“Azure employs a risk-management model of shared-responsibility between the customer and Microsoft. Microsoft is responsible for the platform including services offered, and seeks to provide a cloud service that can meet the security, privacy, and compliance needs of our customers. Customers are responsible for their environment once the service has been provisioned, including their applications, data content, virtual machines, access credentials, and compliance with regulatory requirements applicable to their particular industry and locale.” – excerpt from Windows Azure HIPAA Implementation Guidance, April 2014
When it comes to Azure, I hear a couple of common themes from customers:
- We’re concerned about Azure’s security.
- We have specific compliance requirements.
Moving your organization’s core applications, data, and/or infrastructure to the cloud shouldn’t be a decision that’s made without considering cost, impact to services, and security. It is a decision that requires mindfulness and circumspection.
Over the last few weeks I’ve shared with you many of the strengths within the Azure IaaS, PaaS, and SaaS offerings. Even if you find some of these offerings to be exactly what you want, you should make sure Azure meets your organization’s security requirements. The idea of a secure cloud is, of course, not an easy concept to nail down. What does “secure” mean, and at what point does the responsibility for security transition from Microsoft to you?
There are four pillars within Microsoft’s ‘trusted cloud’ which we will address: security, privacy, transparency, and compliance. Microsoft has addressed each of these within its Azure Trust Center, and I will be providing clarity around these four pillars. Once you’re done reading this article, jump over to the Microsoft Azure Trust Center and get your fill of security policies, privacy standards, and compliance data.
The focus of Azure security is to make sure it is resilient to attack, user access is protected, customer data is secure, and that there is a continuous practice of testing security models to ensure security is sufficient.
To address the management of identity and user access to Azure environments, data, and applications, Azure uses Azure Active Directory. VPNs and other standard transport protocols are used to secure data transiting between user devices and the Microsoft datacenters, as well as within the datacenters. Encryption of up to AES-256 can be used to encrypt data at rest. Site-to-site VPNs can be set up to securely connect on-premises datacenters to Azure. And Microsoft leverages intrusion detection, DDoS attack prevention, machine learning tools, and a host of other security tools to mitigate threats against the Azure platform. To learn more, you should check out the security section of the Azure Trust Center.
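The AES-256 at-rest encryption mentioned above cuts both ways under the shared-responsibility model: Microsoft can encrypt the storage platform, but content you encrypt yourself before it ever reaches Azure stays under a key you control. The following is an added example I wrote for this article, not code from the post, from Microsoft, or from any Azure SDK. It seals a record with AES-256-GCM and binds the ciphertext to the blob name it will be stored under, so a blob that is tampered with or copied to a different name refuses to decrypt. It assumes you hold the data key in a key store of your own and pass the sealed bytes to whatever storage client you use; the upload call itself is left out. The blob name and record contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. In a real deployment the key
// lives in a key store the customer controls, never beside the data it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. A random 12-byte nonce is generated
// per call and prepended to the output. The blob name is passed as associated
// data: it is authenticated by the GCM tag but not encrypted, so the same
// ciphertext stored under another name fails to open.
func Seal(key, plaintext, blobName []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends nonce || ciphertext || tag into a fresh buffer.
	return gcm.Seal(nonce, nonce, plaintext, blobName), nil
}

// Open reverses Seal. Any modification of the nonce, ciphertext, tag or blob
// name makes the tag check fail and returns an error instead of plaintext.
func Open(key, sealed, blobName []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, blobName)
}

func main() {
	// Constructed sample values; a real blob name would come from your storage layout.
	blobName := []byte("records/patient-0001.json")
	record := []byte(`{"id":"0001","note":"constructed sample record"}`)

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, record, blobName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes to %s: %s...\n", len(sealed), blobName, hex.EncodeToString(sealed[:16]))

	// What the platform stores is opaque; only the key holder can recover the record.
	plain, err := Open(key, sealed, blobName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %s\n", plain)

	// A copy of the blob under a different name is rejected.
	if _, err := Open(key, sealed, []byte("records/patient-0002.json")); err != nil {
		fmt.Println("renamed blob rejected:", err)
	}
}
```

Keep in mind that this protects confidentiality and integrity of the content only; access to the storage account, the key store, and the identities that can read either remain your responsibility, which is exactly the point of the shared-responsibility model.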
Privacy is a big deal. You are likely concerned about whether your data is kept secure and whether it will be used without your permission. When you put content into Azure you still maintain ownership of the data and control where it is stored and how it is securely accessed and deleted. Microsoft will not use your data for advertising or data mining. Also, Microsoft follows ISO/IEC 27018, the code of practice for protection of PII in public clouds acting as PII processors. To learn more, you should check out the privacy section of the Azure Trust Center.
If you keep your data in Azure, you should know where and how your data is stored and used. If you delete your customer data, Microsoft follows stringent standards to remove that customer data from all systems under its control. Microsoft has clear policies and guidelines describing who can access your data and under what conditions, and these operational processes and controls are regularly audited and verified. To learn more, you should check out the transparency section of the Azure Trust Center.
Microsoft cloud services have been certified against many standards by many organizations. This means their infrastructure holds certain certifications so that you can host your compliant applications, data, and services in Azure. (These certifications include ISO 27001/27002, SOC 1 and SOC 2, FISMA, HIPAA, FDA 21 CFR Part 11, UK G-Cloud, FedRAMP, CDSA, to name a few, and the list goes on and on.) BUT just because Azure meets many different regulations and compliance frameworks doesn’t guarantee that your application will. You are responsible for ensuring your particular use of Azure complies with the specific regulations and compliance frameworks governing your applications, data, and organization. To learn more, you should check out the compliance section of the Azure Trust Center.
If you are on the fence about whether Azure is the right solution for you, and if security and compliance are important to you, you should take a look at the Microsoft Azure Trust Center. There are many resources within the Azure Trust Center that will likely provide adequate clarity to help you make an educated decision. You will also find documentation which provides comprehensive information around what it takes to make sure your applications, data, and services are built in a way that meets specific compliance frameworks. Security and compliance in Azure is a two-way street. Microsoft Azure has done quite a bit of work to ensure you have a solution that abstracts away a lot of the security headache, but you will need to do your part when building your solutions to ensure you don’t inadvertently compromise that security.
Of course, good security practices are necessary whether or not you host your data in the cloud or on-premises!