UK Police-Assured Secure Facilities (PASF)

UK PASF overview

The National Policing Information Risk Management Team (NPIRMT) of the UK Home Office is charged with ensuring that the storage of and access to police information meet its standards. Through the National Policing Information Risk Management Policy, it sets the central standards and controls for law enforcement agencies across the UK that are assessing the risk of moving police information systems to the cloud. The policy requires that all national police services in the UK that store and process protectively marked or other sensitive law enforcement information take an extra step in their risk assessment: a physical inspection of the datacenter where their data will be stored. The successful assessment of a datacenter determines that it is PASF.

Azure and UK PASF

Microsoft Azure can support UK law enforcement IT customers who require Police-Assured Secure Facilities (PASF) to process and store their data in the cloud. The NPIRMT completed a comprehensive security assessment of the physical infrastructure of Microsoft Azure datacenters in the UK and concluded that they are in compliance with NPIRMT requirements. There were no compliance issues or necessary remedial actions identified as a result of this assessment. Risks identified during PASF audits are managed according to the National Policing Accreditation Policy.

Local police services can use this NPIRMT assessment to support their own review. Using the NPIRMT policy guidelines, the senior information risk owner for each police service is responsible for assessing the suitability of an individual datacenter in the context of their particular application, which they then submit to the NPIRMT for approval.

Microsoft takes a holistic defense-in-depth approach to security. Our UK datacenters (like all Microsoft datacenters) are certified to comply with the most comprehensive portfolio of internationally recognized standards of any cloud service provider and consistently meet those requirements.

These certifications are backed by the measures that we take to protect the physical security of our datacenters. We adopt a layered approach that starts with how we design, build, and operate datacenters to strictly control physical access to the areas where customer data is stored. Microsoft datacenters have extensive levels of protection with access approval required at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. This structure reduces the risk of unauthorized users gaining physical access to datacenter resources.

Applicability

  • Azure UK datacenter physical infrastructure

Audit reports and certificates

The NPIRMT audits one Azure datacenter each year, cycling through the four Microsoft datacenters in the UK. The NPIRMT assessment that Microsoft datacenters are PASF is available through the Home Office for law enforcement customers who are conducting their own risk assessment regarding the use of cloud services.

How to implement

  • Azure UK OFFICIAL Blueprint helps you deploy a core set of policies for any Azure-based architecture requiring accreditation or compliance with the UK OFFICIAL requirements. With this blueprint, you can deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organization’s standards, patterns, and compliance requirements such as the UK OFFICIAL requirements. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. When the blueprint is assigned to an architecture, Azure Policy evaluates its resources for compliance with the assigned policy definitions.

Frequently asked questions

Can police departments in the UK use the Azure PASF assessment as part of their own risk assessments?
Yes. Law enforcement can use the NPIRMT assessment of Azure to support their own local risk assessment before a move to the cloud.
