Cloud Compliance

• Provider can help you comply with regulations and standards
• Think about:
  • How compliant is the cloud provider when it comes to handling sensitive data?
  • How compliant are the services offered by the cloud provider?
  • How can I deploy my own cloud-based solutions to scenarios that have accreditation or compliance requirements?
  • What terms are part of the privacy statement for the provider?

Some compliance offerings

CJIS

• CJIS = Criminal Justice Information Services
• Any US state or local agency that wants to access the FBI’s CJIS database is required to adhere to the CJIS Security Policy
• Microsoft Azure adheres to the same requirements that law enforcement and public safety entities must meet.

CSA STAR Certification

• CSA = Cloud Security Alliance
• Independent third-party assessment of a cloud provider’s security posture
• Ensures:
  • ISO/IEC 27001 certificationis achieved
  • Criteria specified in the Cloud Controls Matrix (CCM) are met
    • Also assesed against the STAR Capability Maturity Model for the management of activities in CCM control areas.

GDPR

• 📝 GDPR = General Data Protection Regulation, european privacy law
• Imposes rules for collecting & analyzing data tied to EU residents.
• The GDPR applies no matter where you are located.

EU Model Clauses

• EU Standard Contractual Clauses
• Guarantees around transfers of personal data outside of the EU.
• Ensures customers can use cloud service to move data freely through cloud from Europe to the rest of the world.

HIPAA

• HIPAA = Health Insurance Portability and Accountability Act
• US federal law that regulates patient Protected Health Information (PHI)
• HIPAA Business Associate Agreement (BAA)
  • Adheres o certain security and privacy provisions in HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
• Azure offers BAA as contract addendum to assist customers individual compliance.

ISO/IEC 27018

• 📝 ISO/IEC 27018 = International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27018
• Covers the processing of personal information by cloud service providers

MTCS Singapore

• MTCS = Multi-Tier Cloud Security (MTCS) Singapore
• MTCS 584:2013 asses for IaaS & PaaS & SaaS service classifications.

SOC 1, 2, and 3

• SOC = Service Organization Controls
• Cloud services audited at least annually against the SOC report framework by independent third-party auditors.
• Audit covers controls for data security, availability, processing integrity, and confidentiality
  • as applicable to in-scope trust principles for each service.

NIST CSF

• 📝 NIST CSF = National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
  • NIST is agency of United States Department of Commerce.
• Voluntary framework that defines security guidelines, and best practices to manage cybersecurity-related risks.
• Azure have undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits & is certified
  • Also validated by the Health Information Trust Alliance (HITRUST)
    • a leading security and privacy standards development and accreditation organization

UK Government G-Cloud

• Cloud computing certification for services used by government entities in UK.
• Azure has received official accreditation from the UK Government Pan Government Accreditor.