Easing compliance for UK public and health sectors with new Azure Blueprints

Posted on 22 July, 2019

General Manager, Azure Global

Earlier this month we released our latest Azure Blueprints for key compliance standards: the UK OFFICIAL blueprint for the Government-Cloud (G-Cloud) standard and the UK NHS blueprint for National Health Service (NHS) Information Governance in the United Kingdom. The new blueprints map a set of Azure policies to the appropriate UK OFFICIAL and UK NHS controls for any Azure-deployed architecture. This allows UK government agencies and partners, and UK health organizations, to more easily create Azure environments that may store and process UK OFFICIAL government data and health data.

Azure Blueprints is a service that enables customers to define a repeatable set of Azure resources that implement and adhere to standards, patterns, and requirements. Azure Blueprints help customers to set up governed Azure environments that can scale to support production implementations for large-scale migrations.

The National Health Service is the national health system for England, which holds the population's health data. NHS Digital published its guidance on the use of public cloud services for storing confidential patient data, which provides a single standard that governs the collection, storage, and processing of patient data. Adherence to the NHS guidance helps protect the integrity and confidentiality of patient data against unauthorized access, loss, damage, and destruction.

G-Cloud is a UK government initiative to enable the adoption of cloud services by the UK public sector. The G-Cloud standard requires the implementation of 14 Cloud Security Principles. Every year, Microsoft submits evidence to attest that its in-scope cloud services comply with these principles, giving potential G-Cloud customers an overview of its risk environment. 

The UK OFFICIAL blueprint includes mappings to 8 of the 14 Cloud Security Principles:

1.  Data in transit protection. Assigns Azure Policy definitions to audit insecure connections to storage accounts and Redis cache.

2.  Data at rest protection (asset protection and resilience). Assigns Azure Policy definitions that enforce specific cryptographic controls and audit the use of weak cryptographic settings. Also includes policies to restrict deployment of resources to UK locations.

5.  Operational security. Assigns Azure Policy definitions that monitor missing endpoint protection, missing system updates, various vulnerabilities, unrestricted storage account, and whitelist activity.

9.  Secure user management and 10. Identity and authentication. Assigns several Azure Policy definitions to audit external accounts, accounts that do not have multi-factor authentication (MFA) enabled, virtual machines (VMs) without passwords, and other issues.

11. External interface protection. Assigns Azure Policy definitions that monitor unrestricted storage accounts. Also assigns a policy that enables adaptive application controls on VMs.

12.  Secure Service Administration. Assigns Azure Policy definitions related to privileged access rights for external accounts, Azure Active Directory authentication, MFA enablement, etc.

13.  Audit Information for Users. Assigns Azure Policy definitions that audit or enable various log settings on Azure resources.
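As an illustration of what one of these mapped policies looks like, here is a hand-written Azure Policy definition that audits the "data in transit" control from principle 1: it flags any storage account that does not require HTTPS-only traffic. This is an added example, not the blueprint's own built-in definition; it assumes the `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` policy alias and the `Indexed` evaluation mode, and the display name and description are placeholders.

```json
{
  "properties": {
    "displayName": "Example: audit storage accounts that allow insecure (non-HTTPS) connections",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Added example for the UK OFFICIAL 'data in transit protection' mapping. Flags storage accounts where secure transfer is not enforced.",
    "metadata": {
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Audit",
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliant accounts; Deny blocks creation or update of them; Disabled turns the policy off."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "exists": "false"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Two points worth checking when reading a mapping like the ones above. First, the `anyOf` branch treats a missing `supportsHttpsTrafficOnly` property the same as an explicit `false`, so accounts created before the setting existed are still reported rather than silently passing. Second, the blueprint's mappings use the `Audit` effect, which only records non-compliance in the policy compliance view; switching the parameter to `Deny` turns the same rule into a preventive control that rejects the deployment, which is the appropriate choice once existing accounts have been remediated.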

Microsoft has prepared a guide that explains how Azure can help customers comply with all 14 Cloud Security Principles, including principles 3, 4, 6, 7, 8, and 14, which the blueprint does not map. It can be found in our document 14 Cloud Security Controls for UK Cloud Using Microsoft Azure.

Compliance with regulations and standards such as ISO 27001, SSAE 16, PCI DSS, and UK OFFICIAL is increasingly necessary for all types of organizations, making control mappings to compliance standards a natural application for Azure Blueprints. Azure customers, particularly those in regulated industries, have expressed strong interest in compliance blueprints to make it easier to meet their compliance obligations.

We are committed to helping our customers leverage Azure in a manner that helps improve security and compliance. We have now released Azure Blueprints for ISO 27001, PCI DSS, UK OFFICIAL, and UK NHS.  Over the next few months we will release new built-in blueprints for HITRUST, NIST SP 800-53, FedRAMP, and Center for Internet Security (CIS) Benchmark. If you would like to participate in any early previews please sign up with this form, or if you have a suggestion for a compliance blueprint please share it via the Azure Governance Feedback Forum.

Learn more about the UK OFFICIAL and UK NHS blueprints in our documentation Control mapping of the UK OFFICIAL and UK NHS blueprint samples.