last sync: 2024-Apr-24 17:46:58 UTC

Authenticate to cryptographic module | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Authenticate to cryptographic module
Id 6f1de470-79f3-1572-866e-db0771352fc8
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0021 - Authenticate to cryptographic module
Additional metadata Name/Id: CMA_0021 / CMA_0021
Category: Operational
Title: Authenticate to cryptographic module
Ownership: Customer
Description: Microsoft recommends that your organization implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Create and maintain Identification and Authentication policies and standard operating procedures for procuring any required cryptographic certificates from a trusted Certification Authority.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 21 compliance controls are associated with this Policy definition 'Authenticate to cryptographic module' (6f1de470-79f3-1572-866e-db0771352fc8)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 9.1 CIS_Azure_1.1.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set on Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link 5
CIS_Azure_1.1.0 9.4 CIS_Azure_1.1.0_9.4 CIS Microsoft Azure Foundations Benchmark recommendation 9.4 9 AppService Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' Shared The customer is responsible for implementing this recommendation. Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. link 3
CIS_Azure_1.3.0 1.22 CIS_Azure_1.3.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_1.3.0 9.1 CIS_Azure_1.3.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set on Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link 5
CIS_Azure_1.3.0 9.4 CIS_Azure_1.3.0_9.4 CIS Microsoft Azure Foundations Benchmark recommendation 9.4 9 AppService Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' Shared The customer is responsible for implementing this recommendation. Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. link 3
CIS_Azure_1.4.0 1.21 CIS_Azure_1.4.0_1.21 CIS Microsoft Azure Foundations Benchmark recommendation 1.21 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_1.4.0 9.1 CIS_Azure_1.4.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set up for apps in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link 5
CIS_Azure_1.4.0 9.4 CIS_Azure_1.4.0_9.4 CIS Microsoft Azure Foundations Benchmark recommendation 9.4 9 AppService Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' Shared The customer is responsible for implementing this recommendation. Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. link 3
CIS_Azure_2.0.0 1.1.1 CIS_Azure_2.0.0_1.1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1.1 1.1 Ensure Security Defaults is enabled on Azure Active Directory Shared This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks. Administrators should also be aware that certain configurations in Azure Active Directory may impact other Microsoft services such as Microsoft 365. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal. Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example, doing the following: - Requiring all users and admins to register for MFA. - Challenging users with MFA - when necessary, based on factors such as location, device, role, and task. - Disabling authentication from legacy authentication clients, which can’t do MFA. link 9
CIS_Azure_2.0.0 9.1 CIS_Azure_2.0.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 Ensure App Service Authentication is set up for apps in Azure App Service Shared This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable. Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. link 5
CIS_Azure_2.0.0 9.4 CIS_Azure_2.0.0_9.4 CIS Microsoft Azure Foundations Benchmark recommendation 9.4 9 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' Shared Utilizing and maintaining client certificates will require additional work to obtain and manage replacement and key rotation. Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, then only an authenticated client who has valid certificates can access the app. link 3
FedRAMP_High_R4 IA-7 FedRAMP_High_R4_IA-7 FedRAMP High IA-7 Identification And Authentication Cryptographic Module Authentication Shared n/a The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. Control Enhancements: None. References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html. link 1
FedRAMP_Moderate_R4 IA-7 FedRAMP_Moderate_R4_IA-7 FedRAMP Moderate IA-7 Identification And Authentication Cryptographic Module Authentication Shared n/a The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. Control Enhancements: None. References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html. link 1
hipaa 0904.10f2Organizational.1-10.f hipaa-0904.10f2Organizational.1-10.f 0904.10f2Organizational.1-10.f 09 Transmission Protection 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls Shared n/a Key management is implemented based on specific roles and responsibilities, and in consideration of national and international regulations, restrictions, and issues. 10
hipaa 0945.09y1Organizational.3-09.y hipaa-0945.09y1Organizational.3-09.y 0945.09y1Organizational.3-09.y 09 Transmission Protection 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services Shared n/a Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). 6
hipaa 1005.01d1System.1011-01.d hipaa-1005.01d1System.1011-01.d 1005.01d1System.1011-01.d 10 Password Management 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization transmits passwords only when cryptographically-protected and stores passwords using an approved hash algorithm. 6
ISO27001-2013 A.18.1.5 ISO27001-2013_A.18.1.5 ISO 27001:2013 A.18.1.5 Compliance Regulation of cryptographic controls Shared n/a Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. link 2
NIST_SP_800-53_R4 IA-7 NIST_SP_800-53_R4_IA-7 NIST SP 800-53 Rev. 4 IA-7 Identification And Authentication Cryptographic Module Authentication Shared n/a The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. Control Enhancements: None. References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html. link 1
NIST_SP_800-53_R5 IA-7 NIST_SP_800-53_R5_IA-7 NIST SP 800-53 Rev. 5 IA-7 Identification and Authentication Cryptographic Module Authentication Shared n/a Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. link 1
PCI_DSS_v4.0 3.3.2 PCI_DSS_v4.0_3.3.2 PCI DSS v4.0 3.3.2 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. link 1
PCI_DSS_v4.0 3.3.3 PCI_DSS_v4.0_3.3.3 PCI DSS v4.0 3.3.3 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: • Limited to that which is needed for a legitimate issuing business need and is secured. • Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. link 13
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add 6f1de470-79f3-1572-866e-db0771352fc8
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC