What you must know about CIS Benchmarks for Microsoft Azure

CloudDefense.AI
2 min read · Sep 25, 2023


The Center for Internet Security (CIS) is a cybersecurity organization that sets standards for various internet-connected technologies. One crucial area of focus is cloud platforms, with Microsoft Azure being a prominent player. Azure integrates well with Microsoft technologies like Windows Server and Active Directory.

For organizations utilizing CloudDefense.AI’s CSPM (Cloud Security Posture Management), it’s essential to recognize that the cloud represents a significant potential cyber attack surface, especially given the ever-evolving threat landscape. To enhance Azure security, it’s advisable to regularly assess configurations against the CIS Benchmarks. You can request these benchmarks from CIS via their website, and they will provide you with a PDF containing the relevant recommendations. In essence, this approach helps ensure that your Azure environment remains secure and aligned with industry best practices.

Here are five key areas covered by CIS Benchmarks for Microsoft Azure:

  1. Identity and Access Management (IAM): Strengthen your IAM settings by enabling Security Defaults, implementing Multi-Factor Authentication (MFA) for users, disabling the “remember MFA” option, and enforcing MFA policies for Administrative Groups and All Users. Define trusted locations, restrict Azure AD Tenant creation, review guest users, and notify users on password resets. Adjust permissions settings to limit application registration and security group creation.
  2. Microsoft Defender: Utilize Microsoft Defender to protect Azure infrastructure from malware and cyber threats. Ensure active scanning across the various Azure components and confirm that system updates are applied. Enable essential resources such as the Log Analytics agent and Vulnerability assessment. Configure roles and severity levels for effective threat detection.
  3. Storage Accounts: Secure storage accounts by enforcing secure transfers, enabling infrastructure encryption, and setting up key rotation reminders. Allow authorized access for Azure services and enable Soft Delete for recovery. Implement storage logging, set the Minimum TLS version to 1.2, and default Network Access Rules to deny.
  4. Networking: Evaluate and restrict RDP, SSH, UDP, and HTTP(S) access from the internet. Configure Network Security Group Flow Logs, set retention periods, and enable Network Watcher. Deploy Azure Bastion Host for secure remote access, use Managed Disks for VMs, encrypt disks, install approved extensions, and enable endpoint protection.
  5. Key Vault: Secure Key Vault by setting expiration dates for keys and secrets, enabling Role-Based Access Control, ensuring recoverability, using Private Endpoints, and enabling automatic key rotation. For App Service, use up-to-date versions, disable FTP deployments, store secrets in Key Vaults, and implement Azure AD registration and App Service Authentication. Apply resource locks to mission-critical resources.
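As an added example (not code from CloudDefense.AI or from CIS), the Storage Accounts checks in item 3 can be audited offline against the JSON that `az storage account show` returns; the sample account below is constructed, and the field names are assumed to match the Azure CLI output shape (`enableHttpsTrafficOnly`, `minimumTlsVersion`, `networkRuleSet`, `encryption`).

```python
"""Audit one Azure storage account's settings against the CIS Storage Account
recommendations listed in this post: secure transfer, minimum TLS 1.2, default
network rule Deny with trusted Azure services allowed, infrastructure encryption."""
import json

# Constructed sample in the shape of `az storage account show` output,
# deliberately showing the weak settings that the benchmark flags.
SAMPLE = json.loads("""{
  "name": "examplestorage",
  "enableHttpsTrafficOnly": false,
  "minimumTlsVersion": "TLS1_0",
  "networkRuleSet": {"defaultAction": "Allow", "bypass": "None"},
  "encryption": {"requireInfrastructureEncryption": false}
}""")

TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def audit_storage_account(acct: dict) -> list[str]:
    """Return the list of failed checks; an empty list means compliant."""
    failures = []
    if not acct.get("enableHttpsTrafficOnly", False):
        failures.append("secure transfer (HTTPS only) is not enforced")
    tls = acct.get("minimumTlsVersion", "TLS1_0")
    if TLS_RANK.get(tls, 0) < TLS_RANK["TLS1_2"]:
        failures.append(f"minimum TLS version is {tls} (need TLS1_2)")
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        failures.append("default network access rule is not Deny")
    if "AzureServices" not in (rules.get("bypass") or ""):
        failures.append("trusted Azure services are not allowed to bypass network rules")
    enc = acct.get("encryption") or {}
    if not enc.get("requireInfrastructureEncryption", False):
        failures.append("infrastructure (double) encryption is not enabled")
    return failures


def remediated(acct: dict) -> dict:
    """Return a copy with the target settings. Note: infrastructure encryption
    can only be chosen at account creation, so that one needs a new account."""
    fixed = json.loads(json.dumps(acct))
    fixed["enableHttpsTrafficOnly"] = True
    fixed["minimumTlsVersion"] = "TLS1_2"
    fixed["networkRuleSet"] = {"defaultAction": "Deny", "bypass": "AzureServices"}
    fixed.setdefault("encryption", {})["requireInfrastructureEncryption"] = True
    return fixed


if __name__ == "__main__":
    for label, acct in (("before", SAMPLE), ("after", remediated(SAMPLE))):
        print(label, audit_storage_account(acct) or "compliant")
```

Feed it the real CLI output with `az storage account show -n <name> -g <rg> -o json` to audit a live account the same way.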

Implementing these CIS Benchmark recommendations will significantly enhance the security of your Microsoft Azure environment. Keep in mind that cybersecurity is an ongoing process, requiring regular reviews and updates to adapt to evolving threats.


CloudDefense.AI

CloudDefense.AI is an industry-leading CNAPP platform that provides instant, 360-degree visibility and risk reduction for your cloud and applications.