Azure Security and Compliance
SHI has developed a multi-cloud governance framework to help organizations achieve governance at scale and accelerate cloud usage in a controlled, secure, compliant, and consistent way. The SHI Cloud Governance Framework is built upon a set of industry best practices, standards, frameworks, and benchmarks.
The SHI Cloud Governance Framework can be applied regardless of your cloud maturity, whether you are new to the cloud or an existing cloud customer.
Phase 1 of the SHI Cloud Governance Framework helps to establish visibility and awareness of security and compliance issues within the cloud environment to strengthen your overall security posture.
The purpose of this document is to provide a configuration guide for enabling key Azure Services and integrating those services with SHI One.
The implementation of the services covered in this guide will strengthen your Azure security posture and establish a set of foundational best practices as further defined in the SHI Cloud Governance Framework.
The integration of these services into SHI One provides a simplified and unified view of this information and ensures that the SHI Cloud Governance Framework Success Program can act as your concierge to help guide you towards a stronger cloud security posture.
The following prerequisites must be met in order to utilize the SHI One Azure Security & Compliance Integration:
- An active subscription in Microsoft Azure
- Enabling Azure Defender requires a user assigned the Subscription Owner, Subscription Contributor, or Security Admin role
Note that Azure GovCloud is not supported in SHI One.
Note that Azure Web Direct subscriptions (a.k.a. Microsoft Online Subscription Program [MOSP]) are not fully supported in SHI One.
- Web Direct subscriptions in SHI One will not display cost reporting or consumption data
- Web Direct subscriptions in SHI One will display data for Recommendations and/or Security & Compliance if you have set up those integrations
This is due to configuration parameters on Microsoft's end which prevent full access to Web Direct subscription data. Azure subscription types can sometimes be changed; reach out to your Microsoft or Azure account team and ask whether your Web Direct subscription can be converted to a different subscription type.
To achieve the goal of strengthening the security posture of your environment, SHI recommends the following three-step process, which is detailed later in this document:
- Enable Azure Security Center
- Enable Azure Defender (for the appropriate Azure resources)
- Configure SHI One Integration
Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on-premises.
Azure Security Center (without Azure Defender) is enabled automatically on all active Azure subscriptions the first time you visit the Azure Security Center dashboard.
Click the following link to visit your Azure Security Center:
Security Center is available for free to all Azure users. The free experience includes Cloud Security Posture Management (CSPM) features such as secure score, detection of security misconfigurations in your Azure machines, asset inventory, and more.
Azure Defender is Azure Security Center’s integrated cloud workload protection platform (CWPP). Azure Defender delivers advanced, intelligent protection of your Azure and hybrid resources and workloads. Enabling Azure Defender can bring a whole host of additional security features to Azure resources. When you enable Azure Defender, you gain access to several built-in policies. In addition, you can add your own custom policies and initiatives. You can add regulatory standards such as NIST and Azure CIS, as well as the Azure Security Benchmark for a truly customized view of your compliance.
Click the following link for a step-by-step guide:
Azure Defender provides individual pricing plans per resource type; as such, each plan can be individually set to on or off.
- Best Practice: Enable Azure Defender for every Azure Resource used in your Azure Subscription
- Azure Security Center (free) vs. Azure Defender (enabled): https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing
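The following PowerShell script is an added example, not part of the SHI guide or SHI One: it audits which Azure Defender plans on a subscription are still on the Free tier and, when run with -Enable, switches each of them to Standard one plan at a time, which is the per-resource-type model described above. It assumes the Az.Accounts and Az.Security modules are installed, that the signed-in account holds one of the roles listed in the prerequisites, and that the placeholder subscription ID is replaced with your own.

```powershell
# Added example (not part of the SHI guide): audit Azure Defender pricing plans
# on one subscription and optionally move every Free-tier plan to Standard.
# Requires Az.Accounts and Az.Security, and an account assigned Subscription
# Owner, Subscription Contributor or Security Admin on the subscription.
param(
    [string]$SubscriptionId = "<your-subscription-id>",  # placeholder, replace before running
    [switch]$Enable                                       # omit for a read-only audit
)

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null

# One entry per resource-type plan (VirtualMachines, SqlServers, StorageAccounts, ...).
$plans = Get-AzSecurityPricing

# Print the current state of every plan so the audit result is visible at a glance.
$plans | Select-Object Name, PricingTier | Format-Table -AutoSize

$freePlans = @($plans | Where-Object { $_.PricingTier -eq "Free" })
if ($freePlans.Count -eq 0) {
    Write-Host "All Azure Defender plans are already on the Standard tier."
    return
}

Write-Host ("{0} plan(s) still on the Free tier: {1}" -f $freePlans.Count, ($freePlans.Name -join ", "))

if ($Enable) {
    foreach ($plan in $freePlans) {
        # Each plan is switched on independently, matching the per-resource-type pricing model.
        Set-AzSecurityPricing -Name $plan.Name -PricingTier "Standard" | Out-Null
        Write-Host "Enabled Azure Defender for $($plan.Name)"
    }
}
```

Run the script once without -Enable to see which resource types are unprotected, then rerun with -Enable after confirming the list against the best practice above; enabling a plan starts billing for that resource type, so the audit step is worth keeping separate from the change.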
Once SHI One Azure Security & Compliance is enabled, aggregated findings from Azure Security Center will be visible from within SHI One. The SHI Cloud Governance Framework Customer Success program will guide you through the findings, help you identify priority items, and assist with recommending remediation strategies to strengthen your security posture.
The following section describes the necessary configuration to integrate your Azure Security Center into SHI One and details the permissions necessary to ensure proper functionality of the Security and Compliance Integration.
To utilize the Security and Compliance Integration to its fullest capabilities, an Azure Marketplace Managed Service Offer must be deployed to every Azure subscription participating in the SHI Cloud Governance Framework Integration with SHI One.
For customers with multiple subscriptions, the following process can be performed on your primary management Azure subscription.
- The individual performing the steps below must be an Admin in SHI One
- The individual performing the following steps must be an Owner of the subscription being delegated
- If you are a Global Admin in Azure, you can add yourself as an Owner to be able to complete the following steps
- The Microsoft.ManagedServices Resource Provider must be registered on each subscription before that subscription is onboarded
- The Azure Marketplace Application is only added once per tenant
The Microsoft.ManagedServices Resource Provider must be registered for the subscription(s) being onboarded.
- Log in to the Azure portal with an account that has the Owner role assigned to the subscription
- Navigate to the subscriptions blade and select the subscription being onboarded:
- Click Resource providers
- Type Microsoft.ManagedServices
- Ensure the Microsoft.ManagedServices Resource Provider is registered; if not, register the Resource Provider
- Please note this may take 10-15 minutes
- Make sure every subscription has the Microsoft.ManagedServices Resource Provider registered
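The following PowerShell script is an added example, not part of the SHI guide: it performs the registration check above across every enabled subscription the signed-in account can see, registers Microsoft.ManagedServices where it is missing, and polls until the registration completes or the 10-15 minute window noted above has passed. It assumes the Az.Accounts and Az.Resources modules are installed and that the account holds the Owner role on each subscription.

```powershell
# Added example (not part of the SHI guide): register the Microsoft.ManagedServices
# Resource Provider on every enabled subscription and wait for it to complete.
# Requires Az.Accounts and Az.Resources, and Owner on each subscription.
$ProviderNamespace = "Microsoft.ManagedServices"
$TimeoutMinutes    = 15   # the guide notes registration may take 10-15 minutes

Connect-AzAccount | Out-Null

foreach ($sub in Get-AzSubscription | Where-Object { $_.State -eq "Enabled" }) {
    Set-AzContext -Subscription $sub.Id | Out-Null

    # Get-AzResourceProvider returns one row per resource type in the namespace;
    # every row carries the namespace's RegistrationState, so the first row is enough.
    $state = (Get-AzResourceProvider -ProviderNamespace $ProviderNamespace)[0].RegistrationState
    Write-Host ("{0} ({1}): {2}" -f $sub.Name, $sub.Id, $state)

    if ($state -eq "Registered") { continue }

    Register-AzResourceProvider -ProviderNamespace $ProviderNamespace | Out-Null

    # Registration is asynchronous; poll until it finishes or the timeout passes.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $state = (Get-AzResourceProvider -ProviderNamespace $ProviderNamespace)[0].RegistrationState
    } until ($state -eq "Registered" -or (Get-Date) -gt $deadline)

    if ($state -ne "Registered") {
        Write-Warning "$($sub.Name): still '$state' after $TimeoutMinutes minutes; re-check before onboarding this subscription."
    } else {
        Write-Host "$($sub.Name): Registered"
    }
}
```

The first line printed for each subscription is the audit result; only subscriptions that are not already Registered are changed, so the script can be rerun safely before each onboarding round.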
- Log in to the Azure portal with an account that has the Owner role assigned to the subscription
- Note: This link takes you directly to SHI’s Cloud Governance Framework offer for Azure; you can also find this offer via the Azure Marketplace or by adding an offer manually to the “Service Providers” area within your Azure Portal
- Select the primary Azure subscription for deployment
- Select the region to run the deployment
- The deployment must be run in one region but it is a global association to the subscription; we recommend using your most common region
- Click Review + create
- Check the confirmation box
- IMPORTANT - If your Create button is not highlighted: There is a bug on this page with some browsers. If the Create button does not highlight after the box is checked, click the Previous button then click Next: Review + create. All previously entered information should be retained and the Create button should now be highlighted.
- Click Create
- You will be redirected to an Azure deployment status page; after the deployment is completed, you will see a link to complete the final step of the configuration
- Click Give your partner access to your subscriptions or resource groups
- For the Service Provider, select SHI
- For the Name, select SHI Cloud Governance Framework (Standard)
- Click Delegate Subscriptions
- Select all applicable subscriptions and click Delegate resources
- Check the confirmation box
- Click Delegate
- You will receive a confirmation message in your Azure Notifications when the deployment is complete
- If there are any errors, please follow up with the SHI resource that provided this documentation
Note that it takes Azure up to 48 hours to grant SHI One access.
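The following PowerShell script is an added example, not part of the SHI guide: once the delegation above has completed, it lists the Microsoft.ManagedServices registration assignments (the Azure Lighthouse delegations shown under Service providers in the portal) on each subscription, checks that the offer name matches the one selected above, and resolves every granted role definition to its name so you can confirm exactly what access the service provider tenant has received. It is read-only and assumes the Az.Accounts, Az.Resources and Az.ManagedServices (3.x) modules; the partner tenant ID filter is a placeholder and may be left empty.

```powershell
# Added example (not part of the SHI guide): review Azure Lighthouse delegations
# on every enabled subscription. Read-only; Reader on each subscription suffices.
# Requires Az.Accounts, Az.Resources and Az.ManagedServices (3.x).
$ExpectedOfferName     = "SHI Cloud Governance Framework (Standard)"  # name chosen in the guide
$ExpectedPartnerTenant = ""   # placeholder: the provider's tenant ID if known, "" to skip the check

Connect-AzAccount | Out-Null

foreach ($sub in Get-AzSubscription | Where-Object { $_.State -eq "Enabled" }) {
    $scope = "/subscriptions/$($sub.Id)"
    $assignments = @(Get-AzManagedServicesAssignment -Scope $scope -ExpandRegistrationDefinition)

    if ($assignments.Count -eq 0) {
        Write-Warning "$($sub.Name): no delegation found; this subscription has not been onboarded."
        continue
    }

    foreach ($assignment in $assignments) {
        $def = $assignment.RegistrationDefinition
        Write-Host ("{0}: '{1}' managed by tenant {2}" -f $sub.Name, $def.RegistrationDefinitionName, $def.ManagedByTenantId)

        if ($def.RegistrationDefinitionName -ne $ExpectedOfferName) {
            Write-Warning "  offer name differs from '$ExpectedOfferName'; confirm this delegation is intended"
        }
        if ($ExpectedPartnerTenant -and $def.ManagedByTenantId -ne $ExpectedPartnerTenant) {
            Write-Warning "  managed-by tenant differs from the expected partner tenant"
        }

        # Each authorization is a principal in the provider's tenant plus a built-in
        # role definition GUID; resolve the GUID so the granted access is readable.
        foreach ($auth in $def.Authorization) {
            $roleName = (Get-AzRoleDefinition -Id $auth.RoleDefinitionId).Name
            Write-Host ("  {0} -> {1}" -f $auth.PrincipalIdDisplayName, $roleName)
        }
    }
}
```

A subscription that prints a warning here is the one to revisit before opening the SHI One mapping request; the role list is also the record to keep for access reviews, since the delegation grants those roles to principals outside your tenant.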
When updating the application, you may receive an error message such as the following:
If that is the case, remove the existing delegations first before installing the application.
- Log in to the Azure portal with an account that has the Owner role assigned to the subscription
- Navigate to Service providers blade by searching for “Service provider"
- Select Service provider offers from the left navigation
- Select the item SHI Vigilant Cloud (Standard)
- Click Delete
- In SHI One, navigate to Support Center -> New Request -> Service Request
- For Contract, select Azure
- For Issue Type, select Azure - Account Management
- For Issue Sub-Type, select Add-Manage Account/Subscription
- In the subject box, write "Azure Tenant ID/Subscription Mapping Request"
- In the description box, include every Azure Tenant ID/Subscription
- Click Submit
- The Support Team will inform you when the mapping process is complete; you can check the status of your ticket at Support Center -> Requests
- Once the Support Team has confirmed that the mapping process is complete, navigate to Settings -> Integrations
- Verify that the slider on the right of each Azure Integration box is orange/activated
- Click on every Azure Integration box to verify that every subscription's slider is orange/activated
Note that it takes Azure up to 48 hours to start sending data to SHI One.
The hourglass icon appears when Azure has not yet sent data to SHI One. It can take up to 48 hours after activating a subscription for Azure to start sending data to SHI One.
If it has been more than 48 hours since activating a subscription and the hourglass icon is still there, you can submit a support request for SHI to manually request data from Azure on your behalf. Perform the following steps:
- In SHI One, navigate to Support Center -> New Request -> Service Request
- For Contract, select Azure
- For Cloud Account, select the affected subscription
- For Issue Type, select Azure - Account Management
- For Issue Sub-Type, select Subscription Management
- In the subject box, write "Azure Subscription Manual Sync Request"
- In the description box, include the name and ID of every Azure subscription that has an hourglass icon next to it and include screenshots if possible
- Click Submit
The Support Team will inform you when the manual sync has been performed; you can check the status of your support request at Support Center -> Requests.
The red exclamation mark appears when there is an error with a subscription. Subscriptions in error are displayed with a message below explaining the nature of the error.
Because there are many possible causes, it is not practical to list every way of rectifying an error. Often the fastest method is to deactivate the affected subscription(s) and then perform this document's delegation process again. If that does not solve the problem, submit a support request in SHI One; make sure to include the name and ID of every subscription in error and include screenshots if possible.