The cloud is new, compliance is not
Spend any time working in compliance, and you know that auditors will want to see evidence of compliance activities in the datacenter. Common examples include:
Backups having been configured, stored, and encrypted
Proof of user access control mechanisms
Proof of sensitive data management
How can you reassure your auditors that the same stringent compliance requirements that you fulfill in the datacenter would be satisfied in a cloud-based computing infrastructure? A transition to the cloud is akin to a sea-change. It is not surprising that there are serious questions and concerns about maintaining high levels of security and compliance standards in the cloud.
The experience at Microsoft has shown that ongoing communication and verification is vital to reassure auditors that Azure completely satisfies compliance requirements. In fact, Microsoft is so focused on compliance that it tests its controls more intensely than a typical customer would. What Microsoft has shown its auditors is that Azure simplifies, automates, and operationalizes compliance activities.
From a compliance perspective, communicating the advantages of cloud computing is not an issue of technology or skills. The purpose of this paper is to provide a framework for the conversations that are required to allay concerns about cloud computing with control owners, risk management, and internal and external auditors.
Simplified compliance activities
Compared to an on-premises environment, Microsoft has found that performing compliance activities in Azure is significantly easier. In many areas, auditability is packaged intrinsically into the platform, and can't even be turned off. Many of the controls and control activities that affect compliance activities in an on-premises environment are less likely to fail. In some cases, the controls are no longer applicable. Physical infrastructure does not need to be built out; instead, infrastructure is virtualized. Because of this, there are fewer opportunities to introduce errors. Microsoft refreshes service certifications on an ongoing basis to ensure that Azure tracks to as many international standards as possible.
When using the Azure SQL Database service, backups are automatically created across the Azure platform. Subscribers don't have to opt-in to the process. Azure provides an audit trail, and customers can immediately show that critical data can be recovered. In fact, the SQL Database service runs backups every hour.
Self-service audit functions
The Auditing function within Azure SQL Database tracks database events and writes them to an audit log in an Azure Storage account. In addition to fulfilling regulatory compliance, the Auditing function can help you understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations. Auditable types of events include:
Access to data
Schema changes (DDL)
Data changes (DML)
Accounts, roles, and permissions (DCL)
Stored Procedure, Login, and Transaction Management
Customized options include locally redundant backups, geo-redundant backups, and more. The audit logs are stored in an Azure storage account, and can be defined for specific retention periods.
Dynamic service certification
In Azure, international certification standards, such as SOC 1, SOC 2, and ISO, are constantly being tracked and updated. The goal at Microsoft is to certify as many Azure services as possible, so that customers do not have to be selective when considering the suite of Azure service offerings. When building apps and services, customers should understand the certifications that each service has met.
Microsoft actively seeks certifications for new Azure services on a regular basis. A compliance team within the Azure product development group builds and maintains features to ensure that they meet and retain certifications. Azure tracks to international certification standards. The certification rigor means that no matter what the local or national laws happen to be, Microsoft is always speaking a clear international language, and meeting the minimum bar for certifications.
Automated compliance activities
Because many functions have been simplified in Azure and are implemented across the service, they can be taken out of the hands of technical staff, and managed by business owners. For example, in the Azure cloud your business does not have to rely on a complex process to perform and retain backups. Azure simply performs the backups.
In many cases, auditability simply cannot be turned off. For example, Azure SOC 1-certified services automatically enforce the record-keeping that makes them auditable. The detailed audit trail provides information such as which Administrators were added to the subscription, when they were added, who added them, and how they were added.
In another example, automated auditing of the Azure Blob storage service frees customers from tedious infrastructure management. Customers can dedicate their time to their applications and business needs. Blob storage stores large amounts of unstructured data, and can publish globally. The service is fast and easy, and can be accessed from anywhere in the world via HTTP or HTTPS protocols. Important access details are automatically logged by Azure, and provide an audit trail.
Operationalized compliance activities
Microsoft uses Azure to structure and operationalize workflow resources and processes that implement compliance requirements. For example, when a new virtual machine (VM) is created in Azure, a template is applied that configures the VM with compliant features such as autopatching, settings enabled for regular updates, and anti-malware settings. In an on-premises environment, this work would have to be done by hand, or with a customized script.
The Azure Security Center provides a central view of the security state of all Azure resources. Azure Security Center data helps to simplify compliance efforts, and make them more efficient. Policy-driven controls are tailored to specific applications or types of data. Streamlined provisioning easily deploys security solutions—even networking changes. An analytics-driven approach combines threat intelligence and expertise with security-related events across all Azure deployments within Microsoft. Security Center helps to detect actual threats early, and it reduces false positives. Security alerts offer contextual insights into the attack campaign, and suggest remediation techniques.
Moving to the cloud is a huge change for any organization. The Microsoft experience shows that implementation teams need to partner closely with control owners, risk management, and internal and external auditors to perform ongoing testing and validation processes. All teams need to be bought into the conversation to ensure that compliance activities are ready for Azure adoption, and that an organization is ‘cloud ready.’ Microsoft IT and its auditors can verify that Azure has simplified, automated, and operationalized compliance functions.
For more information
Get started with Azure SQL Database
Get started with Azure SQL Database auditing
Azure Security Center
© 2019 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.