compliance controls are associated with this Policy definition 'Azure SQL Database should be running TLS version 1.2 or newer' (32e6bbec-16b6-44c2-be37-c5b672d103cf)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| ACAT_Security_Policies |
|
ACAT_Security_Policies |
ACAT Security Policies |
Guidelines for M365 Certification |
Protecting systems and resources
|
Shared |
n/a |
Ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. |
link |
24 |
| Azure_Security_Benchmark_v3.0 |
DP-3 |
Azure_Security_Benchmark_v3.0_DP-3 |
Microsoft cloud security benchmark DP-3 |
Data Protection |
Encrypt sensitive data in transit |
Shared |
**Security Principle:**
Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks.
**Azure Guidance:**
Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in.
Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol.
Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default.
**Implementation and additional context:**
Double encryption for Azure data in transit:
https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit
Understand encryption in transit with Azure:
https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security:
https://docs.microsoft.com/security/engineering/solving-tls1-problem
Enforce secure transfer in Azure storage:
https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account |
n/a |
link |
14 |
| Azure_Security_Benchmark_v3.0 |
IM-4 |
Azure_Security_Benchmark_v3.0_IM-4 |
Microsoft cloud security benchmark IM-4 |
Identity Management |
Authenticate server and services |
Shared |
**Security Principle:**
Authenticate remote servers and services from your client side to ensure you are connecting to trusted server and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client-side (often a browser or client device) verifies the server by verifying the server’s certificate was issued by a trusted certificate authority.
Note: Mutual authentication can be used when both the server and the client authenticate one-another.
**Azure Guidance:**
Many Azure services support TLS authentication by default. For the services supporting TLS enable/disable switch by the user, ensure it's always enabled to support the server/service authentication. Your client application should also be designed to verify server/service identity (by verifying the server’s certificate issued by a trusted certificate authority) in the handshake stage.
**Implementation and additional context:**
Enforce Transport Layer Security (TLS) for a storage account:
https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version |
n/a |
link |
4 |
| RMiT_v1.0 |
Appendix_5.6 |
RMiT_v1.0_Appendix_5.6 |
RMiT Appendix 5.6 |
Control Measures on Cybersecurity |
Control Measures on Cybersecurity - Appendix 5.6 |
Customer |
n/a |
Ensure security controls for remote access to server include the following:
(a) restrict access to only hardened and locked down end-point devices;
(b) use secure tunnels such as TLS and VPN IPSec;
(c) deploy ‘gateway’ server with adequate perimeter defences and protection such as firewall, IPS and antivirus; and
(d) close relevant ports immediately upon expiry of remote access. |
link |
19 |
| SWIFT_CSCF_v2021 |
2.1 |
SWIFT_CSCF_v2021_2.1 |
SWIFT CSCF v2021 2.1 |
Reduce Attack Surface and Vulnerabilities |
Internal Data Flow Security |
|
n/a |
Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related applications. |
link |
14 |
| SWIFT_CSCF_v2021 |
2.6 |
SWIFT_CSCF_v2021_2.6 |
SWIFT CSCF v2021 2.6 |
Reduce Attack Surface and Vulnerabilities |
Operator Session Confidentiality and Integrity |
|
n/a |
Protect the confidentiality and integrity of interactive operator sessions connecting to the local or the remote (operated by a service provider) SWIFT-related infrastructure or applications. |
link |
8 |