compliance controls are associated with this Policy definition 'Maintain availability of information' (3ad7f0bc-3d03-0585-4d24-529779bb02c2)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| CIS_Azure_1.1.0 | 8.4 | CIS_Azure_1.1.0_8.4 | CIS Microsoft Azure Foundations Benchmark recommendation 8.4 | 8 Other Security Considerations | Ensure the key vault is recoverable | Shared | The customer is responsible for implementing this recommendation. | The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended that the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates), as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. | link | 3 |
| CIS_Azure_1.3.0 | 8.4 | CIS_Azure_1.3.0_8.4 | CIS Microsoft Azure Foundations Benchmark recommendation 8.4 | 8 Other Security Considerations | Ensure the key vault is recoverable | Shared | The customer is responsible for implementing this recommendation. | The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended that the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates), as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. | link | 2 |
| CIS_Azure_1.3.0 | 9.11 | CIS_Azure_1.3.0_9.11 | CIS Microsoft Azure Foundations Benchmark recommendation 9.11 | 9 AppService | Ensure Azure Keyvaults are used to store secrets | Shared | The customer is responsible for implementing this recommendation. | Encryption keys, certificate thumbprints and Managed Identity Credentials can be coded into the App Service; this renders them visible as part of the configuration. To maintain the security of these keys it is better to store them in an Azure Key Vault and reference them from the Key Vault. | link | 9 |
| CIS_Azure_1.4.0 | 8.6 | CIS_Azure_1.4.0_8.6 | CIS Microsoft Azure Foundations Benchmark recommendation 8.6 | 8 Other Security Considerations | Ensure the key vault is recoverable | Shared | The customer is responsible for implementing this recommendation. | The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended that the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates), as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. | link | 2 |
| CIS_Azure_1.4.0 | 9.11 | CIS_Azure_1.4.0_9.11 | CIS Microsoft Azure Foundations Benchmark recommendation 9.11 | 9 AppService | Ensure Azure Keyvaults are Used to Store Secrets | Shared | The customer is responsible for implementing this recommendation. | Encryption keys, certificate thumbprints and Managed Identity Credentials can be coded into the App Service; this renders them visible as part of the configuration. To maintain the security of these keys it is better to store them in an Azure Key Vault and reference them from the Key Vault. | link | 9 |
| CIS_Azure_2.0.0 | 9.11 | CIS_Azure_2.0.0_9.11 | CIS Microsoft Azure Foundations Benchmark recommendation 9.11 | 9 | Ensure Azure Key Vaults are Used to Store Secrets | Shared | References to secrets within the key vault are required to be specifically integrated within the application code. This will require additional configuration during the writing of an application, or refactoring of an already written one. There are also additional costs that are charged per 10000 requests to the Key Vault. | Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions. The credentials given to an application have permissions to create, delete, or modify data stored within the systems they access. If these credentials are stored within the application itself, anyone with access to the application or a copy of the code has access to them. Storing them within Azure Key Vault as secrets increases security by controlling access. This also allows the credentials to be updated without redeploying the entire application. | link | 9 |
| FedRAMP_High_R4 | SC-12(1) | FedRAMP_High_R4_SC-12(1) | FedRAMP High SC-12 (1) | System And Communications Protection | Availability | Shared | n/a | The organization maintains availability of information in the event of the loss of cryptographic keys by users. Supplemental Guidance: Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase). | link | 1 |
| NIST_SP_800-53_R4 | SC-12(1) | NIST_SP_800-53_R4_SC-12(1) | NIST SP 800-53 Rev. 4 SC-12 (1) | System And Communications Protection | Availability | Shared | n/a | The organization maintains availability of information in the event of the loss of cryptographic keys by users. Supplemental Guidance: Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase). | link | 1 |
| NIST_SP_800-53_R5 | SC-12(1) | NIST_SP_800-53_R5_SC-12(1) | NIST SP 800-53 Rev. 5 SC-12 (1) | System and Communications Protection | Availability | Shared | n/a | Maintain availability of information in the event of the loss of cryptographic keys by users. | link | 1 |
| PCI_DSS_v4.0 | 3.7.3 | PCI_DSS_v4.0_3.7.3 | PCI DSS v4.0 3.7.3 | Requirement 03: Protect Stored Account Data | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Shared | n/a | Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to Protect Stored Account Data. | link | 9 |
| PCI_DSS_v4.0 | 4.2.1.1 | PCI_DSS_v4.0_4.2.1.1 | PCI DSS v4.0 4.2.1.1 | Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | PAN is protected with strong cryptography during transmission | Shared | n/a | An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained. | link | 8 |
| SWIFT_CSCF_v2022 | 2.1 | SWIFT_CSCF_v2022_2.1 | SWIFT CSCF v2022 2.1 | 2. Reduce Attack Surface and Vulnerabilities | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Shared | n/a | Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. | link | 36 |