
2024

EY PVT LTD

SWAPNALI GAIKWAD
INDEX

SR NO.   TABLE OF CONTENT

1.   Introduction
2.   Challenges
2.1  Data storage access misconfiguration
2.2  Lack of security monitoring
2.3  Failing to encrypt data at rest
3.   Solution
3.1  Cloud compliance and governance
3.2  Azure governance services
3.3  Regulatory compliance dashboard
3.4  Azure Security Center
4.   Implementation
4.1  Azure Compliance Manager
4.2  Azure service delivery manager
4.3  Perform regular tests for security systems
4.4  Use and update antivirus software with firewall
4.5  Use appropriate encryption procedures
5.   Conclusion
6.   Appendix

1. INTRODUCTION
• EY Solutions is a leading cloud consultancy that delivers a comprehensive
cloud platform to achieve business growth and agility with greater
consistency and proficiency. In 2004, EY Solutions was set up in India to
provide services for modernizing data centres by implementing a hybrid
cloud that propels enterprises on their IT-as-a-Service journey, enabling
global enterprises to become more agile and innovative.

• AWT Pvt Ltd is among the most prominent manufacturing companies
in India. They are a rapidly expanding Indian pharmaceutical firm that
develops, manufactures, and markets a wide range of biopharmaceutical
medicines worldwide. This firm has long been a pioneer in the
pharmaceutical industry. AWT Pvt Ltd is the major client of EY.

2. CHALLENGES
• AWT Private Ltd. (client) runs a wide variety of services, such as
cloud storage, compute services, network services, databases and web
applications, which makes it difficult to manage security for the IT
environment. Security Center is needed to provide recommendations and send
threat alerts for these workloads quickly and accurately, so the client shifted
to Azure governance and compliance as a remedy for the organization's security
status.

2.1 Data Storage Access Misconfiguration


The costs of managing storage are rising, and the penalties for managing it
improperly are more costly than ever. A lack of proper management can result
in operational downtime, lost revenue and regulatory fines.
Several factors point to the need for data and storage management tools.
Investing in the right tools can help organizations avoid the pitfalls associated
with the mismanagement of the storage environment.

2.2 Lack of Security Monitoring

Lack of information security can have consequences in the form of the
business not being able to be conducted in an appropriate and efficient manner,
lack of protection of personal integrity, and disruptions in socially important
activities. Deficiencies in information systems can also affect physical assets.

2.3 Failing To Encrypt Data At Rest

Data encryption helps prevent unauthorized users from reading data on a cluster
and associated data storage systems. This includes data saved to persistent
media, known as data at rest, and data that may be intercepted as it travels the
network, known as data in transit.

3. SOLUTION
• EY Private Ltd. (cloud service provider) is responsible for managing the
Azure compliance dashboard for AWT. Compliance is not just about following
rules; it is about safeguarding their operations, reputation, and customer trust.
Data protection and privacy: effective cloud compliance measures are
essential for protecting sensitive data from unauthorized access and
breaches.

3.1 CLOUD COMPLIANCE AND GOVERNANCE

1. Cloud governance: is the process of defining, implementing, and
monitoring a framework of policies that guides an organization's cloud
operations. This process regulates how users work in cloud environments to
facilitate consistent performance of cloud services and systems.
2. A dashboard and monitoring tool: summarizes data protection,
compliance score, and recommendations. It allows you to assign, track, and
record compliance and assessment-related activities. Recommendations for
industry regulations: GDPR, ISO, and NIST.
3. Governance, Risk, and Compliance (GRC): is a structured way to align
IT with business goals while managing risks and meeting all industry and
government regulations. It includes tools and processes to unify an
organization's governance and risk management with its technological
innovation and adoption.
4. The Azure compliance documentation: provides detailed
documentation about legal and regulatory standards and compliance on
Azure.

3.2 Azure Governance Services
The three essential services for effective governance are Azure Policy, Defender
for Cloud, and Azure Cost Management. They enable organizations to manage
security, compliance, and cost in Azure environments.
1. Azure Policy: Azure Policy helps to enforce organizational standards and
to assess compliance at scale. Through its compliance dashboard, it
provides an aggregated view to evaluate the overall state of the
environment, with the ability to drill down to per-resource, per-policy
granularity. It also helps to bring your resources to compliance through
bulk remediation for existing resources and automatic remediation for new
resources.

2. Defender for Cloud: Microsoft Defender for Cloud is a cloud-native
application protection platform (CNAPP) that is made up of security
measures and practices designed to protect cloud-based
applications from various cyber threats and vulnerabilities. When
you enable Defender for Cloud, you automatically gain access to
Microsoft 365 Defender.

The Microsoft 365 Defender portal helps security teams investigate
attacks across cloud resources, devices, and identities.

• Secure Cloud Applications: Defender for Cloud helps you to
incorporate good security practices early during the software
development process, or DevSecOps. You can protect your code
management environments and your code pipelines, and get insights
into your development environment security posture from a single
location. Defender for Cloud empowers security teams to manage
DevOps security across multiple pipelines.
• Improving Cloud Security Posture: The security of your cloud and on-
premises resources depends on proper configuration and deployment.
Defender for Cloud recommendations identify the steps that you can
take to secure your environment.
• Protect Cloud Workloads: Proactive security principles require that
you implement security practices that protect your workloads from threats.
Cloud workload protections (CWP) surface workload-specific
recommendations that lead you to the right security controls to protect
your workloads.

3. Azure cost management
Azure Cost Management lets you analyze past cloud usage and expenses,
and predict future expenses. You can view costs in a daily, monthly, or
annual trend, to identify trends and anomalies, and find opportunities for
optimization and savings.
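To make the per-resource, per-policy view described for Azure Policy concrete, here is an added Python example that is not the case study's or Microsoft's code. It evaluates one rule written in Azure Policy's own allOf/anyOf/field shape, covering the storage settings behind the access misconfiguration of section 2.1, against constructed storage-account records, and aggregates the result into the kind of compliance percentage the dashboard shows; the field aliases are real Azure Policy aliases, while the resource names and values are constructed.

```python
# Added example (not the case study's or Microsoft's code): evaluates an
# Azure-Policy-style rule against constructed storage-account records.
# The three field aliases exist in Azure Policy; the resource data is constructed.
from typing import Any

SA = "Microsoft.Storage/storageAccounts"
HTTPS, TLS, PUBLIC = SA + "/supportsHttpsTrafficOnly", SA + "/minimumTlsVersion", SA + "/allowBlobPublicAccess"

# Constructed resources, flattened to alias names (a real evaluation reads them from ARM).
STORAGE_ACCOUNTS = [
    {"name": "awtprodsa01", "type": SA, HTTPS: True, TLS: "TLS1_2", PUBLIC: False},
    {"name": "awtlegacysa02", "type": SA, HTTPS: False, TLS: "TLS1_0", PUBLIC: False},  # HTTP, old TLS
    {"name": "awtpublicsa03", "type": SA, HTTPS: True, TLS: "TLS1_2", PUBLIC: True},    # anonymous reads
    {"name": "awt-vnet", "type": "Microsoft.Network/virtualNetworks"},                  # out of scope
]

# Rule in Azure Policy's own if/then shape: the "if" matches NON-compliant resources.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": SA},
        {"anyOf": [
            {"field": HTTPS, "notEquals": True},
            {"field": TLS, "notEquals": "TLS1_2"},
            {"field": PUBLIC, "notEquals": False},
        ]},
    ]},
    "then": {"effect": "audit"},
}


def matches(cond: dict[str, Any], res: dict[str, Any]) -> bool:
    """Recursively evaluate an allOf/anyOf/field condition against one resource."""
    if "allOf" in cond:
        return all(matches(c, res) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, res) for c in cond["anyOf"])
    value = res.get(cond["field"])  # unset property -> None, so a notEquals check fires
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule: dict[str, Any], resources: list[dict[str, Any]], scope_type: str) -> dict[str, str]:
    """Per-resource state, as the compliance dashboard's drill-down shows it."""
    states = {}
    for res in resources:
        if res.get("type") != scope_type:
            states[res["name"]] = "NotApplicable"
        else:
            states[res["name"]] = "NonCompliant" if matches(rule["if"], res) else "Compliant"
    return states


def compliance_percent(states: dict[str, str]) -> float:
    """Aggregate score: compliant / (compliant + non-compliant), ignoring N/A resources."""
    scored = [s for s in states.values() if s != "NotApplicable"]
    return round(100 * scored.count("Compliant") / len(scored), 1) if scored else 100.0


if __name__ == "__main__":
    result = evaluate(POLICY_RULE, STORAGE_ACCOUNTS, SA)
    print(result, f"{compliance_percent(result)}% compliant")
```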

3.3 Regulatory Compliance Dashboard with Azure Security

Meeting regulatory compliance obligations and complying with all the
requirements of benchmark standards can be a significant challenge in a cloud
or hybrid environment. Identifying which assessments to perform, evaluating
the status, and resolving the gaps can be a very daunting task.
The regulatory compliance dashboard provides insight into your compliance
posture for a set of supported standards and regulations, based on continuous
assessments of your Azure environment.

3.4 Azure Security Center

• The assessments performed by Azure Security Center analyze risk factors
in your hybrid cloud environment in accordance with security best
practices. These assessments are mapped to selective compliance controls
from a supported set of standards. In the regulatory compliance
dashboard, you get a single view of the status of all assessments within
your environment, in the context of a particular standard or regulation.

• In the Azure Security Center regulatory compliance blade, you can get an
overview of key portions of your compliance posture with respect to a set
of supported standards. Currently supported standards are Azure
CIS, PCI DSS 3.2, ISO 27001, and SOC TSP.

• The information provided by the regulatory compliance dashboard can be
very useful for providing evidence to internal and external auditors as to
your compliance status with the supported standards.

• The data from the ASC compliance dashboard will soon be integrated
into Compliance Manager, delivering the benefit of automated
assessments from Azure directly into the Compliance Manager
experience instead of requiring manual processes.

4. IMPLEMENTATION
1. Assess regulatory compliance:

In the regulatory compliance dashboard, you manage and interact with
compliance standards. You can see which compliance standards are assigned,
and turn standards on and off for Azure. The regulatory compliance dashboard
shows which compliance standards are enabled, the controls within
each standard, and the security assessments for those controls. The status of these
assessments reflects your compliance with the standard; the dashboard helps you
to focus on gaps in standards, and to monitor compliance over time.

2. Update and patch compliance dashboard:

Azure Update Manager is a service that helps manage updates for all your
machines, including those running Windows and Linux, across Azure, on
premises, and on other cloud platforms. It monitors update compliance from a
single dashboard. Make updates in real time, schedule updates within a
maintenance window, or automatically update during off-peak hours.

3. Cost compliance dashboard:

Harness provides preloaded By Harness (pre-defined) and Custom (user-
defined) dashboards to visualize cloud cost data across clusters and cloud
accounts. Using the Azure Cost Dashboard you can:

• Discover new analytical insights into your Azure cloud costs
• Track various cloud cost indicators across different zones and time ranges
• Explore the cloud cost data in a logical and structured manner
• View your cloud costs at a glance, understand what is costing the most,
and analyze cost trends.

4. Azure Policy Regulatory Compliance controls for Azure Backup

Regulatory Compliance in Azure Policy provides Microsoft-created and
-managed initiative definitions, known as built-ins, for the compliance
domains and security controls related to different compliance standards.

• Azure CMMC Level 3 Certifications:

CMMC 2.0 Level 3, also called Expert, focuses on the effectiveness of
cybersecurity controls and practices around protecting CUI from advanced
persistent threats (APTs). It replaces the previous CMMC 1.0 Level 5 and
brings with it a number of significant changes.
• FedRAMP High regulatory compliance:
Regulatory compliance in Azure Policy provides built-in initiative definitions to
view a list of controls and compliance domains based on responsibility:
customer, Microsoft, or shared. For Microsoft-responsible controls, Microsoft provides
extra audit result details based on third-party attestations and its control
implementation details to achieve that compliance. Each FedRAMP control is
associated with one or more Azure Policy definitions. These policies may help
you assess compliance with the control; however, compliance in Azure Policy is
only a partial view of your overall compliance status. Azure Policy helps to
enforce organizational standards and assess compliance at scale. Through its
compliance dashboard, it provides an aggregated view to evaluate the overall
state of the environment, with the ability to drill down to more granular status.

• Azure services in audit scope:

Azure compliance certificates and audit reports state clearly which cloud
services are in scope for independent third-party audits. Different audits may
have different online services in audit scope.

• Azure HIPAA HITRUST 9.2:

HIPAA HITRUST 9.2 provides a combined set of predefined compliance
and security best-practice checks for the Health Insurance Portability and
Accountability Act. Generate an Administrator and Operator Logs report,
an Audit Logging report, and a Back-Up report.

• Azure Security Benchmark:

Asset Management covers controls to ensure security visibility and governance
over Azure resources, including recommendations on permissions for security
personnel, security access to asset inventory, and managing approvals for
services and resources (inventory, track, and correct). Logging and Threat
Detection (LT) is another control domain of the benchmark.

5. Azure Conditional Alerts:

Conditional alerts let you trigger notifications when specific conditions are
met or exceeded. Notifications can be sent to specific recipients at a desired
frequency. The alert conditions use the dashboard filters that exist when the
alert is created.

• Alerts are set on dashboard tiles.
• Dashboards check whether each alert's conditions have been met or
exceeded based on the alert's frequency, and then notify users of this
change.
• To create alerts, your dashboard must be out of edit mode.

4.1 Azure Compliance Manager:

A manager dashboard and monitoring tool that summarizes data protection,
compliance score, and recommendations. It allows you to assign, track, and
record compliance and assessment-related activities. You can upload and
manage artifacts or evidence in a secure repository.

Azure Compliance Manager Cheat Sheet:

• A dashboard and monitoring tool that summarizes data protection,
compliance score, and recommendations.
• It allows you to assign, track, and record compliance and assessment-
related activities.
• Recommendations for industry regulations: GDPR, ISO, and NIST.
• You can upload and manage artifacts or evidence in a secure repository.

4.2 Role of Service Delivery Manager in Azure security posture:

• A cornerstone of this service is the service delivery manager (SDM), who
serves as a trusted advisor throughout the customer's journey.
• The SDM guides customers through the onboarding process, which involves
assessing the customer's digital estate, tuning the Microsoft Defender suite,
and customizing policies to get the customer's posture ready for operations.
• After onboarding, operations commence and the SDM closely monitors the
customer's security status, alerts, incidents, and new threats, and shares relevant
insights and suggestions to further improve their security posture.
The SDM communicates with their customers regularly through emails, calls,
and meetings to review the service, security posture, and threat landscape.
When crises happen, the SDM is the first line of support, orchestrating actions
and providing advice.

4.3 Perform regular tests for security systems

• Vulnerabilities are constantly being discovered by malicious individuals and
researchers. In the current threat environment, it is always prudent to assume
that no machine is invulnerable to attack, and therefore a regular testing and
scanning strategy must be implemented to ensure security.
• It is therefore advisable to make sure that the following practices are
implemented in your security strategy:
• Make sure that all external IPs and domains are regularly scanned. For
example, the PCI DSS standard requires that all external IPs and domains
exposed in the CDE be scanned at least quarterly by a PCI Approved
Scanning Vendor (ASV).
• Make sure that all external IPs and domains are subjected to extensive,
regular application and network penetration tests.
• Have a robust file monitoring strategy. Make sure your system carries out
regular file comparisons to detect changes that would otherwise go
unnoticed.

4.4 Use and regularly update antivirus software with a strong firewall

• This is a top compliance checklist item for most Azure compliance standards.
This checklist requirement focuses on system protection against all types
of malware.
• To make sure that you are in compliance, make sure that all systems are
equipped with an antivirus solution. This includes workstations, laptops, and
mobile devices that employees may use to access the system both locally and
remotely. To make sure that the antivirus program is effective, you also need
to ensure that the antivirus or anti-malware programs are regularly updated.
• Make sure that your antivirus mechanisms are always active, generating
auditable logs, and using the latest signatures. When it comes to having a
robust firewall policy, it is always recommended to close
administrative ports. Access to SSH, RDP, WinRM, and other administrative
ports should be restricted unless absolutely necessary. This is vital to
protecting your virtual machines.
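As an added example that is not the case study's or Microsoft's code, the following Python checks a constructed set of NSG inbound rules for the administrative ports named above (SSH, RDP and WinRM) being reachable from any source. It honours NSG priority ordering, so an early Deny masks a later Allow for the same port; the rule names and address prefixes are constructed.

```python
# Added example (not the case study's or Microsoft's code): flags administrative
# ports reachable from any source in a constructed set of NSG inbound rules.
# Rule records mimic NSG securityRules properties; all values are constructed.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

# NSGs evaluate rules by ascending priority and the first match wins; a flow that
# matches nothing falls through to the platform's default DenyAllInBound rule.
NSG_RULES = [
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-rdp-bastion", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "3389"},
    {"name": "allow-mgmt-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "5985-5986"},
    {"name": "allow-web", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-ssh-any", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"},
]


def port_in_range(port: int, port_range: str) -> bool:
    """Match a port against a destinationPortRange value: '22', '5985-5986' or '*'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return int(port_range) == port


def exposed_admin_ports(rules: list[dict]) -> dict[int, str]:
    """Return {port: deciding rule name} for admin ports that any-source traffic can reach.

    Only rules whose source covers the whole Internet decide reachability from it;
    scoped sources (a bastion subnet, say) are skipped. Because the first matching
    rule wins, a low-priority Deny correctly masks a later Allow for the same port.
    """
    exposed = {}
    for port in ADMIN_PORTS:
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if rule["direction"] != "Inbound" or rule["protocol"] not in ("Tcp", "*"):
                continue
            if rule["sourceAddressPrefix"] not in ANY_SOURCE:
                continue
            if not port_in_range(port, rule["destinationPortRange"]):
                continue
            if rule["access"] == "Allow":
                exposed[port] = rule["name"]
            break  # first any-source match decides this port, whether Allow or Deny
    return exposed


def report(rules: list[dict]) -> list[str]:
    """One finding per exposed port, suitable for a posture review."""
    return [f"{ADMIN_PORTS[p]} ({p}) open to any source via rule '{name}'"
            for p, name in sorted(exposed_admin_ports(rules).items())]
```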

4.5 Use appropriate encryption procedures

In Azure, encryption is critical for every business today because it allows them
to protect sensitive data by converting it to ciphertext, which is unreadable
without an encryption key. This is known as "encoding." Because only those
with an encryption key can decipher the data and reveal the true information,
encryption makes it nearly impossible for other parties to steal and misuse the
data. So, to make sure that this compliance checklist item is checked off, you need to
make sure that you:
• Apply only the latest modern encryption protocols to safeguard your data.
• Use TLS rather than SSL, as SSL contains several exploitable weaknesses.
• Make sure your endpoints are encrypted as well. Yes, encrypt even data
that is already stored securely. This renders it useless to attackers in the
event that the data is stolen.

5. CONCLUSION
• The cloud service provider EY Ltd collaborated with the Azure regulatory
compliance dashboard, which provides insight into AWT Ltd's (the client's) compliance
posture for a set of supported standards and regulations, based on continuous
assessments of the Azure environment.
• The assessments performed by Azure Security Center analyze risk factors in
your hybrid cloud environment in accordance with security best practices.
These assessments are mapped to selective compliance controls from a
supported set of standards.
• In the regulatory compliance dashboard, you get a single view of the status
of all assessments within your environment, in the context of a particular
standard.
• Thus Microsoft Defender and Security Center are the core of the solution. In
the realm of cybersecurity, the terrain of threats is in a constant state of
evolution, demanding unwavering dedication from professionals to shield
their organizations.
• However, the complexity of staying updated, adopting a zero-trust approach,
and proactively identifying emerging threats often surpasses the capabilities
of even the most skilled security teams.
• This is where managed extended detection and response (MXDR) services
come into play, with Microsoft Defender Experts for XDR taking charge
to help customers augment their SOC with human expertise and AI-
powered threat intelligence.

6. APPENDIX

The following resources were used in this case study: Azure Policy,
compliance dashboards, operations management and cost governance.
https://azure.microsoft.com/en-us/products/azure-policy
https://azureis.fun/posts/Azure-Dashboards-for-Azure-Governance
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-security-governance-and-compliance
https://www.datadoghq.com/blog/new-azure-dashboards
