Aug 04 2020 01:46 AM - last edited on Nov 29 2021 11:33 AM by Allen
I have some questions for which I don't find clear answers in the documentation, so I hope you may share your insights here.
First, I don't see how regulatory compliance impacts the Secure Score. Some of them are in the recommendations, some of them are not.
Second, what's actually the difference between the Azure CIS 1.1.0 and the Azure Benchmark? And how are they connected with Azure Policy? Additionally, I thought the ASC recommendations are based on Azure Policy, but then I also read that they are based on Benchmarks?
4th thing: Is it possible to e.g. set up one of the policies from ASC Default in such a way that it only monitors a specific resource group? Let's say I want one of the ASC default policies regarding VM security (e.g. disk encryption on VMs) to only monitor a specific resource group. How can I handle that? I tried to add custom initiatives with a defined scope for a specific resource, but then there are no recommendations.
Thank you in advance
Aug 05 2020 07:07 AM - edited Aug 06 2020 12:50 AM (Solution)
Thanks for asking these great questions. I'll try to answer them in the respective order using a numbered list.
Senior Program Manager
CxE | Azure Security Center
Aug 05 2020 11:20 PM
Many thanks for your answer. ASC looks very simple, but actually there's much more magic behind it :) I have a few follow-up questions to your answers.
Many thanks in advance!
Aug 06 2020 12:11 AM - edited Aug 06 2020 09:40 AM
It's all about the details.
Regarding your follow-up questions:
I hope, this helps?
Thanks and best,
Aug 06 2020 08:10 AM - edited Aug 06 2020 09:02 AM
Thanks, Tom. Everything is perfectly answered, but the first is not so clear.
Or maybe I didn't explain it well. E.g. in the Azure CIS 1.1.0 I see a control "7.1 Ensure that 'OS disks' are encrypted" and below it the "Disk encryption should be applied on virtual machines" security control, which is in the recommendations. When I remediate them, then I have an effect on the Secure Score. Two things I need to clarify here: does it mean that some of the regulatory compliance points are the same as recommendations (or similar), but not all? And generally speaking, I thought that both ASC and Industry & regulatory standards policies (Azure CIS 1.1.0, ISO 27001, SOC TSP and so on) create recommendations which impact my Secure Score?
The other side is: if regulatory compliance policies do not have an impact on the Secure Score, how should I handle that "Regulatory compliance assessment", or on which level should I pay attention to it? At this moment it looks like the Secure Score, with its gamification and direct remediation impacts, is much more relevant than following regulatory compliance?
Aug 06 2020 09:37 AM
Sorry for confusing you - let me try to explain it differently:
The regulatory compliance part of ASC is another view to security risks. If you, for example, take a look at the CIS 1.1.0 control 7.1 Ensure that OS disks are encrypted, and you then go to the underlying recommendation "Disk encryption should be applied on virtual machines"; once you remediate this recommendation, you will gain credit towards your Secure Score if, besides this recommendation, you have made sure that all other recommendations in the same Security Control (Enable encryption at rest) have also been remediated. So, in order to increase your Secure Score, it's not enough to remediate the recommendation only, but from the perspective of the respective compliance standard, it is.
If you then, for example, take a look at the SOC TSP set of controls, you will find CCE-numbers underneath C1.2. These refer to vulnerabilities that have been found on machines within the scope of the policy.
There is no single recommendation or Security Control for these in the Resource Security Hygiene part of ASC, but you will find them underneath the Vulnerabilities in security configuration on your machines should be remediated recommendation, which is part of the Remediate security configurations security control.
We have customers that need their resources to comply with different regulatory compliance standards. With the Regulatory Compliance dashboard, it is easy for them to find all settings that need to be configured so their resources will be compliant. We are mapping security recommendations to the topics that need to be taken care of when applying the compliance standard to an environment. So, with the compliance dashboard, it is easier to plan which recommendations to focus on first in order to get the environment compliant, and then focus on remediating all the other recommendations and security controls. Once you remediate the recommendations from the Regulatory Compliance dashboard, they will also be remediated and count towards your Secure Score (but again: for receiving credits towards your Secure Score, all recommendations within a Security Control need to be remediated for a particular resource).
So, to make sure your environment is as secure as possible, you should try to get the Secure Score to 100%. If you achieve this, your compliance assessments will also reflect this achievement. If you focus on increasing your Secure Score, the recommendations that pop up in the different regulatory compliance assessments will automatically show less non-compliant resources.
At the end, Secure Score is the main KPI for how secure an environment is. The compliance dashboard gives you another view on your environment.
Aug 20 2020 01:54 PM - edited Aug 20 2020 02:13 PM
Hi guys. I am not sure if you are right here.
First of all, it is not really clear whether the regulatory standards are the ones that give the security controls/recommendations that are shown in the Recommendations tab, or vice versa, whether Microsoft's benchmarks just create recommendations and feed or map them to standards.
Because it is confusing that it's not clear whether all the recommendations come from one of the regulatory standards or not; and, on the other side, there are quite a lot of "empty" controls in the regulations.
Why do I see it like that? Exclusion of recommendations does not work.
Yes; let's say I want to exclude a security recommendation control because I don't need it. When I exclude that policy in the ASC default, and even when I delete the default ASC policy, I still see that recommendation in the out-of-the-box Azure CIS regulation or other regulatory standards, and also in the recommendations. This leads to false positives and to a decreased Secure Score.
Aug 21 2020 03:14 AM - edited Aug 21 2020 06:05 AM
I'm not sure if I could entirely follow your argument, but let me try to divide and explain the different parts.
Security Recommendations, which are part of Security Controls, and Regulatory Compliance are two different parts of the product. Security Controls combine Security Recommendations that belong together and influence your environment's Secure Score. These recommendations are based on the Security Policy Initiative, which you can customise. As you said, today you can only switch a security policy in this initiative on and off, but we are currently working on a resource exemption capability (no ETA, yet). It is correct that switching off a security policy in the security initiative will not influence the recommendations within the regulatory compliance policies, because they rely on separate compliance policies. Why is that?
In the regulatory compliance part of the product, we take standard definitions like ISO 27001, SOC TSP, or HITRUST/HIPAA and map their regulations to assessments that will then show you how compliant your Azure environment is with regard to these standards. If you decide that for your environment you want to switch off some of the recommendations in the resource security hygiene part, then this is okay and you can do it - but from a compliance perspective, your environment then might never be compliant regarding a particular compliance policy.
Let me give you an example:
You might decide to switch off the recommendation External accounts with owner permissions should be removed from your subscription. You can do it with a Custom Security Policy, so you don't need to take care of it when remediating recommendations. But what if your company needs to comply with the SOC TSP compliance standard? This compliance standard contains section C1.2: Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements. And part of this compliance standard is the above mentioned assessment. So, if you switched it off because you decided you cannot remove external accounts with owner permissions and take the risk associated with it, your environment would never be compliant regarding this particular compliance standard. This is why you cannot switch off parts of compliance policies. In this example, in order to comply with SOC TSP, you would have to disable external ownership and think of a different process.
I don't think that this leads to false positives. First of all, Secure Score is not part of Regulatory Compliance, but of resource security hygiene. That said, we don't score your achievements in Regulatory Compliance towards the Secure Score, because there is a different idea behind it. Of course, if you get your environment "green" regarding a particular compliance standard, your Secure Score might also have increased, because, at the same time, you'll have remediated some entire Security Controls when taking care of getting your environment compliant. But the main idea behind Regulatory Compliance in Azure Security Center is to give you an easy view on separate compliance rules and what assessments need to be remediated. Again, if you want to customise your Security Policy, you can do it. But compliance standards are not customisable because they simply demand several enforcements. It is not a false positive because the assessments belong to the standards. And your Secure Score will not decrease, but increase, once you switch off particular Security Controls or Recommendations.
I hope this helps and clarifies it a bit more.
Senior Program Manager
CxE | Azure Security Center
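The scoring rule explained in the two answers above (a resource earns Secure Score credit for a Security Control only once every recommendation in that control is remediated for it, while a compliance-standard control looks at its mapped recommendation alone, and switching a recommendation off in the security policy can only raise the score but does not touch the compliance view) is easier to see in a small model. The following is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the documented per-control formula `score = max_score * healthy / (healthy + unhealthy)`, and the control name, the second recommendation, the CIS 7.1 mapping, the resources and their states are all constructed for illustration.

```python
"""Model of the Secure Score rule discussed in this thread.

Added example, not from the thread or from Microsoft. Assumptions:
- a resource is credited for a Security Control only when every
  recommendation of that control that applies to it is Healthy;
- per-control score = max_score * healthy / (healthy + unhealthy)
  (the documented formula);
- a compliance-standard control passes when each mapped recommendation is
  Healthy on every resource it applies to, regardless of the security policy.
All names, resources and states below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# resource id -> {recommendation name: "Healthy" | "Unhealthy"}
Assessments = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class SecurityControl:
    name: str
    max_score: int
    recommendations: FrozenSet[str]


def resource_status(control: SecurityControl, states: Dict[str, str],
                    disabled: FrozenSet[str] = frozenset()) -> str:
    """Return 'healthy', 'unhealthy' or 'not_applicable' for one resource.

    Recommendations switched off in the security policy are ignored, so
    switching one off can never turn a healthy resource unhealthy.
    """
    applicable = {r: s for r, s in states.items()
                  if r in control.recommendations and r not in disabled}
    if not applicable:
        return "not_applicable"
    return "healthy" if all(s == "Healthy" for s in applicable.values()) else "unhealthy"


def control_score(control: SecurityControl, assessments: Assessments,
                  disabled: FrozenSet[str] = frozenset()) -> float:
    """Points the control currently contributes, per the assumed formula."""
    counts = {"healthy": 0, "unhealthy": 0, "not_applicable": 0}
    for states in assessments.values():
        counts[resource_status(control, states, disabled)] += 1
    in_scope = counts["healthy"] + counts["unhealthy"]
    if in_scope == 0:
        return 0.0  # nothing to assess; empty controls are not modelled here
    return control.max_score * counts["healthy"] / in_scope


def compliance_control_passed(mapped: FrozenSet[str], assessments: Assessments) -> bool:
    """A regulatory-compliance control passes when each mapped recommendation
    is Healthy on every resource it applies to. It ignores the surrounding
    Security Control and anything switched off in the security policy."""
    return all(states[r] == "Healthy"
               for states in assessments.values()
               for r in mapped if r in states)


# Constructed scenario: one control with two recommendations that both apply to VMs.
DISK_ENC = "Disk encryption should be applied on virtual machines"
OTHER = "Constructed second recommendation that also applies to VMs"
CONTROL = SecurityControl("Constructed control", 4, frozenset({DISK_ENC, OTHER}))
CIS_7_1 = frozenset({DISK_ENC})  # mapping assumed for illustration


def scenario() -> Dict[str, object]:
    vms = {f"vm-{i:02d}": {DISK_ENC: "Unhealthy", OTHER: "Unhealthy"} for i in (1, 2, 3)}
    out: Dict[str, object] = {"start": control_score(CONTROL, vms)}
    # 1) remediate disk encryption on every VM: CIS 7.1 passes, score unchanged
    for s in vms.values():
        s[DISK_ENC] = "Healthy"
    out["cis_7_1_after_disk_enc"] = compliance_control_passed(CIS_7_1, vms)
    out["score_after_disk_enc"] = control_score(CONTROL, vms)
    # 2) finish the whole control on one VM: only that VM now counts
    vms["vm-01"][OTHER] = "Healthy"
    out["score_one_vm_complete"] = control_score(CONTROL, vms)
    # 3) switch OTHER off in the security policy: score rises, but a standard
    #    control mapped to OTHER still fails on the two unremediated VMs
    out["score_other_disabled"] = control_score(CONTROL, vms, frozenset({OTHER}))
    out["standard_mapped_to_other_still_passes"] = compliance_control_passed(frozenset({OTHER}), vms)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Step 1 is the situation described in the thread: the CIS 7.1 control is satisfied as soon as the disk-encryption recommendation is healthy everywhere, yet the Security Control contributes nothing until a VM has all of its applicable recommendations remediated (step 2). Step 3 shows why switching a recommendation off raises rather than lowers the score, and why that switch has no effect on a compliance standard that maps the same recommendation.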
Sep 11 2020 02:54 AM
This whole thread is most interesting and gives a lot of new insights on how to make optimal use of Security Center. Everybody has his own insights and use cases, and I want to check my insights after reading this thread. I'm working on a large project and we would like to govern our subscriptions based on the Azure CIS 1.1.0 (new) compliance policy.
Thank you for your time.
Sep 11 2020 07:50 AM
Thanks for asking. I'm glad you like this thread and the Secure Score feature. Regarding your questions:
I have published an automation artifact in our GitHub community, which will send a weekly compliance report per subscription by email. The email will contain the information gathered from the above mentioned API. Maybe you can use parts of this Playbook for your scenario?
Have a great weekend and best regards,
Senior Program Manager
CxE | Azure Security Center