The Azure Security Benchmark v1 was released in January 2020 and is being used by organizations to manage their security and compliance policies for their Azure workloads. We are pleased to share that you can now track and monitor your compliance with the benchmark across your Azure environment in Azure Security Center.
The Azure Security Benchmark is a collection of over 90 security best practice recommendations you can employ to increase the overall security and compliance of all your workloads in Azure. The Azure Security Benchmark is based on common compliance frameworks and standards but is tailored to cloud deployments and specifically to Azure workloads. The benchmark provides specific guidance on how these common controls apply to Azure, and what you specifically need to implement in Azure to meet those requirements.
Now, not only can you understand the fundamental compliance framework requirements in Azure terms, but you can also measure and track how your own deployed Azure workloads are meeting those requirements at any given time.
Azure Security Center provides built-in automation for monitoring your compliance with the benchmark controls across different Azure resource types and workloads. Azure Security Center not only measures your compliance with the controls but also provides actionable recommendations for how to remediate the non-compliant resources and meet the requirements. The benchmark guidance and recommendations are contextualized for each Azure service, making it easier for you to implement the controls for the Azure services you are actively using.
The benchmark can be monitored using the Azure Security Center Regulatory Compliance Dashboard. The Azure Security Center compliance dashboard enables you to track and monitor industry-driven common compliance frameworks like NIST 800-53, Azure CIS, PCI-DSS, and ISO 27001, among others. To monitor the benchmark in this dashboard, you need to onboard the Azure Security Benchmark as a tracked standard. Once you onboard, you get a clear view of how your currently deployed Azure environment is meeting the benchmark controls. You can use the dashboard to track the status of your Azure resources with respect to benchmark requirements, download a summary report, and improve your compliance posture using Azure Security Center remediation guidance and automation.
To onboard the benchmark to your Azure Security Center compliance dashboard, you need to add the Azure Security Benchmark initiative package to your compliance view. You can then view the dashboard and start tracking your compliance status with benchmark controls.
Increasing coverage of the Azure Security Benchmark
The Azure Security Benchmark core requirements are already met by all major Azure services, and those controls can be monitored and tracked in this dashboard today. Coverage will increase further over time as Azure services add features that support the full set of security and compliance requirements of the Azure Security Benchmark, together with monitoring for them.
Here are a couple of recent examples of Azure services providing added capabilities to help you implement the security benchmark:
- Encrypt sensitive information at rest: In some cases, you may want to use your own encryption key to protect your data. Fifty new services including Azure Cosmos DB and Azure Data Lake now support customer-managed keys for encryption at rest.
- Protect Azure resources within virtual networks: Private Link allows you to securely access an Azure Service over a private endpoint in your virtual network. Thirteen new services including Azure Kubernetes Service and Azure Data Explorer now support Private Link.
Over time, a larger share of the controls will be supported and monitorable in the dashboard.
The Azure Security Benchmark and Secure Score
Secure Score in Azure Security Center is a measure that helps you track your security posture and improve it effectively and efficiently by prioritizing the actions that address the issues most likely to create risk for your organization. Secure Score consists of a set of controls, each of which reflects a particular attack surface. Each control has an associated score (a number of points) that represents your vulnerability on that attack surface, along with a set of security recommendations for reducing that vulnerability and improving your security. The cumulative scores of all controls are then used to calculate your overall Secure Score, a single KPI representing your security posture.
The security recommendations underlying Secure Score are the same as those associated with the Azure Security Benchmark controls: the same set of actions, all serving the common goal of maximizing your Azure security posture. Secure Score adds the dimensions of threat analysis, risk, and vulnerability to each of those recommendations, and so helps you prioritize action according to the factors that most reduce risk in your environment. The benchmark then shows how these security settings and factors map to compliance framework requirements. It also adds some requirements that are compliance-focused but have no direct impact on security risk.
Our recommendation is to use the Secure Score view to address misconfigurations, starting with the highest-priority recommendations. The Azure Security Benchmark view is helpful for understanding your compliance and is sorted by controls rather than by score impact.
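To make the difference between the two views concrete, here is an added Python example (not code from the original post or from Azure Security Center) that scores a constructed set of controls with the per-control formula Azure documents for Secure Score, max points × healthy ÷ (healthy + unhealthy), then orders the same controls by points at stake, as the Secure Score view does, and by benchmark control family, as the benchmark view does. Control names, point values, resource counts and family mappings are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str          # Secure Score control
    max_points: int    # points the control is worth when fully healthy
    healthy: int       # resources passing every recommendation in the control
    unhealthy: int     # resources failing at least one recommendation
    asb_family: str    # Azure Security Benchmark control family it maps to


# Constructed sample data (not real tenant data); point values mirror typical defaults.
SAMPLE = [
    Control("Enable MFA", 10, 0, 3, "Identity and Access Control"),
    Control("Enable encryption at rest", 4, 6, 2, "Data Protection"),
    Control("Restrict unauthorized network access", 4, 3, 9, "Network Security"),
    Control("Remediate vulnerabilities", 6, 10, 10, "Vulnerability Management"),
]


def control_score(c: Control) -> float:
    """Documented per-control formula: max_points * healthy / (healthy + unhealthy)."""
    total = c.healthy + c.unhealthy
    if total == 0:
        return 0.0  # assumption: a control with no applicable resources contributes nothing
    return c.max_points * c.healthy / total


def secure_score(controls):
    """Overall score: current points, maximum points and the percentage shown as the KPI."""
    current = sum(control_score(c) for c in controls)
    maximum = sum(c.max_points for c in controls)
    return current, maximum, round(100 * current / maximum)


def secure_score_view(controls):
    """Secure Score ordering: controls by points still at stake, highest first."""
    at_stake = lambda c: c.max_points - control_score(c)
    return [c.name for c in sorted(controls, key=at_stake, reverse=True)]


def benchmark_view(controls):
    """Benchmark ordering: grouped by ASB control family with (passed, failed) resource counts."""
    families = {}
    for c in controls:
        passed, failed = families.get(c.asb_family, (0, 0))
        families[c.asb_family] = (passed + c.healthy, failed + c.unhealthy)
    return sorted(families.items())
```

With the sample data, "Enable MFA" tops the Secure Score view because all ten of its points are still at stake, while the benchmark view lists the same findings alphabetically by control family regardless of score impact.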
Summary and next steps
The Azure Security Benchmark compliance dashboard in Azure Security Center can help you continuously track your compliance posture in Azure and improve your Azure workloads’ adherence to compliance requirements.
You can look forward to seeing upcoming releases of the dashboard with additional automation and improved coverage for benchmark controls, as well as extended capabilities to manage compliance controls and additional report types.
We would love to hear your feedback; you can use this link to send us an email.