The NIST 800-53 standard has over 400 controls that span a multitude of domains, from Access Control to System and Information Integrity:
- AC: Access Control
- AT: Awareness and Training
- AU: Audit and Accountability
- CA: Security Assessment and Authorization
- CM: Configuration Management
- CP: Contingency Planning
- IA: Identification and Authentication
- IR: Incident Response
- MA: Maintenance
- MP: Media Protection
- PE: Physical and Environmental Protection
- PL: Planning
- PS: Personnel Security
- RA: Risk Assessment
- SA: System and Services Acquisition
- SC: System and Communications Protection
- SI: System and Information Integrity
At this time not all security controls can be mapped one-to-one to an Azure service or feature, and the list below could change at any time as more features and services are added to Azure.
Here is the list of controls that can be mapped, according to the official Microsoft Azure documentation. (Remediating a violation or non-compliant control is mostly a manual, error-prone process, but our managed security services solve this problem!)
AC-2 Account Management
This control helps you review accounts that may not comply with your organization’s account management requirements. This security control deals with the auditing of external accounts with read, write and owner permissions on a subscription, and of deprecated accounts. By reviewing the accounts audited, you can take appropriate action to ensure account management requirements are met.
- Deprecated accounts should be removed from your subscription
- Deprecated accounts with owner permissions should be removed from your subscription
- External accounts with owner permissions should be removed from your subscription
- External accounts with read permissions should be removed from your subscription
- External accounts with write permissions should be removed from your subscription
AC-2 (7) Account Management | Role-Based Schemes
Azure implements role-based access control (RBAC) to help you manage who has access to resources in Azure. Using the Azure portal, you can review who has access to Azure resources and their permissions. This control audits the use of Azure Active Directory authentication for SQL Servers and Service Fabric. Using Azure Active Directory authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. Additionally, this control audits the use of custom RBAC rules. Understanding where custom RBAC rules are implemented can help you verify need and proper implementation, as custom RBAC rules are error prone.
- An Azure Active Directory administrator should be provisioned for SQL servers
- Audit usage of custom RBAC rules
- Service Fabric clusters should only use Azure Active Directory for client authentication
AC-2 (12) Account Management | Account Monitoring / Atypical Usage
Just-in-time (JIT) virtual machine access locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. All JIT requests to access virtual machines are logged in the Activity Log, allowing you to monitor for atypical usage. This control helps you audit the monitoring of virtual machines that can support just-in-time access but have not yet been configured.
- Just-In-Time network access control should be applied on virtual machines
AC-4 Information Flow Enforcement
Cross-origin resource sharing (CORS) can allow App Services resources to be requested from an outside domain. Microsoft recommends that you allow only required domains to interact with your API, function, and web applications. This control helps you audit the monitoring of CORS resource access restrictions in Azure Security Center. Understanding CORS implementations can help you verify that information flow controls are implemented.
- CORS should not allow every resource to access your Web Application
AC-5 Separation of Duties
Having only one Azure subscription owner doesn’t allow for administrative redundancy. Conversely, having too many Azure subscription owners can increase the potential for a breach via a compromised owner account. This control helps you maintain an appropriate number of Azure subscription owners by auditing the number of owners for Azure subscriptions. This control also helps you control membership of the Administrators group on Windows virtual machines. Managing subscription owner and virtual machine administrator permissions can help you implement appropriate separation of duties.
- A maximum of 3 owners should be designated for your subscription
- Audit Windows VMs in which the Administrators group contains any of the specified members
- Audit Windows VMs in which the Administrators group does not contain all of the specified members
- There should be more than one owner assigned to your subscription
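As an added example (not from this page and not Microsoft's policy engine), the following Python applies the AC-2 external-account rules and the AC-5 owner-count band above to role assignments exported from a subscription. The records are constructed to resemble the fields of `az role assignment list --all` output, the subscription id is a placeholder, the guest-account test is a UPN heuristic, and the role-to-permission mapping is a simplification of the built-in roles.

```python
"""Owner-count and external-account checks behind the AC-2 and AC-5 policies above.

Added example, not Microsoft's policy logic. The records are constructed to
resemble the fields of `az role assignment list --all` output (principalName,
principalType, roleDefinitionName, scope); the subscription id and account
names are placeholders.
"""

MAX_OWNERS = 3  # "A maximum of 3 owners should be designated for your subscription"
MIN_OWNERS = 2  # "There should be more than one owner assigned to your subscription"

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"

# Constructed sample assignments: four owners, one of them a B2B guest,
# plus a guest reader and a service principal.
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SCOPE},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SCOPE},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SCOPE},
    {"principalName": "dave_partner.example#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Owner", "scope": SCOPE},
    {"principalName": "erin_vendor.example#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Reader", "scope": SCOPE},
    {"principalName": "build-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SCOPE},
]


def is_external(principal_name: str) -> bool:
    """Heuristic: Azure AD B2B guests get a UPN of the form user_domain#EXT#@tenant.
    A directory lookup of userType == "Guest" is the authoritative check."""
    return "#EXT#" in principal_name.upper()


def permission_class(role_name: str) -> str:
    """Simplified mapping of built-in roles onto the owner/write/read buckets
    the AC-2 policies use (assumption: any other role is treated as 'read')."""
    if role_name == "Owner":
        return "owner"
    if role_name == "Contributor":
        return "write"
    return "read"


def audit_subscription(assignments, scope=SCOPE):
    """Return the list of AC-2 / AC-5 findings for one subscription scope.

    Assignments inherited from a management group are outside this example:
    only assignments made directly at the subscription scope are counted.
    """
    at_scope = [a for a in assignments if a["scope"].lower() == scope.lower()]
    owners = [a for a in at_scope if a["roleDefinitionName"] == "Owner"]
    findings = []

    # AC-5: keep the number of owners within the [MIN_OWNERS, MAX_OWNERS] band.
    if len(owners) > MAX_OWNERS:
        findings.append(f"AC-5: {len(owners)} owners exceed the maximum of {MAX_OWNERS}")
    if len(owners) < MIN_OWNERS:
        findings.append(f"AC-5: only {len(owners)} owner(s); more than one owner is required")

    # AC-2: external (guest) accounts should not hold permissions on the subscription.
    for a in at_scope:
        if a["principalType"] == "User" and is_external(a["principalName"]):
            findings.append(
                f"AC-2: external account {a['principalName']} has "
                f"{permission_class(a['roleDefinitionName'])} permissions")
    return findings


if __name__ == "__main__":
    for finding in audit_subscription(ROLE_ASSIGNMENTS):
        print(finding)
```

Run it against a real export by loading the JSON from the CLI into `ROLE_ASSIGNMENTS`; the sample data produces one AC-5 finding (four owners) and two AC-2 findings (a guest owner and a guest reader), which is the same shape of result the built-in policies report as non-compliant resources.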
AC-6 (7) Least Privilege | Review of User Privileges
Azure implements role-based access control (RBAC) to help you manage who has access to resources in Azure. Using the Azure portal, you can review who has access to Azure resources and their permissions. This control audits the accounts that should be prioritized for review. Reviewing these account indicators can help you ensure least privilege controls are implemented.
- A maximum of 3 owners should be designated for your subscription
- Audit Windows VMs in which the Administrators group contains any of the specified members
- Audit Windows VMs in which the Administrators group does not contain all of the specified members
AC-16 Security Attributes
The data discovery and classification capability of advanced data security for Azure SQL Database provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. It can be used to provide visibility into your database classification state, and to track access to sensitive data within the database and beyond its borders. Advanced data security can help you ensure information is associated with the appropriate security attributes for your organization. This control is used to monitor the use of advanced data security on SQL servers.
- Advanced data security should be enabled on your managed instances
- Advanced data security should be enabled on your SQL servers
AC-17 (1) Remote Access | Automated Monitoring / Control
This control helps you monitor and control remote access by auditing that remote debugging for Azure App Service applications is turned off. The control also audits Linux virtual machines that allow remote connections from accounts without passwords. Additionally, the control helps you monitor unrestricted access to storage accounts. Monitoring these indicators can help you ensure remote access methods comply with your security policy.
- Audit Linux VMs that allow remote connections from accounts without passwords
- Audit unrestricted network access to storage accounts
- Remote debugging should be turned off for API App
- Remote debugging should be turned off for Function App
- Remote debugging should be turned off for Web Application
AU-3 (2) Content of Audit Records | Centralized Management of Planned Audit Record Content
Log data collected by Azure Monitor is stored in a Log Analytics workspace, enabling centralized configuration and management. This control helps you ensure events are logged by auditing the deployment of the Log Analytics agent on Azure virtual machines.
- Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
- Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
- Audit Log Analytics Workspace for VM – Report Mismatch
AU-5 Response to Audit Processing Failures
This control audits event logging configurations. Monitoring these configurations can provide an indicator of an audit system failure or misconfiguration and help you take corrective action.
- Audit diagnostic setting
- Audit SQL server level Auditing settings
- Advanced data security should be enabled on your managed instances
- Advanced data security should be enabled on your SQL servers
AU-6 (4) Audit Review, Analysis, and Reporting | Central Review and Analysis
Log data collected by Azure Monitor is stored in a Log Analytics workspace, enabling centralized reporting and analysis. This control helps you ensure events are logged by auditing the Log Analytics agent on Azure virtual machines.
- Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
- Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
- Audit Log Analytics Workspace for VM – Report Mismatch
AU-12 Audit Generation
This control helps you ensure system events are logged by auditing log settings on Azure resources. It audits the deployment of the Log Analytics agent on Azure virtual machines and the configuration of audit settings for other Azure resource types. It also audits the configuration of diagnostic logs to provide insight into operations that are performed within Azure resources. Additionally, it audits that Advanced Data Security is configured on SQL servers.
- Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
- Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
- Audit Log Analytics Workspace for VM – Report Mismatch
- Audit diagnostic setting
- Audit SQL server level Auditing settings
- Advanced data security should be enabled on your managed instances
- Advanced data security should be enabled on your SQL servers
CM-7 (2) Least Functionality | Prevent Program Execution
Adaptive application control in Azure Security Center is an intelligent, automated end-to-end application whitelisting solution that can block or prevent specific software from running on your virtual machines. Application control can run in an enforcement mode that prohibits non-approved applications from running. This control helps you monitor virtual machines where an application whitelist is recommended but has not yet been configured.
- Adaptive Application Controls should be enabled on virtual machines
CM-7 (5) Least Functionality | Authorized Software / Whitelisting
Adaptive application control in Azure Security Center is an intelligent, automated end-to-end application whitelisting solution that can block or prevent specific software from running on your virtual machines. Application control helps you create approved application lists for your virtual machines. This control helps you monitor virtual machines where an application whitelist is recommended but has not yet been configured.
- Adaptive Application Controls should be enabled on virtual machines
CM-11 User-Installed Software
Adaptive application control in Azure Security Center is an intelligent, automated end-to-end application whitelisting solution that can block or prevent specific software from running on your virtual machines. Application control can help you enforce and monitor compliance with software restriction policies. This control helps you monitor virtual machines where an application whitelist is recommended but has not yet been configured.
- Adaptive Application Controls should be enabled on virtual machines
CP-7 Alternate Processing Site
Azure Site Recovery replicates workloads running on virtual machines from a primary location to a secondary location. If an outage occurs at the primary site, the workload fails over to the secondary location. This control audits virtual machines without disaster recovery configured. Monitoring this indicator can help you ensure necessary contingency controls are in place.
- Audit virtual machines without disaster recovery configured
IA-2 (1) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts
This control helps you restrict and control privileged access by auditing accounts with owner and/or write permissions that don’t have multi-factor authentication enabled. Multi-factor authentication helps keep accounts secure even if one piece of authentication information is compromised. By monitoring accounts without multi-factor authentication enabled, you can identify accounts that may be more likely to be compromised.
- MFA should be enabled on accounts with owner permissions on your subscription
- MFA should be enabled on accounts with write permissions on your subscription
IA-2 (2) Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts
This control audits accounts with read permissions that don’t have multi-factor authentication enabled. Multi-factor authentication helps keep accounts secure even if one piece of authentication information is compromised. By monitoring accounts without multi-factor authentication enabled, you can identify accounts that may be more likely to be compromised.
- MFA should be enabled on accounts with read permissions on your subscription
IA-5 Authenticator Management
This control audits Linux virtual machines that allow remote connections from accounts without passwords and/or have incorrect permissions set on the passwd file. It also audits the configuration of the password encryption type for Windows virtual machines. Monitoring these indicators helps you ensure that system authenticators comply with your organization’s identification and authentication policy.
- Audit Linux VMs that do not have the passwd file permissions set to 0644
- Audit Linux VMs that have accounts without passwords
- Audit Windows VMs that do not store passwords using reversible encryption
IA-5 (1) Authenticator Management | Password-Based Authentication
This control helps you enforce strong passwords by auditing Windows virtual machines that don’t enforce minimum strength and other password requirements. Awareness of virtual machines in violation of the password strength policy helps you take corrective actions to ensure passwords for all virtual machine user accounts comply with your organization’s password policy.
- Audit Windows VMs that allow re-use of the previous 24 passwords
- Audit Windows VMs that do not have a maximum password age of 70 days
- Audit Windows VMs that do not have a minimum password age of 1 day
- Audit Windows VMs that do not have the password complexity setting enabled
- Audit Windows VMs that do not restrict the minimum password length to 14 characters
- Audit Windows VMs that do not store passwords using reversible encryption
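The following Python is an added example covering both the IA-5 and the IA-5 (1) checks above; it is not from this page and not Microsoft's guest-configuration code. The Windows side parses the `[System Access]` section of a `secedit /export /cfg` INF file and compares each setting against the thresholds in the policy names (the "maximum password age of 70 days" check is read as "expires, and within 70 days", which is an assumption); the Linux side checks the `/etc/passwd` mode and looks for empty password fields in `/etc/shadow`. All sample data is constructed and the hash is a placeholder.

```python
"""Authenticator checks behind the IA-5 and IA-5 (1) policies listed above.

Added example, not Microsoft's guest-configuration code. The Windows input is
the [System Access] section of a `secedit /export /cfg <file>` INF export; the
Linux input is /etc/shadow content plus the permission bits of /etc/passwd.
All sample data below is constructed (the hash is a placeholder).
"""
import re

# Thresholds taken from the policy names above; the "maximum password age of
# 70 days" check is read as "expires, and within 70 days" (assumption).
WINDOWS_CHECKS = [
    ("PasswordHistorySize", lambda v: v >= 24,
     "re-use of the previous 24 passwords is not prevented"),
    ("MaximumPasswordAge", lambda v: 1 <= v <= 70,
     "maximum password age is not within 1..70 days"),
    ("MinimumPasswordAge", lambda v: v >= 1,
     "minimum password age is below 1 day"),
    ("PasswordComplexity", lambda v: v == 1,
     "password complexity is not enabled"),
    ("MinimumPasswordLength", lambda v: v >= 14,
     "minimum password length is below 14 characters"),
    ("ClearTextPassword", lambda v: v == 0,
     "passwords are stored using reversible encryption"),
]

# Constructed secedit export resembling default local-policy values.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed /etc/shadow: a locked system account and a service account
# whose password field is empty (no password at all, as opposed to '!' or '*').
SAMPLE_SHADOW = """\
root:$6$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc-backup::19000:0:99999:7:::
"""


def parse_secedit_inf(text: str) -> dict:
    """Return the integer settings of the [System Access] section."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[system access]"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            val = val.strip().strip('"')
            if re.fullmatch(r"-?\d+", val):
                values[key.strip()] = int(val)
    return values


def audit_windows_policy(inf_text: str) -> list:
    """IA-5 (1): compare each exported setting against its threshold."""
    values = parse_secedit_inf(inf_text)
    findings = []
    for key, ok, message in WINDOWS_CHECKS:
        if key not in values:
            findings.append(f"IA-5(1): {key} is missing from the export")
        elif not ok(values[key]):
            findings.append(f"IA-5(1): {message} ({key}={values[key]})")
    return findings


def audit_linux_accounts(shadow_text: str, passwd_mode: int) -> list:
    """IA-5: /etc/passwd must be 0644 and no account may have an empty
    password field in /etc/shadow. passwd_mode is st_mode & 0o777."""
    findings = []
    if passwd_mode != 0o644:
        findings.append(f"IA-5: /etc/passwd mode is {passwd_mode:04o}, expected 0644")
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, password_field = line.split(":")[:2]
        if password_field == "":
            findings.append(f"IA-5: account {user} has no password set")
    return findings


if __name__ == "__main__":
    for f in audit_windows_policy(SAMPLE_INF) + audit_linux_accounts(SAMPLE_SHADOW, 0o664):
        print(f)
```

On a real host, feed `audit_linux_accounts` the contents of `/etc/shadow` and `os.stat("/etc/passwd").st_mode & 0o777`; the constructed sample yields three IA-5 (1) findings (history, minimum age and minimum length) and two IA-5 findings (a 0664 passwd file and an account with an empty password field).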
RA-5 Vulnerability Scanning
This control helps you manage information system vulnerabilities by monitoring operating system vulnerabilities, SQL vulnerabilities, and virtual machine vulnerabilities in Azure Security Center. Azure Security Center provides reporting capabilities that enable you to have real-time insight into the security state of deployed Azure resources. This control audits Advanced Data Security on SQL servers. Advanced data security includes vulnerability assessment and advanced threat protection capabilities to help you understand vulnerabilities in your deployed resources.
- Advanced data security should be enabled on your managed instances
- Advanced data security should be enabled on your SQL servers
- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
- Vulnerabilities in security configuration on your virtual machines should be remediated
- Vulnerabilities on your SQL databases should be remediated
- Vulnerabilities should be remediated by a Vulnerability Assessment solution
SC-5 Denial of Service Protection
Azure’s distributed denial of service (DDoS) standard tier provides additional features and mitigation capabilities over the basic service tier. These additional features include Azure Monitor integration and the ability to review post-attack mitigation reports. This control audits whether the DDoS standard tier is enabled. Understanding the capability difference between the service tiers can help you select the best solution to address denial of service protections for your Azure environment.
- DDoS Protection Standard should be enabled
SC-7 Boundary Protection
This control helps you manage and control the system boundary by monitoring for network security group hardening recommendations in Azure Security Center. Azure Security Center analyzes traffic patterns of Internet-facing virtual machines and provides network security group rule recommendations to reduce the potential attack surface. Additionally, this blueprint also assigns policy definitions that monitor unprotected endpoints, applications, and storage accounts. Endpoints and applications that aren’t protected by a firewall, and storage accounts with unrestricted access, can allow unintended access to information contained within the information system.
- Network Security Group Rules for Internet facing virtual machines should be hardened
- Access through Internet facing endpoint should be restricted
- The NSGs rules for web applications on IaaS should be hardened
- Audit unrestricted network access to storage accounts
SC-7 (3) Boundary Protection | Access Points
Just-in-time (JIT) virtual machine access locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. JIT virtual machine access helps you limit the number of external connections to your resources in Azure. This control helps you monitor virtual machines that can support just-in-time access but have not yet been configured.
- Just-In-Time network access control should be applied on virtual machines
SC-7 (4) Boundary Protection | External Telecommunications Services
Just-in-time (JIT) virtual machine access locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. JIT virtual machine access helps you manage exceptions to your traffic flow policy by facilitating the access request and approval processes. This control helps you monitor virtual machines that can support just-in-time access but have not yet been configured.
- Just-In-Time network access control should be applied on virtual machines
SC-8 (1) Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection
This control helps you protect the confidentiality and integrity of transmitted information by monitoring the cryptographic mechanisms implemented for communications protocols. Ensuring communications are properly encrypted can help you meet your organization’s requirements for protecting information from unauthorized disclosure and modification.
- API App should only be accessible over HTTPS
- Audit Windows web servers that are not using secure communication protocols
- Function App should only be accessible over HTTPS
- Only secure connections to your Redis Cache should be enabled
- Secure transfer to storage accounts should be enabled
- Web Application should only be accessible over HTTPS
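Three of the control families above (AC-4 CORS restrictions, AC-17 (1) remote debugging, and the SC-8 (1) HTTPS-only policies) evaluate the same App Service configuration, so one added example serves all of them. This Python is not from this page and not Microsoft's policy definitions; each record is shaped like the properties of a `Microsoft.Web/sites` resource (`httpsOnly` at the top level, `cors.allowedOrigins`, `remoteDebuggingEnabled` and `minTlsVersion` under `siteConfig`), the three sites are constructed, and the minimum-TLS check goes slightly beyond the policies listed above.

```python
"""App Service configuration checks behind the CORS (AC-4), remote debugging
(AC-17 (1)) and HTTPS-only (SC-8 (1)) policies listed above.

Added example, not Microsoft's policy definitions. Each record is shaped like
the properties of a Microsoft.Web/sites resource: `httpsOnly` at the top
level and `cors.allowedOrigins`, `remoteDebuggingEnabled` and `minTlsVersion`
under `siteConfig`. The minimum-TLS check goes slightly beyond the listed
policies. The three sites are constructed.
"""

SITES = [
    {"name": "api-orders", "kind": "api", "httpsOnly": False,
     "siteConfig": {"remoteDebuggingEnabled": True, "minTlsVersion": "1.0",
                    "cors": {"allowedOrigins": ["*"]}}},
    {"name": "fn-ingest", "kind": "functionapp", "httpsOnly": True,
     "siteConfig": {"remoteDebuggingEnabled": False, "minTlsVersion": "1.2",
                    "cors": {"allowedOrigins": ["https://portal.contoso.example"]}}},
    {"name": "web-portal", "kind": "app", "httpsOnly": True,
     "siteConfig": {"remoteDebuggingEnabled": False, "minTlsVersion": "1.2",
                    "cors": None}},  # no CORS block at all is compliant
]

ACCEPTED_TLS = ("1.2", "1.3")


def audit_site(site: dict) -> list:
    """Return the findings for one site; an empty list means compliant."""
    cfg = site.get("siteConfig") or {}
    origins = (cfg.get("cors") or {}).get("allowedOrigins") or []
    findings = []

    # AC-4: a wildcard origin lets any domain call the app's endpoints.
    if any(o.strip() == "*" for o in origins):
        findings.append("AC-4: CORS allows every origin ('*')")

    # AC-17 (1): remote debugging opens an inbound management channel.
    if cfg.get("remoteDebuggingEnabled"):
        findings.append("AC-17(1): remote debugging is enabled")

    # SC-8 (1): plain HTTP must be refused, and the TLS floor kept at 1.2+.
    if not site.get("httpsOnly"):
        findings.append("SC-8(1): httpsOnly is false, plain HTTP is accepted")
    if cfg.get("minTlsVersion") not in ACCEPTED_TLS:
        findings.append(f"SC-8(1): minimum TLS version {cfg.get('minTlsVersion')} is below 1.2")
    return findings


def audit_sites(sites) -> dict:
    """Map each site name to its findings, so compliant sites show as []."""
    return {s["name"]: audit_site(s) for s in sites}


if __name__ == "__main__":
    for name, findings in audit_sites(SITES).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The sample flags every check on `api-orders` and nothing on the other two sites; a missing `cors` block is treated as compliant because the policy objects to a wildcard origin, not to the absence of CORS.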
SC-28 (1) Protection of Information at Rest | Cryptographic Protection
This control helps you enforce your policy on the use of cryptographic controls to protect information at rest by auditing specific cryptographic controls and the use of weak cryptographic settings. Understanding where your Azure resources may have non-optimal cryptographic configurations can help you take corrective actions to ensure resources are configured in accordance with your information security policy.
- Advanced data security should be enabled on your managed instances
- Advanced data security should be enabled on your SQL servers
- Disk encryption should be applied on virtual machines
- Require encryption on Data Lake Store accounts
- Transparent Data Encryption on SQL databases should be enabled
SI-2 Flaw Remediation
This control helps you manage information system flaws by monitoring missing system updates, operating system vulnerabilities, SQL vulnerabilities, and virtual machine vulnerabilities in Azure Security Center. Azure Security Center provides reporting capabilities that enable you to have real-time insight into the security state of deployed Azure resources.
- Require automatic OS image patching on Virtual Machine Scale Sets
- System updates on virtual machine scale sets should be installed
- System updates should be installed on your virtual machines
- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
- Vulnerabilities in security configuration on your virtual machines should be remediated
- Vulnerabilities on your SQL databases should be remediated
- Vulnerabilities should be remediated by a Vulnerability Assessment solution
SI-3 Malicious Code Protection
This control helps you manage endpoint protection, including malicious code protection, by auditing for missing endpoint protection on virtual machines in Azure Security Center.
- Endpoint protection solution should be installed on virtual machine scale sets
- Monitor missing Endpoint Protection in Azure Security Center
SI-3 (1) Malicious Code Protection | Central Management
This control helps you manage endpoint protection, including malicious code protection, by auditing for missing endpoint protection on virtual machines in Azure Security Center. Azure Security Center provides centralized management and reporting capabilities that enable you to have real-time insight into the security state of deployed Azure resources.
- Endpoint protection solution should be installed on virtual machine scale sets
- Monitor missing Endpoint Protection in Azure Security Center
SI-4 Information System Monitoring
This control helps you monitor your system by auditing logging and data security across Azure resources. Specifically, the control audits the deployment of the Log Analytics agent, and enhanced security settings for SQL databases, storage accounts and network resources. These capabilities can help you detect anomalous behavior and indicators of attacks so you can take appropriate action.
- Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
- Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
- Audit Log Analytics Workspace for VM – Report Mismatch
- Advanced data security should be enabled on your managed instances
- Advanced data security should be enabled on your SQL servers
SI-4 (18) Information System Monitoring | Analyze Traffic / Covert Exfiltration
Advanced Threat Protection for Azure Storage detects unusual and potentially harmful attempts to access or exploit storage accounts. Protection alerts include anomalous access patterns, anomalous extracts/uploads, and suspicious storage activity. These indicators can help you detect covert exfiltration of information.
- Audit the deployment of Advanced Threat Protection on Storage Accounts