Security Control: Governance and strategy

Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, unified technical strategy, and supporting policies and standards.

GS-1: Align organization roles, responsibilities and accountabilities

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
14.9 PL-9, PM-10, PM-13, AT-1, AT-3 2.4

General guidance: Ensure that you define and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educate everyone on the shared responsibility model, and educate technical teams on technology to secure the cloud.

Implementation and additional context:

Customer security stakeholders (Learn more):

GS-2: Define and implement enterprise segmentation/separation of duties strategy

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
3.12 AC-4, SC-7, SC-2 1.2, 6.4

General guidance: Establish an enterprise-wide strategy to segment access to assets using a combination of identity, network, application, subscription, management group, and other controls.

Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.

Ensure that the segmentation strategy is implemented consistently in the workload, including network security, identity and access models, and application permission/access models, and human process controls.

Implementation and additional context:

Customer security stakeholders (Learn more):

GS-3: Define and implement data protection strategy

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
3.1, 3.7, 3.12 AC-4, SI-4, SC-8, SC-12, SC-17, SC-28, RA-2 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 4.1, A3.2

General guidance: Establish an enterprise-wide strategy for data protection in your cloud environment:

  • Define and apply the data classification and protection standard in accordance with the enterprise data management standard and regulatory compliance to dictate the security controls required for each level of the data classification.
  • Set up your cloud resource management hierarchy aligned to the enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.
  • Define and apply the applicable zero-trust principles in your cloud environment to avoid implementing trust based on network location within a perimeter. Instead, use device and user trust claims to gate access to data and resources.
  • Track and minimize the sensitive data footprint (storage, transmission, and processing) across the enterprise to reduce the attack surface and data protection cost. Consider techniques such as one-way hashing, truncation, and tokenization in the workload where possible, to avoid storing and transmitting sensitive data in its original form.
  • Ensure you have a full lifecycle control strategy to provide security assurance of the data and access keys.

Implementation and additional context:

Customer security stakeholders (Learn more):

GS-4: Define and implement network security strategy

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
12.2, 12.4 AC-4, AC-17, CA-3, CM-1, CM-2, CM-6, CM-7, SC-1, SC-2, SC-5, SC-7, SC-20, SC-21, SI-4 1.1, 1.2, 1.3, 1.5, 4.1, 6.6, 11.4, A2.1, A2.2, A2.3, A3.2

General guidance: Establish a cloud network security strategy as part of your organization’s overall security strategy for access control. This strategy should include documented guidance, policy, and standards for the following elements:

  • Design a centralized/decentralized network management and security responsibility model to deploy and maintain network resources.
  • A virtual network segmentation model aligned with the enterprise segmentation strategy.
  • An Internet edge and ingress and egress strategy.
  • A hybrid cloud and on-premises interconnectivity strategy.
  • A network monitoring and logging strategy.
  • Up-to-date network security artifacts (such as network diagrams, reference network architecture).

Implementation and additional context:

Customer security stakeholders (Learn more):

GS-5: Define and implement security posture management strategy

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
4.1, 4.2 CA-1, CA-8, CM-1, CM-2, CM-6, RA-1, RA-3, RA-5, SI-1, SI-2, SI-5 1.1, 1.2, 2.2, 6.1, 6.2, 6.5, 6.6, 11.2, 11.3, 11.5

General guidance: Establish a policy, procedure and standard to ensure the security configuration management and vulnerability management are in place in your cloud security mandate.

The security configuration management in cloud should include the following areas:

  • Define the secure configuration baselines for different resource types in the cloud, such as the web portal/console, management and control plane, and resources running in the IaaS, PaaS and SaaS services.
  • Ensure the security baselines address the risks in different control areas such as network security, identity management, privileged access, data protection and so on.
  • Use tools to continuously measure, audit, and enforce the configuration to prevent configuration deviating from the baseline.
  • Develop a cadence to stay updated with security features, for instance, subscribe to the service updates.
  • Utilize a security health or compliance check mechanism (such as Secure Score, Compliance Dashboard in Microsoft Defender for Cloud) to regularly review security configuration posture and remediate the gaps identified.

The vulnerability management in the cloud should include the following security aspects:

  • Regularly assess and remediate vulnerabilities in all cloud resource types, such as cloud native services, operating systems, and application components.
  • Use a risk-based approach to prioritize assessment and remediation.
  • Subscribe to the relevant CSPM's security advisory notices and blogs to receive the latest security updates.
  • Ensure the vulnerability assessment and remediation (such as schedule, scope, and techniques) meet the compliance requirements for your organization.dule, scope, and techniques) meet the regularly compliance requirements for your organization.

Implementation and additional context:

Customer security stakeholders (Learn more):

GS-6: Define and implement identity and privileged access strategy

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
5.6, 6.5, 6.7 AC-1, AC-2, AC-3, AC-4, AC-5, AC-6, IA-1, IA-2, IA-4, IA-5, IA-8, IA-9, SI-4 7.1, 7.2, 7.3, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, A3.4

General guidance: Establish a cloud identity and privileged access approach as part of your organization’s overall security access control strategy. This strategy should include documented guidance, policy, and standards for the following aspects:

  • Centralized identity and authentication system (such as Azure AD) and its interconnectivity with other internal and external identity systems
  • Privileged identity and access governance (such as access request, review and approval)
  • Privileged accounts in emergency (break-glass) situation
  • Strong authentication (passwordless authentication and multifactor authentication) methods in different use cases and conditions.
  • Secure access by administrative operations through web portal/console, command-line and API.

For exception cases, where an enterprise system isn’t used, ensure adequate security controls are in place for identity, authentication and access management, and governed. These exceptions should be approved and periodically reviewed by the enterprise team. These exceptions are typically in cases such as:

  • Use of a non-enterprise designated identity and authentication system, such as cloud-based third-party systems (may introduce unknown risks)
  • Privileged users authenticated locally and/or use non-strong authentication methods

Implementation and additional context:

Customer security stakeholders (Learn more):

GS-7: Define and implement logging, threat detection and incident response strategy

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
8.1, 13.1, 17.2, 17.4,17.7 AU-1, IR-1, IR-2, IR-10, SI-1, SI-5 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 12.10, A3.5

General guidance: Establish a logging, threat detection and incident response strategy to rapidly detect and remediate threats and meet compliance requirements. Security operations (SecOps / SOC) team should prioritize high quality alerts and seamless experiences so that they can focus on threats rather than log integration and manual steps. This strategy should include documented policy, procedure and standards for the following aspects:

  • The security operations (SecOps) organization's role and responsibilities
  • A well-defined and regularly tested incident response plan and handling process aligning with NIST SP 800-61 (Computer Security Incident Handling Guide) or other industry frameworks.
  • Communication and notification plan with your customers, suppliers, and public parties of interest.
  • Simulate both expected and unexpected security events within your cloud environment to understand the effectiveness of your preparation. Iterate on the outcome of your simulation to improve the scale of your response posture, reduce time to value, and further reduce risk.
  • Preference of using extended detection and response (XDR) capabilities, such as Azure Defender capabilities, to detect threats in various areas.
  • Use of cloud native capability (e.g., as Microsoft Defender for Cloud) and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication.
  • Prepare the necessary runbooks, both manual and automated, to ensure reliable and consistent responses.
  • Define key scenarios (such as threat detection, incident response, and compliance) and set up log capture and retention to meet the scenario requirements.
  • Centralized visibility of and correlation information about threats, using SIEM, native cloud threat detection capability, and other sources.
  • Post-incident activities, such as lessons learned and evidence retention.

Implementation and additional context:

Customer security stakeholders (Learn more):

GS-8: Define and implement backup and recovery strategy

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
11.1  CP-1, CP-9, CP-10 3.4

General guidance: Establish a backup and recovery strategy for your organization. This strategy should include documented guidance, policy, and standards in the following aspects:

  • Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives, and regulatory compliance requirements.
  • Redundancy design (including backup, restore and replication) in your applications and infrastructure for both in cloud and on-premises. Consider regional, region-pairs, cross-regional recovery and off-site storage location as part of your strategy.
  • Protection of backup from unauthorized access and tempering using controls such as data access control, encryption and network security.
  • Use of backup and recovery to mitigate the risks from emerging threats, such as ransomware attacks. And also secure the backup and recovery data itself from these attacks.
  • Monitoring the backup and recovery data and operations for audit and alerting purposes.

Implementation and additional context:

Customer security stakeholders (Learn more):

GS-9: Define and implement endpoint security strategy

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
4.4, 10.1 SI-2, SI-3, SC-3 5.1, 5.2, 5.3, 5.4, 11.5

General guidance: Establish a cloud endpoint security strategy which includes the following aspects:- Deploy the endpoint detection and response and anti-malware capability into your endpoint and integrate with the threat detection and SIEM solution and the security operations process.

  • Follow the Microsoft Cloud Security Benchmark to ensure endpoint related security settings in other respective areas (such as network security, posture vulnerability management, identity and privileged access, and logging and threat detections) are also in place to provide a defense-in-depth protection for your endpoint.
  • Prioritize the endpoint security in your production environment but ensure that non-production environments (such as test and build environment used in the DevOps process) are also secured and monitored, as these environments can also be used to introduce malware and vulnerabilities into the production environment.

Implementation and additional context:

Customer security stakeholders (Learn more):

GS-10: Define and implement DevOps security strategy

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
4.1, 4.2, 16.1, 16.2 SA-12, SA-15, CM-1, CM-2, CM-6, AC-2, AC-3, AC-6, SA-11, AU-6, AU-12, SI-4 2.2, 6.1, 6.2, 6.3, 6.5, 7.1, 10.1, 10.2, 10.3, 10.6, 12.2

General guidance: Mandate the security controls as part of the organization’s DevOps engineering and operation standard. Define the security objectives, control requirements, and tooling specifications in accordance with enterprise and cloud security standards in your organization.

Encourage the use of DevOps as an essential operating model in your organization for its benefits in rapidly identifying and remediating vulnerabilities using different type of automations (such as infrastructure as code provision, and automated SAST and DAST scan) throughout the CI/CD workflow. This ‘shift left’ approach also increases visibility and ability to enforce consistent security checks in your deployment pipeline, effectively deploying security guardrails into the environment ahead of time to avoid last minute security surprises when deploying a workload into production.

When shifting security controls left into the pre-deployment phases, implement security guardrails to ensure the controls are deployed and enforced throughout your DevOps process. This technology could include resource deployment templates (such as Azure ARM template) to define guardrails in the IaC (infrastructure as code), resource provisioning and audit to restrict which services or configurations can be provisioned into the environment.

For the run-time security controls of your workload, follow the Microsoft Cloud Security Benchmark to design and implement effective the controls, such as identity and privileged access, network security, endpoint security, and data protection inside your workload applications and services.

Implementation and additional context:

GS-11: Define and implement multi-cloud security strategy

CIS Controls v8 ID(s) NIST SP 800-53 r4 ID(s) PCI-DSS ID(s) v3.2.1
N/A N/A N/A

General guidance: Ensure a multi-cloud strategy is defined in your cloud and security governance, risk management, and operation process which should include the following aspects:

  • Multi-cloud adoption: For organizations that operate multi-cloud infrastructure and Educate your organization to ensure teams understand the feature difference between the cloud platforms and technology stack. Build, deploy, and/or migrate solutions that are portable. Allow for ease of movement between cloud platforms with minimum vendor lock-in while utilizing cloud native features adequately for the optimal result from the cloud adoption.
  • Cloud and security operations: Streamline security operations to support the solutions across each cloud, through a central set of governance and management processes which share common operations processes, regardless of where the solution is deployed and operated.
  • Tooling and technology stack: Choose the appropriate tooling that supports multi-cloud environment to help with establishing unified and centralized management platforms which may include all the security domains discussed in this security benchmark.

Implementation and additional context: