March 13, 2025

Defender for Cloud – Part 9: Regulatory compliance

Overview

An AI-made image. Note the typing problems.

Microsoft Defender for Cloud provides Regulatory Compliance capabilities to help organizations assess and maintain compliance with industry standards, frameworks, and regulatory requirements. It continuously monitors cloud resources and provides insights into security posture, ensuring alignment with compliance benchmarks.

So if you need to see how the resources in your Azure, AWS or GCP environment comply with a given compliance benchmark, for example for an audit, it is very easy: just enable the standard you want and wait for the results. It usually takes about 24 hours for the results to appear.

You can find the Regulatory compliance dashboard in Defender for Cloud under the Cloud Security section.

Main view in Regulatory compliance.

In the dashboard you can:

- Get a summary of standard controls that have been passed.
- Get a summary of standards that have the lowest pass rate for resources.
- Review standards that are applied within the selected scope.
- Review assessments for compliance controls within each applied standard.
- Get a summary report for a specific standard.
- Manage compliance policies to see the standards assigned to a specific scope.
- Run a query to create a custom compliance report.
- Create a "compliance over time" workbook to track compliance status over time.
- Download audit reports.
- Review compliance offerings for Microsoft and third-party audits.

Some key features of Regulatory compliance

The core is the built-in compliance standards. Defender for Cloud comes with pre-configured compliance standards, including:

- Microsoft Cloud Security Benchmark – Microsoft's best practices for security.
- CIS Benchmark – Center for Internet Security guidelines.
- NIST 800-53 – A standard for U.S. federal agencies.
- ISO 27001 – An international information security standard.
- NIS2 – The EU's updated framework for cybersecurity.
- PCI DSS – Payment Card Industry Data Security Standard for handling credit card transactions.
- SOC 2 – Security and trust standards for cloud services.

Additionally, you can add custom regulatory standards to align with organizational policies. I'll show this later.

Compliance Dashboard

- Provides a real-time compliance score showing how well your cloud resources align with the selected frameworks.
- Highlights non-compliant resources and provides remediation recommendations.

Security Controls & Recommendations

- Defender for Cloud evaluates your environment against regulatory requirements and generates actionable security recommendations.
- Example: if your virtual machines lack encryption, it suggests enabling Azure Disk Encryption to meet compliance needs.

Continuous Monitoring & Alerts

- Compliance is continuously monitored, and the security posture updates dynamically as resources change.
- Integration with Microsoft Sentinel allows security teams to receive alerts on non-compliant resources.

Compliance Reports & Audits

- Export compliance reports in formats suitable for auditors and security teams.
- Provides evidence for regulatory audits with detailed insights into compliance status.

Compliance in Azure

In my example I have chosen two extra standards, CIS Azure 2.0.0 and NIST SP 800 53 R5:

MCSB, the Microsoft cloud security benchmark, is always on once you have onboarded subscriptions to Defender for Cloud. Under the selected benchmark you can see the top levels and the controls related to the MCSB benchmark. If a top level starts with a red circle with a white x in it, there is something to do in the resources that are not compliant.

MCSB control overview

The Microsoft cloud security benchmark (MCSB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multi-cloud environment.
This benchmark focuses on cloud-centric control areas with input from a set of holistic Microsoft and industry security guidance that includes:

- Cloud Adoption Framework: Guidance on security, including strategy, roles and responsibilities, Azure Top 10 Security Best Practices, and reference implementation.
- Azure Well-Architected Framework: Guidance on securing your workloads on Azure.
- The Chief Information Security Officer (CISO) Workshop: Program guidance and reference strategies to accelerate security modernization using Zero Trust principles.
- Other industry and cloud service provider security best practice standards and frameworks: Examples include the Amazon Web Services (AWS) Well-Architected Framework, Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

SOURCE: MS Learn

Controls and descriptions

Click the control link to see the whole description; the column on the right side shows only the short one.

Network Security
Network Security covers controls to secure and protect networks, including securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS.

Identity Management
Identity Management covers controls to establish a secure identity and access controls using identity and access management systems, including the use of single sign-on, strong authentication, managed identities (and service principals) for applications, conditional access, and account anomaly monitoring.

Privileged access
Privileged Access covers controls to protect privileged access to your tenant and resources, including a range of controls to protect your administrative model, administrative accounts, and privileged access workstations against deliberate and inadvertent risk.

Data protection
Data Protection covers controls for data protection at rest, in transit, and via authorized access mechanisms, including discovering, classifying, protecting, and monitoring sensitive data assets using access control, encryption, key management and certificate management.

Asset Management
Asset Management covers controls to ensure security visibility and governance over your resources, including recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct).

Logging and Threat protection
Logging and Threat Detection covers controls for detecting threats in the cloud and enabling, collecting, and storing audit logs for cloud services, including enabling detection, investigation, and remediation processes with controls to generate high-quality alerts with native threat detection in cloud services.

Incident response
Incident Response covers controls in the incident response life cycle – preparation, detection and analysis, containment, and post-incident activities – including using Azure services (such as Microsoft Defender for Cloud and Sentinel) and/or other cloud services to automate the incident response process.

Posture and Vulnerability management
Posture and Vulnerability Management focuses on controls for assessing and improving cloud security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in cloud resources.

Endpoint security
Endpoint Security covers controls in endpoint detection and response, including the use of endpoint detection and response (EDR) and anti-malware services for endpoints in cloud environments.

Backup and recovery
Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected.
DevOps security
DevOps Security covers the controls related to security engineering and operations in the DevOps processes, including deployment of critical security checks (such as static application security testing and vulnerability management) prior to the deployment phase to ensure security throughout the DevOps process.

Governance and Strategy
Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, a unified technical strategy, and supporting policies and standards.

An example of the NS control

Here you can see the passed controls (green) and the controls which still have something to do (red).

If you click the asset name, Azure opens the details of the assessment:

- The navigation shows Exempt, Enforce, View policy definition and Open query.
- The panel shows the assessment severity, freshness interval, and MITRE ATT&CK tactics and techniques.
- The panel shows the description of the assessment, remediation steps if there are any (in most cases this quick fix does not work), and the affected resources.

Example of a policy definition

Available compliance standards in Defender for Cloud

| Standard | Cloud(s) |
|---|---|
| EU 2022 2555 (NIS2) 2022 | Azure, AWS, GCP |
| EU General Data Protection Regulation (GDPR) 2016 679 | Azure, AWS, GCP |
| NIST CSF v2.0 | Azure, AWS, GCP |
| NIST 800 171 Rev3 | Azure, AWS, GCP |
| NIST SP 800 53 R5.1.1 | Azure, AWS, GCP |
| PCI DSS v4.0.1 | Azure, AWS, GCP |
| CIS AWS Foundations v3.0.0 | AWS |
| CIS Azure Foundations v2.1.0 | Azure |
| CIS Controls v8.1 | Azure, AWS, GCP |
| CIS GCP Foundations v3.0 | GCP |
| CIS Google Cloud Platform Foundation Benchmark | GCP |
| CIS Azure Kubernetes Service (AKS) Benchmark | Azure |
| CIS Amazon Elastic Kubernetes Service (EKS) Benchmark | AWS |
| CIS Google Kubernetes Engine (GKE) Benchmark | GCP |
| HITRUST CSF v11.3.0 | Azure, AWS, GCP |
| SOC 2023 | Azure, AWS, GCP |
| SWIFT Customer Security Controls Framework 2024 | Azure, AWS, GCP |
| ISO IEC 27001:2022 | Azure, AWS, GCP |
| ISO IEC 27002:2022 | Azure, AWS, GCP |
| ISO IEC 27017:2015 | Azure, AWS, GCP |
| Cybersecurity Maturity Model Certification (CMMC) Level 2 v2.0 | Azure, AWS, GCP |
| AWS Well Architected Framework 2024 | AWS |
| Canada Federal PBMM 3.2020 | Azure, AWS, GCP |
| APRA CPS 234 2019 | Azure, AWS |
| CSA Cloud Controls Matrix v4.0.12 | Azure, AWS, GCP |
| Cyber Essentials v3.1 | Azure, AWS, GCP |
| Criminal Justice Information Services Security Policy v5.9.5 | Azure, AWS, GCP |
| FFIEC CAT 2017 | Azure, AWS, GCP |
| Brazilian General Data Protection Law (LGPD) 2018 | Azure, AWS, GCP |
| NZISM v3.7 | Azure, AWS, GCP |
| Sarbanes Oxley Act 2022 (SOX) | Azure, AWS, GCP |
| NCSC Cyber Assurance Framework (CAF) v3.2 | Azure, AWS, GCP |
| Australian Government ISM Protected | Azure |
| FedRAMP 'H' & 'M' | Azure |
| HIPAA | Azure |
| RMIT Malaysia | Azure |
| SOC 2 | Azure, GCP |
| Spanish ENS | Azure |
| California Consumer Privacy Act (CCPA) | AWS, GCP |
| UK OFFICIAL and UK NHS | Azure |
| AWS Foundational Security Best Practices | AWS |
| CRI Profile | AWS, GCP |
| NIST SP 800-172 | AWS, GCP |

The list of compliance standards was updated in February 2025: https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes#31-new-and-enhanced-multicloud-regulatory-standards-coverage

Add a built-in compliance standard to Azure

To add or manage compliance standards you can click the "Manage compliance standards" link at the top.

Manage compliance standards.

Or you can go to the subscription's environment settings and choose Security policies.

Choosing Security policies.

Make your own custom security standard and recommendation

There are prerequisites when you want to create your own:

- You need Owner permissions on the subscription to create a new security standard.
- You need Security Admin permissions to create custom recommendations.
- To create custom recommendations based on KQL, you must have the Defender CSPM plan enabled. All customers can create custom recommendations based on Azure Policy.
- Review support in Azure clouds for custom recommendations.
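Before building your own standard it helps to look at the data the dashboard is built from: the "Run a query" option on the dashboard opens Azure Resource Graph over the securityresources table, and the same KQL dialect is what Defender CSPM custom recommendations use. The query below is an added example, not code from this post, that summarises the pass rate per assigned standard and subscription; it assumes the subscriptions are onboarded to Defender for Cloud, that standards such as CIS Azure and NIST SP 800-53 are already assigned, and that the standard and control names appear in the resource id path as regulatoryComplianceStandards/.../regulatoryComplianceControls/....

```kql
// Added example (not from the original post). Run it in Azure Resource Graph
// Explorer, or with: az graph query -q "<query>"
// Assumption: the regulatory compliance rows are exposed in securityresources
// with the standard and control names inside the resource id path.
securityresources
| where type == "microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments"
// The standard and control names live only in the id, so pull them out of it
| extend standard = extract(@"/regulatoryComplianceStandards/([^/]+)/regulatoryComplianceControls", 1, id)
| extend control  = extract(@"/regulatoryComplianceControls/([^/]+)/regulatoryComplianceAssessments", 1, id)
// state is Passed, Failed, Skipped or Unsupported; the resource counters say how many assets each assessment touched
| extend state   = tostring(properties.state)
| extend failed  = toint(properties.failedResources),
         passed  = toint(properties.passedResources),
         skipped = toint(properties.skippedResources)
// Drop assessments that apply to no resource in this scope; they would only inflate the totals
| where failed + passed + skipped > 0
| summarize assessments       = count(),
            failedAssessments = countif(state == "Failed"),
            failedResources   = sum(failed),
            passedResources   = sum(passed)
  by subscriptionId, standard
// Skipped and Unsupported assessments are not counted as failures, matching the "something to do" red marker
| extend passRatePct = round(100.0 * (assessments - failedAssessments) / assessments, 1)
| project subscriptionId, standard, passRatePct, failedAssessments, assessments, failedResources, passedResources
| order by passRatePct asc
```

Filtering the same rows to state == "Failed" and projecting the control name with properties.description gives the per-control detail behind the red circles in the dashboard.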
Create your own selection

On the same Security policies panel you can click "+ Create" to start creating your own standard or recommendation. There is a good article about it in MS Learn.

Resources

- Assigning compliance standards in Defender for Cloud.
- Service Trust Portal is the place to look for papers on regulations, standards, guides, etc.

That was a quick scratch of the surface of Regulatory Compliance for Azure resources. It will help if you need to audit your resources against a certain standard. The next topic is about workload protection in Azure. Thanks for reading!

The parts of the MDC blog series

- Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
- Part 1: Getting started aka Setup
- Part 2: The Asset Inventory
- Part 3: Security posture
- Part 4: Security recommendations
- Part 5: Security alerts
- Part 6: Attack path analysis
- Part 7: Cloud security explorer
- Part 8: Workbooks
- Part 9: Regulatory compliance
- Part 10: Workload protections
- Part 11: Data and AI security
- Part 12: Firewall manager
- Part 13: DevOps security
- Part 14: Environment settings
- Part 14A: Defender Plans
- Part 14B: Security policies
- Part 14C: Email notifications, Workflow automation and Continuous Export, Security solutions
- Part 15: Community

Jussi Metso

The author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.