was to ensure the consistency of security best practices and controls across
cloud providers. Many enterprises pursue multi-cloud strategies. In these
scenarios, the prospect of having different foundational security policies, and
different foundational security controls, across cloud providers is worrisome.
Security risks for these multi-cloud deployments are better managed when
organizations establish a consistent set of best practices and security controls
across providers.
Another reason to start from the AWS Foundations Benchmark was that it
offers detailed, step-by-step audit procedures for its set of security rules, and
we wanted to leverage that approach. For each rule put into the CTP Azure
Foundations Benchmark, we defined the following sections:
• Description: the ‘What’ of the security rule
• Rationale: the ‘Why’ of the security rule
• Audit: the ‘How’ of the security rule — step-by-step guidance on how
Audit and Security professionals can validate the rule
• Remediation: manual, ad hoc remediation steps
• Mapping and References: mapping the rule to the CIS Top 20 Security
Controls and Microsoft documentation.
The CTP Azure Foundations Benchmark has the same number of rules as the
CIS AWS Foundations Benchmark and, similarly, four sections: Identity and
Access Management, Monitoring, Logging and Network. The services and
areas covered by the CTP Azure Foundations Benchmark are Azure services
that are analogous to the services covered in the CIS AWS Foundations
Benchmark:
12 | THE DOPPLER | WINTER 2018