| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy# |
|---|---|---|---|---|---|---|---|---|---|
| CIS_Azure_1.1.0 | 9.1 | CIS_Azure_1.1.0_9.1 | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | 9 AppService | Ensure App Service Authentication is set on Azure App Service | Shared | The customer is responsible for implementing this recommendation. | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. | 5 |
| CIS_Azure_1.1.0 | 9.4 | CIS_Azure_1.1.0_9.4 | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | 9 AppService | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Shared | The customer is responsible for implementing this recommendation. | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | 3 |
| CIS_Azure_1.3.0 | 1.22 | CIS_Azure_1.3.0_1.22 | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | 1 Identity and Access Management | Ensure Security Defaults is enabled on Azure Active Directory | Shared | The customer is responsible for implementing this recommendation. | Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.<br>Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. | 9 |
| CIS_Azure_1.3.0 | 9.1 | CIS_Azure_1.3.0_9.1 | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | 9 AppService | Ensure App Service Authentication is set on Azure App Service | Shared | The customer is responsible for implementing this recommendation. | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. | 5 |
| CIS_Azure_1.3.0 | 9.4 | CIS_Azure_1.3.0_9.4 | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | 9 AppService | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Shared | The customer is responsible for implementing this recommendation. | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | 3 |
| CIS_Azure_1.4.0 | 1.21 | CIS_Azure_1.4.0_1.21 | CIS Microsoft Azure Foundations Benchmark recommendation 1.21 | 1 Identity and Access Management | Ensure Security Defaults is enabled on Azure Active Directory | Shared | The customer is responsible for implementing this recommendation. | Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.<br>Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. | 9 |
| CIS_Azure_1.4.0 | 9.1 | CIS_Azure_1.4.0_9.1 | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | 9 AppService | Ensure App Service Authentication is set up for apps in Azure App Service | Shared | The customer is responsible for implementing this recommendation. | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. | 5 |
| CIS_Azure_1.4.0 | 9.4 | CIS_Azure_1.4.0_9.4 | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | 9 AppService | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Shared | The customer is responsible for implementing this recommendation. | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | 3 |
| FedRAMP_High_R4 | IA-7 | FedRAMP_High_R4_IA-7 | FedRAMP High IA-7 | Identification And Authentication | Cryptographic Module Authentication | Shared | n/a | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.<br>Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13.<br>Control Enhancements: None.<br>References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html. | 1 |
| FedRAMP_Moderate_R4 | IA-7 | FedRAMP_Moderate_R4_IA-7 | FedRAMP Moderate IA-7 | Identification And Authentication | Cryptographic Module Authentication | Shared | n/a | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.<br>Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13.<br>Control Enhancements: None.<br>References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html. | 1 |
| hipaa | 0904.10f2Organizational.1-10.f | hipaa-0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f | 09 Transmission Protection | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Shared | n/a | Key management is implemented based on specific roles and responsibilities, and in consideration of national and international regulations, restrictions, and issues. | 10 |
| hipaa | 0945.09y1Organizational.3-09.y | hipaa-0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y | 09 Transmission Protection | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Shared | n/a | Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). | 6 |
| hipaa | 1005.01d1System.1011-01.d | hipaa-1005.01d1System.1011-01.d | 1005.01d1System.1011-01.d | 10 Password Management | 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | The organization transmits passwords only when cryptographically protected and stores passwords using an approved hash algorithm. | 6 |
| ISO27001-2013 | A.18.1.5 | ISO27001-2013_A.18.1.5 | ISO 27001:2013 A.18.1.5 | Compliance | Regulation of cryptographic controls | Shared | n/a | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. | 2 |
| NIST_SP_800-53_R4 | IA-7 | NIST_SP_800-53_R4_IA-7 | NIST SP 800-53 Rev. 4 IA-7 | Identification And Authentication | Cryptographic Module Authentication | Shared | n/a | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.<br>Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13.<br>Control Enhancements: None.<br>References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html. | 1 |
| NIST_SP_800-53_R5 | IA-7 | NIST_SP_800-53_R5_IA-7 | NIST SP 800-53 Rev. 5 IA-7 | Identification and Authentication | Cryptographic Module Authentication | Shared | n/a | Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. | 1 |
| PCI_DSS_v4.0 | 3.3.2 | PCI_DSS_v4.0_3.3.2 | PCI DSS v4.0 3.3.2 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. | 1 |
| PCI_DSS_v4.0 | 3.3.3 | PCI_DSS_v4.0_3.3.3 | PCI DSS v4.0 3.3.3 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is:<br>• Limited to that which is needed for a legitimate issuing business need and is secured.<br>• Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. | 13 |