Security Control v3: Governance and strategy

Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, unified technical strategy, and supporting policies and standards.

GS-1: Align organization roles, responsibilities and accountabilities

CIS Controls v8 ID(s): 14.9
NIST SP 800-53 r4 ID(s): PL-9, PM-10, PM-13, AT-1, AT-3
PCI-DSS v3.2.1 ID(s): 2.4

Azure Guidance: Ensure that you define and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educating technical teams on the technology used to secure the cloud.

Implementation and additional context:

Customer Security Stakeholders (Learn more):

GS-2: Define and implement enterprise segmentation/separation of duties strategy

CIS Controls v8 ID(s): 3.12
NIST SP 800-53 r4 ID(s): AC-4, SC-7, SC-2
PCI-DSS v3.2.1 ID(s): 1.2, 6.4

Azure Guidance: Establish an enterprise-wide strategy to segment access to assets using a combination of identity, network, application, subscription, management group, and other controls.

Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.

Ensure that the segmentation strategy is implemented consistently in the workload, including network security, identity and access models, application permission/access models, and human process controls.

Implementation and additional context:

Customer Security Stakeholders (Learn more):

GS-3: Define and implement data protection strategy

CIS Controls v8 ID(s): 3.1, 3.7, 3.12
NIST SP 800-53 r4 ID(s): AC-4, SI-4, SC-8, SC-12, SC-17, SC-28, RA-2
PCI-DSS v3.2.1 ID(s): 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 4.1, A3.2

Azure Guidance: Establish an enterprise-wide strategy for data protection in Azure:

  • Define and apply the data classification and protection standard in accordance with the enterprise data management standard and regulatory compliance to dictate the security controls required for each level of the data classification.
  • Set up your cloud resource management hierarchy aligned to the enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.
  • Define and apply the applicable zero-trust principles in your cloud environment to avoid implementing trust based on network location within a perimeter. Instead, use device and user trust claims to gate access to data and resources.
  • Track and minimize the sensitive data footprint (storage, transmission and processing) across the enterprise to reduce the attack surface and data protection cost. Consider techniques such as one-way hashing, truncation, and tokenization in the workload where possible, to avoid storing and transmitting sensitive data in its original form.
  • Ensure you have a full lifecycle control strategy to provide security assurance of the data and access keys.
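As an added example (not part of the Azure Security Benchmark and not Microsoft's code), the following Python applies the three footprint-reduction techniques named above to a constructed payment record: truncation to the last four digits, a one-way keyed hash that lets the workload recognise a repeat value without keeping it, and tokenization backed by a separately protected vault. The record, the HMAC key and the in-memory TokenVault class are all constructed for the demonstration; in a deployment the key and the token mapping would live in a managed secret store with its own access controls.

```python
"""Reduce the sensitive-data footprint of a workload with truncation, a
one-way keyed hash, and vault-backed tokenization.

Added example for this page; not Microsoft's code. The record, the key and
the vault below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets

# Constructed key for the keyed hash. In a deployment this is loaded from a
# managed secret store, never embedded in source.
HASH_KEY = b"constructed-demo-key-not-for-production"


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits of a card number; the rest is gone for good."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def keyed_hash(value: str, key: bytes = HASH_KEY) -> str:
    """One-way reference for matching or de-duplication without keeping the value.

    HMAC-SHA256 with a secret key is used rather than a bare SHA-256: a plain
    hash of a low-entropy input such as a 16-digit card number can be matched
    against a precomputed table; a keyed hash cannot be without the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: the workload keeps a random token; only the vault, which
    is stored and access-controlled separately, can map it back."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_value: dict[str, str] = {}  # one token per distinct value

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)  # carries no information about value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def minimise_record(record: dict, vault: TokenVault) -> dict:
    """Return the representation the workload is allowed to store and transmit:
    no original card number, only derived fields."""
    pan = record["card_number"]
    return {
        "customer_id": record["customer_id"],
        "card_last4": truncate_pan(pan),      # for display and support
        "card_ref": keyed_hash(pan),          # for matching repeat use of a card
        "card_token": vault.tokenize(pan),    # for later use via the vault
        "amount": record["amount"],
    }


# Constructed sample record (the card number is a well-known test value).
SAMPLE_RECORD = {"customer_id": "c-1001", "card_number": "4111 1111 1111 1111", "amount": 42.50}

if __name__ == "__main__":
    vault = TokenVault()
    stored = minimise_record(SAMPLE_RECORD, vault)
    print(stored)
    print("vault resolves token back to the original:",
          vault.detokenize(stored["card_token"]) == SAMPLE_RECORD["card_number"])
```

The stored record contains nothing from which the original number can be recovered without either the HMAC key or the vault, which is what moves those two assets, rather than every database row, into the scope of the "full lifecycle control" bullet above.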

Implementation and additional context:

Customer Security Stakeholders (Learn more):

GS-4: Define and implement network security strategy

CIS Controls v8 ID(s): 12.2, 12.4
NIST SP 800-53 r4 ID(s): AC-4, AC-17, CA-3, CM-1, CM-2, CM-6, CM-7, SC-1, SC-2, SC-5, SC-7, SC-20, SC-21, SI-4
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3, 1.5, 4.1, 6.6, 11.4, A2.1, A2.2, A2.3, A3.2

Azure Guidance: Establish an Azure network security strategy as part of your organization's overall security strategy for access control. This strategy should include documented guidance, policy, and standards for the following elements:

  • A centralized/decentralized network management and security responsibility model for deploying and maintaining network resources.
  • A virtual network segmentation model aligned with the enterprise segmentation strategy.
  • An Internet edge and ingress and egress strategy.
  • A hybrid cloud and on-premises interconnectivity strategy.
  • A network monitoring and logging strategy.
  • Up-to-date network security artifacts (such as network diagrams and a reference network architecture).

Implementation and additional context:

Customer Security Stakeholders (Learn more):

GS-5: Define and implement security posture management strategy

CIS Controls v8 ID(s): 4.1, 4.2
NIST SP 800-53 r4 ID(s): CA-1, CA-8, CM-1, CM-2, CM-6, RA-1, RA-3, RA-5, SI-1, SI-2, SI-5
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 2.2, 6.1, 6.2, 6.5, 6.6, 11.2, 11.3, 11.5

Azure Guidance: Establish a policy, procedure and standard to ensure that security configuration management and vulnerability management are part of your cloud security mandate.

Security configuration management in Azure should cover the following areas:

  • Define the secure configuration baselines for different resource types in the cloud, such as the Azure portal, management and control plane, and resources running in the IaaS, PaaS and SaaS services.
  • Ensure the security baselines address the risks in different control areas such as network security, identity management, privileged access, data protection and so on.
  • Use tools to continuously measure, audit, and enforce the configuration to prevent configuration deviating from the baseline.
  • Develop a cadence to stay up to date with Azure security features, for instance by subscribing to the service updates.
  • Utilize Secure Score in Azure Defender for Cloud to regularly review Azure's security configuration posture and remediate the gaps identified.

Vulnerability management in Azure should include the following aspects:

  • Regularly assess and remediate vulnerabilities in all cloud resource types, such as Azure native services, operating systems, and application components.
  • Use a risk-based approach to prioritize assessment and remediation.
  • Subscribe to the relevant Microsoft / Azure security advisory notices and blogs to receive the latest security updates about Azure.
  • Ensure the vulnerability assessment and remediation (such as schedule, scope, and techniques) meet the regulatory compliance requirements for your organization.

Implementation and additional context:

Customer Security Stakeholders (Learn more):

GS-6: Define and implement identity and privileged access strategy

CIS Controls v8 ID(s): 5.6, 6.5, 6.7
NIST SP 800-53 r4 ID(s): AC-1, AC-2, AC-3, AC-4, AC-5, AC-6, IA-1, IA-2, IA-4, IA-5, IA-8, IA-9, SI-4
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 7.3, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, A3.4

Azure Guidance: Establish an Azure identity and privileged access approach as part of your organization's overall security access control strategy. This strategy should include documented guidance, policy, and standards for the following aspects:

  • Centralized identity and authentication system (Azure AD) and its interconnectivity with other internal and external identity systems
  • Privileged identity and access governance (such as access request, review and approval)
  • Privileged accounts in emergency (break-glass) situation
  • Strong authentication (passwordless authentication and multifactor authentication) methods in different use cases and conditions
  • Secure access for administrative operations through the Azure portal, CLI and API.

For exception cases, where an enterprise system isn't used, ensure adequate security controls are in place for identity, authentication and access management, and governance. These exceptions should be approved and periodically reviewed by the enterprise team. These exceptions are typically in cases such as:

  • Use of a non-enterprise designated identity and authentication system, such as cloud-based third-party systems (may introduce unknown risks)
  • Privileged users authenticated locally and/or using non-strong authentication methods

Implementation and additional context:

Customer Security Stakeholders (Learn more):

GS-7: Define and implement logging, threat detection and incident response strategy

CIS Controls v8 ID(s): 8.1, 13.1, 17.2, 17.4, 17.7
NIST SP 800-53 r4 ID(s): AU-1, IR-1, IR-2, IR-10, SI-1, SI-5
PCI-DSS v3.2.1 ID(s): 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 12.10, A3.5

Azure Guidance: Establish a logging, threat detection and incident response strategy to rapidly detect and remediate threats and to meet compliance requirements. The security operations (SecOps/SOC) team should prioritize high-quality alerts and seamless experiences so that it can focus on threats rather than on log integration and manual steps.

This strategy should include documented policy, procedure and standards for the following aspects:

  • The security operations (SecOps) organization's role and responsibilities
  • A well-defined and regularly tested incident response plan and handling process aligning with NIST or other industry frameworks.
  • Communication and notification plan with your customers, suppliers, and public parties of interest.
  • Preference for using extended detection and response (XDR) capabilities, such as Azure Defender, to detect threats across the various areas.
  • Use of Azure native capability (e.g., Microsoft Defender for Cloud) and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication.
  • Define key scenarios (such as threat detection, incident response, and compliance) and set up log capture and retention to meet the scenario requirements.
  • Centralized visibility of, and correlation of information about, threats, using SIEM, native Azure threat detection capability, and other sources.
  • Post-incident activities, such as lessons learned and evidence retention.

Implementation and additional context:

Customer Security Stakeholders (Learn more):

GS-8: Define and implement backup and recovery strategy

CIS Controls v8 ID(s): 11.1
NIST SP 800-53 r4 ID(s): CP-1, CP-9, CP-10
PCI-DSS v3.2.1 ID(s): 3.4

Azure Guidance: Establish an Azure backup and recovery strategy for your organization. This strategy should include documented guidance, policy, and standards for the following aspects:

  • Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives, and regulatory compliance requirements.
  • Redundancy design (including backup, restore and replication) in your applications and infrastructure, both in the cloud and on-premises. Consider regional, region-pair, cross-regional recovery and off-site storage locations as part of your strategy.
  • Protection of backups from unauthorized access and tampering using controls such as data access control, encryption and network security.
  • Use of backup and recovery to mitigate the risks from emerging threats, such as ransomware attacks, and protection of the backup and recovery data itself from these attacks.
  • Monitoring the backup and recovery data and operations for audit and alerting purposes.

Implementation and additional context:

Customer Security Stakeholders (Learn more):

GS-9: Define and implement endpoint security strategy

CIS Controls v8 ID(s): 4.4, 10.1
NIST SP 800-53 r4 ID(s): SI-2, SI-3, SC-3
PCI-DSS v3.2.1 ID(s): 5.1, 5.2, 5.3, 5.4, 11.5

Azure Guidance: Establish a cloud endpoint security strategy that includes the following aspects:

  • Deploy endpoint detection and response (EDR) and antimalware capabilities on your endpoints, and integrate them with the threat detection and SIEM solution and the security operations process.
  • Follow the Azure Security Benchmark to ensure that endpoint-related security settings in the other respective areas (such as network security, posture and vulnerability management, identity and privileged access, and logging and threat detection) are also in place, providing defense-in-depth protection for your endpoints.
  • Prioritize endpoint security in your production environment, but ensure that non-production environments (such as the test and build environments used in the DevOps process) are also secured and monitored, as these environments can also be used to introduce malware and vulnerabilities into production.

Implementation and additional context:

Customer Security Stakeholders (Learn more):

GS-10: Define and implement DevOps security strategy

CIS Controls v8 ID(s): 4.1, 4.2, 16.1, 16.2
NIST SP 800-53 r4 ID(s): SA-12, SA-15, CM-1, CM-2, CM-6, AC-2, AC-3, AC-6, SA-11, AU-6, AU-12, SI-4
PCI-DSS v3.2.1 ID(s): 2.2, 6.1, 6.2, 6.3, 6.5, 7.1, 10.1, 10.2, 10.3, 10.6, 12.2

Azure Guidance: Mandate the security controls as part of the organization's DevOps engineering and operation standard. Define the security objectives, control requirements, and tooling specifications in accordance with enterprise and cloud security standards in your organization.

Encourage the use of DevOps as an essential operating model in your organization for its benefits in rapidly identifying and remediating vulnerabilities using different types of automation (such as infrastructure-as-code provisioning and automated SAST and DAST scans) throughout the CI/CD workflow. This 'shift left' approach also increases visibility and the ability to enforce consistent security checks in your deployment pipeline, effectively deploying security guardrails into the environment ahead of time to avoid last-minute security surprises when deploying a workload into production.

When shifting security controls left into the pre-deployment phases, implement security guardrails to ensure the controls are deployed and enforced throughout your DevOps process. Such technology could include Azure Resource Manager (ARM) templates to define guardrails in infrastructure as code (IaC) and resource provisioning, and Azure Policy to audit and restrict which services or configurations can be provisioned into the environment.
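As an added example of the pre-deployment guardrail idea described here, and of the "measure, audit, and enforce the configuration" bullet under GS-5 (not Microsoft's code and not Azure Policy itself), the following Python evaluates rules written in the Azure Policy "if"/"then" shape against the resources of an ARM template, so that a CI step can fail a non-compliant template before anything is provisioned. The template, the three guardrails and the field-alias resolution are all constructed and simplified: real Azure Policy supports many more operators, and the service resolves aliases itself rather than by the string-prefix matching used here.

```python
"""Pre-deployment guardrail check: evaluate rules written in the Azure
Policy "if"/"then" shape against the resources of an ARM template.

Added example for this page; not Microsoft's code and not Azure Policy.
A simplified local evaluator meant to run as a CI step. Template,
guardrails and alias resolution are all constructed for the demonstration.
"""
import json

# Constructed ARM template: one compliant storage account, one that allows
# public blob access with an old TLS floor, and a VNet in a disallowed region.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-09-01",
     "name": "stgood001", "location": "westeurope",
     "properties": {"allowBlobPublicAccess": false, "minimumTlsVersion": "TLS1_2"}},
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-09-01",
     "name": "stpublic002", "location": "westeurope",
     "properties": {"allowBlobPublicAccess": true, "minimumTlsVersion": "TLS1_0"}},
    {"type": "Microsoft.Network/virtualNetworks", "apiVersion": "2021-05-01",
     "name": "vnet-wrong-region", "location": "eastus",
     "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}}
  ]
}
""")

# Constructed guardrails in the Azure Policy rule shape; field aliases follow
# Azure's "<resource type>/<property path>" convention.
GUARDRAILS = [
    {"name": "allowed-locations",
     "if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
     "then": {"effect": "deny"}},
    {"name": "storage-no-public-blob-access",
     "if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": False}]},
     "then": {"effect": "deny"}},
    {"name": "storage-tls12-minimum",
     "if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"}]},
     "then": {"effect": "deny"}},
]


def resolve_field(resource: dict, field: str):
    """Read a policy 'field' from a resource: top-level names directly, an alias
    by stripping the resource type and walking the rest under 'properties'.
    A missing property resolves to None, so a 'notEquals' guardrail treats an
    unset property as non-compliant (the conservative choice)."""
    if field in ("type", "name", "location", "kind", "apiVersion"):
        return resource.get(field)
    rtype = resource.get("type", "")
    if not field.startswith(rtype + "/"):
        return None
    value = resource.get("properties", {})
    for part in field[len(rtype) + 1:].split("/"):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def evaluate(condition: dict, resource: dict) -> bool:
    """True when the resource matches the condition, i.e. the rule fires."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    value = resolve_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "in" in condition:
        return value in condition["in"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    raise ValueError(f"unsupported condition: {condition}")


def check_template(template: dict, guardrails=GUARDRAILS) -> list:
    """Return (resource name, guardrail name, effect) for every firing rule."""
    findings = []
    for resource in template.get("resources", []):
        for rule in guardrails:
            if evaluate(rule["if"], resource):
                findings.append((resource["name"], rule["name"], rule["then"]["effect"]))
    return findings


def has_blocking_findings(findings: list) -> bool:
    """A single 'deny' is enough to fail the pipeline stage."""
    return any(effect == "deny" for _, _, effect in findings)


if __name__ == "__main__":
    results = check_template(SAMPLE_TEMPLATE)
    for name, rule, effect in results:
        print(f"{effect.upper():5} {name}: violates {rule}")
    raise SystemExit(1 if has_blocking_findings(results) else 0)
```

Run as a pipeline step, the non-zero exit code stops the deployment at the template stage. A check like this complements, rather than replaces, Azure Policy assigned at the subscription or management group level: the template check only sees what goes through the pipeline, while the service-side policy also covers resources created or changed through the portal, CLI or API.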

For the run-time security controls of your workload, follow the Azure Security Benchmark to design and implement effective controls, such as identity and privileged access, network security, endpoint security, and data protection, inside your workload applications and services.

Implementation and additional context:

Customer Security Stakeholders (Learn more):