Compliance Matrix

Executive Summary

Compliance Area	Coverage	Status	Notes
Network Security	90%	✅ Compliant	NSG deny-all, Firewall option
Data Protection	85%	✅ Compliant	Key Vault deployed for secrets
Access Control	85%	✅ Compliant	Azure AD-only, no public IPs
Monitoring & Audit	85%	✅ Compliant	Log Analytics, Defender Free
Incident Response	60%	⚠️ Partial	Manual runbooks only
Overall	83%	✅ Compliant	Suitable for SMB workloads

Network Security Controls

Control ID	Requirement	Implementation	Status
NS-1	Network segmentation	Hub-spoke topology, VNet peering	✅ Compliant
NS-2	Cloud-native firewall	Azure Firewall (optional)	✅ Compliant
NS-3	Network Security Groups	NSG on all subnets, deny-all default	✅ Compliant
NS-4	DDoS Protection	Basic (free) only	⚠️ Partial
NS-5	Private endpoint for PaaS	Private DNS Zone + Key Vault PE	✅ Compliant
NS-6	No public endpoints	Policy: no public IPs on VMs	✅ Compliant
NS-7	Traffic encryption	TLS 1.2+ enforced via policy	✅ Compliant

Data Protection Controls

Control ID	Requirement	Implementation	Status
DP-1	Data classification	Tags (Environment, Owner)	⚠️ Partial
DP-2	Encryption at rest	Azure default (PMK)	✅ Compliant
DP-3	Customer-managed keys	Key Vault deployed for future CMK	⚠️ Partial
DP-4	Encryption in transit	HTTPS-only policy	✅ Compliant
DP-5	Data backup	Azure Backup with auto-enrollment	✅ Compliant
DP-6	Secure key management	Azure Key Vault (Standard, RBAC)	✅ Compliant

Access Control

Control ID	Requirement	Implementation	Status
IM-1	Centralized identity	Azure AD	✅ Compliant
IM-2	Managed identities	Recommended pattern	✅ Compliant
IM-3	Azure AD-only auth	SQL policy enforced	✅ Compliant
PA-1	Privileged access protection	Azure Bastion, no public IPs	✅ Compliant
PA-2	Just-in-time access	Not implemented	❌ Gap
PA-3	Emergency access	Not implemented	⚠️ Partial

Monitoring & Audit Controls

Control ID	Requirement	Implementation	Status
LT-1	Centralized logging	Log Analytics workspace	✅ Compliant
LT-2	Log retention	30 days (configurable)	✅ Compliant
LT-3	Security event collection	Defender for Cloud (Free)	⚠️ Partial
LT-4	Alert on security events	Not pre-configured	❌ Gap
AM-1	Asset inventory	Azure Resource Graph	✅ Compliant
AM-2	Tag management	Required tags policy (Deny)	✅ Compliant

Incident Response Controls

Control ID	Requirement	Implementation	Status
IR-1	Incident response plan	Operations Runbook	✅ Compliant
IR-2	Incident detection	Defender for Cloud alerts	⚠️ Partial
IR-3	Incident containment	Manual (NSG modification)	⚠️ Partial
IR-4	Post-incident review	Not implemented	❌ Gap

Gap Analysis

Gap	Control	Risk	Remediation	Timeline
G-1	DP-3 (CMK)	Medium	Add Key Vault + CMK for storage	Future
G-2	PA-2 (JIT)	Medium	Enable Defender JIT access	Future
G-3	LT-4 (Alerts)	Low	Configure alert rules	Customer responsibility
G-4	NS-4 (DDoS)	Low	Upgrade to DDoS Protection Standard	Customer decision
G-5	IR-4 (Review)	Low	Establish post-incident process	Customer responsibility

Tip

Gaps G-3 through G-5 are intentionally left to the customer — they depend on workload-specific requirements that vary per SMB deployment.

Policy Enforcement Summary

The Azure Policies provide automated compliance enforcement:

Category	Deny	Audit	Total
Compute	2	4	6
Network	1	4	5
Storage	3	2	5
Identity	0	4	4
Key Vault	0	7	7
Tagging	2	0	2
Monitoring	0	1	1
Backup	0	2	2
Governance	1	0	1
Sub-scope	1	0	1
Total	10	24	34

See the full Policy Catalog for details on each policy.