In July I decided to create a series of 3 posts about this topic. Those 3 posts are be:
- Introduction to Windows Azure Security
- Introduction to Windows Azure Compliance
- Lessons Learned Building Secure and Compliant solutions in Windows Azure
In this post I’ll be focusing on the Windows Azure compliance part.
Introduction to Windows Azure Compliance
Compliance is extremely important when moving/building solutions to the cloud for two main reasons. First because it will provide us with with an understanding of the type of infrastructure that is underneath the cloud offering. Secondly because there are several different solutions and companies which require specific compliances in order to be approved for deployment.
In order to achieve this Windows Azure Infrastructure provides the following compliances:
“Specifies a management system that is intended to bring information security under explicit management control” by Wikipedia. More information here.
This is extremely important because it provides us a clear information about how secure our data will be inside Windows Azure.
SSAE 16/ISAE 3402 SOC 1, 2 and 3
“Enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402” by SSAE-16.com. More information here.
Extremely important to understand that Windows Azure is audited and has to follow strict rules un terms of reporting to make it compliance. This give us a view that everything has a specific process that needs to be followed.
“The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.” by hhs.gov. More information here.
By having this HIPPA compliance it means that solutions for the healthcare industry can be delivered in Windows Azure because the underlying infrastructure is already HIPPA compliant. This doesn’t mean that anything we do now is HIPPA compliant, it just means that Windows Azure can be used to deploy the solution, but the solution still needs to comply with the rest of the HIPPA compliance, mainly the software compliance part.
PCI Data Security Standard Certification
“Created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.” by Wikipedia. More information here.
This doesn’t mean that we can deploy PCI compliant solution in Windows Azure, because this certification is only for the way Windows Azure uses to accept payment, and not for allowing 3rd party applications.
FISMA Certification and Accreditation
“Assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.
According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.” by Wikipedia. More information here.
Windows Azure Compliance Roadmap
But Windows Azure has other compliances and so here is the complete roadmap.
What all this means if that Windows Azure is a secure and highly compliant option, which will allow us to leverage the Cloud on several different occasions.
Hope this clears a bit your view about the compliances behind Windows Azure.