Never have I been able to have a conversation about the Cloud without having the question asked of me: “What about security, privacy, and compliance?” Unlike some other folks that I know, I don’t shy away from having this discussion as I am of the opinion that, though a bit complicated to explain quickly, there’s a really great answer to the question (at least when talking about Windows Azure).
Side Note: I wanted to take this opportunity to thank all of the developers who have asked me this question at meetups, conferences, camps, etc., as you’ve given me the opportunity to make my answer crisper and crisper each time you ask!
Here’s how I break down the conversation:
Identity and Access
Since Windows Azure is an enterprise-level solution, it has cloud identity governance that enables you to manage access by your users. You can sync existing identities and enable single sign-on to Windows Azure, Office 365, and other cloud applications; monitor access patterns to identify and mitigate potential threats; and help prevent unauthorized access with Windows Azure Multi-Factor Authentication.
Your Windows Azure Virtual Machines and data are isolated from undesirable traffic and users. However, you can access them through private, encrypted connections. You can also set up firewalled and partitioned networks to help protect against unwanted traffic from the Internet. Better yet, if you want to keep your traffic off of the Internet altogether, Windows Azure just released ExpressRoute, a private fiber link between users (you) and Windows Azure. Or if you don’t need something that crazy, you can securely connect your on-premises datacenter or a single computer to Windows Azure using Windows Azure Virtual Networks.
Microsoft makes data protection a priority. Both technology safeguards, such as encryption, and operational processes for data destruction keep your data yours only. Encryption is used to help secure data in transit between datacenters and you, as well as between and at Microsoft datacenters; however, you can always choose to implement additional encryption using a range of approaches, at which point you would control the encryption method and keys. As for deletion of data, Windows Azure follows strict industry standards that call for overwriting storage resources before reuse, as well as physically disposing of decommissioned hardware, so no worries of deleted data lingering around.
You control where your data resides and who can access it by specifying the geographic areas where your data is stored. Your data is replicated for redundancy, but only within the same geographic area. Depending on what you’re working on, you may need more than just the knowledge that this is the case. Not a problem. You can get additional contractual commitments about the transfer of personal data to address specific government/regulatory needs.
ISO 27001, SOC 1, SOC 2, PCI DSS, HIPAA … to name a few. The different services within Windows Azure are independently verified to be compliant services. On the Windows Azure Trust Center, you can go through detailed information, including audit reports and compliance packages, to provide you with insights into how specific regulatory standards are met.
To wrap all of this up as something clear and concise, here’s an infographic for you:
But realistically, the answer is more complicated than the above. Totally understood, so here’s what you need in order to get answers to the more specific questions you might have around Windows Azure’s security, privacy, and compliance capabilities:
Don’t think I forgot. Let’s tackle the question of “Is there a Windows Azure datacenter in Canada?”. Simple answer is no. The proper answer is, yes, there is, it is just not operated by Microsoft. It is operated by a Microsoft Cloud OS partner and is built on the same technologies as Windows Azure “proper”: Windows Server with Hyper-V, System Center, and the Windows Azure Pack. Whether you deploy to a Cloud OS partner (allowing you to keep everything 100% in Canada) or you deploy to Windows Azure, the code that you’re developing will be the exact same and will work the exact same. Hence why I say that the real answer is “yes”, where you deploy the code is the only technicality. Read more about Cloud OS providers here.
I’ll stop here so that I don’t get too far into technical depth on the topic. At the end of the day, most of this stuff is really for the lawyers and privacy officers to deal with (and is written as such, LOL.) I’d suggest looking through the technical documentation I have for you above, and leave the rest to the pros! … unless of course you play those roles in your company/startup as well.
This is definitely one of those topics that continues to generate questions and/or concerns. Please, feel free to share them. Start a new conversation in the Canadian Developer Connection LinkedIn group and get the answers you’re looking for.