last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Authenticate to cryptographic module

Name: Authenticate to cryptographic module
Id: 6f1de470-79f3-1572-866e-db0771352fc8
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0021 - Authenticate to cryptographic module
Mode: All
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default = Manual; Allowed = Manual, Disabled
RBAC Role(s): none
Rule Aliases: (none listed)
Rule ResourceTypes (IF, 1): Microsoft.Resources/subscriptions
Compliance

The following 18 compliance controls are associated with this Policy definition 'Authenticate to cryptographic module' (6f1de470-79f3-1572-866e-db0771352fc8). Each entry lists the control domain and control name, the MetadataId, the category, the title, the owner and requirements, the description, and the number of policies mapped to the control (Policy#).

CIS_Azure_1.1.0 9.1 (MetadataId CIS_Azure_1.1.0_9.1): CIS Microsoft Azure Foundations Benchmark recommendation 9.1
Category: 9 AppService
Title: Ensure App Service Authentication is set on Azure App Service
Owner: Shared. Requirements: The customer is responsible for implementing this recommendation.
Description: Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
Policy#: 5

CIS_Azure_1.1.0 9.4 (MetadataId CIS_Azure_1.1.0_9.4): CIS Microsoft Azure Foundations Benchmark recommendation 9.4
Category: 9 AppService
Title: Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Owner: Shared. Requirements: The customer is responsible for implementing this recommendation.
Description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
Policy#: 3

CIS_Azure_1.3.0 1.22 (MetadataId CIS_Azure_1.3.0_1.22): CIS Microsoft Azure Foundations Benchmark recommendation 1.22
Category: 1 Identity and Access Management
Title: Ensure Security Defaults is enabled on Azure Active Directory
Owner: Shared. Requirements: The customer is responsible for implementing this recommendation.
Description: Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal.
Policy#: 9

CIS_Azure_1.3.0 9.1 (MetadataId CIS_Azure_1.3.0_9.1): CIS Microsoft Azure Foundations Benchmark recommendation 9.1
Category: 9 AppService
Title: Ensure App Service Authentication is set on Azure App Service
Owner: Shared. Requirements: The customer is responsible for implementing this recommendation.
Description: Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
Policy#: 5

CIS_Azure_1.3.0 9.4 (MetadataId CIS_Azure_1.3.0_9.4): CIS Microsoft Azure Foundations Benchmark recommendation 9.4
Category: 9 AppService
Title: Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Owner: Shared. Requirements: The customer is responsible for implementing this recommendation.
Description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
Policy#: 3

CIS_Azure_1.4.0 1.21 (MetadataId CIS_Azure_1.4.0_1.21): CIS Microsoft Azure Foundations Benchmark recommendation 1.21
Category: 1 Identity and Access Management
Title: Ensure Security Defaults is enabled on Azure Active Directory
Owner: Shared. Requirements: The customer is responsible for implementing this recommendation.
Description: Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal.
Policy#: 9

CIS_Azure_1.4.0 9.1 (MetadataId CIS_Azure_1.4.0_9.1): CIS Microsoft Azure Foundations Benchmark recommendation 9.1
Category: 9 AppService
Title: Ensure App Service Authentication is set up for apps in Azure App Service
Owner: Shared. Requirements: The customer is responsible for implementing this recommendation.
Description: Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
Policy#: 5

CIS_Azure_1.4.0 9.4 (MetadataId CIS_Azure_1.4.0_9.4): CIS Microsoft Azure Foundations Benchmark recommendation 9.4
Category: 9 AppService
Title: Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Owner: Shared. Requirements: The customer is responsible for implementing this recommendation.
Description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
Policy#: 3

FedRAMP_High_R4 IA-7 (MetadataId FedRAMP_High_R4_IA-7): FedRAMP High IA-7
Category: Identification And Authentication
Title: Cryptographic Module Authentication
Owner: Shared. Requirements: n/a
Description: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. Control Enhancements: None. References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html.
Policy#: 1

FedRAMP_Moderate_R4 IA-7 (MetadataId FedRAMP_Moderate_R4_IA-7): FedRAMP Moderate IA-7
Category: Identification And Authentication
Title: Cryptographic Module Authentication
Owner: Shared. Requirements: n/a
Description: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. Control Enhancements: None. References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html.
Policy#: 1

hipaa 0904.10f2Organizational.1-10.f (MetadataId hipaa-0904.10f2Organizational.1-10.f)
Category: 09 Transmission Protection
Title: 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls
Owner: Shared. Requirements: n/a
Description: Key management is implemented based on specific roles and responsibilities, and in consideration of national and international regulations, restrictions, and issues.
Policy#: 10

hipaa 0945.09y1Organizational.3-09.y (MetadataId hipaa-0945.09y1Organizational.3-09.y)
Category: 09 Transmission Protection
Title: 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services
Owner: Shared. Requirements: n/a
Description: Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL).
Policy#: 6

hipaa 1005.01d1System.1011-01.d (MetadataId hipaa-1005.01d1System.1011-01.d)
Category: 10 Password Management
Title: 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems
Owner: Shared. Requirements: n/a
Description: The organization transmits passwords only when cryptographically protected and stores passwords using an approved hash algorithm.
Policy#: 6

ISO27001-2013 A.18.1.5 (MetadataId ISO27001-2013_A.18.1.5): ISO 27001:2013 A.18.1.5
Category: Compliance
Title: Regulation of cryptographic controls
Owner: Shared. Requirements: n/a
Description: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
Policy#: 2

NIST_SP_800-53_R4 IA-7 (MetadataId NIST_SP_800-53_R4_IA-7): NIST SP 800-53 Rev. 4 IA-7
Category: Identification And Authentication
Title: Cryptographic Module Authentication
Owner: Shared. Requirements: n/a
Description: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. Control Enhancements: None. References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html.
Policy#: 1

NIST_SP_800-53_R5 IA-7 (MetadataId NIST_SP_800-53_R5_IA-7): NIST SP 800-53 Rev. 5 IA-7
Category: Identification and Authentication
Title: Cryptographic Module Authentication
Owner: Shared. Requirements: n/a
Description: Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
Policy#: 1

PCI_DSS_v4.0 3.3.2 (MetadataId PCI_DSS_v4.0_3.3.2): PCI DSS v4.0 3.3.2
Category: Requirement 03: Protect Stored Account Data
Title: Sensitive authentication data (SAD) is not stored after authorization
Owner: Shared. Requirements: n/a
Description: SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.
Policy#: 1

PCI_DSS_v4.0 3.3.3 (MetadataId PCI_DSS_v4.0_3.3.3): PCI DSS v4.0 3.3.3
Category: Requirement 03: Protect Stored Account Data
Title: Sensitive authentication data (SAD) is not stored after authorization
Owner: Shared. Requirements: n/a
Description: Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: (1) limited to that which is needed for a legitimate issuing business need and is secured; (2) encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
Policy#: 13
History

Date/Time (UTC, ymd) - Change type - Change detail
2022-09-27 16:35:32 - change - Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 - add - 6f1de470-79f3-1572-866e-db0771352fc8
Initiatives

This policy definition is used by the following initiatives. All of them have Initiative Category "Regulatory Compliance", State "GA" and Type "BuiltIn"; each line gives the Initiative DisplayName and the Initiative Id.

CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
FedRAMP High (d5264498-16f4-418a-b659-fa7ef418175f)
FedRAMP Moderate (e95f5a9f-57ad-4d03-bb0b-b1d16db93693)
HITRUST/HIPAA (a169a624-5599-4385-a696-c8d643089fab)
ISO 27001:2013 (89c6cddc-1c73-4ac1-b19c-54d1a15a42f2)
NIST SP 800-53 Rev. 4 (cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f)
NIST SP 800-53 Rev. 5 (179d1daa-458f-4e47-8086-2a68d0d6c38f)
PCI DSS v4 (c676748e-3af9-4e22-bc28-50feed564afb)