Microsoft Purview and Microsoft 365 are part of my comfort zone. But for this article, I decided to go a bit beyond this. So for this article and video (see below) I’m looking at Microsoft Defender for Cloud.
According to Microsoft:
Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources. Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises.
Source: https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction
But Microsoft Defender for Cloud goes beyond this. It also gives you insights into the regulatory compliance posture of your cloud workloads. So time to take a look.
Microsoft Purview Compliance Manager
Wait: why are we going to the Compliance Manager? This is because the regulatory compliance components in Microsoft Defender for Cloud and Microsoft Purview Compliance Manager are somewhat similar. Both allow you to select specific regulations and both will provide you with improvement actions.
And the Compliance Manager also includes specific assessments for Azure. So it makes sense to look at these first. And for this, I’ve looked at the ISO27001 assessment for Azure.
What stands out is the lack of detail. The Compliance Manager mostly provides high-level (technical, operational, or documentation) recommendations. As the Compliance Manager cannot scan the Azure environment(s), it cannot give detailed recommendations or improvement actions.
Having said this, the Compliance Manager does provide more than 700 assessment templates (most premium), including GDPR, which Microsoft Defender for Cloud does not offer.
But in the end, if you want specific recommendations and insight into your regulatory compliance posture for the cloud workloads, go to Microsoft Defender for Cloud.
Microsoft Defender for Cloud
At first glance, the goal for Microsoft Defender for Cloud is clear: to get an insight into your workloads and the security posture of your environment. And right away you will notice that this is a multi-cloud platform: Azure, AWS, and GCP are part of the scope.
Beneath the heading “Cloud Security” you will find the part we’re interested in: regulatory compliance. Let’s take a closer look. The dashboard shows you the assessments (or regulatory standards) that have been added to Defender for Cloud. By default, the Azure Security Baseline V3 is displayed.
Every assessment (or regulatory standard) has specific compliance controls. And these are displayed below the selected assessment. When these are all green, then you have nothing to worry about. But any red ones should be taken seriously. You can open up any control to see the recommendations and affected cloud resources.
Keep in mind
There are some aspects to keep in mind when looking at these controls.
First off – in any cloud environment, the “Shared Responsibility” model is used. And Microsoft Azure is no different. So each control is annotated MS, C, or both (MS: Microsoft | C: Customer). This is much the same in the Compliance Manager.
Controls are greyed out or not visible
Controls that are Microsoft’s responsibility are not displayed in detail. And if a category contains only controls that the customer cannot affect at all, then that category is greyed out.
The first time you see the Defender for Cloud dashboard, remember that this is a point-in-time assessment. It shows you the details of that point in time. If you want a more continuous overview and also a historical reference to the controls, you will need to use the “Compliance over time workbook”.
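Because the dashboard is a point-in-time view, a practitioner usually wants two things the portal does not hand over directly: the list of red controls that are actually the customer’s to fix (Microsoft-only ones are greyed out), and a comparison between two snapshots to see which controls regressed or improved. The script below is an added example, not code from the original post or from Microsoft. Its input layout is a constructed approximation of the Regulatory Compliance Controls REST resource (a name plus a properties object with state, passedAssessments, failedAssessments and skippedAssessments); the “responsibility” property is an assumption introduced here to model the MS / C annotation seen on the dashboard, and the two snapshots are constructed sample data.

```python
"""Summarise and compare Defender for Cloud regulatory compliance snapshots.

Added example, not code from the original post or from Microsoft. The
snapshot layout is a constructed approximation of the Regulatory
Compliance Controls REST resource (each item has a name and a
properties object with state, passedAssessments, failedAssessments and
skippedAssessments). The "responsibility" property is an assumption
introduced here to model the MS / C annotation seen on the dashboard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    state: str            # modelled on the API: Passed, Failed, Skipped, Unsupported
    responsibility: str   # "MS", "C" or "MS+C" (assumed field)
    passed: int           # assessments that passed
    failed: int           # assessments that failed
    skipped: int          # assessments that were skipped


def _control(control_id, description, state, responsibility, passed, failed, skipped):
    """Build one entry in the constructed snapshot format."""
    return {"name": control_id, "properties": {
        "description": description, "state": state, "responsibility": responsibility,
        "passedAssessments": passed, "failedAssessments": failed,
        "skippedAssessments": skipped}}


# Constructed sample data: two point-in-time exports of the same standard.
SNAPSHOT_DAY1 = {"value": [
    _control("A.9.2.3", "Management of privileged access rights", "Failed", "C", 2, 3, 0),
    _control("A.12.4.1", "Event logging", "Passed", "MS+C", 4, 0, 1),
    _control("A.11.1.1", "Physical security perimeter", "Unsupported", "MS", 0, 0, 0),
    _control("A.8.2.1", "Classification of information", "Failed", "C", 1, 1, 0),
]}
SNAPSHOT_DAY2 = {"value": [
    _control("A.9.2.3", "Management of privileged access rights", "Passed", "C", 5, 0, 0),
    _control("A.12.4.1", "Event logging", "Failed", "MS+C", 3, 1, 1),
    _control("A.11.1.1", "Physical security perimeter", "Unsupported", "MS", 0, 0, 0),
    _control("A.8.2.1", "Classification of information", "Failed", "C", 1, 1, 0),
]}


def parse_controls(snapshot: dict) -> list[Control]:
    """Flatten the snapshot into Control records, defaulting missing counters to 0."""
    controls = []
    for item in snapshot.get("value", []):
        p = item["properties"]
        controls.append(Control(
            control_id=item["name"],
            description=p.get("description", ""),
            state=p.get("state", "Unsupported"),
            responsibility=p.get("responsibility", "MS+C"),
            passed=int(p.get("passedAssessments", 0)),
            failed=int(p.get("failedAssessments", 0)),
            skipped=int(p.get("skippedAssessments", 0)),
        ))
    return controls


def customer_failures(controls: list[Control]) -> list[str]:
    """IDs of red controls the customer can act on (Microsoft-only ones are greyed out)."""
    return [c.control_id for c in controls
            if c.state == "Failed" and "C" in c.responsibility]


def compliance_ratio(controls: list[Control]) -> float:
    """Share of evaluated assessments that passed; skipped/unsupported ones are left out."""
    passed = sum(c.passed for c in controls)
    failed = sum(c.failed for c in controls)
    evaluated = passed + failed
    return passed / evaluated if evaluated else 1.0


def diff_snapshots(old: list[Control], new: list[Control]) -> dict[str, list[str]]:
    """Controls whose state flipped between two point-in-time assessments."""
    before = {c.control_id: c.state for c in old}
    after = {c.control_id: c.state for c in new}
    improved = [cid for cid in after if before.get(cid) == "Failed" and after[cid] == "Passed"]
    regressed = [cid for cid in after if before.get(cid) == "Passed" and after[cid] == "Failed"]
    return {"improved": improved, "regressed": regressed}


if __name__ == "__main__":
    day1, day2 = parse_controls(SNAPSHOT_DAY1), parse_controls(SNAPSHOT_DAY2)
    print("customer failures day 1:", customer_failures(day1))
    print("compliance ratio day 1: %.2f" % compliance_ratio(day1))
    print("changes since day 1:", diff_snapshots(day1, day2))
```

Feeding it the real controls export instead of the constructed snapshots only requires that the items carry the same name/properties shape; the ratio deliberately ignores skipped and unsupported assessments so that greyed-out Microsoft controls do not inflate or deflate the score.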
What can we do?
Working from the dashboard, you can see the controls and recommendations. You can use these to assign an owner for tracking and solving the potential problem. In some cases, you might have an Azure Logic App available that can remediate the problem. You can run this on the selected resources.
You can also export a summary of findings in PDF or CSV form. The PDF is very high level. But can be used effectively to scare people 🙂 If you want to get into the details, then download the CSV. It will include the entire assessment.
If the default assessments are not enough, you can add additional ones. Beware that this might have a licensing effect. You can add these by going to the Manage Compliance Policies setting, selecting your subscription, and editing the settings.
In this part, you’re able to add additional assessments. These are somewhat limited. But do keep in mind: these assessments will check if your cloud resources are compliant and will therefore save you a lot of time. Microsoft Netherlands even provides a specific assessment for the Baseline Informatiebeveiliging Overheid (BIO).
If you want to learn more, please follow these links.
In this video, I go through the settings and working of Microsoft Defender for Cloud.