Examine privacy, compliance, and data protection standards


The following list provides details about some of the compliance offerings available on Azure:

- Criminal Justice Information Service (CJIS).
- Cloud Security Alliance (CSA) STAR Certification. Azure, Intune, and Microsoft Power BI
- European Union (EU) Model Clauses.
- International Organization of Standards/International Electrotechnical Commission (ISO/IEC) 27018.
- Health Insurance Portability and Accountability Act (HIPAA).
- Multi-Tier Cloud Security (MTCS) Singapore
- Service Organization Controls (SOC) 1, 2, and 3.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
- United Kingdom (UK) Government G-Cloud.

Azure China 21Vianet is operated by

21Vianet is a physically separated instance of cloud services located in China, independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd.

Only locally registered companies with less than

50-percent foreign investment qualify for these permits.

Service Trust Portal is a companion feature to the Trust Center, and allows you to:

- Access audit reports across Microsoft cloud services on a single page.
- Access compliance guides to help you understand how you can use Microsoft cloud service features to manage compliance with various regulations.
- Access trust documents to help you understand how Microsoft cloud services help protect your data.

Multi-Tier Cloud Security (MTCS) Singapore.

After rigorous assessments conducted by the MTCS Certification Body, Microsoft cloud services received MTCS 584:2013 Certification across all three service classifications—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and SaaS. Microsoft was the first global cloud solution provider (CSP) to receive this certification across all three classifications.

Criminal Justice Information Service (CJIS).

Any US state or local agency that wants to access the FBI's Criminal Justice Information Services (CJIS) database is required to adhere to the CJIS Security Policy. Azure is the only major cloud provider that contractually commits to conformance with the CJIS Security Policy, which commits Microsoft to adhering to the same requirements that law enforcement and public safety entities must meet.

As the first foreign public cloud service provider offered in China in compliance with government regulations,

Azure China 21Vianet provides world-class security as discussed on the Trust Center, as required by Chinese regulations for all systems and applications built on its architecture.

Compliance Manager provides the following features:

- Detailed information provided by Microsoft to auditors and regulators, as part of various third-party audits of Microsoft's cloud services against various standards (for example, ISO 27001, ISO 27018, and NIST).
- Information that Microsoft compiles internally for its compliance with regulations (such as HIPAA).
- An organization's self-assessment of their own compliance with these standards and regulations.
- Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization's compliance goals.
- Provides a Compliance Score to help you track your progress and prioritize auditing controls that will help reduce your organization's exposure to risk.
- Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities.
- Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders.

Service Trust Portal (STP) also includes information about how Microsoft online services can help your organization maintain and track compliance with standards, laws, and regulations, such as:

- ISO
- SOC
- NIST
- FedRAMP

The Trust Center site provides:

- In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products.
- Recommended resources in the form of a curated list of the most applicable and widely used resources for each topic.
- Information specific to key organizational roles, including business managers, tenant admins or data security teams, risk assessment and privacy officers, and legal compliance teams.
- Cross-company document search, which is coming soon and will enable existing cloud service customers to search the Service Trust Portal.
- Direct guidance and support for when you can't find what you're looking for.

The Azure services are based on the same Azure, Office 365, and Power BI technologies that make up the

Microsoft global cloud service, with comparable service levels. Azure agreements and contracts in China, where applicable, are signed between customers and 21Vianet.

International Organization of Standards/International Electrotechnical Commission (ISO/IEC) 27018.

Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, covering the processing of personal information by cloud service providers.

European Union (EU) Model Clauses.

Microsoft offers customers EU Standard Contractual Clauses that provide contractual guarantees around transfers of personal data outside of the EU. Microsoft is the first company to receive joint approval from the EU's Article 29 Working Party that the contractual privacy protections Azure delivers to its enterprise cloud customers meet current EU standards for international transfers of data, which ensures that Azure customers can use Microsoft services to move data freely through Microsoft's cloud, from Europe to the rest of the world.

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

NIST CSF is a voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. Microsoft cloud services have undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits and are certified according to the FedRAMP standards. Additionally, through a validated assessment performed by the Health Information Trust Alliance (HITRUST), a leading security and privacy standards development and accreditation organization, Office 365 is certified to the objectives specified in the NIST CSF.

Health Insurance Portability and Accountability Act (HIPAA).

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that regulates patient Protected Health Information (PHI). Azure offers customers a HIPAA Business Associate Agreement (BAA), stipulating adherence to certain security and privacy provisions in HIPAA and the HITECH Act. To assist customers in their individual compliance efforts, Microsoft offers a BAA to Azure customers as a contract addendum.

United Kingdom (UK) Government G-Cloud.

The UK Government G-Cloud is a cloud computing certification for services used by government entities in the United Kingdom. Azure has received official accreditation from the UK Government.

Azure includes the core components of IaaS, PaaS, and SaaS.

These components include network, storage, data management, identity management, and many other services.

Compliance Manager is a dashboard that provides

a summary of your data protection and compliance stature, and recommendations to improve data protection and compliance.

Service Trust Portal users can download

audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.

Azure Government services handle data that is subject to

certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS.

Service Organization Controls (SOC) 1, 2, and 3. Microsoft-covered

cloud services are audited at least annually against the SOC report framework by independent third-party auditors. The Microsoft cloud services audit covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.

Compliance Manager provides ongoing risk assessments with a risk-based score reference

displayed in a dashboard view for regulations and standards. Alternatively, you can create assessments for the regulations or standards that matter more to your organization.

Azure Government offers physical isolation

from non-US government deployments and provides screened US personnel.

Cloud Security Alliance (CSA) STAR Certification. Azure, Intune, and Microsoft Power BI

have obtained STAR Certification, which involves a rigorous independent third-party assessment of a cloud provider's security posture. The STAR certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the CCM. It demonstrates that a cloud service provider conforms to the applicable requirements of ISO/IEC 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control area

According to the China Telecommunication Regulation (in Chinese), providers of cloud services (IaaS and PaaS) must

have value-added telecom permits.

Even if you already use global Azure services, to operate

in China you may need to rehost or refactor some or all of your applications or services.

The Customer Actions provided in Compliance Manager are recommendations only; it is up to each organization to evaluate the effectiveness of these recommendations

in their respective regulatory environment prior to implementation. Recommendations found in Compliance Manager should not be interpreted as a guarantee of compliance.

Azure Government provides the broadest compliance and Level 5 Department of Defense (DoD) approval. You can choose from six government-only datacenter regions,

including two regions granted an Impact Level 5 Provisional Authorization. Azure Government also offers the most compliance certifications of any cloud provider.

Azure Government

is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers.

Compliance Manager

is a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.

To comply with this regulation, the Azure service in China is

operated by 21Vianet, based on the technologies licensed from Microsoft.

The Microsoft privacy statement explains what

personal data Microsoft processes, how Microsoft processes it, and for what purposes.

To provide the highest level of security and compliance, Azure Government uses

physically isolated datacenters and networks (located only in the US).

Azure China 21Vianet supports most of the same services

that global Azure has, such as geosynchronous data replication and autoscaling.

The Service Trust Portal (STP) hosts

the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services.

The Trust Center is an important part of

the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community.

Azure Government customers (US federal, state, and local government or their partners) are subject

to validation of eligibility.

The Trust Center is a

website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.

