4 min read
The Regulatory Compliance dashboard in Azure Security Center is an excellent tool for helping organizations understand their compliance posture relative to industry standards. Reporting on compliance with specific standards is obviously critical for regulated customers, though tracking compliance status is also relevant to many other organizations who want to align with industry-defined best practices. Many of our customers use compliance frameworks as the basis of their organizational security model.
Azure Security Center improves your organization's overall compliance readiness. By performing ongoing assessments, Azure Security Center provides rich, actionable insights and reports to simplify your regulatory compliance journey.
Several significant upgrades have recently been released to the compliance management experience in Azure Security Center, including Azure Security Benchmark integration with Secure Score, a new section for downloading audit certification reports, integration of shared responsibility model details into the product, and Workflow Automation functionality.
Azure Security Benchmark
Azure Security Benchmark is now fully integrated into the regulatory compliance dashboard as the default standard, available to all Azure Security Center customers for free. Azure Security Benchmark comprises the canonical set of controls that Microsoft defines and recommends as a security baseline, aligned with industry frameworks and customized to Azure and cloud environments. The Benchmark is thus a superset of security controls related to cloud security in Azure, covering the full set of security requirements related to cloud security from each of the standards it maps to.
Secure Score is built on top of Azure Security Benchmark and provides a key performance indicator (KPI) measurement against Azure Security Benchmark controls. Secure Score provides a prioritized set of recommendations, allowing you to quickly identify the highest risk factors in your environment. All Security Center customers now have access to both the Azure Security Benchmark view from the compliance controls perspective, along with the Secure Score view to prioritize action by risk.
Figure 1: Azure Security Benchmark framework in the Security Center regulatory compliance dashboard
A large set of additional industry and regulatory standards are supported in the Azure Security Center regulatory compliance experience, including ISO 27001, NIST SP 800-53 R4, PCI DSS 3.2.1, and more, and can be added to the dashboard individually and applied on any scope, depending on your organizational requirements. Within the dashboard, you can download a point-in-time report on your compliance status, including both a summary executive-level report in PDF format and a detailed report of compliance per resource in CSV format. These reports are available for Azure Security Benchmark as well as all other compliance standards in the dashboard.
For continuous real-time reporting, we've recently added the ability to configure Continuous Export on compliance frameworks, so you can get real-time compliance data continuously streamed to your Log Analytics workspace or Azure Event Hub for streaming to any external system.
Audit reports and shared responsibility in the cloud
Managing compliance in the cloud isn't only about what you need to do, it is based on a shared responsibility model with your cloud provider. That's why we've recently added access to Azure compliance certification artifacts directly in the Azure Security Center compliance experience. We provide access to documents on Azure certifications for many compliance standards, including ISO standards, Payment Card Industry data security standard (PCI), Sevice Orgainzation Controls (SOC), and more. You are now able to filter and search to find exactly the document you need and download it directly from the Audit Reports area in Azure Security Center. Access to these documents was previously available through the Service Trust Portal, requiring separate authentication.
Figure 2: Audit Certification reports in Security Center
In addition to audit reports, we've recently added information on shared responsibility baked in directly to the compliance management experience in the dashboard. Across many standards, we've added an indication of responsibility to each control requirement, whether Microsoft responsibility, customer responsibility, or shared responsibility. This can give a more complete picture of what each control requirement fully entails and helps you understand where the platform responsibility ends, and your responsibility begins.
For NIST SP 800-53 R4, we have additionally added in-depth platform implementation details on compliance controls, consisting of a set of assessments from the Azure Control Framework that describes how Azure as a platform implements its part of that control. This will become available for additional compliance standards over time. Finally, we've also added extended control details for each compliance requirement, giving you access to a detailed description of the control and guidance for how to become compliant with that control.
Figure 3: Shared Responsibility Model and control information in the regulatory compliance dashboard
Workflow automation for compliance events
An additional new feature that has recently been released is the ability to configure workflow automations for regulatory compliance data. This capability allows you to trigger a Logic App automatically any time there is a status change on a regulatory compliance assessment and run any action based on that event. The automation can be configured on one or more standards that you are tracking in the compliance dashboard. You can configure any number of automated actions implemented by Logic Apps. There are several built-in, predefined templates, such as sending an email to specific users or opening a new ticket in a ticketing system. You can also create your own custom Logic App with the automation logic of your choice.
Explore regulatory compliance data in Azure Resource Graph
All the regulatory compliance data is available for customers in Azure Resource Graph for easy exploration and querying. Now, accessing this data is also available directly as an option in the regulatory compliance dashboard. Just click on the Open Query button in the dashboard to automatically load a query returning detailed resource compliance data for the standard you currently have loaded in the dashboard. You can then adjust this query as needed to generate a view of your choice on the compliance data, as well as cross-reference and filter by other data stored in Azure Resource Graph for advanced exploration.
Tell us what you think
We encourage you to try out these new compliance capabilities in Azure Security Center, and we're looking forward to hearing your feedback.
For more information on regulatory compliance in Security Center, check out this documentation: