Tutorial: Improve your regulatory compliance
Azure Security Center helps streamline the process for meeting regulatory compliance requirements, using the regulatory compliance dashboard.
Security Center continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the standards applied to your subscriptions. The dashboard reflects the status of your compliance with these standards.
When you enable Security Center on an Azure subscription, the Azure Security Benchmark is automatically assigned to that subscription. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security.
The regulatory compliance dashboard shows the status of all the assessments within your environment for your chosen standards and regulations. As you act on the recommendations and reduce risk factors in your environment, your compliance posture improves.
In this tutorial you'll learn how to:
- Evaluate your regulatory compliance using the regulatory compliance dashboard
- Improve your compliance posture by taking action on recommendations
- Set up alerts on changes to your compliance posture
- Export your compliance data as a continuous stream and as weekly snapshots
If you don’t have an Azure subscription, create a free account before you begin.
To step through the features covered in this tutorial:
- Azure Defender must be enabled. You can try Azure Defender for free for 30 days.
- You must be signed in with an account that has reader access to the policy compliance data; the Security Reader role alone is insufficient. The Global reader role on the subscription will work. To manage standards as well as view the dashboard, you'll need at least the Resource Policy Contributor and Security Admin roles assigned.
Assess your regulatory compliance
The regulatory compliance dashboard shows your selected compliance standards with all their requirements, where supported requirements are mapped to applicable security assessments. The status of these assessments reflects your compliance with the standard.
Use the regulatory compliance dashboard to help focus your attention on the gaps in compliance with your chosen standards and regulations. This focused view also enables you to continuously monitor your compliance over time within dynamic cloud and hybrid environments.
From Security Center's menu, select Regulatory compliance.
At the top of the screen is a dashboard with an overview of your compliance status with the set of supported compliance regulations. You'll see your overall compliance score, and the number of passing vs. failing assessments associated with each standard.
Select a tab for a compliance standard that is relevant to you (1). You'll see which subscriptions the standard is applied on (2), and the list of all controls for that standard (3). For the applicable controls, you can view the details of passing and failing assessments associated with that control (4), and the number of affected resources (5). Some controls are grayed out. These controls don't have any Security Center assessments associated with them. Check their requirements and assess them in your environment. Some of these might be process-related and not technical.
To generate a PDF report with a summary of your current compliance status for a particular standard, select Download report.
The report provides a high-level summary of your compliance status for the selected standard, based on Security Center assessment data, and is organized according to the controls of that standard. The report can be shared with relevant stakeholders and might provide evidence to internal and external auditors.
Improve your compliance posture
Using the information in the regulatory compliance dashboard, improve your compliance posture by resolving recommendations directly within the dashboard.
Select any of the failing assessments that appear in the dashboard to view the details for that recommendation. Each recommendation includes a set of remediation steps to resolve the issue.
Select a particular resource to view more details and resolve the recommendation for that resource.
For example, in the Azure CIS 1.1.0 standard, select the recommendation Disk encryption should be applied on virtual machines.
In this example, when you select Take action from the recommendation details page, you arrive in the Azure Virtual Machine pages of the Azure portal, where you can enable encryption from the Security tab:
For more information about how to apply recommendations, see Implementing security recommendations in Azure Security Center.
After you take action to resolve recommendations, you'll see the result in the compliance dashboard as your compliance score improves.
Assessments run approximately every 12 hours, so you will see the impact on your compliance data only after the next run of the relevant assessment.
Export your compliance status data
If you want to track your compliance status with other monitoring tools in your environment, Security Center includes an export mechanism to make this straightforward. Configure continuous export to send selected data to an Azure Event Hub or a Log Analytics workspace. With continuous export you can:
- Export all regulatory compliance data in a continuous stream.
- Export weekly snapshots of your regulatory compliance data.
You can also export a PDF/CSV report of your compliance data directly from the regulatory compliance dashboard.
Learn more in Continuously export Security Center data.
Run workflow automations when there are changes to your compliance
Security Center's workflow automation feature can trigger Logic Apps whenever one of your regulatory compliance assessments changes state.
For example, you might want Security Center to email a specific user when a compliance assessment fails. You'll need to create the logic app first (using Azure Logic Apps) and then set up the trigger in a new workflow automation as explained in Automate responses to Security Center triggers.
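As an added example (not code from this tutorial or from Security Center), the block below shows how per-resource assessment results, such as those delivered by continuous export, can be tallied into the per-standard passing/failing counts the dashboard displays and compared between two exports to find the state changes that a workflow automation would notify on. The record field names, control identifiers and sample records are constructed for illustration and do not claim to match the continuous-export schema.

```python
from collections import defaultdict

def rec(standard, control, assessment, resource, state):
    """Build one assessment record. Field names are assumed for this example."""
    return {"standard": standard, "control": control, "assessment": assessment,
            "resource": resource, "state": state}

DISK = "Disk encryption should be applied on virtual machines"
MFA = "MFA should be enabled on accounts with owner permissions"
TLS = "Secure transfer to storage accounts should be enabled"

# Constructed sample: two exports of the same assessments, taken ~12 hours apart.
PREVIOUS = [
    rec("Azure CIS 1.1.0", "7.1", DISK, "/vm/web01", "Failed"),
    rec("Azure CIS 1.1.0", "7.1", DISK, "/vm/db01", "Passed"),
    rec("Azure CIS 1.1.0", "1.1", MFA, "/sub/s1", "Passed"),
    rec("PCI-DSS 3.2.1", "3.4", DISK, "/vm/web01", "Failed"),
    rec("PCI-DSS 3.2.1", "8.3", MFA, "/sub/s1", "Passed"),
    rec("Azure Security Benchmark", "IM-4", MFA, "/sub/s1", "Passed"),
    rec("Azure Security Benchmark", "DP-4", TLS, "/storage/logs", "Passed"),
]
CURRENT = [
    rec("Azure CIS 1.1.0", "7.1", DISK, "/vm/web01", "Passed"),  # remediated
    rec("Azure CIS 1.1.0", "7.1", DISK, "/vm/db01", "Passed"),
    rec("Azure CIS 1.1.0", "1.1", MFA, "/sub/s1", "Failed"),     # regressed
    rec("PCI-DSS 3.2.1", "3.4", DISK, "/vm/web01", "Passed"),
    rec("PCI-DSS 3.2.1", "8.3", MFA, "/sub/s1", "Failed"),
    rec("Azure Security Benchmark", "IM-4", MFA, "/sub/s1", "Failed"),
    rec("Azure Security Benchmark", "DP-4", TLS, "/storage/logs", "Passed"),
]

def score_by_standard(records):
    """Per standard: (passed, failed, percent passing) over per-resource results.
    A simplification of the dashboard's compliance score, not its exact formula."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        counts[r["standard"]][0 if r["state"] == "Passed" else 1] += 1
    return {s: (p, f, round(100.0 * p / (p + f), 1)) for s, (p, f) in counts.items()}

def lowest_standards(records, n=4):
    """Standards ranked by ascending score, like the dashboard's 'top 4' lowest."""
    scores = score_by_standard(records)
    return sorted(scores, key=lambda s: (scores[s][2], s))[:n]

def state_changes(previous, current):
    """Results whose state differs between two exports, keyed by standard,
    assessment and resource; each change carries the previous state."""
    key = lambda r: (r["standard"], r["assessment"], r["resource"])
    before = {key(r): r["state"] for r in previous}
    return [{**r, "previous_state": before[key(r)]} for r in current
            if key(r) in before and before[key(r)] != r["state"]]

def regressions(previous, current):
    """Passed -> Failed transitions: the event worth an email or a ticket."""
    return [c for c in state_changes(previous, current) if c["state"] == "Failed"]
```

In this sample the Azure CIS 1.1.0 score is identical in both exports even though one resource was remediated and another regressed, which is why alerting on state changes complements watching the score alone.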
FAQ - Regulatory compliance dashboard
- What standards are supported in the compliance dashboard?
- Why do some controls appear grayed out?
- How can I remove a built-in standard, like PCI-DSS, ISO 27001, or SOC2 TSP from the dashboard?
- I made the suggested changes based on the recommendation, yet they aren't reflected in the dashboard
- What permissions do I need to access the compliance dashboard?
- The regulatory compliance dashboard isn't loading for me
- How can I view a report of passing and failing controls per standard in my dashboard?
- How can I download a report with compliance data in a format other than PDF?
- How can I create exceptions for some of the policies in the regulatory compliance dashboard?
- What Azure Defender plans or licenses do I need to use the regulatory compliance dashboard?
- How do I know which benchmark or standard to use?
What standards are supported in the compliance dashboard?
By default, the regulatory compliance dashboard shows you the Azure Security Benchmark. The Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices, based on common compliance frameworks. Learn more in the Azure Security Benchmark introduction.
To track your compliance with any other standard, you'll need to explicitly add them to your dashboard.
You can add other standards such as Azure CIS 1.3.0, NIST SP 800-53, NIST SP 800-171, SWIFT CSP CSCF-v2020, UK Official and UK NHS, HIPAA, Canada Federal PBMM, ISO 27001, SOC2-TSP, and PCI-DSS 3.2.1.
More standards will be added to the dashboard and included in the information on Customize the set of standards in your regulatory compliance dashboard.
Why do some controls appear grayed out?
For each compliance standard in the dashboard, there's a list of the standard's controls. For the applicable controls, you can view the details of passing and failing assessments.
Some controls are grayed out. These controls don't have any Security Center assessments associated with them. Some may be procedure or process-related, and therefore can't be verified by Security Center. Some don't have any automated policies or assessments implemented yet, but will have in the future. And some controls may be the platform responsibility as explained in Shared responsibility in the cloud.
How can I remove a built-in standard, like PCI-DSS, ISO 27001, or SOC2 TSP from the dashboard?
To customize the regulatory compliance dashboard, and focus only on the standards that are applicable to you, you can remove any of the displayed regulatory standards that aren't relevant to your organization. To remove a standard, follow the instructions in Remove a standard from your dashboard.
I made the suggested changes based on the recommendation, yet they aren't reflected in the dashboard
After you take action to resolve recommendations, wait 12 hours to see the changes to your compliance data. Assessments are run approximately every 12 hours, so you will see the effect on your compliance data only after the assessments run.
What permissions do I need to access the compliance dashboard?
To view compliance data, you need at least Reader access to the policy compliance data as well, so Security Reader alone won't suffice. If you're a Global reader on the subscription, that will also be enough.
The minimum set of roles for accessing the dashboard and managing standards is Resource Policy Contributor and Security Admin.
The regulatory compliance dashboard isn't loading for me
To use the regulatory compliance dashboard, Azure Security Center must have Azure Defender enabled at the subscription level. If the dashboard isn't loading correctly, try the following steps:
- Clear your browser's cache.
- Try a different browser.
- Try opening the dashboard from a different network location.
How can I view a report of passing and failing controls per standard in my dashboard?
On the main dashboard, you can see a report of passing and failing controls for (1) the 'top 4' lowest-compliance standards in the dashboard. To see the passing/failing controls status for all standards, select (2) Show all x (where x is the number of standards you're tracking). A context pane displays the compliance status for every one of your tracked standards.
How can I download a report with compliance data in a format other than PDF?
When you select Download report, select the standard and the format (PDF or CSV). The resulting report will reflect the current set of subscriptions you've selected in the portal's filter.
- The PDF report shows a summary status for the standard you selected
- The CSV report provides detailed results per resource, as it relates to policies associated with each control
Currently, there's no support for downloading a report for a custom policy; only for the supplied regulatory standards.
How can I create exceptions for some of the policies in the regulatory compliance dashboard?
For policies that are built into Security Center and included in the secure score, you can create exemptions for one or more resources directly in the portal as explained in Exempting resources and recommendations from your secure score.
For other policies, you can create an exemption directly in the policy itself, by following the instructions in Azure Policy exemption structure.
What Azure Defender plans or licenses do I need to use the regulatory compliance dashboard?
If you have any of the Azure Defender packages enabled on any of your Azure resource types, you have access to the Regulatory Compliance Dashboard, with all of its data, in Security Center.
How do I know which benchmark or standard to use?
Azure Security Benchmark (ASB) is the canonical set of security recommendations and best practices defined by Microsoft, aligned with common compliance control frameworks including CIS Microsoft Azure Foundations Benchmark and NIST SP 800-53. ASB is a very comprehensive benchmark, and is designed to recommend the most up-to-date security capabilities of a wide range of Azure services. We recommend ASB to customers who want to maximize their security posture, and have the ability to align their compliance status with industry standards.
The CIS Benchmark is authored by an independent entity – Center for Internet Security (CIS) – and contains recommendations on a subset of core Azure services. We work with CIS to try to ensure that their recommendations are up to date with the latest enhancements in Azure, but they do sometimes fall behind and become outdated. Nonetheless, some customers like to use this objective, third-party assessment from CIS as their initial and primary security baseline.
Since we’ve released the Azure Security Benchmark, many customers have chosen to migrate to it as a replacement for CIS benchmarks.
In this tutorial, you learned about using Security Center’s regulatory compliance dashboard to:
- View and monitor your compliance posture regarding the standards and regulations that are important to you.
- Improve your compliance status by resolving relevant recommendations and watching the compliance score improve.
The regulatory compliance dashboard can greatly simplify the compliance process, and significantly cut the time required for gathering compliance evidence for your Azure, hybrid, and multi-cloud environment.
To learn more, see these related pages:
- Customize the set of standards in your regulatory compliance dashboard - Learn how to select which standards appear in your regulatory compliance dashboard.
- Managing security recommendations in Azure Security Center - Learn how to use recommendations in Security Center to help protect your Azure resources.