Azure Compliance: Standards, Tools, and 6 Critical Best Practices
Azure compliance refers to the adherence of Azure services to compliance standards, ensuring that data stored in Azure cloud is managed and protected in accordance with government regulations and industry standards. Microsoft Azure provides a set of compliance offerings, including certifications, attestations, and frameworks that aid organizations in achieving compliance.
What Is Azure Compliance?
Using Microsoft’s infrastructure, Azure enables organizations to fulfill regulatory obligations across different industries and regions. With broad support of compliance certifications and laws across global regions and specific industries, Azure helps organizations manage security risks and enhance business operations, ensuring that customer data is securely managed and privacy is maintained.
In this article:
Key Compliance Standards on Azure
Let’s go into detail about how Azure supports important compliance standards.
1. PCI
The Payment Card Industry Data Security Standard (PCI DSS) is a critical framework designed to protect credit card data and prevent fraud through stringent security controls. Established by the PCI Security Standards Council, PCI DSS is mandatory for any organization handling cardholder data, such as the primary account number (PAN), cardholder name, expiration date, and sensitive authentication data.
Azure supports PCI DSS compliance by undergoing validation through an approved Qualified Security Assessor (QSA). Microsoft Azure is certified under PCI DSS version 4.0 at Service Provider Level 1, the highest compliance level for service providers handling over 6 million transactions annually. The Attestation of Compliance (AOC) from this validation is available for customers to download and use.
While Azure’s compliance helps reduce the effort and costs for customers to achieve their own PCI DSS validation, it’s essential for customers to understand that this does not automatically extend to their own environments. They must ensure their own compliance with PCI DSS requirements for the services they build or host on Azure. To aid in this, Azure provides the following resources:
- Azure PCI DSS Shared Responsibility Matrix: This matrix outlines the division of responsibilities between Azure and the customer for each PCI DSS requirement, helping customers understand their obligations.
- Azure Policy Regulatory Compliance Built-in Initiative for PCI DSS: This initiative maps Azure Policy definitions to PCI DSS compliance domains and controls, offering a compliance dashboard to evaluate the environment’s overall compliance status.
Azure’s compliance documentation covers various services including Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services. Customers can access the PCI DSS audit documents through the Service Trust Portal.
2. HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations issued under HIPAA establish requirements for the use, disclosure, and safeguarding of protected health information (PHI). HIPAA applies to covered entities such as doctors’ offices, hospitals, health insurers, and other healthcare companies that handle PHI. It also applies to business associates of these entities, including cloud service providers (CSPs) like Microsoft Azure.
While there is no official certification for HIPAA compliance, Azure supports HIPAA requirements through adherence to other security frameworks:
- NIST SP 800-66 and NIST SP 800-53: These publications guide the implementation of HIPAA Security Rule standards. Azure aligns with these standards and maintains a FedRAMP High Provisional Authorization to Operate (P-ATO), which assures that HIPAA Security Rule safeguard standards are adequately addressed.
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM): Azure maintains the CSA STAR Certification and CSA STAR Attestation, which map HIPAA requirements to security controls.
- HHS HIPAA Security Rule Crosswalk to NIST Cyber Security Framework: This crosswalk provides relevant control mapping to standards such as ISO/IEC 27001, which Azure is certified under.
To support HIPAA compliance, Microsoft enters into Business Associate Agreements (BAAs) with its customers. Azure offers physical, technical, and administrative safeguards required by HIPAA and the HITECH Act within in-scope Azure services. The BAA includes contractual assurances about data safeguarding, breach notifications, data access, and other critical provisions.
Azure Policy regulatory compliance built-in initiative for HIPAA/HITRUST maps to HIPAA/HITRUST compliance domains and controls, offering a compliance dashboard to evaluate the overall compliance status. This helps enforce organizational standards and assess compliance at scale.
3. GDPR
The General Data Protection Regulation (GDPR) is a significant regulation designed to protect the personal data of EU residents and enforce strict data privacy laws. Organizations that process personal data of EU citizens must adhere to GDPR requirements to ensure data protection and privacy.
Azure supports GDPR compliance by providing various tools and resources to help organizations manage personal data responsibly. Key aspects include:
Data Subject Requests (DSR): Azure offers capabilities to handle DSRs, enabling organizations to respond to requests such as accessing, rectifying, deleting, or exporting personal data. Azure’s tools help automate these processes, ensuring timely and accurate responses as mandated by GDPR.
Breach Notification: In the event of a personal data breach, GDPR requires organizations to notify relevant authorities within 72 hours and inform affected individuals without undue delay. Azure’s comprehensive security controls and monitoring systems help detect breaches early, allowing for prompt action. Azure also provides detailed documentation and support for breach response and notification processes.
Data Protection Impact Assessment (DPIA): Organizations must conduct DPIAs for data processing activities that pose high risks to individuals’ rights and freedoms. Azure aids in this by providing guidelines and tools to assess risks and implement necessary safeguards. Azure’s built-in compliance capabilities align with GDPR requirements, supporting the development of effective DPIAs.
Microsoft Purview Compliance Manager: This tool helps organizations assess and manage their compliance posture. It includes a pre-built assessment for GDPR, guiding organizations through compliance tasks and offering insights into areas requiring attention. The Compliance Manager’s dashboard provides an overview of compliance status and recommended actions to mitigate risks.
4. CCPA
The California Consumer Privacy Act (CCPA) represents a landmark privacy regulation in the United States, granting extensive rights to California consumers over their personal data. Enforced by the California Attorney General, the CCPA mandates that businesses operating in California adhere to specific obligations to ensure consumer data privacy and protection.
Microsoft, as a service provider, ensures its services comply with CCPA requirements, assisting organizations in maintaining their compliance. The Online Services Terms (OST) and the Microsoft Professional Services Data Protection Addendum (MSDPA) align with CCPA mandates, enabling customers to manage data within Microsoft’s framework without additional contractual changes.
Supporting Tools and Resources:
- Microsoft Purview Compliance Manager: This tool aids in assessing and managing compliance posture. Organizations can leverage the GDPR assessment template within Compliance Manager to help with CCPA compliance tasks, ensuring comprehensive coverage of privacy obligations.
- Data Subject Requests (DSAR) Tool: Facilitates the efficient handling of consumer requests for data access, deletion, and portability.
- Information Protection Tools: Microsoft Purview Information Protection offers features to discover, classify, label, and protect sensitive data.
- Email Encryption: Enhances the control and security of sensitive communications.
Full List of Compliance Standards Supported by Azure
Below is a full list of compliance standards supported by Azure services. Refer to the Azure compliance documentation for details on specific services that support each standard.
Global | CIS benchmark | Financial Services | 23 NYCRR Part 500 (US) |
CSA STAR Attestation | AFM and DNB (Netherlands) | ||
CSA STAR Certification | AMF and ACPR (France) | ||
CSA STAR self-assessment | APRA (Australia) | ||
SOC 1 | CFTC 1.31 (US) | ||
SOC 2 | EBA (EU) | ||
SOC 3 | FCA and PRA (UK) | ||
ISO 20000-1 | FFIEC (US) | ||
ISO 22301 | FINMA (Switzerland) | ||
ISO 27001 | FINRA 4511 (US) | ||
ISO 27017 | FISC (Japan) | ||
ISO 27018 | FSA (Denmark) | ||
ISO 27701 | GLBA (US) | ||
ISO 9001 | KNF (Poland) | ||
WCAG | MAS and ABS (Singapore) | ||
US Government | CJIS | NBB and FSMA (Belgium) | |
CMMC | OSFI (Canada) | ||
CNSSI 1253 | OSPAR (Singapore) | ||
DFARS | PCI 3DS | ||
DoD IL2 | PCI DSS | ||
DoD IL4 | RBI and IRDAI (India) | ||
DoD IL5 | SEC 17a-4 (US) | ||
DoD IL6 | SEC Regulation SCI (US) | ||
DoE 10 CFR Part 810 | SOX (US) | ||
EAR | TruSight | ||
FedRAMP | Healthcare and Life Sciences | ASIP HDS (France) | |
FIPS 140 | EPCS (US) | ||
ICD 503 | GxP (FDA 21 CFR Part 11) | ||
IRS 1075 | HIPAA (US) | ||
ITAR | HITRUST | ||
JSIG | MARS-E (US) | ||
NDAA | NEN 7510 (Netherlands) | ||
NIST 800-161 | Automotive, Education, Energy, Media, and Telecommunication | CDSA | |
NIST 800-171 | DPP (UK) | ||
NIST 800-53 | FACT (UK) | ||
NIST 800-63 | FERPA (US) | ||
NIST CSF | MPA | ||
Section 508 VPATs | GSMA | ||
StateRAMP | NERC (US) | ||
Regional – Americas | Argentina PDPA | TISAX | |
Canada privacy laws | Regional – EMEA | EU Cloud CoC | |
Canada Protected B | EU EN 301 549 | ||
US CCPA | ENISA IAF | ||
Regional – Asia Pacific | Australia IRAP | EU GDPR | |
China GB 18030 | EU Model Clauses | ||
China DJCP (MLPS) | Germany C5 | ||
China TCS | Germany IT-Grundschutz workbook | ||
India MeitY | Netherlands BIR 2012 | ||
Japan CS Gold Mark | Qatar NIA | ||
Japan ISMAP | Russia personal data law | ||
Japan My Number Act | Spain ENS High | ||
Korea K-ISMS | Spain LOPD | ||
New Zealand ISPC | UAE DESC | ||
Singapore MTCS | UK Cyber Essentials Plus | ||
UK G-Cloud | |||
UK PASF |
Tools That Improve Compliance in Azure
Here are some of the tools offered by Microsoft Azure to help ensure regulatory compliance.
Azure Blueprints
Azure Blueprints is a powerful tool that allows cloud architects and central IT groups to define a repeatable set of Azure resources that adhere to an organization’s standards, patterns, and requirements. This service facilitates rapid deployment of new environments while ensuring compliance with organizational policies. Key features of Azure Blueprints include:
- Role Assignments: Azure Blueprints allows administrators to define and assign roles to users and groups, ensuring appropriate access controls are in place across all deployed resources.
- Policy Assignments: Administrators can assign policies that enforce specific compliance requirements, such as ensuring resources are tagged correctly or deployed in approved regions.
- Azure Resource Manager (ARM) Templates: Blueprints can deploy ARM templates, which define the infrastructure and configuration of Azure resources in a consistent manner.
- Resource Groups: Blueprint definitions can include resource groups, enabling the logical grouping and management of related Azure resources.
Azure Blueprints leverages Azure Cosmos DB to replicate blueprint objects across multiple regions, providing low latency, high availability, and consistent access. This global distribution ensures that organizations can reliably deploy and manage compliant environments regardless of geographical location.
Azure Policy
Azure Policy is an essential tool for enforcing organizational standards and assessing compliance at scale. It provides a robust framework for creating, assigning, and managing policy definitions that help ensure resources adhere to corporate policies and regulatory requirements. Key functionalities of Azure Policy include:
- Compliance Dashboard: Azure Policy offers an aggregated compliance dashboard that provides a comprehensive view of the overall compliance state of the environment. Users can drill down to specific resources and policies to identify non-compliant items.
- Policy Assignments: Policies can be assigned to management groups, subscriptions, or resource groups to enforce governance rules across the entire Azure environment.
- Remediation: Azure Policy supports bulk remediation for existing resources to bring them into compliance and automatic remediation for newly deployed resources.
- Common Use Cases: Azure Policy is commonly used for governance actions such as ensuring resources are deployed only to allowed regions, enforcing consistent application of taxonomic tags, and requiring resources to send diagnostic logs to a Log Analytics workspace.
With the integration of Azure Arc, policy-based governance can be extended to resources across different cloud providers and on-premises datacenters, providing a unified approach to compliance management.
Microsoft Purview Compliance Manager
Microsoft Purview Compliance Manager is a comprehensive solution designed to help organizations manage compliance across multicloud environments. It simplifies the process of assessing and managing compliance risks and provides detailed guidance to achieve regulatory compliance. Key features of Compliance Manager include:
- Pre-built and Custom Assessments: Compliance Manager offers pre-built assessments for common industry and regional standards and regulations. Organizations can also create custom assessments tailored to their specific compliance needs.
- Workflow Capabilities: The tool includes workflow capabilities that streamline the completion of risk assessments, allowing organizations to efficiently manage compliance tasks within a single tool.
- Improvement Actions: Compliance Manager provides detailed, step-by-step guidance on suggested improvement actions to help organizations comply with relevant standards and regulations. For Microsoft-managed actions, the tool offers implementation details and audit results.
- Compliance Score: A risk-based compliance score helps organizations understand their compliance posture by measuring progress in completing improvement actions. The Compliance Manager overview page displays the current compliance score and highlights key areas needing attention.
Azure Information Protection
Azure Information Protection (AIP) is a cloud-based solution that helps organizations classify, label, and protect data based on its sensitivity. AIP provides robust encryption services and integrates seamlessly with Microsoft Purview Information Protection. Key capabilities of AIP include:
- Sensitivity Labels: Organizations can apply sensitivity labels to classify data based on its sensitivity level. These labels can be configured to enforce encryption, access controls, and other protective measures.
- Information Protection Client: The client application allows users to apply labels and protection to documents and emails, ensuring sensitive information is handled appropriately.
- Information Protection Scanner: This tool scans on-premises repositories for sensitive data, applies labels, and enforces protection policies.
- Information Protection SDK: The SDK extends sensitivity labels to third-party applications and services, enabling developers to build support for applying labels and protection to files within their own solutions.
AIP helps organizations comply with data protection regulations by ensuring sensitive information is adequately protected and managed throughout its lifecycle.
Azure Advisor
Azure Advisor is a personalized cloud consultant that provides best practice recommendations to optimize Azure deployments. It analyzes resource configuration and usage telemetry, offering actionable insights to enhance cost efficiency, performance, reliability, and security. Key features of Azure Advisor include:
- Personalized Recommendations: Advisor provides proactive, actionable recommendations tailored to the specific configuration and usage patterns of the organization’s Azure resources.
- Categorized Recommendations: Recommendations are categorized into five key areas:
- Reliability: Ensures the continuity of business-critical applications by identifying and mitigating potential reliability issues.
- Security: Detects threats and vulnerabilities, offering recommendations to enhance the security posture of Azure resources.
- Performance: Provides insights to improve the speed and responsiveness of applications.
- Cost: Identifies opportunities to optimize and reduce overall Azure spending.
- Operational Excellence: Helps achieve process efficiency, manageability, and deployment best practices.
- Advisor Dashboard: The dashboard displays personalized recommendations for all subscriptions, allowing users to apply filters to view recommendations for specific subscriptions and resource types.
- Inline Actions: Advisor provides proposed actions inline with recommendations, making it easy for users to implement suggested improvements.
Azure Advisor helps organizations maintain compliance while optimizing their cloud operations by providing targeted, practical guidance on improving various aspects of their Azure deployments.
Security Best Practices to Support Azure Compliance
Here are some of the measures that organizations can take to ensure regulatory compliance in Azure.
Data Security and Encryption
Ensuring data security in Azure requires a multi-faceted approach to protect data at rest, in transit, and in use. Each state of data poses unique challenges and requires specific best practices to ensure its security.
Data at Rest:
- Disk Encryption: Utilize Azure Disk Encryption to protect data stored on virtual machines. For Linux VMs, use dm-crypt, and for Windows VMs, use BitLocker. This encryption ensures that even if the physical hardware is compromised, the data remains inaccessible without the encryption keys.
- Encryption Models: Use Azure Storage and Azure SQL Database, which offer default encryption. Control encryption keys using Azure Key Vault to ensure only authorized access. This helps meet regulatory requirements and enhances data security.
- Risk Mitigation: Encrypt drives before writing sensitive data to them. This practice prevents unauthorized access and is crucial for compliance with industry regulations, ensuring data integrity and confidentiality.
Data in Transit:
- Secure Transfers: Always use SSL/TLS protocols to encrypt data during transfer. For data moving between on-premises infrastructure and Azure, consider using HTTPS or VPNs. This encryption prevents eavesdropping and man-in-the-middle attacks.
- VPN Solutions: Use site-to-site VPNs for secure connections between on-premises networks and Azure virtual networks, and point-to-site VPNs for individual workstations. This setup ensures secure communication channels.
- High-Speed Links: For transferring large data sets, use Azure ExpressRoute, which can also be encrypted at the application level using SSL/TLS. This provides a high-performance, secure connection bypassing the public internet.
By implementing these best practices, organizations can ensure their data is securely protected across all states, meeting regulatory requirements and enhancing overall data security in Azure.
Network Security
Implementing robust network security measures is essential for protecting sensitive data and ensuring compliance in Azure environments. Here are key best practices to enhance network security:
Use Strong Network Controls:
- Centralized Management: Connect Azure VMs and appliances through Azure virtual networks and centralize the management of core network functions. This includes ExpressRoute, virtual network, and subnet provisioning, as well as IP addressing. Centralized management provides clear visibility into network security, reducing errors and enhancing reliability.
- Logically Segment Subnets: Use CIDR-based principles to create subnets and implement network access controls between them. Avoid broad allow rules with extensive IP ranges. Use network security groups (NSGs) to manage traffic and create flexible subnets to support future growth.
Adopt a Zero Trust Approach:
- Conditional Access: Implement Microsoft Entra Conditional Access to apply access controls based on conditions like device and network location. This ensures that access is granted based on verified trust claims rather than assumed network security.
- Just-in-Time Access: Enable port access only with workflow approval and grant temporary permissions for privileged tasks. This minimizes the risk of unauthorized access.
By following these best practices, organizations can significantly improve their network security, protecting sensitive data and maintaining compliance in Azure environments.
Identity Management and Access Control
Treating identity as the primary security perimeter is crucial for securing Azure environments, especially with the increasing adoption of cloud services and BYOD policies.
Centralized Identity Management:
- Microsoft Entra ID Integration: Use Microsoft Entra ID to integrate core directory services, application access management, and identity protection. Centralizing identity management enhances security and simplifies user access across environments.
- Establish a Single Entra Instance: Designate a single Microsoft Entra directory as the authoritative source for corporate accounts. This reduces complexity and mitigates security risks from human errors.
Implement Role-Based Access Control (RBAC):
- Segregate Duties: Assign permissions based on the principle of least privilege using Azure built-in roles. This minimizes the risk of over-privileged access and enhances security.
- Grant Security Teams Appropriate Access: Assign security teams the Azure RBAC Security Reader role to provide visibility into Azure resources for risk assessment and remediation.
By focusing on identity management and access control, organizations can ensure that access to resources is secure and well-managed, reducing the risk of unauthorized access and enhancing overall security.
Operational Security
Defining and deploying strong operational security practices is essential for maintaining a secure Azure environment. These practices involve enforcing multifactor authentication, managing user passwords, and organizing Azure subscriptions effectively.
Enforce Multifactor Authentication (MFA):
- Enable MFA for All Users: Implement MFA using Microsoft Entra Security Defaults to secure all user accounts. MFA requires users to provide two forms of identification, significantly reducing the risk of account compromise.
- Conditional Access Policies: Use Conditional Access to prompt for MFA under specific conditions, such as logins from untrusted locations. This method enhances security while providing a flexible user experience.
Manage and Monitor User Passwords:
- Password Protection: Follow Microsoft’s password guidance to secure user accounts. Ensure proper password management practices, such as enforcing strong passwords and regular updates.
- Monitor Suspicious Activities: Use Microsoft Entra security reports to detect risky sign-ins and user accounts. Automate high-risk password detection using Microsoft Entra ID Protection to identify and remediate compromised credentials.
By implementing these operational security practices, organizations can enhance the security of their Azure environments, ensuring that user accounts and sensitive information are well-protected.
Securing PaaS Deployments
In a cloud environment, the traditional network perimeter is no longer the primary defense line. Instead, identity and application security become critical. Here are best practices for securing PaaS deployments in Azure:
Identity as the Primary Security Perimeter:
- Strong Authentication and Authorization: Use federated identities with Microsoft Entra ID to implement strong authentication and authorization. Employ multifactor authentication (MFA) to further enhance security.
- Centralized Credential Management: Store and manage cryptographic keys and other secrets in Azure Key Vault. Avoid storing credentials in source code or public repositories to prevent unauthorized access.
Application Security:
- Authenticate Through Microsoft Entra ID: Use OAuth 2.0 for authorization, simplifying access management across web and mobile applications. Implement least privilege principles using Azure RBAC to minimize security risks.
- Monitor Security State: Employ Microsoft Defender for Cloud to continuously assess and improve the security posture of your App Service environments.
Managing Secure Workstations
Ensuring that workstations, especially those used for sensitive tasks, are secure is a critical component of a comprehensive security strategy. Implementing strict controls and security measures on these endpoints helps mitigate the risk of unauthorized access and data breaches.
Privileged Access Workstations (PAWs):
- Dedicated Workstations: Use secure, dedicated workstations for performing sensitive tasks and managing critical data. PAWs are configured with heightened security settings and isolated from regular user activities to minimize the risk of endpoint attacks.
- Endpoint Protection: Implement robust endpoint protection measures across all devices accessing data, whether on the cloud or on-premises. This includes using antivirus software, firewalls, and intrusion detection/prevention systems to safeguard against malware and other threats.
Security Policies and Monitoring:
- Enforce Security Policies: Apply stringent security policies on all devices, including enforcing strong passwords, automatic locking, and regular security updates. Ensuring compliance with these policies helps maintain a secure environment.
- Continuous Monitoring: Regularly monitor workstations for suspicious activities and vulnerabilities. Use tools like Microsoft Defender for Endpoint to detect and respond to potential threats in real-time, ensuring that any security issues are promptly addressed.
By securing workstations and enforcing strict security policies, organizations can significantly reduce the risk of unauthorized access and protect sensitive data from potential breaches.
Related content: Read our guide to Azure security best practices