1. Core tenets of Security, Privacy, and Compliance
In this section, we’re going to talk about privacy and compliance. Now, I’m going to give a caveat here. This is AZ-900, and it is supposed to be an overview of the fundamentals of Azure; some of it is quite practical, as we saw with the Azure Policy and Azure Blueprints section, and some of it is quite a bit higher level. And so we’re going to get into some privacy and compliance topics here that are a bit higher level. Microsoft has a concept called the Trusted Cloud. The Trusted Cloud is made up of the following five components: security, privacy, compliance, resiliency (which means it’s not going to go down; it’s always going to be available), and protecting intellectual property.
So those five together make up the Trusted Cloud. If we look at them individually, first we have security. Microsoft Azure is built with security in mind, so they don’t go and release new features without thinking about the security implications. Security is baked in, as they say, and they want to make sure that you as a customer have those tools and technologies available as well to protect your own applications and data. If we remember the division of responsibilities between Microsoft Azure and the clients that run on top of it, the applications and the data are always going to be your responsibility. And so they want to make sure that you have things you can use to manage your own security. Encryption seems to be baked in as well. So now all the virtual machines have encryption enabled.
All the storage accounts are encrypted as well. You can’t even turn these things off. So Azure is built around the encryption of customers’ data, and over the years they have also been rolling out advanced threat detection and tools to detect threats, monitor them and protect against them. The second tenet is the privacy element. The data is your data. Microsoft is never going to peek at your data, use your data against you, et cetera. That’s why it’s encrypted. And you have the ability to manage the security keys for your own storage, et cetera. They’re not going to mine that data or use it for marketing. You also control location. We know in the age of GDPR and various privacy laws around the world that the location of data is very important.
So you can basically specify that your data is located in this region and it shall never leave that geographic boundary. You can access your own data at any time. There is published information on how Microsoft responds to government requests: if the FBI were ever to want some information, they have to follow a particular process. And if you decide to discontinue your service, they’re not going to hang on to your data forever. There is a policy to follow there as well. The third tenet of the Trusted Cloud is compliance. There are international standards that they follow.
We can see them published; we’ll talk about that in a second. There are compliance certifications. So Microsoft not only follows standards, but they publish which ones they follow, and sometimes they get audited for following certain standards. There are regional standards as well, and they provide tools for following the standards in your industry. So let’s say you’re in the healthcare sector and you need to follow healthcare standards like HIPAA: there are 35 industries covered where you can have Microsoft help you meet those standards. The fourth area was resiliency, which typically means you’ve got backups and disaster recovery and high availability. It’s not only the ability to run your own applications in a highly available way; the underlying Microsoft Azure framework and fabric also needs to be highly available, so that downtime becomes a rare thing. And the last one of those trust standards is protecting IP. So they’re promising to you, and attesting to you, that they’re not going to steal your ideas and your code and then launch a competing service.
In other words, they’re not going to steal your IP in order to compete against you. There is also protection for you against frivolous infringement claims. So let’s say somebody claims a patent within the Linux OS space. Are they going to come after you because your applications run on Linux? Well, if your applications run on Linux within Microsoft Azure, Microsoft will protect you from those patent claims when people are trying to get at you by way of their services. And you can follow up with things such as the Shared Innovation Initiative, which is part of the Azure Trusted Cloud initiative. In this section we’re going to continue talking about various privacy, trust and compliance related issues.
2. Microsoft Privacy Statement and Online Services Terms (OST)
So the next requirement is to describe the purpose of the Microsoft Privacy Statement, the Online Services Terms and the Data Protection Addendum. The Microsoft Privacy Statement has a pretty cool URL: privacy.microsoft.com. If you go there, you can see that basically Microsoft is talking about the personal data they collect, how they use the personal data and why they need it; pretty standard stuff in terms of a privacy statement. But it is important to know that when you’re using Azure, or any Microsoft service, they have published the ways they use your data, their reasons for collecting it, and basically what laws and standards they follow. Now, it’s going to be very similar to the standard Online Services Terms,
or terms of service, as they are sometimes called. It took a little bit of digging, but I was able to find the universal license terms for online services. We can see it here at microsoft.com/licensing/terms, and then you can look for Online Services in the menu. Again, the purpose of this is basically to say: this is the level of service we’re promising you, this is our contract with you, and when you’re using our services, this is what you’re getting. And the third element of this is called the Data Protection Addendum, or DPA. Now, I’ll be honest with you, of all of those statements in the requirements this was the hardest thing to find. I ended up finding a Word document posted someplace that is the only thing that mentions the Data Protection Addendum in relation to Microsoft. I think these are all fairly related in terms of the privacy statement and the service terms. This one is basically about how they handle your data: where they store it, what they do if there’s a security incident, how that data is retained if you leave the service or delete the data, and how long they retain it for.
So the Data Protection Addendum is about the data specifically, including biometric data, et cetera. I will leave the footnote here again that this is fairly high level. I do not really expect to see this on the test, but it is in the requirements, and so I will mention it. These are the agreements that you agree to when you sign up for Azure, or when you create your applications and upload your data into Azure.
3. Trust Center
Alright, the next couple of requirements have to do with the Trust Center and Azure compliance, and we’ll end this section talking about the Azure sovereign regions. So, the Trust Center. There is a web page at microsoft.com/trust-center/cloud-services/azure, which is basically the place where a lot of this documentation lives. If you scroll through this and click on Security or GDPR, you can read about the standards they follow and how they are in compliance with various rules. The Privacy Statement is in there. We can read about government organizations, transparency; all of these things are in the Trust Center. So the Trust Center seems to be the portal for everything we’re talking about in this section of the course. It contains the various global government regulations that Azure follows, such as GDPR, the ISO standards, and the NIST security standards, from across the world.
We have a couple of hundred countries and regions in the world, and they all have slightly different standards. Sometimes they agree, sometimes they don’t. And Microsoft is basically documenting which standards they are in compliance with. So if it’s a requirement for your move to the cloud that you have to follow these standards, it might be important to know which standards the platform you’re moving your applications to follows, so that you’re in compliance with your own. As I said earlier in the course, they do give you tools so that you can be in compliance with your own standards. So let’s talk about something such as GDPR. This was in the news a few years ago. It’s a set of rules that allow EU citizens to have control over their own personal data, and it theoretically applies worldwide. So even if you are an American company, if you handle the data of an EU citizen, you have to follow these rules. There are strict conditions on how you collect data and strict conditions on how you have to protect it, or there are penalties. And if the data is somehow mishandled or hacked, you have to report it within a very short period of time. So that is the GDPR regulation. ISO has been around forever; it’s the International Organization for Standardization. And you can see there’s a checkbox here. I don’t know if this is the latest up-to-date version, but you can see that, depending on the standard (ISO 9001, ISO 20000), Azure is in compliance with a lot of the ISO standards. And the Azure Government region, which we’ll talk about in a second, is in compliance with most of them as well. So, for instance, ISO 9001 is the quality standard on how they find and fix issues through continual improvement. ISO 20000 is for service management, and this is how they handle ticketing and basically run IT as a service organization to the rest of the company.
The National Institute of Standards and Technology focuses a lot on compliance, security and privacy. We can see that there’s a whole page within the Trust Center for the NIST Cybersecurity Framework and how Azure works with the framework. So these are basically the standards that Microsoft complies with. There are, like I said, over 90 national standards and 50-something regional standards. Go to the Trust Center if it’s important to you and check that the standards you’re looking for are in there. It’s important for the exam just to know that they do follow standards and where to find them.
4. Azure Sovereign Regions
So the last topic in this section of the exam has to do with what are called sovereign regions. Now, I’ve mentioned before in this course that there are separate regions that you, as the general public, don’t have access to. In fact, you need a separate account to access some of these regions. So if we talk about, say, US government agencies, there’s a US Government cloud, and that does not run on the same physical hardware or the same network as the general public’s Azure portal. So you actually have to go to a separate website and sign up for a separate account. This is not available to the general public, obviously, and so you have to go through whatever the process is to prove that you are entitled to it.
Not only does the US Government have its own region, but the Department of Defense has its own region too. So there are actually two US Government regions. And of course, for the Department of Defense, it’s probably kind of hard to create an account on that one. These are isolated data centers, isolated locations. The networks are not connected. And so you almost have to think of Azure as being four or five different Azures, not just one Azure that everyone uses. So the government regions meet the standards that are specific to the US Government in this particular case. We saw when we were creating the policies and the Blueprints that there was a FedRAMP standard. Well, you can imagine that the networks that run in the US Government region and the DoD region are much more stringent in terms of meeting FedRAMP and the NIST standards. All of these standards, IRS, Department of Defense standards: of course, the government is going to have its own rules. And to access that portal, it’s portal.azure.us, not portal.azure.com. Something to keep in mind with that is that some of the functionality is different. So you might have services in the public Azure portal that don’t exist in the US Government portal. And the URLs are different. So if you are providing services to companies and you’re going to be using the cloud APIs to connect to those things, they have different URLs. That’s a particular trap if you’re dealing with both public customers and government customers. The US isn’t the only country with its own regions. Azure China runs as an independent company as well. They require a separate account and a separate login. Of course, the data remains in China, behind the Great Firewall.
So you could deploy services into mainland China, but you would then have to deal with the Chinese company separately. Now, there used to be a separate region for Germany, but now all of Europe follows those standards in terms of data protection, et cetera. So they don’t even consider Germany a separate sovereign region anymore.
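To make the endpoint trap from the sovereign-regions discussion concrete, here is an added example that is not part of the course: a small Python check that classifies Azure endpoint URLs by cloud using the documented hostname suffixes for the public, US Government and China clouds, and flags a configuration that mixes them. The configuration dictionaries and the storage account name are constructed samples, and the tenant ID is a placeholder.

```python
"""Classify Azure endpoint URLs by cloud and flag configurations that mix clouds."""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Documented hostname suffixes for each sovereign cloud (portal, ARM, login, storage).
CLOUD_SUFFIXES = {
    "AzureCloud": ("portal.azure.com", "management.azure.com",
                   "login.microsoftonline.com", "core.windows.net"),
    "AzureUSGovernment": ("portal.azure.us", "management.usgovcloudapi.net",
                          "login.microsoftonline.us", "core.usgovcloudapi.net"),
    "AzureChinaCloud": ("portal.azure.cn", "management.chinacloudapi.cn",
                        "login.chinacloudapi.cn", "core.chinacloudapi.cn"),
}

def detect_cloud(url: str) -> Optional[str]:
    """Return the cloud a URL belongs to, or None if the host is not recognised.

    Match the whole host or a parent domain, never a substring, so a look-alike
    such as management.azure.com.example.net is rejected.
    """
    host = (urlparse(url).hostname or "").lower()
    for cloud, suffixes in CLOUD_SUFFIXES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return cloud
    return None

def check_endpoint_consistency(config: Dict[str, str]) -> List[str]:
    """Return findings when endpoints are unrecognised or span clouds; [] means OK."""
    clouds = {name: detect_cloud(url) for name, url in config.items()}
    findings = [f"{name}: unrecognised host in {url}"
                for name, url in config.items() if clouds[name] is None]
    known = sorted({c for c in clouds.values() if c is not None})
    if len(known) > 1:
        findings.append(f"endpoints span {len(known)} clouds: {', '.join(known)}")
        findings.extend(f"{name}: {cloud}" for name, cloud in clouds.items() if cloud)
    return findings

# Constructed samples. MIXED_CONFIG is the trap described above: a US Government
# deployment that still authenticates against the public-cloud authority.
MIXED_CONFIG = {
    "authority": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER",
    "management": "https://management.usgovcloudapi.net/",
    "storage": "https://examplestorage.blob.core.usgovcloudapi.net/",
}
CONSISTENT_CONFIG = dict(
    MIXED_CONFIG, authority="https://login.microsoftonline.us/TENANT-ID-PLACEHOLDER")
```

The same per-cloud endpoint lists are what the Azure CLI switches between with `az cloud set --name AzureUSGovernment`, which is the usual way to avoid mixing them by hand.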