The rise of data privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) has created a paradigm shift in how sensitive, business-critical and customer data is handled. Azure Compliance Manager is a new service to help customers manage the compliance requirements of the workloads they deploy in the cloud, aligned with the cloud's shared responsibility model.
In this blog we will take a closer look at Azure Compliance Manager and see how customers can leverage it to assess their compliance posture.
What Is Azure Compliance Manager?
Azure Compliance Manager is a new service from Azure that augments compliance reporting capabilities. It assesses an organization's adherence to the 90+ compliance frameworks Azure has defined for standards such as ISO/IEC 27018, GDPR, HIPAA, FedRAMP, and more, providing a risk assessment tool that can assist in defining a compliance posture and managing remediation activities.
Azure Compliance Manager operations are based on two main components: controls and assessments.
Azure Compliance Manager controls: Controls are high-level process containers that help to define the compliance-related activities for an environment. The controls are linked to the compliance standards against which the assessment is being done. There are three types of controls: Microsoft-managed, customer-managed, and shared management controls.
Microsoft-managed controls are those aspects of the compliance standards that are implemented by Microsoft. For example, the physical security of Azure data centers and access to authorized personnel for data protection.
For customer-managed controls, Microsoft provides prescriptive guidance and implementation steps that have to be carried out by the customer. Azure Compliance Manager helps to track the implementation of those controls as well, using its workflow functionality.
Shared management controls are used to track implementation of activities to be done by both Microsoft and the customer. Thus Azure Compliance Manager provides a holistic view of the controls for each compliance standard and helps track their implementation status, irrespective of whether the controls are owned by the customer, by Microsoft, or shared by both.
Azure Compliance Manager assessment: Azure Compliance Manager has built-in templates to assess a number of commonly used regulatory and compliance standards. An assessment consists of the in-scope service, the controls (both customer-managed and Microsoft-managed), and a score that indicates points achieved by meeting those controls.
In an assessment, the controls are grouped into different families, for example, security, PII sharing and transfer, and data privacy for GDPR compliance. The implementation of these controls by Microsoft is tested by a third-party auditor and documented in the assessment. In addition to the built-in templates, customers can develop their own assessment templates to track any other data protection control relevant to their environment.
The compliance score that Azure Compliance Manager provides gives insight into the risk level of the environment based on the non-compliant or failed controls associated with an assessment. A low score means the user should implement and test those controls to remediate the risk and improve the compliance score, and in that way ensure protection of data in the cloud.
Similarly, customers are also expected to address controls and document the test results to improve the compliance score, for example by encrypting personal data at rest and in motion. The relevant implementation documentation is shared by Azure Compliance Manager, and the control can then be assigned to the relevant team within the organization. That team can use the documentation to implement the control, document the test plan in Azure Compliance Manager, and upload the associated artifacts.
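To make the control/assessment model concrete, here is an added example (not code from the original post, and not Azure Compliance Manager's own API or scoring formula): a small Python model in which each control has an owner (Microsoft-managed, customer-managed or shared), a control family, a point value and an implementation/test status. The scoring rule used here, that only controls which are both implemented and tested earn their points, is an assumption made for illustration, as are the control IDs, families, point values and team names in the constructed sample assessment.

```python
"""Hypothetical model of a compliance assessment: controls with an owner, a
family, a point value and a status, plus a score and an open-actions list.
Scoring rule and all sample values are assumptions for illustration only."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Owner(Enum):
    MICROSOFT = "Microsoft-managed"
    CUSTOMER = "customer-managed"
    SHARED = "shared management"


class Status(Enum):
    NOT_STARTED = "not started"
    IMPLEMENTED = "implemented"            # implemented, test results not yet documented
    TESTED = "implemented and tested"      # the only status that earns points here
    FAILED = "failed"                      # tested and found non-compliant


@dataclass(frozen=True)
class Control:
    control_id: str
    family: str
    owner: Owner
    points: int
    status: Status
    assigned_to: str = ""   # team responsible for the customer-side work


def score(controls):
    """Return (achieved, total) points; only implemented-and-tested controls count."""
    total = sum(c.points for c in controls)
    achieved = sum(c.points for c in controls if c.status is Status.TESTED)
    return achieved, total


def score_by_family(controls):
    """Break the score down per control family (security, data privacy, ...)."""
    by_family = defaultdict(list)
    for c in controls:
        by_family[c.family].append(c)
    return {family: score(members) for family, members in by_family.items()}


def open_customer_actions(controls):
    """Controls the customer (alone or jointly with Microsoft) still has to
    implement and test, highest point value first so remediation is prioritised."""
    return sorted(
        (c for c in controls
         if c.owner is not Owner.MICROSOFT and c.status is not Status.TESTED),
        key=lambda c: -c.points,
    )


# Constructed sample assessment: IDs, families, points and team names are made up.
SAMPLE = [
    Control("MS-1", "Security", Owner.MICROSOFT, 5, Status.TESTED),
    Control("MS-2", "Security", Owner.MICROSOFT, 5, Status.TESTED),
    Control("C-1", "Data privacy", Owner.CUSTOMER, 8, Status.IMPLEMENTED, "storage-team"),
    Control("C-2", "Data privacy", Owner.CUSTOMER, 4, Status.NOT_STARTED, "privacy-office"),
    Control("S-1", "PII sharing and transfer", Owner.SHARED, 6, Status.FAILED, "security-ops"),
    Control("S-2", "PII sharing and transfer", Owner.SHARED, 3, Status.TESTED, "security-ops"),
]

if __name__ == "__main__":
    achieved, total = score(SAMPLE)
    print(f"Compliance score: {achieved}/{total}")
    for family, (a, t) in score_by_family(SAMPLE).items():
        print(f"  {family}: {a}/{t}")
    print("Open customer actions:")
    for c in open_customer_actions(SAMPLE):
        print(f"  {c.control_id} ({c.points} pts, {c.owner.value}) -> {c.assigned_to}: {c.status.value}")
```

Running the block prints a score of 13/31 for the sample, with the Security family fully met by Microsoft-managed controls and the remaining points blocked on three customer-side or shared controls, which is the remediation list a compliance team would work through and document test results for.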
However, none of these controls get to the heart of the question that many organizations need to face when trying to comply with strict data privacy regulation: Which data is sensitive? For that, Azure users can turn to NetApp Cloud Compliance.
NetApp Cloud Compliance: Accurate Visibility and Reporting on Sensitive Data in Azure
Azure Compliance Manager is an enabler in your cloud compliance journey. However, there is a wide range of controls where customers are expected to take action to ensure compliance with the entire host of data privacy regulations. Classifying data by context and identifying sensitive data is one such mandated control for compliance standards covering data stored anywhere, including Azure. GDPR-compliant companies, for example, must be able to identify the sensitive private data in their Azure storage volumes in case they are required to produce DSARs or are requested to delete that information.
NetApp Cloud Compliance delivers out-of-the-box capabilities driven by artificial intelligence to meet these data privacy requirements. For Azure users, Cloud Compliance is an add-on feature for Azure NetApp Files. Irrespective of the choice of storage service, NetApp Cloud Compliance helps customers to ensure always-on privacy controls.
Some of the key features of Cloud Compliance for Azure users include:
- Discovering, identifying, and classifying sensitive data across different Azure storage services.
- Contextually-aware, accurate reports on data that goes beyond PII, including sensitive private information such as biographical details, personal preferences, sexual orientation, ethnicity and more.
- Automatic graphic visibility into the distribution of personal data across an Azure storage environment.
- Automatically generated data subject access request (DSAR) reports.
- Visibility into data privacy violations that helps implement data access restrictions.
- Automatic privacy risk assessment reports required for compliance regulations.
As NetApp Cloud Compliance is built on AI and natural language entity recognition, it provides more contextual understanding and categorization of data when compared with solutions that depend on pattern matching for data identification. The data on the source volumes is scanned continuously to ensure always-on privacy, unlike one-time scanning solutions.
Azure Compliance Manager uses a predefined framework of rules and controls to provide insights into the compliance status of workloads deployed in Azure. HIPAA compliance, GDPR compliance, and CCPA compliance, however, require additional capabilities. For that, Azure users can rely on NetApp Cloud Compliance.
Cloud Compliance's always-on privacy controls and functionality make sure you can carry out the data privacy actions required by the major data privacy regulations. Easy to implement and integrate with existing cloud storage solutions, NetApp Cloud Compliance greatly simplifies the process of cross-platform data privacy management.