Over the past decade, we have seen a steady increase in the number of data breaches costing untold billions of dollars to businesses large and small in every industry and vertical globally. Part of this may be attributed to the evolving threat landscape with well-financed and skilled attackers leveraging threat vectors that seem to arise daily. The other part may be due to a lack of clear direction on how to mitigate and manage risk exacerbated by under-resourced organisations entrusted with managing the critical data of others as well as their own.
While well intended, the introduction of many administrative controls has led to an increasingly complex and hyper-connected digital world where most systems communicate although with little oversight or control. Regulatory compliance is intended to provide guidance to organisations responsible for the secure use, storage, and transmission of data but the ability to do so correctly has not been simple by any means.
Despite our best efforts, we still struggle to adopt and implement these regulations, facing threats from both those who seek to cause harm, such as cyber criminals, and from legal authorities, whose penalties for our violations may end up causing more financial damage than a breach. Recognising that its systems are among the most used in the world, Microsoft has taken responsibility to help its global customer base realise the full protection these regulations are intended to provide. This has led to the development of the Microsoft Compliance Manager, which can greatly benefit your organisation and leverage your existing investments in technology.
What Is It?
Microsoft Compliance Manager is a risk assessment tool based on your workflows that permits verification, tracking, and required assignments of regulatory compliance regarding your use of the Microsoft cloud such as Azure and Microsoft / Office 365. It’s worth noting that “regulatory compliance” is in reference to laws, regulations, guidelines, and relevant specifications around business processes. Violations of these regulations usually result in legal penalties up to and including federal fines.
As part of your Microsoft cloud license (assuming you have an Azure or 365 subscription) you’re able to manage this regulatory compliance using a shared responsibility model. Rather than introducing undue complexity normally associated with this type of control, the Compliance Manager includes a centralized dashboard. Here, you can view standards and regulations along with details about the implementation of the controls as well as test results for Microsoft Service Assessments. Best of all, it includes tools that permit management of bespoke controls and compliance that is organisation specific.
It’s good to know that Microsoft has essentially removed a lot of the guesswork that leads to accidental exposures, a lack of awareness, or hefty fines and is able to help you regardless of the regulatory compliance you must adhere to.
So what can we do with it? I’m glad you asked! Here are a few of the items I have found quite useful with Microsoft Compliance Manager:
· Combining the compliance information regarding cloud services for auditors and relevant authorities that relate to your organisation. This information is almost always requested, so this way it’s all at your fingertips when needed. This may vary depending on your industry, but at the core are common standards and regulations such as the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), the Health Insurance Portability and Accountability Act (HIPAA), and the European Union (EU) General Data Protection Regulation (GDPR).
· Keep a record of all compliance and assessment actions taken. These are great for project management, KPIs, budgetary planning, and so on. One thing many organisations are poor at is documenting and updating projects; this helps with that tedious task.
· Provide a “Compliance Score” against which progress can be tracked, which is helpful in two ways. First, you can prioritise your work (since we all have limited time, resources, and money) to focus on the more critical elements. Second, you can demonstrate to stakeholders that progress is being made and ensure the support (and funding) continues.
· One that I use the most is a secure repository to maintain documents, data, and other supporting documents related to the work we’re doing. Everything I need, for this activity, in one place, and secure. Great!
· For Excel junkies (it’s a brilliant yet badly underused product, and I love it), there are detailed reports that everyone needs, especially the auditors and other regulatory authorities.
Interested yet? You should be if compliance is a key target of yours in the next year.
Where Do I Start?
If you’ve come this far, then it’s fair to say that you have a need to meet some type of compliance and that Microsoft Compliance Manager (MCM) is a good fit. As with many things, I cannot emphasise enough that you need a well-planned and methodical approach to implementing a new solution, and this is no different. Because it is a familiar Microsoft platform, some of the technical complexity is removed, but having the right people involved and asking the right questions is crucial to success. Chief among these is understanding how the relationships between the components work.
At the top, you need to understand how Groups work within the MCM. Groups are basically containers you use to organise items such as assessments, along with common items such as information and workflows shared between the same or related controls. For example, if different assessments share the same control, such as a customer-managed control, the common factors synchronise between the two to reduce duplication and overlap. To me, this is a massive time-saver and keeps everything neat and tidy.
Next, we look at the Assessments. The term “assessment” can be vague, so allow me to clarify what it means in the MCM context. They’re containers that organise the controls shared between your organisation and Microsoft that assess cloud security and compliance risks. Assessments help implement the safeguards required by the regulatory compliance relevant to your industry, which is quite helpful and goes a long way towards achieving your compliance goals. By default three assessments are configured: Office 365 ISO 27001, Office 365 NIST 800-53, and Office 365 GDPR, three of the biggest out there.
These assessments include many components, such as:
· In-Scope Services, which apply to a specific set of Microsoft services that you likely use.
· Microsoft-managed controls, a set of compliance controls for applicable standards and regulations that Microsoft implements for each cloud service.
· Customer-managed controls, implemented by your organisation when you are responsible for acting upon each control.
· An Assessment Score, which is the percentage of the total possible score for your customer-managed controls in the Assessment. This assists in tracking the implementation of the actions assigned to each control so you can monitor progress.
Speaking of Controls, these are compliance process containers in MCM which define how compliance activities are managed, and they are organised into control families aligned with the structure of the corresponding certifications or regulations. They consist of three key parts: Control ID (the name of the control and its corresponding compliance standard), Control Title (the title of the Control ID from its corresponding compliance standard), and Description (I shouldn’t need to elaborate here). With regards to GDPR, there is also the “Article ID”, relating to GDPR assessments only.
There are three types of controls you should know as well. First is the Microsoft Managed Control, which is required by the regulators Microsoft must comply with, so basically these are built in and not up for debate as to whether they’re needed or not. Second are the customer-managed controls that you are responsible for. Thankfully, Microsoft makes the implementation of these much simpler than having to go it alone, and they have built-in workflow management. Third, there are Shared Management Controls that fall under both your responsibility and Microsoft’s; examples are password management and encryption, quite important if you ask me!
While it may seem like a lot to take in, it’s quite important you invest the time and effort now rather than pay the price later.
Next are Action Items, which are the tasks you must do to achieve compliance; they are trackable through the relevant dashboard so you can monitor progress. Normally an action is performed by one person and then verified by another just to make sure it’s been correctly implemented. This is not micro-management; this is simply best practice and protects all involved.
Permissions are another key component of MCM, so that you can control who does what, leveraging a role-based access control (RBAC) model. Each permission must be explicitly assigned, and the previous Guest role no longer exists, thankfully, as it did have a tendency to cause some headaches.
Managing Evidence must also be considered, as MCM can keep track of and protect all artefacts such as documents and files. Better still is how it also preserves telemetry data about what is being and has been done to keep a full end-to-end record of works and tasks. In forensics, this is incredibly valuable.
So now that we have a pretty good grip on MCM, and we know of the three default assessments included such as ISO, NIST, and GDPR, what else is available? As of this writing, there were an additional 14 compliance templates available such as ISO 27018, the NIST Cybersecurity Framework (one of my favourites), Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) 3.0.1, HIPAA, IRAP and more. It doesn’t take long to realise how useful the MCM is!
For Australian customers, there is some exceptionally good news in this regard. Many of the conversations I have revolve around the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) strategies to mitigate cyber security incidents. In 2018, Microsoft became the very first global cloud service provider to be certified for “Protected” data by the ASD for both Microsoft Azure and Office 365. That is a massive advantage in information assurance.
As part of the checks and balances every two years, an Information Security Registered Assessors Program (IRAP) assessment of Microsoft systems is undertaken by a fully-independent auditor. This identifies conformance by Microsoft against more than 800 controls required to achieve “Protected” certification under ACSC’s risk management framework. It’s also updated and the newest portfolio includes services such as Microsoft Teams.
This regular IRAP assessment provides assurance that the Microsoft cloud is adequately secured, but the onus of protecting an individual tenancy still resides with customers, so be sure to undertake your own assessments.
That’s all well and good, you think, but how do we quantify all of this? That’s where the Compliance Score comes in. This is a feature of the Microsoft 365 Compliance Centre that clarifies your organisation’s compliance posture and is based on a calculated, risk-based score that measures your progress against regulatory standards. Kind of a “report card” if you like (try bringing that home to your parents!). It’s also worth noting this is integrated with the Microsoft Secure Score for synchronised items, so if you were working on something separate, you may find it benefits what you’re trying to do for compliance.
Australian customers can leverage this Compliance Score to assist with the assessment of their Office 365 tenancy against these ACSC ISM requirements while identifying steps needed to bolster their security and compliance posture.
How Do I Make It Work?
The easiest part is acquiring MCM in the first place because you likely already have it as part of your licensing agreement. If you don’t have access to it, the upgrade to access it should be relatively straightforward. Don’t be afraid to ask for any help and ask us any questions to make sure you get exactly what you need. I often find we heavily invest in tech only to use a small portion of it. If you have access to MCM, please use it.
I won’t go into extreme detail, as getting started is relatively straightforward, but if you’re not comfortable tackling it alone (which I suspect many would not be) let us help. Once you log onto the Microsoft Service Trust Portal with your account details, you launch Compliance Manager from the main page. You’ll most likely be presented with a dashboard and, from here, you can see your compliance scores and so on.
While there are a number of things you can do, many are menu-driven and easy to navigate, but we do recommend understanding what each is and what it does. You can review the assessments and, often, the Microsoft-managed controls are already implemented and complete since they are Microsoft’s responsibility. From here, you can drill into each component (both Microsoft- and customer-owned) to better understand what each item is.
Rather than leaving you to blindly guess at how to implement the controls, Microsoft has a wealth of information on tap about each control, what it does, what it impacts, and a relevant risk score. Where these are linked between several assessments, you can avoid duplication of effort and be more efficient. One of the handiest features I’ve found is direct links to other Microsoft ecosystem technologies to address the control need, and links to supporting knowledge articles so you don’t have to go digging constantly. To me, this is a massive time saver!
You can assign actions to the responsible parties and, underpinned with your administrative controls (RBAC based, Just-In-Time, Just-Enough-Administration) you can ensure the right people are involved to implement the control. The administrator receives the notification and can see all of their assignments (often just by following the link) sorted by the tabs of the various control and compliance frameworks implemented.
An administrator can then implement the control, keep notes (PLEASE, for the love of all that is good, keep your documentation up to date!) and then mark it as implemented. It can then be reassigned to a compliance officer or similar for review. From there it can be tested, marked as passed (or failed if more work needs to be done) and then ultimately reflected in the dashboards.
What I find interesting is how other assessments automatically update and reflect it in their compliance score by virtue of implementing controls aligned with other assessments. It really makes tackling the implementation of a compliance framework that much easier. Well, “easy” being a relative and subjective term, but when it comes to this stuff, we need all the help we can get, right?
There is a lot more here, but I’ll trust that you’ll ask the right questions and get the right people involved and again, please reach out to us if you need a little push in the right direction!
While the process of using Microsoft Compliance Manager makes things a whole lot easier, you’re not off the hook that easy! The actions provided are recommendations only; you must evaluate them in their respective regulatory environments before actually implementing them. Microsoft clearly states that these are not a guarantee of compliance; that ultimately rests with you (but it does give you a really good head start!)
You must also accept that the Compliance Score is not an absolute measure of organisational compliance against standards or regulations. It’s just a guideline about how you have adopted controls to reduce risks to data and privacy. To be fair, there are no services that can guarantee that you are fully compliant with any standard or regulation, so be sure to make clear to anyone who views the score that it is by no means a guarantee.
Ghosts in the Machine?
The spectre of human error can certainly appear when implementing any kind of regulatory compliance control framework. Touching nearly every aspect of your organisation, this is more than just an IT matter; it’s a whole-of-business matter. Since there are legal elements to nearly all of these regulatory compliance regimes, involvement of your legal team or counsel is a must. Never assume; always ask.
Beside human error, three of the most common issues I encounter include too many layers, a lack of integration, and a lack of visibility. Thankfully, by using MCM, you reduce the layers by remaining inside of the Microsoft ecosystem. Integration is nearly a foregone conclusion for the same reason, and the MCM dashboards and metrics monitored and analysed make visibility much more relevant to your compliance requirements.
At this point, the most likely missing item is either a plan to proceed with MCM, or the ability to leverage it because you do not yet have the licenses available. If you are like many organisations, you will have some form of regulatory compliance you must adhere to, so asking the right questions internally is a great place to start in finding out what, if anything, is missing. At the same time, please don’t hesitate to pick up the phone and give us a call, send us an email, reach out to your local account manager, or even message me directly through any of my channels like LinkedIn. We can certainly help you get moving on the path towards compliance today!
From my view, Microsoft Compliance Manager is well worth the investment of time and money when you consider what is at stake.
Stay safe out there!
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.