Cloud Compliance
If you are studying for the Microsoft Azure Fundamentals exam, this guide will help you with a quick revision before the exam. It can be used as study notes for your preparation.
- Provider can help you comply with regulations and standards
- Think about:
  - How compliant is the cloud provider when it comes to handling sensitive data?
  - How compliant are the services offered by the cloud provider?
  - How can I deploy my own cloud-based solutions to scenarios that have accreditation or compliance requirements?
  - What terms are part of the privacy statement for the provider?
Some compliance offerings
CJIS
- CJIS = Criminal Justice Information Services
- Any US state or local agency that wants to access the FBI’s CJIS database is required to adhere to the CJIS Security Policy
- Microsoft Azure adheres to the same requirements that law enforcement and public safety entities must meet.
CSA STAR Certification
- CSA = Cloud Security Alliance
- Independent third-party assessment of a cloud provider’s security posture
- Ensures:
  - ISO/IEC 27001 certification is achieved
  - Criteria specified in the Cloud Controls Matrix (CCM) are met
- Also assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.
GDPR
- 📝 GDPR = General Data Protection Regulation, European privacy law
- Imposes rules for collecting & analyzing data tied to EU residents.
- The GDPR applies no matter where you are located.
EU Model Clauses
- EU Standard Contractual Clauses
- Guarantees around transfers of personal data outside of the EU.
- Ensures customers can use cloud services to move data freely from Europe to the rest of the world.
HIPAA
- HIPAA = Health Insurance Portability and Accountability Act
- US federal law that regulates patient Protected Health Information (PHI)
- HIPAA Business Associate Agreement (BAA)
  - Adheres to certain security and privacy provisions in HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  - Azure offers the BAA as a contract addendum to assist customers' individual compliance.
ISO/IEC 27018
- 📝 ISO/IEC 27018 = International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27018
- Covers the processing of personal information by cloud service providers
MTCS Singapore
- MTCS = Multi-Tier Cloud Security Singapore
- MTCS 584:2013 assesses IaaS, PaaS, and SaaS service classifications.
SOC 1, 2, and 3
- SOC = Service Organization Controls
- Cloud services audited at least annually against the SOC report framework by independent third-party auditors.
- Audit covers controls for data security, availability, processing integrity, and confidentiality, as applicable to the in-scope trust principles for each service.
NIST CSF
- 📝 NIST CSF = National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- NIST is an agency of the United States Department of Commerce.
- Voluntary framework that defines security guidelines and best practices to manage cybersecurity-related risks.
- Azure has undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits and is certified
- Also validated by the Health Information Trust Alliance (HITRUST)
  - a leading security and privacy standards development and accreditation organization
UK Government G-Cloud
- Cloud computing certification for services used by government entities in the UK.
- Azure has received official accreditation from the UK Government Pan Government Accreditor.