Compliance, Auditors, and Documentation Oh My!
App Dev Manager Tina Saulsberry shares tips and resources on Azure Security and Compliance offerings.
Does your Azure solution need to meet one of the popular compliance programs such as HITRUST or FedRAMP? Do you want to understand what documentation to provide auditors for a compliance review? This blog post may help.
Azure Trust Center should be your first destination for our compliance offerings. Did you know that the independent audit reports, along with the Azure compliance offerings, can be found there? This documentation is a free but access-controlled resource for customers of Microsoft cloud services (Azure, Office 365, Dynamics 365, etc.). Compliance documentation for HITRUST, HIPAA/HITECH, FedRAMP, CSA CCM and many others is stored there.
It is important to note that not all Azure services are in scope for every compliance program. Check the offering documentation when designing your solution, and build on the Azure components that are covered by your target compliance standard. Check the Trust Center periodically, as the coverage of a service that is not yet in scope can change over time.
Another great resource is Azure Security Center, which offers regulatory compliance assessments (Public Preview). It evaluates the resources in your subscription and flags where your solution may fall short of a regulatory compliance program's requirements. At the time of this post, Azure Security Center provides assessments for Azure CIS 1.0.0, PCI DSS 3.2, ISO 27001 and SOC TSP; more will be added over time. Keep in mind that these assessments cover only controls that can be evaluated from resource configuration; process and documentation controls still have to be evidenced separately.
Here are some steps to incorporate into your journey to demonstrate compliance:
- Build your system from the Azure components that are in scope for your target compliance program.
- Review the architecture of the system and determine whether the appropriate threat mitigations are in place. One way to do this is to create a threat model for your solution that shows how its technical defenses map onto the technical compliance requirements.
- Many times, the Azure audit documentation from the Trust Center, together with the threat model for your solution, is enough for auditors to do their work. Remember that the Azure reports cover the platform; the controls you operate yourself (identity, network configuration, key management, logging) remain your responsibility to evidence.
Premier Service for Developers can help you on your journey to regulatory compliance. Reach out to your Microsoft Application Development Manager (ADM) for more details.