Merge pull request #89450 from msmbaldwin/csa-backup

Organizing security content udner a Concepts >> Security node

Author: ktoliver

articles/backup/backup-security-controls.md

@@ -6,7 +6,7 @@ author: dcurwin
 manager: carmonm
 ms.service: backup
 ms.topic: conceptual
-ms.date: 09/04/2019
+ms.date: 09/23/2019
 ms.author: dacurwin
 
 ---
@@ -18,43 +18,43 @@ This article documents the security controls built into Azure Backup.
 
 ## Network
 
-| Security control | Yes/No | Notes |
+| Security control | Yes/No | Notes | Documentation
 |---|---|--|
-| Service endpoint support| No |  |
-| VNet injection support| No |  |
-| Network isolation and firewalling support| Yes | Forced tunneling is supported for VM backup. Forced tunneling is not supported for workloads running inside VMs. |
-| Forced tunneling support| No |  |
+| Service endpoint support| No |  |  |
+| VNet injection support| No |  |  |
+| Network isolation and firewalling support| Yes | Forced tunneling is supported for VM backup. Forced tunneling is not supported for workloads running inside VMs. |  |
+| Forced tunneling support| No |  |  |
 
 ## Monitoring & logging
 
-| Security control | Yes/No | Notes|
+| Security control | Yes/No | Notes| | Documentation
 |---|---|--|
-| Azure monitoring support (Log analytics, App insights, etc.)| Yes | Log Analytics is supported via diagnostic logs. See [Monitor Azure Backup protected workloads using Log Analytics](https://azure.microsoft.com/blog/monitor-all-azure-backup-protected-workloads-using-log-analytics/) for more information. |
-| Control and management plane logging and audit| Yes | All customer triggered actions from the Azure portal are logged to activity logs. |
-| Data plane logging and audit| No | Azure Backup data plane can't be reached directly.  |
+| Azure monitoring support (Log analytics, App insights, etc.)| Yes | Log Analytics is supported via diagnostic logs. See [Monitor Azure Backup protected workloads using Log Analytics](https://azure.microsoft.com/blog/monitor-all-azure-backup-protected-workloads-using-log-analytics/) for more information. |  |
+| Control and management plane logging and audit| Yes | All customer triggered actions from the Azure portal are logged to activity logs. |  |
+| Data plane logging and audit| No | Azure Backup data plane can't be reached directly.  |  |
 
 ## Identity
 
-| Security control | Yes/No | Notes|
+| Security control | Yes/No | Notes| | Documentation
 |---|---|--|
-| Authentication| Yes | Authentication is through Azure Active Directory. |
-| Authorization| Yes | Customer created and built-in RBAC roles are used. See [Use Role-Based Access Control to manage Azure Backup recovery points](/azure/backup/backup-rbac-rs-vault) for more information. |
+| Authentication| Yes | Authentication is through Azure Active Directory. |  |
+| Authorization| Yes | Customer created and built-in RBAC roles are used. See [Use Role-Based Access Control to manage Azure Backup recovery points](/azure/backup/backup-rbac-rs-vault) for more information. |  |
 
 ## Data protection
 
-| Security control | Yes/No | Notes |
+| Security control | Yes/No | Notes | | Documentation
 |---|---|--|
-| Server-side encryption at rest: Microsoft-managed keys | Yes | Using storage service encryption for storage accounts. |
-| Server-side encryption at rest: customer-managed keys (BYOK) | No |  |
-| Column level encryption (Azure Data Services)| No |  |
-| Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption)| No | Using HTTPS. |
-| API calls encrypted| Yes |  |
+| Server-side encryption at rest: Microsoft-managed keys | Yes | Using storage service encryption for storage accounts. |  |
+| Server-side encryption at rest: customer-managed keys (BYOK) | No |  |  |
+| Column level encryption (Azure Data Services)| No |  |  |
+| Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption)| No | Using HTTPS. |  |
+| API calls encrypted| Yes |  |  |
 
 ## Configuration management
 
-| Security control | Yes/No | Notes|
+| Security control | Yes/No | Notes| | Documentation
 |---|---|--|
-| Configuration management support (versioning of configuration, etc.)| Yes|  |
+| Configuration management support (versioning of configuration, etc.)| Yes|  |  |
 
 ## Next steps
 

articles/backup/toc.yml

@@ -50,6 +50,16 @@
       href: backup-support-matrix-mabs-dpm.md
     - name: MARS agent support matrix
       href: backup-support-matrix-mars-agent.md
+  - name: Security
+    items:
+    - name: Role-Based Access Control
+      href: backup-rbac-rs-vault.md
+    - name: Security for cloud workloads
+      href: backup-azure-security-feature-cloud.md
+    - name: Security for hybrid backups
+      href: backup-azure-security-feature.md
+    - name: Built-in security controls
+      href: backup-security-controls.md
   - name: Frequently asked questions (FAQ)
     items:
     - name: FAQ-Recovery Services vaults
@@ -68,20 +78,12 @@
       href: backup-azure-monitor-alert-faq.md
   - name: Backup architecture
     href: backup-architecture.md
-  - name: Role-Based Access Control
-    href: backup-rbac-rs-vault.md
-  - name: Security for cloud workloads
-    href: backup-azure-security-feature-cloud.md
-  - name: Security for hybrid backups
-    href: backup-azure-security-feature.md
   - name: Configure offline-backup
     href: backup-azure-backup-import-export.md
   - name: Offline backup for DPM and Azure Backup Server
     href: backup-azure-backup-server-import-export-.md
   - name: Replace your tape library
     href: backup-azure-backup-cloud-as-tape.md
-  - name: Built-in security controls
-    href: backup-security-controls.md
 - name: How to
   items:
   - name: Azure Backup Server