You can meet the Cybersecurity Maturity Model Certification (CMMC) requirements using solely on-premises infrastructure. But it can be pretty expensive to set up, operate, and maintain on-premises infrastructure and engage third-party assessors to validate compliance with CMMC controls. On-premises infrastructure also limits your flexibility and scalability.
Does that mean you should adopt a fully cloud-based approach to meet CMMC compliance requirements? Not necessarily. Migrating everything to the cloud would require significant modification and redevelopment work that costs time and money, and a fully cloud-based approach has its own drawbacks, such as less direct control over the underlying infrastructure.
Rather than adopt a fully cloud-based approach, you can leverage Microsoft Azure resources to meet CMMC requirements while keeping your on-premises infrastructure. This guide discusses the Azure resources and features to leverage and how they help you meet CMMC requirements with on-premises infrastructure.
1. Azure Arc
Azure Arc is the starting point: it is the Microsoft offering that extends Azure services and management capabilities to resources outside the Azure cloud. It projects on-premises servers, multi-cloud resources, and edge devices into Azure Resource Manager, giving you one place to manage and govern them with Azure tools and services. This enables consistent deployment, monitoring, policy, and configuration management across a hybrid and multi-cloud environment.
Resources typically hosted outside Azure that you can manage through Azure Arc include physical servers and virtual machines (Windows and Linux), Kubernetes clusters, SQL Server instances, and Azure Arc-enabled data services.
Microsoft offers the following Azure Arc functionalities free of charge:
- Bringing your on-premises and other-cloud resources into Azure Resource Manager
- Organizing or categorizing your resources through management groups and tags
- Update management
- Access and security through Role-based access control (RBAC)
- Environments and automation through templates and extensions
But any services you run on those resources, such as Microsoft Defender for Servers or log ingestion into a Log Analytics workspace, are billed at that service's own rates.
After bringing your resources into Azure, you can leverage Azure’s capabilities to comply with CMMC requirements. Some resources you can use are discussed below.
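The onboarding step described above, as an added example that is not part of the original article: it connects one on-premises Windows server to Azure Arc from the server itself, tags it so later policy and RBAC scoping can target CUI systems, and confirms the agent reports as connected. The resource group, region, tag values, and the assumption that the machine can reach Azure endpoints directly (no proxy) are all mine, not the article's.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the on-premises server you want to onboard.
# Assumptions: resource group 'rg-arc-onprem', region 'eastus', and direct
# outbound HTTPS access to Azure (use -Proxy on Connect-AzConnectedMachine otherwise).
Install-Module -Name Az.ConnectedMachine, Az.Resources -Scope CurrentUser -Force

# Interactive sign-in; for unattended onboarding use a service principal that holds
# the 'Azure Connected Machine Onboarding' role on the resource group and nothing more.
Connect-AzAccount

$rg       = 'rg-arc-onprem'        # assumed resource group that holds the Arc machine objects
$location = 'eastus'               # assumed; choose the region that matches your data boundary
$name     = $env:COMPUTERNAME

# Downloads the Connected Machine agent, installs it, and registers this host as a
# Microsoft.HybridCompute/machines resource in the resource group.
Connect-AzConnectedMachine -ResourceGroupName $rg -Name $name -Location $location

# Tags are how the rest of the hybrid estate gets scoped: policy assignments,
# Defender for Servers exclusions and Sentinel queries can all key off them.
$machine = Get-AzConnectedMachine -ResourceGroupName $rg -Name $name
$tags = @{ environment = 'production'; 'cmmc-scope' = 'cui'; site = 'hq-datacenter' }  # assumed values
Update-AzTag -ResourceId $machine.Id -Tag $tags -Operation Merge | Out-Null

# Do not rely on the machine for policy, Defender or log collection until it is Connected.
$machine = Get-AzConnectedMachine -ResourceGroupName $rg -Name $name
if ($machine.Status -ne 'Connected') {
    throw "Arc agent on $name is in state '$($machine.Status)'. Run 'azcmagent show' and 'azcmagent check' on the server."
}
"{0} is connected to Azure Arc (agent version {1})" -f $machine.Name, $machine.AgentVersion
```

Once the machine shows as Connected, the Azure Policy guest configuration, Defender for Servers, and Azure Monitor agent extensions can be pushed to it from Azure exactly as they would be to an Azure VM.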
2. Defender for Cloud
Microsoft Defender for Cloud is a unified cloud-native application protection platform designed to reduce security risks across multi-cloud and hybrid environments. It unifies the visibility of your security posture across Azure, AWS, Google Cloud, and hybrid clouds and prevents, detects, and responds to security risks.
Defender for Cloud has a clear user interface that emphasizes visibility and clear KPIs, so you can see your security posture at a glance. Plans such as Defender for Servers are enabled per subscription, and Arc-connected machines are covered the same way Azure VMs are.
One of the most significant benefits of using Defender for Cloud is its regulatory compliance feature. The regulatory compliance dashboard continually compares the configuration of your resources against the standards you have enabled, including CMMC (the CMMC standard appears once its Azure Policy initiative is assigned to the subscription), and reports your compliance posture control by control. The workflow automation feature can detect when a regulatory compliance assessment changes state and notify you with a link to the failing resource and guidance on remediating it. You can export a report for the compliance team or follow the link to fix the problem directly. This streamlines the process of producing and maintaining compliance evidence.
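The compliance reporting described above, as an added example that is not the article's own: it enables Defender for Servers on the subscription that holds the Arc-connected machines, then reads the CMMC standard from Defender for Cloud's regulatory compliance API and lists the failed assessments so they can be handed to resource owners. The subscription name is assumed, and the example assumes the CMMC standard has already been added to the subscription's standards in Defender for Cloud.

```powershell
# Added example, not from the original article.
# Assumptions: subscription 'sub-cui-workloads' exists and a CMMC standard (CMMC Level 3
# or CMMC 2.0 Level 2) is already enabled under Regulatory compliance > Manage compliance policies.
Install-Module -Name Az.Security -Scope CurrentUser -Force
Connect-AzAccount
Set-AzContext -Subscription 'sub-cui-workloads' | Out-Null

# Defender for Servers is the 'VirtualMachines' pricing resource; 'Standard' turns the paid
# plan on for every Azure VM and Arc-enabled machine in the subscription.
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' | Out-Null

# Match CMMC by name rather than hard-coding it, because the display name differs between
# the Level 3 and 2.0 Level 2 standards. Property names follow the Az.Security module.
$cmmc = Get-AzRegulatoryComplianceStandard | Where-Object Name -like '*CMMC*'
if (-not $cmmc) {
    throw 'No CMMC standard is enabled on this subscription. Add it under Regulatory compliance > Manage compliance policies.'
}

foreach ($std in $cmmc) {
    "{0}: {1} passed, {2} failed, {3} skipped controls" -f $std.Name, $std.PassedControls, $std.FailedControls, $std.SkippedControls

    # Walk each failed control down to its assessments so the finding carries the
    # Defender recommendation text and the count of non-compliant resources.
    $findings = Get-AzRegulatoryComplianceControl -StandardName $std.Name |
        Where-Object State -eq 'Failed' |
        ForEach-Object {
            $control = $_
            Get-AzRegulatoryComplianceAssessment -StandardName $std.Name -ControlName $control.Name |
                Where-Object State -eq 'Failed' |
                Select-Object @{ n = 'Control';    e = { $control.Name } },
                              @{ n = 'Assessment'; e = { $_.Description } },
                              FailedResources
        }

    # Export for the compliance team; the same rows are what the dashboard shows as red.
    $findings | Export-Csv -Path ".\cmmc-failed-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
    $findings | Format-Table -AutoSize
}
```

Running this on a schedule and diffing the CSV against the previous run gives the same signal as the workflow automation feature, which is useful when you also want the history as audit evidence.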
3. Azure Purview
Azure Purview (now Microsoft Purview) is a unified data governance solution that helps enterprises manage and govern their multi-cloud, on-premises, and SaaS data. It allows you to view the distribution of your data and key health metrics across your hybrid data estate. This helps you discover, understand, and manage your resources and data assets across various environments.
With Azure Purview, you can:
- Easily create a holistic, up-to-date map of your data landscape
- Classify your data assets using built-in or custom classification rules
- Label sensitive data across Power BI, Microsoft 365, Azure, and SQL Server
- Integrate all your data catalog and systems using Apache Atlas APIs
For example, suppose you want to archive data by moving it into blob storage. You can use Purview to scan the data first and identify sensitive information, such as CUI, so you can encrypt and access-control it before it leaves the on-premises system.
Purview features an enterprise-grade business glossary that eliminates the need for Excel data dictionaries. It also allows you to track the origin of data with interactive lineage visualization.
4. Management groups
If you have many Azure subscriptions, you need to manage each subscription’s roles, permissions, compliance, and policies. You can organize subscriptions into management groups and apply policies, access controls, and management settings to each group. The management settings of each group apply to the subscriptions within it.
Management groups offer a powerful way to organize and manage resources within Azure. You can make Role-Based Access Control (RBAC) assignments to control the permissions of each user or group.
For example, suppose you have an Azure subscription with virtual machines and want to grant a specific user or group permission to manage those virtual machines without accessing other resources. In that case, you can do the following:
- Define a custom role and set permissions needed to manage virtual machines
- Assign the role to the group
- Specify the scope of the assignment
This will allow the group to perform actions like starting, stopping, and managing the configurations of the virtual machines without access to other resources, such as databases.
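The three-step procedure above, as an added example that is not code from the original article: it defines a custom role that permits only VM lifecycle operations, restricts where the role may be assigned, and assigns it to one group at resource-group scope. The subscription, resource group name, and group name are assumptions.

```powershell
# Added example, not from the original article.
# Assumptions: the VMs live in resource group 'rg-cui-vms' and the operators are members
# of the Entra ID group 'sg-vm-operators'. Requires Az.Resources.
Connect-AzAccount
$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId/resourceGroups/rg-cui-vms"   # assignment scope: this RG only

# Step 1: define the custom role. Start from a built-in role object so the definition has the
# right shape, then replace its permissions. 'Virtual Machine Contributor' itself is too broad:
# it also grants disk, network interface and load balancer management.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'VM Operator (CUI)'
$role.Description = 'Read, start, stop, restart and reconfigure VMs. No access to disks, networks, databases or other resources.'
$role.Actions.Clear()
@(
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/write',              # needed for configuration changes; drop it for start/stop only
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/restart/action',
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Compute/virtualMachines/instanceView/read',
    'Microsoft.Resources/subscriptions/resourceGroups/read',
    'Microsoft.Insights/metrics/read'
) | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId")        # the role can only ever be assigned inside this subscription
$definition = New-AzRoleDefinition -Role $role

# Step 2: assign to a group, not to individual users, so membership is the audit trail.
$group = Get-AzADGroup -DisplayName 'sg-vm-operators'

# Step 3: scope the assignment to the resource group. Nothing outside it is reachable.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionId $definition.Id -Scope $scope | Out-Null

# Verify: the group should hold exactly this one assignment at exactly this scope.
Get-AzRoleAssignment -ObjectId $group.Id | Select-Object RoleDefinitionName, Scope
```

If the operators only need to start and stop machines, remove `Microsoft.Compute/virtualMachines/write`; the write action also lets a holder attach extensions, which on an Arc-connected or Azure VM means code execution as SYSTEM or root.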
To keep the person who writes the policies from also being the person who can quietly change them, you can use Azure Blueprints. Azure Blueprints is a Microsoft Azure service that allows organizations to create and deploy pre-defined sets of Azure resources and configurations, such as role assignments, policy assignments, and resource templates. Think of it as a versioned template for setting up and managing Azure resources. You can have one role (Blueprint Contributor) that authors the blueprint definition and another (Blueprint Operator) that assigns it to subscriptions, and blueprint assignments can lock the deployed resources so that even subscription owners cannot modify or delete them. This separation of duties reduces the risk of someone deliberately changing or removing policies to benefit themselves. Note that Microsoft has announced the retirement of Azure Blueprints (scheduled for July 2026) and recommends migrating definitions and assignments to Template Specs and Deployment Stacks, so plan new work accordingly.
Management groups best practices
Here are some tips and best practices for structuring and managing Azure management groups.
- Define your hierarchy based on organization and environment type (production, pre-production, etc.). This ensures your hierarchy aligns with your organization’s structure and facilitates effective access, policy, and resource management within each environment separately.
- The root management group is for global configuration only. Use it solely for settings that must apply across the entire environment, because an erroneous assignment there is inherited by every subscription in the tenant.
- Avoid duplicating policies and RBAC assignments across the hierarchy. Assign common policies and RBAC roles as high in the hierarchy as they legitimately apply, so lower-level management groups and subscriptions inherit them. This keeps assignments consistent and reduces the administrative overhead of maintaining the same assignment at multiple levels.
- Utilize the built-in RBAC roles for management groups, such as management group contributor and management group reader.
Following these tips and best practices lets organizations establish a well-structured management group hierarchy in Azure, which improves access control, policy enforcement, and day-to-day management of resources across environments.
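The hierarchy and inheritance practices above, as an added example that is not the article's own code: it builds a small management group tree under a company root, places subscriptions by environment, assigns the built-in CMMC policy initiative once at the parent so every child inherits it, and grants the compliance team read-only visibility at the same level. Group names, subscription IDs, and the compliance team's group name are assumptions.

```powershell
# Added example, not from the original article. Requires Az.Resources.
# Assumptions: management group names below, the two subscription IDs, the Entra ID group
# 'sg-compliance-readers', and that the built-in 'CMMC 2.0 Level 2' initiative is wanted.
Connect-AzAccount
$tenantRoot = "/providers/Microsoft.Management/managementGroups/$((Get-AzContext).Tenant.Id)"
$mgPrefix   = '/providers/Microsoft.Management/managementGroups'

# Hierarchy: tenant root -> mg-contoso -> {mg-production, mg-preproduction}.
# Nothing is assigned at the tenant root; mg-contoso is the highest level we touch.
New-AzManagementGroup -GroupName 'mg-contoso'       -DisplayName 'Contoso'        -ParentId $tenantRoot            | Out-Null
New-AzManagementGroup -GroupName 'mg-production'    -DisplayName 'Production'     -ParentId "$mgPrefix/mg-contoso" | Out-Null
New-AzManagementGroup -GroupName 'mg-preproduction' -DisplayName 'Pre-production' -ParentId "$mgPrefix/mg-contoso" | Out-Null

# Place subscriptions by environment (IDs assumed).
New-AzManagementGroupSubscription -GroupName 'mg-production'    -SubscriptionId '00000000-0000-0000-0000-000000000001' | Out-Null
New-AzManagementGroupSubscription -GroupName 'mg-preproduction' -SubscriptionId '00000000-0000-0000-0000-000000000002' | Out-Null

# One policy assignment at the parent instead of one per subscription. Older Az.Resources
# versions expose the display name under .Properties.DisplayName, hence the two-sided match.
$mgScope  = "$mgPrefix/mg-contoso"
$cmmcInit = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.DisplayName -like 'CMMC 2.0 Level 2*' -or $_.Properties.DisplayName -like 'CMMC 2.0 Level 2*' } |
    Select-Object -First 1
if (-not $cmmcInit) { throw 'CMMC 2.0 Level 2 initiative not found among built-in policy set definitions.' }

# -Location and a managed identity are only required if the initiative contains
# deployIfNotExists or modify policies; they are harmless for audit-only initiatives.
New-AzPolicyAssignment -Name 'cmmc-baseline' -DisplayName 'CMMC 2.0 Level 2 baseline' `
    -Scope $mgScope -PolicySetDefinition $cmmcInit -Location 'eastus' -IdentityType 'SystemAssigned' | Out-Null

# RBAC inherits the same way. Management Group Reader at mg-contoso lets the compliance
# team see the whole tree and its assignments; add 'Reader' at the same scope if they
# also need to browse resource-level compliance data.
$readers = Get-AzADGroup -DisplayName 'sg-compliance-readers'
New-AzRoleAssignment -ObjectId $readers.Id -RoleDefinitionName 'Management Group Reader' -Scope $mgScope | Out-Null

# Show what the children inherit: the assignment appears once, at the parent.
Get-AzPolicyAssignment -Scope "$mgPrefix/mg-production" | Select-Object Name, Scope
```

Because the assignment is inherited, a subscription moved from pre-production to production picks up exactly the same CMMC baseline with no additional configuration, which is the property an assessor will want to see demonstrated.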
5. Azure Sentinel
Azure Sentinel (now Microsoft Sentinel) is a cloud-native security information and event management (SIEM) solution offered by Microsoft. It provides security analytics and threat intelligence across your business, improving detection, investigation, and response to security threats. It collects and analyzes security data from many sources and provides insight into your security posture.
You can run Sentinel on a single workspace or on several. For general internal line-of-business applications, one Sentinel workspace is enough. It simplifies management and lets Sentinel correlate a wide range of data in one place, including logs from Arc-connected servers, workstations, and network devices.
Some situations where you might need more than one instance of Azure Sentinel include the following:
- When conducting development and testing activities. Multiple instances allow you to simulate various scenarios and test different outputs.
- If part of your business runs in the GCC High environment. A Sentinel workspace dedicated to that environment keeps its logs and security data inside the same boundary and ensures they are analyzed and monitored under the same controls.
- When you have a specific SaaS application or targeted use case that requires isolation. A separate instance of Azure Sentinel allows for more specific scoping and control over the data and information flowing through it.
Sentinel is built on a Log Analytics workspace as its underlying log collection and storage platform. Logs and events land in the workspace's tables, and Sentinel's analytics rules, hunting queries, and machine learning run over them to surface incidents, anomalies, and threats.
You improve the effectiveness of your analysis by ensuring every security-relevant data source is connected to the workspace and actually sending data. Enable diagnostic settings on all Azure resources, and set the workspace retention period to match your compliance and regulatory requirements for audit records. Write custom KQL queries to search for specific conditions or patterns, and turn the ones that matter into scheduled analytics rules so you are alerted when they match.
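The three practices just described, as an added example that is not part of the original article: it checks which onboarded servers have stopped sending heartbeats (a coverage gap), sets workspace retention, and runs a custom detection for password spraying across the SecurityEvent table. The workspace name, resource group, retention period, and detection thresholds are assumptions.

```powershell
# Added example, not from the original article. Requires Az.OperationalInsights.
# Assumptions: workspace 'law-sentinel-prod' in resource group 'rg-sentinel', a 365-day
# retention policy for audit records, and the thresholds used in the detection query.
Install-Module -Name Az.OperationalInsights -Scope CurrentUser -Force
Connect-AzAccount
$rg     = 'rg-sentinel'
$wsName = 'law-sentinel-prod'
$ws     = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName

# (1) Coverage check. A server that onboarded and then went silent is a blind spot,
# and it will show up as a gap in the audit-logging evidence an assessor asks for.
$silent = @'
Heartbeat
| where TimeGenerated > ago(7d)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, ResourceType
| where LastHeartbeat < ago(30m)
| order by LastHeartbeat asc
'@
$gaps = @((Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $silent).Results)
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) onboarded host(s) have not reported in the last 30 minutes"
    $gaps | Format-Table Computer, ResourceType, LastHeartbeat
}

# (2) Retention. Interactive retention is a workspace-level setting; 365 days is assumed
# here as the organisation's policy for audit records.
Set-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -RetentionInDays 365 | Out-Null

# (3) Custom detection. Many distinct accounts failing from one source IP in a short
# window is the signature of a password spray. Windows event 4625 is a failed logon;
# LogonType 3 restricts it to network logons, which is where sprays show up.
$spray = @'
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625 and LogonType == 3
| summarize Failures = count(),
            Accounts = dcount(TargetUserName),
            Targets  = make_set(Computer, 10)
    by IpAddress
| where Accounts >= 10
| order by Accounts desc
'@
$hits = @((Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $spray).Results)
if ($hits.Count -gt 0) {
    Write-Warning "Possible password spray from $($hits.Count) source IP(s)"
    $hits | Format-Table IpAddress, Failures, Accounts, Targets
}
```

Once a query like the spray detection has been tuned against real data, save it as a scheduled analytics rule in Sentinel with the same KQL, a one-hour frequency and lookback, and a trigger threshold of zero results, so it raises an incident instead of relying on someone running the script.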
Meet CMMC with Agile IT
You can leverage Microsoft's offerings to meet CMMC requirements with your existing on-premises infrastructure. You don't need to create a virtual network, rewrite your policies, or re-platform your environments. You only need to apply the Azure resources above to improve what you already have, without massive IT changes.
Agile IT has helped billion-dollar SaaS businesses meet federal regulations and enter the FedRAMP marketplace. We are able to secure the most complex cloud and hybrid environments. To find out how we can help you meet FedRAMP High and CMMC requirements for your applications, contact us today.