Managed Azure Security services using security compliance* standards
*As defined by available technical Azure security controls only. We cannot control or manage any business processes or procedures that are related with any compliance framework.
The Public Cloud landscape (Azure, AWS, GCP) has created a fast, complex, and dynamic environment that is challenging to protect and secure. Traditional security measures were built for stable, full-stack controllable networks—not for fast-changing cloud-based environments.
When using any services provided by a Public Cloud provider, like Microsoft Azure, you need to understand the shared responsibility model for cloud computing. In an IaaS (Infrastructure as a Service) cloud service model, you are responsible for securing your applications, operating system, network configuration, identity, clients and data within Azure. Microsoft is responsible for the security of the platform, such as physical security, host infrastructure and protection of foundational services.
In order to provide a secure environment for your applications and data, industry best practices recommend the use of a recognized security standard (Azure CIS, PCI DSS, ISO 27001, NIST 800-53, and SOC TSP) to measure against and to secure your environment. While there are services provided by the Azure platform (like Azure Policies, Security Center, Azure Monitor) that can help you in this endeavor, their configuration and continuous operation will require a substantial effort on your part.
What’s included in our Managed Azure Security service:
- Perform an initial assessment of the existing infrastructure and identify the critical components
- Enable auditing of the environment against one of the following regulatory standards: Azure CIS 1.1.0 (only this standard is available as of January 2020, more to come soon), NIST SP 800-53 Rev4, PCI DSS 3.2, ISO 27001, and SOC TSP.
- Create a custom security policy that uses only the high-value/low risk items identified and agreed upon by the customer.
- Provide continuous monitoring and remediation (only if agreed by the customer, for controls that have no impact on environment availability–about 60 controls for CIS) of policy violations
- Provide monthly/weekly reports of the compliance status
- Provide advanced alerting (integration with customer ticketing system) for policy violations
- Create best-of-breed, enterprise-level-tested, alerts for all the essential Azure services used in a particular environment
- Create a custom operational dashboard for monitoring critical Azure components
- The security controls available in Azure don’t necessarily map 1:1 to security controls defined in the actual Security Standards, and some of them are not even made available for auditing by the Azure platform. Our services can audit and control only what security controls Azure platform is making available via it’s Azure Policies, with the exception of Azure CIS standard, where we’ve done extensive custom development work to enable all the controls defined in the standard (over 100 vs only 48 available by default).
One of the most comprehensive security standard that we recommend for the majority of our customers is the CIS Microsoft Azure Foundations Security Benchmark. This standard has been designed with Azure Security in mind for the Azure platform and unless your business is required to use on the most formal standards, like ISO 27001, NIST 800-53 or PCI DSS, look no further than this. The standard has over 111 security controls that should be audited, but at this time (March 2020) only 48 of them are available by default in Azure Policy built-in policies. The remaining 60 controls need manual intervention: our extensive development work gave us the possibility to audit over 100 security controls of the standard! At the same time, we can enable automatic remediation of over 60 controls that have been identified as having zero risk to your production environment.
We bring our 20+ years of experience in IT security to provide a customized compliance and remediation service, based on large enterprise level projects, so you’ll know how where to focus your valuable technical resources. Part of our managed security service, we will identify for you the priority for any remediation tasks and the risk associated with their implementation.
For more details please read our Blog post: FAQ for Azure Managed Security Services