While selection of cloud providers the important thing to check how the cloud provider can help you to comply the international regulations and standards
Some important questions to ask from the provider:
- How complaint are the services offered by cloud provider?
- Terms are part of the privacy statement for the provider
- Deployment of own cloud based solutions those need accreditation or have compliance requirement?
- Handling of sensitive data by the cloud provider , how ?
Compliance Offering:
Below is the list of compliance offerings available:
- Criminal Justice Information Services(CJIS)
- Any US state or local agency wants to access FBI’s CJIS database is required to adhere to the CJIS security policy.
- Azure is only major cloud provider that contractually commits to conformance with CJIS security policy
- Cloud Security Alliance(CSA) Star certification
- Azure, Intune and Power BI has obtain star certification
- The star certification is based on achieving ISO/IEC 27001 certification and meeting the specific criteria in Cloud Controls Matrix(CCM).
- This certificate demonstrates that a cloud service provider:
- Conforms to the applicable requirements of ISO/IES27001
- addressed issues that critical to cloud security as described in the Cloud Control Matrix(CCM)
- Assessed against the Star Capability Maturity Model for the management of activities in Cloud Control Matrix(CCM) control areas.
- General Data Protection Regulation(GDPR)
- As of May 2018, a European Privacy law (GDPR) is in effect.
- GDPR imposes new rules on companies, government agencies, non-profits and other organizations that offer goods and service to the European Union People or collect and analyze data of European Union resident.
- The GDPR applies no matter where are you located if your company or agency lies as per above statement.
- Health Insurance Portability and Accountability Act(HIPAA)
- Its a US Federal Law that regulates patient Protected Health Information(PHI)
- Azure offers customers a HIPAA Business Associate Agreement(BAA) which means Azure is adherence to certain security and privacy provisions in HIPPA and the Health Information Technology for Economical and Clinical Health(HITECH) Act.
- To Assist customers in the individual compliance efforts, Microsoft offers BAA to Azure customers as contract addendum.
- Multi-tier Cloud Security (MTCS) Singapore
- After rigorous assessments conducted by MTCS certification body, Microsoft cloud services received MTCS 584:2013 certifications for all three service classification
- Infrastructure as a Service(IaaS)
- Platform as a Service(Paas)
- Software as a Service(SaaS)
- Microsoft was the first service provider who got this certification for all three service classifications.
- After rigorous assessments conducted by MTCS certification body, Microsoft cloud services received MTCS 584:2013 certifications for all three service classification
- International Organization for Standardization(ISO) and International Electrotechnical Commission (IEC) 27018
- Microsoft is the first cloud provider who adopted the ISO/IEC 27018 code of practice, covering the processing of personnel information by the cloud service providers.
- UK Government G-Cloud
- The UK Government G-Cloud is a cloud computing certification for services used by government entities in the United Kingdom.Azure has received official accreditation from the UK Government Accreditor.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework(CSF)
- NIST CFT is a voluntary framework that consists of standards, guidelines and best practices to manage the cyber-security related risks. Microsoft cloud services have undergone independent, Third-party Federal Risk and Authorization Management program(FedRAMP) Moderate and High Baseline audits, and are certified according to FeRAMP standards. Office 365 is certified to the objectives specified in the NIST CSF.
- Service Organization control (SOC) 1,2 and 3
- Microsoft cloud services are audited at least annually according to the SOC report framework by independent auditors.
- EU model Clauses
- Microsoft Offers customer EU standard contractual clauses the provides contractual guarantees around transfer of personal data outside of the EU.Microsoft is the first company to receive joint approval from the EU ‘s Article 29 working party that the contractual privacy protections Azure deliver to its enterprise cloud customers meet current EU standards for international transfer of data. This ensure that Azure customers can use Microsoft services to move data freely through Microsoft cloud rom Europe to the rest of the world.