Azure resources to assess risk and compliance

April 29th, 2019

This article was originally posted in the Microsoft Azure blog.

This blog post was co-authored by Lucy Raikova, Senior Program Manager, Azure Global – Financial Services.

It is vital for our customers in the Financial Services Industry (FSI) to deliver innovation and value to their customers while adhering to strict security and regulatory requirements. We at Microsoft Azure know this, and we understand the complexities of trying to innovate fast and effectively while also ensuring that key regulations and compliance requirements are not overlooked. Azure is uniquely positioned to help our global FSI customers meet their regulatory requirements. Most customers, and likely the entire FSI, need to identify risks and conduct a full risk assessment before committing to any cloud service. This is often mandated by internal risk policies or external regulations, and we agree it is a critical security practice to do the due diligence of assessing a cloud service provider’s (CSP) ability to comply with strict regulations. This validates the competence of a CSP to ensure the privacy, security, access, and continuity of its cloud environment and of downstream customer data in the cloud.

Microsoft provides a rich set of solutions and resources to help you assess and manage your compliance risk as you evaluate moving to the Microsoft cloud. One of the main goals of a general risk assessment is to guarantee that the migration of a system or data to the cloud will not introduce new or unidentified risks into your organization, or at the least, to identify those new risks so that they can be appropriately managed to avoid costly fines or loss of revenue due to system downtime. The focus continues to be on ensuring that the security, privacy and control, compliance, and transparency requirements are met, and on keeping identified risks below the internal risk appetite threshold. By leveraging these solutions and resources, our most highly regulated FSI customers can efficiently and comprehensively document their compliance and regulatory footprints, while also pushing the boundaries of innovation so that their customers’ experiences continue to evolve and improve.

Self-service resources

There’s a wealth of self-service resources that come with an active Azure subscription. Let’s walk through some of those we most commonly recommend for various functions in Financial Services organizations.

Service Trust Portal

The Service Trust Portal (STP) helps with self-service audits and compliance by providing deeper technical trust, security, privacy, and compliance information. Through the STP, customers can access information such as Microsoft’s security reports, whitepapers (PCI, SEC 17a-4, EBA, etc.), Microsoft's compliance country checklists, and independent third-party audit reports about Microsoft online services. To access some of the resources on the STP, you must sign in as an authenticated user with a Microsoft cloud service account.

Audit reports

Microsoft is regularly audited and submits self-assessments to third-party auditors. We perform in-depth audits of the implementation and effectiveness of security, compliance, and privacy controls. The resulting independent third-party audit reports about Microsoft online services are available on the STP, together with information about how they can help your organization maintain and track compliance with standards, laws, and regulations such as those of the International Organization for Standardization (ISO), Service Organization Control (SOC), the National Institute of Standards and Technology (NIST), the Federal Risk and Authorization Management Program (FedRAMP), and the General Data Protection Regulation (GDPR).

Compliance Manager

Microsoft also offers a set of integrated solutions that leverage AI to help improve data protection capabilities and overall compliance posture. Compliance Manager enables you to manage your compliance activities in a single dashboard and provides three key capabilities:

  • Risk assessment: The tool helps you track, assign, and verify your organization's regulatory compliance activities related to Microsoft Cloud services. With a single dashboard, you can see multiple assessments and measure the compliance performance of a cloud service against a regulation or a standard (e.g., ISO 27001, ISO 27018, FedRAMP, NIST, GDPR).
  • Compliance score: With each assessment you get a compliance score which gives you visibility into your compliance performance.
  • Recommendations: Recommends how to address control gaps, to improve data protection, and to prioritize your tasks.

Penetration testing

Microsoft regularly conducts penetration testing and vulnerability assessments as required by the Microsoft Security Development Lifecycle (SDL), Payment Card Industry (PCI), FedRAMP, and/or ISO 27001 certification. Microsoft security practices and the ongoing SDL processes enable the service to rapidly mitigate new threats and attacks and protect customer data. Testing has also covered the Open Web Application Security Project (OWASP) Top 10, used CREST-certified testers, and included fuzz testing and port scanning of the endpoints. As part of the ongoing risk management program, test findings are resolved, and the resolution is validated as part of the compliance program.

Additional Azure resources

Azure also provides you and your line-of-business (LOB), domain risk (e.g., Operational Risk), IT/Ops, and DevOps teams with additional resources that help control and monitor your infrastructure on the Azure cloud, and help you be more secure and compliant:

Azure Monitor

Azure Monitor maximizes the availability and performance of applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from the cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.

Azure Security Center

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud, be it Azure, any other cloud, or on-premises.

Azure Sentinel

Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) platform that uses built-in AI to analyze large volumes of data across the enterprise from all sources in a few seconds at a fraction of the cost. It includes built-in connectors for easy onboarding of popular security solutions, and allows you to collect data from any source with support for open standard formats like CEF and Syslog.
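To make the "open standard formats like CEF and Syslog" concrete, here is an added example of what a SIEM connector has to do with such a line once it arrives; it is not code from Microsoft or from the Azure Sentinel CEF connector. It parses the Common Event Format header and extension, including the backslash escapes the format allows, and runs one simple detection over the parsed events. The device name "Contoso NGFW", the addresses and rule names in the sample lines, the `blocked_sources` detection rule, and the numeric values chosen for textual severities are all constructed for this example.

```python
r"""Parse CEF events (the format Sentinel's CEF connector ingests) and run a
simple detection over them.

Added example, not Microsoft's or Azure Sentinel's code. It implements the
Common Event Format layout: an optional syslog prefix, then
  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
with \| and \\ escapes in the header and \= escapes inside the key=value
extension. The sample lines at the bottom are constructed.
"""
import re
from collections import Counter

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Textual severities are mapped to the top of the numeric band CEF gives them
# (an assumption made here so that all events can be compared numerically).
SEVERITY_WORDS = {"low": 3, "medium": 6, "high": 8, "very-high": 10}
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_EXT_ESCAPE_RE = re.compile(r"\\([\\=nr])")
_EXT_UNESCAPE = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def _split_header(text):
    """Split the seven pipe-delimited header fields, honouring backslash escapes.
    Returns (fields, remainder); the remainder is the extension string."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < len(HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped pipe or backslash
            buf.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS) and buf:   # header with no trailing pipe
        fields.append("".join(buf))
        i = len(text)
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than seven fields")
    return fields, text[i:]


def _parse_extension(ext):
    """key=value pairs; values may contain spaces, so each value runs up to the
    next `key=` token. An escaped equals sign inside a value is not a key."""
    keys = list(_KEY_RE.finditer(ext))
    parsed = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        parsed[m.group(1)] = _EXT_ESCAPE_RE.sub(lambda e: _EXT_UNESCAPE[e.group(1)], raw)
    return parsed


def parse_cef(line):
    """Parse one log line into a dict; raises ValueError on a malformed line."""
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("not a CEF line")
    header, extension = _split_header(line[marker + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, header))
    event["syslog_prefix"] = line[:marker].strip()
    sev = event["severity"].strip()
    event["severity"] = int(sev) if sev.isdigit() else SEVERITY_WORDS[sev.lower()]
    event["extension"] = _parse_extension(extension.strip())
    return event


def blocked_sources(events, min_severity=7):
    """Detection: count blocked, high-severity events per source address, the
    kind of aggregation a SIEM analytics rule would raise an incident on."""
    hits = Counter()
    for ev in events:
        ext = ev["extension"]
        if ev["severity"] >= min_severity and ext.get("act") == "blocked" and "src" in ext:
            hits[ext["src"]] += 1
    return hits


# Constructed sample lines: two with a syslog prefix (one containing an escaped
# "=" in the extension), one with an escaped "|" in the header and a textual severity.
SAMPLE_LINES = [
    r"<134>Apr 29 12:00:01 fw01 CEF:0|Contoso|NGFW|2.1|100|Inbound connection blocked|7|"
    r"src=203.0.113.5 dst=10.0.0.9 spt=51234 dpt=22 proto=TCP act=blocked "
    r"msg=SSH brute force attempt cs1Label=Rule cs1=Block\=SSH",
    r"<134>Apr 29 12:00:02 fw01 CEF:0|Contoso|NGFW|2.1|100|Inbound connection blocked|7|"
    r"src=203.0.113.5 dst=10.0.0.9 spt=51235 dpt=22 proto=TCP act=blocked msg=SSH brute force attempt",
    r"CEF:0|Contoso|NGFW|2.1|200|Rule Allow\|RDP updated|Medium|suser=admin act=modify",
]

if __name__ == "__main__":
    events = [parse_cef(line) for line in SAMPLE_LINES]
    for ev in events:
        print(ev["signature_id"], ev["name"], ev["severity"], ev["extension"])
    print("blocked sources:", dict(blocked_sources(events)))
```

The header splitter is written as a character loop rather than a `split("|")` because a vendor is allowed to put an escaped pipe inside the event name, and a naive split silently shifts every later field, which is exactly the kind of parsing error that makes a detection rule miss the event.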

Azure Service Health

Azure Service Health provides personalized alerts and guidance when Azure service issues affect our customers’ business. It can notify you, help you understand the impact of issues, and keep you updated as the issue resolves. It can also help prepare for planned maintenance and changes that could affect the availability of your resources.

Azure governance

Governance validates that your organization can achieve its goals through an effective and efficient use of IT. It meets this need by creating clarity between business goals and IT projects. With Azure you build and scale your applications quickly while maintaining control.

Azure Blueprints

Azure Blueprints enable quick, repeatable creation of fully governed environments. This service helps you deploy and update cloud environments in a repeatable manner using artifacts such as policies, resource groups, deployment templates, and role-based access controls. It is built to help DevOps teams set up governed Azure environments and scale to support production implementations for large-scale migrations. Azure recently announced a Blueprint for the ISO 27001 compliance standard.

Azure Policy

Azure Policy helps you govern Azure resources by creating, assigning, and managing policies. These policies enforce rules and effects over your resources that help them stay compliant with your corporate standards and service level agreements, and this management and security can be applied at scale.
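The "rules and effects" above have a concrete shape: a policy definition carries a `policyRule` with an `if` condition over resource fields and a `then.effect`. The following is an added example, not Microsoft's code and not the Azure Policy engine, which evaluates definitions inside Azure Resource Manager. It builds two definitions in that layout and evaluates them locally against constructed resource records so that the difference between the weak "audit" effect (non-compliance is only recorded) and the blocking "deny" effect can be seen. The `[parameters('...')]` reference syntax and the `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` alias are the ones Azure Policy uses; the evaluator, the flattened resource dictionaries, the resource names and the `evaluate_assignment` helper are assumptions made for this example.

```python
"""Evaluate Azure Policy-style definitions against constructed resource records.

Added example, not Microsoft's code. It reproduces only the `policyRule`
shape of an Azure Policy definition (an `if` condition built from `field`
comparisons and allOf/anyOf/not combinators, and a `then.effect`), so that
the difference between an "audit" effect (non-compliance is logged) and a
"deny" effect (the deployment is blocked) can be seen on sample data. The
real service evaluates definitions inside Azure Resource Manager; the flat
resource dictionaries below are a simplification and the values are constructed.
"""
import fnmatch


def allowed_locations_policy(effect):
    """Definition in the Azure Policy JSON layout: flag any resource whose
    `location` is outside a parameterised allow-list. The same rule can be
    assigned with a weak effect ("audit") or a blocking one ("deny")."""
    return {
        "properties": {
            "displayName": f"{effect.capitalize()} resources outside allowed locations",
            "mode": "All",
            "parameters": {
                "allowedLocations": {"type": "Array",
                                     "defaultValue": ["westeurope", "northeurope"]}
            },
            "policyRule": {
                "if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                "then": {"effect": effect},
            },
        }
    }


# Storage accounts must require HTTPS. The alias is the one the built-in
# "secure transfer" policy uses; the comparison value is adapted to Python bools.
STORAGE_HTTPS_ONLY = {
    "properties": {
        "displayName": "Deny storage accounts that allow plain HTTP",
        "mode": "Indexed",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "notEquals": True},
            ]},
            "then": {"effect": "deny"},
        },
    }
}


def _resolve(value, params):
    """Expand the "[parameters('name')]" reference syntax used in rules."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def _matches(cond, resource, params):
    """Recursive evaluation of one condition block."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != _resolve(cond["notEquals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in _resolve(cond["notIn"], params)
    if "like" in cond:
        return fnmatch.fnmatchcase(str(actual), _resolve(cond["like"], params))
    if "exists" in cond:
        return (actual is not None) == (str(_resolve(cond["exists"], params)).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, resource, parameter_values=None):
    """Return the effect that fires for `resource`, or None when it is compliant."""
    props = definition["properties"]
    params = {name: spec.get("defaultValue") for name, spec in props.get("parameters", {}).items()}
    params.update(parameter_values or {})
    rule = props["policyRule"]
    if _matches(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return None


def evaluate_assignment(definitions, resource, parameter_values=None):
    """Apply every assigned definition; a single "deny" blocks the request."""
    effects = [e for d in definitions if (e := evaluate(d, resource, parameter_values)) is not None]
    return {"blocked": "deny" in effects, "effects": effects}


# Constructed sample resources, flattened to the field names the rules refer to.
SAMPLE_RESOURCES = [
    {"name": "stfinreports01", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True},
    {"name": "stscratch02", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False},
    {"name": "vm-batch-01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
]

if __name__ == "__main__":
    audit_only = [allowed_locations_policy("audit")]
    hardened = [allowed_locations_policy("deny"), STORAGE_HTTPS_ONLY]
    for res in SAMPLE_RESOURCES:
        print(res["name"], "audit-only:", evaluate_assignment(audit_only, res),
              "hardened:", evaluate_assignment(hardened, res))
```

The point of running both assignments side by side is that the audit-only definition leaves `stscratch02` deployable in an unapproved region over plain HTTP and merely records the fact, whereas the hardened assignment refuses it; a practitioner typically assigns "audit" first to measure the blast radius, then switches the same definition to "deny" once the existing estate is clean.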

As you can see, Microsoft provides our customers with multiple resources and tools to keep pace with the compliance and regulatory requirements of the 54 regions in which Azure operates, and we are just getting started! Our goal is to continue to be the cloud platform with the most comprehensive compliance coverage in the industry.