Jussi Metso

It’s all about The Cloud and The Security

March 13, 2025 | May 25, 2025

Defender for Cloud – Part 9: Regulatory compliance


Overview


Microsoft Defender for Cloud provides Regulatory Compliance capabilities to help organizations assess and maintain compliance with industry standards, frameworks, and regulatory requirements. It continuously monitors cloud resources and provides insights into security posture, ensuring alignment with compliance benchmarks.

So if you need to see how the resources in your Azure / AWS / GCP environment comply with a chosen compliance benchmark, for example for an audit, it is very easy. Just enable the standard you want and wait for the results. It usually takes 24 hours for the results to arrive.

You can find the Regulatory compliance “Dashboard” in Defender for Cloud under the Cloud Security section:

Main view in Regulatory compliance.

In the dashboard you can:

  • Get a summary of standards controls that have been passed.
  • Get a summary of standards that have the lowest pass rate for resources.
  • Review standards that are applied within the selected scope.
  • Review assessments for compliance controls within each applied standard.
  • Get a summary report for a specific standard.
  • Manage compliance policies to see the standards assigned to a specific scope.
  • Run a query to create a custom compliance report.
  • Create a “compliance over time workbook” to track compliance status over time.
  • Download audit reports.
  • Review compliance offerings for Microsoft and third-party audits.
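
The "lowest pass rate" summary and the custom compliance report from the list above can also be reproduced offline from exported data. The following is an added example, not code from the original post: it assumes the export is a list of per-standard records carrying passedControls, failedControls, skippedControls and unsupportedControls counters (the shape of the Microsoft.Security regulatoryComplianceStandards resource as assumed here), and the standard names and numbers are constructed sample values.

```python
"""Added example: rank compliance standards by control pass rate."""
import json

# Constructed sample shaped like a list of regulatoryComplianceStandards
# resources (field names are an assumption; check them against your export).
SAMPLE_EXPORT = json.loads("""
[
 {"name": "Microsoft-cloud-security-benchmark",
  "properties": {"state": "Failed", "passedControls": 41, "failedControls": 22,
                 "skippedControls": 3, "unsupportedControls": 0}},
 {"name": "CIS-Azure-2.0.0",
  "properties": {"state": "Failed", "passedControls": 60, "failedControls": 15,
                 "skippedControls": 0, "unsupportedControls": 5}},
 {"name": "NIST-SP-800-53-R5",
  "properties": {"state": "Failed", "passedControls": 120, "failedControls": 180,
                 "skippedControls": 10, "unsupportedControls": 0}},
 {"name": "Custom-standard-not-yet-assessed",
  "properties": {"state": "Unsupported", "passedControls": 0, "failedControls": 0,
                 "skippedControls": 0, "unsupportedControls": 12}}
]
""")


def pass_rates(standards):
    """Return (assessed rows sorted by lowest pass rate, names with no data)."""
    rows, no_data = [], []
    for std in standards:
        props = std.get("properties", {})
        passed = int(props.get("passedControls", 0))
        failed = int(props.get("failedControls", 0))
        assessed = passed + failed  # skipped/unsupported controls carry no verdict
        if assessed == 0:
            no_data.append(std["name"])  # e.g. results not in yet (first 24 hours)
            continue
        rows.append({"standard": std["name"], "passed": passed, "failed": failed,
                     "pass_rate": round(100.0 * passed / assessed, 1)})
    rows.sort(key=lambda r: (r["pass_rate"], r["standard"]))
    return rows, no_data


def below_threshold(standards, minimum_pct):
    """Names of assessed standards whose pass rate is under minimum_pct."""
    rows, _ = pass_rates(standards)
    return [r["standard"] for r in rows if r["pass_rate"] < minimum_pct]


if __name__ == "__main__":
    ranked, pending = pass_rates(SAMPLE_EXPORT)
    for r in ranked:
        print(f'{r["pass_rate"]:5.1f}%  {r["standard"]}  ({r["failed"]} failed controls)')
    print("No results yet:", ", ".join(pending) or "none")
```

Standards with no assessed controls are reported separately instead of being shown as 0 %, so a freshly enabled standard is not mistaken for a failing one.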

Some key features of Regulatory compliance

The core is the built-in compliance standards

Defender for Cloud comes with pre-configured compliance standards, including:

  • Microsoft Cloud Security Benchmark – Microsoft’s best practices for security.
  • CIS Benchmark – Center for Internet Security guidelines.
  • NIST 800-53 – A standard for U.S. federal agencies.
  • ISO 27001 – An international information security standard.
  • NIS2 – EU’s updated framework for cybersecurity.
  • PCI DSS – Payment Card Industry Data Security Standard for handling credit card transactions.
  • SOC 2 – Security and trust standards for cloud services.

Additionally, you can add custom regulatory standards to align with organizational policies. I’ll show this later.

Compliance Dashboard

  • Provides a real-time compliance score showing how well your cloud resources align with selected frameworks.
  • Highlights non-compliant resources and provides remediation recommendations.

Security Controls & Recommendations

  • Defender for Cloud evaluates your environment against regulatory requirements and generates actionable security recommendations.
  • Example: If your virtual machines lack encryption, it suggests enabling Azure Disk Encryption to meet compliance needs.

Continuous Monitoring & Alerts

  • Compliance is continuously monitored, and security posture updates dynamically as resources change.
  • Integration with Microsoft Sentinel allows security teams to receive alerts on non-compliant resources.

Compliance Reports & Audits

  • Export compliance reports in formats suitable for auditors and security teams.
  • Provides evidence for regulatory audits with detailed insights into compliance status.

Compliance in Azure

In my example I have chosen 2 extra standards, CIS Azure 2.0.0 and NIST SP 800 53 R5:

MCSB, aka Microsoft cloud security benchmark, is always on once you have onboarded subscriptions to Defender for Cloud.

Under the selected benchmark you can see the top levels and the controls related to that MCSB benchmark. If a top level starts with a red circle with a white x in it, there is something to do in resources which are not compliant.

MCSB control overview

The Microsoft cloud security benchmark (MCSB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multi-cloud environment. This benchmark focuses on cloud-centric control areas with input from a set of holistic Microsoft and industry security guidance that includes:

  • Cloud Adoption Framework: Guidance on security, including strategy, roles and responsibilities, Azure Top 10 Security Best Practices, and reference implementation.
  • Azure Well-Architected Framework: Guidance on securing your workloads on Azure.
  • The Chief Information Security Officer (CISO) Workshop: Program guidance and reference strategies to accelerate security modernization using Zero Trust principles.
  • Other industry and cloud service providers security best practice standards and framework: Examples include the Amazon Web Services (AWS) Well-Architected Framework, Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

SOURCE: MS Learn

MCSB control descriptions

Click the control link to see the whole description. The column on the right side shows only the short one.

Network Security

Network Security covers controls to secure and protect networks, including securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS.

Identity Management

Identity Management covers controls to establish a secure identity and access controls using identity and access management systems, including the use of single sign-on, strong authentications, managed identities (and service principals) for applications, conditional access, and account anomalies monitoring.

Privileged access

Privileged Access covers controls to protect privileged access to your tenant and resources, including a range of controls to protect your administrative model, administrative accounts, and privileged access workstations against deliberate and inadvertent risk.

Data protection

Data Protection covers control of data protection at rest, in transit, and via authorized access mechanisms, including discover, classify, protect, and monitor sensitive data assets using access control, encryption, key management and certificate management.

Asset Management

Asset Management covers controls to ensure security visibility and governance over your resources, including recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct).

Logging and Threat detection

Logging and Threat Detection covers controls for detecting threats on cloud, and enabling, collecting, and storing audit logs for cloud services, including enabling detection, investigation, and remediation processes with controls to generate high-quality alerts with native threat detection in cloud services.

Incident response

Incident Response covers controls in incident response life cycle – preparation, detection and analysis, containment, and post-incident activities, including using Azure services (such as Microsoft Defender for Cloud and Sentinel) and/or other cloud services to automate the incident response process.

Posture and Vulnerability management

Posture and Vulnerability Management focuses on controls for assessing and improving cloud security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in cloud resources.

Endpoint security

Endpoint Security covers controls in endpoint detection and response, including use of endpoint detection and response (EDR) and anti-malware service for endpoints in cloud environments.

Backup and recovery

Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected.

DevOps security

DevOps Security covers the controls related to the security engineering and operations in the DevOps processes, including deployment of critical security checks (such as static application security testing, vulnerability management) prior to the deployment phase to ensure the security throughout the DevOps process.

Governance and Strategy

Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, unified technical strategy, and supporting policies and standards.

An example of an NS control

Here you can see the passed controls (green) and the controls which have something to do (red).

If you click the asset name, Azure opens the details of the assessment:

  1. The navigation shows Exempt, Enforce, View policy definition and Open query
  2. The panel shows the assessment Severity, Freshness interval, and MITRE ATT&CK tactics and techniques
  3. The panel shows the description of the assessment, remediation steps if there are any (in most cases this quick fix does not work and affected resources

Example of a policy definition

Available compliance standards in Defender for Cloud

Standard – Cloud(s)

  • EU 2022 2555 (NIS2) 2022 – Azure, AWS, GCP
  • EU General Data Protection Regulation (GDPR) 2016 679 – Azure, AWS, GCP
  • NIST CSF v2.0 – Azure, AWS, GCP
  • NIST 800 171 Rev3 – Azure, AWS, GCP
  • NIST SP 800 53 R5.1.1 – Azure, AWS, GCP
  • PCI DSS v4.0.1 – Azure, AWS, GCP
  • CIS AWS Foundations v3.0.0 – AWS
  • CIS Azure Foundations v2.1.0 – Azure
  • CIS Controls v8.1 – Azure, AWS, GCP
  • CIS GCP Foundations v3.0 – GCP
  • CIS Google Cloud Platform Foundation Benchmark – GCP
  • CIS Azure Kubernetes Service (AKS) Benchmark – Azure
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark – AWS
  • CIS Google Kubernetes Engine (GKE) Benchmark – GCP
  • HITRUST CSF v11.3.0 – Azure, AWS, GCP
  • SOC 2023 – Azure, AWS, GCP
  • SWIFT Customer Security Controls Framework 2024 – Azure, AWS, GCP
  • ISO IEC 27001:2022 – Azure, AWS, GCP
  • ISO IEC 27002:2022 – Azure, AWS, GCP
  • ISO IEC 27017:2015 – Azure, AWS, GCP
  • Cybersecurity Maturity Model Certification (CMMC) Level 2 v2.0 – Azure, AWS, GCP
  • AWS Well Architected Framework 2024 – AWS
  • Canada Federal PBMM 3.2020 – Azure, AWS, GCP
  • APRA CPS 234 2019 – Azure, AWS
  • CSA Cloud Controls Matrix v4.0.12 – Azure, AWS, GCP
  • Cyber Essentials v3.1 – Azure, AWS, GCP
  • Criminal Justice Information Services Security Policy v5.9.5 – Azure, AWS, GCP
  • FFIEC CAT 2017 – Azure, AWS, GCP
  • Brazilian General Data Protection Law (LGPD) 2018 – Azure, AWS, GCP
  • NZISM v3.7 – Azure, AWS, GCP
  • Sarbanes Oxley Act 2022 (SOX) – Azure, AWS, GCP
  • NCSC Cyber Assurance Framework (CAF) v3.2 – Azure, AWS, GCP
  • Australian Government ISM Protected – Azure
  • FedRAMP ‘H’ & ‘M’ – Azure
  • HIPAA – Azure
  • RMIT Malaysia – Azure
  • SOC 2 – Azure, GCP
  • Spanish ENS – Azure
  • California Consumer Privacy Act (CCPA) – AWS, GCP
  • UK OFFICIAL and UK NHS – Azure
  • AWS Foundational Security Best Practices – AWS
  • CRI Profile – AWS, GCP
  • NIST SP 800-172 – AWS, GCP

The list of compliance standards was updated in February 2025: https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes#31-new-and-enhanced-multicloud-regulatory-standards-coverage

Add built-in compliance standard to Azure

To add or manage compliance standards, you can click the “Manage compliance standards” link at the top.

Manage compliance standards.

Or you can go to the subscription’s environment settings and choose Security policies.

Choosing Security policies.

Make your own custom security standard and recommendation

There are prerequisites when you want to create your own ones:

  • You need Owner permissions on the subscription to create a new security standard.
  • You need Security Admin permissions to create custom recommendations.
  • To create custom recommendations based on KQL, you must have the Defender CSPM plan enabled. All customers can create custom recommendations based on Azure Policy.
  • Review support in Azure clouds for custom recommendations.

On the same Security policies panel you can click “+Create” to start creating your own standard or recommendation.

There’s a good article in MS Learn.

Resources

Assigning compliance standards in Defender for Cloud.

The Service Trust Portal is a place to look for papers on regulations, standards, guides etc.

This was a scratch of Regulatory Compliance for Azure resources. It will help if you need to audit your resources against a certain standard.

The next topic is about workload protection in Azure.

Thanks for reading!

The parts of the MDC blog series

 
  • Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
  • Part 1: Getting started aka Setup 
  • Part 2: The Asset Inventory 
  • Part 3: Security posture
  • Part 4: Security recommendations
  • Part 5: Security alerts
  • Part 6: Attack path analysis
  • Part 7: Cloud security explorer
  • Part 8: Workbooks
  • Part 9: Regulatory compliance
  • Part 10: Workload protections
  • Part 10.5: Advanced Workload protection
  • Part 11: Data and AI security – The end of the series
Jussi Metso

The author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.
