Azure Security Compliance components

With just two essential Azure components, you can enable security auditing for your Azure environment using established security standards such as Azure CIS, NIST 800-53, ISO 27001 and PCI DSS.


Remediating the failed security controls identified by the audit is a completely different ball game: many manual tasks are required to make your environment as secure as the security standards dictate. We provide managed services that take care of those tasks, so talk to us!

NIST 800-53

The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security). It provides a process for selecting controls to protect organizations against cyberattacks, natural disasters, structural failures, and other threats.

For US government entities and others with compliance requirements based on NIST SP 800-53, the Azure implementation of this standard helps you proactively manage and monitor compliance of your Azure environments. This standard provides governance guardrails to help organizations assess specific NIST SP 800-53 R4 controls, and it enables you to use a core set of policies for any Azure-deployed architecture that must implement these controls.

These control mappings include:

  • Account management. Helps with the review of accounts that may not comply with an organization’s account management requirements.
  • Separation of duties. Helps in maintaining an appropriate number of Azure subscription owners.
  • Least privilege. Audits accounts that should be prioritized for review.
  • Remote access. Helps with monitoring and control of remote access.
  • Audit review, analysis, and reporting. Helps ensure that events are logged and enforces deployment of the Log Analytics agent on Azure virtual machines.
  • Least functionality. Helps monitor virtual machines where an application white list is recommended but has not yet been configured.
  • Identification and authentication. Helps restrict and control privileged access.
  • Vulnerability scanning. Helps with the management of information system vulnerabilities.
  • Denial of service protection. Audits if the Azure DDoS Protection standard tier is enabled.
  • Boundary protection. Helps with the management and control of the system boundary.
  • Transmission confidentiality and integrity. Helps protect the confidentiality and integrity of transmitted information.
  • Flaw remediation. Helps with the management of information system flaws.
  • Malicious code protection. Helps with the management of endpoint protection, including malicious code protection.
  • Information system monitoring. Helps with monitoring a system by auditing and enforcing logging across Azure resources.

Each control category listed above is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a 1:1 or complete match between a control and one or more policies. As such, Compliant refers only to the Azure policies themselves; this doesn’t ensure you’re fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren’t addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status.


CIS Microsoft Azure Foundations Benchmark

CIS® (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.

The CIS Controls® and CIS Benchmarks™ are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals.

The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. Its scope is designed to assist organizations in establishing the foundation level of security for anyone adopting the Microsoft Azure cloud. 

The following configuration profiles are defined by this Benchmark:

  • Level 1. Items in this profile are intended to:
    • be practical and prudent;
    • provide a clear security benefit; and
    • not inhibit the utility of the technology beyond acceptable means.
  • Level 2. This profile extends the “Level 1” profile. Items in this profile exhibit one or more of the following characteristics:
    • are intended for environments or use cases where security is paramount;
    • act as a defense-in-depth measure;
    • may negatively inhibit the utility or performance of the technology.

Our Managed Azure Compliance Services focus mostly on Level 1.

For a list of all the CIS security controls, please see the official site.

PCI DSS

PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. The scope of the PCI DSS includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.

  • If you’re a Level 1 merchant, your environment must be validated by a Qualified Security Assessor (QSA). A QSA is a firm or an individual that is approved by the PCI Security Standards Council to validate PCI environments and give the seal of approval. Please note that NovaQuantum is NOT a QSA at this time.
  • If you’re a Level 2 merchant or lower, you can validate your environment by filling out the Self-Assessment Questionnaire.

ISO 27001

The ISO/IEC 27000 family of standards helps organizations keep information assets secure. ISO/IEC 27001 is a security standard that outlines and provides the requirements for an information security management system (ISMS). It specifies a set of best practices and details a list of security controls concerning the management of information risks.

While the 27001 standard does not mandate specific information security controls, the framework and checklist of controls it lays out allows NovaQuantum to ensure a comprehensive and continually improving model for security management for our Managed Azure Security customers.


Azure Security Compliance FAQ

Q: What are the costs related to the implementation of the Azure Security Compliance Policies?

A: Azure Security Compliance costs are based on the following paid Azure services and efforts:

  1. Enabling the Compliance Policies in Azure is free of charge, but to make use of all the features and act on the remediation tasks required to become compliant, the Azure Security Center Standard tier needs to be enabled on your subscription.

Sample monthly pricing for an environment running 24×7:

  Number of VMs                    5         10        20        50          100
  Number of SQL servers            1         3         5         7           10
  Storage Accounts transactions    20k       60k       150k      300k        1000k
  Total cost per month ($CAD)      $114.6    $250.2    $505.2    $1,095.3    $2,144.4

  2. Another cost to take into consideration is the number of alerts for policy violations and resource health.

Sample monthly pricing for an environment running 24×7:

  Security Alerts                  100 policy alerts    100 policy alerts    200 policy alerts
  Health Alerts                    20                   100                  500
  Total cost per month ($CAD)      $15.36               $25.6                $89.6

  3. Initial deployment and configuration of your custom security policies – This is the effort associated with the initial creation of the security framework you want to be compliant with: not all the security policies available in Azure by default make sense for your particular environment, as some of them could impede your normal management operations, for example. It also covers the creation of all the alerts for policy violations and other health alerts for your critical services, and creating and implementing the remediation plan for any policy violations. NovaQuantum provides support for the full development life-cycle of security policies and remediation tasks involved in securing your environment.
  4. On-going management – This is the effort required for daily support of the Azure Security Compliance service, monitoring of log sources and policy violations, and on-going alert tune-up; it is covered by the monthly management fee charged by managed Azure providers like us.

Q: Can you guarantee 100% compliance with the above-mentioned standards?

A: We will enable and remediate (if agreed by the customer) all the security controls available in Azure for the compliance framework(s) that you choose. Most security compliance frameworks have not only technical components but also business processes and procedures that need to be compliant, for which the customer alone is responsible. One notable exception is Azure CIS, which has only technical controls, and those we can control 100%.

Each security control is associated with one or more Azure features/services. These features/services may help you assess compliance with the control; however, there often is not a 1:1 or complete match between a control and one or more platform features. As such, Compliant in Azure refers only to the policies themselves; this doesn’t ensure you’re fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren’t addressed by any Azure platform features at this time. Therefore, compliance in Azure is only a partial view of your overall compliance status.
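As an added illustration of the partial-view caveat made in the NIST 800-53 section and again in this answer (example code, not NovaQuantum's or Microsoft's): a small Python script that rolls per-policy compliance states up to a per-control status, treating a control with no mapped policy as not assessed rather than compliant. The control-to-policy mapping, the policy names and the compliance states are constructed sample data shaped like what Azure Policy reports, not real Azure Policy definition IDs.

```python
from collections import Counter

# Constructed control-to-policy mapping (added example; the policy names are
# invented, not Azure's real policy definition names).  An empty list models a
# control the standard includes but no Azure Policy definition addresses.
CONTROL_MAP = {
    "AC-2 Account management": ["deprecated-accounts-removed", "external-accounts-removed"],
    "AC-5 Separation of duties": ["max-3-owners", "min-2-owners"],
    "AC-17 Remote access": ["jit-network-access"],
    "SC-5 Denial of service protection": ["ddos-standard-enabled"],
    "PL-4 Rules of behavior": [],  # constructed: a process control no policy maps to
}

# Constructed per-policy compliance state, in the form Azure Policy reports it.
POLICY_STATE = {
    "deprecated-accounts-removed": "Compliant",
    "external-accounts-removed": "Compliant",
    "max-3-owners": "Compliant",
    "min-2-owners": "NonCompliant",
    "ddos-standard-enabled": "Compliant",
    "jit-network-access": "Compliant",
}


def control_status(policies, state=POLICY_STATE):
    """Roll the mapped policies' states up to one control status.

    'NotAssessed' when no policy maps to the control, 'NonCompliant' if any
    mapped policy fails or has no recorded state, else 'Compliant'.  Note that
    'Compliant' means only that the mapped policies pass, not that every
    requirement of the control is met.
    """
    if not policies:
        return "NotAssessed"
    if any(state.get(p) != "Compliant" for p in policies):
        return "NonCompliant"
    return "Compliant"


def coverage_report(control_map=CONTROL_MAP, state=POLICY_STATE):
    """Per-control statuses, a count per status, and the fraction of
    controls that at least one policy assesses (the 'partial view')."""
    statuses = {c: control_status(p, state) for c, p in control_map.items()}
    assessed = sum(s != "NotAssessed" for s in statuses.values())
    return statuses, dict(Counter(statuses.values())), assessed / len(statuses)


if __name__ == "__main__":
    statuses, counts, coverage = coverage_report()
    for control, status in statuses.items():
        print(f"{status:12} {control}")
    print(f"{coverage:.0%} of controls are assessed by at least one policy", counts)
```

Reporting "NotAssessed" separately keeps a control with no policy from silently counting as compliant, which is the gap the paragraph above describes.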

Q: I don’t need or understand what those security standards are, so why should I care about them?

A: Many small and medium businesses don’t need to be compliant with any of the mentioned standards, but compliance will make your Azure environment very secure and well protected. Enabling and continuously monitoring those security controls will give you confidence that your data is secure in the Cloud! As a best practice, we recommend that anyone running workloads in a public cloud like Azure use the CIS 1.1.0 security standard as a baseline for securing their environment.

Q: I am interested in the initial assessment and enablement of those security controls, but I am not interested in the ongoing maintenance of the compliance: can you offer me only this service?

A: Short answer: Yes, but… without ongoing maintenance of your security compliance, your Azure environment will very quickly be exposed to many security risks. Cloud environments are very dynamic, with resources and services/features being added, removed and modified quite often, so without keeping pace with all those changes the security controls we initially enabled will not stay effective for long.

Q: Could you perform a security assessment and remediation of any security flaws for the applications that we have running in Azure?

A: Not at this time, but we are always adding new services to our portfolio!

Q: Our environment is a hybrid environment with resources located on-premises and in Azure. Would you be able to audit and propose a remediation plan for all the resources?

A: Short answer: Yes, we can. Long answer: enabling non-Azure resources for security auditing using native Azure services requires the installation of local agents on those resources. We can assist and provide guidance in these situations, but the installation and distribution of the agents is entirely your responsibility.

Q: The remediation tasks required to enable the security controls for a given standard might disrupt the normal business or operational procedures we have in place. How can we avoid downtime and disruption of those procedures?

A: Our experienced security consultants will advise you whether any of the required changes will need an outage. You will always have the final say as to when, or if, those changes are acceptable to the business, and you can also choose to perform the changes yourself. Our proposal for remediation of the non-compliant resources will include a priority list and a risk score, so you will always know where to focus your technical resources.