This repository was archived by the owner on Jan 17, 2024. It is now read-only.

Milestones


  • Information is encrypted at rest demonstrating a layered approach (storage account encryption, OS-level encryption, DB encryption, etc.).

    Overdue by 8 year(s)
    Due by May 15, 2017
    1/1 issues closed
  • Communications sessions are secured by cryptographic mechanisms (e.g., web sessions, RDP). Solution is pre-provisioned to use ExpressRoute (premium).

    Overdue by 8 year(s)
    Due by May 15, 2017
    3/3 issues closed
  • The solution is designed for security. System components are partitioned to separate user and administrative functionality and to separate the functionality of information system components (e.g., web tier / DB tier). Management components (e.g., bastion host / jumpbox) are separated from production-side components. Information flow between the separated components of the system and external systems is enforced using boundary protections (e.g., NSGs, firewalls) configured in a deny-by-default scheme.

    Overdue by 8 year(s)
    Due by May 15, 2017
    3/3 issues closed
  • The solution is designed for resiliency. The selection of architecture, storage, and configuration must consider resiliency of the solution (e.g., geo-redundant storage, multi-region load balancing (premium), data backup, SQL transaction recovery).

    Overdue by 8 year(s)
    Due by May 15, 2017
    3/4 issues closed
  • A baseline configuration is established for the information system. This baseline includes ARM templates and associated scripts and configurations. A security baseline is established for operating systems and includes restrictions on ports, protocols, services, and software installation/use. Operating systems and other software are configured for automated patching (or patching is invoked from OMS). Antimalware software is installed and configured in accordance with FedRAMP requirements. OMS is integrated into the solution to monitor configuration deviations, patching compliance, and the antimalware solution. The solution monitors the configuration and provides alerting via OMS / email when deviations from the established baseline occur.

    Overdue by 8 year(s)
    Due by May 15, 2017
    4/4 issues closed
  • The solution employs a discrete set of explicitly defined account types (e.g., individual user, system/service). Accounts are managed for all solution components from the OS level to the Azure portal. Accounts are configured using role-based access control to implement the concepts of least privilege and separation of duties for specific roles (e.g., security admin, web admin, DB admin). The solution deploys example accounts to demonstrate this functionality. The solution enforces account management principles as required by FedRAMP, including inactivity controls, session lock/termination, system use notification, and other logon restrictions. Remote access to the solution is managed.

    Overdue by 8 year(s)
    Due by May 15, 2017
    4/4 issues closed
  • The solution and all constituent components are configured to audit system events in accordance with FedRAMP requirements (including OS-level auditing, application-level auditing (e.g., SQL Server), and auditing within the Azure portal). Audit logs from system components are collected in OMS Log Analytics to provide a system-wide, time-correlated audit trail that is retained for a period of one year. An OMS Log Analytics dashboard provides an overview of key auditing metrics and indicators such as use of privileged functions, atypical activity, account actions, etc. The audit function is configured to protect against unauthorized purging or alteration of audit records and limits access to audit functionality to a subset of authorized users.

    Overdue by 8 year(s)
    Due by May 15, 2017
    7/7 issues closed
  • The solution demonstrates compliant use of account identifiers and authenticators. This includes identifiers/authenticators for both user accounts and system/service accounts. Identifiers are unique/non-default. Strong authenticators are used, meeting FedRAMP requirements for passwords. Authenticator management is integrated with Key Vault, where appropriate (e.g., SQL encryption key, BitLocker keys, etc.). The information system is configured to protect the confidentiality/integrity of authenticators (keys, passwords) when transmitted during authentication and when stored. Identifiers/authenticators for solution example accounts (see account management section) are compliant.

    Overdue by 8 year(s)
    Due by May 23, 2017
    4/4 issues closed
  • Overdue by 8 year(s)
    Due by May 15, 2017
    6/6 issues closed