One of the biggest areas of concern when an organization begins looking at moving its on-premises services to the cloud is losing control over its data.
In industries such as healthcare this is especially important because there are rules and regulations concerning the storage of and access to patient files and personal data.
In a recent white paper, Microsoft has provided insight and background into how healthcare organizations can use Microsoft's Azure cloud services to not only comply with the regulations surrounding patient data but also achieve cost savings by moving those services to the cloud.
"This Microsoft guidance helps customers understand how they can improve security of their solution service simply and effectively. In addition, each customer should have their own compliance mechanisms, policies, and procedures in place to ensure they do not use Azure in a way that violates any regulatory requirements. Users of Azure should independently verify with their own legal counsel that their implementation meets all local compliance regulatory requirements.
This paper provides insight into how Microsoft meets its compliance obligations on the platform and presents best practices and security principles that are aligned to International Organization for Standardization (ISO) 27001, Microsoft’s Security Development Lifecycle (SDL), and operational security for Microsoft online services."
This white paper is targeted at the following key personnel:
- Risk Managers
- Solution Architects
- Operation Managers
The 40-page document is broken down into three key areas:
- Compliance and security methodology
  - Aligning using ISO
  - Risk management
  - Standard Operating Procedures
- Incorporating regulation considerations for the health industry, HIPAA and EU Data Protection Directive
- Considerations and tools for success
  - Shared responsibilities
  - Applying data governance practices
  - Applying security practices
- Key principles and recommendations for secure development and operations
  - Enable identity and authentication solutions
  - Use appropriate access controls
  - Use industry-recommended, enterprise-wide antimalware solution
  - Effective certificate acquisition and management
  - Encrypt all customer data
  - Penetration testing
  - Threat modeling services and applications
  - Log security events, implement monitoring and visualization capabilities
  - Determine root cause of incidents
  - Train all staff in cyber security
  - Patch all systems and ensure security updates are deployed
  - Keep service and server inventory current and up-to-date
  - Maintain clear server configuration with security in mind
The paper wraps up with a use case for these features to help you understand how they can be implemented.
Ultimately, according to Microsoft, the goal is to help organizations subject to strict regulatory controls understand exactly how moving to the cloud can impact privacy, security and compliance for them.