Wednesday, November 3, 2021

Announcing Azure Security Benchmark v3

On Tuesday we announced the availability of Azure Security Benchmark v3 as part of the Microsoft Defender for Cloud news at Ignite 2021. In this blog post we will recap the announcement and provide more details on the release.


Azure Security Benchmark (ASB) is widely used by organizations to meet security control requirements in Azure. ASB provides clear and concrete guidance on how to securely configure Azure resources to meet both security and compliance requirements. ASB often plays a key role in Azure onboarding, accelerating both the initial move to Azure and the ongoing onboarding and assessment of individual Azure cloud services.


ASB v3 highlights


Image 1: Azure Security Benchmark documentation and monitoring in the Microsoft Defender for Cloud portal


What’s new in ASB v3?

ASB as a harmonizing control framework

Customers often have to reconcile and harmonize multiple control frameworks when planning and evaluating their Azure environments to meet security and compliance requirements. This typically forces security teams to repeat the same evaluation process for each control framework, creating unnecessary overhead, cost, and effort. To address this concern, we have developed ASB to function as a harmonizing control framework that lets you work quickly with established standards in the context of a cloud environment, such as CIS Controls v8 and v7, NIST SP 800-53 Rev4, and PCI-DSS v3.2.1. Organizations can use ASB to consistently and easily evaluate their Azure deployments against these industry standards with minimal repeated work.

Image 2: Azure Security Benchmark Control Coverage


More in-depth guidance and new control categories

With the launch of ASB v3 we have fundamentally restructured our controls to provide customers with more granular and more actionable guidance by introducing Security Principles and Azure Guidance. Security Principles give you insight into the overall security objectives that build the foundation for our recommendations, while Azure Guidance is the technical “how-to” on meeting these objectives when implementing something in the cloud.



Image 3: Example of Azure Security Benchmark Control structure


In addition to refining all the existing controls for increased clarity and actionability, we have introduced brand new control categories. This brings the coverage of Azure Security Benchmark to a total of 85 controls, spanning 12 control domains. The new control categories include:

  • DevOps Security: As part of a shift-left strategy, we see many customers moving towards a “start secure and stay secure” mindset. We have added DevOps security as a control family in ASB v3 to help them better understand how to secure their DevOps infrastructure, as well as how to perform security validation earlier in the development lifecycle, so that they can start with secure application deployments from the get-go. The control recommendations also cover topics such as threat modeling and software supply chain security.
  • Key and certificate management: We added key and certificate management guidance to the Data Protection control family to ensure users understand key and certificate management best practices in Azure.

Continuous monitoring of ASB as part of Microsoft Defender for Cloud

Earlier this year, we announced ASB as the default security policy initiative for Microsoft Defender for Cloud. This enables you to view the state of your compliance relative to the benchmark controls in the Regulatory Compliance Dashboard, while also seeing the detailed impact on your Secure Score. With this launch, ASB v3 becomes the new default initiative in Microsoft Defender for Cloud, so you can start monitoring your environment against the latest controls.
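The compliance state shown in the Regulatory Compliance Dashboard is also queryable through Azure Resource Graph, which is how most teams automate evidence gathering rather than reading the portal. The query below is an added example, not part of the original post or Microsoft's published guidance; it uses the `securityresources` table and the regulatory compliance resource types exposed by Defender for Cloud, and it assumes the benchmark standard is exposed under the name `Azure-Security-Benchmark` (check `properties` and `id` on the `microsoft.security/regulatorycompliancestandards` rows in your own tenant before relying on that value):

```kusto
// Added example: per-control ASB compliance state from Azure Resource Graph.
// Assumed standard name: 'Azure-Security-Benchmark' (verify in your tenant).
securityresources
| where type == 'microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments'
| extend complianceStandard = extract(@'/regulatoryComplianceStandards/([^/]+)/', 1, id)
| extend complianceControl  = extract(@'/regulatoryComplianceControls/([^/]+)/', 1, id)
| where complianceStandard == 'Azure-Security-Benchmark'
| extend state           = tostring(properties.state),
         assessment      = tostring(properties.description),
         failedResources = toint(properties.failedResources),
         passedResources = toint(properties.passedResources),
         skippedResources = toint(properties.skippedResources)
// Roll individual assessments up to the control level, the way the dashboard does.
| summarize failedAssessments = countif(state == 'Failed'),
            passedAssessments = countif(state == 'Passed'),
            failedResources   = sum(failedResources),
            passedResources   = sum(passedResources),
            skippedResources  = sum(skippedResources)
          by subscriptionId, complianceControl
// Controls with any failing assessment need attention first.
| where failedAssessments > 0
| order by failedResources desc, complianceControl asc
```

Run it from the Resource Graph Explorer blade or with `az graph query -q "<query>"` (the `resource-graph` CLI extension). Because the rows are per subscription, the same query scoped to a management group gives a fleet-wide view of which benchmark controls fail most often, which is a useful input when prioritising the enforcement work described under What's next.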


What’s next?

  • Azure Security Baselines based on ASB v3: So far, we have published security baselines for 95+ Azure services based on ASB v1 and v2. These baselines provide service-specific guidance on how you can meet the Benchmark requirements for a particular service. Azure customers today use these baselines as part of their cloud service assessment process. In the upcoming months, we will be updating these baselines and adding more service baselines in a new and easy-to-use format based on ASB v3 controls.
  • Enhanced monitoring of ASB v3 controls in Microsoft Defender for Cloud: Additional assessments will be added to the Azure Security Benchmark v3 policy set to provide more comprehensive monitoring coverage for ASB controls in Microsoft Defender for Cloud. Until those assessments land, some of the new v3 controls will have no automated check behind them, so do not read a green dashboard as full v3 coverage. We are also working on a growing set of compliance management and evidence gathering capabilities that will help you manage ASB requirements more completely within the Microsoft Defender for Cloud portal.
  • Enforcing Benchmark recommendations: We are currently working on providing customers a simplified way to enforce the Benchmark recommendations and meet the needs of running a start secure and stay secure model. Today you can use Enterprise-scale landing zones to implement the Benchmark recommendations.
  • New control frameworks: We are continuously adding new control frameworks to our mapping, with the Cybersecurity Maturity Model Certification (CMMC) v1.0 and Cloud Security Alliance Cloud Control Matrix (CSA CCM) currently on our list. If you would like us to add other frameworks that matter to your organization, please reach out directly and let us know.


Get started today

If you would like to help us improve the benchmark or provide feedback, please send us an email.


