
Cloud Compliance

  • The provider can help you comply with regulations and standards
  • Think about:
    • How compliant is the cloud provider when it comes to handling sensitive data?
    • How compliant are the services offered by the cloud provider?
    • How can I deploy my own cloud-based solutions to scenarios that have accreditation or compliance requirements?
    • What terms are part of the privacy statement for the provider?

Some compliance offerings

CJIS

  • CJIS = Criminal Justice Information Services
  • Any US state or local agency that wants to access the FBI's CJIS database is required to adhere to the CJIS Security Policy
  • Microsoft Azure adheres to the same requirements that law enforcement and public safety entities must meet.

CSA STAR Certification

  • CSA = Cloud Security Alliance
  • Independent third-party assessment of a cloud provider's security posture
  • Ensures:
    • ISO/IEC 27001 certification is achieved
    • Criteria specified in the Cloud Controls Matrix (CCM) are met
      • Also assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.

GDPR

  • 📝 GDPR = General Data Protection Regulation, European privacy law
  • Imposes rules for collecting & analyzing data tied to EU residents.
  • The GDPR applies no matter where you are located.

EU Model Clauses

  • EU Standard Contractual Clauses
  • Guarantees around transfers of personal data outside of the EU.
  • Ensures customers can use cloud services to move data freely through the cloud from Europe to the rest of the world.

HIPAA

  • HIPAA = Health Insurance Portability and Accountability Act
  • US federal law that regulates patient Protected Health Information (PHI)
  • HIPAA Business Associate Agreement (BAA)
    • Adheres to certain security and privacy provisions in HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  • Azure offers the BAA as a contract addendum to assist customers' individual compliance.

ISO/IEC 27018

  • 📝 ISO/IEC 27018 = International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27018
  • Covers the processing of personal information by cloud service providers

MTCS Singapore

  • MTCS = Multi-Tier Cloud Security Singapore
  • MTCS 584:2013 assesses IaaS, PaaS and SaaS service classifications.

SOC 1, 2, and 3

  • SOC = Service Organization Controls
  • Cloud services are audited at least annually against the SOC report framework by independent third-party auditors.
  • Audit covers controls for data security, availability, processing integrity, and confidentiality
    • as applicable to in-scope trust principles for each service.

NIST CSF

  • 📝 NIST CSF = National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
    • NIST is an agency of the United States Department of Commerce.
  • Voluntary framework that defines security guidelines and best practices to manage cybersecurity-related risks.
  • Azure has undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits and is certified
    • Also validated by the Health Information Trust Alliance (HITRUST)
      • a leading security and privacy standards development and accreditation organization

UK Government G-Cloud

  • Cloud computing certification for services used by government entities in the UK.
  • Azure has received official accreditation from the UK Government Pan Government Accreditor.