To help our customers manage their compliance obligations when hosting their environments in Microsoft Azure, we are publishing a series of blueprint samples built in to Azure. Our most recent release is the NIST SP 800-53 R4 blueprint that maps a core set of Azure Policy definitions to specific NIST SP 800-53 R4 controls. For US governmental entities and others with compliance requirements based on NIST SP 800-53, this blueprint helps customers proactively manage and monitor compliance of their Azure environments.
The free Azure Blueprints service helps enable cloud architects and information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Blueprints may help speed the creation of governed subscriptions, supporting the design of environments that comply with organizational standards and best practices and scale to support production implementations for large-scale migrations.
Azure leads the industry with more than 90 compliance offerings that meet a broad set of international and industry-specific compliance standards. This puts Microsoft in a unique position to help ease our customers’ burden to meet their compliance obligations. In fact, many of our customers, particularly those in regulated industries, have expressed strong interest in being able to leverage our internal compliance practices for their environments with a service that maps compliance settings automatically. The Azure Blueprints service is our natural response to that interest. Customers are ultimately responsible for meeting the compliance requirements applicable to their environments and must determine for themselves whether particular information helps meet their compliance needs.
The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security). It provides a process for selecting controls to protect organizations against cyberattacks, natural disasters, structural failures, and other threats.
The NIST SP 800-53 R4 blueprint provides governance guardrails using Azure Policy to help customers assess specific NIST SP 800-53 R4 controls. It also enables customers to deploy a core set of policies for any Azure-deployed architecture that must implement these controls.
NIST SP 800-53 R4 control mappings provide details on policies included within this blueprint and how these policies address various NIST SP 800-53 R4 controls. When assigned to an architecture, resources are evaluated by Azure Policy for non-compliance with assigned policies. These control mappings include:
- Account management. Helps with the review of accounts of that may not comply with an organization’s account management requirements.
- Separation of duties. Helps in maintaining an appropriate number of Azure subscription owners.
- Least privilege. Audits accounts that should be prioritized for review.
- Remote access. Helps with monitoring and control of remote access.
- Audit review, analysis, and reporting. Helps ensure that events are logged and enforces deployment of the Log Analytics agent on Azure virtual machines.
- Least functionality. Helps monitor virtual machines where an application white list is recommended but has not yet been configured.
- Identification and authentication. Helps restrict and control privileged access.
- Vulnerability scanning. Helps with the management of information system vulnerabilities.
- Denial of service protection. Audits if the Azure DDoS Protection standard tier is enabled.
- Boundary protection. Helps with the management and control of the system boundary.
- Transmission confidentiality and integrity. Helps protect the confidentiality and integrity of transmitted information.
- Flaw remediation. Helps with the management of information system flaws.
- Malicious code protection. Helps the management of endpoint protection, including malicious code protection.
- Information system monitoring. Helps with monitoring a system by auditing and enforcing logging across Azure resources.
At Microsoft, we will continue this commitment to helping our customers leverage Azure in a secure and compliant manner. Over the next few months we plan to release more new built-in blueprints for HITRUST, FedRAMP, NIST SP 800-171, the Center for Internet Security (CIS) Benchmark, and other standards.