Recently, I hosted our Azure security, privacy and compliance advisory council here in Redmond, where I had the opportunity to hear directly from our customers. Key desires expressed were to help them reduce complexity and improve their capability to fulfill compliance obligations by working with Azure. Another ask was to enable risk-based decisions by leveraging attestations from independent auditors, who test against proven standards and controls. Azure customers reported that they’re reducing their compliance costs and accelerating accreditations for their systems running in Azure. Today, I have some updates to share regarding Azure compliance coverage for international, market and industry requirements.
International Organization for Standardization (ISO) ISO 27001
Azure recently completed an ISO 27001 renewal audit to the 2013 version of the standard, following the ISO 27002 best practices for comprehensive information security and risk management. Once again, British Standards Institute (BSI) Americas performed the independent audit. In addition to expanding coverage for new Azure services and components, we also asked BSI to validate that we incorporated controls that are aligned to the ISO 27018
code of practice for protection of Personally Identifiable Information (PII) in public clouds. There are three big commitments enabled by these controls: Azure is “Advertising Free,” so customers don’t have to worry their data is used for advertising or marketing purposes; Azure has defined policies for the return, transfer and secure disposal of PII; and Azure proactively discloses the identities of sub-processors. The final report from the BSI auditors is complete, and the updated certificate is available at the BSI web site
Service Organization Controls (SOC) 1 and 2
Azure has expanded the services in scope
for our SOC 1 and 2 Reports for the third year, demonstrating our ability to test and report on the design (Type I) and operating (Type II) effectiveness of controls. Key controls include SOC 1 / SSAE16 (financial reporting controls), and SOC 2 (security controls) for the Trust Principles of Security, Availability and Processing Integrity. Each Principle consists of defined criteria that controls must meet in order to produce an auditor’s opinion that the testing demonstrated design and operating effectiveness. SOC reports contain details about how the service provider’s controls fulfill each of the Principles. At this time, Azure is the only global cloud service provider with a report for SOC 2 Processing Integrity, which demonstrates system processing was complete, accurate, timely, and authorized.
Recently, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) granted FedRAMP Authority to Operate (ATO) to Microsoft Office 365, including Azure Active Directory (AD) for Identity Management services. Azure AD combines directory services, advanced identity governance and application access management to meet FedRAMP Moderate standards. With the announcement of Azure Government Cloud, we’re expanding our FedRAMP coverage with delivery of services for customers who require cloud services delivered by U.S. Citizens with specialized screening, in dedicated environments.
U.S. Criminal Justice Information Services (CJIS) Azure Government
is one of the first commercial infrastructure cloud platforms to meet U.S. CJIS certification requirements for state and local governments, expanding the scope of coverage to state agencies already using Microsoft Office 365 for CJIS workloads. The CJIS certification has generated a lot of interest in the public sector because there are stringent requirements to protect criminal justice information and deliver services with specially screened personnel. We’re actively working with state CJIS officers to expand coverage.
Australian Government Information Security Registered Assessors Program (IRAP)
IRAP accreditation was announced in October 2014 when we launched Azure in Australia. As Azure expands our global presence, we’re strengthening regional compliance coverage with deep and early engagement. Our goal is to support customers’ ability to meet unique government or data sovereignty requirements, and to accelerate deployment of key workloads to accredited cloud services.
Singapore Multi-Tier Cloud Security (MTCS)
MTCS accreditation was announced in late October 2014 for Microsoft Cloud Infrastructure and Operations datacenters, Office 365 and Azure as the first Level 1 certified end-to-end cloud services offering. Regardless of the service consumed at point of entry to the cloud offering, customers have the assurance that the full stack through infrastructure, platform, and software services meets MTCS criteria.
Food and Drug Administration 21 CFR Part 11
Specialized vertical solutions in healthcare can require complex accreditation efforts, especially when it comes to life and death matters such as drug testing or device monitoring. Azure has worked with customers and partners in life sciences to to qualify their applications and services running on Azure to 21 CFR Part 11. The Qualification Guideline for Microsoft Azure
is a proven resource for customers and partners who have shared their experiences in case studies
. As we begin 2015, my team is finishing up the Azure PCI DSS Level 1 audit to version 3 of the PCI Standard, working with our auditor Neohapsis. The annual Azure SOC audit period began January 1, launching a cycle which will expand coverage for new services across Azure Compute, Web & Mobile, Data & Storage, Analytics, Networking, Hybrid Integration, Identity & Access, Media Services, Developer Services and Management. Check out the Trust Center
for updates about audit reports and guidance. Customers can also open support requests for additional assistance or resources. I would also love to hear from you on Twitter: @msftlori Happy New Year, Lori