Monday, January 26, 2015

Azure and Compliance

Over the past 6 months, I've been conducting quite a lot of cloud technology training, particularly Azure and Office 365. I've been speaking to a number of European MSPs in the SMB space who are now looking to take on Azure as a platform for their customers, to some degree replacing their old historical favourite, Small Business Server. SBS (rip) was a great platform for the small business – cheap, comprehensive and relatively easy to manage. But it's gone and not coming back.

When extolling the virtues of the cloud, I hear a number of objections – some valid, some possibly less so. One objection I hear to Azure revolves around compliance. For customers in compliance-affected businesses, compliance is not an option.

It's clear that Microsoft recognise the need to have Azure seen as a product that can comply with most, if not all, of the world's compliance regimes. It was comforting, therefore, to read Lori Woehler's recent blog article about Azure and compliance.

In her article, she notes that Azure has recently completed successfully an audit against ISO/IEC 27001:2013. carried out by the highly independent British Standards Institute Americas. BSI also validated that Azure was compliant with the ISO 27081 code of practice for protection of Personally Identifiable Information (PII) in clouds.

Woehler goes on to note that Azure has expanded the services in scope for SOC 1 and 2, the US Department of Health and Humans Services has granted the US FedRAMP authority to operate to both Office 365 and Azure AD, Azure Government is one of the first cloud platforms to meet US. Criminal Justice Information Services certification requirements for state and local governments. She mentions other, non-US compliance initiatives for Azure, including Singapore Multi Tier Cloud Security (MTCS's first Level 1 end to end cloud service offering), and the Australian Government Information Security Registered Assessors Program (IRAP) accreditation.

These, and the other Azure initiatives mentioned, should  help to bridge the confidence gap (as well as enabling Azure to be used in many compliance-bound industries. And this work just keeps going on, both to comply with new and additional compliance schemes as well as to re-certify on a regular basis. Azure is changing on what appears to be a weekly basis – the compliance certifications need to keep pace.

Hopefully, this continuing effort will go a long way towards assuaging at least some of the concerns of the SMB market space. Tags: ,

No comments: