Section 4 – Evaluate Governance Risk Compliance (GRC) technical strategies and security operations strategies – Design a regulatory compliance strategy

Posted by Harri Jaakkonen Posted on 17/08/2022 0 Comments on Section 4 – Evaluate Governance Risk Compliance (GRC) technical strategies and security operations strategies – Design a regulatory compliance strategy
Posted in Azure, Compliance, Microsoft Purview, Security

This is the fourth section to my SC-100 study guide and it will cover the following topics:

  • Interpret compliance requirements and translate into specific technical capabilities (new or existing)
  • Evaluate infrastructure compliance by using Microsoft Defender for Cloud
  • Interpret compliance scores and recommend actions to resolve issues or improve security
  • Design implementation of Azure Policy
  • Design for data residency requirements
  • Translate privacy requirements into requirements for security solutions

Table of Contents

Interpret compliance requirements and translate into specific technical capabilities (new or existing)

Governance – How is the organization’s security going to be monitored, audited, and reported? Design and implementation of security controls within an organization is only the beginning of the story. How does the organization know that things are actually working? Are they improving? Are there new requirements? Is there mandatory reporting? Similar to compliance there may be external industry, government or regulatory standards that need to be considered.

Risk – What types of risks does the organization face while trying to protect identifiable information, Intellectual Property (IP), financial information? Who may be interested or could leverage this information if stolen, including external and internal threats as well as unintentional or malicious? A commonly forgotten but extremely important consideration within risk is addressing Disaster Recovery and Business Continuity.

Compliance – Are there specific industry, government, or regulatory requirements that dictate or provide recommendation on criteria that your organization’s security controls must meet?

Make a baseline

Microsoft has a tool that identifies gaps in your organization across key domains, as defined in Governance methodology of the Microsoft Cloud Adoption Framework-organizational readiness, resource consistency, cost management, deployment acceleration, security baseline, and identity baseline.

Microsoft Cloud Adoption Framework Governance Benchmark Tool
This assessment identifies gaps in your organization across key domains, as defined in Governance methodology of the Microsoft Cloud Adoption Framework-organizational readiness, resource consistency, cost management, deployment acceleration, security baseline, and identity baseline.

Adopt CAF model and study the available documentation

CAF

The Microsoft Cloud Adoption Framework for Azure guides you through each consideration and implementation along the phases of your cloud adoption journey. Use the Cloud Adoption Framework across your organization to prepare decision makers, central IT, and the cloud center of excellence (CCoE) for your organization’s cloud adoption efforts.

Microsoft Cloud Adoption Framework for Azure – Cloud Adoption Framework
Proven guidance and best practices that help you confidently adopt the cloud and achieve business outcomes.

Well-Architected Framework

The Azure Well-Architected Framework provides a set of Azure architecture best practices (cost management, operational excellence, performance efficiency, reliability, and security) to help you build and deliver great solutions. The Well-Architected Framework outlines necessary considerations for the workload owner before initiating workload deployments.

PillarDescription
ReliabilityThe ability of a system to recover from failures and continue to function.
SecurityProtecting applications and data from threats.
Cost OptimizationManaging costs to maximize the value delivered.
Operational ExcellenceOperations processes that keep a system running in production.
Performance EfficiencyThe ability of a system to adapt to changes in load.

Azure Architecture Center

Reference architectures are templates of required components, and the technical requirements to implement them. Each reference architecture includes recommended practices, with considerations for scalability, availability, security, resilience, and other design aspects, including a deployable solution, or reference implementation. Reference architectures aid in accelerating deployment for a number of common scenarios.

Microsoft have released an consolidated center for different architectures, it’s an easy way to start the planning.

Azure Architecture Center – Azure Architecture Center
The Azure Architecture Center provides guidance for designing and building solutions on Azure using established patterns and practices.

If you choose “Browse Azure architecture” from the main page.

There you will find example guidance for integrating your On-premises AD securely to Azure AD.

Security best practices

Best practices help you build reliable, scalable, and secure applications in the cloud. They offer you guidelines and tips for designing and implementing efficient and robust systems, mechanisms, and approaches to onboard assets using Azure Arc, ARM templates, and various Azure products.

Security best practices and patterns – Microsoft Azure
This article links you to security best practices and patterns for different Azure resources.

Workload prioritizing

Featured Azure products provide information about the products that support your Azure strategy. Use proven combinations of Azure products and services to solve your business problems. Get started with documentation and reference architectures, follow best practices guidance for scenarios, and implement solutions for common workloads on Azure.

Define and prioritize workloads for cloud adoption – Cloud Adoption Framework
Use the Cloud Adoption Framework for Azure to learn how to define and prioritize workloads for a cloud adoption plan.

Microsoft Learn

Microsoft Learn is an online free training platform. Guided, interactive, hands-on Learn modules help you to gain required skills so you can implement, maintain, and support solutions in the cloud, including role-based training and learning paths for Azure developers, solution architects, and administrators.

Browse all – Learn
Learn new skills and discover the power of Microsoft products with step-by-step guidance. Start your journey today by exploring our learning paths and modules.

Technical tools to meet governance and compliance

CapabilityDescriptionMore information
Microsoft 365 Defender portalMicrosoft 365 Defender portal provides security administrators and other risk management professionals with a centralized hub and specialized workspace that enables them to manage and take full advantage of Microsoft 365 intelligent security solutions for identity and access management, threat protection, information protection, and security management.Microsoft 365 Defender portal
Microsoft Purview compliance portalMicrosoft Purview compliance portal provides easy access to the data and tools you need to manage your organization’s compliance needs.Microsoft Purview compliance portal
Microsoft Defender for CloudMicrosoft Defender for Cloud is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud – whether they’re in Azure or not – as well as on premises.Microsoft Defender for Cloud documentation
Management GroupsIf your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups.Organize your resources with Azure management groups
Azure PolicyAzure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.Azure Policy documentation
Azure BlueprintsAzure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with trust they’re building within organizational compliance with a set of built-in components — such as networking — to speed up development and delivery.Azure Blueprints documentation

Evaluate infrastructure compliance by using Microsoft Defender for Cloud

What regulatory compliance standards are available?

By default, every Azure subscription has the Azure Security Benchmark assigned. This is the Microsoft-authored, Azure-specific guidelines for security and compliance best practices based on common compliance frameworks.

Available regulatory standards:

  • PCI-DSS v3.2.1:2018
  • SOC TSP
  • NIST SP 800-53 R4
  • NIST SP 800 171 R2
  • UK OFFICIAL and UK NHS
  • Canada Federal PBMM
  • Azure CIS 1.1.0
  • HIPAA/HITRUST
  • SWIFT CSP CSCF v2020
  • ISO 27001:2013
  • New Zealand ISM Restricted
  • CMMC Level 3
  • Azure CIS 1.3.0
  • NIST SP 800-53 R5
  • FedRAMP H
  • FedRAMP M

ASC

Azure Security Center is located under Defender for Cloud https://portal.azure.com/#view/Microsoft_Azure_Security/ComplianceBlade

From here you can see the regulatory compliance status for your services

And you can download the report and edit Azure Policies to comply with the regulations.

ISO 27001:2013

PCI DSS 3.2.1

SOC TSP

Trust Services Criteria (TSC) replaced “Trust Services Principles (TSP)” for SOC reporting.

Removing or adding an applied policy

Under Security policy you can disable the default out of the box policies and add more.

Permissions needed

Security ReaderView permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.39bc4728-0917-49c7-9d2c-d95423bc2eb4
Resource Policy ContributorUsers with rights to create/modify resource policy, create support ticket and read resources/hierarchy.36243c78-bf99-498c-9df9-86d9f8d28608


Interpret compliance scores and recommend actions to resolve issues or improve security

Purview Compliance manager

Compliance is based on organization industry or customer requirements.

Compliance improves your security posture. It will help you define baseline for security requirements, but also minimize costs during possible breaches and lost of classified internal data.

Microsoft made and Compliance Manager portal that has standards based on industry and regulations.

The following compliance templates are available in the following subscriptions.

License TypeAssessment Templates (included by default)
Microsoft 365 or Office 365 A1/E1/F1/G1Data Protection Baseline
Microsoft 365 or Office 365 A3/E3/F3/G3
Microsoft 365 or Office 365 A5/E5/G5Data Protection Baseline
Microsoft 365 A5/E5/F5/G5 ComplianceEU GDPR
Microsoft 365 A5/E5/F5/G5 eDiscovery and AuditNIST 800-53
Microsoft 365 A5/E5/F5/G5 Insider Risk ManagementISO 27001
Microsoft 365 A5/E5/F5/G5 Information Protection and GovernanceCustomer Assessments
CMMC Level 1-5 (only available for G5)

And there is also premium templates available for purchase.

Microsoft Purview Compliance Manager templates list – Microsoft Purview (compliance)
Microsoft Purview Compliance Manager provides templates for building assessments that align to national, regional, and industry regulations, standards, and laws.

And premium templates are available in all subscriptions. There was a change at 7/2021 from Microsoft.

“To meet customers where they are in their compliance journey, we are excited to announce that Compliance Manager premium assessment templates will no longer require a Microsoft 365 E5 or Office 365 E5 license as a prerequisite. This update enables all enterprise customers to assess compliance with the regulations most relevant to them and meet their unique compliance needs. Starting July 1st, 2021, all Enterprise customers, both commercial and government, can purchase premium assessment templates as long as they have any Microsoft 365 or Office 365 subscription.”

Use Premium Assessments in Microsoft Compliance Manager to Meet Your Regulatory Compliance Needs
The pandemic has permanently changed how organizations of all sizes work. A substantial increase in hybrid and remote work has presented new compliance challenges, and organizations have responded by growing their compliance functions. A recent study shows that there were 257 average daily regulator…

So, there is many points why to use Compliance Manager.

  • Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet your unique compliance needs.
  • Workflow capabilities to help you efficiently complete your risk assessments through a single tool.
  • Detailed step-by-step guidance on suggested improvement actions to help you comply with the standards and regulations that are most relevant for your organization. For actions that are managed by Microsoft, you’ll see implementation details and audit results.
  • A risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.

Compliance Manager Secure Score.

Your initial score is calculated according to the default Data Protection Baseline assessment provided to all organizations. Upon your first visit, Compliance Manager is already collecting signals from your Microsoft 365 solutions. You’ll see at a glance how your organization is performing relative to key data protection standards and regulations, and see suggested improvement actions to take.


You can also add your own assessment from the templates. Be default the following assessment is enabled in every tenant.

And when you click add you create from a template.

I will choose CIS Microsoft 365 Foundations Benchmark which has two levels.

  • Level 1—Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Level 2—Recommended security settings for highly secure environments and could result in some reduced functionality.

And controls they have.

SectionDescriptionAmount of controls
Account/Authentication policiesRecommendations related to setting the appropriate account and authentication policies.8
Application permissionsRecommendations related to the configuration of application permissions within Microsoft 365.4
Data managementRecommendations for setting data management policies.6
Email security/Exchange OnlineRecommendations related to the configuration of Exchange Online and email security.13
Auditing policiesRecommendations for setting auditing policies on your Microsoft 365 tenant.14
Storage policiesRecommendations for securely configuring storage policies.2
Mobile device managementRecommendations for managing devices connecting to Microsoft 365.13
Total recommendations60

And when you start applying the template, you can copy the information from old assessments or create a new one.

And when you are done with applying process, you will start to see assessment running in our tenant.

So, lets open one and you will see what is inside.

On the left you will points that this will affect on the Compliance and Secure Score. And on the rights instructions how to implement and what licenses it requires, so it’s a one-step shop for all info.

You can select implementation status or let it be discovered when you run the assessment again.

You can see the policies on the same page and like you would imagine CIS policy has a lot more actions inside.

Score calculation

In Compliance Manager you can find points under each action. In example 27 is points from a mandatory action.

And 9 points for preventive actions

Actions are assigned a score value based on whether they’re mandatory or discretionary, and whether they’re preventative, detective, or corrective.

Mandatory and discretionary actions
  • Mandatory actions can’t be bypassed, either intentionally or accidentally. An example of a mandatory action is a centrally managed password policy that sets requirements for password length, complexity, and expiration. Users must follow these requirements to access the system.
  • Discretionary actions rely upon users to understand and adhere to a policy. For example, a policy requiring users to lock their computer when they leave it is a discretionary action because it relies on the user.
Preventative, detective, and corrective actions
  • Preventative actions address specific risks. For example, protecting information at rest using encryption is a preventative action against attacks and breaches. Separation of duties is a preventative action to manage conflict of interest and guard against fraud.
  • Detective actions actively monitor systems to identify irregular conditions or behaviors that represent risk, or that can be used to detect intrusions or breaches. Examples include system access auditing and privileged administrative actions. Regulatory compliance audits are a type of detective action used to find process issues.
  • Corrective actions try to keep the adverse effects of a security incident to a minimum, take corrective action to reduce the immediate effect, and reverse the damage if possible. Privacy incident response is a corrective action to limit damage and restore systems to an operational state after a breach.

Each action has an assigned value in Compliance Manager based on the risk it represents:

TypeAssigned score
Preventative mandatory27
Preventative discretionary9
Detective mandatory3
Detective discretionary1
Corrective mandatory3
Corrective discretionary1

Compliance Manager action point values.

Secure score in Defender for Cloud

You can also find Secure score from Defender, you can see history for Secure score and export and Governance report.

Continuous export

If you want to see the historical data, you have enable Continuous export function.

Continuous export can send Microsoft Defender for Cloud’s alerts and recommendations to Log Analytics or Azure Event Hubs
Learn how to configure continuous export of security alerts and recommendations to Log Analytics or Azure Event Hubs

How the score is calculated?

You can see a Potential score estimation under the policy.

And here more info on the different factors

Security posture for Microsoft Defender for Cloud
Description of Microsoft Defender for Cloud’s secure score and its security controls

In example for MFA

Secure scoreSecurity control and descriptionRecommendations
10Enable MFA – Defender for Cloud places a high value on multi-factor authentication (MFA). Use these recommendations to secure the users of your subscriptions.
There are three ways to enable MFA and be compliant with the recommendations: security defaults, per-user assignment, conditional access policy. Learn more about these options in Manage MFA enforcement on your subscriptions.		– MFA should be enabled on accounts with owner permissions on subscriptions
– MFA should be enabled on accounts with write permissions on subscriptions

Improve the score

To improve your secure score, remediate security recommendations from your recommendations list. You can remediate each recommendation manually for each resource, or use the Fix option (when available) to resolve an issue on multiple resources quickly. For more information, see Remediate recommendations.

You can also configure the Enforce and Deny options on the relevant recommendations to improve your score and make sure your users don’t create resources that negatively impact your score.

More on policies on Azure Policy design.


Design implementation of Azure Policy

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The assignment applies to all resources within the Resource Manager scope of that assignment. Subscopes can be excluded, if necessary.

Azure Policy uses a JSON format to form the logic the evaluation uses to determine whether a resource is compliant or not. Definitions include metadata and the policy rule. The defined rule can use functions, parameters, logical operators, conditions, and property aliases to match exactly the scenario you want. The policy rule determines which resources in the scope of the assignment get evaluated.

Azure Policy Samples

GitHub – Azure/azure-policy: Repository for Azure Resource Policy built-in definitions and samples
Repository for Azure Resource Policy built-in definitions and samples – GitHub – Azure/azure-policy: Repository for Azure Resource Policy built-in definitions and samples

Definition

You use JSON to create a policy definition. The policy definition contains elements for:

  • display name
  • description
  • mode
  • metadata
  • parameters
  • policy rule
    • logical evaluation
    • effect

Effect types

Resource StateEffectPolicy EvaluationCompliance State
New or UpdatedAudit, Modify, AuditIfNotExistTrueNon-Compliant
New or UpdatedAudit, Modify, AuditIfNotExistFalseCompliant
ExistsDeny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExistTrueNon-Compliant
ExistsDeny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExistFalseCompliant

Initiative

You use JSON to create a policy initiative definition. The policy initiative definition contains elements for:

You need System Managed Identity for any remediation tasks.

Policy assignment to identify non-compliant resources

Identify non-compliant resources

Resource StateEffectPolicy EvaluationCompliance State
New or UpdatedAudit, Modify, AuditIfNotExistTrueNon-Compliant
New or UpdatedAudit, Modify, AuditIfNotExistFalseCompliant
ExistsDeny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExistTrueNon-Compliant
ExistsDeny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExistFalseCompliant

Once you have create a definition, you can assign it. From the policy itself

Or from Assignments menu

Earlier we created only Deny and Disable effects but we can also add Audit to the effects and make it as default.

And then the assignment will show like this. From this menu you can enforce the policy

When enforcement mode is disabled, the policy effect isn’t enforced (i.e. deny policy won’t deny resources). Compliance assessment results are still available.

And if You remove the tick from “Only show…” on the next page, you will se effects that have been defined and what the default one.

If you want to do something with the policy, You need Managed identity for it.

Here instructions how to create a Managed identity and add permissions to it.

Remediate non-compliant resources – Azure Policy
This guide walks you through the remediation of resources that are non-compliant to policies in Azure Policy.

Next you can put a message to display for non-compliance

And finally review and create

Compliance results

After we have assigned the policy, we can go to compliance and see the results.

For this demo, I created a Storage account with out SSL.

And it will show non-compliant based on the rule we created

but the other Storage accounts are compliant as they have SSL enabled

And when we drill down to details, we can see the custom reason we added to the policy

Troubleshooting

Troubleshoot common errors – Azure Policy
Learn how to troubleshoot problems with creating policy definitions, the various SDKs, and the add-on for Kubernetes.


Design for data residency requirements

Data residency and DPA

Microsoft has an excellent and throughout PDF for download.

In this document they cover DPA (Microsoft Products and Services Data Protection Addendum) which cover how Microsoft handles your data.

Where my data is located?

Azure AD and it’s related components

Microsoft has an excellent Power BI based page for service data residency.

Example for European customers the Azure AD B2B is located in the following

And for MFA in the following

Why you ask?

Azure AD B2B stores invitations with redeem link and redirect URL information in US datacenters. In addition, email address of users that unsubscribe from receiving B2B invitations are also stored in U.S. datacenters.

And for cloud-based Azure AD Multi-Factor Authentication, authentication is complete in the closest datacenter to the user. Datacenters for Azure AD Multi-Factor Authentication exist in North America, Europe, and Asia Pacific.

  • Multi-factor authentication using phone calls originate from datacenters in the customer’s region and are routed by global providers.
  • Multi-factor authentication using SMS is routed by global providers.
  • Multi-factor authentication requests using the Microsoft Authenticator app push notifications that originate from EU datacenters are processed in EU datacenters.
    • Device vendor-specific services, such as Apple Push Notifications, may be outside Europe.
  • Multi-factor authentication requests using OATH codes that originate from EU datacenters are validated in the EU.

For EU customers

Identity data storage for European customers – Azure AD – Microsoft Entra
Learn about where Azure Active Directory stores identity-related data for its European customers.

And for my Finnish customers

For Finnish customers the deal will be different in the future. Microsoft will build a data center region to Finland.

Microsoft announces intent to build a new datacenter region in Finland, accelerating sustainable digital transformation and enabling large scale carbon-free district heating – Microsoft News Centre Europe
The datacenters are designed to operate with 100 percent emission-free energy and will supply heat for the cities of Espoo and Kauniainen, and the municipality of Kirkkonummi, in a unique collaboration with Fortum. HELSINKI — 17 March, 2022 — Microsoft today announced it intends to build a new datac…

Microsoft 365

Microsoft 365 data locations – Microsoft 365 Enterprise
Determine where your Microsoft 365 customer data is stored worldwide

Moving data to new region

Microsoft provides a data residency option to eligible Microsoft 365 customers who are covered by the datacenter geos listed in the table above. With this option, eligible customers with data residency requirements can request migration of their organization’s core customer data at rest to their new datacenter geo. Microsoft will offer a committed deadline to all eligible customers who request migration during the enrollment window. Review the How to request your data move page for more details about the open enrollment window for your datacenter geo and the steps to enroll into the program. Data moves can take up to 24 months after the request period ends to complete.

We introduce no unique capabilities, features or compliance certifications with the new datacenter geo.

The complexity, precision and scale at which we need to perform data moves within a globally operated and automated environment prohibit us from sharing when a data move is expected to complete for your tenant or any other single tenant. Customers will receive one confirmation in Message Center per participating service when its data move has completed.

Data moves are a back-end service operation with minimal impact to end-users. Features that can be impacted are listed on the During and after your data move page. We adhere to the Microsoft Online Services Service Level Agreement (SLA) for availability so there is nothing that customers need to prepare for or to monitor during the move. Notification of any service maintenance is done if needed.

Data moves to the new datacenter geo are completed at no additional cost to the customer.

Process

How to request your data move – Microsoft 365 Enterprise
Existing Office 365 customers must submit a request before the deadline for their country to have their Microsoft 365 services data moved to their new geo.


Translate privacy requirements into requirements for security solutions

Cloud governance

Cloud governance is an iterative process. For organizations with existing policies that govern on-premises IT environments, cloud governance should complement those policies. The level of corporate policy integration between on-premises and the cloud varies depending on cloud governance maturity and the nature of the digital estate in the cloud. As the cloud estate changes over time, so do cloud governance processes and policies. Use the following exercises to help you start building your initial governance foundation:

  1. Establish your methodology: Establish a basic understanding of the methodology that drives cloud governance in the Cloud Adoption Framework to begin thinking through the end state solution.
  2. Use the governance benchmark tool: Assess your current state and future state to establish a vision for applying the framework.
  3. Establish an initial governance foundation: Begin your governance journey with a small, easily implemented set of governance tools. This initial governance foundation is called a minimum viable product (MVP).
  4. Improve your initial governance foundation: Throughout implementation of the cloud adoption plan, iteratively add governance controls to address tangible risks as you progress toward the end state.

GDPR

GDPR regulates peoples own information. Basically it’s saying that you have the right to know where your information is used and you can ask to be forgotten.

General Data Protection Regulation – Microsoft GDPR
Learn about Microsoft technical guidance and find helpful information for the General Data Protection Regulation (GDPR).

Audit reports

Microsoft has a trust portal with all the audit reports, you can download them as a registered user.

Service Trust Portal
The Microsoft Service Trust Portal contains details about Microsoft’s implementation of controls and processes that protect our cloud services and the customer data therein.

Research for cloud privacy and security

Excellent study about 10 recommendations for cloud privacy and security

10 recommendations for cloud privacy and security with Ponemon research
Today we’re pleased to introduce the release of Data Protection and Privacy Compliance in the Cloud: Privacy Concerns Are Not Slowing the Adoption of Cloud Services, but Challenges Remain, original research sponsored by Microsoft and independently conducted by the Ponemon Institute.

Then to the technical properties.

Encryption

First to introduce the different encryption types that you can use and how they differ.

Client-side encryption

Client-side encryption is performed outside of Azure. It includes:

  • Data encrypted by an application that’s running in the customer’s datacenter or by a service application.
  • Data that is already encrypted when it is received by Azure.

With client-side encryption, cloud service providers don’t have access to the encryption keys and cannot decrypt this data. You maintain complete control of the keys.

Server-side encryption

The three server-side encryption models offer different key management characteristics, which you can choose according to your requirements:

  • Service-managed keys: Provides a combination of control and convenience with low overhead.
  • Customer-managed keys: Gives you control over the keys, including Bring Your Own Keys (BYOK) support, or allows you to generate new ones.
  • Service-managed keys in customer-controlled hardware: Enables you to manage keys in your proprietary repository, outside of Microsoft control. This characteristic is called Host Your Own Key (HYOK). However, configuration is complex, and most Azure services don’t support this model.

Data at rest

The Microsoft cloud employs a wide range of encryption capabilities up to AES-256, giving you the flexibility to choose the solution that’s best for your business.

Data in transit

Microsoft uses and enables the use of industry-standard encrypted transport protocols, such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec).

Encryption keys

All Microsoft-managed encryption keys are properly secured and offer the use of technologies such as Azure Key Vault to help you control access to passwords, encryption keys, and other secrets.

Different encryption stores (Microsoft solutions)

Azure Managed HSM

Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs.

Azure Managed HSM Overview – Azure Managed HSM
Azure Managed HSM is a cloud service that safeguards your cryptographic keys for cloud applications.

Key vault

Azure Key Vault has two service tiers: Standard, which encrypts with a software key, and a Premium tier, which includes hardware security module(HSM)-protected keys.

Azure Key Vault Overview – Azure Key Vault
Azure Key Vault is a secure secrets store, providing management for secrets, keys, and certificates, all backed by Hardware Security Modules.

Supported services per key type and size

All Microsoft services are encrypted by default with Server-Side and using Service-Managed keys. You change this if needed.

The Azure services that support each encryption model:

Note! The RSA key length is the one mentioned in the documentation, not more, not less.

Product, Feature, or ServiceServer-Side Using Service-Managed KeyServer-Side Using Customer-Managed KeyClient-Side Using Client-Managed Key
AI and Machine Learning
Azure Cognitive SearchYesYes
Azure Cognitive ServicesYesYes
Azure Machine LearningYesYes
Content ModeratorYesYes
FaceYesYes
Language UnderstandingYesYes
PersonalizerYesYes
QnA MakerYesYes
Speech ServicesYesYes
Translator TextYesYes
Power BIYesYes, RSA 4096-bit
Analytics
Azure Stream AnalyticsYesYes**, including Managed HSM
Event HubsYesYes
FunctionsYesYes
Azure Analysis ServicesYes
Azure Data CatalogYes
Azure HDInsightYesAll
Azure Monitor Application InsightsYesYes
Azure Monitor Log AnalyticsYesYes
Azure Data ExplorerYesYes
Azure Data FactoryYesYes, including Managed HSM
Azure Data Lake StoreYesYes, RSA 2048-bit
Containers
Azure Kubernetes ServiceYesYes, including Managed HSM
Container InstancesYesYes
Container RegistryYesYes
Compute
Virtual MachinesYesYes, including Managed HSM
Virtual Machine Scale SetYesYes, including Managed HSM
SAP HANAYesYes
App ServiceYesYes**, including Managed HSM
AutomationYesYes
Azure FunctionsYesYes**, including Managed HSM
Azure portalYesYes**, including Managed HSM
Logic AppsYesYes
Azure-managed applicationsYesYes**, including Managed HSM
Service BusYesYes
Site RecoveryYesYes
Databases
SQL Server on Virtual MachinesYesYesYes
Azure SQL DatabaseYesYes, RSA 3072-bit, including Managed HSMYes
Azure SQL Managed InstanceYesYes, RSA 3072-bit, including Managed HSMYes
Azure SQL Database for MariaDBYes
Azure SQL Database for MySQLYesYes
Azure SQL Database for PostgreSQLYesYes
Azure Synapse AnalyticsYesYes, RSA 3072-bit, including Managed HSM
SQL Server Stretch DatabaseYesYes, RSA 3072-bitYes
Table StorageYesYesYes
Azure Cosmos DBYes (learn more)Yes (learn more)
Azure DatabricksYesYes
Azure Database Migration ServiceYesN/A*
Identity
Azure Active DirectoryYes
Azure Active Directory Domain ServicesYesYes
Integration
Service BusYesYesYes
Event GridYes
API ManagementYes
IoT Services
IoT HubYesYesYes
IoT Hub Device ProvisioningYesYes
Management and Governance
Azure Managed GrafanaYesN/A
Azure Site RecoveryYes
Azure MigrateYesYes
Media
Media ServicesYesYesYes
Security
Microsoft Defender for IoTYesYes
Microsoft SentinelYesYes
Storage
Blob StorageYesYes, including Managed HSMYes
Premium Blob StorageYesYes, including Managed HSMYes
Disk StorageYesYes, including Managed HSM
Ultra Disk StorageYesYes, including Managed HSM
Managed Disk StorageYesYes, including Managed HSM
File StorageYesYes, including Managed HSM
File Premium StorageYesYes, including Managed HSM
File SyncYesYes, including Managed HSM
Queue StorageYesYes, including Managed HSMYes
Data Lake Storage Gen2YesYes, including Managed HSMYes
Avere vFXTYes
Azure Cache for RedisYesN/A*
Azure NetApp FilesYesYes
Archive StorageYesYes
StorSimpleYesYesYes
Azure BackupYesYesYes
Data BoxYesYes
Data Box EdgeYesYes

* This service doesn’t persist data. Transient caches, if any, are encrypted with a Microsoft key.

** This service supports storing data in your own Key Vault, Storage Account, or other data persisting service that already supports Server-Side Encryption with Customer-Managed Key.

If you want to read more on Key Vault, read my posts below

Section 15 – Secure data and applications – Configure and manage Azure Key Vault
And here goes the last section in my AZ-500 study guide, the end is coming with: Create and configure Key Vault Configure access to Key Vault Manage certificates, secrets, and keys Configure key rotation Configure Backup and recovery of certificates, secrets, and keys Create and configure Key Vault Basics When you create a Key vault, […]
Key auto-rotation in Azure Key Vault now GA!
Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use rotation policy to configure rotation for each individual key. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices. This feature enables […]

Serverless security

Microsoft has an excellent PDF also for Serverless security designs.

Things to remember

Microsoft different models and portal for making your environment compliant:

  • CAF (Cloud Adoption Framework
  • Well-Architected Framework
  • Azure Architecture Center
  • Security best practices
  • Workload prioritizing
  • Microsoft Learn

Available regulatory standards:

  • PCI-DSS v3.2.1:2018
  • SOC TSP
  • NIST SP 800-53 R4
  • NIST SP 800 171 R2
  • UK OFFICIAL and UK NHS
  • Canada Federal PBMM
  • Azure CIS 1.1.0
  • HIPAA/HITRUST
  • SWIFT CSP CSCF v2020
  • ISO 27001:2013
  • New Zealand ISM Restricted
  • CMMC Level 3
  • Azure CIS 1.3.0
  • NIST SP 800-53 R5
  • FedRAMP H
  • FedRAMP M

How to use Defender for Cloud and Azure Policy to meet your regulation standards.

On M365 side the same for Purview Compliance Manager

How Secure score is defined in M365

TypeAssigned score
Preventative mandatory27
Preventative discretionary9
Detective mandatory3
Detective discretionary1
Corrective mandatory3
Corrective discretionary1

In example for MFA in Defender for Cloud

Secure scoreSecurity control and descriptionRecommendations
10Enable MFA – Defender for Cloud places a high value on multi-factor authentication (MFA). Use these recommendations to secure the users of your subscriptions.
There are three ways to enable MFA and be compliant with the recommendations: security defaults, per-user assignment, conditional access policy. Learn more about these options in Manage MFA enforcement on your subscriptions.		– MFA should be enabled on accounts with owner permissions on subscriptions
– MFA should be enabled on accounts with write permissions on subscriptions

Data residency and where the data is located and how to move it if needed.

What services are global and what can be moved.

Different key storing services and encryption models and what are the limitations.

Link to main post

Exam cram for Cybersecurity Architect exam
When I wrote the study guide for AZ-500, I was planning to write a study guide for MS-500, SC-400 or AZ-104 but when I saw the contents of SC-100, I decided differently. For AZ-500 I counted 12 parts but now I’m not going to give any number. Seems that I write a lot, so let’s […]
Read More
www.cloudpartner.fi
Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *