Microsoft Cloud Security Benchmark Guide MCSB with Control Domain Security Principle Azure AWS Guidance

Microsoft Cloud Security Benchmark Guide (MCSB) with Control Domain Security Principle Azure AWS Guidance. The Microsoft Security Benchmark Guide is a comprehensive resource that provides detailed recommendations and best practices for helping organizations secure their cloud and on-premises environments.

The Microsoft Cloud Security Benchmark (MCSB) is an essential collection of security recommendations designed to help secure your cloud environment. It provides high-impact security controls and service-specific baselines, allowing you to protect your workloads across single or multi-cloud platforms.

Whether working with Azure or planning multi-cloud deployments, MCSB offers best practices for strengthening your security posture and keeping your resources safe from misconfigurations and attacks.

In this post, we’ll explain the Microsoft Security Benchmark Guide to help you understand its importance in securing cloud and on-premises environments. The guide provides a set of high-impact security controls and best practices designed to align with industry standards and ensure consistent security across Microsoft services, particularly in Azure.

Patch My PC

Can we use MCSB with Multi-cloud Environments?

Microsoft Cloud Security Benchmark Guide MCSB with Control Domain Security Principle Azure AWS Guidance 1

MCSB supports multi-cloud environments, allowing you to manage and monitor security controls across different cloud platforms consistently.

Does MCSB Align with Other Security Frameworks?

Microsoft Security Benchmark Guide

MCSB maps to several well-known security frameworks, including CIS, NIST, and PCI-DSS, helping you ensure compliance with industry standards.

Adaptiva

Microsoft Cloud Security Benchmark Guide

The screenshot below provides an early preview of the Microsoft Cloud Security Benchmark (MCSB) V1 for the web version of the content. It includes a control mapping between MCSB and industry benchmarks like NIST, CIS, and PCI. This mapping shows how specific Azure features can help meet some or all of the requirements defined by these benchmarks.

However, it’s essential to understand that using these Azure features doesn’t guarantee full CIS, NIST, or PCI compliance. The document is meant to be a helpful guide, but it shouldn’t be the only resource for meeting specific compliance requirements. Customers should consult their organization’s legal team to ensure their implementation meets all necessary regulations.

Principles for Multi-Cloud Security Guidance

Let’s discuss the Principles of Multicloud Guidance. The list below will help you to see more details.

  • The security guidance for non-Azure platforms will follow the same cloud-neutral security principles at each control level of Azure’s
  • The security guidance for non-Azure platforms will provide the same granularity and scope in the technical guidance as Azure’s.
  • The non Microsoft cloud service provider’s CSP native solution or feature will usually be recommended as the first preference for each control. However, when a more mature multi-cloud solution is available in Azure, it will be prioritized as the default recommendation.
  • If neither the CSP’s native technology nor Azure solutions are available to satisfy a secure principle, Azure or the other CSP’s Marketplace will recommend a third-party solution. However, Microsoft Cloud Security Benchmark will not name any third-party vendor product or solution.
GuidanceDetails
ID#The Microsoft Cloud security Benchmark ID
Control DomainThe security control domain
Security PrincipleThe technology agnostic and cloud neutral principle for various security topics in each control domains.
RecommendationThe control recommendation in summarized format
Azure GuidanceThe technical guidance for Azure platforms
AWS GuidanceThe technical guidance for Amazon Web Service platforms
Implementation and Additional ContextThe implementation details and other relevant contexts that link to Azure or AWS service-offering documentation articles are also included.
Microsoft Cloud Security Benchmark Guide MCSB with Control Domain Security Principle Azure AWS Guidance – Table 1
Microsoft Security Benchmark Guide - Fig.1 - Creds to MS
Microsoft Cloud Security Benchmark Guide MCSB with Control Domain Security Principle Azure AWS Guidance – Fig.1 – Creds to MS

Control Domain Network Security

Here is a summary of the network security controls based on various standards and Azure implementation guidelines. The NS-1: Network Segmentation & Traffic Filtering Controls: CIS: Use approved ports, protocols, and host-based firewalls and deny communication with malicious IPs.NIST: Implement information flow enforcement and boundary protection. PCI: Segment networks and enable firewall filtering. The table below provides more details.

IDControl DomainCIS Control V7.1 ID(s)CIS Control V8 ID(s)NIST SP800-53 r4 ID(s)PCI-DSS v3.2.1RecommendationsSecurity PrincipleAzure GuidanceImplementation and additional context
NS-1Network security9.2 Ensure only Approved ports, protocols and services are running

9.4 Apply Host- based firewall or port filtering

12.3 Deny communications with known malicious IP addresses


12.4 Deny communication over unauthorised ports

14.1 Segment the Network based on sensitivity

14.2 Enable Firewall Filtering between VLANs
3.12 segment Data processing and storage based on sensitivity

13.4 perform Traffic filtering between Network segments

4.4 Implement and Manage a firewall on servers
Ac-4 Information flow enforcement

SC-2:Application partitioning

SC-7:Boundary protection
1.1
1.2
1.3
Establish network
segmentation
boundaries
Ensure that your virtual network deployment aligns with your enterprise
segmentation strategy defined in the GS-2 security control. Any workload
that could incur higher risk for the organization should be in an isolated
virtual networks.
Examples of high-risk workloads include:
An application storing or processing highly sensitive data.
An external network-facing application accessible by the public or users
outside of your organization.
An application using insecure architecture or containing vulnerabilities
that cannot be quickly remediated.
To enhance your enterprise segmentation strategy, restrict or monitor
traffic between internal resources using network controls. For specific,
well-defined applications (such as a 3-tier app), this can be a highly
secure “deny by default, permit by exception” approach by restricting the
ports, protocols, source, and destination IPs of the network traffic. If you
have many applications and endpoints interacting with each other,
blocking traffic may not scale well, and you may only be able to monitor
traffic.
Create a virtual network (VNet) as a fundamental segmentation approach in your Azure
network, so resources such as VMs can be deployed into the VNet within a network boundary.
To further segment the network, you can create subnets inside VNet for smaller sub-networks.
Use network security groups (NSG) as a network layer control to restrict or monitor traffic by
port, protocol, source IP address, or destination IP address. Refer to NS-7 Simplify network
security configuration to use Adaptive Network Hardening to recommend NSG hardening rules
based on threat intelligence and traffic analysis result.
You can also use application security groups (ASGs) to simplify complex configuration. Instead
of defining policy based on explicit IP addresses in network security groups, ASGs enable you
to configure network security as a natural extension of an application’s structure, allowing you
to group virtual machines and define network security policies based on those groups.
Azure Virtual Network concepts and best practices:
https://docs.microsoft.com/azure/virtual-network/concepts-and-best-
practices
Add, change, or delete a virtual network subnet:
https://docs.microsoft.com/azure/virtual-network/virtual-network-
manage-subnet
How to create a network security group with security rules:
https://docs.microsoft.com/azure/virtual-network/tutorial-filter-
network-traffic
Understand and use application security groups:
https://docs.microsoft.com/azure/virtual-network/network-security-
groups-overview#application-security-groups
NS-2Network security14.1 – Segment the
Network Based on
Sensitivity
3.12 – Segment Data
Processing and
Storage Based on
Sensitivity
4.4 – Implement and
Manage a Firewall on
Servers
AC-4: INFORMATION
FLOW ENFORCEMENT
SC-2: APPLICATION
PARTITIONING
SC-7: BOUNDARY
PROTECTION
1.1
1.2
1.3
Secure cloud services by establishing a private access point for the
resources. You should also disable or restrict access from public network when possible.
Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network whenpossible.Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. Using Private Link will keep the private connection from routing through the public network.
Note: Certain Azure services may also allow private communication through the service endpoint feature, though it is recommended to use Azure Private Link for secure and private access to services hosted on Azure platform.
For certain services, you can choose to deploy VNet integration for the service where you can restrict/isolate the VNET to establish a private access point for the service.
You also have the option to configure the service native network ACL rules or simply disable public network access to block access from the public network.
For Azure VMs, unless there is a strong use case, you should avoid assigning public IPs/subnet directly to the VM interface and instead use gateway or load balancer services as the front-end for access by the public network.
Understand Azure Private Link:
https://docs.microsoft.com/azure/private-link/private-link-overview
Integrate Azure services with virtual networks for network isolation:
https://learn.microsoft.com/en-us/azure/virtual-network/vnet-
integration-for-azure-services
NS-3Network security9.2 – Ensure Only
Approved Ports,
Protocols and Services
Are Running
9.4 – Apply Host-Based Firewalls or port filtering
12.3 – Deny
4.4 – Implement and
Manage a Firewall on
Servers
4.8 – Uninstall or
Disable Unnecessary
services on enterprise
Assets and Software
AC-4: INFORMATION
FLOW ENFORCEMENT
SC-7: BOUNDARY
PROTECTION
CM-7: LEAST
FUNCTIONALITY
1.1
1.2
1.3
Deploy firewall at the edge of enterprise networkDeploy a firewall to perform advanced filtering on network traffic to and
from external networks. You can also use firewalls between internal
segments to support a segmentation strategy. If required, use custom
routes for your subnet to override the system route when you need to
force the network traffic to go through a network appliance for security
control purpose.
Use Azure Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology).
If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDR) to ensure the traffic goes through the desired route. For example, you have the option to use an UDR to redirect egress internet traffic through a specific Azure.
How to deploy Azure Firewall:
https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-
portal
Virtual network traffic routing:
https://docs.microsoft.com/azure/virtual-network/virtual-networks-
udr-overview
Microsoft Cloud Security Benchmark Guide MCSB with Control Domain Security Principle Azure AWS Guidance- Table 2

You can download the spreadsheet from the GitHub repository mentioned in the post below.

Microsoft Cloud Security Benchmark Guide MCSB with Control Domain Security Principle Azure AWS Guidance - Fig.2 - Creds to MS
Microsoft Cloud Security Benchmark Guide MCSB with Control Domain Security Principle Azure AWS Guidance – Fig.2 – Creds to MS

Control Domain Identity Management

Here is a structured summary of the Identity Management Control (IM-1, IM2, etc), focusing on best practices, relevant controls, and Azure guidance. The table below helps you show more details.

IDControl DomainCIS Controls v7.1 ID(s)CIS Controls v8 ID(s)NIST SP800-53 r4 ID(s)PCI-DSS v3.2.1 ID(s)RecommendationSecurity PrincipleAzure GuidanceImplementation and additional context
IM-1Identity Management16.1 – Maintain an Inventory of Authentication Systems
16.2 – Configure Centralized Authentication, Point of Authentication
6.7 – Centralize Access Control
12.5 – Centralize Network Authorization, and Auditing (ORGANIZATIONAL USERS)
(AAA)
AC-2: ACCOUNT MANAGEMENT 7.2
AC-3: ACCESS ENFORCEMENT
IA-2: IDENTIFICATION AND AUTHENTICATION
IA-8: IDENTIFICATION AND AUTHENTICATION (NON-
ORGANIZATIONAL USERS)
7.2
8.3
Use centralized identity and authentication systemUse a centralized identity and authentication system to govern your organization’s identities and authentications for cloud and non-cloud resources.Azure Active Directory (Azure AD) is Azure’s identity and authentication management
service. You should standardize on Azure AD to govern your organization’s identity and authentication in:
Microsoft cloud resources, such as Azure Storage, Azure Virtual Machines (Linux and
Windows), Azure Key Vault, PaaS, and SaaS applications.
Your organization’s resources, such as applications on Azure, third-party applications
running on your corporate network resources, and third-party SaaS applications.
Your enterprise identities in Active Directory by synchronization to Azure AD to ensure a
consistent and centrally managed identity strategy.

For the Azure services that apply, avoid use of local authentication methods and instead use Azure Active Directory to centralize your service authentications.
Note: As soon as it is technically feasible, you should migrate on-premises Active
Directory-based applications to Azure AD. This could be an Azure AD Enterprise Directory, Business to Business configuration, or Business to consumer configuration.
Tenancy in Azure AD: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-
tenant-apps

How to create and configure an Azure AD instance:
https://docs.microsoft.com/azure/active-directory/fundamentals/active-
directory-access-create-new-tenant
Define Azure AD tenants:
https://azure.microsoft.com/resources/securing-azure-environments-with-
azure-active-directory/
Use external identity providers for an application:
https://docs.microsoft.com/azure/active-directory/b2b/identity-providers
IM-2Identity Management4.3 – Ensure the Use of
Dedicated Administrative
Accounts

4.5 – Use Multi-Factor
Authentication for All
Administrative Access
5.4 – Restrict Administrator
Privileges to Dedicated
Administrator Accounts
6.5 – Require MFA for
Administrative Access
AC-2: ACCOUNT MANAGEMENT
AC-3: ACCESS ENFORCEMENT
IA-2: IDENTIFICATION AND
AUTHENTICATION
(ORGANIZATIONAL USERS)
IA-8: IDENTIFICATION AND
AUTHENTICATION (NON-
ORGANIZATIONAL USERS)
SI-4: INFORMATION SYSTEM
MONITORING
8.2
8.3
Protect identity and authentication systemsSecure your identity and authentication system
as a high priority in your organization’s cloud
security practice. Common security controls
include:
Restrict privileged roles and accounts
Require strong authentication for all privileged
access
Monitor and audit high risk activities
Use the Azure AD security baseline and the Azure AD Identity Secure Score to evaluate
your Azure AD identity security posture, and remediate security and configuration gaps.
The Azure AD Identity Secure Score evaluates Azure AD for the following configurations:
Use limited administrative roles
Turn on user risk policy
Designate more than one global admin
Enable policy to block legacy authentication
Ensure all users can complete multi-factor authentication for secure access
Require MFA for administrative roles
Enable self-service password reset
Do not expire passwords
Turn on sign-in risk policy
Do not allow users to grant consent to unmanaged applications
Use Azure AD Identity Protection to detect, investigate, and remediate identity-based
risks. To similarly protect your on-premises Active Directory domain, use Defender for
Identity.
Note: Follow published best practices for all other identity components, including your on-
premises Active Directory and any third party capabilities, and the infrastructure (such as
operating systems, networks, databases) that host them.
What is the identity secure score in Azure AD:
https://docs.microsoft.com/azure/active-directory/fundamentals/identity-
secure-score
Best Practices for Securing Active Directory:
https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-
best-practices/best-practices-for-securing-active-directory
What is Identity Protection?
https://learn.microsoft.com/en-us/azure/active-directory/identity-
protection/overview-identity-protection
What is Microsoft Defender for Identity?
https://learn.microsoft.com/en-us/defender-for-identity/what-is
Microsoft Cloud Security Benchmark Guide MCSB with Control Domain Security Principle Azure AWS Guidance – Table 3
Microsoft Cloud Security Benchmark Guide MCSB with Control Domain Security Principle Azure AWS Guidance - Fig.3 - Creds to MS
Microsoft Cloud Security Benchmark Guide MCSB with Control Domain Security Principle Azure AWS Guidance – Fig.3 – Creds to MS

More Details

Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.

Author

Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.