Compliance Terms and Requirements
Some of the important questions to ask when choosing a cloud service provider –
- How compliant is the cloud provider when it comes to handling sensitive data?
- How compliant are the services offered by the cloud provider?
- How can I deploy my own cloud-based solutions to scenarios that have accreditation or compliance requirements?
- What terms are part of the privacy statement for the provider?
Compliance Offerings
The following list gives details about some of the compliance offerings available –
- Criminal Justice Information Services (CJIS) – Azure is one of the largest cloud providers that contractually commits to conformance with the CJIS Security Policy, which commits Microsoft to adhering to the same requirements that law enforcement and public safety entities must meet.
- Cloud Security Alliance (CSA) STAR Certification – Azure, Intune, and Microsoft Power BI have obtained STAR Certification, which involves a rigorous independent third-party assessment of a cloud provider’s security posture. STAR Certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the Cloud Controls Matrix (CCM).
- General Data Protection Regulation (GDPR) – The GDPR, in effect from May 25, 2018, imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents.
- EU Model Clauses – Microsoft offers customers EU Standard Contractual Clauses that provide contractual guarantees around transfers of personal data outside of the EU.
- Health Insurance Portability and Accountability Act (HIPAA) – Azure offers customers a HIPAA Business Associate Agreement (BAA), stipulating adherence to certain security and privacy provisions in HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. In order to assist customers in their individual compliance efforts, Microsoft offers a BAA to Azure customers as a contract addendum.
- International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27018 – Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, covering the processing of personal information by cloud service providers.
- Multi-Tier Cloud Security (MTCS) Singapore – After rigorous assessments conducted by the MTCS Certification Body, Microsoft cloud services received MTCS 584:2013 Certification across all three service classifications—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
- Service Organization Controls (SOC) 1, 2, and 3 – Microsoft-covered cloud services are audited at least annually against the SOC report framework by independent third-party auditors. The Microsoft cloud services audit covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) – NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. Microsoft cloud services have undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits, and are certified according to the FedRAMP standards.
- UK Government G-Cloud – UK Government G-Cloud is a cloud computing certification for services used by government entities in the United Kingdom. Azure has received official accreditation from the UK Government Pan Government Accreditor.
Economies of scale
Economies of scale refers to the ability to do things more efficiently or at a lower cost per unit when operating at a larger scale. This cost advantage is an important benefit in cloud computing. Cloud providers such as Microsoft, Google, and Amazon are large businesses that leverage the benefits of economies of scale and then pass the savings on to their customers. Cloud providers can also make deals with local governments and utilities to get tax savings, lowering the price of power, cooling, and high-speed network connectivity between sites. Cloud providers are then able to pass on these benefits to end users in the form of lower prices than what you could achieve on your own.