. The most common server authentication
protocol is Transport Layer Security (TLS), where the client-side (often a browser or
client device) verifies the server by verifying the server’s certificate was issued by a
trusted certificate authority.
Note: Mutual authentication can be used when both the server and the client
authenticate one-another.
Use single sign-on (SSO) to simplify the user experience for authenticating to resources
including applications and data across cloud services and on-premises environments.
Note: This is often governed and enforced through a secure software development
lifecycle (SDLC) and DevOps security process
Use an automated process or technical control to manage the identity and access
lifecycle including the request, review, approval, provision, and deprovision.
Conduct regular review of privileged account entitlements. Ensure the access granted
to the accounts are valid for administration of control plane, management plane, and
workloads.
Set up emergency access to ensure that you are not accidentally locked out of your
critical cloud infrastructure (such as your identity and access management system) in an
emergency.
Emergency access accounts should be rarely used and can be highly damaging to the
organization if compromised, but their availability to the organization is also critically
important for the few scenarios when they are required.
Secured, isolated workstations are critically important for the security of sensitive roles
like administrator, developer, and critical service operator.
Follow the just enough administration (least privilege) principle to manage permissions
at fine-grained level. Use features such as role-based access control (RBAC) to manage
resource access through role assignments.
Establish an approval process and access path for requesting and approving vendor
support request and temporary access to your data through a secure channel.
Define the secure configuration baselines for different resource types in the cloud.
Alternatively, use configuration management tools to establish the configuration
baseline automatically before or during resource deployment so the environment can
be compliant by default after the deployment.
Continuously monitor and alert when there is a deviation from the defined
configuration baseline. Enforce the desired configuration according to the baseline
configuration by denying the non-compliant configuration or deploy a configuration.
Define the secure configuration baselines for your compute resources, such as VMs and
containers. Use configuration management tools to establish the configuration baseline
automatically before or during the compute resource deployment so the environment
can be compliant by default after the deployment. Alternatively, use a pre-configured
image to build the desired configuration baseline into the compute resource image
template.
Continuously monitor and alert when there is a deviation from the defined
configuration baseline in your compute resources. Enforce the desired configuration
according to the baseline configuration by denying the non-compliant configuration or
deploy a configuration in compute resources.
Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed
schedule or on-demand. Track and compare the scan results to verify the vulnerabilities
are remediated. The assessment should include all type of vulnerabilities, such as
vulnerabilities in Azure services, network, web, operating systems, misconfigurations,
and so on.
Be aware of the potential risks associated with the privileged access used by the
vulnerability scanners. Follow the privileged access security best practice to secure any
administrative accounts used for the scanning.
Rapidly and automatically deploy patches and updates to remediate vulnerabilities in
your cloud resources. Use the appropriate risk-based approach to prioritize the
remediation of the vulnerabilities. For example, more severe vulnerabilities in a higher
value asset should be addressed as a higher priority.
Follow industry best practices to design, prepare and conduct this kind of testing to
ensure it will not cause damage or disruption to your environment. This should always
include discussing testing scope and constraints with relevant stakeholders and
resource owners.
To support threat detection scenarios, monitor all known resource types for known and
expected threats and anomalies. Configure your alert filtering and analytics rules to
extract high-quality alerts from log data, agents, or other data sources to reduce false
positives.
Detect threats for identities and access management by monitoring the user and
application sign-in and access anomalies. Behavioral patterns such as excessive number
of failed login attempts, and deprecated accounts in the subscription, should be alerted.
Enable logging for your cloud resources to meet the requirements for security incident
investigations and security response and compliance purposes.
Enable logging for your network services to support network-related incident
investigations, threat hunting, and security alert generation. The network logs may
include logs from network services such as IP filtering, network and application firewall,
DNS, flow monitoring and so on.
Centralize logging storage and analysis to enable correlation across log data. For each
log source, ensure that you have assigned a data owner, access guidance, storage
location, what tools are used to process and access the data, and data retention
requirements.
Plan your log retention strategy according to your compliance, regulation, and business
requirements. Configure the log retention policy at the individual logging services to
ensure the logs are archived appropriately.
Use approved time synchronization sources for your logging time stamp which include
date, time and time zone information.
Track your asset inventory by query and discover all your cloud resources. Logically
organize your assets by tagging and grouping your assets based on their service nature,
location, or other characteristics. Ensure your security organization has access to a
continuously updated inventory of assets.
Ensure your security organization can monitor the risks of the cloud assets by always
having security insights and risks aggregated centrally
Ensure that only approved cloud services can be used, by auditing and restricting which
services users can provision in the environment.
Ensure security attributes or configurations of the assets are always updated during the
asset lifecycle.
Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with
SIEM and security operations processes.
Ensure backup data and operations are protected from data exfiltration, data
compromise, ransomware/malware and malicious insiders. The security controls that
should be applied include user and network access control, data encryption at-rest and
in-transit.
Ensure all business-critical protectable resources are compliant with the defined backup
policy and standard.
Periodically perform data recovery tests of your backup to verify that the backup
configurations and availability of the backup data meets the recovery needs as per
defined in the RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
Ensure your organization follows industry best practice to develop processes and plans
to respond to security incidents on the cloud platforms. Be mindful about the shared
responsibility model and the variances across IaaS, PaaS and SaaS services. This will
have a direct impact to how you collaborate with your cloud provider in incident
response and handling activities, such as incident notification and triage, evidence
collection, investigation, eradication and recovery.
Regularly test the incident response plan and handling process to ensure they're up to
date.
Ensure the security alerts and incident notification from the cloud service provider's
platform and your environments can be received by correct contact in your incident
response organization.
Ensure you have a process to create high-quality alerts and measure the quality of
alerts. This allows you to learn lessons from past incidents and prioritize alerts for
analysts, so they don't waste time on false positives.
High-quality alerts can be built based on experience from past incidents, validated
community sources, and tools designed to generate and clean up alerts by fusing and
correlating diverse signal sources.
Ensure security operation team can query and use diverse data sources as they
investigate potential incidents, to build a full view of what happened. Diverse logs
should be collected to track the activities of a potential attacker across the kill chain to
avoid blind spots. You should also ensure insights and learnings are captured for other
analysts and for future historical reference.
Provide context to security operations teams to help them determine which incidents
ought to first be focused on, based on alert severity and asset sensitivity defined in your
organization’s incident response plan.
Automate the manual, repetitive tasks to speed up response time and reduce the
burden on analysts. Manual tasks take longer to execute, slowing each incident and
reducing how many incidents an analyst can handle. Manual tasks also increase analyst
fatigue, which increases the risk of human error that causes delays and degrades the
ability of analysts to focus effectively on complex tasks.
Conduct lesson learned in your organization periodically and/or after major incidents, to
improve your future capability in incident response and handling.
Based on the nature of the incident, retain the evidence related to the incident for the
period defined in the incident handling standard for further analysis or legal actions.
Perform threat modeling to identify the potential threats and enumerate the mitigating
controls. Ensure your threat modeling serves the following purposes:
- Secure your applications and services in the production run-time stage.
- Secure the artifacts, underlying CI/CD pipeline and other tooling environment used for
build, test, and deployment.
The threat modeling at least should include the following aspects:
- Define the security requirements of the application. Ensure these requirements are
adequately addressed in the threat modeling.
- Analyze application components, data connections and their relationship. Ensure this
analysis also includes the upstream and downstream connections outside of your
application scope.
- List the potential threats and attack vectors that your application components, data
connections and upstream and downstream services may be exposed to.
- Identify the applicable security controls that can be used to mitigate the threats
enumerated and identify any controls gaps (e.g., security vulnerabilities) that may
require additional treatment plans.
- Enumerate and design the controls that can mitigate the vulnerabilities identified.
The software supply chain security controls at least should include following aspects:
- Identify the upstream dependencies required at the development, build, integration
and deployment phase.
- Inventory and track the in-house and third-party software components for known
vulnerability when there is a fix available in the upstream.
- Assess the vulnerabilities and malware in the software components using static and
dynamic application testing for unknown vulnerabilities.
- Ensure the vulnerabilities and malware are mitigated using the appropriate approach.
This may include source code local or upstream fix, feature exclusion and/or applying
compensating controls if the direct mitigation is not available.
If closed source third-party components are used in your production environment, you
may have limited visibility to its security posture. You should consider additional
controls such as access control, network isolation and endpoint security to minimize the
impact if there is a malicious activity or vulnerability associated with the component.
Ensure the DevOps infrastructure and pipeline follow security best practices across
environments including your build, test, and production stages. This typically includes
the security controls for following scope:
- Artifact repositories that store source code, built packages and images, project
artifacts and business data.
- Servers, services, and tooling that hosting CI/CD pipelines.
- CI/CD pipeline configuration.
Ensure static application security testing (SAST) are part of the gating controls in the
CI/CD workflow. The gating can be set based on the testing results to prevent
vulnerable packages from committing into the repository, building into the packages, or
deploying into the production.
Ensure dynamic application security testing (DAST) are part of the gating controls in the
CI/CD workflow. The gating can be set based on the testing results to prevent
vulnerability from building into the packages or deploying into the production.
Ensure the workload is secured throughout the entire lifecycle in development, testing,
and deployment stage. Use Azure Security Benchmark to evaluate the controls (such as
network security, identity management, privileged access and so on) that can be set as
guardrails by default or shift left prior to the deployment stage. In particular, ensure the
following controls are in place in your DevOps process:
- Automate the deployment by using Azure or third-party tooling in the CI/CD workflow,
infrastructure management (infrastructure as code), and testing to reduce human error
and attack surface.
- Ensure VMs, container images and other artifacts are secure from malicious
manipulation.
- Scan the workload artifacts (in other words, container images, dependencies, SAST
and DAST scans) prior to the deployment in the CI/CD workflow
- Deploy vulnerability assessment and threat detection capability into the production
environment and continuously use these capabilities in the run-time.
Ensure your logging and monitoring scope includes non-production environments and
CI/CD workflow elements used in DevOps (and any other development processes). The
vulnerabilities and threats targeting these environments can introduce significant risks
to your production environment if they are not monitored properly. The events from
the CI/CD build, test and deployment workflow should also be monitored to identify
any deviations in the CI/CD workflow jobs.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Azure Guidance
Create a virtual network (VNet) as a fundamental segmentation approach in your Azure network, so resources such as VMs ca
into the VNet within a network boundary. To further segment the network, you can create subnets inside VNet for smaller sub
Use network security groups (NSG) as a network layer control to restrict or monitor traffic by port, protocol, source IP address
destination IP address.
You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on expl
addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's
allowing you to group virtual machines and define network security policies based on those groups.
Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for th
You should also disable or restrict public network access to services where feasible.
For certain services, you also have the option to deploy VNet integration for the service where you can restrict the VNET to es
private access point for the service.
Use Azure Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central manageme
large number of enterprise segments or spokes (in a hub/spoke topology).
If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDR) to ens
goes through the desired route. For example, you have option to use an UDR to redirect egress internet traffic through a speci
Firewall or a network virtual appliance.
Use Azure Firewall’s IDPS capability on your network to alert on and/or block traffic to and from known malicious IP addresses
domains.
For more in-depth host level detection and prevention capability, deploy host-based IDS/IPS or a host-based endpoint detectio
response (EDR) solution, such as Microsoft Defender for Endpoint, at the VM level in conjunction with the network IDS/IPS.
Enable DDoS standard protection plan on your VNet to protect resources that are exposed to the public networks.
Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery N
to protect your applications, services and APIs against application layer attacks at the edge of your network. Set your WAF in "
"prevention mode," depending on your needs and threat landscape. Choose a built-in ruleset, such as OWASP Top 10 vulnerab
tune it to your application.
Use the following features to simplify the implementation and management of the NSG and Azure Firewall rules:
- Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend NSG hardening rules that further limit ports, p
source IPs based on threat intelligence and traffic analysis result.
- Use Azure Firewall Manager to centralize the firewall policy and route management of the virtual network. To simplify the fir
and network security groups implementation, you can also use the Azure Firewall Manager ARM (Azure Resource Manager) te
Use Azure Sentinel’s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TL
SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos. Disable insecure services and protocols th
meet the appropriate security standard.
Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resou
network security group, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface.
For lightweight connectivity between site-to-site or point-to-site, use Azure virtual private network (VPN) to create a secure co
between your on-premises site or end-user device to the Azure virtual network.
For enterprise-level high performance connection, use Azure ExpressRoute (or Virtual WAN) to connect Azure datacenters and
infrastructure in a co-location environment.
When connecting two or more Azure virtual networks together, use virtual network peering. Network traffic between peered
networks is private and is kept on the Azure backbone network.
Use Azure recursive DNS or a trusted external DNS server in your workload recursive DNS setup, such as in VM's operating sys
application.
Use Azure Private DNS for private DNS zone setup where the DNS resolution process does not leave the virtual network. Use a
to restrict the DNS resolution which only allows the trusted resolution to your client.
Use Azure Defender for DNS for the advanced protection against the following security threats to your workload or your DNS s
- Data exfiltration from your Azure resources using DNS tunneling
- Malware communicating with command-and-control server
- Communication with malicious domains as phishing and crypto mining
- DNS attacks in communication with malicious DNS resolvers
You can also use Azure Defender for App Service to detect dangling DNS records if you decommission an App Service website
removing its custom domain from your DNS registrar.
Use tools such as Azure Purview, Azure Information Protection and Azure SQL Data Discovery and Classification to centrally sc
and label the sensitive data that reside in the Azure, on-premises, Microsoft 365, and other locations.
Use Azure Information protection (AIP) to monitor the data that has been classified and labeled.
Use Azure Defender for Storage, Azure Defender for SQL and Azure Cosmos DB to alert on anomalous transfer of information
indicate unauthorized transfers of sensitive data information.
Note: If required for compliance of data loss prevention (DLP), you can use a host based DLP solution from Azure Marketplace
Microsoft 365 DLP solution to enforce detective and/or preventative controls to prevent data exfiltration.
Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in.
Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use
transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows
an unencrypted protocol.
Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enable
Azure PaaS services by default.
Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key.
Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your
storage level, file level, or database level encryption.
Azure also provides encryption option using keys managed by yourself (customer-managed keys) for certain services. Howeve
customer-managed key option requires additional operational efforts to manage the key lifecycle. This may include encryption
generation, rotation, revoke and access control, etc.
Use Azure Key Vault to create and control your encryption keys life cycle, including key generation, distribution, and storage. R
revoke your keys in Azure Key Vault and your service based on the defined schedule and when there is a key retirement or com
When there is a need to use customer-managed key (CMK) in the workload services or applications, ensure you follow the bes
- Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your key vault.
- Ensure keys are registered with Azure Key Vault and implement via key IDs in each service or application.
If you need to bring your own key (BYOK) to the services (i.e., importing HSM-protected keys from your on-premises HSMs int
Vault), follow the recommended guideline to perform the key generation and key transfer.
Note: Refer to the below for the FIPS 140-2 level for Azure Key Vault types and FIPS compliance level.
- Software-protected keys in vaults (Premium & Standard SKUs): FIPS 140-2 Level 1
- HSM-protected keys in vaults (Premium SKU): FIPS 140-2 Level 2
- HSM-protected keys in Managed HSM: FIPS 140-2 Level 3
Use Azure Key Vault to create and control the certificate lifecycle, including creation/import, rotation, revocation, storage, and
certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insuffi
size, overly long validity period, insecure cryptography and so on. Setup automatic rotation of the certificate in Azure Key Vaul
service (if supported) based on the defined schedule and when there is a certificate expiration. If automatic rotation is not sup
front application, use a manual rotation in Azure Key Vault.
Avoid using self-signed certificate and wildcard certificate in your critical services due to the limited security assurance. Instea
create public signed certificate in Azure Key Vault. The following CAs are the current partnered providers with Azure Key Vault
- DigiCert: Azure Key Vault offers OV TLS/SSL certificates with DigiCert.
- GlobalSign: Azure Key Vault offers OV TLS/SSL certificates with GlobalSign.
Note: Use only approved Certificate Authority (CA) and ensure the known bad CA root/intermediate certificates and certificate
these CAs are disabled.
Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls:
- Restrict the access to keys and certificates in Azure Key Vault using built-in access policies or Azure RBAC to ensure the least
principle are in place for management plane access and data plane access.
- Secure the Azure Key Vault using Private Link and Azure Firewall to ensure the minimal exposure of the service
- Ensure separation of duties is place for users who manages encryption keys not have the ability to access encrypted data, an
- Use managed identity to access keys stored in the Azure Key Vault in your workload applications.
- Never have the keys stored in plaintext format outside of the Azure Key Vault.
- When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged.
- Backup your keys and certificates using the Azure Key Vault. Enable soft delete and purge protection to avoid accidental dele
- Turn on Azure Key Vault logging to ensure the critical management plane and data plane activities are logged.
Azure Active Directory (Azure AD) is Azure's identity and authentication management service. You should standardize on Azur
govern your organization's identity and authentication in:
- Microsoft cloud resources, such as the Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, an
applications.
- Your organization's resources, such as applications on Azure, third-party applications running on your corporate network reso
third-party SaaS applications.
- Your enterprise identities in Active Directory by synchronization to Azure AD to ensure a consistent and centrally managed id
strategy.
Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Azure AD. Th
Azure AD Enterprise Directory, Business to Business configuration, or Business to consumer configuration.
Use the Azure AD security baseline and the Azure AD Identity Secure Score to evaluate your Azure AD identity security posture
remediate security and configuration gaps.
The Azure AD Identity Secure Score evaluates Azure AD for the following configurations:
-Use limited administrative roles
- Turn on user risk policy
- Designate more than one global admin
- Enable policy to block legacy authentication
- Ensure all users can complete multi-factor authentication for secure access
- Require MFA for administrative roles
- Enable self-service password reset
- Do not expire passwords
- Turn on sign-in risk policy
- Do not allow users to grant consent to unmanaged applications
Note: Follow published best practices for all other identity components, including the on-premises Active Directory and any th
capabilities, and the infrastructures (such as operating systems, networks, databases) that host them.
Use Azure managed identities, which can authenticate to Azure services and resources that support Azure AD authentication.
identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code
configuration files.
For services that don't support managed identities, use Azure AD to create a service principal with restricted permissions at th
level. It is recommended to configure service principals with certificate credentials and fall back to client secrets for authentica
Many Azure services support TLS authentication by default. For the services supporting TLS enable/disable switch by the user,
always enabled to support the server/service authentication. Your client application should also be designed to verify server/s
identity (by verifying the server’s certificate issued by a trusted certificate authority) in the handshake stage.
Use Azure AD for workload application access through Azure AD single sign-on (SSO), obviating the need for multiple accounts
provides identity and access management to Azure resources (management plane including CLI, PowerShell, portal), cloud app
on-premises applications.
Azure AD supports SSO for enterprise identities such as corporate user identities, as well as external user identities from truste
and public users.
Azure AD supports strong authentication controls through passwordless methods and multi-factor authentication (MFA).
- Passwordless authentication: Use passwordless authentication as your default authentication method. There are three optio
passwordless authentication: Windows Hello for Business, Microsoft Authenticator app phone sign-in, and FIDO 2Keys. In addi
customers can use on-premises authentication methods such as smart cards.
- Multi-factor authentication: Azure MFA can be enforced on all users, select users, or at the per-user level based on sign-in co
risk factors. Enable Azure MFA and follow Microsoft Defender for Cloud identity and access management recommendations fo
setup.
If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user acc
directly in Azure) have a default baseline password policy. And hybrid accounts (user accounts that come from on-premises Ac
Directory) follow the on-premises password policies.
For third-party applications and services that may have default IDs and passwords, you should disable or change them during
setup.
Use Azure AD conditional access for more granular access controls based on user-defined conditions, such as requiring user lo
certain IP ranges (or devices) to use MFA. Azure AD Conditional Access allows you to enforce access controls on your organiza
based on certain conditions.
Define the applicable conditions and criteria for Azure AD conditional access in the workload. Consider the following common
- Requiring multi-factor authentication for users with administrative roles
- Requiring multi-factor authentication for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure AD Multi-Factor Authentication registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications
Note: A granular authentication session management can also be used to through Azure AD conditional access policy for contr
sign-in frequency and persistent browser session.
Ensure that secrets and credentials are stored in secure locations such as Azure Key Vault, instead of embedding them into the
configuration files.
- Implement Azure DevOps Credential Scanner to identify credentials within the code.
- For GitHub, use the native secret scanning feature to identify credentials or other form of secrets within the code.
Clients such as Azure Functions, Azure Apps services, and VMs can use managed identities to access Azure Key Vault securely.
Protection controls related to the use of Azure Key Vault for secrets management.
Protect your on-premises and non-native cloud applications using legacy authentication by connecting them to:
- Azure AD Application Proxy in conjunction with header-based authentication for publishing legacy on-premises applications t
users with single sign-on (SSO) while explicitly validating the trustworthiness of both remote users and devices with Azure AD
Access. If required, use third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality.
- Your existing third-party application delivery controllers and networks
- Microsoft Cloud App Security (MCAS), using it as a cloud access security broker (CASB) service to provide controls for monito
application sessions and blocking actions (for both legacy on-premises applications and cloud software as a service (SaaS) appl
Note: VPNs are commonly used to access legacy applications, they often have only basic access control and limited session mo
Azure Active Directory (Azure AD) is Azure's default identity and access management service. The most critical built-in roles in
Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator
these privileges, users can directly or indirectly read and modify every resource in your Azure environment:
- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as
services that use Azure AD identities.
- Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privi
Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.
Outside of the Azure AD, Azure has built-in roles that can be critical for privileged access at the resource level.
- Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
- Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignm
Azure Blueprints, or share image galleries.
- User Access Administrator: Lets you manage user access to Azure resources.
Note: You may have other critical roles that need to be governed if you use custom roles in the Azure AD level or resource leve
privileged permissions assigned.
Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative
your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools
installed on business critical systems. Attackers who compromise these management and security systems can immediately w
them to compromise business critical assets.
Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PI
model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized us
gaining access after the permissions have expired. Access is granted only when users need it. PIM can also generate security a
there is suspicious or unsafe activity in your Azure AD organization.
Restrict inbound traffic to your sensitive virtual machines (VM) management ports with Microsoft Defender for Cloud's just-in
VM access feature. This ensures the privileged access to the VM are granted only when users need it.
Use Azure AD entitlement management features to automate access (for Azure resource groups) request workflows. This enab
workflows for Azure resource groups to manage access assignments, reviews, expiration, and dual or multi-stage approval.
Review all privileged accounts and the access entitlements in Azure including such as Azure tenant, Azure services, VM/IaaS, C
processes, and enterprise management and security tools.
Use Azure AD access reviews to review Azure AD roles and Azure resource access roles, group memberships, access to enterpr
applications. Azure AD reporting can also provide logs to help discover stale accounts, accounts not being used for certain amo
In addition, Azure AD Privileged Identity Management can be configured to alert when an excessive number of administrator a
created for a specific role, and to identify administrator accounts that are stale or improperly configured.
To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account (e.g. an account
Administrator role) for access when normal administrative accounts cannot be used. Emergency access accounts are usually h
privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "br
scenarios where normal administrative accounts can't be used.
You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept s
known only to individuals who are authorized to use them only in an emergency. You may also use additional controls, such du
(e.g., splitting the credential into two pieces and giving it to separate persons) to enhance the security of this process. You sho
monitor the sign-in and audit logs to ensure the emergency access accounts can only be used under authorization.
Use Azure Active Directory, Microsoft Defender, and/or Microsoft Intune to deploy privileged access workstations (PAW) on-p
the Azure for privileged tasks. The PAW should be centrally managed to enforce secured configuration, including strong authe
software and hardware baselines, and restricted logical and network access.
You may also use Azure Bastion which is a fully platform-managed PaaS service that can be provisioned inside your virtual netw
Bastion allows RDP/SSH connectivity to your virtual machines directly from the Azure portal using browser.
Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC,
assign roles to users, group service principals, and managed identities. There are pre-defined built-in roles for certain resource
roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal.
The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited p
complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be
periodically. If required, you can also use PIM to define the time-length (time-bound-assignment) condition in role assignment
can activate or use the role only within start and end dates.
Note: Use Azure built-in roles to allocate permissions and only create custom roles when required.
In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review and approve or reject each M
data access request.
Use the Azure Security Benchmark and service baseline to define your configuration baseline for each respective Azure offerin
Refer to Azure reference architecture and Cloud Adoption Framework landing zone architecture to understand the critical sec
and configurations that may need across Azure resources.
Use Azure Blueprints to automate deployment and configuration of services and application environments, including Azure Re
Manager templates, Azure RBAC controls, and policies, in a single blueprint definition.
Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use A
to create alerts when there is a configuration deviation detected on the resources.
Use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure resources.
For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or u
tooling to implement the configuration audit and enforcement.
Use Azure recommended operating system baseline (for both Windows and Linux) as a benchmark to define your compute res
configuration baseline.
Additionally, you can use custom VM image or container image with Azure Policy guest configuration and Azure Automation S
Configuration to establish the desired security configuration.
Use Microsoft Defender for Cloud and Azure Policy guest configuration agent to regularly assess and remediate configuration
your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager temp
operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating sys
Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining secu
requirements.
Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.
Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual m
container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machine scan. U
party solution for performing vulnerability assessments on network devices and applications (e.g., web applications)
Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been
When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the s
solution's portal to view historical scan data.
When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Tim
provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used on
vulnerability scanning.
Note: Azure Defender services (including Defender for server, container registry, App Service, SQL, and DNS) embed certain vu
assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with
from Microsoft Defender for Cloud vulnerability scanning tool.
Note: Ensure your setup email notifications in Microsoft Defender for Cloud.
Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are inst
Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.
For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration M
Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) o
risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applicati
a high security risk and which ones require high uptime.
As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical s
findings.
Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of M
policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed c
infrastructure, services, and applications.
Use the threat detection capability of Azure Defender services in Microsoft Defender for Cloud for the respective Azure service
For threat detection not included in Azure Defender services, refer to the Azure Security Benchmark service baselines for the r
services to enable the threat detection or security alert capabilities within the service. Extract the alerts to your Azure Monito
Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment.
For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS)
Supervisory Control and Data Acquisition (SCADA) resources, use Defender for IoT to inventory assets and detect threats and v
For services that do not have a native threat detection capability, consider collecting the data plane logs and analyze the threa
Azure Sentinel.
Azure AD provides the following logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentin
SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities.
- Audit logs: Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit log
changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.
- Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the
owner of a user account.
- Users flagged for risk: A risky user is an indicator for a user account that might have been compromised.
Azure AD also provides an Identity Protection module to detect, and remediate risks related to user accounts and sign-in beha
Examples risks include leaked credentials, sign-in from anonymous or malware linked IP addresses, password spray. The polici
Azure AD Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access
accounts.
In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and suspiciou
such as an excessive number of failed authentication attempts. In addition to the basic security hygiene monitoring, Microsoft
Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such
machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allow
account anomalies inside the individual resources.
Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity sol
consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identiti
malicious insider actions directed at your organization.
Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating systems and applicatio
your VMs and other log types.
Be mindful about different type of logs for security, audit, and other operation logs at the management/control plane and dat
There are three types of the logs available at the Azure platform:
- Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting
from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type
- Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the managemen
can use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the res
your subscription. There is a single Activity log for each Azure subscription.
- Azure Active Directory logs: Logs of the history of sign-in activity and audit trail of changes made in the Azure Active Director
particular tenant.
You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting on Azure resou
Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewa
for security analysis to support incident investigations, and security alert generation. You can send the flow logs to an Azure M
Analytics workspace and then use Traffic Analytics to provide insights.
Ensure that you are integrating Azure activity logs into a centralized Log Analytics workspace. Use Azure Monitor to query and
analytics and create alert rules using the logs aggregated from Azure services, endpoint devices, network resources, and other
systems.
In addition, enable and onboard data to Azure Sentinel which provides the security information event management (SIEM) an
orchestration automated response (SOAR) capability.
Logs such as Azure Activity Logs events are retained for 90 days then deleted. You should create a diagnostic setting and route
entries to another location (such as Azure Monitor Log Analytics workspace, Event Hubs or Azure Storage) based on your need
strategy also applies to the other resource logs and resources managed by yourself such as logs in the operating systems and a
inside the VMs.
Note: Azure Sentinel uses Log Analytics workspace as its backend for log storage. You should consider a long-term storage stra
plan to retain SIEM logs for longer time.
Microsoft maintains time sources for most Azure PaaS and SaaS services. For your compute resources operating systems, use
default NTP server for time synchronization unless you have a specific requirement. If you need to stand up your own network
protocol (NTP) server, ensure you secure the UDP service port 123.
All logs generated by resources within Azure provide time stamps with the time zone specified by default.
The Microsoft Defender for Cloud inventory feature and Azure Resource Graph can query for and discover all resources in you
subscriptions, including Azure services, applications, and network resources. Logically organize assets according to your organ
taxonomy using Tags as well as other metadata in Azure (Name, Description, and Category).
Ensure that security organizations have access to a continuously updated inventory of assets on Azure. Security teams often n
inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuously security impro
Ensure security organizations are granted Security Reader permissions in your Azure tenant and subscriptions so they can mon
security risks using Microsoft Defender for Cloud. Security Reader permissions can be applied broadly to an entire tenant (Roo
Management Group) or scoped to management groups or specific subscriptions.
Note: Additional permissions might be required to get visibility into workloads and services.
Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to qu
discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-appr
is detected.
Establish or update security policies/process that address asset lifecycle management processes for potentially high impact m
These modifications include changes to identity providers and access, data sensitivity, network configuration, and administrati
assignment.
Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables
update, and delete resources (assets) in Azure. Use Azure AD Conditional Access to limit users' ability to interact with Azure Re
Manager by configuring "Block access" for the "Microsoft Azure Management" App.
Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also
adaptive application controls to ensure that only authorized software executes and all unauthorized software is blocked from
Azure Virtual Machines.
Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Window
VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation
other information, enable guest-level diagnostics and direct the Windows Event Logs to Log Analytics workspace.
Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users'
execute scripts in Azure compute resources.
You can also use a third-party solution to discover and identify unapproved software.
Azure Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, inve
respond to advanced threats.
Use Azure Security Center to deploy Azure Defender for servers for your endpoint and integrate the alerts to your SIEM solutio
Azure Sentinel.
Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtua
and on-premises machines with Azure Arc configured, and report the endpoint protection running status and make recommen
Microsoft Defender Antivirus is the default anti-malware solution for Windows server 2016 and above. For Windows server 20
Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection), and Microsoft Defender for Cloud to di
assess the health status. For Linux VMs, use Microsoft Defender for Endpoint on Linux.
Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage acc
Follow recommendations in Microsoft Defender for Cloud: "Compute & Apps" to keep all endpoints up to date with the latest
Microsoft Antimalware will automatically install the latest signatures and engine updates by default. For Linux, ensure the sign
updated in the third-party anti-malware solution.
For Azure Backup supported resources, enable Azure Backup and configure the backup source (such as Azure VMs, SQL Server
databases, or File Shares) on the desired frequency and retention period. For Azure VM, you can use Azure Policy to have back
automatically enabled using Azure Policy.
For resources not supported by Azure Backup, enable the backup as part of its resource creation. Where applicable, use built-
(Azure Policy) to ensure that your Azure resources are configured for backup.
Use Azure RBAC and multi-factor-authentication to secure the critical Azure Backup operations (such as delete, change retenti
to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine grained access,
private endpoints within your Azure Virtual Network to securely backup and restore data from your Recovery Services vaults.
For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-
encryption. You can also choose to encrypt the backups using customer managed key. In this case, ensure this customer-mana
the Azure Key Vault is also in the backup scope. If you use customer-managed key options, use soft delete and purge protectio
Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption-at-re
using the passphrase you provide.
Safeguard backup data from accidental or malicious deletion (such as ransomware attacks/attempts to encrypt or tamper bac
Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an
deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable cross-region restore to
backup data is restorable when there is a disaster in primary region.
Note: If you use resource's native backup feature or backup services other than Azure Backup, refer to the Azure Security Ben
service baselines) to implement the above controls.
Monitor your Azure environment to ensure that all your critical resources are compliant from a backup perspective. Use Azure
backup to audit and enforce such control. For Azure Backup supported resources: Backup Center helps you centrally govern y
estate.
Ensure critical Backup operations (delete, change retention, updates to backup config) are monitored, audited and have alerts
Azure Backup supported resources, monitor overall backup health, get alerted to critical backup incidents, audit user triggered
vaults.
Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup
the recovery needs as per defined in the RTO and RPO.
You may need to define your backup recovery test strategy, including the test scope, frequency and method as performing the
test each time can be difficult.
Update your organization's incident response process to include the handling of incident in Azure platform. Based on the Azur
used and your application nature, customize the incident response plan and playbook to ensure they can be used to respond t
in the cloud environment.
Set up security incident contact information in Microsoft Defender for Cloud. This contact information is used by Microsoft to
the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized pa
have options to customize incident alert and notification in different Azure services based on your incident response needs.
Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for C
connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents aut
an investigation.
Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure
Export alerts and recommendations either manually or in an ongoing, continuous fashion.
The data sources for investigation are the centralized logging sources that are already being collected from the in-scope servic
running systems, but can also include:
- Network data: Use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow
analytics information.
- Snapshots of running systems:
a) Azure virtual machine's snapshot capability, to create a snapshot of the running system's disk.
b) The operating system's native memory dump capability, to create a snapshot of the running system's memory.
c) The snapshot feature of the Azure services or your software's own capability, to create snapshots of the running systems.
Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the
incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purpo
Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. Th
based on how confident Security Center is in the finding or the analytics used to issue the alert, as well as the confidence level
was malicious intent behind the activity that led to the alert.
Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially thos
sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and
where the incident occurred.
Use workflow automation features in Microsoft Defender for Cloud and Azure Sentinel to automatically trigger actions or run
respond to incoming security alerts. The playbook takes actions, such as sending notifications, disabling accounts, and isolatin
networks.
Use the outcome from the lesson learned activity to update your incident response plan, playbook (such as Azure Sentinel pla
reincorporate findings into your environments (such as logging and threat detection to address any logging gap areas) to impr
future capability in detecting, respond, and handling of the incident in Azure.
Keep the evidence collected during the "Detection and analysis - investigate an incident step" such as system logs, network tra
and running system snapshot in storage such as Azure Storage account for retention.
Use threat modeling tools such as Microsoft threat modeling tool with Azure threat model template embedded to drive your t
modeling process. Use the STRIDE model to enumerate the threats from both internal and external and identify the controls a
Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection thro
insecure artifacts repository with misconfigured access control policy.
If using a threat modeling tool is not applicable you should, at the minimum, use a questionnaire-based threat modeling proce
the threats.
Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impact change in your
or in the threat landscape.
For the GitHub platform, ensure the software supply chain security through the following capability or tools from GitHub Adva
or GitHub’s native feature:
- Use Dependency Graph to scan, inventory and identify all your project’s dependencies and related vulnerabilities through Ad
Database.
- Use Dependabot to ensure that the vulnerable dependency is tracked and remediated, and ensure your repository automati
with the latest releases of the packages and applications it depends on.
- Use GitHub native code scanning capability to scan the source code when sourcing the code from external.
- Use Microsoft Defender for Cloud to integrate vulnerability assessment for your container image in the CI/CD workflow.
For Azure DevOps, you can use third-party extensions to implement similar controls to inventory, analyze and remediate the t
software components and their vulnerabilities.
As part of applying the Azure Security Benchmark to your DevOps infrastructure security controls, prioritize the following cont
- Protect artifacts and underlying environment to ensure the CI/CD pipelines don’t become avenues to insert malicious code. F
review your CI/CD pipeline to identify any misconfiguration in core areas of Azure DevOps such as Organization, Projects, User
(Build & Release), Connections, and Build Agent to identify any misconfigurations such as open access, weak authentication, in
connection setup and so on. For GitHub, use the similar controls to secure the Organization permission levels
- Configure identity/role permissions and entitlement policies in Azure AD, native services, and CI/CD tools in your pipeline to
changes to the pipelines are authorized.
- Avoid providing permanent “standing” privileged access to the human accounts such as developers or testers by using featur
Azure managed identifies, just-in-time access.
- Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in key store or Azur
- If you run self-hosted build/deployment agents, follow Azure Security Benchmark controls including network security, postur
vulnerability management, and endpoint security to secure your environment.
Integrate SAST into your pipeline so the source code can be scanned automatically in your CI/CD workflow. Azure DevOps Pipe
GitHub can integrate tools below and third-party SAST tools into the workflow.
- GitHub CodeQL for source code analysis.
- Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis.
- Azure DevOps Credential Scanner and GitHub native secret scanning for credential scan in the source code.
Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in the Azu
GitHub. The automated penetration testing (with manual assisted validation) should also be part of the DAST.
Azure DevOps Pipeline or GitHub supports the integrate of third-party DAST tools into the CI/CD workflow.
Guidance for Azure VMs:
- Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD group
organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom i
- Define the secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Thro
images, Azure Resource Manager template, and/or Azure Policy guest configuration to deploy and enforce these the configura
For Azure serverless services, adopt the similar controls to ensure security controls are shift left to the stage prior to the deplo
Enable and configure the audit logging capabilities in non-production and CI/CD tooling environments (such as Azure DevOps a
used throughout the DevOps process.
The events from the Azure DevOps and GitHub CI/CD work for the build, test and deployment jobs should also be monitored t
exception results in the CI/CD jobs.
Ingest the above logs and events into Azure Sentinel or other SIEM tools through logging stream or API to ensure the security
properly monitored and triaged for handling.
Follow Azure Security Benchmark – Logging and Threat Detection as the guideline to implement your logging and monitoring c
workload.
Ensure that you define and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize
clear accountability for security decisions, educating everyone on the shared responsibility model, and educate technical team
technology to secure the cloud.
Establish an enterprise-wide strategy to segment access to assets using a combination of identity, network, application, subscr
management group, and other controls.
Carefully balance the need for security separation with the need to enable daily operation of the systems that need to commu
each other and access data.
Ensure that the segmentation strategy is implemented consistently in the workload, including network security, identity and a
and application permission/access models, and human process controls.
The security configuration management in Azure should include the following areas:
- Define the secure configuration baselines for different resource types in the cloud, such as the Azure portal, management an
plane, and resources running in the IaaS, PaaS and SaaS services.
- Ensure the security baselines address the risks in different control areas such as network security, identity management, priv
data protection and so on.
- Use tools to continuously measure, audit, and enforce the configuration to prevent configuration deviating from the baseline
- Develop a cadence to stay update with Azure security features, for instance, subscribe to the service updates.
- Utilize Secure Score in Microsoft Defender for Cloud to regularly review Azure’s security configuration posture and remediate
identified.
The vulnerability management in Azure should include the following security aspects:
- Regularly assess and remediate vulnerabilities in all cloud resource types, such as Azure native services, operating systems, a
components.
- Use a risk-based approach to prioritize assessment and remediation.
- Subscribe to the relevant Microsoft / Azure security advisory notices and blogs to receive the latest security updates about A
- Ensure the vulnerability assessment and remediation (such as schedule, scope, and techniques) meet the regularly complian
requirements for your organization.
Establish an Azure identity and privileged access approach as part of your organization’s overall security access control strateg
strategy should include documented guidance, policy, and standards for the following aspects:
- Centralized identity and authentication system (Azure AD) and its interconnectivity with other internal and external identity s
- Privileged identity and access governance (such as access request, review and approval)
- Privileged accounts in emergency (break-glass) situation
- Strong authentication (passwordless authentication and multifactor authentication) methods in different use cases and cond
- Secure access by administrative operations through Azure portal, CLI and API.
For exception cases, where an enterprise system isn’t used, ensure adequate security controls are in place for identity, authen
access management, and governed. These exceptions should be approved and periodically reviewed by the enterprise team. T
exceptions are typically in cases such as:
- Use of a non-enterprise designated identity and authentication system, such as cloud-based third-party systems (may introdu
risks)
- Privileged users authenticated locally and/or use non-strong authentication methods
Establish a logging, threat detection and incident response strategy to rapidly detect and remediate threats and meeting comp
requirements. Security operations (SecOps / SOC) team should prioritize high quality alerts and seamless experiences so that t
on threats rather than log integration and manual steps.
This strategy should include documented policy, procedure and standards for the following aspects:
- The security operations (SecOps) organization's role and responsibilities
- A well-defined and regularly tested incident response plan and handling process aligning with NIST or other industry framew
- Communication and notification plan with your customers, suppliers, and public parties of interest.
- Preference of using extended detection and response (XDR) capabilities like Azure Defender capabilities to detect threats in t
areas.
- Use of Azure native capability (e.g., as Microsoft Defender for Cloud) and third-party platforms for incident handling, such as
threat detection, forensics, and attack remediation and eradication.
- Define key scenarios (such as threat detection, incident response, and compliance) and set up log capture and retention to m
scenario requirements.
- Centralized visibility of and correlation information about threats, using SIEM, native Azure threat detection capability, and o
- Post-incident activities, such as lessons learned and evidence retention.
Establish an Azure backup and recovery strategy for your organization. This strategy should include documented guidance, po
standards in the following aspects:
- Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency obj
regulatory compliance requirements.
- Redundancy design (including backup, restore and replication) in your applications and infrastructure for both in cloud and o
Consider regional, region-pairs, cross-regional recovery and off-site storage location as part of your strategy.
- Protection of backup from unauthorized access and tempering using controls such as data access control, encryption and net
security.
- Use of backup and recovery to mitigate the risks from emerging threats, such as ransomware attack. And also secure the bac
recovery data itself from these attacks.
- Monitoring the backup and recovery data and operations for audit and alerting purposes.
Establish a cloud endpoint security strategy which includes the following aspects:
- Deploy the endpoint detection and response and antimalware capability into your endpoint and integrate with the threat de
SIEM solution and security operations process.
- Follow Azure Security Benchmark to ensure endpoint related security settings in other respective areas (such as network sec
vulnerability management, identity and privileged access, and logging and threat detections) are also in place to provide a def
protection for your endpoint.
- Prioritize the endpoint security in your production environment, but ensure the non-production environments (such as test a
environment used in the DevOps process) are also secured and monitored, as these environment can also be used to introduc
malware and vulnerabilities into the production.
Mandate the security controls as part of the organization’s DevOps engineering and operation standard. Define the security ob
control requirements, and tooling specifications in accordance with enterprise and cloud security standards in your organizatio
Encourage the use of DevOps as an essential operating model in your organization for its benefits in rapidly identifying and rem
vulnerabilities using different type of automations (such as infrastructure as code provision, and automated SAST and DAST sc
throughout the CI/CD workflow. This ‘shift left’ approach also increases visibility and ability to enforce consistent security chec
deployment pipeline, effectively deploying security guardrails into the environment ahead of time to avoid last minute securit
when deploying a workload into production.
When shifting security controls left into the pre-deployment phases, implement security guardrails to ensure the controls are
enforced throughout your DevOps process. This technology could include Azure ARM templates to define guardrails in the IaC
(infrastructure as code), resource provisioning and Azure Policy to audit and restrict which services or configurations can be pr
into the environment.
For the run-time security controls of your workload, follow the Azure Security Benchmark to design and implement effective t
such as identity and privileged access, network security, endpoint security, and data protection inside your workload applicati
services.
Implementation and additional context
Azure Virtual Network concepts and best practices:
https://docs.microsoft.com/azure/virtual-network/concepts-and-best-practices
Securing privileged access for hybrid and cloud deployments in Azure AD:
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure
Azure Blueprints:
https://docs.microsoft.com/azure/governance/blueprints/overview
Understand Azure Policy effects:
https://docs.microsoft.com/azure/governance/policy/concepts/effects
Gather insights about your DNS infrastructure with the DNS Analytics solution:
https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics
For more information about tagging assets, see the resource naming and tagging decision guide:
https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-
manager/management/toc.json
How to configure Microsoft Antimalware for Cloud Services and virtual machines:
https://docs.microsoft.com/azure/security/fundamentals/antimalware
How to deploy Microsoft Antimalware for Cloud Services and virtual machine:
https://docs.microsoft.com/azure/security/fundamentals/antimalware
GitHub Dependabot:
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-
dependabot-version-updates
GitHub CodeQL:
https://codeql.github.com/docs/
GitHub logging:
https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization
Azure Security Best Practice 1 – People: Educate Teams on Cloud Security Journey:
https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#1-people-educate-teams-about-the-cl
security-journey
Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology:
https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#2-people-educate-teams-on-cloud-sec
technology
Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions:
https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-i
processes-for-cloud
Security in the Microsoft Cloud Adoption Framework for Azure - Segmentation: Separate to protect
https://docs.microsoft.com/azure/cloud-adoption-framework/secure/access-control#segmentation-separate-to-protect
Security in the Microsoft Cloud Adoption Framework for Azure - Architecture: establish a single unified security strategy:
https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#11-architecture-establish-a-single-unifi
security-strategy
Cloud Adoption Framework - Azure data security and encryption best practices:
https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices
Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud:
https://aka.ms/AzSec4
Azure Well-Architecture Framework - Backup and disaster recover for Azure applications:
https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery
Secure DevOps:
https://www.microsoft.com/securityengineering/devsecops
No applicable policy
Adaptive network hardening recommendations should be applied on internet facing virtual machines
No applicable policy
[Preview]: Azure Defender for DNS should be enabled
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage
resources
Transparent Data Encryption on SQL databases should be enabled
Automation account variables should be encrypted
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
SQL managed instances should use customer-managed keys to encrypt data at rest
SQL servers should use customer-managed keys to encrypt data at rest
PostgreSQL servers should use customer-managed keys to encrypt data at rest
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
Container registries should be encrypted with a customer-managed key
Cognitive Services accounts should enable data encryption with a customer-managed key
Storage accounts should use customer-managed key for encryption
MySQL servers should use customer-managed keys to encrypt data at rest
Azure Machine Learning workspaces should be encrypted with a customer-managed key
No applicable policy
No applicable policy
No applicable policy
No applicable policy
There should be more than one owner assigned to your subscription
A maximum of 3 owners should be designated for your subscription
Deprecated accounts with owner permissions should be removed from your subscription
External accounts with owner permissions should be removed from your subscription
Management ports of virtual machines should be protected with just-in-time network access control
No applicable policy
External accounts with write permissions should be removed from your subscription
External accounts with read permissions should be removed from your subscription
Deprecated accounts should be removed from your subscription
Deprecated accounts with owner permissions should be removed from your subscription
External accounts with owner permissions should be removed from your subscription
No applicable policy
No applicable policy
No applicable policy
CORS should not allow every resource to access your Function Apps
Kubernetes cluster pod hostPath volumes should only use allowed host paths
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'
Remote debugging should be turned off for Function Apps
Kubernetes clusters should not allow container privilege escalation
Kubernetes cluster services should listen only on allowed ports
CORS should not allow every resource to access your API App
[Preview]: Kubernetes clusters should disable automounting API credentials
Kubernetes cluster containers should only listen on allowed ports
Kubernetes cluster containers should not share host process ID or host IPC namespace
Kubernetes cluster containers should only use allowed AppArmor profiles
CORS should not allow every resource to access your Web Applications
Operating system version should be the most current version for your cloud service roles
Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'
Kubernetes cluster pods should only use approved host network and port range
Kubernetes cluster should not allow privileged containers
[Preview]: Kubernetes clusters should not use the default namespace
Kubernetes cluster containers should only use allowed capabilities
Remote debugging should be turned off for Web Applications
[Preview]: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
Kubernetes cluster containers should run with a read only root file system
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
Remote debugging should be turned off for API Apps
Function apps should have 'Client Certificates (Incoming client certificates)' enabled
Kubernetes cluster pods and containers should only run with approved user and group IDs
Kubernetes cluster containers should only use allowed images
Kubernetes clusters should gate deployment of vulnerable images
No applicable policy
[Preview]: vTPM should be enabled on supported virtual machines
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines
[Preview]: Windows machines should meet requirements of the Azure compute security baseline
[Preview]: Secure Boot should be enabled on supported Windows virtual machines
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets
Guest Configuration extension should be installed on your machines
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets
[Preview]: Linux machines should meet requirements for the Azure compute security baseline
No applicable policy
Azure Defender for open-source relational databases should be enabled
Azure Defender for Key Vault should be enabled
Azure Defender for App Service should be enabled
Azure Defender for Storage should be enabled
Azure Defender for servers should be enabled
Azure Defender for Kubernetes should be enabled
Azure Defender for SQL servers on machines should be enabled
Azure Defender for Azure SQL Database servers should be enabled
[Preview]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed
[Preview]: Azure Kubernetes Service clusters should have Azure Defender profile enabled
Azure Defender for SQL should be enabled for unprotected Azure SQL servers
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
[Preview]: Azure Defender for DNS should be enabled
Windows Defender Exploit Guard should be enabled on your machines
Azure Defender for container registries should be enabled
Azure Defender for Resource Manager should be enabled
Azure Defender for open-source relational databases should be enabled
Azure Defender for Key Vault should be enabled
Azure Defender for App Service should be enabled
Azure Defender for Storage should be enabled
Azure Defender for servers should be enabled
Azure Defender for Kubernetes should be enabled
Azure Defender for SQL servers on machines should be enabled
Azure Defender for Azure SQL Database servers should be enabled
[Preview]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed
[Preview]: Azure Kubernetes Service clusters should have Azure Defender profile enabled
Azure Defender for SQL should be enabled for unprotected Azure SQL servers
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
[Preview]: Azure Defender for DNS should be enabled
Windows Defender Exploit Guard should be enabled on your machines
Azure Defender for container registries should be enabled
Azure Defender for Resource Manager should be enabled
Resource logs in Azure Kubernetes Service should be enabled
Resource logs in Azure Data Lake Store should be enabled
Resource logs in Logic Apps should be enabled
Resource logs in IoT Hub should be enabled
Resource logs in Batch accounts should be enabled
Resource logs in Virtual Machine Scale Sets should be enabled
Resource logs in Event Hub should be enabled
Auditing on SQL server should be enabled
Resource logs in Search services should be enabled
Diagnostic logs in App Services should be enabled
Resource logs in Data Lake Analytics should be enabled
Resource logs in Key Vault should be enabled
Resource logs in Service Bus should be enabled
Resource logs in Azure Stream Analytics should be enabled
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
Auto provisioning of the Log Analytics agent should be enabled on your subscription
[Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center
monitoring
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
Log Analytics agent health issues should be resolved on your machines
[Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines
SQL servers with auditing to storage account destination should be configured with 90 days retention or
higher
No applicable policy
No applicable policy
No applicable policy
No applicable policy
Allowlist rules in your adaptive application control policy should be updated
Adaptive application controls for defining safe applications should be enabled on your machines
No applicable policy
No applicable policy
Email notification to subscription owner for high severity alerts should be enabled
Subscriptions should have a contact email address for security issues
Email notification for high severity alerts should be enabled
Azure Defender for open-source relational databases should be enabled
Azure Defender for Key Vault should be enabled
Azure Defender for App Service should be enabled
Azure Defender for Storage should be enabled
Azure Defender for servers should be enabled
Azure Defender for Kubernetes should be enabled
Azure Defender for SQL servers on machines should be enabled
Azure Defender for Azure SQL Database servers should be enabled
Azure Defender for SQL should be enabled for unprotected Azure SQL servers
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
[Preview]: Azure Defender for DNS should be enabled
Azure Defender for container registries should be enabled
Azure Defender for Resource Manager should be enabled
No applicable policy
No applicable policy
No applicable policy
No applicable policy
No applicable policy
No applicable policy
No applicable policy
Vulnerabilities in Azure Container Registry images should be remediated
Vulnerabilities in container security configurations should be remediated
No applicable policy
No applicable policy
No applicable policy
No applicable policy
No applicable policy
No applicable policy
No applicable policy
No applicable policy
No applicable policy
No applicable policy
No applicable policy
Azure Policy GUID
08e6af2d-db70-460a-bfe9-d5bd474ba9d6
9daedab3-fb2d-461e-b861-71790eead4f6
bb91dfba-c30d-4263-9add-9c2384e659a6
e71308d3-144b-4262-b144-efdc3cc90517
f6de0be7-9a8a-4b8a-b349-43cf02d22f7c
037eea7a-bd0a-46c5-9a66-03aea78705d3
0564d078-92f5-4f97-8398-b9f58a51f70b
0725b4dd-7e76-479c-a735-68e7ee23d5ca
0a1302fb-a631-4106-9753-f3d494733990
0e246bcf-5f6f-4f87-bc6f-775d4712c7ea
1b8ca024-1d5c-4dec-8995-b1a932b41780
2154edb9-244f-4741-9970-660785bccdaa
2a1a9cdf-e04d-429a-8416-3bfb72a1b26f
34c877ad-507e-4c82-993e-3452a6e0ad3c
40cec1dd-a100-4920-b15b-3024fe8901ab
4b90e17e-8448-49db-875e-bd83fb6f804f
4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
53503636-bcc9-4748-9663-5348217f160f
55615ac9-af46-4a59-874e-391cc3dfb490
5f0bc445-3935-4915-9981-011aa2b46147
6edd7eda-6dd8-40f7-810d-67160c639cd9
7595c971-233d-4bcf-bd18-596129188c49
7698e800-9299-47a6-b3b6-5a0fee576eed
7d092e0a-7acd-40d2-a975-dca21cae48c4
862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb
9830b652-8523-49cc-b1b3-e17dce1127ca
af35e2a4-ef96-44e7-a9ae-853dd97032c4
b52376f7-9612-48a1-81cd-1ffe4b61032c
ca610c1d-041c-4332-9d88-7ed3094967c7
d0793b48-0edc-4296-a390-4c75d1bdfd71
d9844e8a-1437-4aeb-a32c-0c992f056095
e8eef0a8-67cf-4eb4-9386-14b0e78733d4
ef619a2c-cc4d-4d03-b2ba-8c94a834d85b
22730e10-96f6-4aac-ad84-9383d35b5917
b0f33259-77d7-4c9e-aac6-3aabcfae693c
bd352bd5-2853-4985-bf0d-73806b4a5744
fc5e4038-4584-4632-8c85-c0448d374b2c
N/A
a7aca53f-2ed4-4466-a25e-0b45ade68efd
055aa869-bc98-4af8-bafc-23f1ab6ffe2c
564feb30-bf6a-4854-b4bb-0d2d2d1e6c66
08e6af2d-db70-460a-bfe9-d5bd474ba9d6
8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e
f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b
f9d614c5-c173-4d56-95a7-b4437057d193
N/A
bdc59948-5574-49b3-bb91-76b7c986428d
cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349
0a9fbe0d-c5c4-4da8-87d8-f4fd77338835
308fbb08-4ab8-4e67-9b29-592e93fb94fa
6581d072-105e-4418-827f-bd446d56421b
7fe3b40f-802b-4cdd-8bd4-fd799c948cc2
abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9
abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9
1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d
22bee202-a82f-4305-9a2a-6d7f44d4dedb
399b2637-a50f-4f95-96f8-3a145476eb15
404c3081-a854-4457-ae30-26a93ef643f9
4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b
5752e6d6-1206-46d8-8ab1-ecc2f71a8112
6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab
8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e
9a1b8c48-453a-4044-86c3-d8bfd823e4f5
a4af4a39-4135-47fb-b175-47fbdf85311d
b7ddfbdc-1260-477d-91fd-98bd9be789a6
d158790f-bfb0-486c-8631-2dc6b4e8e6af
e802a67a-daf5-4436-9ea6-f6d821dd0c5d
f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b
f9d614c5-c173-4d56-95a7-b4437057d193
0961003e-5a0a-4549-abde-af6a37f2724d
17k78e20-9358-41c9-923c-fb736d382a12
3657f5a0-770e-44a3-b44e-9431ba1e9735
617c02be-7f02-4efd-8836-3180d47b6c68
048248b0-55cd-46da-b1ff-39efd52db260
0d134df8-db83-46fb-ad72-fe0c9428c8dd
18adea5e-f416-4d0f-8aa8-d24321e3e274
1f905d99-2ab7-462c-a6b0-f709acca6c8f
5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580
67121cc7-ff39-4ab8-b7e3-95b84dab487d
6fac406b-40ca-413b-bf8e-0bf964659c25
83cef61d-dbd1-4b20-a4fc-5fbc7da10833
ba769a63-b8cc-4b2d-abf6-ac33c7204be8
152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0
98728c90-32c7-4049-8429-847dc0f4fe37
0a075868-4c26-42ef-914c-5bc007359560
0b60c0b2-2dc2-4e1c-b5c9-abbed971de53
0e6763cc-5078-4e64-889d-ff4d9a839047
1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d
55615ac9-af46-4a59-874e-391cc3dfb490
5f0bc445-3935-4915-9981-011aa2b46147
cf820ca0-f99e-4f3e-84fb-66e913812d21
1f314764-cb73-4fc9-b863-8eca98ac36e9
b54ed75b-3e1a-44ac-a333-05ba39b99ff0
N/A
0da106f2-4ca3-48e8-bc85-c638fe6aea8f
2b9ad585-36bc-4615-b300-fd4435808332
6646a0bd-e110-40ca-bb97-84fcee63c414
c4d441f8-f9d9-4a9e-9cef-e82117cb3eef
d26f7642-7545-4e18-9b75-8c9bbdee3a9a
N/A
N/A
630c64f9-8b6b-4c64-b511-6544ceff6fd6
9297c21d-2ed6-4474-b48f-163f75654ce3
aa633080-8b72-40c4-a2d7-d00c03e80bed
e3576e28-8b17-4677-84c3-db2990658d64
N/A
N/A
N/A
09024ccc-0c5f-475e-9457-b7c0d9ed487b
4f11b553-d42e-4e3a-89be-32ca364cad4c
ebb62a0c-3560-49e1-89ed-27e074e9f8ad
f8456c1c-aa66-4dfb-861a-25d127b775c9
b0f33259-77d7-4c9e-aac6-3aabcfae693c
N/A
5c607a2e-c700-4744-8254-d77e7c9eb5e4
5f76cf89-fbf2-47fd-a3f4-b891fa780b60
6b1cbf55-e8b6-442f-ba4c-7246b6381474
ebb62a0c-3560-49e1-89ed-27e074e9f8ad
f8456c1c-aa66-4dfb-861a-25d127b775c9
N/A
N/A
a451c1ef-c6ca-483d-87ed-f49761e3ffb5
ac4a19c2-fa67-49b4-8ae5-0b2e78c49457
N/A
N/A
0820b7b9-23aa-4725-a1ce-ae4558f718e5
098fc59e-46c7-4d99-9b16-64990e543d75
0a15ec92-a229-4763-bb14-0ea34a568f8d
0c192fe8-9cbb-4516-85b3-0ade8bd03886
0e60b895-3786-45da-8377-9c6b4b6ac5f9
1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
233a2a17-77ca-4fb1-9b6b-69223d272a44
358c20a6-3f9e-4f0e-97ff-c6ce485e2aac
423dd1ba-798e-40e4-9c4d-b6902674b423
440b515e-a580-421e-abeb-b159a61ddcbc
47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
511f5417-5d12-434d-ab2e-816901e72a5e
5744710e-cc2f-4ee8-8809-3b11e89f4bc9
5a913c68-0590-402c-a531-e57e19379da3
5bb220d9-2698-4ee4-8404-b9c30c9df609
82985f06-dc18-4a48-bc1c-b9f4f0098cfe
95edb821-ddaf-4404-9732-666045e056b4
9f061a12-e40d-4183-a00e-171812443373
c26596ff-4d70-4e6a-9a30-c2506bd2f80c
cb510bfd-1cba-4d9f-a230-cb0976f4bb71
d2e7ea85-6b44-4317-a0be-1b951587f626
df49d893-a74c-421d-bc95-c663042e5b80
e345eecc-fa47-480f-9e88-67dcc122b164
e9c8d085-d9cc-4b17-9cdc-059f1f01f19e
eaebaea7-8013-4ceb-9d14-7eb32271373c
f06ddb64-5fa3-4b77-b166-acb36f7f6042
febd0533-8e55-448f-b837-bd0e06f16469
13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759
N/A
1c30f9cd-b84c-49cc-aa2c-9288447cc3b3
1cb4d9c2-f88f-4069-bee0-dba239a57b09
672fe5a1-2fcd-42d7-b85d-902b6e28c6ff
72650e9f-97bc-4b2a-ab5f-9781a9fcecbc
97566dd7-78ae-4997-8b36-1c7bfe0d8121
a21f8c92-9e22-4f09-b759-50500d1d2dda
ae89ebca-1c92-4898-ac2c-9f63decb045c
d26f7642-7545-4e18-9b75-8c9bbdee3a9a
f655e522-adff-494d-95c2-52d4f6d56a42
fc9b3da7-8347-4380-8e70-0a0361d8dedd
1b7aa243-30e4-4c9e-bca8-d0d3022b634a
501541f7-f7e7-4cd6-868c-4190fdad3ac9
ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9
1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba
1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba
3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4
496223c3-ad65-4ecd-878a-bae78737e9ed
496223c3-ad65-4ecd-878a-bae78737e9ed
5f0f936f-2f01-4bf5-b6be-d423792fa562
6ba6d016-e7c3-4842-b8f2-4992ebc0d72d
7008174a-fd10-4ef0-817e-fc820a951d73
7008174a-fd10-4ef0-817e-fc820a951d73
7238174a-fd10-4ef0-817e-fc820a951d73
7238174a-fd10-4ef0-817e-fc820a951d73
7261b898-8a84-4db8-9e04-18527132abb3
7261b898-8a84-4db8-9e04-18527132abb3
74c3584d-afae-46f7-a20a-6f8adba71a16
74c3584d-afae-46f7-a20a-6f8adba71a16
760a85ff-6162-42b3-8d70-698e268f648c
86b3d65f-7626-441e-b690-81a8b71cff60
88999f4c-376a-45c8-bcb3-4058f713cf39
88999f4c-376a-45c8-bcb3-4058f713cf39
9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc
9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc
c3f317a7-a95c-4547-b7e7-11017ebdf2fe
e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15
e8cbc669-f12d-49eb-93e7-9273119e9933
fb893a29-21bb-418c-a157-e99480ec364c
feedbf84-6b99-488c-acc2-71c829aa5ffc
N/A
0a9fbe0d-c5c4-4da8-87d8-f4fd77338835
0e6763cc-5078-4e64-889d-ff4d9a839047
2913021d-f2fd-4f3d-b958-22354e2bdbcb
308fbb08-4ab8-4e67-9b29-592e93fb94fa
4da35fc9-c9e7-4960-aec9-797fe7d9051d
523b5cd1-3e23-492f-a539-13118b6d1e3a
6581d072-105e-4418-827f-bd446d56421b
7fe3b40f-802b-4cdd-8bd4-fd799c948cc2
8dfab9c4-fe7b-49ad-85e4-1e9be085358f
a1840de2-8088-4ea8-b153-b4c723e9cb01
abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9
abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9
bdc59948-5574-49b3-bb91-76b7c986428d
bed48b13-6647-468e-aa2f-1af1d3f4dd40
c25d9a16-bc35-4e15-a7e5-9db606bf9ed4
c3d20c29-b36d-48fe-808b-99a87530ad99
0a9fbe0d-c5c4-4da8-87d8-f4fd77338835
0e6763cc-5078-4e64-889d-ff4d9a839047
2913021d-f2fd-4f3d-b958-22354e2bdbcb
308fbb08-4ab8-4e67-9b29-592e93fb94fa
4da35fc9-c9e7-4960-aec9-797fe7d9051d
523b5cd1-3e23-492f-a539-13118b6d1e3a
6581d072-105e-4418-827f-bd446d56421b
7fe3b40f-802b-4cdd-8bd4-fd799c948cc2
8dfab9c4-fe7b-49ad-85e4-1e9be085358f
a1840de2-8088-4ea8-b153-b4c723e9cb01
abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9
abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9
bdc59948-5574-49b3-bb91-76b7c986428d
bed48b13-6647-468e-aa2f-1af1d3f4dd40
c25d9a16-bc35-4e15-a7e5-9db606bf9ed4
c3d20c29-b36d-48fe-808b-99a87530ad99
245fc9df-fa96-4414-9a0b-3738c2f7341c
057ef27e-665e-4328-8ea3-04b3122bd9fb
34f95f76-5386-4de7-b824-0d8478470c9d
383856f8-de7f-44a2-81fc-e5135b5c2aa4
428256e6-1fac-4f48-a757-df34c2b3336d
7c1b1214-f927-48bf-8882-84f0af6588b1
83a214f7-d01a-484b-91a9-ed54470c9a6a
a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9
b4330a05-a843-4bc8-bf9a-cacce50c67f4
b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0
c95c74d9-38fe-4f0d-af86-0c7d626a315c
cf820ca0-f99e-4f3e-84fb-66e913812d21
f8d36e2f-389b-4ee4-898d-21aeb69a0f45
f9be5368-9bf5-4b84-9e0a-7850da98bb46
04c4380f-3fae-46e8-96c9-30193528f602
2f2ee1de-44aa-4762-b6bd-0893fc3f306d
475aae12-b88a-4572-8b36-9b712b2b3a17
842c54e8-c2f9-4d79-ae8d-38d8b8019373
a3a6ea0c-e018-4933-9ef0-5aaa1501449b
a4fe33eb-e377-4efb-ab31-0784311bc499
d62cfe2b-3ab0-4d41-980d-76803b58ca65
d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e
89099bee-89e0-4b26-a5f4-165451757743
N/A
N/A
1d84d5fb-01f6-4d12-ba4f-4a26081d403d
37e0d2fe-28a5-43d6-a273-67d37d1f5606
N/A
N/A
123a3936-f020-408a-ba0c-47873faf1534
47a6b606-51aa-4496-8bb7-64b11cf66adc
4da35fc9-c9e7-4960-aec9-797fe7d9051d
1f7c564c-0a90-4d44-b7e1-9d456cffaee8
26a828e1-e88f-464e-bbb3-c134a282b9de
8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2
af6cd1bd-1635-48cb-bde7-5b15693900b9
bed48b13-6647-468e-aa2f-1af1d3f4dd40
8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2
013e242c-8828-4970-87b3-ab247555486d
0ec47710-77ff-4a3d-9181-6aa50af424d0
48af4db5-9b8b-401c-8e74-076be876a430
82339799-d096-41ae-8538-b108becf0970
013e242c-8828-4970-87b3-ab247555486d
0ec47710-77ff-4a3d-9181-6aa50af424d0
48af4db5-9b8b-401c-8e74-076be876a430
82339799-d096-41ae-8538-b108becf0970
N/A
N/A
N/A
0b15565f-aa9e-48ba-8619-45960f2c314d
4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7
6e2593d9-add6-4083-9c9b-4b7d2188c899
0a9fbe0d-c5c4-4da8-87d8-f4fd77338835
0e6763cc-5078-4e64-889d-ff4d9a839047
2913021d-f2fd-4f3d-b958-22354e2bdbcb
308fbb08-4ab8-4e67-9b29-592e93fb94fa
4da35fc9-c9e7-4960-aec9-797fe7d9051d
523b5cd1-3e23-492f-a539-13118b6d1e3a
6581d072-105e-4418-827f-bd446d56421b
7fe3b40f-802b-4cdd-8bd4-fd799c948cc2
abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9
abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9
bdc59948-5574-49b3-bb91-76b7c986428d
c25d9a16-bc35-4e15-a7e5-9db606bf9ed4
c3d20c29-b36d-48fe-808b-99a87530ad99
b6e2945c-0b7b-40f5-9233-7a5323b5cdc6
0a9fbe0d-c5c4-4da8-87d8-f4fd77338835
0e6763cc-5078-4e64-889d-ff4d9a839047
2913021d-f2fd-4f3d-b958-22354e2bdbcb
308fbb08-4ab8-4e67-9b29-592e93fb94fa
4da35fc9-c9e7-4960-aec9-797fe7d9051d
523b5cd1-3e23-492f-a539-13118b6d1e3a
6581d072-105e-4418-827f-bd446d56421b
7fe3b40f-802b-4cdd-8bd4-fd799c948cc2
abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9
abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9
bdc59948-5574-49b3-bb91-76b7c986428d
c25d9a16-bc35-4e15-a7e5-9db606bf9ed4
c3d20c29-b36d-48fe-808b-99a87530ad99
N/A
N/A
N/A
N/A
N/A
N/A
N/A
5f0f936f-2f01-4bf5-b6be-d423792fa562
e8cbc669-f12d-49eb-93e7-9273119e9933
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A