Cavirin Blog

Azure Hardening

Why an Azure CIS Security Benchmark?

This morning, Cavirin announced the near-term availability of the new CIS Microsoft Azure Foundations Benchmark.  The document is expected to be generally available within the next week or two, but why wait?  It is available today to anyone with CIS access, and it is a milestone for public multi-cloud security: a foundational and prescriptive guideline for organizations establishing a healthy security posture for their Azure investments.  It is the first hardening benchmark for Azure and complements the earlier benchmark for AWS, which Cavirin also supports.  To address any confusion: other cloud security vendors do offer a view into one's Azure security posture via Azure's published APIs.  We do the same, but the CIS Benchmark takes a different approach, prescribing specific configuration settings that can be audited one by one, which uncovers a deeper level of understanding.

The availability of the new CIS Benchmark is critical in securing hybrid cloud environments.  CNBC recently reported that AWS held a 62% market share for public cloud deployments, a drop from 68% a year earlier.  In the same timeframe, Azure jumped from 16% to 20%.  More importantly, ESG states that by the end of 2018, 81% of enterprises in the cloud will deploy on more than one provider.  Cavirin's goal is to enable hybrid cloud security, offering an organization a single, correlated view of its security posture across multiple public clouds as well as on-premises.  This is very different from a simpler multi-cloud deployment that looks at each cloud in isolation, 'clouds in the night' if you will.

The recommendations fall into the following areas:

  • Identity and Access Management
  • Security Center
  • Storage Accounts
  • SQL Services
  • SQL Databases
  • Logging and Monitoring
  • Networking
  • Virtual Machines
  • Other Security Considerations

As with other CIS benchmarks, each recommendation carries an audit procedure and a remediation procedure, so the document permits quantitative scoring of an organization's Azure security posture and, with that, automated assessment and remediation of any deficiencies.  These capabilities tie together cloud security and DevOps automation: DevSecOps for the cloud.

The Benchmark defines two levels of implementation, or 'profiles,' depending upon how much weight an organization places on its security posture.  Level 1 is the basic set of recommendations, intended to be applied with little impact on functionality; Level 2 extends Level 1 for more security-focused environments, where additional hardening is worth some extra effort or reduced functionality.  The document is written to be usable by a wide range of IT professionals, from application administrators and security specialists through auditors, help desk personnel, and platform developers.  When the recommendations are loaded into an automated assessment platform, the intent is that this breadth comes with ease of use.
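To make the scoring and profile mechanics concrete, here is a small scorer written for this post as an illustration; it is not Cavirin's platform code and not tooling from CIS.  It assumes three CIS conventions: Level 2 is a superset of Level 1, only recommendations marked "Scored" count toward the number, and (our own fail-closed choice) a recommendation with no assessment result is treated as non-compliant.  The recommendation ids and titles are a constructed sample modelled on the benchmark's areas, not quotations from the document.

```python
"""Toy CIS-style assessment scorer.

Added example for this post; not the Cavirin platform and not CIS tooling.
Recommendation ids/titles below are a constructed sample (assumed), and the
fail-closed treatment of missing findings is an assumed policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Recommendation:
    rec_id: str
    title: str
    level: int      # CIS profile: 1 = basic, 2 = security-focused (superset of 1)
    scored: bool    # CIS convention: only "Scored" items count toward the score


@dataclass(frozen=True)
class Finding:
    rec_id: str
    compliant: bool


# Constructed catalogue (assumed ids/titles, one per benchmark area).
CATALOG: List[Recommendation] = [
    Recommendation("1.1", "MFA enabled for all privileged users", 1, True),
    Recommendation("3.1", "Storage account 'Secure transfer required' enabled", 1, True),
    Recommendation("5.1", "A log profile exists for the subscription", 1, True),
    Recommendation("6.1", "No RDP exposed to the Internet by an NSG rule", 1, True),
    Recommendation("7.1", "Virtual machine OS disks are encrypted", 1, True),
    Recommendation("2.1", "Security Center standard pricing tier enabled", 2, True),
    Recommendation("8.1", "Key Vault keys carry an expiration date", 1, False),
]

# Constructed assessment results; note 6.1 has no result at all (scanner gap).
FINDINGS: List[Finding] = [
    Finding("1.1", True),
    Finding("3.1", False),
    Finding("5.1", True),
    Finding("7.1", True),
    Finding("2.1", False),
    Finding("8.1", False),
]


def applicable(catalog: List[Recommendation], profile_level: int) -> List[Recommendation]:
    """Recommendations in scope for a profile: Level 2 includes every Level 1 item."""
    if profile_level not in (1, 2):
        raise ValueError("CIS profiles are Level 1 or Level 2")
    return [r for r in catalog if r.level <= profile_level]


def score(catalog: List[Recommendation], findings: List[Finding],
          profile_level: int) -> Tuple[float, List[str]]:
    """Compliance percentage over scored items, plus the ids that failed.

    A recommendation with no finding is counted as failed (fail-closed):
    an unchecked control should lower the score, not silently pass.
    """
    status: Dict[str, bool] = {f.rec_id: f.compliant for f in findings}
    scored = [r for r in applicable(catalog, profile_level) if r.scored]
    failed = [r.rec_id for r in scored if not status.get(r.rec_id, False)]
    if not scored:
        return 100.0, []
    pct = round(100.0 * (len(scored) - len(failed)) / len(scored), 1)
    return pct, failed


def remediation_plan(catalog: List[Recommendation], findings: List[Finding],
                     profile_level: int) -> List[Tuple[str, str, str]]:
    """Everything to fix for the profile, scored items first.

    Unscored items that fail are still listed, tagged 'advisory', so the
    remediation queue is complete even though they do not move the number.
    """
    status = {f.rec_id: f.compliant for f in findings}
    plan = []
    for r in applicable(catalog, profile_level):
        if not status.get(r.rec_id, False):
            plan.append((r.rec_id, r.title, "scored" if r.scored else "advisory"))
    plan.sort(key=lambda item: item[2] != "scored")   # scored failures first
    return plan


if __name__ == "__main__":
    for level in (1, 2):
        pct, failed = score(CATALOG, FINDINGS, level)
        print(f"Level {level}: {pct}% compliant, failed {failed}")
        for rec_id, title, kind in remediation_plan(CATALOG, FINDINGS, level):
            print(f"  [{kind}] {rec_id} {title}")
```

Running it shows why profile choice matters: the same findings score 60.0% against Level 1 (five scored items, two failures once the missing 6.1 result is counted as a failure) but 50.0% against Level 2, because the Level 2-only Security Center item is added to the denominator and it also fails.  The unscored Key Vault item never changes the percentage, yet it still appears at the end of the remediation plan.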

We at Cavirin would also like to thank the other vendors that contributed to the benchmark, as well as Pravin Goyal, who led the effort.

The Cavirin Platform is available on the Azure Marketplace.

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.