In 2018, the Office for Civil Rights collected Health Insurance Portability and Accountability Act (HIPAA) settlements worth $30 million, including a record $16 million settlement. Under the GDPR, businesses have been fined $158 million, with an eye-watering $50 million fine for Google. Each year, the payment card industry fines many organizations for PCI-DSS violations, and acquiring banks pass those fines on to merchants and other businesses, with many losing their ability to take credit card payments.
A business that handles private customer data, healthcare records, or sensitive financial information faces regulatory oversight. The cost of non-compliance can be substantial, but so can the cost of compliance. It is often infrastructure security failings that expose businesses to the risks of non-compliance. And it is the complexity of securing large cloud infrastructure deployments that makes compliance so expensive.
Microsoft has worked with enterprise organizations for decades, providing platforms and services that help them comply with regulatory standards. Azure is no different. It includes several tools that help businesses with governance and compliance, reducing cost and complexity.
How Does Azure Help with Compliance?
Azure provides a secure and flexible foundation for building application and data hosting platforms that comply with a wide variety of regulations. As with all aspects of cloud hosting, compliance is a partnership between the cloud vendor and the user. Azure provides the tools and services, but it’s up to users to manage them in accordance with the regulations relevant to their industry.
We’re going to look at a couple of tools that come at the problem from different perspectives, or, to put it another way, that answer two different questions.
- How do I know my infrastructure is compliant?
- How can I be sure the infrastructure I deploy is compliant from the start?
Regulatory Compliance Dashboard
Monitoring is one of the biggest challenges of regulatory compliance. How do you know whether your infrastructure follows the rules? Servers and storage evolve as business requirements change. Cloud platforms are inherently flexible, and it’s straightforward for employees to deploy servers that may not meet regulatory requirements.
Over the last few years, many of the most significant security breaches have been the result of employees dumping sensitive data in insecure databases or storage platforms—convenience and short-term benefit often trump long-term security.
Azure Security Center’s regulatory compliance dashboard helps to answer our first question: How do I know whether my infrastructure is compliant?
It provides continuous insight into a business’s compliance posture, analyzing risk factors and presenting users with recommendations to mitigate them. At the time of writing, the regulatory compliance dashboard supports a handful of standards by default, including PCI DSS 3.2, ISO 27001, and SOC TSP, but others can be added, including UK NHS, SWIFT CSP CSCF-v2020, and the Azure Security Benchmark.
The compliance dashboard has limitations, and many regulatory standards are missing, including HIPAA. But Azure does provide rich monitoring and alerting features that can help businesses to keep a close eye on their security and privacy.
Azure Blueprints
Azure Blueprints allows users to define a repeatable set of Azure resources that conform to the standards and policies of their organization. With Blueprints, businesses can define which resources should be deployed, how they should be organized, and other features such as role and policy assignments. When they deploy a new environment with a Blueprint, they can be confident that it complies with their predetermined standards.
Microsoft has created a set of production-ready Blueprint samples that help businesses to comply with a wide variety of standards. These include HIPAA HITRUST, NIST SP 800-53 R4 and R2, PCI-DSS v3.2.1, IRS 1075, and about a dozen more.
In addition to Blueprints, Azure features another service for deploying pre-defined infrastructure: Azure Resource Manager (ARM) templates. These allow users to implement infrastructure as code, deploying resources and groups of resources according to JSON recipes.
Azure Blueprints and ARM templates are related but distinct. Blueprints can be used to package artifacts like ARM templates and policy assignments, allowing you to version control those artifacts and assign them to Azure environments. Unlike with a template, the relationship between a Blueprint and the resources it deploys is maintained after deployment, so organizations can track which version of a Blueprint is currently assigned to a subscription, which is great for compliance monitoring and awareness.
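The "compliant from the start" idea above can be applied to an ARM template before anything is deployed: the JSON recipe is data, so it can be checked against the same kind of rules a policy assignment would enforce. The following is an added illustration written for this article, not Microsoft's tooling or code from the original page; the template and the three storage-account rules are constructed for the example, though the property names (supportsHttpsTrafficOnly, minimumTlsVersion, allowBlobPublicAccess) are real ARM properties.

```python
import json

# Constructed sample ARM template (not from the article): two storage accounts,
# one hardened and one that would fail a typical "secure transfer" policy.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "compliantsa",
         "apiVersion": "2021-04-01", "location": "uksouth",
         "sku": {"name": "Standard_LRS"}, "kind": "StorageV2",
         "properties": {"supportsHttpsTrafficOnly": True,
                        "minimumTlsVersion": "TLS1_2",
                        "allowBlobPublicAccess": False}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "legacysa",
         "apiVersion": "2021-04-01", "location": "uksouth",
         "sku": {"name": "Standard_LRS"}, "kind": "StorageV2",
         "properties": {"supportsHttpsTrafficOnly": False,
                        "minimumTlsVersion": "TLS1_0"}},
    ],
})

# Each rule: (resource type, predicate over the resource's properties, finding).
# The rule set is ours; it mirrors common storage-account policy definitions.
# A missing property counts as a failure, since the default is not the secure choice.
RULES = [
    ("Microsoft.Storage/storageAccounts",
     lambda p: p.get("supportsHttpsTrafficOnly") is True,
     "secure transfer (HTTPS only) is not enforced"),
    ("Microsoft.Storage/storageAccounts",
     lambda p: p.get("minimumTlsVersion") == "TLS1_2",
     "minimum TLS version is below 1.2"),
    ("Microsoft.Storage/storageAccounts",
     lambda p: p.get("allowBlobPublicAccess") is False,
     "public blob access is not explicitly disabled"),
]


def check_template(template_json):
    """Return (resource name, finding) pairs for every rule a top-level resource fails."""
    template = json.loads(template_json)
    findings = []
    for resource in template.get("resources", []):
        props = resource.get("properties", {})
        for rtype, passes, message in RULES:
            if resource.get("type") == rtype and not passes(props):
                findings.append((resource["name"], message))
    return findings


if __name__ == "__main__":
    for name, message in check_template(SAMPLE_TEMPLATE):
        print(f"{name}: {message}")
```

Only top-level resources are inspected; nested or linked templates would need the same walk applied recursively.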
In this article, we’ve discussed two of Azure’s services to help businesses comply with regulatory standards. If you’d like to learn more about regulatory compliance and your Azure infrastructure, contact an Azure specialist today for a free initial consultation.