Regulatory compliance is basically on everyone’s mind these days. With GDPR now behind us and Brexit looming on the horizon, knowing whether your cloud resources are in compliance with standards mandated by governments or industry organizations is essential for survival in today’s globalized world. Sasha Kranjac has been a careful observer of what has been happening on this topic in Microsoft’s corner of the world. Sasha is a Security and Azure expert and Instructor with more than two decades of experience in the field. He began programming in Assembler on Sir Clive Sinclair’s ZX, met Windows NT 3.5, and the love has existed ever since. Sasha owns an IT training and consulting company that helps companies and individuals to embrace the cloud and be safe in cyberspace, delivering Microsoft, EC-Council and his own bespoke Azure and Security Courses and PowerClass Workshops internationally. He is a Microsoft MVP, MCT, MCT Regional Lead, Certified EC-Council Instructor (CEI), and currently holds more than 60 technical certifications. Sasha is a frequent speaker at various international conferences and is a consultant and trainer for some of the largest Fortune 500 companies. You can follow Sasha on Twitter @SasaKranjac. Let’s now watch and learn as Sasha illuminates our understanding concerning the new Regulatory Compliance Dashboard of the Azure Security Center.
How Azure Security Center has evolved
I’ve been following the development of the Azure Security Center (ASC) from the very beginning, since its birth. We can debate whether ASC’s birthday is the date it was announced or the date it went into Public Preview (the first is Sept. 29, 2015, and the latter is Dec. 1 of the same year), but one thing is sure: I am always excited to see new features added to ASC. The journey was a long one and it is not over. Security is an extremely important and delicate cog in Azure (well, not just in Azure but in every aspect of computing), and it took a lot of hard work to get here from where it was.
Just for the sake of curiosity, compare how the Azure Security Center looked back in December 2015, and how it looks today in February 2019. First, here is what Azure Security Center looked like in December 2015:
Now let’s look at the Azure Security Center today:
Why am I telling you this? Because ASC is always improving and getting better and better at protecting your Azure environment.
Two weeks ago, Azure Security Center became richer with another feature: the Regulatory Compliance Dashboard.
Why the new dashboard?
What does regulatory compliance mean and why should you care? Compliance, or being compliant, means meeting the requirements of a policy, standard or rule, while regulatory compliance means conforming to policies, regulations and laws. When the term regulatory compliance is used, it usually refers to a regulation or a standard, but it applies to laws as well. So why do we need standards at all, if there are laws that define information security? Many countries have security-related laws, but they are often loosely defined and address security topics from a wide angle, aimed at a broad audience: all people and organizations. These laws do define important topics such as retention of important documents or management of sensitive and personal information, but they fail to define numerous security issues in detail, such as risk management. Standards and regulations fill that uniformity gap, adding the detailed, industry-specific security coverage that individuals and organizations need to follow to be considered secure, trusted and worthy of doing business with.
Regulatory Compliance Dashboard in Azure Security Center helps you to get insight into the position of your Azure environment against the currently supported security standards: Azure CIS, ISO 27001, PCI DSS 3.2 and SOC TSP. I hope these won’t be the only supported standards; while I would like to see more standards supported in the future, I am happy these four important standards made it to the list. Note that to preview the Regulatory Compliance Dashboard, you need to set the Standard pricing tier of Azure Security Center for the particular subscription.
Examining the Regulatory Compliance Dashboard
The Regulatory Compliance Dashboard makes its debut as the fourth entry under the Policy & Compliance section, and on the ASC Overview dashboard as well, at the top, between Secure score and Subscription coverage, giving you an instant view of the least compliant regulatory standards and the number of rules affecting the score:
The Azure Security Center Regulatory Compliance Dashboard goes straight to the point, showing you the overall score of the regulatory compliance assessment as the number of failed and passed assessments, and as a percentage if you hover the pointer over the individual graph colors. To the right of the overall score, you’ll find the compliance status of the individual regulatory standards and the number of rules that passed the assessment:
According to the information on the dashboard, an additional and very useful functionality, compliance reporting features, will be incorporated in the compliance blade too:
Each regulatory standard has a list of controls, and each control has a list of compliance rules. If a control is green, all the rules within that control have passed the assessment and are green as well. If a control is red, at least one rule under that control is red and did not pass the assessment.
If you expand a rule, you’ll see the individual assessments, resource type, total resources affected and a graphical representation of the assessment results.
There is also a third color, gray, telling you that the compliance assessment is either not yet supported or not applicable. In the screenshot below, control 2.8 is gray because there is no Web Application Firewall to evaluate at the moment:
Resolving an issue is easy: clicking on an assessment name takes you right to the blade where you can fix the problem, such as installing a monitoring agent on a virtual machine, or identifying which virtual machines need updating and installing the missing updates.
Compliance issues can also be resolved from the All tab, where the recommendations are grouped and show which standards are affected by a particular assessment or recommendation:
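To make the roll-up rules above concrete (green only when every rule passes, red when any rule fails, gray when nothing is applicable, and the per-standard pass counts and percentages on the overview tile), here is an added Python model of that logic. It is an illustration written for this article, not Azure Security Center code or its API; the control and rule names are constructed placeholders, and only control 2.8 mirrors the WAF case in the screenshot.

```python
"""Model of how the Regulatory Compliance Dashboard rolls rule results up into
control colours and per-standard scores. Constructed illustration, not ASC's code."""
from dataclasses import dataclass, field
from typing import List, Optional

PASSED, FAILED, NOT_APPLICABLE = "passed", "failed", "not_applicable"


@dataclass
class Rule:
    name: str
    state: str            # PASSED, FAILED or NOT_APPLICABLE
    affected_resources: int = 0


@dataclass
class Control:
    control_id: str
    rules: List[Rule] = field(default_factory=list)

    def colour(self) -> str:
        """Green only if every applicable rule passed; red if any rule failed;
        gray if no rule in the control is applicable (nothing to evaluate)."""
        applicable = [r for r in self.rules if r.state != NOT_APPLICABLE]
        if not applicable:
            return "gray"
        return "red" if any(r.state == FAILED for r in applicable) else "green"


def summarize(standard: str, controls: List[Control]) -> dict:
    """Passed/failed rule counts and pass percentage, as the overview tile shows them."""
    rules = [r for c in controls for r in c.rules if r.state != NOT_APPLICABLE]
    passed = sum(r.state == PASSED for r in rules)
    failed = len(rules) - passed
    pct: Optional[float] = round(100 * passed / len(rules), 1) if rules else None
    return {"standard": standard, "passed": passed, "failed": failed, "percent": pct,
            "red_controls": [c.control_id for c in controls if c.colour() == "red"]}


def least_compliant(summaries: List[dict]) -> List[str]:
    """Standards ordered from least to most compliant; standards with no applicable rules are skipped."""
    scored = [s for s in summaries if s["percent"] is not None]
    return [s["standard"] for s in sorted(scored, key=lambda s: s["percent"])]


# Constructed sample data: control and rule names are placeholders, only 2.8 mirrors the article.
CIS = [
    Control("2.1", [Rule("Monitoring agent installed", FAILED, 3), Rule("Disk encryption", PASSED)]),
    Control("2.3", [Rule("System updates installed", PASSED)]),
    Control("2.8", [Rule("Web Application Firewall enabled", NOT_APPLICABLE)]),
]
PCI = [Control("1.1", [Rule("NSG on subnet", PASSED), Rule("JIT access enabled", PASSED)])]
```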
Furthermore, the data from the ASC Regulatory Compliance Dashboard will be available in the Compliance Manager, aggregating the data from Azure and Office 365 environments in one convenient place, from where you can improve data protection and compliance further, following the recommendations:
Improving the compliance of your Azure environment using Azure Security Center is greatly simplified. With the Regulatory Compliance blade, compliance can be improved quickly and effectively, directly within the dashboard.
Have you tried out the Regulatory Compliance Dashboard in Azure Security Center? Share your thoughts about it using the commenting feature below.
Featured image: Pixabay