Microsoft complies with the data protection and privacy laws generally applicable to Microsoft’s provision of a cloud services platform. Customers are responsible for determining if Windows Azure, and the particular applications they intend to run in Windows Azure, comply with the specific laws and regulations applicable to customers’ industry and use scenarios. To help our customers comply with their own specific requirements, we put in place a comprehensive compliance framework through which we will be advancing all Windows Azure features. Microsoft is committed to providing Windows Azure customers with detailed information about our security compliance programs to help customers make their own regulatory assessments. However, it is ultimately up to our customers to evaluate Windows Azure compliance programs against their own requirements to determine if our services satisfy their regulatory needs.
ISO/IEC 27001:2005 Audit and Certification
Windows Azure is committed to annual certification against the ISO/IEC 27001:2005, a broad international information security standard. The ISO/IEC 27001:2005 certificate validates that Microsoft has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
Scope: The following Windows Azure features are in scope for the current ISO/IEC 27001:2005 certification: Virtual Machines, Cloud Services, Storage (Tables, Blobs, Queues, Drives), and Networking.
The certificate issued by the British Standards Institution (BSI) is publicly available.
SOC 1 and SOC 2 SSAE 16/ISAE 3402 Attestations
Windows Azure has been audited against the Service Organization Control (SOC) reporting framework for both SOC 1 Type 2 and SOC 2 Type 2. Both reports are available to customers to meet a wide range of US and international auditing requirements.
The SOC 1 Type 2 audit report attests to the design and operating effectiveness of Windows Azure controls. The SOC 2 Type 2 audit included a further examination of Windows Azure controls related to security, availability, and confidentiality. Windows Azure is audited annually to ensure that security controls are maintained.
Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB). In addition, the SOC 2 Type 2 audit included an examination of the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA).
Scope: The following Windows Azure features and the worldwide datacenters in which they operate are in scope for the current SOC 1 Type 2 and SOC 2 Type 2 attestations: Cloud Services (includes stateless Web and Worker roles), Storage (Tables, Blobs, Queues), Virtual Machines (includes persistent virtual machines for use with supported operating systems) and Virtual Network (includes Traffic Manager).
Customers should contact their Microsoft representative to request a copy of the SOC 1 Type 2 and SOC 2 Type 2 reports for Windows Azure.
Cloud Security Alliance Cloud Controls Matrix
Windows Azure has been audited against the Cloud Controls Matrix (CCM) established by the Cloud Security Alliance (CSA). The audit was completed as part of the SOC 2 Type 2 assessment, the details of which are included in that report. This combined approach is recommended by the American Institute of Certified Public Accountants (AICPA) and the CSA as a means of meeting the assurance and reporting needs of the majority of cloud services users.
The CSA CCM is designed to provide fundamental security principles to guide cloud vendors and to assist prospective customers in assessing the overall security risk of a cloud provider. By having completed an assessment against the CCM, Windows Azure offers transparency into how its security controls are designed and managed with verification by an expert, independent audit firm.
Detailed information about how Windows Azure fulfills the security, privacy, compliance, and risk management requirements defined in the CCM is also published in the CSA’s Security Trust and Assurance Registry (STAR). A detailed paper discussing Windows Azure’s compliance with the specific controls in the CCM can be found here.
In addition, the Microsoft Approach to Cloud Transparency paper provides an overview of how Microsoft addresses various risk, governance, and information security frameworks and standards, including the CSA CCM.
Federal Risk and Authorization Management Program (FedRAMP)
Windows Azure has been granted a Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). Following a rigorous security review, the JAB approved a provisional authorization that an executive department or agency can leverage to issue its own security authorization and an accompanying Authority to Operate (ATO). This allows US federal, state, and local governments to more rapidly realize the benefits of the cloud using Windows Azure.
FedRAMP is a mandatory U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.
Scope: The following Windows Azure features and the worldwide datacenters in which they operate are in scope for the FedRAMP JAB P-ATO: Cloud Services (Web and Worker roles), Storage (Tables, Blobs, Queues, Drives), Virtual Machines (includes persistent virtual machines), SQL Databases and Virtual Network (includes Traffic Manager).
Government agencies can request the Windows Azure FedRAMP security package.
HIPAA Business Associate Agreement (BAA)
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Windows Azure, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a BAA to customers as a contract addendum.
Microsoft currently offers the BAA to customers who have a Volume Licensing / Enterprise Agreement (EA), or a Windows Azure only EA enrollment, in place with Microsoft. The Windows Azure only EA depends not on seat size but on an annual monetary commitment to Windows Azure, which allows a customer to obtain a discount over pay-as-you-go pricing.
Prior to signing the BAA, customers should read the Windows Azure HIPAA Implementation Guidance. This document was developed to help customers who are subject to HIPAA and the HITECH Act understand the relevant capabilities of Windows Azure. The intended audience includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. The document covers some of the best practices for building HIPAA compliant applications, and details Windows Azure provisions for handling security breaches. While Windows Azure includes features to help enable customers' privacy and security compliance, customers are responsible for ensuring that their particular use of Windows Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult with their own legal counsel.
Scope: Only the following Windows Azure features are covered by the current HIPAA BAA: Virtual Machines, Cloud Services, Storage (Tables, Blobs, Queues, Drives), and Virtual Network.
Customers should contact their Microsoft account representative to sign the agreement.