Azure Security Compliance FAQ
Q: What are the costs related with the implementation of the Azure Security Compliance Policies?
A: Azure Security Compliance costs are based on the following paid Azure services:
- One cost to take in consideration is the number of alerts for policy violations and resource health.
Sample monthly pricing for an environment running 24×7:
|Security Alerts||100 policy alerts||100 policy alerts||200 policy alerts|
|Total cost per month ($CAD)||$15.36||$25.6||$89.6|
- Initial deployment and configuration of your custom security policies – This is the effort associated with the initial creation of the security framework that you want to be compliant with: not all the security policies available in Azure by default would make sense for your particular environment as some of them could impede your normal management operations, for example. Creation of all the alerts for policy violations and other health alerts for your critical services. Creating and implementing the remediation plan for any policy violations. Novaquantum provides support for the full development life-cycle of security policies and remediation tasks involved in securing your environment.
- On-going management – This is the effort required for daily support of the Azure Security Compliance service, monitoring of log sources, policy violations and on-going alerts tune-up and is covered by monthly management fee charged by managed Azure providers like us.
- One other (optional) cost is the Azure Standard Security Center implementation. The default Free version of the Azure Security Center should cover 90% of the regular customer’s needs, but your particular case might require extra security controls to be enabled, which will incur extra charges from Azure.
Q: Can you guarantee 100% compliance with the above mentioned standards?
A: We will enable and remediate (if agreed by the customer) all the security controls available in Azure for the compliance framework(s) that you choose. Most of the security compliance frameworks have not only technical components, but business processes and procedures that need to be compliant as well, for which the customer alone is responsible. One notable exception is Azure CIS that has only technical controls which we can control 100%.
Each security control is associated with one or more Azure feature/service. These features/services may help you assess compliance with the control; however, there often is not a 1:1 or complete match between a control and one or more platform feature. As such, Compliant in Azure refers only to the policies themselves; this doesn’t ensure you’re fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren’t addressed by any Azure platform features at this time. Therefore, compliance in Azure is only a partial view of your overall compliance status.
Q: I don’t need or understand what those security standards are, so why should I care about them?
A: Many small and medium businesses don’t need to be compliant with any of the mentioned standards, but the compliance will enable your Azure environment to be very secure and protected. The enablement and continuous monitoring of those security controls will give you confidence that your data is secure in the Cloud! As a best practice, we recommend to anyone having any workloads running in a public cloud like Azure, to use the CIS 1.1.0 security standard as a baseline for securing their environment.
Q: I am interested in the initial assessment and enablement of those security controls, but I am not interested in the ongoing maintenance of the compliance: can you offer me only this service?
A: Short answer: Yes, but…without ongoing maintenance of your security compliance, your Azure environment will be very fast exposed to a lot of security risks. Cloud environments are very dynamic with resources and services/features being added, removed and modified quite often, so without keeping pace with all those changes, your initial security controls that we enabled will not be very effective.
Q: Could you perform a security assessment and remediation of any security flaws for the applications that we have running in Azure?
A: Not at this time, but we are always adding new services to our portfolio!
Q: Our environment is a hybrid environment with resources located on-premise and in Azure, would you be able to audit and propose a remediation plan for all the resources?
A: Short answer: Yes, we can. Long answer: enabling non-Azure resources for security auditing using native Azure services, requires the installation of local agents on those resources. We can assist and provide guidance in this situations, but the installation and distribution of the agents is your responsibility entirely. This particular case will involve a custom quote from us, as it is not part of the standard service offering.
Q: All the remediation tasks that are required to enable the security controls for any given standard, might disrupt our normal business or operational procedures that we have in place: how can we avoid any downtime and disruption of those procedures?
A: Our experienced security consultants will advise you if any of the changes required will require an outage or not. You will always have the final say as to when or if those changes are acceptable to the business. You can choose as well to perform the changes yourself. Our proposal for remediation of the non-compliant resources will include a priority list and a risk score, so you will always know where you should focus your technical resources.