last sync: 2024-Mar-18 18:48:08 UTC

[Preview]: Storage account public access should be disallowed

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Preview]: Storage account public access should be disallowed
Id 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
Version 3.1.0-preview
Details on versioning
Category Storage
Microsoft Learn
Description Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.
Mode Indexed
Type BuiltIn
Preview True
Deprecated False
Effect Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Storage/storageAccounts/allowBlobPublicAccess Microsoft.Storage storageAccounts properties.allowBlobPublicAccess true
Rule resource types IF (1)
Microsoft.Storage/storageAccounts
Compliance
The following 41 compliance controls are associated with this Policy definition '[Preview]: Storage account public access should be disallowed' (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v2.0 DP-2 Azure_Security_Benchmark_v2.0_DP-2 Azure Security Benchmark DP-2 Data Protection Protect sensitive data Shared Protect sensitive data by restricting access using Azure Role Based Access Control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases). To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems. For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities. Azure Role Based Access Control (RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview Understand customer data protection in Azure: https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data n/a link 6
Azure_Security_Benchmark_v3.0 NS-2 Azure_Security_Benchmark_v3.0_NS-2 Microsoft cloud security benchmark NS-2 Network Security Secure cloud services with network controls Shared **Security Principle:** Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible. **Azure Guidance:** Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. You should also disable or restrict public network access to services where feasible. For certain services, you also have the option to deploy VNet integration for the service where you can restrict the VNET to establish a private access point for the service. **Implementation and additional context:** Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview n/a link 40
CIS_Azure_1.1.0 3.6 CIS_Azure_1.1.0_3.6 CIS Microsoft Azure Foundations Benchmark recommendation 3.6 3 Storage Accounts Ensure that 'Public access level' is set to Private for blob containers Shared The customer is responsible for implementing this recommendation. Disable anonymous access to blob containers. link 7
CIS_Azure_1.1.0 5.1.5 CIS_Azure_1.1.0_5.1.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 5 Logging and Monitoring Ensure the storage container storing the activity logs is not publicly accessible Shared The customer is responsible for implementing this recommendation. The storage account container containing the activity log export should not be publicly accessible. link 3
CIS_Azure_1.3.0 3.5 CIS_Azure_1.3.0_3.5 CIS Microsoft Azure Foundations Benchmark recommendation 3.5 3 Storage Accounts Ensure that 'Public access level' is set to Private for blob containers Shared The customer is responsible for implementing this recommendation. Disable anonymous access to blob containers and disallow blob public access on storage account. link 7
CIS_Azure_1.3.0 5.1.3 CIS_Azure_1.3.0_5.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 5 Logging and Monitoring Ensure the storage container storing the activity logs is not publicly accessible Shared The customer is responsible for implementing this recommendation. The storage account container containing the activity log export should not be publicly accessible. link 3
CIS_Azure_1.4.0 3.5 CIS_Azure_1.4.0_3.5 CIS Microsoft Azure Foundations Benchmark recommendation 3.5 3 Storage Accounts Ensure that 'Public access level' is set to Private for blob containers Shared The customer is responsible for implementing this recommendation. Disable anonymous access to blob containers and disallow blob public access on storage account. link 7
CIS_Azure_1.4.0 5.1.3 CIS_Azure_1.4.0_5.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 5 Logging and Monitoring Ensure the storage container storing the activity logs is not publicly accessible Shared The customer is responsible for implementing this recommendation. The storage account container containing the activity log export should not be publicly accessible. link 3
CIS_Azure_2.0.0 3.7 CIS_Azure_2.0.0_3.7 CIS Microsoft Azure Foundations Benchmark recommendation 3.7 3 Ensure that 'Public access level' is disabled for storage accounts with blob containers Shared Access will have to be managed using shared access signatures or via Azure AD RBAC. Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account. The default configuration for a storage account permits a user with appropriate permissions to configure public (anonymous) access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on any container in the storage account, it’s recommended to set allowBlobPublicAccess false at the account level, which forbids any container to accept anonymous access in the future. link 7
CIS_Azure_2.0.0 5.1.3 CIS_Azure_2.0.0_5.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 5.1 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible Shared Configuring container `Access policy` to `private` will remove access from the container for everyone except owners of the storage account. Access policy needs to be set explicitly in order to allow access to other desired users. The storage account container containing the activity log export should not be publicly accessible. Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration. link 3
CMMC_2.0_L2 AC.L2-3.1.3 CMMC_2.0_L2_AC.L2-3.1.3 404 not found n/a n/a 54
CMMC_2.0_L2 SC.L1-3.13.1 CMMC_2.0_L2_SC.L1-3.13.1 404 not found n/a n/a 58
CMMC_2.0_L2 SC.L1-3.13.5 CMMC_2.0_L2_SC.L1-3.13.5 404 not found n/a n/a 53
CMMC_2.0_L2 SC.L2-3.13.2 CMMC_2.0_L2_SC.L2-3.13.2 404 not found n/a n/a 53
CMMC_2.0_L2 SC.L2-3.13.6 CMMC_2.0_L2_SC.L2-3.13.6 404 not found n/a n/a 28
CMMC_L3 AC.1.001 CMMC_L3_AC.1.001 CMMC L3 AC.1.001 Access Control Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Shared Microsoft and the customer share responsibilities for implementing this requirement. Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement AC.1.002. link 32
CMMC_L3 AC.1.002 CMMC_L3_AC.1.002 CMMC L3 AC.1.002 Access Control Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). link 28
CMMC_L3 AC.2.016 CMMC_L3_AC.2.016 CMMC L3 AC.2.016 Access Control Control the flow of CUI in accordance with approved authorizations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. link 18
CMMC_L3 CM.3.068 CMMC_L3_CM.3.068 CMMC L3 CM.3.068 Configuration Management Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Shared Microsoft and the customer share responsibilities for implementing this requirement. Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. link 25
CMMC_L3 SC.1.175 CMMC_L3_SC.1.175 CMMC L3 SC.1.175 System and Communications Protection Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. link 32
CMMC_L3 SC.3.183 CMMC_L3_SC.3.183 CMMC L3 SC.3.183 System and Communications Protection Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. link 32
FedRAMP_High_R4 AC-4 FedRAMP_High_R4_AC-4 FedRAMP High AC-4 Access Control Information Flow Enforcement Shared n/a The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None. link 54
FedRAMP_High_R4 SC-7 FedRAMP_High_R4_SC-7 FedRAMP High SC-7 System And Communications Protection Boundary Protection Shared n/a The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. link 54
FedRAMP_High_R4 SC-7(3) FedRAMP_High_R4_SC-7(3) FedRAMP High SC-7 (3) System And Communications Protection Access Points Shared n/a The organization limits the number of external network connections to the information system. Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. link 53
FedRAMP_Moderate_R4 AC-4 FedRAMP_Moderate_R4_AC-4 FedRAMP Moderate AC-4 Access Control Information Flow Enforcement Shared n/a The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None. link 54
FedRAMP_Moderate_R4 SC-7 FedRAMP_Moderate_R4_SC-7 FedRAMP Moderate SC-7 System And Communications Protection Boundary Protection Shared n/a The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. link 54
FedRAMP_Moderate_R4 SC-7(3) FedRAMP_Moderate_R4_SC-7(3) FedRAMP Moderate SC-7 (3) System And Communications Protection Access Points Shared n/a The organization limits the number of external network connections to the information system. Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. link 53
NIST_SP_800-171_R2_3 .1.3 NIST_SP_800-171_R2_3.1.3 NIST SP 800-171 R2 3.1.3 Access Control Control the flow of CUI in accordance with approved authorizations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. link 58
NIST_SP_800-171_R2_3 .13.1 NIST_SP_800-171_R2_3.13.1 NIST SP 800-171 R2 3.13.1 System and Communications Protection Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies. [28] There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in 3.12.4 is conveyed in those plans. link 53
NIST_SP_800-171_R2_3 .13.2 NIST_SP_800-171_R2_3.13.2 NIST SP 800-171 R2 3.13.2 System and Communications Protection Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering. link 53
NIST_SP_800-171_R2_3 .13.5 NIST_SP_800-171_R2_3.13.5 NIST SP 800-171 R2 3.13.5 System and Communications Protection Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Shared Microsoft and the customer share responsibilities for implementing this requirement. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies link 53
NIST_SP_800-171_R2_3 .13.6 NIST_SP_800-171_R2_3.13.6 NIST SP 800-171 R2 3.13.6 System and Communications Protection Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. link 24
NIST_SP_800-53_R4 AC-4 NIST_SP_800-53_R4_AC-4 NIST SP 800-53 Rev. 4 AC-4 Access Control Information Flow Enforcement Shared n/a The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None. link 54
NIST_SP_800-53_R4 SC-7 NIST_SP_800-53_R4_SC-7 NIST SP 800-53 Rev. 4 SC-7 System And Communications Protection Boundary Protection Shared n/a The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. link 54
NIST_SP_800-53_R4 SC-7(3) NIST_SP_800-53_R4_SC-7(3) NIST SP 800-53 Rev. 4 SC-7 (3) System And Communications Protection Access Points Shared n/a The organization limits the number of external network connections to the information system. Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. link 53
NIST_SP_800-53_R5 AC-4 NIST_SP_800-53_R5_AC-4 NIST SP 800-53 Rev. 5 AC-4 Access Control Information Flow Enforcement Shared n/a Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. link 54
NIST_SP_800-53_R5 SC-7 NIST_SP_800-53_R5_SC-7 NIST SP 800-53 Rev. 5 SC-7 System and Communications Protection Boundary Protection Shared n/a a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically;logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. link 54
NIST_SP_800-53_R5 SC-7(3) NIST_SP_800-53_R5_SC-7(3) NIST SP 800-53 Rev. 5 SC-7 (3) System and Communications Protection Access Points Shared n/a Limit the number of external network connections to the system. link 53
RBI_CSF_Banks_v2016 14.1 RBI_CSF_Banks_v2016_14.1 Anti-Phishing Anti-Phishing-14.1 n/a Subscribe to Anti-phishing/anti-rouge app services from external service providers for identifying and taking down phishing websites/rouge applications. 31
RBI_CSF_Banks_v2016 7.7 RBI_CSF_Banks_v2016_7.7 Patch/Vulnerability & Change Management Patch/Vulnerability & Change Management-7.7 n/a Periodically evaluate the access device configurations and patch levels to ensure that all access points, nodes between (i) different VLANs in the Data Centre (ii) LAN/WAN interfaces (iii) bank???s network to external network and interconnections with partner, vendor and service provider networks are to be securely configured. 25
U.07.1 - Isolated U.07.1 - Isolated 404 not found n/a n/a 54
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-04-01 20:29:14 change Minor, suffix remains equal (3.0.1-preview > 3.1.0-preview)
2021-08-30 14:27:30 change Major, suffix remains equal (2.0.1-preview > 3.0.1-preview)
2020-12-11 15:42:52 change Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
2020-11-10 16:00:42 change Major, suffix remains equal (1.0.1-preview > 2.0.0-preview)
2020-08-27 15:39:26 add 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC