Creating a Secure Foundation: Building Your Security Baseline Governance Plan

Are you struggling to develop a comprehensive security baseline governance plan for your cloud infrastructure? Are you unsure which security benchmark or framework you should be following? Often when we talk to customers, they ask things like, “Should I get a security health check?” or “What security benchmark or framework is best for me?” or “Which security benchmark or framework should I aim for?” As always, the answer is, that depends. You need to ensure that you comply with the relevant compliance and regulatory requirements based on the type of data you host. You also need to make sure you are adhering to what policy and governance your organization wants you to follow.  

Developing a comprehensive Security Baseline Governance plan is essential for any cloud-based organization. It is not enough to simply know which compliance parameters you need to adhere to; you need a well-thought-out and documented plan that is based on your organization’s decisions and policies. It is also crucial to keep this plan up to date as it will change over time. Microsoft provides a template for security baseline governance and frameworks to use to document and operationalize your plan, which can be used for any cloud provider. 

If you are struggling to develop a security baseline governance plan, there are a few key steps you can follow. First, identify the security benchmarks and frameworks that are relevant to your organization, and then use them to build a comprehensive security baseline plan. It is important to consider your organization’s unique compliance and regulatory requirements, as well as your governance policies. By following these steps and utilizing the resources provided by Microsoft, you can create a robust and effective Security Baseline Governance plan for your organization. 

On the documentation side of the governance plan you should look at the Security Baseline Template and Azure Security Benchmark v3.  These tools are available for download so you can create your documentation.  

Downloads 

Download the Security Baseline discipline template 

Azure security Benchmark v3spreadsheet format 

Lets take a look at each 

Security baseline template you need to start developing Governance policy statement in the following areas below. There are also sample policy statements you can use here. 

Security Baseline discipline template: Download the template for documenting a Security Baseline discipline. 

Business risks: Understand the motives and risks commonly associated with the Security Baseline discipline. 

Indicators and metrics: Indicators to understand whether it’s the right time to invest in the Security Baseline discipline. 

Policy adherence processes: Suggested processes for supporting policy compliance in the Security Baseline discipline. 

Maturity: Align cloud management maturity with phases of cloud adoption. 

Toolchain: Azure services that can be implemented to support the Security Baseline discipline. 

Azure Security Benchmark v3: 

The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS). Using the ASB will surface critical controls in your environment to ensure they are included in planning and configuration.  

ASB Control Domains  Description 
Network security (NS)  Network Security covers controls to secure and protect Azure networks, including securing virtual networks, establishing private connections, preventing, and mitigating external attacks, and securing DNS. 

 

Identity Management (IM)  Identity Management covers controls to establish a secure identity and access controls using Azure Active Directory, including the use of single sign-on, strong authentications, managed identities (and service principals) for applications, conditional access, and account anomalies monitoring. 

 

Privileged Access (PA)  Privileged Access covers controls to protect privileged access to your Azure tenant and resources, including a range of controls to protect your administrative model, administrative accounts, and privileged access workstations against deliberate and inadvertent risk. 

 

Data Protection (DP)  Data Protection covers control of data protection at rest, in transit, and via authorized access mechanisms, including discover, classify, protect, and monitor sensitive data assets using access control, encryption, key and certificate management in Azure. 

 

Asset Management (AM)  Asset Management covers controls to ensure security visibility and governance over Azure resources, including recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct). 

 

Logging and Threat Detection (LT)  Logging and Threat Detection covers controls for detecting threats on Azure and enabling, collecting, and storing audit logs for Azure services, including enabling detection, investigation, and remediation processes with controls to generate high-quality alerts with native threat detection in Azure services; it also includes collecting logs with Azure Monitor, centralizing security analysis with Azure Sentinel, time synchronization, and log retention. 

 

Incident Response (IR)  Incident Response covers controls in incident response life cycle – preparation, detection and analysis, containment, and post-incident activities, including using Azure services such as Microsoft Defender for Cloud and Sentinel to automate the incident response process. 

 

Posture and Vulnerability Management (PV)  Posture and Vulnerability Management focuses on controls for assessing and improving Azure security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in Azure resources. 

 

Endpoint Security (ES)  Endpoint Security covers controls in endpoint detection and response, including use of endpoint detection and response (EDR) and anti-malware service for endpoints in Azure environments. 

 

Backup and Recovery (BR)  Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected. 

 

DevOps Security (DS)  DevOps Security covers the controls related to the security engineering and operations in the DevOps processes, including deployment of critical security checks (such as static application security testing, vulnerability management) prior to the deployment phase to ensure the security throughout the DevOps process; it also includes common topics such as threat modeling and software supply security. 

 

Governance and Strategy (GS)  Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, unified technical strategy, and supporting policies and standards. 

 

 

Now that you have all of your governance documented, let’s take a look at how to operationalize this plan. The Cloud Adoption Framework is a very common framework we see most of our customers adopting.  

The Microsoft Cloud Adoption Framework for Azure is a comprehensive framework that facilitates cloud adoption for cloud architects, IT professionals, and business decision-makers. It encompasses the entire lifecycle of cloud adoption, providing a range of best practices, documentation, and tools to assist you in creating and implementing effective business and technology strategies for the cloud. By following the Cloud Adoption Framework’s best practices, your organization can achieve better alignment between business and technical strategies and increase your chances of success. 

In conclusion, building a security baseline governance plan is essential for any organization that uses cloud infrastructure. With the help of the tools provided by cloud providers like Microsoft, it is now easier than ever to create a plan that is tailored to your specific needs. Remember that a good plan must be well thought out and documented, and that it will need to be updated regularly to reflect changes in your organization’s policies and requirements. By taking the time to develop a comprehensive security baseline governance plan, you can establish a secure foundation that will protect your organization from potential cyber threats and help you achieve your business objectives. Additionally, we encourage you to engage with your cloud strategist to discuss your governance journey and determine the best way to get started. As always, our team is available to support you throughout your cloud adoption journey.