The regulatory compliance dashboard in Azure Security Center is a great tool to help organizations understand their compliance stance with regard to industry standards. Reporting on compliance with certain standards is obviously vital for regulated customers. However, tracking compliance status is also relevant for many other companies that want to be guided by industry-wide best practices. Many of our customers use compliance frameworks as the basis for their organizational security model.
The Azure Security Center improves the general compliance readiness of your company. By conducting ongoing assessments, the Azure Security Center provides comprehensive, actionable insights and reports to help facilitate regulatory compliance.
Several major compliance management upgrades have recently been released in the Azure Security Center, including the integration of the Azure Security Benchmark with Secure Score, a new section for downloading audit certification reports, the incorporation of shared responsibility model details into the product, and workflow automation capabilities.
Azure Security Benchmark
Azure Security Benchmark is now fully integrated into the regulatory compliance dashboard as the default standard and is available to all Azure Security Center customers for free. The Azure Security Benchmark comprises the canonical controls that Microsoft defines and recommends as a security foundation, which are tailored to industry frameworks and adapted to Azure and cloud environments. The benchmark is thus a superset of cloud security controls in Azure and covers all cloud security requirements from each of the standards to which it is mapped.
Secure Score is based on the Azure Security Benchmark and provides a KPI (Key Performance Indicator) measurement using the Azure Security Benchmark controls. Secure Score provides a set of prioritized recommendations that you can use to quickly identify the highest risk factors in your environment. All Security Center customers now have access to the Azure Security Benchmark view from the perspective of compliance controls and the Secure Score view to prioritize measures according to risk.
Figure 1: Azure Security Benchmark Framework in the Security Center Regulatory Compliance Dashboard
A variety of additional industry and regulatory standards are supported as part of Azure Security Center compliance, including ISO 27001, NIST SP 800-53 R4, PCI DSS 3.2.1, and more. They can be added to the dashboard individually and applied in each area, depending on your organizational needs. Within the dashboard, you can download a point-in-time report of your compliance status, which includes both an executive summary report in PDF format and a detailed report on compliance per resource in CSV format. These reports are available for Azure Security Benchmark as well as for all other compliance standards in the dashboard.
For continuous real-time reporting, we recently added the ability to configure continuous export for compliance frameworks, which allows you to have real-time compliance data continuously streamed into your Log Analytics workspace or Azure Event Hub for streaming to any external system.
Audit reports and shared responsibility in the cloud
Managing compliance in the cloud isn’t just about what you need to do; it’s based on a shared responsibility model with your cloud provider. That’s why we recently added access to Azure compliance certification artifacts right in the Azure Security Center compliance experience. We provide access to Azure certification documents for many compliance standards, including ISO standards, PCI (Payment Card Industry Data Security Standard), Service Organization Controls (SOC) and more. You can now filter and search to find the exact document you need and download it directly from the Monitoring Reports section in the Azure Security Center. These documents were previously accessed via the Service Trust Portal, which requires separate authentication.
Figure 2: Audit certification reports in the Security Center
In addition to the audit reports, we recently added shared responsibility information that is built right into the compliance management experience in the dashboard. In many standards, we have added a responsibility statement to every control requirement, stating whether it is Microsoft responsibility, customer responsibility, or shared responsibility. This can give a more complete picture of what each control requirement fully entails and helps you understand where platform responsibility ends and your responsibility begins.
For NIST SP 800-53 R4, we also added detailed platform implementation details for compliance controls, which consist of a series of assessments from the Azure Control Framework that describe how Azure as a platform implements its part of that control. This will be available for additional compliance standards over time. Finally, we’ve added advanced control details for each compliance requirement so that you have access to a detailed description of the control and instructions on how to comply with that control.
Figure 3: Shared Responsibility Model and control information in the regulatory compliance dashboard
Workflow automation for compliance events
Another new feature that was recently released is the ability to configure workflow automation for regulatory compliance data. This feature allows you to automatically trigger a logic app whenever the status of a regulatory compliance assessment changes and take action based on that event. Automation can be configured on one or more standards, which you can track in the compliance dashboard. You can configure any number of automated actions that Logic Apps implement. There are several built-in, predefined templates, such as sending an e-mail to certain users or opening a new ticket in a ticket system. You can also create your own custom logic app using the automation logic of your choice.
Explore regulatory compliance data in Azure Resource Graph
All regulatory compliance data is available to customers in Azure Resource Graph for easy exploration and queries. Access to this data is now also available directly on the regulatory compliance dashboard. Just click the Open query button on the dashboard to automatically load a query that will return detailed resource compliance data for the standard you currently have loaded into the dashboard. You can then customize this query as needed to create a view of your choice on the compliance data, as well as cross-referencing and filtering on other data stored in Azure Resource Graph for advanced exploration.
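A customization of the kind described above, as an added example and not the query the dashboard generates: it ranks the controls of one standard by how many resources fail their assessments. The `securityresources` table and the assessment resource type are Azure Resource Graph's own; the standard name is an assumed value, so substitute the one that appears in the query your dashboard loads.

```kusto
// Added example, not the dashboard's own query.
// Assumption: the standard's name as it appears in the assessment resource id.
let standard = "Azure-Security-Benchmark";
securityresources
| where type == "microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments"
// Standard and control names are carried in the resource id, not in properties.
| extend complianceStandard = extract(@"/regulatoryComplianceStandards/([^/]+)/regulatoryComplianceControls", 1, id),
         complianceControl  = extract(@"/regulatoryComplianceControls/([^/]+)/regulatoryComplianceAssessments", 1, id),
         assessmentName     = tostring(properties.description),
         failedResources    = toint(properties.failedResources),
         passedResources    = toint(properties.passedResources)
// Keep only assessments of the chosen standard that have at least one failing resource.
| where complianceStandard =~ standard and failedResources > 0
// Roll up to one row per subscription and control, worst first.
| summarize failingAssessments = count(),
            failedResources    = sum(failedResources),
            passedResources    = sum(passedResources),
            assessments        = make_set(assessmentName, 10)
          by subscriptionId, complianceControl
| order by failedResources desc
```

A resource evaluated by several assessments under the same control is counted once per assessment, so the sums show where to look first and are not a count of distinct resources.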
Tell us what you think
We encourage you to try these new compliance features in the Azure Security Center and we look forward to your feedback.
For more information on regulatory compliance in the Security Center, see this documentation: