Azure tools for Governance and Accreditation

Stuart Hoff
Nov 7, 2022


The world is very busy right now dealing with cybercrime. It is prevalent in business and personal lives, affecting the way we behave and interact with others physically and digitally.

Professionally, we should be proactive about security, both in the solutions that we create and the procedures that we follow. For many organisations this is a regulated requirement that is audited periodically. Compliance with regulatory standards such as Sarbanes-Oxley, the General Data Protection Regulation, or the Health Insurance Portability and Accountability Act is often mandatory and requires strict adherence to rules of governance, with hefty fines for those found to be non-compliant.

Certification for the ISO 27000 family is another badge for an organisation to prove that they are achieving industry standards in information technology security. Compliance with this standard is not always mandatory but helps to create trust, while bringing knowledge and expertise into the organisation.

Regulations and certifications are both broad and complex, and a daunting task for any who embark on the journey. Specialist knowledge in each area is sought in order to bring an organisation in line, create plans and methodologies, and to document standard operating procedures along with guidance on training.

Fortunately, Azure has a service that takes much of the heavy lifting out of securing the cloud environment. Azure Defender for Cloud can be used to work towards, or demonstrate, compliance against various regulations, and it is easy to set up and use.

Activating Azure Defender for Cloud

The first step to making your cloud environment not only compliant but also a lot safer is to activate Defender for Cloud. This is done from the Azure Portal by selecting Azure Defender for Cloud. There is a free plan, enabled as soon as you visit the Defender for Cloud page, which includes Secure Score, Security Policy and basic recommendations, and Network Security Assessment. This may be enough for less complex configurations, but to take advantage of the enhanced security features you can upgrade with a 30-day free trial.

[Figure: Azure Defender for Cloud]

Enhanced Security Features

On an upgraded plan for Defender for Cloud, you will have access to enhanced security features that deliver security management and threat protection across your Azure resources, including hybrid cloud workloads. This includes vulnerability assessments, alerts, access and application controls, and compliance analysis among other features.

[Figure: Enhanced features and costs]

The cost of enhanced security features is managed per resource, so you will only incur costs for the assets you have, and those which you choose to cover — you can switch these on or off.

In this article I will discuss the features and benefits of using Defender for Cloud to manage governance and accreditation, a capability that is part of the enhanced security features.

Governance

In order to prove compliance in Azure, steps are required to enable the policy or policies that need to be adhered to. This is done from the Azure Defender for Cloud portal, under Cloud Security — Regulatory Compliance.

Here you can see the policies that are in effect or click on ‘Manage compliance policies’ to add more. Select the subscription you wish to add policies to, then click on Security policy under Policy settings.

Azure Defender for Cloud includes some policies and allows others to be added manually. The default initiative (a collection of policies) is ASC Default, and more custom initiatives can be created to align with your requirements. However, this discussion will focus on policies only.

[Figure: Azure regulatory and compliance policies]

Microsoft cloud security benchmark is enabled by default, as it is part of the ASC Default initiative. The other policies available out of the box can simply be enabled, except ISO 27001, which is deprecated; the newer version needs to be added manually. Click on the blue ‘Add more standards’ button to find the list of policies that are available to be added and enabled on your subscription.

Once a policy is added, it will take some time to scan your environment before results are ready to review.

Remediations

The Azure Defender for Cloud dashboard will show a regulatory compliance overview, along with recommendations for your subscription to raise your secure score. To review recommendations by policy, click ‘Improve your compliance’ to be directed to the Regulatory Compliance page, or select the link from the left-hand menu.

[Figure: Regulatory Compliance overview]

Here you will see results for each policy, with categorisation and the ability to drill down within subcategories.

[Figure: Policy results page]

Each area will show the level of compliance — this may be the number of resources that are not compliant, with a link to the details of the control and the results in detail.

[Figure: Control details for compliance]

In some cases, Azure Defender for Cloud will include a Quick Fix option, detailing the steps taken — if you choose this, ensure you understand what steps will be actioned as it can incur a cost.

[Figure: Remediation and quick fix steps]

The goal here is to have full green bars, which allows you to export an audit report detailing every level of compliance for the given policy. When you achieve this, it is more than just a tick in the box: it is a closed padlock showing that your environment is secure. Which of the two matters more is up to you!
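As an added example (not code from the article), this is the per-control roll-up that the Regulatory Compliance page performs before it can show a full green bar, written against records in the shape returned by the Defender for Cloud regulatoryComplianceAssessments API. The sample records, their ISO 27001 style control numbers and the roll-up rules are constructed assumptions for illustration.

```python
# Added example, not from the article: roll up Defender for Cloud regulatory
# compliance results per control and decide whether a standard's bar is fully
# green. Record shape follows the Microsoft.Security
# regulatoryComplianceAssessments API; the records below are constructed.
from collections import defaultdict

# Constructed sample: what `az security regulatory-compliance-assessments list`
# returns for three controls, reduced to the fields used here.
SAMPLE_ASSESSMENTS = [
    {"control": "A.9.2.3", "name": "MFA should be enabled on accounts with owner permissions",
     "state": "Failed", "passedResources": 1, "failedResources": 2, "skippedResources": 0},
    {"control": "A.9.2.3", "name": "External accounts with owner permissions should be removed",
     "state": "Passed", "passedResources": 1, "failedResources": 0, "skippedResources": 0},
    {"control": "A.10.1.1", "name": "Storage accounts should enforce secure transfer",
     "state": "Passed", "passedResources": 3, "failedResources": 0, "skippedResources": 0},
    {"control": "A.12.6.1", "name": "Vulnerability assessment should be enabled on VMs",
     "state": "Skipped", "passedResources": 0, "failedResources": 0, "skippedResources": 4},
]

def summarise_controls(assessments):
    """Return {control: counts of passed/failed/skipped/unsupported assessments
    plus the total number of failing resources behind that control}."""
    summary = defaultdict(lambda: {"passed": 0, "failed": 0, "skipped": 0,
                                   "unsupported": 0, "failed_resources": 0})
    for a in assessments:
        row = summary[a["control"]]
        row[a["state"].lower()] += 1          # API states map onto counter names
        row["failed_resources"] += a["failedResources"]
    return dict(summary)

def control_state(row):
    """Assumed roll-up rule: one failed assessment fails the control; a control
    with no passed assessments at all is Skipped (not evidence of compliance)."""
    if row["failed"]:
        return "Failed"
    if row["passed"] == 0:
        return "Skipped"
    return "Passed"

def is_fully_green(assessments):
    """True only when every control is Passed, i.e. the report is ready to export."""
    return all(control_state(r) == "Passed" for r in summarise_controls(assessments).values())

def remediation_backlog(assessments):
    """Failing assessments as (control, name, failed resource count), worst first."""
    failing = [(a["control"], a["name"], a["failedResources"])
               for a in assessments if a["state"] == "Failed"]
    return sorted(failing, key=lambda t: -t[2])

if __name__ == "__main__":
    for control, row in summarise_controls(SAMPLE_ASSESSMENTS).items():
        print(f"{control}: {control_state(row)} ({row['failed_resources']} failing resources)")
    print("Fully green:", is_fully_green(SAMPLE_ASSESSMENTS))
```

Note that a control whose assessments are all Skipped keeps the bar from being fully green even with no failures, which is why skipped resources need attention before the audit export, not just the failing ones.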


Stuart Hoff

Lead Consultant at XAM Consulting, working in web application development, software engineering, AI, and cyber security.