Understanding Azure Compliance
Compliance matters because organizations must meet the legal and regulatory obligations that apply to them, and a cloud provider's certifications and audit reports are the evidence that its controls have been independently assessed
Azure is constantly obtaining new certifications, and the list below is only current as of July 14, 2014
For a complete and up-to-date list of Azure compliance offerings, see
Why is compliance complex?
- Regulatory requirements vary by country and industry, and often by state.
What can Microsoft provide to make compliance faster and easier?
Microsoft can provide audit reports and compliance packages that customers can hand to their own auditors
There is also a compliance framework that maps a single set of controls to multiple standards, so one set of evidence can satisfy several audits
What are the certifications supported by Microsoft for Azure?
- Here is a quick rundown.
ISO/IEC 27001:2005 AUDIT AND CERTIFICATION
The certificate issued by the British Standards Institution (BSI) is publicly available
This certification audit is completed annually
It verifies that the information security controls in Microsoft's information security management system (ISMS) are in place and operating
The standard specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system within an organization
SOC 1 AND SOC 2 SSAE 16/ISAE 3402 ATTESTATIONS
SOC reports are produced under auditing standards (SSAE 16 in the U.S., ISAE 3402 internationally) for reporting on the controls of a service organization
A SOC 1 report covers controls relevant to the financial reporting of the organizations that use the service; it enables the user organization's auditor to perform risk assessment procedures without auditing the provider directly
A SOC 2 report covers a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy (the Trust Services Principles)
Azure is audited annually to ensure that security controls are maintained
CLOUD SECURITY ALLIANCE CLOUD CONTROLS MATRIX
The Cloud Controls Matrix (CCM) is designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider
The CSA was formed in December 2008 as a coalition of individuals who saw a need to provide objective enterprise user guidance on the adoption and use of cloud computing
Its initial work product was the Security Guidance for Critical Areas of Focus in Cloud Computing
FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM (FEDRAMP)
FedRAMP is a mandatory U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
This approach uses a "do once, use many times" framework that will save cost, time, and staff required to conduct redundant agency security assessments.
PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARDS (DSS) LEVEL 1
Azure's Level 1 validation allows merchants to build a secure cardholder data environment on the platform and to achieve their own PCI DSS validation
The standard is designed to prevent fraud through increased controls around credit card data
PCI DSS compliance is required for all organizations that store, process, or transmit payment cardholder data; the provider's validation covers the provider's controls, and the customer must still validate its own applications and environment
UNITED KINGDOM G-CLOUD IMPACT LEVEL 2 ACCREDITATION
- Primarily for a broad range of UK public sector organizations, including local and regional government, National Health Service (NHS) trusts, and some central government bodies, that require the PROTECT level of security for data processing, storage, and transmission
HIPAA BUSINESS ASSOCIATE AGREEMENT (BAA)
HIPAA is US law that applies to healthcare entities with access to patient information (called Protected Health Information, or PHI)
For a healthcare organization to use a cloud service to handle PHI, it needs a Business Associate Agreement (BAA) with the provider; Microsoft offers a BAA for Azure
While Azure includes features to help enable customer's privacy and security compliance, customers are responsible for ensuring their particular use of Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult with their own legal counsel.
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)
FERPA imposes requirements on U.S. educational organizations regarding the use and disclosure of student education records.
Educational organizations can use Windows Azure to process data, such as student education records, in compliance with FERPA, provided their own use of the service meets FERPA's requirements
Microsoft will only use Customer Data to provide organizations with the Windows Azure service and will not scan Customer Data for advertising purposes