What is Azure regulatory compliance?
In a general context, compliance refers to following the specifications of a rule. More specifically, the term is most often used in relation to legal and regulatory frameworks.
Regulatory compliance is when an organization is aware of the relevant regulation and takes action to conform to it.
What do I need to know about Azure regulatory compliance?
The regulatory environment around data privacy and security is growing in complexity, as is the data that organizations work with. The size of this challenge is driving the adoption of consolidated (often cloud-based) compliance controls. With a unified set of compliance controls, organizations can deploy their resources efficiently to achieve compliance without redundancies.
What Azure regulatory compliance issues can Atmosera help us with?
Microsoft Azure has more compliance offerings than any other cloud solutions provider (CSP) to put you in compliance with national, regional and industry-specific requirements governing the collection and use of individuals’ data. Cloud-native, infrastructure-free security management as a service from Azure is available to simplify your practices.
Quick security posture assessment and threat detection
Visualize outbound malicious IP traffic and threat types to identify attack patterns. With Azure you can understand the security posture of your entire environment regardless of the platform.
Analyze and investigate incidents
Analyze events across multiple data sources and identify security risks. Quickly assess the scope and impact of threats and attacks to limit the damage of security breaches.
Supply and query data sets for security audits and investigations
Automatically capture all of the data required for security or compliance audits. Azure’s searchable and downloadable logs and data sets reduce the time and resources needed to complete an audit.
What rules and policies does Atmosera offer managed compliance for?
HIPAA/HITECH
The Health Insurance Portability and Accountability Act of 1996 is known as HIPAA. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
HIPAA privacy and security audits are not looming out there on the horizon; they are happening now. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) mandates audits of health care providers to investigate and determine whether they are in compliance with the HIPAA Privacy Rule and Security Rule.
HITECH Act regulations put real teeth into the enforcement aspect in the event of non-compliance by a health care provider with HIPAA requirements. Perhaps the most important element in the amendments to HIPAA is that mandatory penalties will be imposed for willful neglect on the part of the health care provider.
Sound advice to providers is, once again, a careful review of your existing policies and procedures with regard to the protection of patient information.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.
The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called “control objectives.” These six groups are:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
IRS-1075
Internal Revenue Service Publication 1075 (IRS Pub 1075) provides guidance for US government agencies and their agents to protect Federal Tax Information (FTI).
Microsoft Azure Government and Microsoft Office 365 U.S. Government cloud services provide a contractual commitment that they have the appropriate controls in place, and the security capabilities necessary for Microsoft agency customers to meet the substantive requirements of IRS 1075.
These Microsoft cloud services for government provide a platform on which customers can build and operate their solutions, but customers must determine for themselves whether those specific solutions are operated in accordance with IRS 1075 and are, therefore, subject to IRS audit.
To help government agencies in their compliance efforts, Azure:
- Offers detailed guidance to help agencies understand their responsibilities and how various IRS controls map to capabilities in Azure Government and Office 365 U.S. Government. The IRS 1075 Safeguard Security Report (SSR) thoroughly documents how Microsoft services implement the applicable IRS controls, and is based on the FedRAMP packages of Azure Government and Office 365 U.S. Government. Because both IRS 1075 and FedRAMP are based on NIST 800-53, the compliance boundary for IRS 1075 is the same as the FedRAMP authorization. The IRS must explicitly approve the release of any IRS Safeguards document, so only government customers under NDA can review the SSR.
- Makes available audit reports and monitoring information produced by independent assessors for its cloud services.
- Provides to the IRS Azure Government Compliance Considerations and Office 365 U.S. Government Compliance Considerations, which outline how an agency can use Microsoft Cloud for Government services in a way that complies with IRS 1075. Government customers under NDA can request these documents.
- Offers customers the opportunity (at their expense) to communicate with Microsoft subject matter experts or outside auditors if needed.
SSAE 16
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations.
Windows Azure Trust Center (WATC) launched in 2012 with the goal of providing customers and partners with easier access to regulatory compliance information. We indicated that WATC would be updated on a regular basis with additional compliance programs that Azure is pursuing.
Windows Azure now publishes a detailed SOC 1 Type 2 report for the core features. The audit report is available to Enterprise Agreement (volume licensing) customers under a non-disclosure agreement. The audit was conducted in accordance with SSAE 16 and ISAE 3402 standards.
The scope of the audit covers the following Azure features:
- Cloud Services (includes Web and Worker roles)
- Storage (includes Blobs, Queues, and Tables)
- Networking (includes Traffic Manager and Windows Azure Connect)
The following additional features were launched after the examination review period but are subject to the same controls and processes that were tested in the audit:
- Virtual Network
- Virtual Machines
The SOC 1 Type 2 audit report attests to the fairness of the presentation of the Azure service description. It also examines the suitability of the design and operating effectiveness of the controls to achieve the related control objectives.