
Microsoft Compliance Manager

Mar 11, 2022 · 47 min · Season 1, Ep. 48

Episode description

We chat with Al Eardley about Compliance, Security and Microsoft Compliance Manager, as well as news about CosmosDB, Azure Load Testing, CodeQL, Azure Active Directory, Zero Trust, Sentinel and new cyber blog from Microsoft.

Transcript

Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 48. This week it's the whole gang here, it's myself, Michael, with Gladys, Sarah and Mark. We also have a guest, Al Eardley, who's here to talk to us about Compliance Manager and security scores. But before we get to Al, why don't we take a lap around the news? Sarah, why don't you kick things off?

Sure. I will kick things off with some very unsurprising coverage from myself. I'm going to talk about what's new in Sentinel. We did mention on the news that we had an event last week, which was talking about some of the new features and product releases that we've had. We did it instead of RSA because RSA has been postponed. A lot of cool things from a lot of different products, but let me pick some of my favorites.

First off, in Sentinel, we now have a MITRE support coverage mapping thing, which is very cool. I know a lot of customers have been asking for it. If you go and open it up, you can see where you actually have coverage in Sentinel against those different tactics in the MITRE framework. You can also have a look at Azure Purview data. The other two that I'm really excited about are, you can search archived logs. When I say search, essentially we're doing something called basic logs.

What it means is they're a lot cheaper to store things in. You can't do everything across them. They have some limitations, but it's basically a way to keep data for a longer period of time in Sentinel that you don't need to actively query, but you may need for something else later down the track. That's gone into public preview. That one's definitely worth checking out.

Also, you can manually run playbooks on the incident trigger, which makes me a very happy lady, something that we've needed for quite a long time. I'm just going to stick with my Sentinel this week. Hey, Sarah, on the MITRE framework, that's MITRE ATT&CK, right? Yes. Oh, yes. I forget there's more than one MITRE now. There's a lot of different frameworks. Yes. Okay, cool. Yes. I have quite a few news items this week. The first one literally has just come across my desk.

That is that in GitHub, we have this tool called CodeQL, which is a static analysis framework. We now have added machine learning to it. For those of you not familiar with CodeQL, so the best way I think about CodeQL is imagine static analysis with a query language. In other words, there's an engine that runs and analyzes your code, it builds up essentially a database of the abstract syntax tree, like data flow analysis and so on of the code.

Then you can query that just like you can, essentially a database and the language is very SQL-esque. That's CodeQL. In fact, there are libraries of queries that you can download from GitHub. For example, you could say, if some data is entered at this point, then goes through here, here, and here, and then it is used in this particular way, and the data is of a certain shape, then that's a security vulnerability.

The really nice thing is it's almost democratizing the way people build queries into static analysis tools. That's CodeQL. Well, now we've just added machine learning. Now, it's in preview right now, but this is actually really cool because if you take the way static analysis tools work, they basically do data flow analysis and so on and so forth. Whereas, so you've got CodeQL, you've got deep logical analysis, deductive reasoning. Well, machine learning now does essentially inductive reasoning.

So it's inducing, you can actually say, hey, this code has a SQL injection vulnerability in it, and it can deduce the paths and the data that actually ends up getting there. So it's machine learning. You say, yeah, that really is a SQL injection vulnerability or cross-site scripting or direct resheverts or whatever, or memory corruption. But yeah, this is actually really cool to see. I think this is going to be a really important product

moving forward. CodeQL already is, but I think adding machine learning is just adding that extra layer of applicability. The next one is a tool named CloudKnox; we actually purchased this company last year. I saw a demo of this a couple of weeks ago. This is actually really cool.

Essentially, the way I like to look at it is you deploy some solutions in Azure, or in fact, in this case, AWS or GCP, and you add RBAC policies, and you add authorization here and authorization there, and then over a period of time, you get this sort of permission creep, right? People leave the company, people change roles, people no longer need to have access to data, but the permission is still there. Well, CloudKnox lets you manage that.

And again, I saw a demo of this a couple of weeks ago, and I was pretty blown away because you can actually see all the change in permissions over a period of time, and actually just start querying it to find out, do people actually need these kinds of permissions or not? And that extends not just from Azure, it's Azure, AWS and GCP, which again is demonstrative of Microsoft's commitments through cross-cloud strategies.

The next one, which I'm gonna be honest, I've been waiting for this thing for a long time, and that is the ability to call APIs from your code to write your data to Microsoft, sorry, Azure Monitor logs. Sometimes you may want to have some custom data added to a log analytics workspace, while you can now do that relatively easily. It's in preview right now, the link's gonna be in the show notes, and you can sign up for that.

The next one, not really security related, but I've had a lot of customers just recently talking about distributed denial of service attacks, certainly with the current geopolitical issues that are going on with the Russian and Ukraine, and a lot of customers have been talking about it, about making sure they have appropriate mitigations in place around DDoS and other defenses as well, but certainly DDoS.

The tool that we now have available, it's in preview, it's called Azure Load Testing, and it's a way of simulating load across your Azure application, and frankly, if your application can't handle Azure Load Testing, it's probably not gonna be able to handle other kinds of attacks as well, other than the mitigations that come with Azure. So take a look at that, Azure Load Testing, not a direct security tool, but it certainly has some security ramifications.

The next one is, we've just introduced this in preview, Azure Active Directory with a multi-stage access review process. Again, this is this sort of feature, this RBAC creep, right, this sort of permission creep, and in this example, you can say, okay, Fred needs access to something, and he can go through a pipeline to get review. Historically, we could do it with multiple people, but it was sort of, everyone had to be in the same air quotes in the same room at the same time.

Now we actually have a process that can go into, into our workflow where someone can get signed off to allow them access to something. So that's awesome to see as well. The next item is a colleague of mine, Eric Bochane has started a new blog series called Introduction to Drafting a Winning Cybersecurity Strategy. It's really great material. Eric is one of those people who's really good at looking at the big picture, the sort of strategic picture around cybersecurity.

It's really well written, and a lot of it is really good, just good old common sense. And finally, Cosmos DB now has a Defender product, Microsoft Defender for Cosmos DB. It's very similar to the way Microsoft Defender for SQL Server works, in that it looks for things like access from sort of suspicious locations, as well as what you might consider suspicious data exfiltration. So pretty similar to what we're doing in SQL Server today. That's in preview.

So if using Cosmos DB, go ahead and kick the tires on it. Yeah, so from my side, there's really one key thing that I wanted to highlight. It's already been out there for a little bit, but I'm actually getting ready to do a webinar for it in a little bit live. The Zero Trust Commandments is out from the open group, and it's actually fully out. So you don't have to register anything like that for a free account and all that, like you used to. It's just you go to the link now.

So we put the link in the show notes. But the Zero Trust Commandments are the successor, the replacement for the original Jericho Commandments that kind of kicked off the whole Zero Trust thing and de-perimeterization. And how do you think about security in sort of this new practical way that doesn't rely on everything at the edge, for detection, for blocking, et cetera. And how do we now protect in this age where your devices could be anywhere, your apps, your data could be anywhere?

And so we really like the idea of the original Jericho Forum Commandments that were very clear, non-negotiable. Here are the rules, period. And so these Zero Trust Commandments are out. We kind of took that same style, updated them for the world today, took some direct and indirect inspiration from the original Jericho ones, and then adapted it to cloud and mobile and all the things that we deal with today, multi-cloud, you name it.

And these are really the second step of three to actually having Zero Trust becoming a global standard, which is kind of cool. And we're actually gonna cover that in the webinar, so we'll add the link to that if it's available. But effectively, we've started with the core principles, defining Zero Trust, what it is, et cetera. And then those really hardcore, non-negotiable rules of the road and the Zero Trust Commandments is within the open group.

By the way, the Open Group also does TOGAF, and they were the original ones that defined the Unix and POSIX standards, which was kind of crazy for me. I'm like, wow, these folks have been around for a while. And TOGAF is The Open Group Architecture Framework. So it's kind of an enterprise architecture standard. And then the one that's coming up is the Zero Trust reference model.

And so this is where we actually, and so the Zero Trust reference model that's coming out soon is where it becomes a standard. So we're taking the definitions, the rules and resolving those into a very specific, prescriptive model of, these are the different functions and capabilities that Zero Trust will produce. This is how they interact, how they work together, et cetera.

So really making Zero Trust real, and putting it out there as an open standard, through the standard open review process, et cetera, that the open group uses. So lots more cool stuff to come there, but definitely check out the Zero Trust Commandments in the meantime. So these are the rules of the road for Zero Trust in a very clear, unequivocal, non-negotiable, I think is the term we used. That's all I got for this week. Today my focus will be on identity related releases.

I am really excited about the unification work that we have been doing with Microsoft Defender services. As many of you know, a few years ago we saw the need for enabling cross-service collaboration and unification of insight in order to help customers to detect, respond, and recover faster. Well, Defender for Identity is now fully integrated into the Microsoft 365 Defender unified experience.

If you haven't seen it, I recommend watching the Microsoft 365 Defender Unified Experience for XDR video that the product group released. I have included the link on our website, but you could also search for it on YouTube. Again, the title is Microsoft 365 Defender Unified Experience for XDR. In addition, on February 20th, Defender for Identity added the shost attribute as part of the values that can be forwarded to your SIEM.

The shost field provides the account, usually this is the machine account, that is involved in the alert. Before this update, we only sent the user account. However, since many users can be used on multiple devices, we saw the opportunity to trigger automation within other Microsoft Defender services by providing this value. You can review the full CEF format by visiting the link I have provided on our site.

In addition, on that page, you will see a list of sample logs and expected values that we send to SIEMs, which comply with RFC 5424 and RFC 3164. All right, now the news is out of the way. Let's turn our attention to our guest. This week we have Al Eardley, who's here to talk to us about compliance and secure scores. Al, hey, welcome so much to the podcast. We'd like you to spend a moment introducing yourself to our listeners. Hey, yeah, thanks for having me. Great to be here.

So yeah, my name's Al Eardley. So I joined Microsoft about a year ago, working in the Microsoft Technology Center in the UK. For those who don't know what the Microsoft Technology Centers are, we're a global network of teams working in different locations. And our mission is to deliver immersive experiences and deep technical engagements for clients. So we really try and enable customers to understand how to apply Microsoft technology.

So we're really trying to help them overcome obstacles and understand the scope of what we can actually deliver from a Microsoft perspective. So one thing we're here to talk about is essentially secure score and compliance. So this is an area where, I spend quite a bit of time as well. I'm a big believer in compliance programs so long as people are realistic about them.

For example, I've mentioned to many, many customers, just because you're compliant doesn't necessarily mean you're secure, you're compliant. They're not necessarily the same thing. But that being said, I think if you're not compliant, I can almost guarantee you're probably not secure in many cases as well. I'm working with the customer right now in healthcare and we're going through a similar exercise with them right now.

So we're actually looking primarily at their Azure environment and looking at it from an ISO 27001 perspective and then helping that to drive NIST SP 800-53 controls. So is that kind of the sort of stuff that you work on? I mean, you work on the tooling and technology and advice for customers in that area? Absolutely. So we work with clients like the client you're working with who they have a need to demonstrate that they are adhering to a standard of one sort or another.

So whether that is a global standard like ISO 27001 or NIST or whether it's an industry standard like HIPAA or something like GDPR, clients who need to be able to demonstrate how they are compliant to those regulations. We provide a lot of information for them to help them understand the capabilities. But then importantly, to help them understand what actions they need to take to actually get to that compliant state.

How do they measure where they are to start with, work out what they need to actually do to get there, and then to help them plan what actions and activities they need to do to implement those standards. So when we're talking about this, are we talking about Azure or are we talking about Microsoft 365? It may be worthwhile explaining to our listeners the difference between Azure and Microsoft 365 and some of the compliance requirements that encompass those two environments.

Would you like to just spend a little moment to explain that? Absolutely. So where you're looking at, and I guess this almost comes down to the terminology as well, because we see a lot of different ways that the word in compliance is used in some of the context around this. So when we're thinking about Microsoft 365, it's software as a service.

So we're really talking about how we configure that service and how we configure the different tools that somebody may have purchased based on their license levels. And making sure that those tools are configured to deliver on what they need to actually adhere to based on the requirements that they're trying to aim for. So when we're talking about Microsoft 365, we've got a few things in there.

We've got compliance score, which is really talking about how they manage the content, how they manage the configuration of the compliance side of things in terms of measuring against the standards. And then you've got the secure score as well. That's really how we make sure that the environment is actually secured. They both play back to the standards that you might be trying to aim for. So those ISO and NIST standards. And then you've got Defender for Cloud, which is more of the Azure side.

And because that's not so much of the software as a service, as platform as a service, that's more, there's more flexibility and there's more, I guess granularity in terms of, you might have two SQL instances that are both set up, but they're configured slightly differently. So you'd be looking at those different instances discreetly in terms of how well they actually comply to the requirements that you are aiming for.

But when we're looking at the Microsoft 365 side of it, it's very much around how we configure the Microsoft 365 services that come with that tenant. That, you hit on something really interesting there. You said, compliance score and secure score. I've done a lot of work with secure score, especially in Microsoft Defender for Cloud, which was Azure Security Center.

And a lot of customers that I've worked with have focused on helping drive that number up, not artificially, actually driving it up with real, making real demonstrable, security improvements to their environment. But it's been very much around, around as your, there as your deployments. And in the Microsoft Defender for Cloud, I also see that there are compliance items in there as well.

So it'll say that you must encrypt, for example, volumes at rest for SQL Server, for example, multi-factor authentication, those kinds of things. And it'll then say that maps onto NIST SP 800-53, blah, blah, blah, blah, blah, or it maps onto the Azure Security Benchmark, blah, blah, blah, blah, blah, or it maps onto the Center for Internet Security requirements, one, two, three, four, and so on. But that's not compliance score though, right?

That is just how a set of controls in Azure maps to various compliance programs, but that is not compliance score. So could you explain compliance score? Yeah, so the compliance score element, I guess, is a different set of control. So it's really looking about how you're looking after your information where it's stored in Microsoft 365. So where you're classifying content, where you're labeling content, where you're applying the rules to protect that content.

So whether it's data loss prevention, whether it's conditional access to make sure that you're bringing together the risk of the user, the location of the content, the risk of the device.

But basically the compliance, we think of that more around how you're managing the content that you're storing and your interactions with that content as opposed to the secure score, which certainly in Microsoft 365 is looking more around how we secure the identity, how we authenticate, how we're minimizing the risk that somebody would present based on the device that they're using, the compliance of that device to certain benchmarks that you're setting as an organizational standard.

So it splits in terms of the compliance score, content once you're in, how do you access that content insider risks, how you're using the content, preventing it leaking out of the organization as opposed to the secure score, which is how do we make sure that whoever's coming into the organization is secure and is trustworthy. So it's slightly different.

So it gets the defender for cloud when you get to the Azure element, is more of that going back 15 years is what I would have called the hardening, the securing of the network, the implementations that you've got, the services that you've actually implemented, the configurations that you've set up. Does that make sense? Yeah, it does. I mean, is there an overlap? There is an overlap.

Okay. There is, and I guess this is where, I hear a lot of clients go, well, why are there three places that you can go to get different scores? Why can't we just make it one location where you can see everything? And I guess that would ideally be a much easier way to manage everything. There's a few reasons why they're separated. One is the people who are managing them, they might actually be different.

They might have different skill sets, different depth of understanding around different areas. And when you're thinking about the compliance manager, so the admin interface in Microsoft 365 around compliance, there's a lot of secure access that you need.

So there's a lot of elements within that that you're configuring and using to get that compliance score increased, where you have, I wouldn't say global admin, but you have very high levels of permissions to actually access contents across the board. Whereas the secure score is very much more traditional sort of infrastructure and identity management. So you've got different skill sets that's needed to actually manage these.

And it also very much depends on the license levels that you've actually purchased as to what services you can actually use to increase these scores. All of these controls are played back to the standards that you're actually aiming for. If you're looking at something like NIST 800-53, we're looking at, there's what, about 1200 controls there, which results just for the Microsoft 365 side of it in about 5,000 recommendations of things that you should actually configure.

So there's a lot of different recommendations of what you need to do to configure, to get the most out of the Microsoft 365 solutions and make them compliant with NIST SP 800-53. One of the things that we always try to do is speed up the tasks that the analysts are doing or the engineers are doing in the environment.

So I was gonna lead it kind of like, you know, we are as part of our strategy, we're always talking about meantime to acknowledge or remediate and how do we enable customers to move on all the recommendations, right? Does that make sense? Yeah, I think that making it as easy as possible to actually implement these recommendations is something that I think a lot of work has been put in around that.

So where you look at the recommendations in the interface, there's often a button to click to say configure it and to basically take you to exactly the right place to actually make the change that you need to make. So it is something that is made as easy as possible to allow people to manage. I think the other thing about those recommendations, you know, the number of recommendations is often clients will have, you know, potentially another solution in place.

They might be using as an interim solution or they might be using as a permanent solution. So they can mitigate some of those recommendations where maybe they don't need to implement them because they've got an alternate solution and some of them might need more planning before they actually roll them out.

So there's very much the sense that we're not just making those recommendations, we're giving clients the ability to manage those recommendations, to prioritize them and to track them as they actually roll them out and implement them. Having 5,000 recommendations is a little daunting for a lot of organizations when they first look at this. Yeah, so one thing you mentioned is not just other approximately 5,000 recommendations, but there's also 1,200 NIST SP 800-53 controls.

What sort of coverage do we have of those controls? I mean, is it 50%, 60%? You know, kind of roughly what do we have? I mean, I realize that there's some stuff in NIST, again, I mean, specific NIST SP 800-53 that is totally outside of our, or more accurately, the tenant's controls. So for example, things like, you know, doors on locks and so on is something that's a, you know, classic example of the shared responsibility model, right?

That is something that we, as you take care of, but then there's other things that the tenant can take control of. So roughly, you know, what sort of coverage do we have there?

I'm not sure of the exact percentage in terms of all of them, but what I would say is that, having been in a position where, you know, you're running an audit and you're presenting information back on those recommendations, those are the technical recommendations about what you can configure to make your tenants more compliant to those requirements. You can also download a spreadsheet of all of the recommendations.

And that spreadsheet actually has a whole load more recommendations which are outside of the remit of the technology. So where it's processes and documentation that the compliance manager can't really manage for you. So when you are in an organization and you're going through the auditing process and you have to demonstrate these things, there's probably another 5,000 or so controls or recommendations where you actually need to do those outside of the technology.

So all of those documentation and process, you know, interviews with users, as you say, the things that we can't influence from a technology perspective. So there's probably 50% of the technology and 50% that is process and documentation based on when you actually export the full list in the Excel export. So going back to helping a customer drive all those recommendations forward as fast as possible, how do we help them prioritize?

And the reason that I'm trying to focus on that is because I see other type of solutions that provide guidance, but then the customer have to go through the environment configuration and define which areas are being affected and what is the priority of each one of them. Can you explain a little bit about that? Each recommendation comes with a number of points that will contribute towards the scores.

So the scores are usually measured as a percentage and the total number of points and the achievable points is based on the licensing that's available. So where we have a recommendation, each recommendation will have a number of points that will allow you to move forward with your score. So you can prioritize based on the number of points and to get the most bang for the buck in terms of the way that a configuration will help move you forward.

And I guess one thing to point out here is that these three scores, the compliance score, the secure score, both in Microsoft 365 and in the secure score in Defender for Cloud, they all have the recommendations. They refer back to the assessments and to the measures against the standards in slightly different ways.

So the compliance score within the compliance manager is probably the most mature in terms of you can choose from I think it's about 700 different assessments and you can choose which ones to actually implement and that will give you those recommendations. They are very granular in terms of what they're allowing you to do. So you can have one recommendation that will hit multiple sets of requirements around the standards.

The secure score doesn't have quite the same granularity, doesn't have quite the same control in terms of which ones do you want to aim for. And the Defender for Cloud has a set of standards, but you can't really choose some of the more granular ones in terms of the much more regional requirements.

So where you've got state level legislation that you might want to adhere to, regions, specific industry ones, the compliance score will have far more choice in terms of the different assessments that you could be using there. So it sounds like it's a lot more granular than secure score. Don't get me wrong, I mean secure score is pretty granular, but it sounds like you go above and beyond very low level technical controls to higher level technical controls, but a heck of a lot more of them.

Like looking at the technical requirements through a compliance lens, is that a fair comment? I mean, as a security center, sorry, Microsoft Defender for Cloud, I still say it. They are very technical, they're very specific to specific services within Azure. They're not necessarily purely compliance driven. I mean, we do show the mappings on some various compliance programs.

But it's almost like the compliance part of it is like, I'm not going to say secondary, but it's, the prime focus is like, let's look at the technical controls by themselves, and these are best practices that you should do. Whereas in the Microsoft compliance, sorry, the Microsoft 365 compliance manager, compliance is like the goal. And then we look at what technical controls are required to support those goals. Is that a fair comment? Yeah, yeah, I think that is a fair comment.

I mean, the secure score and the hardening, yeah, things that you are going to be looking at putting in place. There's probably more granularity in the compliance scores because of the number of different elements that they're actually measuring and the way that those are applied to the 700-odd assessments that are available. But that being said, there'll be a lot that is common across a lot of those requirements.

So implementing MFA, for example, is something that you'd kind of think, well, that's a secure score kind of element, but it's in the compliance score as well. And it will apply to most of the requirements that are there. And it will have quite a high number of points associated with it. But then there's going to be some things that are far more granular, far more low level in terms of putting the automation in, that you might say, actually, we need to automatically apply labels.

We need to automatically be classifying our data based on the content. So those types of elements tend to be the more granular, lower level elements that are in the compliance score. So we've kind of just touched on ISO 27001 and NIST SP 800-53, and you mentioned HIPAA, for example. Are there other compliance programs that we consider in the compliance manager? There's about 700-odd assessments. So there's some out-of-the-box assessments. So we have some secure benchmarks that are in there.

We've got things like GDPR that's out of the box. But then there are a lot of more regional, more niche standards that you can get assessments for. So it will measure against things like the New Zealand GCIO, the Spain ENS, the Japan FISC. Then we've got things like FedRAMP, we've got NIST, we've got DoD. There's all sorts of different types of assessments that are available, depending on what an organisation needs to adhere to.

So they could choose those assessments based on their industry, based on where they are working, where they are operating. And the nice thing about these scores is that it will come up with one recommendation that will tick the box across multiple assessments. So if you are assessing yourself against ISO, NIST, GDPR, FedRAMP, then one recommendation could apply to requirements in all of those. So how do we ensure that there's no drift?

Many companies are looking at different compliance requirements, security compliance. So how do we make sure that they don't lose track of what is happening accordingly to these compliance requirements? A great question. And I think it really highlights, actually, that this isn't a one-off exercise that you do and then it's done. So there's a few things that are in place within these scores. So you can see the change in time.

So Microsoft updates the guidance in terms of how you adhere to the legislation, how you adhere to the standards. So if we update the technology, then there might be new options that you need to consider and configure appropriately. The assessments that we're using in terms of the checks that we're doing against a tenant, those will evolve as the requirements of the standards change, but also as the way the technology changes as well. So you need to keep on top of those updates.

So check in on a regular basis to make sure that you are accepting updates to the assessments that you're using, and then reviewing what you're actually doing in response to those as well, and making sure that you are consciously checking: should you change something, is there something new that you need to do? That is a key part of it. The scores don't stay static. They do carry on changing as we change the assessments.

And the other thing that's in quite a few of these is that to adhere to some of these requirements, you need to be checking things like the audit logs and checking incidents and making sure that you're actually responding to the outputs of some of the configurations that we're recommending you put in. So you can't just set it all up and go, OK, on the 1st of January, we've got a score of 100% because it will slowly go down if you don't check it.

So there are drift reports in there to show you what's changed, how your score has changed over time. And as I said, there are updates to the assessments which will change the recommendations that you need to carry out and how you need to configure things. My guess is, though, that the changes to assessments are relatively rigorous. What I mean by that, we don't just go and make changes.

If a compliance program changes, then we would make changes to obviously, also if our technology changes and obviously, yes, we would add new compliance requirements or new compliance checks. But we don't just sort of like willy-nilly just go in and just like, hey, that sounds like a good idea. Let's go and add something.

I know that Yuri Diogenes is going to get mad at me when I say this, but the Microsoft Defender for Cloud Secure Score, they're constantly adding new checks, but they're not driven by any compliance program. They're driven by folks saying, hey, we really need to start looking at these kinds of things. So for example, there's a set of requirements or sets of checks that are coming out soon. They're currently in preview for making sure that endpoints all use TLS, for example.

And if you have an endpoint that doesn't have TLS, your Secure Score is going to drop when those things go live. But my guess is that the checks that we do in the compliance score are a little bit more... Rigor is probably not the right word, but I'll just use the word rigorous right now. Yeah, I mean, they change all the time. And it's not always adding lots of things that need to be updated.

Sometimes it's just changing the way they're checking and because the legislation has changed slightly. In most cases, it's more because there's a new option that's been released. There's a new element of the technology which needs to be taken into account in order to make sure that you are retaining the level of compliance that you had previously. But if you don't check it, then the score just will continuously go down.

So you do need to actively be checking for those updates, consciously checking, do I need to actually make a change to something because of those updates? At some point, the rubber has to hit the road and an organization has to go through the whole compliance process with an independent auditor because we can't do it, Microsoft can't do it, as you can't do it, the customer can't do it, it has to be someone independent.

So how do we see this compliance score and Microsoft Compliance Manager being used in the real world? Like when an auditor is involved, what do we see? How do the auditors use this information, if at all? In my experience before joining Microsoft, we used a lot of these tools to actually get ourselves to being compliant with things like ISO 27001. And as you say, Microsoft can't certify an organization that they are compliant, we can't self certify. So we need to have auditors coming in.

One of the things that we did with the auditors was to agree how we were going to provide evidence of our compliance. So asking the question, what do you need me to show you when you come back in six months time so that I can demonstrate that I'm compliant?

These tools really help in that respect because we can then show an auditor, our compliance manager, so we can show them what we've done, we can show them that we are following the recommended best practice in terms of how we're configuring the platform, how we're configuring a Microsoft 365 tenant. And if they want to see those granular configurations, we can show them that. We can show them the audit logs if they want to see that.

We've then got the tools to be able to show them that and we can export the status, we can file that as a record of the point in time as part of that audit. So long as the auditors understand what we are showing them and they understand that we are providing that evidence, then that works out very well. And as I said earlier, a lot of what an auditor might actually be asking for may be things that are less technical.

They're not the configuration of the technology, but the processes that surround the technology. How do you respond to an incident that is raised? How do you respond to a violation of a sharing policy or a DLP policy, data loss prevention? And those are processes that we can't manage from within the tenant, within the compliance manager.

So we need to be clear with the auditors up front what we can show and tell them that's what we're going to show them, so they understand exactly what they're seeing and the value that it has in relation to the audit.

I think the other thing that we found whilst I was going through this with an organisation was some of our insurers were looking at these same tools, not from a compliance side so to speak, but from a security perspective to say, if we know that you have the right processes and the right security setup in place, then some of the insurance premiums could be reduced as well based on the same kind of evidence.

Yeah, it's funny you bring up that last point. I've been working with some folks in this area as well and where they're looking at things like Microsoft Defender for Cloud, Secure Score.

Actually, that's what we're looking at right now is exactly for this reason, is let's come up with a list of Secure Score settings or outcomes to show that not only is there a level of due diligence being done, but also that there are certain things in place that will actually reduce the cost of the premiums, as you say, for cybersecurity insurance.

In fact, one thing we've even been talking about is if your Secure Score is below a certain level, get it up to the specific level before we'll even talk to you. I think that's reasonable, right? This is something that's very objective, it's an objective measurement. If you're not doing the basics, then you're probably going to get whacked anyway and I probably wouldn't insure you either, to be honest with you.

Not that I'm an insurance company or an underwriter by any stretch, but I probably wouldn't insure you either. So it's great to see that actually. I think that's really positive, I think, for the industry as a whole. Yeah, and I think, as you say, it's putting your own effort in, making sure that you're getting to a certain point.

I mean, I've seen organisations that I've been speaking to around this thinking, well, do we target our team to say that we need the scores to be over 80% and that's a performance target to keep those scores at a certain level. So yeah, it's a good metric to have at our disposal, how we use it. We just need to make sure that we're using it appropriately. I had one client who said they wanted to set a target to make it 100%.

I don't think I've ever seen a secure score or a compliance score of 100%. I don't even know whether it's actually possible to get to that point because it is constantly evolving. But it is a good measure to start with and to start those conversations with. Oh, I've seen people hit 100% and I'm going to be honest with you, they basically exempted themselves from a whole bunch of stuff. And I just don't agree with that at all.

And as you say, you may be 100% today, but tomorrow that might change as we onboard some new checks. Again, discussions that I've had with customers, I had one just recently where they wanted to exempt something. And I'm like, no, in fact, it was multi-factor authentication. I'm like, no, there's a reason why subscription owners require multi-factor authentication. There are very strong, good, practical reasons why owners of a subscription should have multi-factor authentication.

I'm not going to exempt it. I think that's completely wrong. So yeah, I'm very leery actually at people wanting just to make a score, just to reach a score by whatever means. And in fact, this conversation I've just had recently was basically, yes, we want to raise our secure score, but we're going to make sure we're raising the secure score with stuff that really matters and making sure that we're actually really doing the right things and certainly not exempting ourselves from certain checks.

Yeah, I'm a little bit leery of just wanting to make a score for the sake of making a score without thinking of the true security ramifications of what they're doing. And frankly, there are diminishing returns as well. But you get to a point where the real security benefit starts to not be as impactful as it were. Certain things are way more impactful than other things. So for example, multi-factor authentication is just massive, right? And it's worth it 10%, whatever it is.

And there are other ones that are not as impactful. And that's also represented in the percentage improvement. But let's focus on the big ones that really make a huge difference, not just from a compliance perspective, but just from an overall doing the right thing perspective. So following on what Michael just mentioned, there's people that have exempted different items such as MFA.

Is there any way to keep track of this and follow up on these items to make sure that in the future as the environment evolves, the customer can continue looking at the particular items that they have exempted or even new updates? So yes, they can see when the assessments are updated. That's basically saying that the checks or the recommendations have changed. And so when they see those changes come through, they can have a look at all of them.

So it can show, you know, you can use the filters to show everything or just to show the things that you haven't exempted. So you can still see the ones that you've chosen to exempt. You can still see any updates to those. So you can be flagged when things have changed and therefore when you have to revisit it as well. That's one final thought on that. And that is if you're exempting something, you better have a really good reason for exempting it.

Because remember, an auditor is going to look at this and there better be a really good reason for exempting yourself from satisfying some requirement. The most common reason for exempting I found is because they have something that is not detected by our tooling. That's quite common and that's fine. But exempting something just because you don't think it's a good idea is probably not the right answer. Anyway, that's just my sort of final thoughts on that.

And talking of final thoughts, our one thing we ask our guests on every episode is, if you had one final thought to leave our listeners with, what would it be? My final thought on this would be, think carefully about what you want to achieve in terms of the compliance and the standards you want to achieve. And then plan and work with your auditors to actually work through this process so that you can achieve that certification.

Because that's in the end, the main aim is to be able to demonstrate that you are actually adhering to a standard so that you get the credibility for it. So plan with your auditor in terms of what you want to achieve. Hey Al, thank you so much for joining us this week. Great having you on, especially covering a topic that's actually near and dear to my heart, which is not just security but also the compliance implications of these various security standards.

I know every customer that I've ever worked with in Azure, Microsoft 365, they all struggle with meeting compliance requirements. So it's great that we have fantastic tooling to help them achieve those goals. And as you mentioned, you need to sort of work with your auditors to make sure that we're all in agreement on what kind of artifacts and evidence you're going to provide.

And what parts of the Microsoft 365 tooling will provide appropriate evidence to help satisfy the audit requirements. So again, thank you so much for joining. I really appreciate it. And to all our listeners out there, again, thank you so much for listening. I hope you enjoyed this one. Stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website. azsecuritypodcast.net.

If you have any questions, please find us on Twitter at azuresecpod. Background music is from ccmixter.com and licensed under the Creative Commons license.