Merge pull request #99120 from msmbaldwin/security-controls

Security Controls articles v1

Author: ktoliver

articles/security/benchmarks/TOC.yml

@@ -0,0 +1,30 @@
+- name: Azure Security Benchmark
+  href: index.yml
+- name: Introduction
+  href: introduction.md
+- name: Security Controls
+  items:
+  - name: Overview
+    href: overview.md
+  - name: Network Security
+    href: security-control-network-security.md
+  - name: Logging and Monitoring
+    href: security-control-logging-monitoring.md
+  - name: Identity and Access Control
+    href: security-control-identity-access-control.md
+  - name: Data Protection
+    href: security-control-data-protection.md
+  - name: Vulnerability Management
+    href: security-control-vulnerability-management.md
+  - name: Inventory and Asset Management
+    href: security-control-inventory-asset-management.md
+  - name: Secure Configuration
+    href: security-control-secure-configuration.md
+  - name: Malware Defense
+    href: security-control-malware-defense.md
+  - name: Data Recovery
+    href: security-control-data-recovery.md
+  - name: Incident Response
+    href: security-control-incident-response.md
+  - name: Penetration Tests and Red Team Exercises
+    href: security-control-penetration-tests-red-team-exercises.md

articles/security/benchmarks/index.yml

@@ -0,0 +1,59 @@
+### YamlMime:Landing
+
+title: Azure security benchmarks documentation
+summary: Learn how to secure your cloud solutions on Azure with our best practices and guidance.
+
+metadata:
+  title: Azure security benchmarks
+  description: The Azure Security Controls Benchmark contains recommendations that help you improve the security of your applications and data on Azure.
+  services: security
+  ms.service: security
+  ms.subservice: fundamentals
+  ms.topic: landing-page
+  author: msmbaldwin
+  ms.author: mbaldwin
+  manager: rkarlin
+  ms.date: 12/23/2019
+
+
+landingContent:
+  # Card
+  - title: About the Azure Security Benchmark
+    linkLists:
+      - linkListType: overview
+        links:
+          - text: Overview
+            url: overview.md
+          - text: Introduction to Security Controls
+            url: introduction.md
+          - text: Shared responsibility in the cloud
+            url: ../fundamentals/shared-responsibility.md
+  # Card  
+  - title: Security Controls
+    linkLists:
+      - linkListType: overview
+        links:
+          - text: Network Security
+            url: security-control-network-security.md
+          - text: Logging and Monitoring
+            url: security-control-logging-monitoring.md
+          - text: Identity and Access Control
+            url: security-control-identity-access-control.md
+          - text: Data Protection
+            url: security-control-data-protection.md
+          - text: Vulnerability Management
+            url: security-control-vulnerability-management.md
+          - text: See more
+            url: security-control-inventory-asset-management.md
+  # Card
+  - title: More Azure Security Information
+    linkLists:
+      - linkListType: learn
+        links:
+
+          - text: Azure Security Fundamentals
+            url: ../fundamentals/index.yml
+          - text: Azure Security Center
+            url: ../../security-center/index.yml
+          - text: Azure Key Vault
+            url: ../../key-vault/index.yml

articles/security/benchmarks/introduction.md

@@ -0,0 +1,38 @@
+---
+title: Azure Security Benchmark Introduction
+description: Security Benchmark introduction
+author: msmbaldwin
+manager: rkarlin
+
+ms.service: security
+ms.topic: conceptual
+ms.date: 12/16/2019
+ms.author: mbaldwin
+ms.custom: security-baselines
+
+---
+
+# Azure security benchmarks introduction
+
+You may have several years or even decades of experience with on-premises computing. You know how to secure those deployments. But the cloud is different. How do you know if your cloud deployments are secure? What are the differences between security practices for on-premises systems and security practices for cloud deployments?
+
+There is a large collection of white papers, best practices, reference architectures, web guidance, open-source tools, commercial solutions, intelligence feeds, and more that can be used to help secure the cloud. Which option should you use? What can you do to get an acceptable level of security in the cloud? 
+
+One of the best ways to secure your cloud deployments is to focus on cloud security benchmark recommendations. Benchmark recommendations for securing any service begin with a fundamental understanding of cybersecurity risk and how to manage it. You can then use this understanding by adopting benchmark security recommendations from your cloud service provider to help select specific security configuration settings in your environment. 
+
+The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure most of the services you use in Azure. You can think of these recommendations as "general" or "organizational" as they are applicable to most Azure services. The Azure Security Benchmark recommendations are then customized for each Azure service, and this customized guidance is contained in service recommendations articles. 
+
+The Azure Security Benchmark documentation specify Security Controls and Service Recommendations.
+
+- **Security Controls**: The Azure Security Benchmark recommendations are categorized by security controls. Security controls represent high-level vendor-agnostic security requirements, such as network security and data protection. Each security control has a set of security recommendations and instructions that help you enable those recommendations. 
+- **Service Recommendations**: When available, benchmark recommendations for Azure services will include Azure Security Benchmark recommendations that are tailored for the service, as well as additional recommendations that are unique for the particular service. 
+
+The terms "Control", "Benchmark", and "Baseline" are used often in the Azure Security Benchmark documentation and it's important to understand how Azure uses those terms. 
+
+| Term | Description | Example |
+|--|--|--|
+| Control | A **control** is a high-level description of a feature or activity that needs to be addressed, and is not specific to a technology or implementation. | Data Protection is one of the security controls. This control contains specific actions that need to be addressed to help ensure data is protected. |
+| Benchmark | A **benchmark** contains security recommendations for a specific technology, such as Azure. The recommendations are categorized by the control to which they belong. | The Azure Security benchmark comprises the security recommendations specific to the Azure platform  |
+| Baseline | A **baseline** is the security requirements for an organization. The security requirements are based on benchmark recommendations. Each organization decides which benchmark recommendations to include in their baseline. | The Contoso company creates its security baseline by choosing to require specific recommendations in the Azure Security Benchmark. |
+
+We welcome your feedback on the Azure Security Benchmark! We encourage you to provide comments in the feedback area below. If you prefer to share your input more privately with the Azure Security Benchmark team, you are welcome to fill out the form at https://aka.ms/AzSecBenchmark 

articles/security/benchmarks/overview.md

@@ -0,0 +1,50 @@
+---
+title: Azure Security Benchmark Overview
+description: Security Benchmark overview
+author: msmbaldwin
+manager: rkarlin
+
+ms.service: security
+ms.topic: conceptual
+ms.date: 12/16/2019
+ms.author: mbaldwin
+ms.custom: security-baselines
+
+---
+
+# Overview
+
+The Azure Security Benchmark contains recommendations that help you improve the security of your applications and data on Azure.   
+
+This Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls Version 7.1 
+
+The following controls are used in the Azure Security Benchmark: 
+
+- Network security 
+- Logging & Monitoring 
+- Identity and Access Control 
+- Data protection 
+- Identity & Access Management 
+- Data Protection 
+- Vulnerability Management 
+- Inventory & Asset Management 
+- Secure Configuration 
+- Malware Defense 
+- Data Recovery 
+- Incident Response 
+- Penetration Tests and Red Teaming 
+
+## Azure Security Benchmark Recommendations 
+
+Each recommendation includes the following information: 
+
+- **Azure ID**: The Azure Security Benchmark ID that corresponds to the recommendation. 
+- **CIS ID(s)**: The CIS benchmark recommendation # that corresponds to this recommendation.  
+- **Responsibility**: Whether the customer or the service-provider (or both) is (are) responsible for implementing this recommendation. Security responsibilities are shared in the public cloud. Some security controls are only available to the cloud service provider and therefore the provider is responsible  for addressing those. These are general observations – for some individual services, the responsibility will be different than what is listed in the Azure Security Benchmark. Those differences are described in the baseline recommendations for the individual service. 
+- **Details**: The rationale for the recommendation and links to guidance on how to implement the recommendation. If the recommendation is supported by Azure Security Center, that information will be listed here.  
+
+We welcome your detailed feedback and active participation in the Azure Security Benchmark effort. If you would like to provide the Benchmark team direct input, please fill out the form at [https://aka.ms/AzSecBenchmark](https://aka.ms/AzSecBenchmark).
+
+## Next Steps
+
+Read the [Azure Security Benchmark Overview](overview.md)

articles/security/benchmarks/security-control-data-protection.md

@@ -0,0 +1,164 @@
+---
+title: Azure Security Control - Data Protection
+description: Security Control Data Protection
+author: msmbaldwin
+manager: rkarlin
+
+ms.service: security
+ms.topic: conceptual
+ms.date: 12/30/2019
+ms.author: mbaldwin
+ms.custom: security-recommendations
+
+---
+
+# Security Control: Data Protection
+
+Data protection recommendations focus on addressing issues related to encryption, access control lists, identity-based access control, and audit logging for data access.
+
+## 4.1: Maintain an inventory of sensitive Information
+
+| Azure ID | CIS IDs | Responsibility |
+|--|--|--|
+| 4.1 | 13.1 | Customer |
+
+Use Tags to assist in tracking Azure resources that store or process sensitive information.
+
+How to create and use Tags:
+
+https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags
+
+## 4.2: Isolate systems storing or processing sensitive information
+
+| Azure ID | CIS IDs | Responsibility |
+|--|--|--|
+| 4.2 | 13.2 | Customer |
+
+Implement separate subscriptions and/or management groups for development, test, and production. Resources should be separated by VNet/Subnet, tagged appropriately, and secured by an NSG or Azure Firewall. Resources storing or processing sensitive data should be sufficiently isolated. For Virtual Machines storing or processing sensitive data, implement policy and procedure(s) to turn them off when not in use.
+
+How to create additional Azure subscriptions:
+
+https://docs.microsoft.com/azure/billing/billing-create-subscription
+
+How to create Management Groups:
+
+https://docs.microsoft.com/azure/governance/management-groups/create
+
+How to create and use Tags:
+
+https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags
+
+How to create a Virtual Network:
+
+https://docs.microsoft.com/azure/virtual-network/quick-create-portal
+
+How to create an NSG with a Security Config:
+
+https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
+
+How to deploy Azure Firewall:
+
+https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal
+
+How to configure alert or alert and deny with Azure Firewall:
+
+https://docs.microsoft.com/azure/firewall/threat-intel
+
+## 4.3: Monitor and block unauthorized transfer of sensitive information
+
+| Azure ID | CIS IDs | Responsibility |
+|--|--|--|
+| 4.3 | 13.3 | Customer |
+
+Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
+
+## 4.4: Encrypt all sensitive information in transit
+
+| Azure ID | CIS IDs | Responsibility |
+|--|--|--|
+| 4.4 | 14.4 | Shared |
+
+Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater.
+
+Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
+
+Understanding encryption in transit with Azure:
+
+https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
+
+## 4.5: Use an active discovery tool to identify sensitive data
+
+| Azure ID | CIS IDs | Responsibility |
+|--|--|--|
+| 4.5 | 14.5 | Customer |
+
+When no feature is available for your specific service in Azure, use a third-party active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site, or at a remote service provider, and update the organization's sensitive information inventory.
+
+Use Azure Information Protection for identifying sensitive information within Office 365 documents.
+
+Use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.
+
+How to implement Azure SQL Data Discovery:
+
+https://docs.microsoft.com/azure/sql-database/sql-database-data-discovery-and-classification
+
+How to implement Azure Information Protection:
+
+https://docs.microsoft.com/azure/information-protection/deployment-roadmap
+
+## 4.6: Use Azure RBAC to control access to resources
+
+| Azure ID | CIS IDs | Responsibility |
+|--|--|--|
+| 4.6 | 14.6 | Customer |
+
+Use Azure AD RBAC to control access to data and resources, otherwise use service specific access control methods.
+
+Understanding Azure RBAC:
+
+https://docs.microsoft.com/azure/role-based-access-control/overview
+
+How to configure RBAC in Azure:
+
+https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal
+
+## 4.7: Use host-based data loss prevention to enforce access control
+
+| Azure ID | CIS IDs | Responsibility |
+|--|--|--|
+| 4.7 | 14.7 | Customer |
+
+Implement a third-party tool, such as an automated host-based Data Loss Prevention solution, to enforce access controls to data even when data is copied off a system.
+
+## 4.8: Encrypt sensitive information at rest
+
+| Azure ID | CIS IDs | Responsibility |
+|--|--|--|
+| 4.8 | 14.8 | Customer |
+
+Use  encryption at rest on all Azure resources. Microsoft recommends allowing Azure to manage your encryption keys, however there is the option for you to manage your own keys in some instances. 
+
+Understand encryption at rest in Azure:
+
+https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest
+
+How to configure customer managed encryption keys:
+
+https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal
+
+## 4.9: Log and alert on changes to critical Azure resources
+
+| Azure ID | CIS IDs | Responsibility |
+|--|--|--|
+| 4.9 | 14.9 | Customer |
+
+Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to critical Azure resources.
+
+How to create alerts for Azure Activity Log events:
+
+https://docs.microsoft.com/azure/azure-monitor/platform/alerts-activity-log
+
+## Next steps
+
+See the next security control: [Vulnerability Management](security-control-vulnerability-management.md)
+