Tuesday, February 14, 2023

Compliance and Governance with Microsoft Azure in Australia

Cloud adoption is a buzzword these days, but after moving to the cloud, can I walk away from all of my responsibilities?

This article discusses the various concerns and possible solutions that you, as a Microsoft Azure cloud advocate and user in Australia, can employ. However, the concepts discussed are applicable to any region.

Microsoft Azure is compliant with various regulations and standards, including the Australian Privacy Act, ISO 27001, and PCI DSS. Azure has also received certification from the Australian Signals Directorate (ASD) for compliance with the Information Security Registered Assessors Program (IRAP) and the Australian Government Information Security Manual (ISM).

But is that all we should be concerned about? Is there any responsibility on us as cloud users? Let's discuss data privacy and data retention concerns.


Data Privacy 

The Australian Privacy Act 1988 is a federal law that regulates how businesses in Australia handle personal information. The Act includes 13 Australian Privacy Principles (APPs) that set out guidelines for the collection, use, and disclosure of personal information.

If your business is using Microsoft Azure to store or process personal information, you'll need to ensure that you are compliant with the Australian Privacy Principles. Some of the key requirements of the APPs include:

  • Obtaining consent from individuals before collecting their personal information
  • Only collecting personal information that is necessary for your business
  • Keeping personal information secure and confidential
  • Allowing individuals to access and correct their personal information
  • Not disclosing personal information to third parties without consent

Data Retention

In Australia, businesses are required to retain certain types of data for a specified period of time. For example, tax records must be retained for at least five years, and employee records must be retained for at least seven years.


Industry-Specific Policies

Following are some industry-specific examples.

Healthcare providers must comply with the Australian Privacy Principles as well as the Health Records Act 2001, which sets out additional requirements for the handling of health information.

Financial institutions must comply with the Privacy Act 1988 as well as the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234, which sets out information security requirements for APRA-regulated entities.

I highly recommend that you check your industry's specific regulatory requirements.


Stay Ahead of Regulatory Concerns with Azure

So far we have looked at general regulatory concerns. Following are some tips to help you comply with policies and regulations.

Some tips to achieve data privacy

  • Conduct a privacy impact assessment to identify and address any privacy risks (Sample)
  • Ensure that your Azure environment is configured securely, including network security and access control measures
  • Implement data encryption to protect personal information stored in Azure
  • Ensure that you have a privacy policy in place that complies with Australian Privacy Principles 
  • Make the policy easily accessible to individuals

Some tips to achieve data retention

  • Implement retention policies in Azure to ensure that data is retained for the required period of time
  • Implement security measures to protect data from unauthorized access


Compliance and Governance with Azure


Following are some tools you can use to stay compliant with regulatory requirements and with your own policies. These should be considered alongside the Cloud Adoption Framework and the Azure Well-Architected Framework.

Azure Policy

Azure Policy is a service in Azure that allows you to create, assign, and manage policies that enforce rules and effects over your resources. Azure Policy helps you ensure that your resources are compliant with your organization's standards and regulatory requirements. 

You can also assign a policy initiative, which is a set of policies grouped together to govern your resources. Some common built-in initiatives cover HIPAA and GDPR. There is now a preview initiative called Australian Government ISM PROTECTED, whose policies you can enforce on resources to comply with the Australian Government Information Security Manual (ISM).
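To make the policy and initiative model concrete, here is an added example (not code from the original post or from Azure itself): a small offline evaluator for the Azure Policy rule language, run over a constructed two-policy initiative that denies resources outside Australian regions and audits resources missing a classification tag. The policy definitions, resource dictionaries and the subset of operators supported are assumptions made for illustration.

```python
# Added example, not code from the original post: a minimal offline evaluator for the
# Azure Policy rule language, run over a constructed two-policy Australian residency initiative.
import re
def field(resource, name):
    # Resolve a policy 'field' alias on a resource dict; 'tags[<key>]' mirrors the real alias.
    m = re.fullmatch(r"tags\[(.+)\]", name)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(name)
def resolve(value, params):
    # Replace "[parameters('x')]" with the assigned parameter value; anything else passes through.
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
        if m:
            return params[m.group(1)]
    return value
def matches(cond, resource, params):
    # Evaluate one condition block: logical operators first, then the field operators.
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = field(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")
def evaluate_initiative(initiative, resource):
    # Return {policy name: effect} for every policy whose 'if' block matches the resource.
    findings = {}
    for name, definition in initiative.items():
        params = {k: v["defaultValue"] for k, v in definition.get("parameters", {}).items()}
        rule = definition["policyRule"]
        if matches(rule["if"], resource, params):
            findings[name] = rule["then"]["effect"]
    return findings
# Constructed initiative: deny resources outside Australian regions, audit a missing classification tag.
AU_INITIATIVE = {
    "allowed-locations": {
        "parameters": {"allowedLocations": {"type": "Array",
            "defaultValue": ["australiaeast", "australiasoutheast", "australiacentral"]}},
        "policyRule": {"if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
                       "then": {"effect": "deny"}}},
    "require-classification-tag": {
        "policyRule": {"if": {"field": "tags[dataClassification]", "exists": "false"},
                       "then": {"effect": "audit"}}},
}
```

The real service evaluates these same `policyRule` shapes at deployment time (deny) or on a compliance scan (audit); an empty findings dict means the resource is compliant with every policy in the initiative.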

Azure Blueprint

Azure Blueprint is a service in Azure that allows you to define and maintain collections of Azure resources that comply with your organization's standards and regulatory requirements. An Azure Blueprint consists of artifacts such as policies, resource groups, role assignments, and resource templates that are versioned and published as a single unit.

When you create a blueprint, you define the set of artifacts that you want to include, and you specify the version of each artifact that you want to use. You can also define parameters that allow you to customize the blueprint when it is deployed.

Once you have defined your blueprint, you can publish it to the Azure Blueprint service. The service stores the blueprint and its artifacts in a versioned container that can be used to deploy the resources.

Ultimately, you end up with compliant resources that you can deploy to many environments and scopes.


Microsoft Purview

Microsoft Purview is a unified data governance solution that allows organizations to discover, classify, and manage their data across the enterprise.

Purview discovers data across on-premises and cloud environments, including data sources such as SQL Server, Oracle, Hadoop, and more. Purview uses a combination of automated scanning and crawling, as well as manual metadata entry, to create a comprehensive inventory of an organization's data assets.

Purview also allows organizations to catalog their data assets, creating a comprehensive and searchable inventory of all their data. The catalog includes metadata such as data lineage, business terms, and technical attributes, making it easier for organizations to manage and govern their data.


Role Based Access Control (RBAC) & Attribute Based Access Control (ABAC)

Azure RBAC is a built-in authorization system that manages access to Azure resources. It provides a granular level of access control by assigning roles to users, groups, and applications. We always need to comply with the principle of least privilege.

Azure Attribute Based Access Control (ABAC) is an authorization solution that provides a way to manage access to Azure resources based on the attributes of the user or resource. 


Conclusion

Governance and compliance are very broad topics that require your serious attention. Australia has its own set of regulatory requirements, and although Azure as a cloud provider complies with many of them, we still have to perform a lot of groundwork to stay compliant and secure.