Azure Compliance: 3 Keys for Getting Started

As enterprise businesses accelerate innovation in the cloud, the concepts of threat detection, data privacy and compliance audits have never been more important. Indeed, violations can lead to costly security breaches, regulatory actions and loss of brand equity. Microsoft, which launched its cloud services platform Azure back in 2011, clearly understands the importance of compliance, establishing itself as a trusted player in this space. And, according to Microsoft Vice President of Azure Data, there is still work to be done. In fact, he lumped Microsoft’s ability to manage exabytes of data in the cloud in with a handful of other big names like Google and Facebook, that must make investments in compliance if they are going to protect the security of their customers and retain trust.

With this in mind, here are three important considerations for getting started with Azure compliance:

#1 Understanding Azure and ISO Compliance

The International Organization for Standardization (ISO) is a worldwide compliance agency that offers baseline standards for almost every industry and sector. These standards also extend to cloud computing including specific guidance on how to manage security in the cloud.

Courtesy of Microsoft

Meeting ISO standards is one way that Microsoft lives up to its commitment to protect consumers by establishing trust. They also do this by focusing on the following three core tenets. These are:

• Experience in the tech industry as an early adopter of cloud technology
• Transparency about practices and resources for security and compliance; and
• Responsibility shared between individual users and organizations

Because Azure is based on these foundational principles, by design, it complements ISO standards easily.

Furthermore, Microsoft makes achieving new certifications a priority to increase trust and esteem in the brand. For example, a tool called the Microsoft Service Trust Center, which is home to a compliance repository resource that will be discussed in more detail below, tells us that Microsoft is ISO 9001:2015 certified.

According to Microsoft, the certification requires a rigorous audit by an independent organization. Passing means meeting ISO 9001:2015 management standards. Azure was one of the platforms audited for this certification. The Microsoft Service Trust Portal allows you to view their certificate and full audit.

#2 Explore Compliance Manager

In February, Microsoft announced it would be rolling out a new tool called Compliance Manager in the Service Trust Center.

Compliance Manager is designed to help enterprise businesses feel secure in their choice to transition to Microsoft cloud services, like Azure. It solves the following problems for enterprises business leaders:

• Makes security data available for easy consumption: Using dashboards with charts and graphs, Microsoft shares how their products hold up against audits and standards like ISO compliance.
• Allows for assigning and tracking: Enterprise businesses can assign, track and report on compliance goals and standards within their organization.
• Offers security in the form of a repository for files and compliance data.
• Reporting features are rich: Offering a number of reporting options to mine the most productive data available on compliance within your organization.

With Azure, Microsoft understands that in order to be competitive to enterprise businesses in a heavily populated cloud marketplace they have to keep rolling out new features like Compliance Manager for general use.

Here’s how your business can benefit from this new feature:

• Replace spreadsheets for tracking compliance with comprehensive dashboards and digital tracking tools.
• Free for Azure ID customers which means that security comes to your organization at no additional cost.
• Assign ownership of compliance controls to members of your organization, designate roles etc.
• Compare controls against other standards like GDPR.
• Implement and log control tests to determine how compliant your organization is and where your vulnerabilities lie.
• Get compliance recommendations from Microsoft the experts in GDPR and ISO compliance.
• Export compliance information to Excel for audits by third-party vendors.
• Access to data is well-controlled through a four-level hierarchy:
  • enterprise enrolment administrator
  • department administrator
  • account owner
  • service administrator
• Service Trust portal integration allows users to have access to important security data about Microsoft.
• Offers compliance scores that tell you how impactful compliance failures are to your organization’s success.

In short, Microsoft offers robust reporting and dashboard capabilities that make it easy for enterprise businesses to understand their compliance needs. And track and compare them against a growing list of industry standards.

Azure leverages Microsoft’s long history as a partner that enterprise businesses can trust. When you partner with Microsoft you can rest assured they are making investments to roll out new tools, like Compliance Manager, that meet your enterprise needs.

In addition to the above mentioned ISO standards, Microsoft’s compliance offerings include regional certifications for global locales and other international standards organizations. For a full list of compliance offerings from Microsoft click here.

#3 Try Azure Cosmos DB for a Compliant Database

Azure Cosmos DB has multiple compliance offerings and consistencies, as well as accurate, single-digit millisecond latencies worldwide. According to Microsoft, Azure Cosmos DB “guarantees end-to-end low latency at the 99th percentile to its customers.” Its features make it ideal for mobile, web, gaming, ad tech, IoT and many more applications.

Azure Cosmos DB is a multi-modal database that makes it easy to develop scalable, highly responsive applications at global scale. And it does all of this with a heavy handed focus on compliance including the following key benefits:

• Turnkey global distribution means that there is no need to redeploy applications to the database as you add and remove regions
• Third-party audit assessments
• Contractual amendments with self assessment tools
• Access to tips and guidance from the gurus at Microsoft
• Formal certifications and validations

See below for the comprehensive list of Azure Cosmos DB certifications:

• CSA STAR Self-Assessment
• CSA STAR Certification
• CSA STAR Attestation
• ISO 20000-1:2011
• ISO 22301:2012
• ISO 27001:2013
• ISO 27017:2015
• ISO 27018:2014
• ISO 9001:2015
• SOC 1 Type 2
• SOC 2 Type 2
• SOC 3
• FIPS 140-2
• 23 NYCRR 500
• APRA (Australia)
• DPP (UK)
• FCA (UK)
• FERPA
• FFIEC
• GLBA
• GxP (21 CFR Part 11)
• HIPAA and the HITECH Act
• HITRUST
• MAS and ABS (Singapore)
• NEN 7510:2011 (Netherlands)
• NHS IG Toolkit (UK)
• PCI DSS Level 1
• Shared Assessments
• SOX
• Argentina PDPA
• Australia IRAP Unclassified
• Canadian Privacy Laws
• EU ENISA IAF
• EU Model Clauses
• EU-US Privacy Shield
• Germany C5
• Germany IT-Grundschutz Workbook
• Japan My Number Act
• Netherlands BIR 2012
• Singapore MTCS Level 3
• Spain DPA
• UK Cyber Essentials Plus
• UK G-Cloud
• UK PASF

Once again, Microsoft leverages its experience with enterprise businesses to understand their compliance needs and deliver in the form of certifications, validations and self-assessments.

Azure and GDPR Considerations

The buzz around compliance is that very soon the General Data Protection Regulation (GDPR) will be replacing the Data Protection Directive as the governing force behind industry compliance in the European Union. This means that if your operations have a global reach, you must understand how these changes will affect the way you do business.

Furthermore, seemingly small differences in standards could mean big changes for businesses who need to comply. Companies may need to extend their data protection policies further than they ever have.

As mentioned above, Microsoft has been preparing for the change for almost a year, to ensure the appropriate changes have been made to keep Azure compliant. This puts them ahead of a large number of companies who want to have a GDPR change management strategy but have failed to launch any such efforts.

For a video that highlights the changes Azure has made to be compliant with GDPR, click here.

Final Thoughts

Regardless of individual enterprise requirements, all businesses have the same basic concerns about their data when it comes to transitioning to a multi-cloud environment: security, transparency and compliance.

While there are several options to choose from when it comes to cloud service providers, Microsoft Azure offers time-tested compliance measures that hold up against international standards. A large part of Microsoft’s success is its track record of letting the needs of the consumer drive their execution strategy. And the discussion around compliance is no different.

Next Steps

Apart from choosing the right cloud services platform, there’s a lot more involved in solving the compliance puzzle for your enterprise business. At BMC, we help make this enterprise compliance transition a lot easier with our SecOps Policy Service. This cloud-based service enables security and compliance testing of cloud settings and configurations, as well as application vulnerabilities.

More specifically, this solution offers several benefits including the following:

• Cloud security assessment and vulnerability fixes for public cloud services like Azure
  Integrated compliance and security checks
• Compliance and governance of infrastructures like Docker Containers, AWS CloudFormation, private, and hybrid clouds
• Out-of-the-box best practices
• Flexible architecture with built-in connectors and policy extensibility for virtually any data source

Simply put, the security of multi-cloud applications will depend on the proper configuration of hundreds of services across thousands of resources. BMC SecOps Policy Service helps detect and fix settings to minimize risk. For more information on how BMC can help your transition into cloud systems, contact us today.