Forum Discussion

GlavniArhivator
Aug 04, 2020

ASC Security Policies & Compliance Wording

Hi all

I have some questions I don't find clear answers to in the documentation, so I hope you may share your insights here.

First, I don't see how the regulatory compliance impacts the secure score. Some of them are in the recommendations, some of them are not.

Second, what's actually the difference between the Azure CIS 1.1.0 and the Azure Benchmark? And how are they connected with Azure Policy? Additionally, I thought the ASC recommendations are based on Azure Policy, but then I read also that they are based on Benchmarks?

4th thing: Is it possible to e.g. set up one of the policies from ASC Default in such a way that it only monitors a specific resource group? Let's say I want one of the ASC default policies regarding VM security (e.g. disk encryption on VMs) to only monitor a specific resource group. How can I handle that? I tried to add custom initiatives with a defined scope for a specific resource, but then there are no recommendations.

Thank you in advance

  • Hi GlavniArhivator,

    thanks for asking these great questions, I'll try to answer them in the respective order using a numbered list. 

    1. Regulatory compliance is part of the ASC Standard tier, whereas Secure Score comes with the ASC free tier. Today, we do not map the compliance assessment results to your Secure Score.
    2. The Azure Security Benchmark is not exactly the same as the CIS 1.1.0 benchmark we have integrated in ASC. However, its controls are consistent with other well-known security benchmarks, such as CIS 7.1. You can find more information about the Azure Security Benchmark at https://docs.microsoft.com/en-us/azure/security/benchmarks/overview
    3. Benchmarks and Azure Policy are not the same. You can see Azure Policy as the tool for technically implementing auditing of security benchmarks. So, the recommendations you see in your Security Controls in the Resource Security Hygiene part of Azure Security Center are derived from well-known security benchmarks, and the technical implementation under the hood is based on Azure Policy. In other words: we are using Azure Policy to create the recommendations you see in Azure Security Center, but these recommendations are based on industry-standard security best practices.
    4. No, this is not possible today. The security policy Azure Security Center relies on is scoped to the Management Group or Subscription level.

    Best regards,

    Tom Janetscheck

    Senior Program Manager

    CxE | Azure Security Center


    • GlavniArhivator

      Tom_Janetscheck 

      Hi Tom

      Many thanks for your answer. ASC looks very simple, but actually there's much more magic behind it :) I have a few follow-up questions to your answers.

      1. How does it then come that I also see many of the CIS 1.1.0 ones in the recommendations? Am I right that many, but not all, of the regulatory compliance advices are in the recommendations, which in the end impact the secure score?
      2. Ok, I see that they are not the same. But I don't see the connection between them and the baseline from the AZ-500 learnings and the best practices. Are they all connected?
      3. Ok, so I understand it like that: the idea of ASC recommendations is based on the benchmarks and best practices, and Azure Policy is just used to make them visible from a technical perspective. Would you recommend here to not only remediate them but also to create new Policy or even Azure Blueprint for future deployments in order to keep the secure score stable?
      4. Yes, that was my question, if I could do exceptions for a specific resource group :)?

      Many thanks in advance!


      • Tom_Janetscheck

        Hi GlavniArhivator,

        it's all about the details :)

        Regarding your follow-up questions:

        1. The recommendations you see in the Resource Security Hygiene part of ASC, and which influence your secure score, are derived from several sources, benchmarks, and best practices. That said, if they apply to the CIS 1.1.0 benchmark, they will also appear there.
        2. I currently don't have insights into which baselines are the source of AZ-500, but in the end, the learnings from this exam also reflect real-life best practices (such as making sure your accounts are protected with MFA, NSGs are important for network security, and so on).
        3. You understand this correctly. Furthermore, if you take a look at the Azure Policy Initiative itself, you might see policies which appear as having non-compliant resources, but in ASC they are not shown. This is because ASC uses some other backend mechanisms besides Azure Policy only. For example, if a recommendation does not apply to a third-party firewall appliance which basically is a Linux VM, the Policy might say that this resource is non-compliant, whereas ASC will tell you that the recommendation does not apply to that resource. So, for your security policy, you should always look at ASC instead of the respective Azure Policy Initiative. Regarding the second part of your question: this is something many customers are asking for, and this is why I've published a dedicated article to describe how Secure Score affects governance concepts. I would highly recommend not only remediating security controls, but at the same time making sure you either have Deny or DINE (Deploy if not exists) policies or Azure Blueprints in place that will make sure your future resources are deployed securely by default, or changing your deployment pipeline (ARM templates, PowerShell scripts, Terraform templates, ...) accordingly. You should make sure to have policies and deployment scripts in sync, so as not to create conflicts during deployment.
        4. We're currently working on a capability like this, but there's no ETA yet.

        I hope this helps!

        Thanks and best,

        Tom
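Tom's advice in point 3, keeping Deny policies and deployment templates in sync, as an added example (not code from the thread, from ASC or from Azure Policy itself): a small Python evaluator that applies an Azure Policy-style if/then rule to the resources of an ARM template before deployment, so a template that a Deny policy would reject is caught in the pipeline rather than at deploy time. The rule, the alias and the resources are constructed for illustration; the real evaluation runs inside the Azure Policy service and supports many more condition types.

```python
# Constructed rule in Azure Policy's if/then shape: deny any VM whose OS disk is
# not a managed disk. The alias form "resourceType/dotted.path" is assumed.
POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.id",
         "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}

# Constructed template resources: a compliant VM, a VM on an unmanaged VHD, and an unrelated storage account.
RESOURCES = [
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-ok", "properties":
        {"storageProfile": {"osDisk": {"managedDisk": {"id": "/subscriptions/x/disks/os1"}}}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-legacy", "properties":
        {"storageProfile": {"osDisk": {"vhd": {"uri": "https://acct.blob/vhds/os.vhd"}}}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "acct", "properties": {}},
]

def _field(res, alias):
    """Resolve 'type'/'name'/'location' or a 'resourceType/dotted.path' alias; None if absent."""
    if alias in ("type", "name", "location"):
        return res.get(alias)
    rtype, _, path = alias.rpartition("/")
    if res.get("type", "").lower() != rtype.lower():
        return None  # alias belongs to another resource type: not applicable
    node = res.get("properties", {})
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def _match(res, cond):
    """Evaluate a condition: allOf / not, or a field 'equals' / 'exists' test."""
    if "allOf" in cond:
        return all(_match(res, c) for c in cond["allOf"])
    if "not" in cond:
        return not _match(res, cond["not"])
    val = _field(res, cond["field"])
    if "equals" in cond:
        return val == cond["equals"]
    return (val is not None) == (str(cond["exists"]).lower() == "true")

def check_template(resources, policy):
    """Return (name, effect) for every resource the policy's 'if' block matches."""
    effect = policy["then"]["effect"]
    return [(r["name"], effect) for r in resources if _match(r, policy["if"])]
```

Running `check_template(RESOURCES, POLICY)` flags only `vm-legacy` with effect `deny`; the storage account is not applicable because the alias belongs to another resource type, which mirrors the "does not apply" distinction Tom describes.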
