compliance controls are associated with this Policy definition 'Protect data in transit using encryption' (b11697e8-9515-16f1-7a35-477d5c8a1344)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
CIS_Azure_1.1.0 |
2.11 |
CIS_Azure_1.1.0_2.11 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.11 |
2 Security Center |
Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable storage encryption recommendations. |
link |
4 |
CIS_Azure_1.1.0 |
2.15 |
CIS_Azure_1.1.0_2.15 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.15 |
2 Security Center |
Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable SQL encryption recommendations. |
link |
5 |
CIS_Azure_1.1.0 |
2.6 |
CIS_Azure_1.1.0_2.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.6 |
2 Security Center |
Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Disk encryption recommendations for virtual machines. |
link |
4 |
CIS_Azure_1.1.0 |
3.1 |
CIS_Azure_1.1.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 Storage Accounts |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable data encryption in transit. |
link |
4 |
CIS_Azure_1.1.0 |
3.5 |
CIS_Azure_1.1.0_3.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.5 |
3 Storage Accounts |
Ensure that shared access signature tokens are allowed only over https |
Shared |
The customer is responsible for implementing this recommendation. |
Shared access signature tokens should be allowed only over HTTPS protocol. |
link |
3 |
CIS_Azure_1.1.0 |
4.10 |
CIS_Azure_1.1.0_4.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.10 |
4 Database Services |
Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) |
Shared |
The customer is responsible for implementing this recommendation. |
TDE with BYOK support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with BYOK support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (BYOK). |
link |
6 |
CIS_Azure_1.1.0 |
4.11 |
CIS_Azure_1.1.0_4.11 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.11 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'MYSQL' Servers. |
link |
4 |
CIS_Azure_1.1.0 |
4.13 |
CIS_Azure_1.1.0_4.13 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.13 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'PostgreSQL' Servers. |
link |
4 |
CIS_Azure_1.1.0 |
4.9 |
CIS_Azure_1.1.0_4.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.9 |
4 Database Services |
Ensure that 'Data encryption' is set to 'On' on a SQL Database |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Transparent Data Encryption on every SQL server. |
link |
5 |
CIS_Azure_1.1.0 |
7.1 |
CIS_Azure_1.1.0_7.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.1 |
7 Virtual Machines |
Ensure that 'OS disk' are encrypted |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that OS disks (boot volumes) are encrypted, where possible. |
link |
4 |
CIS_Azure_1.1.0 |
7.2 |
CIS_Azure_1.1.0_7.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.2 |
7 Virtual Machines |
Ensure that 'Data disks' are encrypted |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that data disks (non-boot volumes) are encrypted, where possible. |
link |
4 |
CIS_Azure_1.1.0 |
7.3 |
CIS_Azure_1.1.0_7.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.3 |
7 Virtual Machines |
Ensure that 'Unattached disks' are encrypted |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that unattached disks in a subscription are encrypted. |
link |
4 |
CIS_Azure_1.1.0 |
9.2 |
CIS_Azure_1.1.0_9.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.2 |
9 AppService |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default.
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. |
link |
4 |
CIS_Azure_1.1.0 |
9.3 |
CIS_Azure_1.1.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 AppService |
Ensure web app is using the latest version of TLS encryption |
Shared |
The customer is responsible for implementing this recommendation. |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
link |
5 |
CIS_Azure_1.3.0 |
3.1 |
CIS_Azure_1.3.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 Storage Accounts |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable data encryption in transit. |
link |
4 |
CIS_Azure_1.3.0 |
3.9 |
CIS_Azure_1.3.0_3.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.9 |
3 Storage Accounts |
Ensure storage for critical data are encrypted with Customer Managed Key |
Shared |
The customer is responsible for implementing this recommendation. |
Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys |
link |
5 |
CIS_Azure_1.3.0 |
4.1.2 |
CIS_Azure_1.3.0_4.1.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 |
4 Database Services |
Ensure that 'Data encryption' is set to 'On' on a SQL Database |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Transparent Data Encryption on every SQL server. |
link |
5 |
CIS_Azure_1.3.0 |
4.3.1 |
CIS_Azure_1.3.0_4.3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'PostgreSQL' Servers. |
link |
4 |
CIS_Azure_1.3.0 |
4.3.2 |
CIS_Azure_1.3.0_4.3.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'MYSQL' Servers. |
link |
4 |
CIS_Azure_1.3.0 |
4.5 |
CIS_Azure_1.3.0_4.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.5 |
4 Database Services |
Ensure SQL server's TDE protector is encrypted with Customer-managed key |
Shared |
The customer is responsible for implementing this recommendation. |
TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). |
link |
6 |
CIS_Azure_1.3.0 |
7.2 |
CIS_Azure_1.3.0_7.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.2 |
7 Virtual Machines |
Ensure that 'OS and Data' disks are encrypted with CMK |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK. |
link |
4 |
CIS_Azure_1.3.0 |
7.3 |
CIS_Azure_1.3.0_7.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.3 |
7 Virtual Machines |
Ensure that 'Unattached disks' are encrypted with CMK |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). |
link |
4 |
CIS_Azure_1.3.0 |
7.7 |
CIS_Azure_1.3.0_7.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.7 |
7 Virtual Machines |
Ensure that VHD's are encrypted |
Shared |
The customer is responsible for implementing this recommendation. |
VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's. |
link |
4 |
CIS_Azure_1.3.0 |
9.10 |
CIS_Azure_1.3.0_9.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.10 |
9 AppService |
Ensure FTP deployments are disabled |
Shared |
The customer is responsible for implementing this recommendation. |
By default, Azure Functions, Web and API Services
can be deployed over FTP. If FTP is required for an
essential deployment workflow, FTPS should be required
for FTP login for all App Service Apps and Functions. |
link |
5 |
CIS_Azure_1.3.0 |
9.2 |
CIS_Azure_1.3.0_9.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.2 |
9 AppService |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default.
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. |
link |
4 |
CIS_Azure_1.3.0 |
9.3 |
CIS_Azure_1.3.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 AppService |
Ensure web app is using the latest version of TLS encryption |
Shared |
The customer is responsible for implementing this recommendation. |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
link |
5 |
CIS_Azure_1.4.0 |
3.1 |
CIS_Azure_1.4.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 Storage Accounts |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable data encryption in transit. |
link |
4 |
CIS_Azure_1.4.0 |
3.12 |
CIS_Azure_1.4.0_3.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.12 |
3 Storage Accounts |
Ensure the "Minimum TLS version" is set to "Version 1.2" |
Shared |
The customer is responsible for implementing this recommendation. |
Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. |
link |
3 |
CIS_Azure_1.4.0 |
3.9 |
CIS_Azure_1.4.0_3.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.9 |
3 Storage Accounts |
Ensure Storage for Critical Data are Encrypted with Customer Managed Keys |
Shared |
The customer is responsible for implementing this recommendation. |
Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys |
link |
5 |
CIS_Azure_1.4.0 |
4.1.2 |
CIS_Azure_1.4.0_4.1.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 |
4 Database Services |
Ensure that 'Data encryption' is set to 'On' on a SQL Database |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Transparent Data Encryption on every SQL server. |
link |
5 |
CIS_Azure_1.4.0 |
4.3.1 |
CIS_Azure_1.4.0_4.3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'PostgreSQL' Servers. |
link |
4 |
CIS_Azure_1.4.0 |
4.3.8 |
CIS_Azure_1.4.0_4.3.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 |
4 Database Services |
Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable encryption at rest for PostgreSQL Databases. |
link |
4 |
CIS_Azure_1.4.0 |
4.4.1 |
CIS_Azure_1.4.0_4.4.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.4.1 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'MYSQL' Servers. |
link |
3 |
CIS_Azure_1.4.0 |
4.4.2 |
CIS_Azure_1.4.0_4.4.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.4.2 |
4 Database Services |
Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure 'TLS version' on 'MySQL flexible' servers is set to the default value. |
link |
3 |
CIS_Azure_1.4.0 |
4.6 |
CIS_Azure_1.4.0_4.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.6 |
4 Database Services |
Ensure SQL server's TDE protector is encrypted with Customer-managed key |
Shared |
The customer is responsible for implementing this recommendation. |
TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). |
link |
6 |
CIS_Azure_1.4.0 |
7.2 |
CIS_Azure_1.4.0_7.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.2 |
7 Virtual Machines |
Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys).
Customer Managed keys can be either ADE or Server Side Encryption(SSE) |
link |
4 |
CIS_Azure_1.4.0 |
7.3 |
CIS_Azure_1.4.0_7.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.3 |
7 Virtual Machines |
Ensure that 'Unattached disks' are encrypted with CMK |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). |
link |
4 |
CIS_Azure_1.4.0 |
7.7 |
CIS_Azure_1.4.0_7.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.7 |
7 Virtual Machines |
Ensure that VHD's are Encrypted |
Shared |
The customer is responsible for implementing this recommendation. |
VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's. |
link |
4 |
CIS_Azure_1.4.0 |
9.10 |
CIS_Azure_1.4.0_9.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.10 |
9 AppService |
Ensure FTP deployments are Disabled |
Shared |
The customer is responsible for implementing this recommendation. |
By default, Azure Functions, Web and API Services
can be deployed over FTP. If FTP is required for an
essential deployment workflow, FTPS should be required
for FTP login for all App Service Apps and Functions. |
link |
5 |
CIS_Azure_1.4.0 |
9.2 |
CIS_Azure_1.4.0_9.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.2 |
9 AppService |
Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default.
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. |
link |
4 |
CIS_Azure_1.4.0 |
9.3 |
CIS_Azure_1.4.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 AppService |
Ensure Web App is using the latest version of TLS encryption |
Shared |
The customer is responsible for implementing this recommendation. |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
link |
5 |
CIS_Azure_2.0.0 |
3.1 |
CIS_Azure_2.0.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
n/a |
Enable data encryption in transit.
The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name. |
link |
4 |
CIS_Azure_2.0.0 |
3.12 |
CIS_Azure_2.0.0_3.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.12 |
3 |
Ensure Storage for Critical Data are Encrypted with Customer Managed Keys |
Shared |
If the key expires by setting the 'activation date' and 'expiration date', the user must rotate the key manually.
Using Customer Managed Keys may also incur additional man-hour requirements to create, store, manage, and protect the keys as needed. |
Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.
By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. If you want to control and manage this encryption key yourself, however, you can specify a customer-managed key. That key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault. |
link |
5 |
CIS_Azure_2.0.0 |
3.15 |
CIS_Azure_2.0.0_3.15 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.15 |
3 |
Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" |
Shared |
When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail. |
In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.
TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit. |
link |
4 |
CIS_Azure_2.0.0 |
4.1.3 |
CIS_Azure_2.0.0_4.1.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 |
4.1 |
Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key |
Shared |
Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you, and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible.
When deploying Customer Managed Keys, it is prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore, such as Azure Key Vault.
As far as toolsets go, check with your cryptographic key provider, as they may well provide one as an add-on to their service. |
Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security.
Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).
Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure’s cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server. |
link |
6 |
CIS_Azure_2.0.0 |
4.1.5 |
CIS_Azure_2.0.0_4.1.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.1.5 |
4.1 |
Ensure that 'Data encryption' is set to 'On' on a SQL Database |
Shared |
n/a |
Enable Transparent Data Encryption on every SQL server.
Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. |
link |
5 |
CIS_Azure_2.0.0 |
4.3.1 |
CIS_Azure_2.0.0_4.3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 |
4.3 |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
n/a |
Enable `SSL connection` on `PostgreSQL` Servers.
`SSL connectivity` helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application. |
link |
4 |
CIS_Azure_2.0.0 |
4.3.8 |
CIS_Azure_2.0.0_4.3.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 |
4.3 |
Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' |
Shared |
The read and write speeds to the database will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This cost is justified for information security.
Customer managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the database. |
Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.
If Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level. Information will be encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or processor cache. Encryption will also be in place for any backups taken of the database, so the key will secure access the data in all forms. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault. |
link |
5 |
CIS_Azure_2.0.0 |
4.4.1 |
CIS_Azure_2.0.0_4.4.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.4.1 |
4.4 |
Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server |
Shared |
n/a |
Enable `SSL connection` on `MYSQL` Servers.
SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application. |
link |
4 |
CIS_Azure_2.0.0 |
4.4.2 |
CIS_Azure_2.0.0_4.4.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.4.2 |
4.4 |
Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server |
Shared |
n/a |
Ensure `TLS version` on `MySQL flexible` servers is set to the default value.
TLS connectivity helps to provide a new layer of security by connecting database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application. |
link |
3 |
CIS_Azure_2.0.0 |
7.3 |
CIS_Azure_2.0.0_7.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.3 |
7 |
Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) |
Shared |
Using CMK/BYOK will entail additional management of keys.
**NOTE:** You must have your key vault set up to utilize this. |
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys).
Customer Managed keys can be either ADE or Server Side Encryption (SSE).
Encrypting the IaaS VM's OS disk (boot volume) and Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key, thus protecting the volume from unwanted reads. PMK (Platform Managed Keys) are enabled by default in Azure-managed disks and allow encryption at rest. CMK is recommended because it gives the customer the option to control which specific keys are used for the encryption and decryption of the disk. The customer can then change keys and increase security by disabling them instead of relying on the PMK key that remains unchanging. There is also the option to increase security further by using automatically rotating keys so that access to disk is ensured to be limited. Organizations should evaluate what their security requirements are, however, for the data stored on the disk. For high-risk data using CMK is a must, as it provides extra steps of security. If the data is low risk, PMK is enabled by default and provides sufficient data security. |
link |
4 |
CIS_Azure_2.0.0 |
7.4 |
CIS_Azure_2.0.0_7.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.4 |
7 |
Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) |
Shared |
**NOTE:** You must have your key vault set up to utilize this.
Encryption is available only on Standard tier VMs. This might cost you more.
Utilizing and maintaining Customer-managed keys will require additional work to create, protect, and rotate keys. |
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).
Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads.
Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks, which may lead to sensitive information disclosure and tampering. |
link |
5 |
CIS_Azure_2.0.0 |
7.7 |
CIS_Azure_2.0.0_7.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.7 |
7 |
[Legacy] Ensure that VHDs are Encrypted |
Shared |
How the encryption is implemented determines the size of the impact. If provider-managed keys (PMK) are utilized, the impact is relatively low, but processes need to be put in place to regularly rotate the keys. If Customer-managed keys (CMK) are utilized, a key management process needs to be implemented to store keys and manage key rotation, so the impact is medium to high depending on the organization's maturity with key management. |
**NOTE: This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations.**
VHDs (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs.
While it is recommended to use Managed Disks which are encrypted by default, "legacy" VHDs may exist for a variety of reasons and may need to remain in VHD format. VHDs are not encrypted by default, so this recommendation intends to address the security of these disks. In these niche cases, VHDs should be encrypted using the procedures in this recommendation to encrypt and protect the data content.
If a virtual machine is using a VHD and can be converted to a managed disk, instructions for this procedure can be found in the resources section of this recommendation under the title "Convert VHD to Managed Disk." |
link |
4 |
CIS_Azure_2.0.0 |
9.10 |
CIS_Azure_2.0.0_9.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.10 |
9 |
Ensure FTP deployments are Disabled |
Shared |
Any deployment workflows that rely on FTP or FTPS rather than the WebDeploy or HTTPS endpoints may be affected. |
By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.
Azure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee, or on a corporate network, could see login traffic in clear text, which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials, which are unique per App. |
link |
5 |
CIS_Azure_2.0.0 |
9.2 |
CIS_Azure_2.0.0_9.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.2 |
9 |
Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service |
Shared |
When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This means an extra level of security will be added to the HTTP requests made to the app. |
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default.
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.
Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits. |
link |
4 |
CIS_Azure_2.0.0 |
9.3 |
CIS_Azure_2.0.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 |
Ensure Web App is using the latest version of TLS encryption |
Shared |
n/a |
The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set to the latest version of TLS. App Service allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS.
App Service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections. |
link |
5 |
FedRAMP_High_R4 |
AC-17(2) |
FedRAMP_High_R4_AC-17(2) |
FedRAMP High AC-17 (2) |
Access Control |
Protection Of Confidentiality / Integrity Using Encryption |
Shared |
n/a |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Supplemental Guidance: The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. |
link |
2 |
FedRAMP_High_R4 |
AC-19(5) |
FedRAMP_High_R4_AC-19(5) |
FedRAMP High AC-19 (5) |
Access Control |
Full Device / Container-Based Encryption |
Shared |
n/a |
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28.
References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. |
link |
2 |
FedRAMP_High_R4 |
SC-28(1) |
FedRAMP_High_R4_SC-28(1) |
FedRAMP High SC-28 (1) |
System And Communications Protection |
Cryptographic Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. |
link |
16 |
FedRAMP_High_R4 |
SC-8 |
FedRAMP_High_R4_SC-8 |
FedRAMP High SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
FedRAMP_Moderate_R4 |
AC-17(2) |
FedRAMP_Moderate_R4_AC-17(2) |
FedRAMP Moderate AC-17 (2) |
Access Control |
Protection Of Confidentiality / Integrity Using Encryption |
Shared |
n/a |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Supplemental Guidance: The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. |
link |
2 |
FedRAMP_Moderate_R4 |
AC-19(5) |
FedRAMP_Moderate_R4_AC-19(5) |
FedRAMP Moderate AC-19 (5) |
Access Control |
Full Device / Container-Based Encryption |
Shared |
n/a |
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28.
References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. |
link |
2 |
FedRAMP_Moderate_R4 |
SC-28(1) |
FedRAMP_Moderate_R4_SC-28(1) |
FedRAMP Moderate SC-28 (1) |
System And Communications Protection |
Cryptographic Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. |
link |
16 |
FedRAMP_Moderate_R4 |
SC-8 |
FedRAMP_Moderate_R4_SC-8 |
FedRAMP Moderate SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
hipaa |
0227.09k2Organizational.12-09.k |
hipaa-0227.09k2Organizational.12-09.k |
0227.09k2Organizational.12-09.k |
02 Endpoint Protection |
0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization takes specific actions to protect against mobile code performing unauthorized actions. |
|
18 |
hipaa |
0301.09o1Organizational.123-09.o |
hipaa-0301.09o1Organizational.123-09.o |
0301.09o1Organizational.123-09.o |
03 Portable Media Security |
0301.09o1Organizational.123-09.o 09.07 Media Handling |
Shared |
n/a |
The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. |
|
14 |
hipaa |
0401.01x1System.124579-01.x |
hipaa-0401.01x1System.124579-01.x |
0401.01x1System.124579-01.x |
04 Mobile Device Security |
0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
Mobile computing devices are protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls, or equivalent functionality, secure configurations, and physical protections. |
|
7 |
hipaa |
0403.01x1System.8-01.x |
hipaa-0403.01x1System.8-01.x |
0403.01x1System.8-01.x |
04 Mobile Device Security |
0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization monitors for unauthorized connections of mobile devices. |
|
7 |
hipaa |
0410.01x1System.12-01.xMobileComputingandCommunications |
hipaa-0410.01x1System.12-01.xMobileComputingandCommunications |
0410.01x1System.12-01.xMobileComputingandCommunications |
04 Mobile Device Security |
0410.01x1System.12-01.xMobileComputingandCommunications 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
If it is determined that encryption is not reasonable and appropriate, the organization documents its rationale and acceptance of risk. |
|
2 |
hipaa |
0416.01y3Organizational.4-01.y |
hipaa-0416.01y3Organizational.4-01.y |
0416.01y3Organizational.4-01.y |
04 Mobile Device Security |
0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization instructs all personnel working from home to implement fundamental security controls and practices; including, but not limited to, passwords, virus protection, personal firewalls, laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems at alternate worksites. |
|
4 |
hipaa |
0426.01x2System.1-01.x |
hipaa-0426.01x2System.1-01.x |
0426.01x2System.1-01.x |
04 Mobile Device Security |
0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
A centralized, mobile device management solution has been deployed to all mobile devices permitted to store, transmit, or process organizational and/or customer data, enforcing built-in detective and preventative controls. |
|
7 |
hipaa |
0427.01x2System.2-01.x |
hipaa-0427.01x2System.2-01.x |
0427.01x2System.2-01.x |
04 Mobile Device Security |
0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote software version/patch validation. |
|
4 |
hipaa |
0428.01x2System.3-01.x |
hipaa-0428.01x2System.3-01.x |
0428.01x2System.3-01.x |
04 Mobile Device Security |
0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote wipe. |
|
4 |
hipaa |
0429.01x1System.14-01.x |
hipaa-0429.01x1System.14-01.x |
0429.01x1System.14-01.x |
04 Mobile Device Security |
0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting). |
|
7 |
hipaa |
0810.01n2Organizational.5-01.n |
hipaa-0810.01n2Organizational.5-01.n |
0810.01n2Organizational.5-01.n |
08 Network Protection |
0810.01n2Organizational.5-01.n 01.04 Network Access Control |
Shared |
n/a |
Transmitted information is secured and, at a minimum, encrypted over open, public networks. |
|
16 |
hipaa |
08101.09m2Organizational.14-09.m |
hipaa-08101.09m2Organizational.14-09.m |
08101.09m2Organizational.14-09.m |
08 Network Protection |
08101.09m2Organizational.14-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization uses secured and encrypted communication channels when migrating physical servers, applications, or data to virtualized servers. |
|
8 |
hipaa |
0859.09m1Organizational.78-09.m |
hipaa-0859.09m1Organizational.78-09.m |
0859.09m1Organizational.78-09.m |
08 Network Protection |
0859.09m1Organizational.78-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. |
|
13 |
hipaa |
0862.09m2Organizational.8-09.m |
hipaa-0862.09m2Organizational.8-09.m |
0862.09m2Organizational.8-09.m |
08 Network Protection |
0862.09m2Organizational.8-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception. |
|
4 |
hipaa |
0901.09s1Organizational.1-09.s |
hipaa-0901.09s1Organizational.1-09.s |
0901.09s1Organizational.1-09.s |
09 Transmission Protection |
0901.09s1Organizational.1-09.s 09.08 Exchange of Information |
Shared |
n/a |
The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. |
|
31 |
hipaa |
0902.09s2Organizational.13-09.s |
hipaa-0902.09s2Organizational.13-09.s |
0902.09s2Organizational.13-09.s |
09 Transmission Protection |
0902.09s2Organizational.13-09.s 09.08 Exchange of Information |
Shared |
n/a |
Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions. |
|
14 |
ISO27001-2013 |
A.11.2.6 |
ISO27001-2013_A.11.2.6 |
ISO 27001:2013 A.11.2.6 |
Physical And Environmental Security |
Security of equipment and assets off-premises |
Shared |
n/a |
Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. |
link |
10 |
ISO27001-2013 |
A.13.1.1 |
ISO27001-2013_A.13.1.1 |
ISO 27001:2013 A.13.1.1 |
Communications Security |
Network controls |
Shared |
n/a |
Networks shall be managed and controlled to protect information in systems and applications. |
link |
40 |
ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
ISO27001-2013 |
A.13.2.3 |
ISO27001-2013_A.13.2.3 |
ISO 27001:2013 A.13.2.3 |
Communications Security |
Electronic messaging |
Shared |
n/a |
Information involved in electronic messaging shall be appropriately protected. |
link |
10 |
ISO27001-2013 |
A.14.1.2 |
ISO27001-2013_A.14.1.2 |
ISO 27001:2013 A.14.1.2 |
System Acquisition, Development And Maintenance |
Securing application services on public networks |
Shared |
n/a |
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
link |
32 |
ISO27001-2013 |
A.14.1.3 |
ISO27001-2013_A.14.1.3 |
ISO 27001:2013 A.14.1.3 |
System Acquisition, Development And Maintenance |
Protecting application services transactions |
Shared |
n/a |
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
link |
29 |
ISO27001-2013 |
A.6.2.1 |
ISO27001-2013_A.6.2.1 |
ISO 27001:2013 A.6.2.1 |
Organization of Information Security |
Mobile device policy |
Shared |
n/a |
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. |
link |
13 |
ISO27001-2013 |
A.6.2.2 |
ISO27001-2013_A.6.2.2 |
ISO 27001:2013 A.6.2.2 |
Organization of Information Security |
Teleworking |
Shared |
n/a |
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. |
link |
16 |
ISO27001-2013 |
A.8.2.3 |
ISO27001-2013_A.8.2.3 |
ISO 27001:2013 A.8.2.3 |
Asset Management |
Handling of assets |
Shared |
n/a |
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
link |
26 |
|
mp.com.2 Protection of confidentiality |
mp.com.2 Protection of confidentiality |
|
|
|
|
n/a |
n/a |
|
55 |
|
mp.com.3 Protection of integrity and authenticity |
mp.com.3 Protection of integrity and authenticity |
|
|
|
|
n/a |
n/a |
|
62 |
|
mp.com.4 Separation of information flows on the network |
mp.com.4 Separation of information flows on the network |
|
|
|
|
n/a |
n/a |
|
51 |
|
mp.eq.1 Clear desk |
mp.eq.1 Clear desk |
|
|
|
|
n/a |
n/a |
|
19 |
|
mp.eq.3 Protection of portable devices |
mp.eq.3 Protection of portable devices |
|
|
|
|
n/a |
n/a |
|
71 |
|
mp.eq.4 Other devices connected to the network |
mp.eq.4 Other devices connected to the network |
|
|
|
|
n/a |
n/a |
|
35 |
|
mp.info.2 Rating of information |
mp.info.2 Rating of information |
|
|
|
|
n/a |
n/a |
|
45 |
|
mp.info.3 Electronic signature |
mp.info.3 Electronic signature |
|
|
|
|
n/a |
n/a |
|
40 |
|
mp.info.4 Time stamps |
mp.info.4 Time stamps |
|
|
|
|
n/a |
n/a |
|
33 |
|
mp.s.1 E-mail protection |
mp.s.1 E-mail protection |
|
|
|
|
n/a |
n/a |
|
48 |
|
mp.si.2 Cryptography |
mp.si.2 Cryptography |
|
|
|
|
n/a |
n/a |
|
32 |
NIST_SP_800-171_R2 |
3.1.13 |
NIST_SP_800-171_R2_3.1.13 |
NIST SP 800-171 R2 3.1.13 |
Access Control |
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National Security Agency Cryptographic Standards. |
link |
31 |
NIST_SP_800-171_R2 |
3.1.19 |
NIST_SP_800-171_R2_3.1.19 |
NIST SP 800-171 R2 3.1.19 |
Access Control |
Encrypt CUI on mobile devices and mobile computing platforms |
Shared |
Microsoft is responsible for implementing this requirement. |
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO].
Mobile devices and computing platforms include, for example, smartphones and tablets. |
link |
2 |
NIST_SP_800-171_R2 |
3.13.16 |
NIST_SP_800-171_R2_3.13.16 |
NIST SP 800-171 R2 3.13.16 |
System and Communications Protection |
Protect the confidentiality of CUI at rest. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO]. |
link |
18 |
NIST_SP_800-171_R2 |
3.13.8 |
NIST_SP_800-171_R2_3.13.8 |
NIST SP 800-171 R2 3.13.8 |
System and Communications Protection |
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. |
link |
16 |
NIST_SP_800-53_R4 |
AC-17(2) |
NIST_SP_800-53_R4_AC-17(2) |
NIST SP 800-53 Rev. 4 AC-17 (2) |
Access Control |
Protection Of Confidentiality / Integrity Using Encryption |
Shared |
n/a |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Supplemental Guidance: The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. |
link |
2 |
NIST_SP_800-53_R4 |
AC-19(5) |
NIST_SP_800-53_R4_AC-19(5) |
NIST SP 800-53 Rev. 4 AC-19 (5) |
Access Control |
Full Device / Container-Based Encryption |
Shared |
n/a |
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28.
References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. |
link |
2 |
NIST_SP_800-53_R4 |
SC-28(1) |
NIST_SP_800-53_R4_SC-28(1) |
NIST SP 800-53 Rev. 4 SC-28 (1) |
System And Communications Protection |
Cryptographic Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. |
link |
16 |
NIST_SP_800-53_R4 |
SC-8 |
NIST_SP_800-53_R4_SC-8 |
NIST SP 800-53 Rev. 4 SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
NIST_SP_800-53_R5 |
AC-17(2) |
NIST_SP_800-53_R5_AC-17(2) |
NIST SP 800-53 Rev. 5 AC-17 (2) |
Access Control |
Protection of Confidentiality and Integrity Using Encryption |
Shared |
n/a |
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. |
link |
2 |
NIST_SP_800-53_R5 |
AC-19(5) |
NIST_SP_800-53_R5_AC-19(5) |
NIST SP 800-53 Rev. 5 AC-19 (5) |
Access Control |
Full Device or Container-based Encryption |
Shared |
n/a |
Employ [Selection: full-device encryption;container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. |
link |
2 |
NIST_SP_800-53_R5 |
SC-28(1) |
NIST_SP_800-53_R5_SC-28(1) |
NIST SP 800-53 Rev. 5 SC-28 (1) |
System and Communications Protection |
Cryptographic Protection |
Shared |
n/a |
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]. |
link |
16 |
NIST_SP_800-53_R5 |
SC-8 |
NIST_SP_800-53_R5_SC-8 |
NIST SP 800-53 Rev. 5 SC-8 |
System and Communications Protection |
Transmission Confidentiality and Integrity |
Shared |
n/a |
Protect the [Selection (OneOrMore): confidentiality;integrity] of transmitted information. |
link |
15 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
|
|
|
|
n/a |
n/a |
|
78 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
|
|
|
|
n/a |
n/a |
|
68 |
|
op.mon.1 Intrusion detection |
op.mon.1 Intrusion detection |
|
|
|
|
n/a |
n/a |
|
50 |
|
op.pl.2 Security Architecture |
op.pl.2 Security Architecture |
|
|
|
|
n/a |
n/a |
|
65 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
|
|
|
|
n/a |
n/a |
|
61 |
PCI_DSS_v4.0 |
3.5.1 |
PCI_DSS_v4.0_3.5.1 |
PCI DSS v4.0 3.5.1 |
Requirement 03: Protect Stored Account Data |
Primary account number (PAN) is secured wherever it is stored |
Shared |
n/a |
PAN is rendered unreadable anywhere it is stored by using any of the following approaches:
• One-way hashes based on strong cryptography of the entire PAN.
• Truncation (hashing cannot be used to replace the truncated segment of PAN).
– If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN.
• Index tokens.
• Strong cryptography with associated key-management processes and procedures. |
link |
11 |
PCI_DSS_v4.0 |
3.5.1.1 |
PCI_DSS_v4.0_3.5.1.1 |
PCI DSS v4.0 3.5.1.1 |
Requirement 03: Protect Stored Account Data |
Primary account number (PAN) is secured wherever it is stored |
Shared |
n/a |
Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7. |
link |
4 |
PCI_DSS_v4.0 |
3.5.1.2 |
PCI_DSS_v4.0_3.5.1.2 |
PCI DSS v4.0 3.5.1.2 |
Requirement 03: Protect Stored Account Data |
Primary account number (PAN) is secured wherever it is stored |
Shared |
n/a |
If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows:
• On removable electronic media, OR
• If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1. |
link |
4 |
PCI_DSS_v4.0 |
3.5.1.3 |
PCI_DSS_v4.0_3.5.1.3 |
PCI DSS v4.0 3.5.1.3 |
Requirement 03: Protect Stored Account Data |
Primary account number (PAN) is secured wherever it is stored |
Shared |
n/a |
If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable, it is managed as follows:
• Logical access is managed separately and independently of native operating system authentication and access control mechanisms.
• Decryption keys are not associated with user accounts. |
link |
4 |
PCI_DSS_v4.0 |
4.2.1 |
PCI_DSS_v4.0_4.2.1 |
PCI DSS v4.0 4.2.1 |
Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
PAN is protected with strong cryptography during transmission |
Shared |
n/a |
Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
• Only trusted keys and certificates are accepted.
• Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
• The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
• The encryption strength is appropriate for the encryption methodology in use. |
link |
12 |
PCI_DSS_v4.0 |
4.2.2 |
PCI_DSS_v4.0_4.2.2 |
PCI DSS v4.0 4.2.2 |
Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
PAN is protected with strong cryptography during transmission |
Shared |
n/a |
PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. |
link |
3 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies, inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction. |
|
78 |
SOC_2 |
CC6.6 |
SOC_2_CC6.6 |
SOC 2 Type 2 CC6.6 |
Logical and Physical Access Controls |
Security measures against threats outside system boundaries |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted.
• Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.
• Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries.
• Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. |
|
40 |
SOC_2 |
CC6.7 |
SOC_2_CC6.7 |
SOC 2 Type 2 CC6.7 |
Logical and Physical Access Controls |
Restrict the movement of information to authorized users |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information.
• Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points.
• Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate.
• Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets. |
|
29 |
SWIFT_CSCF_v2022 |
2.1 |
SWIFT_CSCF_v2022_2.1 |
SWIFT CSCF v2022 2.1 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. |
link |
36 |
SWIFT_CSCF_v2022 |
2.4 |
SWIFT_CSCF_v2022_2.4 |
SWIFT CSCF v2022 2.4 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms (at system, transport or message level) are implemented to protect data flows between SWIFT infrastructure components and the back-office first hops they connect to. |
link |
7 |
SWIFT_CSCF_v2022 |
2.5 |
SWIFT_CSCF_v2022_2.5 |
SWIFT CSCF v2022 2.5 |
2. Reduce Attack Surface and Vulnerabilities |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
Shared |
n/a |
Sensitive SWIFT-related data that leaves the secure zone as a result of operating system/application back-ups, business transaction data replication for archiving or recovery purposes, or extraction for offline processing is protected when stored outside of a secure zone and is encrypted while in transit. |
link |
7 |
SWIFT_CSCF_v2022 |
2.6 |
SWIFT_CSCF_v2022_2.6 |
SWIFT CSCF v2022 2.6 |
2. Reduce Attack Surface and Vulnerabilities |
Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications |
Shared |
n/a |
The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. |
link |
17 |
SWIFT_CSCF_v2022 |
6.2 |
SWIFT_CSCF_v2022_6.2 |
SWIFT CSCF v2022 6.2 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Ensure the software integrity of the SWIFT-related components and act upon results. |
Shared |
n/a |
A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related components and results are considered for appropriate resolving actions. |
link |
6 |