We are pleased to announce the release of the Azure Security Benchmark (ASB) v3 with mappings to the CIS Critical Security Controls (CIS Controls) v8. The ASB includes high-impact security guidance to mitigate against high priority threats. While the ASB is specific to Azure, this mapping shows the applicability of CIS Controls v8 to an enterprise’s cybersecurity program regardless of architecture. If your architecture is cloud-based, on-premise or hybrid, the CIS Controls will work for you!
The Controls v8 update was released this past May. It includes technologies such as cloud and mobile which given the pandemic, proved to be timely as we saw wholesale movement to cloud and work-at-home. And since networks are borderless, we chose to organize v8 by activity instead of by who manages the devices. So, you’ll see some consolidation of Controls like “Secure Configuration of Enterprise Assets and Software.” Also, we added a whole new Control on “Service Provider Management” because so many of you rely on third-party service providers for infrastructure or applications.
The Microsoft Benchmark focuses on cloud-centric control areas with 12 different ASB Control Domains. The CIS Controls provide coverage across all of the domains. In fact, for several of the domains, such as Network Security and Asset Management, every ASB control maps to one or more CIS safeguards. We also map strongly to new ASB Control Domains such as DevOps Security, confirming the importance of our updates in version 8 to keep up with new threats, technologies (such as cloud), and security-related processes.
Not only can the CIS Controls help an enterprise secure their cloud deployments, but it is equally effective in securing your on-prem deployment. Microsoft’s mapping of ASB v3 to the CIS Controls is yet another example of how CIS security best practices work alongside other frameworks as part of an effective cybersecurity program.