NIST 800-53 controls mapped to Azure services and features

The NIST 800-53 standard has over 400 controls that span a multitude of domains, from Access Control to System and Information Integrity:

  • AC.Access Control
  • AT.Awareness and Training
  • AU.Audit and Accountability
  • CA.Security Assessment and Authorization
  • CM.Configuration Management
  • CP.Contingency Planning
  • IA.Identification and Authentication
  • IR.Incident Response
  • MA.Maintenance
  • MP.Media Protection
  • PE.Physical and Environmental Protection
  • PL.Planning
  • PS.Personnel Security
  • RA.Risk Assessment
  • SA.System and Services Acquisition
  • SC.System and Communications Protection
  • SI.System and Information Integrity

At this time not all the security controls can be mapped one-to-one to an Azure service or feature and the list below could change at any given time, as more features and services are added to Azure.

Here is a list of controls that can be mapped, according to the official Microsoft Azure documentation (the remediation of any violation/non-compliance controls is mostly a manual process prone to errors, but our managed security services solve this problem!)

AC-2 Account Management

This control helps you review accounts that may not comply with your organization’s account management requirements. This security control deals with the auditing of external accounts with read, write and owner permissions on a subscription and deprecated accounts. By reviewing the accounts audited, you can take appropriate action to ensure account management requirements are met.

  • Deprecated accounts should be removed from your subscription
  • Deprecated accounts with owner permissions should be removed from your subscription
  • External accounts with owner permissions should be removed from your subscription
  • External accounts with read permissions should be removed from your subscription
  • External accounts with write permissions should be removed from your subscription

AC-2 (7) Account Management | Role-Based Schemes

Azure implements role-based access control (RBAC) to help you manage who has access to resources in Azure. Using the Azure portal, you can review who has access to Azure resources and their permissions. This control is auditing the use of Azure Active Directory authentication for SQL Servers and Service Fabric. Using Azure Active Directory authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. Additionally, this control is auditing the use of custom RBAC rules. Understanding where custom RBAC rules are implemented can help you verify need and proper implementation, as custom RBAC rules are error prone.

  • An Azure Active Directory administrator should be provisioned for SQL servers
  • Audit usage of custom RBAC rules
  • Service Fabric clusters should only use Azure Active Directory for client authentication

AC-2 (12) Account Management | Account Monitoring / Atypical Usage

Just-in-time (JIT) virtual machine access locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. All JIT requests to access virtual machines are logged in the Activity Log allowing you to monitor for atypical usage. This control helps you audit the monitoring of virtual machines that can support just-in-time access but have not yet been configured.

  • Just-In-Time network access control should be applied on virtual machines

AC-4 Information Flow Enforcement

Cross origin resource sharing (CORS) can allow App Services resources to be requested from an outside domain. Microsoft recommends that you allow only required domains to interact with your API, function, and web applications. This control helps you audit the monitoring of CORS resources access restrictions in Azure Security Center. Understanding CORS implementations can help you verify that information flow controls are implemented.

  • CORS should not allow every resource to access your Web Application

AC-5 Separation of Duties

Having only one Azure subscription owner doesn’t allow for administrative redundancy. Conversely, having too many Azure subscription owners can increase the potential for a breach via a compromised owner account. This control helps you maintain an appropriate number of Azure subscription owners by auditing the number of owners for Azure subscriptions. This control also help you control membership of the Administrators group on Windows virtual machines. Managing subscription owner and virtual machine administrator permissions can help you implement appropriate separation of duties.

  • A maximum of 3 owners should be designated for your subscription
  • Audit Windows VMs in which the Administrators group contains any of the specified members
  • Audit Windows VMs in which the Administrators group does not contain all of the specified members
  • There should be more than one owner assigned to your subscription

AC-6 (7) Least Privilege | Review of User Privileges

Azure implements role-based access control (RBAC) to help you manage who has access to resources in Azure. Using the Azure portal, you can review who has access to Azure resources and their permissions. This control is auditing the accounts that should be prioritized for review. Reviewing these account indicators can help you ensure least privilege controls are implemented.

  • A maximum of 3 owners should be designated for your subscription
  • Audit Windows VMs in which the Administrators group contains any of the specified members
  • Audit Windows VMs in which the Administrators group does not contain all of the specified members

AC-16 Security Attributes

The data discovery and classification capability of advanced data security for Azure SQL Database provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. It can be used to provide visibility into your database classification state, and to track the access to sensitive data within the database and beyond its borders. Advanced data security can help you ensure information as associated with the appropriate security attributes for your organization. This control is used to monitor the use of advanced data security on SQL server.

  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers

AC-17 (1) Remote Access | Automated Monitoring / Control

This controls helps you monitor and control remote access by auditing that remote debugging for Azure App Service application is turned off. The controls also is auditing Linux virtual machines that allow remote connections from accounts without passwords. Additionally, the control helps you monitor unrestricted access to storage accounts. Monitoring these indicators can help you ensure remote access methods comply with your security policy.

  • Audit Linux VMs that allow remote connections from accounts without passwords
  • Audit unrestricted network access to storage accounts
  • Remote debugging should be turned off for API App
  • Remote debugging should be turned off for Function App
  • Remote debugging should be turned off for Web Application

AU-3 (2) Content of Audit Records | Centralized Management of Planned Audit Record Content

Log data collected by Azure Monitor is stored in a Log Analytics workspace enabling centralized configuration and management. This control helps you ensure events are logged by auditing the deployment of the Log Analytics agent on Azure virtual machines.

  • Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
  • Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
  • Audit Log Analytics Workspace for VM – Report Mismatch

AU-5 Response to Audit Processing Failures

This control is auditing event logging configurations. Monitoring these configurations can provide an indicator of an audit system failure or misconfiguration and help you take corrective action.

  • Audit diagnostic setting
  • Audit SQL server level Auditing settings
  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers

AU-6 (4) Audit Review, Analysis, and Reporting | Central Review and Analysis

Log data collected by Azure Monitor is stored in a Log Analytics workspace enabling centralized reporting and analysis. This control helps you ensure events are logged by auditing the Log Analytics agent on Azure virtual machines.

  • Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
  • Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
  • Audit Log Analytics Workspace for VM – Report Mismatch

AU-12 Audit Generation

This control helps you ensure system events are logged by auditing log settings on Azure resources. Also auditing the deployment of the Log Analytics agent on Azure virtual machines and configuration of audit settings for other Azure resource types. It also audits configuration of diagnostic logs to provide insight into operations that are performed within Azure resources. Additionally, is auditing that the Advanced Data Security is configured on SQL servers.

  • Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
  • Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
  • Audit Log Analytics Workspace for VM – Report Mismatch
  • Audit diagnostic setting
  • Audit SQL server level Auditing settings
  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers

CM-7 (2) Least Functionality | Prevent Program Execution

Adaptive application control in Azure Security Center is an intelligent, automated end-to-end application whitelisting solution that can block or prevent specific software from running on your virtual machines. Application control can run in an enforcement mode that prohibits non-approved application from running. This control helps you monitor virtual machines where an application whitelist is recommended but has not yet been configured.

  • Adaptive Application Controls should be enabled on virtual machines

CM-7 (5) Least Functionality | Authorized Software / Whitelisting

Adaptive application control in Azure Security Center is an intelligent, automated end-to-end application whitelisting solution that can block or prevent specific software from running on your virtual machines. Application control helps you create approved application lists for your virtual machines. This control helps you monitor virtual machines where an application whitelist is recommended but has not yet been configured.

  • Adaptive Application Controls should be enabled on virtual machines

CM-11 User-Installed Software

Adaptive application control in Azure Security Center is an intelligent, automated end-to-end application whitelisting solution that can block or prevent specific software from running on your virtual machines. Application control can help you enforce and monitor compliance with software restriction policies. This control helps you monitor virtual machines where an application whitelist is recommended but has not yet been configured.

  • Adaptive Application Controls should be enabled on virtual machines

CP-7 Alternate Processing Site

Azure Site Recovery replicates workloads running on virtual machines from a primary location to a secondary location. If an outage occurs at the primary site, the workload fails over the secondary location. This control audits virtual machines without disaster recovery configured. Monitoring this indicator can help you ensure necessary contingency controls are in place.

  • Audit virtual machines without disaster recovery configured

IA-2 (1) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts

This control helps you restrict and control privileged access by auditing accounts with owner and/or write permissions that don’t have multi-factor authentication enabled. Multi-factor authentication helps keep accounts secure even if one piece of authentication information is compromised. By monitoring accounts without multi-factor authentication enabled, you can identify accounts that may be more likely to be compromised.

  • MFA should be enabled on accounts with owner permissions on your subscription
  • MFA should be enabled on accounts with write permissions on your subscription

IA-2 (2) Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts

This control is auditing accounts with read permissions that don’t have multi-factor authentication enabled. Multi-factor authentication helps keep accounts secure even if one piece of authentication information is compromised. By monitoring accounts without multi-factor authentication enabled, you can identify accounts that may be more likely to be compromised.

  • MFA should be enabled on accounts with read permissions on your subscription

IA-5 Authenticator Management

This control is auditing Linux virtual machines that allow remote connections from accounts without passwords and/or have incorrect permissions set on the passwd file. This control also is auditing the configuration of the password encryption type for Windows virtual machines. Monitoring these indicators helps you ensure that system authenticators comply with your organization’s identification and authentication policy.

  • Audit Linux VMs that do not have the passwd file permissions set to 0644
  • Audit Linux VMs that have accounts without passwords
  • Audit Windows VMs that do not store passwords using reversible encryption

IA-5 (1) Authenticator Management | Password-Based Authentication

This control helps you enforce strong passwords by auditing Windows virtual machines that don’t enforce minimum strength and other password requirements. Awareness of virtual machines in violation of the password strength policy helps you take corrective actions to ensure passwords for all virtual machine user accounts comply with your organization’s password policy.

  • Audit Windows VMs that allow re-use of the previous 24 passwords
  • Audit Windows VMs that do not have a maximum password age of 70 days
  • Audit Windows VMs that do not have a minimum password age of 1 day
  • Audit Windows VMs that do not have the password complexity setting enabled
  • Audit Windows VMs that do not restrict the minimum password length to 14 characters
  • Audit Windows VMs that do not store passwords using reversible encryption

RA-5 Vulnerability Scanning

This control helps you manage information system vulnerabilities by monitoring operating system vulnerabilities, SQL vulnerabilities, and virtual machine vulnerabilities in Azure Security Center. Azure Security Center provides reporting capabilities that enable you to have real-time insight into the security state of deployed Azure resources. This control is auditing the Advanced Data Security on SQL servers. Advanced data security included vulnerability assessment and advanced threat protection capabilities to help you understand vulnerabilities in your deployed resources.

  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers
  • Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
  • Vulnerabilities in security configuration on your virtual machines should be remediated
  • Vulnerabilities on your SQL databases should be remediated
  • Vulnerabilities should be remediated by a Vulnerability Assessment solution

SC-5 Denial of Service Protection

Azure’s distributed denial of service (DDoS) standard tier provides additional features and mitigation capabilities over the basic service tier. These additional features include Azure Monitor integration and the ability to review post-attack mitigation reports. This control audits if the DDoS standard tier is enabled. Understanding the capability difference between the service tiers can help you select the best solution to address denial of service protections for your Azure environment.

  • DDoS Protection Standard should be enabled

SC-7 Boundary Protection

This control helps you manage and control the system boundary by monitoring for network security group hardening recommendations in Azure Security Center. Azure Security Center analyzes traffic patterns of Internet facing virtual machines and provides network security group rule recommendations to reduce the potential attack surface. Additionally, this blueprint also assigns policy definitions that monitor unprotected endpoints, applications, and storage accounts. Endpoints and applications that aren’t protected by a firewall, and storage accounts with unrestricted access can allow unintended access to information contained within the information system.

  • Network Security Group Rules for Internet facing virtual machines should be hardened
  • Access through Internet facing endpoint should be restricted
  • The NSGs rules for web applications on IaaS should be hardened
  • Audit unrestricted network access to storage accounts

SC-7 (3) Boundary Protection | Access Points

Just-in-time (JIT) virtual machine access locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. JIT virtual machine access helps you limit the number of external connections to your resources in Azure. This control helps you monitor virtual machines that can support just-in-time access but have not yet been configured.

  • Just-In-Time network access control should be applied on virtual machines

SC-7 (4) Boundary Protection | External Telecommunications Services

Just-in-time (JIT) virtual machine access locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. JIT virtual machine access helps you manage exceptions to your traffic flow policy by facilitating the access request and approval processes. This control helps you monitor virtual machines that can support just-in-time access but have not yet been configured.

  • Just-In-Time network access control should be applied on virtual machines

SC-8 (1) Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection

This control helps you protect the confidential and integrity of transmitted information by monitoring cryptographic mechanism implemented for communications protocols. Ensuring communications are properly encrypted can help you meet your organization’s requirements or protecting information from unauthorized disclosure and modification.

  • API App should only be accessible over HTTPS
  • Audit Windows web servers that are not using secure communication protocols
  • Function App should only be accessible over HTTPS
  • Only secure connections to your Redis Cache should be enabled
  • Secure transfer to storage accounts should be enabled
  • Web Application should only be accessible over HTTPS

SC-28 (1) Protection of Information at Rest | Cryptographic Protection

This control helps you enforce your policy on the use of cryptograph controls to protect information at rest by auditing specific cryptograph controls and audit use of weak cryptographic settings. Understanding where your Azure resources may have non-optimal cryptographic configurations can help you take corrective actions to ensure resources are configured in accordance with your information security policy.

  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers
  • Disk encryption should be applied on virtual machines
  • Require encryption on Data Lake Store accounts
  • Transparent Data Encryption on SQL databases should be enabled

SI-2 Flaw Remediation

This control helps you manage information system flaws by monitoring missing system updates, operating system vulnerabilities, SQL vulnerabilities, and virtual machine vulnerabilities in Azure Security Center. Azure Security Center provides reporting capabilities that enable you to have real-time insight into the security state of deployed Azure resources.

  • Require automatic OS image patching on Virtual Machine Scale Sets
  • System updates on virtual machine scale sets should be installed
  • System updates should be installed on your virtual machines
  • Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
  • Vulnerabilities in security configuration on your virtual machines should be remediated
  • Vulnerabilities on your SQL databases should be remediated
  • Vulnerabilities should be remediated by a Vulnerability Assessment solution

SI-3 Malicious Code Protection

This control helps you manage endpoint protection, including malicious code protection, by auditing for missing endpoint protection on virtual machines in Azure Security Center.

  • Endpoint protection solution should be installed on virtual machine scale sets
  • Monitor missing Endpoint Protection in Azure Security Center

SI-3 (1) Malicious Code Protection | Central Management

This control helps you manage endpoint protection, including malicious code protection, by auditing for missing endpoint protection on virtual machines in Azure Security Center. Azure Security Center provides centralized management and reporting capabilities that enable you to have real-time insight into the security state of deployed Azure resources.

  • Endpoint protection solution should be installed on virtual machine scale sets
  • Monitor missing Endpoint Protection in Azure Security Center

SI-4 Information System Monitoring

This control helps you monitor your system by auditing logging and data security across Azure resources. Specifically, the control audits the deployment of the Log Analytics agent, and enhanced security settings for SQL databases, storage accounts and network resources. These capabilities can help you detect anomalous behavior and indicators of attacks so you can take appropriate action.

  • Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
  • Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
  • Audit Log Analytics Workspace for VM – Report Mismatch
  • Advanced data security should be enabled on your managed instances
  • Advanced data security should be enabled on your SQL servers

SI-4 (18) Information System Monitoring | Analyze Traffic / Covert Exfiltration

Advanced Threat Protection for Azure Storage detects unusual and potentially harmful attempts to access or exploit storage accounts. Protection alerts include anomalous access patterns, anomalous extracts/uploads, and suspicious storage activity. These indicators can help you detect covert exfiltration of information.

  • Audit the deployment of Advanced Threat Protection on Storage Accounts