Understanding Azure Compliance

  1. Compliance is a very important topic because companies obviously must comply with the law

  2. Azure is constantly getting new certifications and the list below is only current as of July 14, 2014

  3. For a complete and up-to-date list of compliance certifications, see

Why is compliance complex?

  1. Regulatory requirements vary by country and industry, and often by state.

What can Microsoft provide to make compliance faster and easier?

  1. Microsoft can provide audit reports and compliance packages

  2. There is also a compliance framework that provides a single set of controls to simplify compliance

What are the certifications supported by Microsoft for Azure?

  1. Here is a quick rundown.

ISO/IEC 27001:2005 AUDIT AND CERTIFICATION

  1. The certificate issued by the British Standards Institution (BSI) is publicly available

  2. This certification is completed annually

  3. It verifies information security controls

  4. Includes guidelines for initiating, implementing, maintaining, and improving information security management within an organization

SOC 1 AND SOC 2 SSAE 16/ISAE 3402 ATTESTATIONS

  1. A series of accounting standards that measure the control of financial information for a service organization

  2. It enables the auditor to perform risk assessment procedures

  3. In general, they focus on a service organization's controls relevant to security, availability, and confidentiality

  4. Azure is audited annually to ensure that security controls are maintained

CLOUD SECURITY ALLIANCE CLOUD CONTROLS MATRIX

  1. Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider

  2. The CSA was formed in December 2008 as a coalition by individuals who saw a need to provide objective enterprise user guidance on the adoption and use of cloud computing.

  3. Its initial work product was Security Guidance for Critical Areas of Focus in Cloud Computing

FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM (FEDRAMP)

  1. FedRAMP is a mandatory U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services

  2. This approach uses a "do once, use many times" framework that will save cost, time, and staff required to conduct redundant agency security assessments.

PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) LEVEL 1

  1. Allows merchants to establish a secure cardholder environment and to achieve their own certification

  2. Designed to prevent fraud through increased controls around credit card data

  3. PCI certification is required for all organizations that store, process or transmit payment cardholder data

UNITED KINGDOM G-CLOUD IMPACT LEVEL 2 ACCREDITATION

  1. Primarily for a broad range of UK public sector organizations, including local and regional government, National Health Service (NHS) trusts and some central government bodies, who require 'protect' level of security for data processing, storage and transmission

HIPAA BUSINESS ASSOCIATE AGREEMENT (BAA)

  1. US laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI)

  2. Enables healthcare companies to use cloud services

  3. While Azure includes features to help enable customers' privacy and security compliance, customers are responsible for ensuring that their particular use of Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult their own legal counsel

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)

  1. FERPA imposes requirements on U.S. educational organizations regarding the use and disclosure of student education records.

  2. Educational organizations can use Windows Azure to process data, such as student education records, in compliance with FERPA

  3. Microsoft will only use Customer Data to provide organizations with the Windows Azure service and will not scan Customer Data for advertising purposes