-[How to create and use Tags](https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags)
## 4.2: Isolate systems storing or processing sensitive information
| Azure ID | CIS IDs | Responsibility |
|--|--|--|
-
| 4.2 | 13.2 | Customer |
-
-
Implement separate subscriptions and/or management groups for development, test, and production. Resources should be separated by VNet/Subnet, tagged appropriately, and secured by an NSG or Azure Firewall. Resources storing or processing sensitive data should be sufficiently isolated. For Virtual Machines storing or processing sensitive data, implement policy and procedure(s) to turn them off when not in use.
Implement isolation using separate subscriptions and management groups for individual security domains such as environment type and data sensitivity level. You can restrict the level of access to your Azure resources that your applications and enterprise environments demand. You can control access to Azure resources via Azure Active Directory role-based access control.
-
How to deploy Azure Firewall:
+
-[How to create additional Azure subscriptions](https://docs.microsoft.com/azure/billing/billing-create-subscription)
-[How to create and use tags](https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags)
## 4.3: Monitor and block unauthorized transfer of sensitive information
| Azure ID | CIS IDs | Responsibility |
|--|--|--|
-
| 4.3 | 13.3 | Customer |
+
| 4.3 | 13.3 | Shared |
+
+
Leverage a third-party solution from Azure Marketplace on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
+
+
For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
-
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
+
-[Understand customer data protection in Azure](https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data)
## 4.4: Encrypt all sensitive information in transit
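Review bot: in the 4.3 platform paragraph the subject and verb disagree, "Microsoft treats all customer content as sensitive and guard against customer data loss" should read "guards against", and "For the underlying platform which is managed by Microsoft" wants a comma after "platform". In the 4.2 block, the removed row `| 4.2 | 13.2 | Customer |` has no replacement row visible in this hunk, which would leave a header-only table, and the rewrite drops both the NSG/Azure Firewall segmentation sentence and the "How to deploy Azure Firewall:" link heading without a substitute; confirm both are intentional or restore the row and a network isolation pointer.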
@@ -82,53 +60,47 @@ Encrypt all sensitive information in transit. Ensure that any clients connecting
Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
-[Understand encryption in transit with Azure](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
## 4.5: Use an active discovery tool to identify sensitive data
| Azure ID | CIS IDs | Responsibility |
|--|--|--|
-
| 4.5 | 14.5 |Customer|
+
| 4.5 | 14.5 |Shared|
When no feature is available for your specific service in Azure, use a third-party active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site, or at a remote service provider, and update the organization's sensitive information inventory.
Use Azure Information Protection for identifying sensitive information within Office 365 documents.
Use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.
-[How to configure RBAC in Azure](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal)
## 4.7: Use host-based data loss prevention to enforce access control
| Azure ID | CIS IDs | Responsibility |
|--|--|--|
-
| 4.7 | 14.7 | Customer |
+
| 4.7 | 14.7 | Shared |
+
+
If required for compliance on compute resources, implement a third-party tool, such as an automated host-based Data Loss Prevention solution, to enforce access controls to data even when data is copied off a system.
-
Implement a third-party tool, such as an automated host-based Data Loss Prevention solution, to enforce access controls to data even when data is copied off a system.
+
For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
+
+
-[Understand customer data protection in Azure](https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data)
## 4.8: Encrypt sensitive information at rest
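Review bot: the 4.5 row changes Responsibility from Customer to Shared but, unlike 4.3 and 4.7 in this same change, no sentence is added describing Microsoft's part of the control, and the surrounding guidance still reads as customer-only; either add the platform paragraph with its link or leave the row as Customer. The 4.7 platform paragraph also repeats the 4.3 one with different wording ("goes to great lengths to guard against" versus "guard against"); use a single phrasing in both sections.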
@@ -138,13 +110,9 @@ Implement a third-party tool, such as an automated host-based Data Loss Preventi
Use encryption at rest on all Azure resources. Microsoft recommends allowing Azure to manage your encryption keys, however there is the option for you to manage your own keys in some instances.
-[How to backup key vault keys in Azure](https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0)
## 9.3: Validate all backups including customer managed keys
| Azure ID | CIS IDs | Responsibility |
|--|--|--|
| 9.3 | 10.3 | Customer |
-
Ensure ability to periodically perform data restoration of content within Azure Backup. If necessary, test restore to an isolated VLAN. Test restoration of backed up customer managed keys.
-
-
How to recover files from Azure Virtual Machine backup:
+
Ensure ability to periodically perform data restoration of content within Azure Backup. Test restoration of backed up customer managed keys.
-[How to restore key vault keys in Azure](https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0)
## 9.4: Ensure protection of backups and customer managed keys
| Azure ID | CIS IDs | Responsibility |
|--|--|--|
| 9.4 | 10.4 | Customer |
-
For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE). You may enable Soft-Delete in Key Vault to protect keys against accidental or malicious deletion.
+
For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE). Use role-based access control to protect backups and customer managed keys.
+
+
Enable Soft-Delete and purge protection in Key Vault to protect keys against accidental or malicious deletion. If Azure Storage is used to store backups, enable soft delete to save and recover your data when blobs or blob snapshots are deleted.
-[How to enable Soft-Delete and Purge protection in Key Vault](https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal)
-
How to enable Soft-Delete in Key Vault:
+
-[Soft delete for Azure Storage blobs](https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal)
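Review bot: the link text "How to enable Soft-Delete and Purge protection in Key Vault" points at https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal, which is the Azure Storage blob soft-delete page and the same URL as the new "Soft delete for Azure Storage blobs" entry added two rows below; point it at the Key Vault soft-delete and purge-protection documentation instead so the new "Enable Soft-Delete and purge protection in Key Vault" guidance in 9.4 has a matching reference. The reworded 9.4 paragraph also introduces "Use role-based access control to protect backups and customer managed keys" with no corresponding link, while 9.3 drops "If necessary, test restore to an isolated VLAN." and the "How to recover files from Azure Virtual Machine backup:" heading without a replacement; confirm those removals are intended.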