Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Azure Compliance: A Complete Guide

Azure Compliance

Whether you are already using Microsoft Azure or considering migrating to it, understanding the compliance landscape is essential to protect sensitive data while maintaining legal and regulatory obligations. Such regulations include HIPAA (for US organizations holding PHI), PCI (for organizations dealing with credit card information internationally), GDPR for EU citizen data (regardless of company location), and CCPA for citizens of California.

Complying with these regulations can be complex as each set of regulations has its own definition of “personal data” and different requirements for storing, processing, and sharing sensitive data. It is important to recognize that these regulations consider Microsoft as a “business partner”. As such, organizations are responsible for ensuring that Microsoft are able to meet the applicable standards. Achieving compliance involves not only technical measures, but also managerial processes, access policies, and protocols for responding to customer requests.

Azure HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) is a US regulation that sets standards for the protection of health information. It applies to healthcare entities, including doctors’ offices, hospitals, and insurers, as well as their business associates, such as cloud service providers. These business associates, which can include lawyers, accountants, and IT personnel, also have a responsibility to comply with HIPAA. If you use Azure, you will need to have an agreement with Microsoft to ensure HIPAA compliance.

The Microsoft Business Associate Agreement

HIPAA requires covered entities and their business associates to have contracts that ensure the protection of PHI. A Business Associate Agreement (BAA) outlines how PHI will be handled and the steps both parties will take to comply with HIPAA. However, simply having a BAA does not guarantee HIPAA compliance. It is the responsibility of the user to have proper compliance programs and internal processes in place. Microsoft provides guidance and resources, such as the Azure Security and Compliance Blueprint and Azure Blueprints, to help users ensure HIPAA compliance when using Azure.

Which Microsoft Azure services are HIPAA compliant?

To remain compliant with HIPAA, it is important to use Azure correctly and only connect it with approved Microsoft components. The following Microsoft components are covered under the BAA agreement:

  • Azure and Azure Government
  • Cloud App Security
  • Microsoft Health Bot Service
  • Microsoft Stream
  • Microsoft Professional Services: Premier and On Premises for Azure, Dynamics 365, Intune, and for medium business and enterprise customers of Office 365
  • Dynamics 365 and Dynamics 365 U.S. Government
  • Microsoft Flow cloud service, either standalone or included in Office 365 or Dynamics 365 plans
  • Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense
  • PowerApps cloud service, either standalone or included in Office 365 or Dynamics 365 plans
  • Power BI cloud service, either standalone or included in Office 365 or Dynamics 365 plans
  • Azure DevOps Services

Azure HIPAA Best Practices

Azure HIPAA Best Practices include implementing policies and procedures to prevent and detect security violations. Additionally, covered entities must:

  1. Assign a security official responsible for HIPAA compliance
  2. Identify employees with access to ePHI
  3. Enforce least privilege access to ePHI through permissions
  4. Train users on HIPAA rules and security policies
  5. Create plans for data backup and disaster recovery
  6. Regularly review and maintain policies and procedures
  7. Ensure third-party contractors understand the HIPAA requirements and are are able to adequately protect ePHI
  8. Limit and audit physical access to computers storing ePHI
  9. Establish policies for the use and disposal of devices and media storing ePHI
  10. Use technologies to monitor activity and ensure the integrity of ePHI
  11. Verify the identity of individuals accessing ePHI
  12. Ensure the security of transmitted data through encryption

In addition to these best practices, it is necessary to establish procedures for addressing customer inquiries and responding to security breaches.

Azure PCI Compliance

PCI compliance refers to the set of standards and guidelines developed by major credit card companies to protect credit card information. It is mandatory for organizations that handle payment card data and requires them to secure their systems against hackers. Unlike HIPAA compliance, PCI compliance does not require an agreement with Microsoft. While Azure, OneDrive for Business, and SharePoint Online can be considered PCI DSS compliant, the same cannot be said for services built or hosted on these platforms. However, there are several services within Azure, such as Azure and Azure Government, Cloud App Security, Graph, Intune, PowerApps, Power BI, that can be made PCI DSS compliant.

Azure CCPA Compliance

The California Consumer Privacy Act (CCPA) is a new law in the United States that aims to protect the privacy of California citizens by giving them control over how their personal information is stored, processed, and sold by companies. It is similar to the General Data Protection Regulation (GDPR) but has specific requirements for companies using Azure systems to be CCPA compliant. To determine if the CCPA applies to your business, you need to meet certain criteria, such as having an annual revenue of over $25 million or selling personal information of more than 50,000 California consumers. Non-compliance with the CCPA may result in fines and penalties enforced by the California Attorney General, with fines ranging from $100 to $750 per incident per consumer, and civil penalties up to $2,500 per violation or $7,500 per intentional violation.

Which Microsoft Azure services are CCPA compliant?

The Microsoft Azure services covered for CCPA use include Azure, Azure Dev Ops, Dynamics 365, Intune, Office 365, Support and Professional Services, and Visual Studio.

Microsoft acts as a service provider under the CCPA regulations. While most online services offered by Microsoft are already CCPA compliant, there are specific ways to use Azure to ensure compliance. This includes implementing processes to identify personal data within Azure and establishing a managerial system for handling customer requests. Microsoft provides tools for assessing compliance with GDPR, which can also be used for assessing compliance with CCPA. Establishing efficient processes for responding to Data Subject Access Requests, discovering and protecting sensitive data, and using email encryption capabilities are recommended for CCPA compliance.

Azure CCPA Best Practices

To maintain compliance with the CCPA when working with Azure, it is important to establish a labeling system for all personal data held in order to easily identify it. The CCPA grants consumers the right to know how their data is collected and used and allows them to make requests to access and delete their data. It is necessary for organizations to:

  1. Inform consumers of the categories and purposes of data collection before it takes place.
  2. Provide more detailed information in a privacy policy regarding the sources, business purposes, and categories of personal information collected, including any transfers of that information to other entities.
  3. Enable consumers to exercise their rights of access, deletion, and portability for their specific personal information.
  4. Allow consumers to opt-out of their data being sold, except for transfers to exempt entities like service providers.
  5. Implement an opt-in process for minors under the age of 16 to prevent their personal information from being sold without active consent.
  6. Avoid any form of discrimination against consumers who exercise their rights under the CCPA.

For further guidance on complying with the CCPA when using Azure, read Microsoft’s white paper on Managing Compliance in the Cloud.

Azure GDPR Compliance

The General Data Protection Regulation (GDPR) applies to organizations that collect and analyze data from EU residents, and requires them to be GDPR compliant, regardless of their location. Microsoft has supplied numerous resources to assist organizations in achieving compliance in Azure. Article 5 of the GDPR outlines key principles for handling data, providing a framework for compliance.

Which Azure services are GDPR compliant?

Microsoft’s approach to GDPR compliance in Azure does not provide a specific list of components that can be used, but instead offers the Azure Security and Compliance GDPR Blueprint. This Blueprint includes four reference architectures for building GDPR-compliant systems using Azure, including solutions for data analytics, data warehousing, infrastructure as a service, and platform as a service. These reference architectures serve as a template for organizations seeking to work with GDPR-covered data in Azure.

Azure GDPR Best Practices

To ensure GDPR compliance for your Azure system, there are several key practices and tools provided by Azure that can be implemented.

  1. The Azure Data Subject Requests for the GDPR portal offers step-by-step guidance on how to comply with GDPR requirements by retrieving personal data stored in Azure.
  2. Azure Policy, integrated into Azure Resource Manager, allows organizations to enforce policies across resources, preventing violations by developers. Compliance Manager is a risk assessment tool that helps manage regulatory compliance in the Azure cloud, providing a dashboard view of standards, regulations, and assessments.
  3. Azure Information Protection enables the labeling, classification, and protection of sensitive data, improving data governance.
  4. Azure Security Center offers unified security management and advanced threat protection, with integration with Azure Policy for applying security policies across hybrid cloud workloads.
  5. Azure Security and Compliance GDPR Blueprint provides resources and guidance for building and launching GDPR-compliant cloud applications with the help of Microsoft’s reference architectures, deployment guidance, and threat models.

How Lepide Helps with Azure Compliance

The Lepide Data Security Platform offers essential tools that help organizations comply with regulations like HIPAA, PCI, GDPR, and CCPA. Lepide’s solution is able to aggregate and analyze event data from a wide range of popular cloud platforms, including Azure AD. Below are some of Lepide’s most notable features/benefits.

Data Discovery & Classification: To comply with regulations such as HIPAA and CCPA, the first step is to identify and classify all sensitive data within your environment. Lepide offers an in-built data classification tool that will scan your repositories and classify data according to the relevant requirements.

Data Access Governance: After identifying sensitive data, the next step is to manage access to it. Lepide helps organizations understand and control who has access to data on their network. Via an intuitive dashboard, administrators can view the permissions for each folder across multiple data stores, allowing them to see and manage user access. Lepide also recommends changes to permissions based on user activity, promoting a least-privilege model.

Real-Time Change Auditing: To ensure the security of protected data, organizations need to monitor for potential threats. Lepide offers a full audit trail of data activity, and uses behavioral baselines and threat modeling to detect cybersecurity threats in real-time. If a user starts accessing protected data they haven’t accessed before, Lepide triggers an alert. Predefined compliance reports can be effortlessly generated and sent to the relevant authorities to demonstrate compliance.

If you’d like to see how the Lepide Data Security Platform can help with Azure compliance, schedule a demo with one of our engineers.