Microsoft Cloud Security Benchmark

Jonas Bøgvad

To help increase the security of workloads, data, and services on Azure and in your multi-cloud environment, the Microsoft cloud security benchmark (MCSB) offers recommended practices and guidance. The resulting score is based on a comprehensive set of security recommendations from Microsoft and the industry.

CIS Controls, PCI Controls, and NIST Controls are just a few of the frameworks that the Microsoft cloud security benchmark helps you implement, by mapping its recommendations to their controls.

This is a fantastic opportunity to ensure that you comply with these well-known frameworks that the security industry recognizes. I recommend reading my prior post if you want to learn more about frameworks:

What is a Cybersecurity framework? ⚔️ (Let’s look at cybersecurity frameworks, which are critical for everything IT)

If your company has implemented Microsoft recommendations over the last couple of years, you are already ahead of schedule and ready to step up and compare your security with these comprehensive frameworks.

Why implement such a framework?

Some companies must be certified because clients or suppliers require it, such as ISO/IEC 27001. Others may be involved in a merger or acquisition, where technology, cultures, and ways of working must be integrated for efficiency and unity. Any security framework aims to standardize working procedures so they are followed consistently across the company. Standardization improves compliance, operations, productivity, and security.

The Microsoft cloud security benchmark speeds up implementation of various frameworks (NIST, CIS, PCI), because each of its recommendations is already mapped to the corresponding controls.

Do I need a Framework for my business?

The quick answer is "yes," but we must differentiate between small, medium, and enterprise businesses due to their complexity and their experience working with modern security. It is your responsibility as a security consultant to minimize buzzwords and determine the appropriate strategy for the current client.

Enterprise Business

If your company has more than 100 employees and falls under the enterprise category, you should have various frameworks in place. I expect that a Microsoft enterprise environment already follows recommended practices and is equipped to put a framework in place. Ask the people in charge of security at an enterprise business simple questions like "How do you measure security right now?"

Below are some buzzwords I usually see as answers to my questions, but I've never seen anyone master how to explain their journey with modern security (which is their responsibility).

Responsibility drives progress

  • Zero Trust (Strategy)
  • SOC Type 2 (prove that you have implemented it)
  • ISO 27001; then NIST, CIS, PCI (not required to apply all of them)
  • CIS (recommended since it covers all industries)
  • Microsoft cloud security benchmark (maps recommended practices to controls in NIST, CIS, PCI)
  • Microsoft recommended practices (implementation focus, with no mapping to controls or policies)

Right now, I understand Microsoft's recommendations better than anything else, but I think understanding the rest would be the next step!

Small or medium-sized Business

If you run a small or medium-sized company, I advise you to start slowly and learn what your target market expects from you. Always be truthful to maintain your integrity, and if you haven't started applying recommended practices yet, do so right away before working with a more important client.

For a small or medium-sized business, it's best to follow the Microsoft portal recommendations and aim for CIS Controls and ISO 27001. Then, obtain a SOC Type 2 report to show that you've put these practices in place.

Check out the Microsoft Cloud Security Benchmark here.