Updated – 21/11/2022 – Microsoft Defender for Cloud Regulatory Compliance now includes manual attestation and evidence that can help you to meet compliance requirements.
Security compliance requirements keep expanding and changing. How do we keep up with them in the cloud?
In this article, we will share with you how to accelerate compliance for your organization with Microsoft security solutions.
Before diving into how to achieve regulatory compliance in the cloud, it is worth talking about security governance, because compliance really comes down to governance.
When we talk about security governance, we talk about business goals and risks. We talk about architecture with regard to multi-cloud, landing zones as an option, and policies.
How do we use policies, and how do we set them so that we gain control and oversight of our entire infrastructure, whether it is hybrid across the cloud and on-premises or entirely within Azure?
Next, we come to security posture management. What is it? It is continuous discovery: getting information on demand about what is actually out there. Not just knowing that a server is sitting somewhere, but having near real-time information at our fingertips so that we can make good decisions and mitigate our risks up front.
Then we have continuous improvement. You are constantly going to be shifting, whether you are migrating into the cloud with a lift and shift (IaaS) or transitioning later when you modernize your applications and databases. That means going back through an iterative process of defining policy-driven governance, so that the rules are executed consistently and risks are mitigated before they happen.
And that brings us back to compliance and reporting. Microsoft has a couple of tools at our fingertips to help us with compliance and reporting.
As part of the Microsoft compliance ecosystem, we have first the Service Trust Portal. That is a great reference when you are looking for what compliance Microsoft has already built in or is about to release, and which services are covered from a compliance perspective.
You can review the available independent audit reports for Microsoft’s Cloud services, which provide information about compliance with data protection standards and regulatory requirements, such as International Organization for Standardization (ISO), Service Organization Controls (SOC), National Institute of Standards and Technology (NIST), Federal Risk and Authorization Management Program (FedRAMP), and the General Data Protection Regulation (GDPR).
Then you have Microsoft 365 Compliance Manager, which helps you stay compliant from a Microsoft 365 perspective and look at it across the whole organization: SharePoint, Exchange Online, OneDrive, all of that comes into Microsoft 365 Compliance Manager. Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.
You can also use Microsoft Sentinel (formerly known as Azure Sentinel) from the security information and event management (SIEM) perspective, since it does both SIEM and security orchestration, automation, and response (SOAR). From a compliance perspective, we are looking at it as IT security event management (more on that in a bit). It collects the security logs from all your resources, filters through that data, and surfaces the anomalies that come in, including compliance findings.
Last, we have Microsoft Defender for Cloud (formerly known as Azure Security Center), which gives you policy and posture protection (more on that in a bit). With Defender for Cloud, you get the security posture management viewpoint on demand.
Microsoft Defender for Cloud
With Defender for Cloud, we get continuous assessment (security posture), hardening of resources (secure), and detection and resolution of threats to resources (defend). You need to understand what the different toolsets actually bring to the table, and when to use which one.
With Defender for Cloud, we are not only continuously assessing from a compliance standpoint but also implementing things that make us more secure. The built-in insights and recommendations come not just from Microsoft but from the Center for Internet Security (CIS), NIST SP 800-53, ISO 27001:2013, and other industry standards.
You can get to regulatory compliance from the overview dashboard, which breaks everything out; the tile reflects the regulatory standards with the lowest compliance.
You can dive into regulatory compliance by clicking on the tile and then selecting ‘Manage compliance policies‘ to see the list of all regulatory compliances that are available to you.
In Defender for Cloud, security policies and regulatory standards are onboarded by subscription. What I mean by that is that, looking at it from a subscription perspective, I can click through and see which security policies are applied to my subscriptions.
These policies can also be applied at the management group level. From an architect’s standpoint, that lets you enforce those standards and audits so nobody can change them unless they have access at that scope, the management group or the subscription.
The default policy initiative added by Defender for Cloud gives you recommendations. It audits your environment on demand and tracks the information.
As shown in the figure below, these are the current regulatory compliances that are enabled in my environment. Some of them are out of the box.
We have the default Azure Security Benchmark (security controls v3) which includes 3 control frameworks, the Center for Internet Security (CIS) Controls, the National Institute of Standards and Technology (NIST), and the Payment Card Industry Data Security Standard (PCI-DSS) framework.
Please note that the Azure Security Benchmark is free and doesn’t require any Microsoft Defender for Cloud plan to be enabled. To track compliance with other standards, you need to enable a Microsoft Defender for Cloud plan.
We have NIST SP 800-53 R4 added manually; you can see it is inherited from the management group, and that is the important point: nobody can touch it unless they have rights at the management group. That comes back to compliance. Implementing policy at the management group or subscription level, or even at the resource group level, with RBAC (role-based access control) in place lets me enforce this compliance, even if only for auditing.
We can also add more standards, and you can add any standard quickly. As shown in the figure below, click Add on the standards that you want in the regulatory compliance dashboard and then assign them to the subscription or management group. After completing the assignment, the custom policies will be available in the Regulatory compliance dashboard.
We have the new NIST SP 800-53 R5 that we can add too.
If we switch to the regulatory compliance dashboard, you can see the entire list of regulatory standards available in our environment; you can select any one of them, and it will take a couple of seconds to populate.
Then you can expand the compliance controls for a specific standard and see the compliance status for each control. If a control is greyed out, it is either not applicable or nothing has been assessed for it yet.
You can also download and export the reports. Select the regulatory standard that you want (e.g. NIST 800-53 R4) as shown in the figure and export it either as a CSV, which your security engineers will appreciate, or as a PDF, which gives a higher-level view that is more appropriate for management.
[!Important] – If the security controls for a specific regulatory standard are green (i.e. ISO 27001:2013), it means those assessments are currently passing; this does NOT ensure you are fully compliant with that control and regulation. Furthermore, not all controls for any particular regulation are covered by Defender for Cloud assessments, and therefore this report is only a partial view of your overall compliance status. You still need to work with your compliance department to complete the remaining controls (for example, Information security policies, Human resource security, Asset management, etc.) to be eligible to apply for ISO 27001:2013 certification.
[Updated – 21/11/2022] – Previously, any manual security controls in a standard that could not be automated were simply greyed out.
For example, for human resource security, there is really nothing Defender for Cloud can analyze in your resources to find out whether you are meeting the requirement, even though it is an ISO 27001 requirement, as shown in the figure below.
Now Microsoft has added these manual controls, which cover the manual actions you can take to meet these requirements. You can open the manual control and then click ‘Attest‘ as shown in the figure below.
Here you provide information about how you are meeting this control, add implementation details, and even add a link to the evidence. This might be documentation, for example showing how personnel with access to classified information are cleared.
Once you have entered all this information, click ‘Create’, and you have created an attestation for this control.
As you can see, the regulatory compliance dashboard will help you to focus your attention on the gaps in compliance with your chosen standards and regulations.
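The way the dashboard rolls assessments up into control and standard status, and why a green standard is not the same as full compliance, is easier to see in code. The following is an added illustration, not Microsoft's code: the record layout (an ARM-style id that carries the standard and control names, plus a `properties.state`) is an assumption modelled on the shape of regulatory compliance assessment resources, the aggregation rules are this example's own, and the sample records and attestation evidence links are constructed.

```python
"""Roll up Defender for Cloud regulatory-compliance assessments into per-control
and per-standard status, the way the regulatory compliance dashboard shows them.

Added illustration, not Microsoft code. The record layout is an ASSUMPTION
modelled on regulatoryComplianceAssessments resources (an ARM-style id naming the
standard and control, and a properties.state); all sample data is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

STANDARD_RE = re.compile(r"/regulatoryComplianceStandards/([^/]+)", re.IGNORECASE)
CONTROL_RE = re.compile(r"/regulatoryComplianceControls/([^/]+)", re.IGNORECASE)

# Placeholder subscription id, constructed for the sample records.
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/providers/Microsoft.Security/regulatoryComplianceStandards/")


def _rec(standard, control, name, state):
    """Build one constructed assessment record in the assumed layout."""
    return {
        "id": f"{_PREFIX}{standard}/regulatoryComplianceControls/{control}"
              f"/regulatoryComplianceAssessments/{name}",
        "properties": {"state": state},
    }


SAMPLE_RECORDS = [  # constructed sample
    _rec("NIST-SP-800-53-R4", "AC-2", "a1", "Passed"),
    _rec("NIST-SP-800-53-R4", "AC-2", "a2", "Passed"),
    _rec("NIST-SP-800-53-R4", "AC-3", "a3", "Passed"),
    _rec("NIST-SP-800-53-R4", "AC-3", "a4", "Failed"),
    _rec("NIST-SP-800-53-R4", "AC-17", "a5", "Unsupported"),
    _rec("NIST-SP-800-53-R4", "AU-2", "a6", "Skipped"),
    _rec("NIST-SP-800-53-R4", "AU-2", "a7", "Passed"),
    _rec("ISO-27001-2013", "A.7.1.1", "a8", "Unsupported"),  # human resource security
    _rec("ISO-27001-2013", "A.8.1.1", "a9", "Unsupported"),  # asset management
    _rec("ISO-27001-2013", "A.9.1.1", "a10", "Passed"),
]

# Manual attestations keyed by (standard, control); evidence link is constructed.
SAMPLE_ATTESTATIONS = {
    ("ISO-27001-2013", "A.7.1.1"): "https://example.invalid/evidence/hr-screening.pdf",
}


@dataclass(frozen=True)
class ControlStatus:
    standard: str
    control: str
    state: str  # Passed | Failed | Unsupported (greyed out) | Attested
    passed: int
    failed: int
    skipped: int
    unsupported: int
    evidence: str = ""


def parse_record(record):
    """Extract (standard, control, state) from one assessment record."""
    rid = record["id"]
    std, ctl = STANDARD_RE.search(rid), CONTROL_RE.search(rid)
    if not std or not ctl:
        raise ValueError(f"not a regulatory compliance assessment id: {rid}")
    return std.group(1), ctl.group(1), record["properties"]["state"]


def _control_state(counts, attested):
    """Rule used here: an attestation takes precedence; otherwise any failed
    assessment fails the control, any passed one passes it, and a control with
    only Unsupported/Skipped assessments stays greyed out (Unsupported)."""
    if attested:
        return "Attested"
    if counts["Failed"]:
        return "Failed"
    if counts["Passed"]:
        return "Passed"
    return "Unsupported"


def summarize(records, attestations=None):
    """Group assessments by standard and control and compute each control's state."""
    attestations = attestations or {}
    counts = defaultdict(lambda: defaultdict(int))
    for record in records:
        standard, control, state = parse_record(record)
        counts[(standard, control)][state] += 1
    summary = defaultdict(dict)
    for (standard, control), c in counts.items():
        evidence = attestations.get((standard, control), "")
        summary[standard][control] = ControlStatus(
            standard, control, _control_state(c, bool(evidence)),
            c["Passed"], c["Failed"], c["Skipped"], c["Unsupported"], evidence)
    return summary


def compliance_score(summary, standard):
    """Percent of assessed controls that pass: passed (incl. attested) over
    passed + failed. Greyed-out controls are excluded from the denominator,
    which is why a high score does not prove full compliance."""
    controls = summary.get(standard, {}).values()
    passed = sum(1 for c in controls if c.state in ("Passed", "Attested"))
    failed = sum(1 for c in controls if c.state == "Failed")
    if passed + failed == 0:
        return None
    return round(100.0 * passed / (passed + failed), 1)


def gaps(summary, standard):
    """Controls with at least one failing assessment: where to focus first."""
    return sorted(c.control for c in summary.get(standard, {}).values()
                  if c.state == "Failed")


def uncovered(summary, standard):
    """Controls with neither an automated assessment nor an attestation: the
    part of the standard your compliance department still has to cover."""
    return sorted(c.control for c in summary.get(standard, {}).values()
                  if c.state == "Unsupported")


if __name__ == "__main__":
    report = summarize(SAMPLE_RECORDS, SAMPLE_ATTESTATIONS)
    for standard in sorted(report):
        print(f"{standard}: score={compliance_score(report, standard)}% "
              f"gaps={gaps(report, standard)} uncovered={uncovered(report, standard)}")
```

In the constructed sample, ISO 27001 scores 100% because the one automated control passes and the human resource security control has an attestation, yet asset management (A.8.1.1) is still uncovered; that is exactly the situation the important note above warns about, and `uncovered()` is the list to hand to the compliance department.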
Microsoft Sentinel, as we just mentioned, exists to collect security data so that we can detect threats, investigate, and respond. It provides a cloud-native SIEM that collects all that data and facilitates detection, investigation, and response, so that your Security Operations Center (SOC) or your security engineers can give you that information up front.
Unlike Microsoft Defender for Cloud, Microsoft Sentinel is not onboarded by subscription; it is onboarded by Log Analytics workspace. The overview dashboard is large and shows the events, incidents, and alerts coming from the different data sources.
But what we want to highlight here for this particular purpose is sticking to our compliance. There is a new solution under the ‘Content hub‘ page which is called ‘Cybersecurity Maturity Model Certification (CMMC) 2.0‘. It’s going to deploy all the analytics rules, the playbook, and the workbook so you don’t have to go individually and map that out.
You can actually deploy that by launching Microsoft Sentinel > Content Hub > Search “CMMC 2.0” > Install > Create > Configure Options > Review + Create and have it come through and it will be done in seconds versus hours.
We have already deployed it for the purpose of this article; the workbook is what we want to highlight, so let’s look at what it looks like.
You launch the workbook by clicking on ‘View saved workbook‘. Select the getting started guide, which gives you step-by-step instructions on how to onboard it.
Start by setting the desired subscription, workspace, and time range. You can reduce the default time range because the workbook chunks through a lot of data (e.g. the last 24 hours instead of the last 7 days); it is fully customizable.
Then you will be able to set the level that you want (i.e. Posture Assessment) and the desired Control Family. In this example, we need to assess our risk and security.
The posture assessment section provides a mechanism to find, fix, and resolve CMMC recommendations aligned to NIST SP 800-171 R2. Once selected, the panels will summarize CMMC 2.0 recommendations by control family, status over time, recommendations, and resources identified. These panels are helpful for identifying the CMMC 2.0 control areas of interest, status over time, and which resources are most impacted by these vulnerabilities.
The CMMC 2.0 recommendation details provide a mechanism to identify specific recommendation details with deep links to pivot to Microsoft Defender for Cloud: Regulatory Compliance for remediation.
As you select more control sections, such as access control, you get the same type of information, so that you have a one-stop picture. You can filter through all that data and pull out the information you need for the assessment.
At any point in time, you can print and export the report by opening the CMMC 2.0 Workbook > Select Subscriptions/Workspaces/Time Range > Select Options.
The workbook prints what is visible, which is useful for custom reporting requirements. Print or export the report by clicking on the ellipsis More Content Actions (…) > Print Content, as shown in the figure below.
In this article, we discussed how you can accelerate and achieve compliance with Microsoft security solutions that are available at your disposal.
You may have noticed there are two different compliance tools, depending on whether you use Microsoft 365 or Microsoft Azure. While there are currently two different tools, they are not mutually exclusive. Holistic compliance with CMMC requires the use of both Compliance Manager and Microsoft Defender for Cloud.
You deploy the Compliance Manager with the Assessment Template for CMMC for coverage of Microsoft 365 products and features, such as Office 365 and Enterprise Mobility & Security. This includes coverage for most SaaS offerings. You will also want to deploy the Microsoft Defender for Cloud with the Azure Policy Initiative for CMMC 2.0 Level 2 (NIST SP 800-171) for coverage of Azure IaaS and PaaS offerings. At the time of this writing, you will need to leverage both solutions for CMMC compliance.
Microsoft Sentinel may serve as a single pane of glass overlaying both Microsoft 365 and Microsoft Azure, as discussed in this article.
The Microsoft Sentinel: Cybersecurity Maturity Model Certification (CMMC) 2.0 is a new solution that enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness of cloud workload security posture.
This solution is designed to augment staffing through automation, visibility, assessment, monitoring, and remediation. This solution includes one Workbook for build/design/assessment/reporting, two Analytics rules for monitoring, and three Playbooks for response/remediation.
The CMMC 2.0 model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD) stakeholders.
Please note that CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced, and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
For more information, please check the official CMMC 2.0 page (securing the defense industrial base).
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.