A majority of businesses are considering leveraging the cloud to get their business done, and get it done at levels of efficiency never before possible. But the concept of the cloud still instills fear and concerns across all levels of the business.
Welcome to Microsoft Azure
“Security’s the biggest blocker not just for Azure adoption but for cloud adoption generally,” said Stevan Vidich, director of Windows Azure Marketing. A recent report from Capgemini identifies several friction points slowing the adoption of Microsoft Azure: forty percent of respondents cited “fear of security breaches,” and another 52% cited “data sovereignty” and compliance issues as the combination that made them apprehensive.
In the case of Microsoft Azure, these concerns are largely unfounded. Azure offers an enormous range of compliance options and highly secure and responsible data practices. That is not to say you should go to the cloud without doing your due diligence first. As is often the case, industry-specific standards vary, and you should always evaluate the law and how it applies to you.
Filling The Gaps
Often, Azure only offers partial compliance, or only on a specific set of services. This means it will be up to you to fill the gaps. Microsoft believes that security, privacy, and compliance for its enterprise cloud services are a shared responsibility. Microsoft helps reduce the security and compliance burden for customers by providing trustworthy enterprise cloud services, while also offering the security capabilities and flexibility customers need to use the services in accordance with their own standards.
Microsoft undergoes regular verification by third-party audit firms and shares audit report findings and compliance packages with customers to help them fulfill their own compliance obligations. By verifying that its services meet compliance standards and demonstrating how compliance was achieved, Microsoft makes it easier for customers to attain compliance for the infrastructure and applications they run in Microsoft Azure.
Microsoft Azure has obtained many industry-specific certifications, including:
• CDSA: The Content Delivery and Security Association (CDSA) provides a Content Protection and Security (CPS) standard for compliance with anti-piracy procedures governing digital media. Azure has passed the CDSA audit and so enables secure workflows for content development and distribution.
• CJIS: Any US state or local agency that wants to access the FBI’s Criminal Justice Information Services (CJIS) database through a cloud-based solution is required to use a cloud provider that adheres to the CJIS Security Policy. Azure is the only major cloud provider that contractually commits to conformance with CJIS.
• CSA CCM: The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides detailed information about how Azure fulfills the security, privacy, compliance, and risk management requirements defined in CCM version 1.2.
• DIACAP: The Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) is a United States DoD process that helps companies and organizations manage risk for information systems. However, in March 2014, the DoD replaced DIACAP with the NIST 800-37 Risk Management Framework and DoD 8510.01. Azure demonstrates compliance with these standards through its FedRAMP accreditation.
• DISA Level 2: Azure has been granted a DISA Provisional Authorization for Cloud Security Model Level 2 under a reciprocal agreement with the FedRAMP JAB. This certification attests to Azure’s compliance with required standards as dictated by DoD Instruction 8500.01 and 8510.01, the Security Requirements Guide, CNSSI 1253, and NIST 800-37 / 53.
• EU Model Clauses: Microsoft offers customers EU Standard Contractual Clauses that provide contractual guarantees around transfers of personal data. Microsoft is the first company to receive approval from the EU’s Article 29 Working Party for contractual commitments.
• FDA 21 CFR Part 11: The US Food and Drug Administration (FDA) Code of Federal Regulations (CFR) Title 21 Part 11 lists requirements for the security of electronic records of companies that sell food and drugs manufactured or consumed in the United States. Working with the Qualification Guideline for Microsoft Azure, which identifies the responsibilities shared by Microsoft and its customers for meeting the regulatory requirements, companies are able to demonstrate that Azure services and execution fulfill the requirements.
• FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is a mandatory US government program that provides a standardized approach to security assessment, authorization, and monitoring for cloud services used by federal agencies. Azure has been granted a Provisional Authority to Operate from the FedRAMP Joint Authorization Board at a Moderate Impact level based upon the FIPS 199 classification.
• FERPA: The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of student educational records. Azure’s compliance with FERPA limits the transmission of student data to third parties.
• FIPS 140-2: The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. Azure uses Microsoft cryptographic modules in the validated list published by NIST, enabling customers to configure and use Azure Virtual Network services in a way that helps meet their information encryption requirements.
• FISC: The Center for Financial Industry Information Systems (FISC) in Japan collaborated with its membership to establish a set of guidelines for the promotion of security measures on financial institutions' information systems. Azure has been assessed to meet the requirements for FISC, and provides guidance including recommendations for banking computer systems security, information system audits, contingency planning, and security policy development.
• FISMA: The Federal Information Security Management Act (FISMA) relies on the guidelines defined by the National Institute of Standards and Technology (NIST) for securing information systems within Federal agencies. Rather than requiring each agency to define and implement its own information security program, FedRAMP provides a consistent assessment for all parties, thereby simplifying the authorization process for cloud solutions.
• IRS 1075: Internal Revenue Service Publication 1075 (IRS 1075) provides guidance to ensure that the policies, practices, controls, and safeguards employed by recipient agencies adequately protect the confidentiality of Federal Tax Information and related financial tax return data. Microsoft Azure Government supports the security capabilities for customers to comply with IRS 1075 requirements.
• HIPAA / HITECH: The Health Insurance Portability and Accountability Act (HIPAA) is the US law that regulates patient Protected Health Information (PHI). Azure offers customers a HIPAA Business Associate Agreement (BAA), stipulating adherence to HIPAA’s security and privacy provisions.
• CCSL (IRAP): Azure has been certified by the Australian Signals Directorate (ASD) and is included on the ASD Certified Cloud Services List (CCSL) for the storage and processing of Unclassified (DLM) data. The certification recognizes the successful completion, review, and acceptance of a comprehensive assessment undertaken by an Independent Security Registered Assessor.
• ISO/IEC 27001/27002:2013: The ISO/IEC 27001/27002:2013 certificate validates that Microsoft has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
• ISO/IEC 27018:2014: Microsoft is the only cloud provider to adhere to the ISO/IEC 27018 code of practice, covering the processing of personal information by cloud service providers. ISO/IEC 27018 controls include a prohibition on the use of customer data for advertising and marketing purposes without the customer’s express consent.
• MLPS: Multi-Level Protection Scheme (MLPS) is based on the Chinese state standard issued by the Ministry of Public Security. Azure operated by 21Vianet adheres to this standard, which provides assurance for both the management and technical security of cloud systems.
• MTCS SS Tier 3: Azure (public) has achieved level 3 certification with the Multi-Tier Cloud Security Standard for Singapore (MTCS SS), an ISO 27001-based standard covering areas such as data retention and sovereignty, developed under the Singapore Information Technology Standards Committee (ITSC). Level 3 is designed for regulated organizations with the most stringent security requirements around HBI data.
• NZ GCIO: The New Zealand (NZ) Government Chief Information Officer (GCIO) has published a framework of 105 questions focused on the security and privacy aspects of cloud services that are fundamentally related to data sovereignty. Microsoft New Zealand has proactively provided information showing how Microsoft Azure meets these requirements.
• PCI DSS Level 1: Azure complies with Payment Card Industry (PCI) Data Security Standards (DSS) Level 1 version 3.0, the global certification standard for organizations that accept most payment cards and store, process, or transmit cardholder data.
• SOC 1 Type 2 and SOC 2 Type 2: Service Organization Controls (SOC) are a series of accounting standards that measure the control of financial information for a service organization. Azure’s SOC 1 and SOC 2 Type 2 audit reports attest to the effectiveness of the design and operation of its security controls.
• TCS CCCPPF: Azure operated by 21Vianet is among the first cloud providers in China to pass the Trusted Cloud Service certification developed by the China Cloud Computing Promotion and Policy Forum (CCCPPF), by providing an open platform, a high-quality Service Level Agreement, powerful data recovery capabilities, and robust customer benefits.
• UK G-Cloud: The UK Government G-Cloud is a cloud computing certification for services used by government entities in the United Kingdom. Azure has received OFFICIAL accreditation from the UK Government Pan Government Accreditor.
• Section 508 / VPATs: Microsoft offers detailed Voluntary Product Accessibility Templates, or VPATs, for many of Azure’s core services, demonstrating Azure’s level of compliance with Section 508. Because Azure comprises many services, individual VPATs are provided for specific components and capabilities.
Since 1981, Oakwood has been helping companies of all sizes, across all industries, solve their business problems. We bring world-class consultants to architect, design, and deploy technology solutions that move your company forward. Our proven approach guarantees better business outcomes. With flexible engagement options, your project is delivered on time and on budget. 11,000 satisfied clients can’t be wrong.