The Secure Development Lifecycle
To provide foundational, built-in security to all Azure services from the outset, Microsoft adheres to the Secure Development Lifecycle when building their applications. This process includes two methodologies that are highly relevant to GDPR compliance: privacy-by-design and privacy-by-default.
Azure Security Center (ASC)
ASC is a robust suite of security tools that includes advanced, analytics-rich security health monitoring; security vulnerability discovery and prevention; security threat alerts; and in-depth security recommendations.
Microsoft cloud services offer and support a wide range of encryption services, standards, methodologies and best practices to help administrators protect personal data:
Personal-data accuracy, confidentiality and availability
Azure has an impressive line of services that can help your organization comply with GDPR’s requirements concerning the confidentiality, accuracy and availability of personal data. These include Azure AD, as well as a long list of other powerful Microsoft and Azure-specific services:
Azure’s security standards and certifications
Azure has earned the following important security certifications:
Records and reporting
The GDPR requires that organizations maintain detailed records that document their handling of personal data. The following Azure services have auditing features to help organizations achieve compliance in this critical area:
- Azure Security Center: gather and view security logs across Azure’s suite of services.
- Azure Active Directory logs: track app-usage and logins.
- Azure Storage Analytics: track requests for data housed in Azure Storage.
- Azure Log Analytics: gain insight into Syslogs, IIS logs, and Windows Event logs.
- Azure Diagnostics: view Azure virtual machine event logs/
- Azure monitoring services: track customers’ API calls within their Azure resources.
International flows of personal data
Under the GDPR, the transmission of personal data into and out of the EU, as well as to and from third-parties, must meet certain requirements. Accordingly, Azure has adopted a regional datacenter approach.
Whenever a Microsoft service, or a partnering third-party, does not have the capacity to specify a region for personal data storage, Microsoft requires that they contractually agree to comply with applicable EU-U.S. Privacy Shield Frameworkand EU Model Clauses governing the transmission of personal data from the EU to countries outside the European Economic Area (EEA).
Microsoft also limits third-party access to customer data. For organizations, such as hospitals, that need to complete Data Protection Impact Assessments (DPIA) with respect to their Azure usage, the Microsoft Trust Center provides a wealth of information regarding how their services process and protect personal data.
A GDPR-compliance dashboard
In addition to the wealth of Azure services already in place to help organizations make a smooth transition to GDPR-compliance, Microsoft is currently putting the finishing touches on a unified solution to pull it all together.
On September 25th, Microsoft announced Compliance Manager, which is currently in preview. With the help of the new dashboard and the rich set of Azure services outlined above, your organization should soon have everything it needs to meet the demands of a new era of personal data protection.
Long Story Short? GDPR Reminds Us to Focus on the Customer, Not Ourselves