MCSB – Compliance Management and Governance

MCSB serves as a valuable resource for enhancing the security of your workloads, data, and services within Azure and multi-cloud environments. It offers a comprehensive framework of best practices and recommendations to bolster your cloud security posture, drawing insights from Microsoft’s expertise and broader industry security guidance. The following diagram depicts how MCSB consolidates different frameworks (CIS, PCI DSS, and NIST) into a comprehensive security approach for a multi-cloud environment:

Figure 14.1 – MCSB (Source: https://learn.microsoft.com/en-us/security/benchmark/azure/overview)

Let us take a look at the key elements of MCSB.

Security controls

A security control serves as a broad and high-level description of a feature or action that requires attention, irrespective of the particular technology or implementation. These recommendations are relevant and can be applied across all your cloud workloads. They are crafted to assist you in implementing security measures in alignment with industry standards, including the likes of CIS Controls, NIST, PCI DSS, and more. For example, identity and access management (IAM) is one of the security control families. IAM contains specific actions that must be addressed to help ensure identity is protected.

Security baseline

A baseline involves applying a specific control to individual Azure services. Within this context, each organization defines its own benchmark recommendation, and Azure requires corresponding configurations to be implemented. These guidelines are tailored to specific workload types, encompassing areas such as computing, storage, networking, and identity management. They offer valuable insights on configuring your workloads securely.

Note

At the time of writing this section, Microsoft offers service baselines only for Azure.

The components that constitute MCSB include:

  • Cloud Adoption Framework: This section provides insights into the security aspect of your cloud journey. It covers various aspects such as strategy, defining roles and responsibilities, Azure’s top 10 security best practices, and even includes reference implementations.
  • Azure WAF (Well-Architected Framework, not to be confused with a web application firewall): Focusing on securing your workloads specifically within the Azure environment, this part of MCSB offers guidance on best practices.
  • Chief Information Security Officer (CISO) Workshop: For those aiming to modernize their security practices in line with Zero Trust principles, this section offers program guidance and reference strategies to accelerate the process.
  • Other Industry and Cloud Service Providers’ Standards: MCSB doesn’t exist in isolation. It takes into account established security best practices and frameworks from other industry leaders and cloud service providers (CSPs). Examples include AWS WAF (the AWS Well-Architected Framework), CIS Controls, NIST, and PCI DSS, among others.

Note

MCSB is the evolution of the Azure Security Benchmark (ASB), which underwent a rebranding in October 2022. Security recommendations offered by Microsoft’s CSPM solution, Defender for Cloud, are also completely integrated and aligned with MCSB.

You can conveniently access and download the MCSB recommendations in PDF or Excel format from the official Microsoft website, making it a valuable resource to help fortify your cloud security strategy. For more details, refer to https://learn.microsoft.com/en-us/security/benchmark/azure/overview.

Let us now look, at a very high level, at how an organization can adapt cloud governance.
