Microsoft’s Azure cloud computing services are designed to facilitate its clients’ compliance with various security frameworks and standards. Companies leverage Microsoft’s compliant architecture so that certain requirements (e.g. data center physical security and environmental controls) are the responsibility of Microsoft. This is a huge advantage to small to medium-sized businesses that don’t have the resources to maintain all the internal controls necessary to pass a SOC 2 or other type of IT audit. Microsoft offers a variety of levels of service where they take varying degrees of responsibility for IT controls. Microsoft can’t perform every IT control for every client, so there is always some degree of responsibility that remains with users of Azure to maintain their own internal controls.
Is Microsoft Azure SOC 2 Compliant?
Yes – Azure is SOC 2 compliant along with the following additional third-party validated frameworks: ISO 27001, ISO 27018, SOC 1, SOC 3, FedRAMP, HITRUST, MTCS, IRAP, and ENS. If your company needs to comply with any of these frameworks and you leverage Azure, you are already meeting some of the requirements of each framework by inheriting Microsoft’s Azure controls.
If I Leverage Azure’s SOC 2 Compliant Architecture, Does that Make My Company SOC 2 Compliant?
Yes and No – you will inherit some of Aure’s controls required to meet the SOC 2 criteria, but still be responsible for other controls. For example, some of the SOC 2 criteria are related to management oversight of information security and governance, employee onboarding and offboarding, system development, and identity management of system access. While Microsoft can provide architecture and tools to support their customer’s service, they cannot perform any of the controls related to information security oversight, HR processes, or access provisioning and de-provisioning. If you use Azure and get a SOC 2 report, your auditor should carve out the controls that Microsoft is responsible for and only include the controls your company is responsible for to meet the applicable SOC 2 criteria.
Which SOC 2 Requirements Does Azure Help Meet?
- Physical and environmental controls protecting hardware (e.g., servers, network devices, etc).
- Networking controls (more or less depending on which service you are utilizing from Azure).
- Data center business continuity and disaster recovery.
- Operating system hardening (for users receiving PaaS and SaaS services).
- Application controls (for users receiving SaaS services).
What is the Azure Security Center?
The Azure Security Center is a monitoring service provided by Microsoft to help companies monitor infrastructure and services, where hosted by Microsoft or on-premise. The Security Center is designed to help users predict, prevent, and respond to security threats.
Features of Azure Security Center:
- Automatically update endpoints with required security patches and malware protection.
- Use machine learning to identify and remediate vulnerabilities or malware before they can be exploited.
- Detect and analyze inbound attacks and help identify countermeasures.
- Just in time access control for network ports so they are only open for the time needed to perform their function.
- Allow users to view security posture across the organization as well as various security frameworks (e.g., SOC TSP, PCI) and identify opportunities for improvement.
- Streamline security management.
Azure Shared Responsibility Model
Prior to going through a SOC 2 audit, your auditor will need to determine which controls are the responsibility of Azure and which are the responsibility of your company. The controls Azure will be responsible for are dependent on the type of service your company leverages from Microsoft. One important aspect of a shared responsibility model is that there needs to be adequate governance at the top of the organization to understand and manage the division of responsibilities in meeting security requirements.
Azure as a Subservice Organization in Your SOC 2
See our past blog on carve out vs. inclusive reports.
If you use Azure to host your infrastructure and receive your own SOC 2 report, Azure is likely “carved out” of your report. Carved out is auditor-speak for not including Azure’s controls in your SOC 2 report and placing reliance on the work that Azure’s auditor did to confirm controls were operating effectively in their environment. Your SOC 2 report should identify which of the SOC 2 criteria Azure is responsible for and Azure’s controls would be considered complementary subservice organization controls within your report. In the unlikely event that Azure allowed your auditor to test Azure controls in addition to your controls, the report would be inclusive.
Azure Vendor Monitoring
See our past blog regarding vendor and subservice organization monitoring.
Trust, but Verify – Microsoft has built a reputation of trust related to the use of its Azure cloud services. They have also engaged a third-party SOC 2 auditor to test their internal controls and map them to SOC 2 criteria. It is incumbent on any customer of Azure’s cloud services to understand which SOC 2 related controls are the responsibility of Microsoft and which are the responsibility of the service organization. After the SOC 2 related controls that Azure provides to support your service are identified, it is important to develop vendor monitoring procedures to determine whether Azure is fulfilling their responsibilities and operating the relevant controls effectively.
Should My SOC 2 Be Less Expensive Because We are Leveraging Microsoft Azure?
Yes, you should save money on your SOC 2 by leveraging Azure! This is due to the fact that Microsoft is responsible for certain controls helping your company meet the SOC 2 criteria. Provided there are adequate vendor monitoring controls in place to ensure Microsoft is performing their expected controls, your audit report should be smaller (fewer controls) and as a result, less costly. Select an auditor that understands modern cloud architecture such as Azure and is able to pass along savings on the audit since some of the controls are the responsibility of Microsoft.
Please feel free to contact me with any questions regarding the use of Azure and SOC 2 compliance.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.