I’ve been following the development of the Azure Security Center (ASC) from the very beginning, since its birthday. We can debate whether ASC’s birthday is the date it was announced or the date it went into Public Preview – the first is September 29th, 2015, and the latter is December 1st in the same year – but one thing is sure: I am always excited to see new features added to ASC. The journey was a long one and it is not over. Security is an extremely important and delicate cog in Azure (well, not just in Azure but in every aspect of computing), and it took a lot of challenging work to get here from where it was.
Just for the sake of curiosity, compare how the Azure Security Center looked in December 2015 with how it looks today, in February 2019.
Azure Security Center in December 2015
Azure Security Center in February 2019
Why am I telling you this? Because ASC is always improving and getting better and better at protecting your Azure environment.
Recently, two weeks ago, Azure Security Center became richer with another feature – the Regulatory compliance dashboard.
What does regulatory compliance mean and why should you care? Compliance, or being compliant, means meeting the requirements of a policy, standard or rule, while regulatory compliance means aligning with or conforming to policies, regulations, and laws. Often, when the term regulatory compliance is mentioned, it refers to a regulation or a standard, but it can refer to a law as well. So, you might ask, why do we need standards if there are laws that define information security? Many countries have security-related laws, but they are often loosely defined and address security topics from a wide angle, covering a bigger audience, that is, all people and organizations. These laws do define important topics such as retention of important documents or management of sensitive and personal information, but they fail to define numerous security issues in detail, like risk management. Standards and regulations fill the uniformity gap and add the detailed, industry-specific security coverage that individuals and organizations need to follow to be considered secure, trusted, and worthy of doing business with.
The Regulatory compliance dashboard in Azure Security Center helps you get insight into the position of your Azure environment against the currently supported security standards: Azure CIS, ISO 27001, PCI DSS 3.2 and SOC TSP. I hope these won’t be the only supported standards; while I would like to see more standards supported in the future, I am happy these four important standards made it to the list.
To preview the Regulatory compliance dashboard, you need to set the Standard pricing tier of Azure Security Center for a subscription.
The Regulatory Compliance dashboard made its debut as the fourth entry under the Policy & Compliance section, and also on the ASC Overview dashboard, at the top, between Secure score and Subscription coverage, giving you an instant view of the list of least compliant regulatory standards and the number of rules affecting the score.
The Azure Security Center – Regulatory Compliance dashboard goes straight to the point, showing you the overall score of the regulatory compliance assessment as the number of failed and passed assessments, and as a percentage if you hover the pointer over the individual graph colors. To the right of the overall score, you’ll find the compliance status of individual regulatory standards and the number of rules that passed the assessment.
According to the information on the dashboard, an additional and very useful functionality, compliance reporting features, will be incorporated in the compliance blade too.
Each regulatory standard has a list of controls, and each control has a list of compliance rules. If a control is green, it means all the rules within that control have passed the assessment and are green as well. If a control is red, at least one rule under that control is red and did not pass the assessment.
If you expand a rule, you’ll see the individual assessments, resource type, total resources affected and a graphical representation of the assessment results.
There is also a third color, grey, telling you that either the compliance assessment is not yet supported or it is not applicable. In the screenshot below, control 2.8 is grey because there is no Web Application Firewall to evaluate at the moment.
Resolving an issue is easy – clicking on an assessment name takes you right to the blade where you can resolve the problem, such as installing the monitoring agent on a virtual machine or identifying which virtual machines need updating and installing the missing updates.
Compliance issues can also be resolved from the All tab, where the recommendations are grouped and show which standards are affected by a particular assessment or recommendation.
Furthermore, the data from the ASC Regulatory Compliance dashboard will be available in the Compliance Manager, aggregating the data from Azure and Office 365 environments in one convenient place, from where you can improve data protection and compliance further, following the recommendations.
Improving the compliance of an Azure environment using Azure Security Center is greatly simplified. Fast and effective, with the Regulatory Compliance blade, compliance can be significantly improved, directly within the dashboard.