- Provider can help you comply with regulations and standards
- Think about:
- How compliant is the cloud provider when it comes to handling sensitive data?
- How compliant are the services offered by the cloud provider?
- How can I deploy my own cloud-based solutions to scenarios that have accreditation or compliance requirements?
- What terms are part of the privacy statement for the provider?
- CJIS = Criminal Justice Information Services
- Any US state or local agency that wants to access the FBI's CJIS database is required to adhere to the CJIS Security Policy
- Microsoft Azure adheres to the same requirements that law enforcement and public safety entities must meet.
- CSA = Cloud Security Alliance
- Independent third-party assessment of a cloud provider's security posture
- Ensures:
- ISO/IEC 27001 certificationis achieved
- Criteria specified in the Cloud Controls Matrix (CCM) are met
- Also assesed against the STAR Capability Maturity Model for the management of activities in CCM control areas.
- 📝 GDPR = General Data Protection Regulation, european privacy law
- Imposes rules for collecting & analyzing data tied to EU residents.
- The GDPR applies no matter where you are located.
- EU Standard Contractual Clauses
- Guarantees around transfers of personal data outside of the EU.
- Ensures customers can use cloud service to move data freely through cloud from Europe to the rest of the world.
- HIPAA = Health Insurance Portability and Accountability Act
- US federal law that regulates patient Protected Health Information (PHI)
- HIPAA Business Associate Agreement (BAA)
- Adheres o certain security and privacy provisions in HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- Azure offers BAA as contract addendum to assist customers individual compliance.
- 📝 ISO/IEC 27018 = International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27018
- Covers the processing of personal information by cloud service providers
- MTCS = Multi-Tier Cloud Security (MTCS) Singapore
- MTCS 584:2013 asses for IaaS & PaaS & SaaS service classifications.
- SOC = Service Organization Controls
- Cloud services audited at least annually against the SOC report framework by independent third-party auditors.
- Audit covers controls for data security, availability, processing integrity, and confidentiality
- as applicable to in-scope trust principles for each service.
- 📝 NIST CSF = National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- NIST is agency of United States Department of Commerce.
- Voluntary framework that defines security guidelines, and best practices to manage cybersecurity-related risks.
- Azure have undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits & is certified
- Also validated by the Health Information Trust Alliance (HITRUST)
- a leading security and privacy standards development and accreditation organization
- Also validated by the Health Information Trust Alliance (HITRUST)
- Cloud computing certification for services used by government entities in UK.
- Azure has received official accreditation from the UK Government Pan Government Accreditor.