CIS Azure Foundations Benchmark. Armor for your data on Azure

By Ojashwi Chaturvedi – CloudGuard, Research Team, published December 19, 2022

In today’s world, when everything is going digital, cloud misconfigurations and cyber attacks are a constant concern for organizations where security is of utmost importance.

To keep data safe and secure online, it’s important to have cloud security best practices that are easy to understand and implement.

CIS (Centre for Internet Security) Benchmarks are a collection of best practices to securely configure IT systems, software, networks, and cloud infrastructure, developed by a global community of cybersecurity professionals.

Check Point CloudGuard helps you test your cloud environment and attain CIS Compliance.

What Is CIS Azure Foundations Benchmark?

Azure Foundations Benchmark is a set of controls that provides prescriptive guidance to establish a secure baseline configuration for Microsoft Azure. Primarily, this benchmark focuses on the foundation level of security for anyone adopting Microsoft Azure.

Why Is It Important?

CIS Benchmarks are important because they outline the security best practices, which are developed by security professionals and subject matter experts. CIS Benchmarks help organizations set up IT and technology systems to ensure best-practice cybersecurity defense. These guidelines play an important role in the formation of an organization’s cybersecurity policy.

CIS Benchmarks comprise the only consensus-based, best-practice security configuration guide available, which is accepted by governments, businesses, industries, and academia.

The CIS Benchmarks goal is to help organisations harden their machine configurations and to secure their customer’s data.

CIS Major Releases

The first CIS Microsoft Azure Foundations Benchmark v1.0.0 was released in February 2018. Since then, Benchmarks continue to evolve, and several upgraded versions were released.

Latest CIS Azure Foundations Benchmark – CISv1.5

The latest CISv1.5 Azure Foundations Benchmark is composed of 10 sections with a total of 147 controls known as “recommendations”. CISv1.5 is the latest Benchmark (as of today) released in August 2022.

To comply with this CIS Benchmark, organizations must adhere to these Sections:

  1. Identity and Access Management – Identity and Access Management policies are the first step towards a defense-in-depth approach to securing an Azure Cloud Platform environment. This section contains 33 security controls.
  2. Microsoft Defender for Cloud – This section covers recommendations to consider for tenant-wide security policies and plans related to Microsoft Defender. This section contains 23 security controls.
  3. Storage Accounts – This section covers security recommendations to follow in order to set storage account policies. An Azure storage account provides a unique namespace to store and access Azure Storage data objects. This section contains 15 Security Controls.
  4. Database Services – This section covers security recommendations to follow in order to set the general database services policies on an Azure Subscription. Subsections address specific database types such as MySQL,PostgreSQL, and more. This section contains 25 security controls.
  5. Logging and Monitoring – This section covers security recommendations to follow in order to set the logging and monitoring policies on an Azure Subscription. This section contains 18 security controls.
  6. Networking – This section covers security recommendations to follow in order to set the networking policies on an Azure subscription. This section contains 7 security controls.
  7. Virtual Machines – This section covers security recommendations to follow in order to set the configurations of Virtual Machines on an Azure subscription. This section contains 6 security controls.
  8. Key Vault – This section covers security recommendations to follow in order to set the configuration of Azure Key Vault. This section contains 8 security controls.
  9. AppService – This section covers security recommendations for Azure AppService. This section contains 11 security controls.
  10. Miscellaneous – This section covers other security recommendations. This section contains 1 security control.

CIS Coverage in Check Point

Check Point CloudGuard helps you to test your cloud environment and to achieve CIS Compliance. CloudGuard consists of a set of rules called “Rulesets” for all CIS Foundations versions. For example, see the Azure CIS Foundations v1.0.0 Ruleset below.

How to detect CIS Compliance violations ?

  1. Go to CloudGuard and make sure to onboard your Azure Cloud Environment.
  2. From the main menu, select Posture Management.
  3. Click Rulesets and search Azure CIS Ruleset.
  4. Select the CIS Ruleset that you want to run and click Run Assessment.
  5. A detailed test analysis of the assessment done, the test scores, and failed/passed rules now shows (see the Screenshot below).
  6. The results can be further used to determine the rules with which the organization is non-compliance, as well as the steps to take to remediate the issues. You can see:
    1. A dashboard with Flexible Report function and with consolidated views of compliance efforts
    2. Graphical views of the compliance progress in the controls

How to Remediate?

Based on the Assessment Results, when you expand the rules that were detected as non-compliant on your Azure environment, the CloudGuard will present you with detailed steps to remediate those in various platforms such as Portal, CLI etc.

Conclusion

Cloud security is an essential component of doing business in our digital world and is a concern for all businesses. As more and more businesses are moving some or all there assets to the cloud, they introduce themselves to a new set of risks and at the same time changing the nature of others. Complying such standards becoming an integral part of daily work to keep there organization secured.

At Check Point, we help you build your environment to be more secure and trusted, because you deserve the best cloud security.

Check out some related articles:

For more information about Check Point CloudGuard, please read here.

For a free cloud security assessment, please click here.