Forum Discussion
ASC Security Policies & Compliance Wording
- Aug 05, 2020
Hi GlavniArhivator,
thanks for asking these great questions, I'll try to answer them in the respective order using a numbered list.
1. Regulatory compliance is part of the ASC Standard tier, whereas Secure Score comes with the ASC free tier. Today, we do not map the compliance assessment results to your Secure Score.
2. The Azure Security Benchmark is not exactly the same as the CIS 1.1.0 benchmark we have integrated in ASC. However, its controls are consistent with other well-known security benchmarks, such as CIS 7.1. You can find more information about the Azure Security Benchmark at https://docs.microsoft.com/en-us/azure/security/benchmarks/overview.
3. Benchmarks and Azure Policy are not the same. You can see Azure Policy as the tool for technically implementing the auditing of security benchmarks. So, the recommendations you see in your Security Controls in the Resource Security Hygiene part of Azure Security Center are derived from well-known security benchmarks, and the technical implementation under the hood is based on Azure Policy. In other words: we are using Azure Policy to create the recommendations you see in Azure Security Center, but these recommendations are based on industry-standard security best practices.
4. No, this is not possible today. The security policy Azure Security Center relies on is scoped to the Management Group or Subscription level.
Best regards,
Tom Janetscheck
Senior Program Manager
CxE | Azure Security Center
Hi guys, I am not sure if you are right here.
First of all, it is not really clear whether the regulatory standards are the ones that provide the security controls/recommendations shown in the recommendations tab, or vice versa, whether Microsoft's benchmarks just create recommendations and feed or map them to the standards.
Because of this it is confusing: it is not clear whether all the recommendations come from one of the regulatory standards or not; and, on the other side, there are quite a lot of "empty" controls in the regulations.
Why do I see it like that? Exclusion of recommendations does not work.
Yes; let's say I want to exclude a security recommendation control because I don't need it. When I exclude that policy in the ASC default, and even when I delete the default ASC policy, I still see that recommendation in the out-of-the-box Azure CIS regulation or other regulatory standards and also in the recommendations. This leads to false positives and to a decreased security score.
Hey marekatai,
I'm not sure if I could entirely follow your argumentation, but let me try to divide and explain the different parts.
Security Recommendations, which are part of Security Controls, and Regulatory Compliance are two different parts of the product. Security Controls combine Security Recommendations that belong together and influence your environment's Secure Score. These recommendations are based on the Security Policy Initiative, which you can customise. As you said, today you can only switch a security policy in this initiative on and off, but we are currently working on a resource exemption capability (no ETA, yet). It is correct that switching off a security policy in the security initiative will not influence the recommendations within the regulatory compliance policies, because they rely on separate compliance policies. Why is that?
In the regulatory compliance part of the product, we take standard definitions like ISO 27001, SOC TSP, or HITRUST/HIPAA and map their regulations to assessments that will then show you how compliant your Azure environment is with regard to these standards. If you decide that for your environment you want to switch off some of the recommendations in the resource security hygiene part, then this is okay and you can do it - but from a compliance perspective, your environment then might never be compliant regarding a particular compliance policy.
Let me give you an example:
You might decide to switch off the recommendation "External accounts with owner permissions should be removed from your subscription". You can do it with a Custom Security Policy, so you don't need to take care of it when remediating recommendations. But what if your company needs to comply with the SOC TSP compliance standard? This compliance standard contains section C1.2: "Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements." And part of this compliance standard is the above-mentioned assessment. So, if you switched it off because you decided you cannot remove external accounts with owner permissions and take the risk associated with it, your environment would never be compliant regarding this particular compliance standard. This is why you cannot switch off parts of compliance policies. In this example, in order to comply with SOC TSP, you would have to disable external ownership and think of a different process.
I don't think that this leads to false positives. First of all, Secure Score is not part of Regulatory Compliance, but of resource security hygiene. That said, we don't score your achievements in Regulatory Compliance towards the Secure Score, because there is a different idea behind it. Of course, if you get your environment "green" regarding a particular compliance standard, your Secure Score might also have increased, because, at the same time, you will have remediated some entire Security Controls while getting your environment compliant. But the main idea behind Regulatory Compliance in Azure Security Center is to give you an easy view on separate compliance rules and what assessments need to be remediated. Again, if you want to customise your Security Policy, you can do it. But compliance standards are not customisable because they simply demand several enforcements. It is not a false positive, because the assessments belong to the standards. And your Secure Score will not decrease, but increase, once you switch off particular Security Controls or Recommendations.
I hope this helps and clarifies it a bit more.
Best regards,
Tom Janetscheck
Senior Program Manager
CxE | Azure Security Center
- Tom_Janetscheck, Sep 11, 2020, Microsoft
Hello Erik,
thanks for asking. I'm glad you like this thread and the Secure Score feature. Regarding your questions:
- That's correct. As mentioned above, Regulatory Compliance standards are another view on existing (and additional) recommendations. The default set of recommendations and the compliance standards technically consist of Azure Policy Initiatives, that share a common set of policies. If you already see a recommendation that is also part of the Compliance Standard you activate additionally, the same policy is used and, therefore, no second recommendation is added.
- Yes, the Regulatory Compliance Standards API contains the number of passed, failed, and not applicable controls.
I have published an automation artifact in our GitHub community, which will send a weekly compliance report per subscription by email. The email will contain the information gathered from the above mentioned API. Maybe you can use parts of this Playbook for your scenario?
- As long as you are using the builtin Policy Initiatives, they are automatically maintained.
Have a great weekend and best regards,
Tom Janetscheck
Senior Program Manager
CxE | Azure Security Center
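The API reply above mentions can be consumed without the Playbook. The following script is an added example and is not part of this thread or of the GitHub automation artifact Tom refers to. It assumes the list response of `Microsoft.Security/regulatoryComplianceStandards` (`api-version=2019-01-01-preview`), whose `properties` carry `passedControls`, `failedControls`, `skippedControls` and `unsupportedControls`; the `SAMPLE_RESPONSE` below is constructed data in that shape, not output from a real subscription. It computes a per-standard pass rate that excludes "not applicable" (skipped) and unsupported controls, which matters for the "passed controls" number Erik asks about: a standard with only skipped controls has no meaningful rate and should not be reported as 0 % or 100 %.

```python
"""Summarise Azure Security Center regulatory compliance per standard.

Added example, not the thread's Playbook. Assumes the ARM list response of
Microsoft.Security/regulatoryComplianceStandards (api-version
2019-01-01-preview). Skipped (not applicable) and unsupported controls are
treated as out of scope when computing the pass rate.
"""
import json
import urllib.request
from typing import Dict, List, Optional

API_VERSION = "2019-01-01-preview"


def fetch_standards(subscription_id: str, bearer_token: str) -> List[dict]:
    """Live call (needs network and an ARM token); not used by the offline sample."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/providers/Microsoft.Security/regulatoryComplianceStandards"
           f"?api-version={API_VERSION}")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def summarize_standards(standards: List[dict]) -> Dict[str, dict]:
    """Map standard name -> control counts and pass rate over applicable controls only."""
    summary: Dict[str, dict] = {}
    for item in standards:
        props = item["properties"]
        passed = int(props.get("passedControls", 0))
        failed = int(props.get("failedControls", 0))
        skipped = int(props.get("skippedControls", 0))       # "not applicable"
        unsupported = int(props.get("unsupportedControls", 0))
        applicable = passed + failed
        rate: Optional[float] = (passed / applicable) if applicable else None
        summary[item["name"]] = {
            "state": props.get("state"),
            "passed": passed,
            "failed": failed,
            "skipped": skipped,
            "unsupported": unsupported,
            "pass_rate": rate,
        }
    return summary


def standards_below(summary: Dict[str, dict], threshold: float) -> List[str]:
    """Names of standards whose pass rate is known and below the threshold."""
    return sorted(
        name for name, s in summary.items()
        if s["pass_rate"] is not None and s["pass_rate"] < threshold
    )


def render_report(summary: Dict[str, dict]) -> str:
    """Plain-text table suitable for the body of a weekly e-mail."""
    lines = [f"{'standard':<18}{'passed':>7}{'failed':>7}{'n/a':>5}{'rate':>8}"]
    for name in sorted(summary):
        s = summary[name]
        rate = "n/a" if s["pass_rate"] is None else f"{s['pass_rate'] * 100:.0f}%"
        lines.append(f"{name:<18}{s['passed']:>7}{s['failed']:>7}{s['skipped']:>5}{rate:>8}")
    return "\n".join(lines)


# Constructed sample in the shape of the real list response (not real tenant data).
SAMPLE_RESPONSE = {
    "value": [
        {"name": "Azure-CIS-1.1.0", "type": "Microsoft.Security/regulatoryComplianceStandards",
         "properties": {"state": "Failed", "passedControls": 30, "failedControls": 10,
                        "skippedControls": 5, "unsupportedControls": 2}},
        {"name": "SOC-TSP", "type": "Microsoft.Security/regulatoryComplianceStandards",
         "properties": {"state": "Failed", "passedControls": 9, "failedControls": 1,
                        "skippedControls": 0, "unsupportedControls": 0}},
        {"name": "ISO-27001", "type": "Microsoft.Security/regulatoryComplianceStandards",
         "properties": {"state": "Skipped", "passedControls": 0, "failedControls": 0,
                        "skippedControls": 4, "unsupportedControls": 0}},
    ]
}

if __name__ == "__main__":
    summary = summarize_standards(SAMPLE_RESPONSE["value"])
    print(render_report(summary))
    print("below 80%:", standards_below(summary, 0.8))
```

To run against a real subscription, replace the sample with `fetch_standards(sub_id, token)`, where the token comes from `az account get-access-token --query accessToken -o tsv`; the pass rate is a derived figure for reporting and is not the Secure Score, which, as stated above, is computed separately from Regulatory Compliance.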
- Erik_Snijder, Sep 11, 2020, Copper Contributor
Hi Tom,
This whole thread is most interesting and gives a lot of new insights on how to make optimal use of Security Center. Everybody has their own insights and use cases, and I want to check my insights after reading this thread. I'm working on a large project and we would like to govern our subscriptions based on the Azure CIS 1.1.0 (new) Compliance policy.
- To a default configuration of Security Center I manually added the 'Azure CIS 1.1.0 (new)' policy from Regulatory Compliance. In the 'Recommendations'-pane I see under "Custom Recommendations" several items (controls) added from Azure CIS 1.1.0. (new), but not all. Is it correct to assume that the CIS 1.1.0 (new) controls not visible under 'Custom Recommendations' overlap with the ASC policy/benchmark and therefore are not specifically named in the recommendations?
- We want to empower our project teams as much as possible in managing their own subscriptions. Secure Score is a fantastic tool for the project teams to provide insights into the general security posture of the subscription. We would also like to provide that insight based on the Azure CIS 1.1.0 (new) compliance policy. Is the number of 'passed controls' in the dashboard available in the API? Or maybe you have another suggestion?
- We want to keep our Azure CIS 1.1.0 (new) policy up to date. What would be the recommended way to be notified/informed of new releases of this policy?
Thank you for your time.
Regards, Erik