A few months ago, we announced we were performing a compliance assessment on Microsoft Azure Stack. Today we are happy to share that the compliance assessment is done and available to you.
Knowing that preparing compliance paperwork is a tedious task, we precompiled the documentation for our customers. Since Azure Stack is delivered as an integrated system through hardware partners, we are in a unique position to perform a formal compliance assessment of Azure Stack that applies to all our customers. This resulted in a set of precompiled compliance documents that customers can now use to accelerate their compliance certification process.
We are glad to announce that Coalfire, a Qualified Security Assessor (QSA) and independent auditing firm, has audited and evaluated Azure Stack Infrastructure against the technical controls of PCI-DSS and the CSA Cloud Controls Matrix, and found that Azure Stack satisfies the applicable controls.
In the assessor’s words:
“It is Coalfire’s opinion that Microsoft Azure Stack integrated system, reviewed between July 2017 and October 2017, can be effective in creating a PCI DSS compliant infrastructure and to assist in a comprehensive program of compliance with PCI DSS version 3.2.”
“It is Coalfire’s opinion that Microsoft Azure Stack as deployed in the Original Equipment Manufacturer (OEM) integrated system test, which was reviewed between July 2017 and October 2017, can be effective in creating a CSA CCM 3.0.1 compliant infrastructure and can assist in a comprehensive program of compliance with CSA CCM version 3.0.1.”
This compliance documentation describes how Azure Stack meets the technical controls applicable to Azure Stack infrastructure. The technical controls related to the workloads running on top of Azure Stack, as well as the controls related to people and processes, remain the customer's responsibility, since these are specific to each customer. With this documentation, customers now have all the necessary information related to the Azure Stack infrastructure to be certified for either PCI-DSS or many compliance standards covered by the CSA-CCM framework.
The PCI-DSS and the CSA-CCM documents for Azure Stack can be downloaded from the Microsoft Service Trust Portal.
We understand that compliance encompasses not only the Azure Stack infrastructure, but also the workloads that are deployed on it. To reduce the complexity of compliance related to workloads, Azure Stack and the Azure Blueprint Program are coming together to deliver turn-key compliance solutions to support our customers’ compliance needs and help them rapidly deliver value to their companies and customers. We will share more details on the Azure Blueprint Program for Azure Stack in the coming months; stay tuned!
Azure Stack will continue to expand the portfolio of validated standards based on customer demand. To express your preference about which compliance standard you would like us to prioritize, please fill out this survey.