Exercise 6: Using Compliance Tools (Azure Policy, Secure Score and Compliance Manager)

In this exercise, attendees will learn to navigate the Azure Policy and Secure Score features of Azure. You will also explore the Compliance Manager portal, which provides helpful tasks to consider when working toward specific compliance requirements.

Task 1: Review a basic Azure Policy

  1. Open the Azure Portal. Select All Services, then type Policy. Select Policy in the list of items.
  2. In the blade menu, click Compliance and review your Overall resource compliance percentage.
  3. For the scope, ensure the proper subscription is selected, then select ASC Default.
  4. In the Initiative compliance blade, review your compliance metrics.
  5. Scroll to the results area and select the Non-compliant resources tab.
  6. In the filter search box, type PAW-1 and select it when it is displayed.
  7. With the Policies tab selected, review the policies that the resource is non-compliant with.
  8. Click one of the policies. Review the Definition JSON of the policy definition; notice how it follows the ARM template format and checks for specific properties being set on the non-compliant resources.

Note: You can use these out-of-the-box templates to build your own policies and apply them as blueprints.

Task 2: Review and create Azure Blueprints

  1. In the Policy blade, select Definitions. This is the list of all defined policies, any of which can be selected and assigned to your subscription's resources.
  2. In the Policy blade, select Blueprints.
  3. In the Blueprints blade, select Blueprint definitions.
  4. Select +Create blueprint.
  5. Review some of the sample blueprints, then select Start with blank blueprint.
  6. For the name, type gdprblueprint.
  7. For the location, select the ellipses, then select your subscription in the drop-down.
  8. Click Select.
  9. Select Next: Artifacts.
  10. Click +Add artifact.
  11. For the Artifact Type, select Policy Assignment and review all the policies available to you (at the time of this writing there were 151 policies).
  12. In the search box, type unrestricted and locate Audit unrestricted network access to storage accounts.
  13. Click Add.
  14. Click Save Draft.
  15. For the new blueprint, click the ellipses, then select Publish Blueprint.
  16. For the version, type 1.0.0.
  17. Click Publish.
  18. For the new blueprint, click the ellipses, then select Assign Blueprint.
  19. Review the page, then click Assign. This policy will now audit all storage accounts in the selected subscription.
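To make the Definition JSON reviewed in Task 1 (step 8) and the storage-account audit policy assigned in Task 2 (step 12) concrete, here is an added example that is not part of the lab: a policy definition in the Azure Policy definition format, modelled on the built-in "Audit unrestricted network access to storage accounts" policy, together with a small evaluator that applies its if/then rule to a few constructed storage-account and VM resources. The alias `Microsoft.Storage/storageAccounts/networkAcls.defaultAction`, the `notEquals: Deny` clause and the alias-to-property mapping are assumptions for this example (the authoritative rule is the built-in definition shown in the portal), and the evaluator models only the rule-language subset the definition uses; it is not the Azure Policy engine.

```python
import json

# Added example (not the lab's own material): an Azure Policy definition in the
# same if/then shape as the Definition JSON reviewed in Task 1. Modelled on the
# built-in "Audit unrestricted network access to storage accounts" policy; the
# alias and the notEquals clause are assumptions for this example.
POLICY_DEFINITION_JSON = """
{
  "mode": "Indexed",
  "displayName": "Audit unrestricted network access to storage accounts",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
        { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
          "notEquals": "Deny" }
      ]
    },
    "then": { "effect": "audit" }
  },
  "parameters": {}
}
"""

# Constructed sample resources in ARM-style shape (type plus a properties bag).
# "sanoacl01" has no network ACL at all, the case a plain equals: Allow check
# would miss; notEquals: Deny flags it as open.
SAMPLE_RESOURCES = [
    {"name": "saopen01", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"networkAcls": {"defaultAction": "Allow"}}},
    {"name": "salocked01", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"networkAcls": {"defaultAction": "Deny"}}},
    {"name": "sanoacl01", "type": "Microsoft.Storage/storageAccounts",
     "properties": {}},
    {"name": "paw-1", "type": "Microsoft.Compute/virtualMachines",
     "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}},
]

# Azure Policy refers to resource properties through aliases. This tiny table
# (assumed for the example) maps the one alias used above to a property path.
ALIASES = {
    "Microsoft.Storage/storageAccounts/networkAcls.defaultAction":
        ("properties", "networkAcls", "defaultAction"),
}


def get_field(resource, field):
    """Resolve a policy 'field' (top-level property or alias) on a resource."""
    if field in ("type", "name", "location", "kind"):
        return resource.get(field)
    path = ALIASES.get(field)
    if path is None:
        raise KeyError(f"no alias mapping for field {field!r}")
    node = resource
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None  # property absent: treated as an unset value
        node = node[key]
    return node


def matches(cond, resource):
    """Evaluate the subset of the policy rule language used in the definition."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def applicable_types(cond):
    """Collect resource types named by 'type' equals clauses in the rule."""
    if "allOf" in cond or "anyOf" in cond:
        found = set()
        for c in cond.get("allOf", []) + cond.get("anyOf", []):
            found |= applicable_types(c)
        return found
    if cond.get("field") == "type" and "equals" in cond:
        return {cond["equals"]}
    return set()


def evaluate_policy(definition_json, resources):
    """Map resource name -> 'compliant' | 'non-compliant' | 'not applicable'.

    For audit/deny effects, a resource that satisfies the 'if' block is the
    one the policy flags, so it is reported as non-compliant."""
    rule = json.loads(definition_json)["policyRule"]
    effect = rule["then"]["effect"].lower()
    if effect not in ("audit", "deny"):
        raise ValueError(f"this evaluator only models audit/deny, got {effect}")
    types = applicable_types(rule["if"])
    results = {}
    for res in resources:
        if types and res.get("type") not in types:
            results[res["name"]] = "not applicable"
        elif matches(rule["if"], res):
            results[res["name"]] = "non-compliant"
        else:
            results[res["name"]] = "compliant"
    return results


if __name__ == "__main__":
    for name, state in evaluate_policy(POLICY_DEFINITION_JSON, SAMPLE_RESOURCES).items():
        print(f"{name:12s} {state}")
```

Running the block lists the two open storage accounts as non-compliant, the locked one as compliant and the VM as not applicable, which is the same split the Non-compliant resources tab shows in the portal. The `sanoacl01` case is the reason to prefer a `notEquals: Deny` clause over `equals: Allow` when writing your own definitions from these templates: an account with no network ACL configured is open, and a rule keyed on the literal value `Allow` would silently report it as compliant.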

Task 3: Secure Score

  1. In the Azure Portal, select All Services, then type Security. Select Security Center.
  2. In the Security Center blade, select Secure score.
  3. Review your overall secure score value, then note the per-category values.
  4. Select your subscription. You will be presented with the items that failed resource validation, sorted by the score value assigned to each recommendation.
  5. Select Provision an Azure AD administrator for SQL Server. The recommendation blade shows how to remediate the recommendation and the impact value it adds to your score.

Task 4: Use Compliance Manager for Azure

  1. In a browser, go to the Service Trust/Compliance Manager portal (https://servicetrust.microsoft.com).
  2. In the top corner, select Sign in. You will be redirected to the Azure AD login page.
  3. If prompted, select or sign in with your Azure AD/Office 365 credentials.
  5. Select the +Add Assessment link.
  6. Select Create a new Group. For the name, type AzureSecurity, then select Next. Set the Would you like to copy the data from an existing group toggle to No, then select Next.
  7. For the product drop-down, select Azure.
  8. For the certification drop-down, select GDPR.
  9. Select Add to Dashboard. You will now see a new assessment for Azure and GDPR in progress:
  10. Select Azure GDPR.
  11. Review the various controls that you can implement:
Several categories of controls are listed on the page.
  1. Scroll to the top of the web page and, in the top navigation, select Service Trust Portal, then scroll to the bottom of the page. Notice the two other sections of the trust center called:
  2. Select Audit Reports.
  3. Notice the various tabs that you can select from, then select FedRAMP Reports.
  4. These are all the FedRAMP reports, sorted by date, that have been performed and publicly posted for Azure customers to review. Select the item displayed and briefly review the document.

This concludes the Security baseline on Azure lab.