Microsoft Azure – Compliance
Microsoft invests heavily in being as compliant with different regulations, standards and laws as it can, especially regarding cloud services. More and more customers expect such an approach, as it gives them good evidence for their own clients and auditors that the services they subscribe to meet all required criteria.
Microsoft's public cloud, Microsoft Azure, meets a broad set of international, regional, and industry-specific compliance and regulatory standards. To get an insight into the timeline, have a look at the figure below.
As you can see, it covers global (such as SOC 1, SOC 2), US (FedRAMP, HIPAA) and other (EU Data Protection Directive, ISO 27018) standards and regulations. Some of the most important standards and regulations are listed below (of course, other standards may be the most important ones for other organizations):
- FIPS 140-2. A US government standard that defines a minimum set of security requirements for products and systems that implement cryptography.
- HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that regulates patient Protected Health Information (PHI).
- ISO/IEC 27018. Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, covering the processing of personal information by cloud service providers.
- PCI DSS. Azure is Level 1 compliant with the Payment Card Industry (PCI) Data Security Standard (DSS) version 3.0, the global certification standard for organizations that accept most payment cards, as well as those that store, process, or transmit cardholder data.
For Microsoft, this is a continuous compliance approach driven by rigorous third-party audits, for example those performed by the British Standards Institution. The list of standards is still growing. So, to more easily verify which cloud service (Microsoft Azure, Microsoft Office 365, etc.) complies with which standard in which datacenter, you should refer to this site: https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspx . It gives a full overview of the compliance of Microsoft cloud services. It also includes a description and introduction of the Microsoft Common Controls Hub (ref. https://www.microsoft.com/en-us/trustcenter/Common-Controls-Hub ), which is a subset of more than 200,000 individual compliance mandates from more than 800 laws and standards.