Microsoft complies with the data protection and privacy laws generally applicable to Microsoft’s provision of a cloud services platform. Customers are responsible for determining if Windows Azure, and the particular applications they intend to run in Windows Azure, comply with the specific laws and regulations applicable to customers’ industry and use scenario. To help our customers comply with their own specific requirements, we put in place a comprehensive compliance framework through which we will be advancing all Windows Azure features. Microsoft is committed to providing Windows Azure customers with detailed information about our security compliance programs to help customers make their own regulatory assessments. However, it is ultimately up to our customers to evaluate Windows Azure compliance programs against their own requirements to determine if our services satisfy their regulatory needs.
The Microsoft Approach to Cloud Transparency
This paper provides an overview of various risk, governance, and information security frameworks and standards. It also introduces the cloud-specific framework of the Cloud Security Alliance (CSA), known as the Security, Trust & Assurance Registry (STAR).
ISO/IEC 27001:2005 Audit and Certification
Windows Azure is committed to annual ISO/IEC 27001:2005 certification. The certificate issued by the British Standards Institution (BSI) is publicly available. The Windows Azure ISO/IEC 27001:2005 Statement of Applicability is available upon escalation to customers under a non-disclosure agreement. It includes over 130 security controls, and it maps Windows Azure controls to the control objectives contained in Annex A of ISO/IEC 27001:2005. Please contact your local Microsoft representative to obtain a copy of the document.
ISO/IEC 27001:2005 is a broad international information security standard. The ISO/IEC 27001:2005 certificate validates that Microsoft has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
Scope: Only the following Windows Azure features are in scope for the current ISO/IEC 27001:2005 certification: Virtual Machines, Cloud Services, Storage (Tables, Blobs, Queues, Drives), and Networking.
SSAE 16/ISAE 3402 Attestation
A detailed Service Organization Control 1 (SOC 1) Type 2 report is available to customers under a non-disclosure agreement. Please contact your local Microsoft representative to get a copy of the report. Windows Azure is committed to annual SSAE 16 / ISAE 3402 attestation.
The audit was conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board within the International Federation of Accountants (IFAC).
The SOC 1 Type 2 audit report attests to the fairness of the presentation of the Windows Azure service description, and to the suitability of the design and the operating effectiveness of the controls to achieve the related control objectives.
Scope: Only the following Windows Azure features are in scope for the current SOC 1 Type 2 attestation: Cloud Services, Storage (Tables, Blobs, Queues), and Networking (Traffic Manager and Windows Azure Connect only). The following additional features were launched after the examination review period but are subject to the same controls and processes that were tested in the audit: Virtual Network and Virtual Machines.
HIPAA Business Associate Agreement (BAA)
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Windows Azure, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a BAA to customers as a contract addendum.
Microsoft currently offers the BAA to customers who have a Volume Licensing / Enterprise Agreement (EA), or a Windows Azure-only EA enrollment, in place with Microsoft. The Windows Azure-only EA does not depend on seat size, but rather on an annual monetary commitment to Windows Azure that allows a customer to obtain a discount over pay-as-you-go pricing. The BAA is currently not available to pay-as-you-go customers who have a Windows Azure Agreement in place. Customers should contact their Microsoft account manager to sign the agreement.
Prior to signing the BAA, customers should read the Windows Azure HIPAA Implementation Guidance. This document was developed to help customers who are interested in HIPAA and the HITECH Act understand the relevant capabilities of Windows Azure. The intended audience includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. The document covers some of the best practices for building HIPAA-compliant applications, and details the Windows Azure provisions for handling security breaches. While Windows Azure includes features to help enable customers’ privacy and security compliance, customers are responsible for ensuring that their particular use of Windows Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult with their own legal counsel.
Scope: Only the following Windows Azure features are covered by the current HIPAA BAA: Virtual Machines, Cloud Services, Storage (Tables, Blobs, Queues, Drives), and Networking.