Ensure operational platform security
The security of a workload relies on the security of the operational infrastructure and platform that is hosting it (cloud, on premises, hybrid, etc.). An attacker that compromises the production infrastructure can take over the workload, the data in it, and also launch lateral attacks on other internal systems. The security of the workload depends on the overall security of the environment including the security of identities, networks, servers, containers, email, user endpoints, and other systems.
It’s critical to ensure that security practices are being implemented consistently on each workload in production as well as on the production infrastructure itself. These are a few key controls that have an outsized impact.
8.1 Enforce multifactor authentication - It's often said that attackers don’t break in, they sign in, so additional controls are necessary to help protect all users, especially administrators. Multifactor authentication adds a critical second layer of security to sign-ins to help protect access to data and applications while still providing a simple and efficient sign-in experience.
- Microsoft Learn: Microsoft Entra multifactor authentication
- Microsoft Learn: Azure Identity Management and access control security best practices
8.2 Protect administrative accounts - At Microsoft, a combination of layered defenses is used to protect administrative access to production systems, including Secure Admin Workstations (SAWs), alternate credentials with MFA for administration, and Just in Time (JIT) privilege elevation with role-based access control (RBAC). For more on how to do this see:
- Microsoft: Improving security by protecting elevated-privilege accounts
- Microsoft Learn: Role-based access control
8.3 Implement security baselines - All operational environments need to have security baselines defined and enforced. These can be created as policies that detect drift from configuration standards and implement automated remediation.
- Microsoft Learn: Microsoft cloud security benchmark (MCSB) guidance for multi-cloud environments
- Microsoft Learn: Cloud Security Posture Management (Defender for Cloud)
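As an added example (not from the page), here is what such a baseline policy can look like as a custom Azure Policy definition: it matches storage accounts that have drifted from the secure-transfer standard and, through the Modify effect, sets the property back to true on create or update and during remediation tasks. The display name and description are constructed, and the role in roleDefinitionIds is assumed to be the built-in Contributor role that the remediation identity needs.

```json
{
  "properties": {
    "displayName": "Baseline: storage accounts must require HTTPS (detect drift and remediate)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Finds storage accounts whose supportsHttpsTrafficOnly setting has drifted from the baseline and sets it back to true.",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "Modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
              "value": true
            }
          ]
        }
      }
    }
  }
}
```

Assigning the definition with a managed identity lets the compliance view show drifted resources, and a remediation task brings existing non-compliant accounts back to the baseline.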
8.4 Create isolation layers - Isolation layers refer to the various levels at which security controls are applied to ensure that systems are kept separate and secure, across process, compute, and network.
- Microsoft Learn: Isolation in the Azure public cloud
8.5 Use confidential compute - Isolate sensitive data while it's being processed in the cloud. Since the dawn of cloud computing in Azure, we’ve recognized the crucial role of HBV in running customer workloads on VMs. However, VMs only protect the host machine from malicious activity within the VM. In many cases, a vulnerability in the VM interface could allow a bad actor to escape to the host, and from there they could fully access other customers’ VMs. Confidential Compute presents a new layer of defense against these attacks by preventing bad actors with hosting environment access from accessing the content running in a VM. Our goal is to leverage Confidential VMs and Confidential Containers broadly across Azure Services, adding this extra layer of defense to the VMs and containers utilized by our services. This has the potential to reduce the blast radius of a compromise at any level in Azure. While ambitious, our aim is that one day using Confidential Compute will be as ubiquitous as other best practices have become, such as encryption in transit or encryption at rest.
- Microsoft Learn: Azure confidential computing
8.6 Reduce the attack surface - Attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks.
- GitHub: Secure DevOps kit for Azure
A collection of scripts, tools, extensions, and automations that supports the end-to-end Azure subscription and resource security needs for DevOps teams.
- Microsoft Learn: AppLocker Overview
- Microsoft Learn: Securing SQL Server
- Microsoft Learn: Windows security baselines
- Microsoft Learn: Device Guard
8.7 Perform platform penetration testing - Run penetration testing against the production platform, from physical data centers to cloud platforms.
- Microsoft Learn: Penetration testing
8.8 Implement operational terminals: device security - Microsoft has a privileged access strategy that provides guidance on implementing secure accounts, workstations, devices, and interface security. Device control is extremely important because an attacker with access to a device can impersonate users on it or steal credentials for future impersonation. For the strongest security for the highest-impact assets and accounts, we recommend using a privileged access workstation (PAW). This is the highest security configuration, designed for extremely sensitive roles that would have a significant or material impact on the organization if their account was compromised. The PAW configuration includes security controls and policies that restrict local administrative access and productivity tools to minimize the attack surface to only what is absolutely required for performing sensitive job tasks. This makes the PAW device difficult for attackers to compromise because it blocks the most common vector for phishing attacks: email and web browsing. To provide productivity to these users, separate accounts and workstations must be provided for productivity applications and web browsing. While inconvenient, this is a necessary control to protect users whose accounts could inflict damage on most or all resources in the organization.
- Microsoft Learn: Privileged access devices
- Microsoft Learn: Privileged access deployment
- Microsoft Learn: How to keep your Windows computer up to date
- Microsoft Learn: Enterprise Mobility + Security documentation
8.10 Protect against DDoS attacks - Provide real-time mitigation to common network-level attacks. Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing cloud applications, because any endpoint that's publicly reachable over the internet can be targeted. To address this, at a minimum traffic must be continually monitored and real-time mitigations must be provided for common network-level attacks. However, as DDoS attacks become more sophisticated and targeted, it may also be necessary to provide DDoS mitigations to protocol and application layer attacks.
- Microsoft Learn: Azure DDoS Protection
- Microsoft Learn: Create and configure Azure DDoS Network Protection using the Azure portal