For organizations planning to host IaaS or PaaS workloads in Microsoft Azure, Microsoft is publishing a series of blueprint samples built in to Azure to help you proactively manage and monitor your compliance obligations. Our most recent release is the Azure Canada Federal PBMM (Protected B, Medium Integrity, Medium Availability) Governance Blueprint. It maps a core set of Azure Policy definitions to specific controls for compliance with the Canadian Federal PBMM profile.
The free Azure Blueprints service helps cloud architects and information technology groups define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Blueprints can help speed the development and delivery of governed subscriptions, support the design of environments that comply with organizational standards and best practices, and scale to support production implementations for large-scale migrations.
Azure leads the industry with the deepest portfolio of more than 90 compliance offerings that meet a broad set of international and industry-specific compliance standards. This puts Microsoft in a unique position to help ease our customers’ burden in meeting their compliance obligations. In fact, many of our customers, particularly those in regulated industries, have expressed strong interest in being able to leverage our internal compliance practices for their environments with a service that maps compliance settings automatically. The Azure Blueprints service is our natural response to that interest. (Note, however, that customers are ultimately responsible for meeting the compliance requirements applicable to their environments and must determine for themselves whether particular information helps meet their compliance needs.)
To enable the adoption of cloud computing Canada Federal PBMM takes an integrated risk management approach. To support that approach, it developed a set of standardized cloud security controls, the Security Control Profile for Cloud-based GC Services suitable for both cloud service providers and GC departments and services. This document describes the baseline security controls that agencies must implement to adequately protect cloud-based GC services and related information with a PBMM security category. The GC cloud PBMM profile applies to GC programs and services that support sensitive government operations except for those concerning international affairs, defense, or federal-provincial affairs.
The Canada Federal PBMM Governance blueprint provides governance guardrails using Azure Policy which help towards Canada Federal PBMM attestation and enable customers to deploy a core set of policies for any Azure-deployed architecture. The control mapping documentation provides specific details on policies included within the blueprint and how they are mapped to various controls within the GC framework. When assigned to an architecture, resources will be evaluated by Azure Policy for non-compliance with assigned policies. These control mappings include:
- Account management. Helps with the review of accounts that may not comply with an organization’s account management requirements.
- Security attributes. Assigns Azure Policy definitions to monitor the use of security features.
- Audit generation. Helps ensure that ensure system events are logged by assigning Azure Policy definitions that audit log settings on Azure resources.
- Authenticator management. Assigns Azure Policy definitions to help ensure that system authenticators comply with the organization’s identification and authentication policy.
- Vulnerability scanning. Helps with the management of information system vulnerabilities.
- Boundary protection. Helps with the management and control of the system boundary.
- Protection of information at rest. Helps enforce organizational policy on the use of cryptograph controls to protect information at rest.
- Malicious code protection. Helps with the management of endpoint protection, including malicious code protection.
- Information system monitoring. Helps monitor a system by auditing and enforcing logging across and data security across Azure resources.
At Microsoft, we will continue this commitment to helping our customers leverage Azure in a secure and compliant manner. Over the next few months we plan to release more new built-in blueprints for HITRUST, FedRAMP, the Center for Internet Security (CIS) Benchmark, and other standards.
Learn more about the Azure Canada Federal PBMM Governance blueprint.