last sync: 2024-Jul-26 18:17:39 UTC

Microsoft Managed Control 1618 - Security Function Isolation | Regulatory Compliance - System and Communications Protection

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1618 - Security Function Isolation
Id f52f89aa-4489-4ec4-950e-8c96a036baa9
Version 1.0.0
Category Regulatory Compliance
Description Microsoft implements this System and Communications Protection control
Additional metadata Name/Id: ACF1618 / Microsoft Managed Control 1618
Category: System and Communications Protection
Title: Security Function Isolation
Ownership: Customer, Microsoft
Description: The information system isolates security functions from nonsecurity functions.
Requirements: All Azure assets run modern operating systems as identified in the Azure inventory. These operating systems maintain a separate execution domain for each running process by assigning it a private virtual address space.

All Azure servers use Intel or AMD processors. Both implement isolation by means of protection rings with different privilege levels: user code runs in ring 3, kernel code in ring 0. Security software on the servers, such as antimalware, is protected by file-system access control lists (file permissions), so that only approved users can access it. These are technological implementations and are in place continuously.

At the network level, Azure uses Jumpboxes, Debug Servers, Hop Boxes, and a VPN to restrict access to security functions. To reach a security function, users must first log on to one of these using multifactor authentication. Azure monitors and audits this access through its logging and monitoring pipeline. Azure users must also use just-in-time (JIT) access to reach production assets. In this way Azure restricts access to security functions by applying least privilege throughout the environment.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed: audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a