Microsoft Azure

by Microsoft Corporation

Enterprise cloud platform with deep Microsoft 365 integration and comprehensive security services

Under Construction: This guidance is being actively developed and verified. Content may change.

Authoritative Sources

Key guidance documents from authoritative organizations.

Configuration baseline for Azure subscriptions. Covers identity, storage, database, logging, networking, and virtual machines security.

Azure provides IaaS, PaaS, and SaaS. NIST: "PaaS consumer does not manage the underlying cloud infrastructure but has control over deployed applications." Azure Shared Responsibility: Microsoft secures the platform, customers secure their data and identities.

NIST SP 800-144 Executive Summary: "Carefully plan the security and privacy aspects of cloud computing solutions before engaging them." §4.3: "Trust must be established between the organization and the cloud provider. Assurances furnished by the cloud provider to support security or privacy claims should be verified whenever possible through independent assessment." §4.5: "Identity and access management requires establishing trust in user identities and controlling access to resources based on the authenticated identity." §4.9: "Incident response in cloud computing requires close coordination between the organization and the cloud provider to effectively detect and investigate security incidents."

NIST SP 800-125B §3.1: "Virtual networks must provide traffic isolation equivalent to physically separate networks." §4.2: "Virtual network devices such as virtual switches and routers should be configured to restrict traffic between VMs based on security policy." Azure VNets and NSGs implement these virtualization security requirements.

Official Azure security recommendations covering network security, identity, data protection, and more with automation guidance.

CCM DSP (Data Security & Privacy): "Mechanisms for data classification, handling and labeling shall be defined." CCM IVS-01: "The hypervisor, host OS, and virtual machines shall be hardened to an industry standard." CCM CEK (Cryptography, Encryption & Key Management): "Cryptographic key management shall be established." Azure services map to CCM cloud security domains. Source: CSA Cloud Controls Matrix v4.0.

SOC 2 CC6.1: "The entity implements logical access security software, infrastructure, and architectures over protected information assets." CC6.6: "The entity implements logical access security measures to protect against threats from sources outside its system boundaries." CC7.2: "The entity monitors system components for anomalies." Azure Defender and NSGs implement SOC 2 access and monitoring requirements. Source: AICPA TSC-NIST Mapping.

ISO 27001:2022 A.5.23: "Information security requirements for cloud services shall be established." A.8.20: "Network controls shall be implemented to protect information in systems and applications." A.8.21: "Security of network services shall be identified and documented in agreements." Azure implements ISO 27001 controls through Azure Policy and Defender. Source: NIST OLIR Informative Reference Catalog.

Verification Commands

Commands and queries for testing and verifying security configurations.

List all Azure AD users (CLI):
az ad user list --query "[].{Name:displayName,UPN:userPrincipalName,Enabled:accountEnabled}" -o table

Check subscription security contacts (CLI):
az security contact list -o table

List role assignments at subscription level (CLI):
az role assignment list --all --query "[].{Principal:principalName,Role:roleDefinitionName,Scope:scope}" -o table

Check for public storage accounts (CLI):
az storage account list --query "[?allowBlobPublicAccess==\`true\`].{Name:name,ResourceGroup:resourceGroup}" -o table

Get Defender for Cloud recommendations (CLI):
az security assessment list --query "[?status.code=='Unhealthy'].{Name:displayName,Severity:status.severity}" -o table

List network security groups (CLI):
az network nsg list --query "[].{Name:name,RG:resourceGroup,Location:location}" -o table

Related Controls

Security controls from various frameworks that relate to Microsoft Azure.
