compliance controls are associated with this Policy definition 'Authenticate to cryptographic module' (6f1de470-79f3-1572-866e-db0771352fc8)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| CIS_Azure_1.1.0 | 9.1 | CIS_Azure_1.1.0_9.1 | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | 9 AppService | Ensure App Service Authentication is set on Azure App Service | Shared | The customer is responsible for implementing this recommendation. | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. | link | 5 |
| CIS_Azure_1.1.0 | 9.4 | CIS_Azure_1.1.0_9.4 | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | 9 AppService | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Shared | The customer is responsible for implementing this recommendation. | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | link | 3 |
| CIS_Azure_1.3.0 | 1.22 | CIS_Azure_1.3.0_1.22 | CIS Microsoft Azure Foundations Benchmark recommendation 1.22 | 1 Identity and Access Management | Ensure Security Defaults is enabled on Azure Active Directory | Shared | The customer is responsible for implementing this recommendation. | Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. | link | 9 |
| CIS_Azure_1.3.0 | 9.1 | CIS_Azure_1.3.0_9.1 | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | 9 AppService | Ensure App Service Authentication is set on Azure App Service | Shared | The customer is responsible for implementing this recommendation. | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. | link | 5 |
| CIS_Azure_1.3.0 | 9.4 | CIS_Azure_1.3.0_9.4 | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | 9 AppService | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Shared | The customer is responsible for implementing this recommendation. | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | link | 3 |
| CIS_Azure_1.4.0 | 1.21 | CIS_Azure_1.4.0_1.21 | CIS Microsoft Azure Foundations Benchmark recommendation 1.21 | 1 Identity and Access Management | Ensure Security Defaults is enabled on Azure Active Directory | Shared | The customer is responsible for implementing this recommendation. | Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. | link | 9 |
| CIS_Azure_1.4.0 | 9.1 | CIS_Azure_1.4.0_9.1 | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | 9 AppService | Ensure App Service Authentication is set up for apps in Azure App Service | Shared | The customer is responsible for implementing this recommendation. | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. | link | 5 |
| CIS_Azure_1.4.0 | 9.4 | CIS_Azure_1.4.0_9.4 | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | 9 AppService | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Shared | The customer is responsible for implementing this recommendation. | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | link | 3 |
| CIS_Azure_2.0.0 | 1.1.1 | CIS_Azure_2.0.0_1.1.1 | CIS Microsoft Azure Foundations Benchmark recommendation 1.1.1 | 1.1 | Ensure Security Defaults is enabled on Azure Active Directory | Shared | This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks. Administrators should also be aware that certain configurations in Azure Active Directory may impact other Microsoft services such as Microsoft 365. | Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal. Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example: requiring all users and admins to register for MFA; challenging users with MFA when necessary, based on factors such as location, device, role, and task; and disabling authentication from legacy authentication clients, which can't do MFA. | link | 9 |
| CIS_Azure_2.0.0 | 9.1 | CIS_Azure_2.0.0_9.1 | CIS Microsoft Azure Foundations Benchmark recommendation 9.1 | 9 | Ensure App Service Authentication is set up for apps in Azure App Service | Shared | This is only required for App Services which require authentication. Enabling it on a site such as a marketing or support website will prevent unauthenticated access, which would be undesirable. Adding an authentication requirement will increase the cost of the App Service and require additional security components to facilitate the authentication. | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. By enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. | link | 5 |
| CIS_Azure_2.0.0 | 9.4 | CIS_Azure_2.0.0_9.4 | CIS Microsoft Azure Foundations Benchmark recommendation 9.4 | 9 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Shared | Utilizing and maintaining client certificates will require additional work to obtain and manage replacement and key rotation. | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, then only an authenticated client who has valid certificates can access the app. | link | 3 |
| FedRAMP_High_R4 | IA-7 | FedRAMP_High_R4_IA-7 | FedRAMP High IA-7 | Identification And Authentication | Cryptographic Module Authentication | Shared | n/a | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. Control Enhancements: None. References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html. | link | 1 |
| FedRAMP_Moderate_R4 | IA-7 | FedRAMP_Moderate_R4_IA-7 | FedRAMP Moderate IA-7 | Identification And Authentication | Cryptographic Module Authentication | Shared | n/a | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. Control Enhancements: None. References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html. | link | 1 |
| hipaa | 0904.10f2Organizational.1-10.f | hipaa-0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f | 09 Transmission Protection | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Shared | n/a | Key management is implemented based on specific roles and responsibilities, and in consideration of national and international regulations, restrictions, and issues. | | 10 |
| hipaa | 0945.09y1Organizational.3-09.y | hipaa-0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y | 09 Transmission Protection | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Shared | n/a | Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). | | 6 |
| hipaa | 1005.01d1System.1011-01.d | hipaa-1005.01d1System.1011-01.d | 1005.01d1System.1011-01.d | 10 Password Management | 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | The organization transmits passwords only when cryptographically protected and stores passwords using an approved hash algorithm. | | 6 |
| ISO27001-2013 | A.18.1.5 | ISO27001-2013_A.18.1.5 | ISO 27001:2013 A.18.1.5 | Compliance | Regulation of cryptographic controls | Shared | n/a | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. | link | 2 |
| | mp.com.2 Protection of confidentiality | mp.com.2 Protection of confidentiality | | | | | n/a | n/a | | 55 |
| | mp.com.3 Protection of integrity and authenticity | mp.com.3 Protection of integrity and authenticity | | | | | n/a | n/a | | 62 |
| | mp.info.3 Electronic signature | mp.info.3 Electronic signature | | | | | n/a | n/a | | 40 |
| | mp.si.2 Cryptography | mp.si.2 Cryptography | | | | | n/a | n/a | | 32 |
| NIST_SP_800-53_R4 | IA-7 | NIST_SP_800-53_R4_IA-7 | NIST SP 800-53 Rev. 4 IA-7 | Identification And Authentication | Cryptographic Module Authentication | Shared | n/a | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. Control Enhancements: None. References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html. | link | 1 |
| NIST_SP_800-53_R5 | IA-7 | NIST_SP_800-53_R5_IA-7 | NIST SP 800-53 Rev. 5 IA-7 | Identification and Authentication | Cryptographic Module Authentication | Shared | n/a | Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. | link | 1 |
| | op.acc.6 Authentication mechanism (organization users) | op.acc.6 Authentication mechanism (organization users) | | | | | n/a | n/a | | 78 |
| | op.exp.10 Cryptographic key protection | op.exp.10 Cryptographic key protection | | | | | n/a | n/a | | 53 |
| | org.1 Security policy | org.1 Security policy | | | | | n/a | n/a | | 94 |
| PCI_DSS_v4.0 | 3.3.2 | PCI_DSS_v4.0_3.3.2 | PCI DSS v4.0 3.3.2 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. | link | 1 |
| PCI_DSS_v4.0 | 3.3.3 | PCI_DSS_v4.0_3.3.3 | PCI DSS v4.0 3.3.3 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is (a) limited to that which is needed for a legitimate issuing business need and is secured, and (b) encrypted using strong cryptography. This second bullet is a best practice until its effective date; refer to Applicability Notes below for details. | link | 13 |