Forum Discussion
ASC Security Policies & Compliance Wording
- Aug 05, 2020
Hi GlavniArhivator,
thanks for asking these great questions, I'll try to answer them in the respective order using a numbered list.
1. Regulatory compliance is part of the ASC Standard tier, whereas Secure Score comes with the ASC free tier. Today, we do not map the compliance assessment results to your Secure Score.
2. The Azure Security Benchmark is not exactly the same as the CIS 1.1.0 benchmark we have integrated in ASC. However, its controls are consistent with other well-known security benchmarks, such as CIS 7.1. You can find more information about the Azure Security Benchmark at https://docs.microsoft.com/en-us/azure/security/benchmarks/overview.
3. Benchmarks and Azure Policy are not the same. You can see Azure Policy as the tool for technically implementing auditing of security benchmarks. So, the recommendations you see in your Security Controls in the Resource Security Hygiene part of Azure Security Center are derived from well-known security benchmarks, and the technical implementation under the hood is based on Azure Policy. In other words: we are using Azure Policy to create the recommendations you see in Azure Security Center, but these recommendations are based on industry-standard security best practices.
4. No, this is not possible today. The security policy Azure Security Center relies on is scoped to the Management Group or Subscription level.
Best regards,
Tom Janetscheck
Senior Program Manager
CxE | Azure Security Center
Hi Tom,
This whole thread is most interesting and gives a lot of new insights on how to make optimal use of Security Center. Everybody has their own insights and use cases, and I want to check my insights after reading this thread. I'm working on a large project and we would like to govern our subscriptions based on the Azure CIS 1.1.0 (new) Compliance policy.
- To a default configuration of Security Center I manually added the 'Azure CIS 1.1.0 (new)' policy from Regulatory Compliance. In the 'Recommendations' pane I see under "Custom Recommendations" several items (controls) added from Azure CIS 1.1.0 (new), but not all. Is it correct to assume that the CIS 1.1.0 (new) controls not visible under 'Custom Recommendations' overlap with the ASC policy/benchmark and therefore are not specifically named in the recommendations?
- We want to empower our project teams as much as possible in managing their own subscriptions. Secure Score is a fantastic tool for the project teams to provide insights into the general security posture of the subscription. We would also like to provide that insight based on the Azure CIS 1.1.0 (new) compliance policy. Is the number of 'passed controls' in the dashboard available in the API? Or maybe you have another suggestion?
- We want to keep our Azure CIS 1.1.0 (new) policy up to date. What would be the recommended way to be notified/informed of new releases of this policy?
Thank you for your time.
Regards, Erik
Hello Erik,
thanks for asking. I'm glad you like this thread and the Secure Score feature. Regarding your questions:
- That's correct. As mentioned above, Regulatory Compliance standards are another view on existing (and additional) recommendations. The default set of recommendations and the compliance standards technically consist of Azure Policy Initiatives that share a common set of policies. If you already see a recommendation that is also part of the Compliance Standard you activate additionally, the same policy is used and, therefore, no second recommendation is added.
- Yes, the Regulatory Compliance Standards API contains the number of passed, failed, and not applicable controls:
I have published an automation artifact in our GitHub community, which will send a weekly compliance report per subscription by email. The email will contain the information gathered from the above-mentioned API. Maybe you can use parts of this Playbook for your scenario?
- As long as you are using the built-in Policy Initiatives, they are automatically maintained.
Have a great weekend and best regards,
Tom Janetscheck
Senior Program Manager
CxE | Azure Security Center
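As an added illustration of the per-subscription report Tom describes (example code, not the thread's own nor the playbook from the GitHub community), the script below turns the passed/failed/not-applicable control counts into a pass percentage per standard and flags standards below a threshold. It assumes the field names `passedControls`, `failedControls`, `skippedControls` and `state` in the `properties` of each item returned by the Regulatory Compliance Standards API, and the response it parses is a constructed sample, not data from a real tenant.

```python
"""Summarise ASC regulatory compliance results per standard for a report.

Assumed response shape (not taken from the thread): a list under "value",
each item with name and properties.passedControls / failedControls /
skippedControls / state. The sample below is constructed.
"""
import json

# Constructed sample, shaped like a regulatoryComplianceStandards response.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"name": "Azure-CIS-1.1.0", "properties": {"state": "Failed",
         "passedControls": 20, "failedControls": 6, "skippedControls": 3}},
        {"name": "Azure-Security-Benchmark", "properties": {"state": "Passed",
         "passedControls": 30, "failedControls": 0, "skippedControls": 2}},
    ]
})


def summarise_standards(response_json, min_percent=80.0):
    """Return {standard: {passed, failed, skipped, percent, needs_attention}}.

    percent = passed / (passed + failed); skipped (not applicable) controls
    are excluded from the denominator so they neither help nor hurt.
    """
    summary = {}
    for item in json.loads(response_json).get("value", []):
        p = item["properties"]
        passed = int(p.get("passedControls", 0))
        failed = int(p.get("failedControls", 0))
        skipped = int(p.get("skippedControls", 0))
        assessed = passed + failed
        percent = round(100.0 * passed / assessed, 1) if assessed else 0.0
        summary[item["name"]] = {
            "passed": passed, "failed": failed, "skipped": skipped,
            "percent": percent, "needs_attention": percent < min_percent,
        }
    return summary


def report_lines(response_json, subscription_id="<subscription-id>", min_percent=80.0):
    """Plain-text lines for the body of a weekly e-mail report."""
    lines = [f"Compliance summary for subscription {subscription_id}"]
    for name, s in sorted(summarise_standards(response_json, min_percent).items()):
        flag = "  <-- below threshold" if s["needs_attention"] else ""
        lines.append(f"{name}: {s['passed']} passed, {s['failed']} failed, "
                     f"{s['skipped']} not applicable ({s['percent']}%){flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_RESPONSE)))
```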