Auditing the cloud
Article, 139KB, Microsoft Word file
Microsoft IT and auditors work closely to ensure that the Microsoft Azure public cloud is a fully auditable computing infrastructure. Read on to learn how Microsoft uses independently validated Azure services and features to automate corporate compliance.
When it’s time to talk to your auditors and demonstrate the advantages of moving to the cloud, this paper can help provide a framework for those conversations.
The cloud is new, compliance is not
Moving to the cloud is a major transformation. It’s not surprising that people have serious concerns about maintaining high network and data security standards in the cloud. How can you reassure auditors that the same stringent compliance requirements that you meet in the datacenter will also be satisfied in the cloud?
Auditors want to see evidence of compliance activities, such as:
Proof of configured, stored, and encrypted backups
Proof of user access control mechanisms
Proof of sensitive data management
In Microsoft IT, we found that network security compliance in the cloud is not first and foremost an issue of technology or skills. Rather, there is a larger cultural issue that we’ve addressed through ongoing communication and verification with auditors.
In fact, we are so focused on compliance that we test controls more intensely than a typical user would. We have allayed security concerns with control owners, risk managers, and auditors by showing them that Azure simplifies, automates, and operationalizes compliance activities.
Azure simplifies compliance
Compared to an on-premises environment, we have found that compliance activities are much easier in Azure. In many areas, auditability is built into the platform and can't be turned off. Many of the controls and control activities that affect compliance in an on-premises datacenter are less likely to fail in Azure. In some cases, the controls no longer even apply. Physical infrastructure is not necessary; instead, infrastructure is virtual. This means that there are fewer opportunities to introduce errors.
Microsoft regularly refreshes service certifications to ensure that Azure is current with as many international standards as possible.
Azure SQL Database makes automatic backups
With the Azure SQL Database service, backups are automatically created every hour. You don't have to opt-in to the process. Azure provides an audit trail, and you can immediately show that critical data can be recovered. Because of the simplification, tasks can be taken out of the hands of technical staff—almost anyone can do them. For example, in the cloud, your business does not have to rely on a complex process to create and retain Azure SQL Database backups.
Self-service auditing provides insight
The auditing function in Azure SQL Database tracks database events in a log and saves it in an Azure Storage account. In addition to meeting compliance regulations, the auditing function helps you see database activity and gives you insight into anomalies that could indicate business risk or suspected security violations. Auditable events include:
Access to data
Database structure changes (from DDL, or Data Definition Language statements)
Data changes (from DML, or Data Manipulation Language statements)
Accounts, roles, and permissions (from DCL, or Data Control Language statements)
Customized options include locally redundant backups, geo-redundant backups, and more. The audit logs are stored in an Azure storage account, for specific, pre-determined retention times.
Dynamic service certification
Certification standards for newly developed Azure services and features are constantly tracked and updated by a compliance team within the Azure product development group. Azure services and features are independently certified and meet international standards such as SOC 1, SOC 2, and ISO.
Microsoft wants to certify as many Azure services as possible, so that you do not have to choose from the suite of Azure service offerings. The international certification rigor means that no matter what the local or national laws are, Azure meets the common international standards. When your organization builds apps and services, service certifications should be thoroughly understood.
Azure automates compliance
In some cases, auditability simply cannot be turned off. For example, Azure SOC 1-certified services automatically enforce audit-ready recordkeeping. A detailed audit trail provides information such as which administrators were added to the subscription, when they were added, who added them, and how they were added.
Automated services compliance frees your high-value developers from tedious infrastructure management. They can dedicate their time to strategic application development and business needs. For example, the Azure Blob storage service retains large amounts of unstructured data, which can be published globally. It is fast and easy, and can be accessed from anywhere in the world using HTTP or HTTPS protocols. Important access details for this wide-ranging service, accessible from anywhere using common protocols, are automatically logged by Azure. This provides an immediate and critical audit trail.
Operationalized compliance activities
Microsoft uses Azure to structure and operationalize workflow processes. For example, when you create a new virtual machine in Azure, a template configures the virtual machine with settings that meet compliance requirements, such as automatic patching, scheduled updates, and anti-malware settings. In an on-premises environment, you or your IT team would have to do this work by hand or with a customized script.
The Azure Security Center shows you the security status of all Azure resources. Azure Security Center data simplifies compliance and makes it more efficient. Policy-driven controls are tailored to specific applications or types of data. Streamlined provisioning easily deploys security solutions—even network changes.
We use an analytics-driven approach that combines threat intelligence and expertise with security-related events across all Azure deployments at Microsoft. Security Center helps us to detect threats early, and it reduces false positives. Security alerts offer critical insights into the attack campaign, and suggest remediation techniques.
The Microsoft experience shows that cloud transition teams need to partner closely with control owners, risk managers, and internal and external auditors to test and validate processes. All teams need to be brought into the conversation to ensure that the compliance function is ready for the move to Azure, and that an organization is “cloud ready.” Our auditors can verify that Azure has simplified, automated, and operationalized security compliance functions at Microsoft.
For more information
© 2016 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.