Microsoft partners with customers to help them address a wide range of international, country, and industry-specific regulatory requirements.
Last updated: April 2015
By providing customers with compliant, independently verified cloud services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run in Azure. Microsoft provides Azure customers with detailed information about our security and compliance programs, including audit reports and compliance packages, to help customers assess our services against their own legal and regulatory requirements.
In addition, Microsoft has developed an extensible compliance framework that enables it to design and build services using a single set of controls to speed up and simplify compliance across a diverse set of regulations and rapidly adapt to changes in the regulatory landscape. More information on specific compliance programs is available here:
Azure is committed to annual certification against ISO/IEC 27001/27002:2013, a broad international information security standard. The ISO/IEC 27001/27002:2013 certificate validates that Microsoft has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
The audit included the Information Security Management System (ISMS) for Azure, encompassing infrastructure, development, operations, management, support, and in-scope services. The certificate issued by the British Standards Institution (BSI) is publically available.
Additionally, Microsoft Azure services have incorporated the controls that embody ISO/IEC 27018 – an extension of the ISO 27001 standard with a code of practice governing the processing of personal information by cloud service providers. ISO 27018 provides controls that reflect considerations specifically for protecting personally identifiable information in public cloud services. For example, the ISO 27018 controls prohibit the use of customer data for advertising and marketing purposes without the customer’s express consent. ISO 27018 also provides clear guidance for cloud service providers for the return, transfer and/or secure disposal of personal information of customers leaving their service and requires the cloud service provider to identify any sub-processor before customers enter into a contract, and inform customers promptly of new sub-processors, to give customers an opportunity to object or terminate their agreement.
Azure has been audited against the Service Organization Control (SOC) reporting framework for both SOC 1 Type 2 and SOC 2 Type 2. Both reports are available to customers to meet a wide range of US and international auditing requirements.
The SOC 1 Type 2 audit report attests to the design and operating effectiveness of Azure controls. The SOC 2 Type 2 audit included a further examination of Azure controls related to security, availability, and confidentiality. Azure is audited annually to ensure that security controls are maintained.
Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB). In addition, the SOC 2 Type 2 audit included an examination of the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA).
The audit included the Information Security Management System (ISMS) for Azure, encompassing infrastructure, development, operations, management, support, and in-scope services. Customers should contact Azure Support (or new customers can contact their account representative) to request a copy of the SOC 1 Type 2 and SOC 2 Type 2 reports for Azure.
The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is designed to provide fundamental security principles to guide cloud vendors and to assist prospective customers in assessing the overall security risk of a cloud provider. Detailed information about how Azure fulfills the security, privacy, compliance, and risk management requirements defined in the CCM version 1.2 is also published in the CSA's Security Trust and Assurance Registry (STAR). In addition, the Microsoft Approach to Cloud Transparency paper provides an overview of how Microsoft addresses various risk, governance, and information security frameworks and standards, including the CSA CCM v1.2.
Azure has been granted a Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) at a Moderate impact level based upon the FIPS 199 classification. Following a rigorous security review, the JAB approved a provisional authorization that an executive department or agency can leverage to issue a security authorization and an accompanying Authority to Operate (ATO). This will allow U.S. federal, state, and local governments to more rapidly realize the benefits of the cloud using Azure.
FedRAMP is a mandatory U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services.
The FedRAMP audit included the Information Security Management System (ISMS) for Azure, encompassing infrastructure, development, operations, management, support, and in-scope services. Government agencies can request the Azure FedRAMP security package. Microsoft intends to pursue FedRAMP certification for Azure Government.
The Federal Information Security Management Act of 2002 was implemented to provide agencies the ability to document and implement information security programs within their operational systems.
Previously, cloud providers were required to undergo FISMA assessments by individual federal agencies. Azure received an ATO from the General Services Administration under FISMA. In 2011, the FedRAMP program was created and designed to streamline the process for cloud service providers and agencies and has replaced FISMA authorizations as the preferred approach to validating the security of cloud services.
The FISMA audit included the Information Security Management System (ISMS) for Azure, encompassing infrastructure, development, operations, management, support, and in-scope services. Government agencies can request the current Azure FedRAMP security package.
Microsoft has reviewed the Azure Government policies and procedures to verify that it meets the requirements necessary for U.S. state and local agencies to use in-scope services to store and process Criminal Justice Information. Azure will contractually commit and sign the FBI CJIS security addendum, which commits Azure to the same requirements that law enforcement and public safety must meet. Azure continues to work with a variety of states to enter into additional CJIS Information Agreements, which provide additional information to law enforcement authorities about the nature of the services, and ensure appropriate background screening for operating personnel.
Contact your Microsoft account representative for information about what programs exist in your state or email AzureGov@microsoft.com.
Azure is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standards (DSS) Version 3.0 as verified by an independent Qualified Security Assessor (QSA), allowing merchants to establish a secure cardholder environment and to achieve their own certification.
The PCI DSS is an information security standard designed to prevent fraud through increased controls around credit card data. PCI certification is required for all organizations that store, process or transmit payment cardholder data. Customers can reduce the complexity of their PCI DSS certification by using compliant Azure services.
The audit included the Information Security Management System (ISMS) for Azure, encompassing infrastructure, development, operations, management, support, and in-scope services. The Azure PCI Attestation of Compliance and Azure Customer PCI Guide are available for immediate download.
Azure has received OFFICIAL accreditation from the UK Government Pan Government Accreditor. Azure is available on the G-cloud Framework and details can be found on the UK’s Digital Marketplace.
The OFFICIAL rating benefits a broad range of UK Public Sector organizations, including Local and Regional Government, National Health Service (NHS) trusts and some central government bodies who hold or transact public sector data for business conducted at the OFFICIAL level of Security Classification. Details of the OFFICIAL accreditation can be found here and form part of the UK Government’s Cloud Security Principles.
Azure has been assessed against the Australian Government Information Security Registered Assessors Program (IRAP) and a letter of compliance has been issued for in-scope services. The IRAP assessment provides assurance for public sector customers (and the partners that serve them) that Microsoft has appropriate and effective security controls in place for the processing, storage and transmission of Unclassified Sensitive data within Microsoft Azure. Unclassified Sensitive data represents the majority of federal government, healthcare, education and state government data in Australia.
Azure has achieved Level-1 certification with the Multi-Tier Cloud Security Standard for Singapore (MTCS SS), a cloud security standard, developed under the Singapore Information Technology Standards Committee (ITSC) to provide businesses with greater clarity on the levels of security offered by different cloud service providers. The standard covers areas such as data retention, data sovereignty, data portability, liability, availability, business continuity, disaster recovery, and incident management.
A rigorous assessment was conducted by the MTCS Certifying Body and included Microsoft development, operations, support, and in-scope services. The list of certified cloud service providers can be found here.
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Azure, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a BAA to customers as a contract addendum.
Microsoft currently offers the BAA to customers who have a Volume Licensing / Enterprise Agreement (EA), or an Azure only EA enrollment in place with Microsoft for in-scope services. The Azure only EA does not depend on seat size, rather on an annual monetary commitment to Azure that allows a customer to obtain a discount over pay as you go pricing.
Prior to signing the BAA, customers should read the Azure HIPAA Implementation Guidance. This document was developed to assist customers who are interested in HIPAA and the HITECH Act to understand the relevant capabilities of Azure. The intended audience includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. The document covers some of the best practices for building HIPAA compliant applications, and details Azure provisions for handling security breaches. While Azure includes features to help enable customer's privacy and security compliance, customers are responsible for ensuring their particular use of Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult with their own legal counsel.
Customers should contact their Microsoft account representative to sign the agreement.
The CDSA’s Content Protection & Security (CPS) Standard provides guidance and requirements to secure media assets such as video-on-demand and live streaming broadcasts within a Content Security Management System (CSMS). This standard details a set of controls designed to ensure the continued integrity of intellectual property, confidentiality, and media asset security, at all stages of the supply chain.
The Azure Media Services CSMS has been validated by the CDSA, and as a result Microsoft has been awarded certification to this standard. Azure Media Services provides a number of security-enhanced content protection features such as HTTPS upload over the Internet, UDP upload via the Aspera client, and the ExpressRoute private network connection to Azure.
The initial certification is valid for 6 months. Microsoft is committed to continuing annual CDSA audits, as well as maintaining internal audits and controls to retain CPS certification. Customers should contact Azure Support (or new customers can contact their account representative) to request a copy of the audit report.
Microsoft offers customers E.U. Standard Contractual Clauses that provide additional contractual guarantees around transfers of personal data for in-scope services. Microsoft’s implementation of the E.U. model clauses has been validated by European Union data protection authorities as being in line with the rigorous privacy standards that regulate international data transfers by companies operating in its member states. Microsoft is the first company to receive joint approval from the E.U.’s Article 29 Working Party for its strong contractual commitments to comply with E.U. privacy laws no matter where data is located.
The Food and Drug Administration Part 11 of Title 21 Code of Federal Regulations, Electronic Records; Electronic Signatures (21 CFR Part 11) applies to entities that maintain records or submit information to include records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in FDA regulations. Part 11 also applies to electronic records submitted to the Agency under the Federal Food, Drug, and Cosmetic Act (the Act) and the Public Health Service Act (the PHS Act).
Since Part 11 became effective in 1997, the Food and Drug Administration has publicly emphasized their intent and commitment to overcome unnecessary restrictions on the use of electronic technology, significant costs of compliance and barriers to innovation and technology advances that stand in the way of public health benefit. The Part 11 requirements for validation, audit trails, record retention, record copying, and legacy systems and others introduce potential barriers and restrictions especially for agencies working in constrained time, resource or emergent public health crisis.
Azure’s deep partnership with customers and partners in public sector health and life sciences industry resulted in the Qualification Guideline for Microsoft Azure. Working with the Qualification Guideline, entities are able to demonstrate Azure services and execution fulfills Part 11 requirements. To learn more about the customers and partners who have qualified their regulated applications running on Azure, download the Guide or the recorded webinar “Qualifying Microsoft Azure for Regulated Applications in the Life Sciences” from Montrium.
The Azure platform components which are within scope of this review include: Cloud Services (Web, Worker and VM roles), Azure Storage (Blobs, Queues, and Tables), Networking (Traffic Manager, Virtual Network), and Virtual Machines.
FERPA is a Federal law that protects the privacy of student education records, and imposes requirements on U.S. educational organizations regarding the use and disclosure of student education records. Educational organizations can use Azure to process data, such as student education records, in compliance with FERPA. Microsoft agrees to use and disclosure restrictions imposed by FERPA, will only use Customer Data to provide organizations with the Azure service, and will not scan Customer Data for advertising purposes.
The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. The National Institutes of Standards and Technology (NIST) publishes the list of vendors with validated FIPS 140-1 and 140-2 cryptographic modules. Azure uses Microsoft cryptographic modules in the validated list published by NIST, enabling customers to configure and use Azure Virtual Network services in a way that helps meet their information encryption requirements.
Azure operated by 21Vianet is among the first batch of Cloud Services Providers in China to pass the Trusted Cloud Service Certification developed by China Cloud Computing Promotion and Policy Forum (CCCPPF) by providing an open platform, high-quality Service Level Agreement (SLA), powerful data recovery capabilities and robust customer benefits.
As part of the trusted cloud service certification result, Azure operated by 21Vianet’s Virtual Machines, Cloud Storage and SQL Database were tested and evaluated within the SLA framework in terms of 16 indexes including data management, service quality, and rights protection. The test results issued by the CCCPPF are publically available.
For more information, please visit Microsoft Azure in China.
Multi-Level Protection Scheme is based on the Chinese state standard (GB/T 22239-2008) and issued by the Ministry of Public Security. The certification labels target systems from level 1 to 5 (with 5 being the highest) based on their risk profiles. The MLPS provides assurance for both the management and technical security of the target system.
For more information, please visit Microsoft Azure in China.