Cloud – Compliance terms and requirements

When selecting a cloud provider to host your solutions, you should understand how that provider can help you comply with regulations and standards. Some questions to ask about a potential provider include:

  • How compliant is the cloud provider when it comes to handling sensitive data?
  • How compliant are the services offered by the cloud provider?
  • How can I deploy my own cloud-based solutions to scenarios that have accreditation or compliance requirements?
  • What terms are part of the privacy statement for the provider?

Compliance Offerings

The following list provides details about some of the compliance offerings available.

  • Criminal Justice Information Services (CJIS). Any US state or local agency that wants to access the FBI’s CJIS database is required to adhere to the CJIS Security Policy. Azure is the only major cloud provider that contractually commits to conformance with the CJIS Security Policy, which commits Microsoft to adhering to the same requirements that law enforcement and public safety entities must meet.
  • Cloud Security Alliance (CSA) STAR Certification. Azure, Intune, and Microsoft Power BI have obtained STAR Certification, which involves a rigorous independent third-party assessment of a cloud provider’s security posture. This STAR certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the Cloud Controls Matrix (CCM). This certification demonstrates that a cloud service provider:
    • Conforms to the applicable requirements of ISO/IEC 27001.
    • Has addressed issues critical to cloud security as outlined in the CCM.
    • Has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.
  • General Data Protection Regulation (GDPR). As of May 25, 2018, a European privacy law — GDPR — is in effect. GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.
  • EU Model Clauses. Microsoft offers customers EU Standard Contractual Clauses that provide contractual guarantees around transfers of personal data outside of the EU. Microsoft is the first company to receive joint approval from the EU’s Article 29 Working Party that the contractual privacy protections Azure delivers to its enterprise cloud customers meet current EU standards for international transfers of data. This ensures that Azure customers can use Microsoft services to move data freely through Microsoft’s cloud from Europe to the rest of the world.
  • Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a US federal law that regulates patient Protected Health Information (PHI). Azure offers customers a HIPAA Business Associate Agreement (BAA), stipulating adherence to certain security and privacy provisions in HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. To assist customers in their individual compliance efforts, Microsoft offers a BAA to Azure customers as a contract addendum.
  • International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27018. Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, covering the processing of personal information by cloud service providers.
  • Multi-Tier Cloud Security (MTCS) Singapore. After rigorous assessments conducted by the MTCS Certification Body, Microsoft cloud services received MTCS 584:2013 certification across all three service classifications:
    • Infrastructure as a Service (IaaS)
    • Platform as a Service (PaaS)
    • Software as a Service (SaaS)

    Microsoft was the first global cloud solution provider (CSP) to receive this certification across all three classifications.

  • Service Organization Controls (SOC) 1, 2, and 3. Microsoft-covered cloud services are audited at least annually against the SOC report framework by independent third-party auditors. The Microsoft cloud services audit covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). NIST CSF is a voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. Microsoft cloud services have undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits, and are certified according to the FedRAMP standards. Additionally, through a validated assessment performed by the Health Information Trust Alliance (HITRUST), a leading security and privacy standards development and accreditation organization, Office 365 is certified to the objectives specified in the NIST CSF.
  • UK Government G-Cloud. The UK Government G-Cloud is a cloud computing certification for services used by government entities in the United Kingdom. Azure has received official accreditation from the UK Government Pan Government Accreditor.

Benefits of cloud computing

Cloud computing isn’t an all-or-nothing service approach. Companies can choose to use the cloud to store their data and execute logic as much, or as little, as necessary to fulfill their business requirements. Existing businesses might choose a gradual movement to save money on infrastructure and administration costs (referred to as “lift and shift”), while a new company might start in the cloud.

Let’s learn some of the top benefits of cloud computing.

It’s cost-effective

Cloud computing provides a pay-as-you-go or consumption-based pricing model.

This consumption-based model brings with it many benefits, including:

  • No upfront infrastructure costs
  • No need to purchase and manage costly infrastructure that you may not use to its fullest
  • The ability to pay for additional resources only when they are needed
  • The ability to stop paying for resources that are no longer needed

This also allows for better cost prediction. Prices for individual resources and services are provided so you can predict how much you will spend in a given billing period based on your expected usage. You can also perform analysis based on future growth using historical usage data tracked by your cloud provider.

It’s scalable

You can increase or decrease the resources and services used based on the demand or workload at any given time. Cloud computing supports both vertical and horizontal scaling depending on your needs.

Vertical scaling, also known as “scaling up”, is the process of adding resources to increase the power of an existing server. Some examples of vertical scaling are: adding more CPUs, or adding more memory.

Horizontal scaling, also known as “scaling out”, is the process of adding more servers that function together as one unit. For example, you have more than one server processing incoming requests.

Scaling can be done manually or automatically based on specific triggers such as CPU utilization or the number of requests, and resources can be allocated or de-allocated in minutes.

It’s elastic

As your workload changes due to a spike or drop in demand, a cloud computing system can compensate by automatically adding or removing resources.

For example, imagine your website is featured in a news article, leading to a spike in traffic overnight. Since the cloud is elastic, it automatically allocates more computing resources to handle the increased traffic. When the traffic begins to normalize, the cloud automatically de-allocates the additional resources to minimize cost.

As another example, if you are running an application used by employees, you can have the cloud automatically add resources for the peak operating hours during which most people access the application, and remove the resources at the usual end of the day.

It’s current

When you use the cloud, you’re able to focus on what matters: building and deploying applications. Cloud usage eliminates the burdens of maintaining software patches, hardware setup, upgrades, and other IT management tasks. All of this is automatically done for you to ensure you’re using the latest and greatest tools to run your business.

Additionally, the computer hardware is maintained and upgraded by the cloud provider. For example, if a disk fails, the disk will be replaced by the cloud provider. If a new hardware update becomes available, you don’t have to go through the process of replacing your hardware. The cloud provider will ensure that the hardware updates are made available to you automatically.

It’s reliable

When you’re running a business, you want to be confident your data is always going to be there. Cloud computing providers offer data backup, disaster recovery, and data replication services to make sure your data is always safe. In addition, redundancy is often built into cloud services architecture so if one component fails, a backup component takes its place. This is referred to as fault tolerance and it ensures that your customers aren’t impacted when a disaster occurs.

It’s global

Cloud providers have fully redundant data-centers located in various regions all over the globe. This gives you a local presence close to your customers to give them the best response time possible no matter where in the world they are.

You can replicate your services into multiple regions for redundancy and locality, or select a specific region to ensure you meet data-residency and compliance laws for your customers.

It’s secure

Think about how you secure your data center. You have physical security – who can access the building, who can operate the server racks, and so on. You also have digital security – who can connect to your systems and data over the network.

Cloud providers offer a broad set of policies, technologies, controls, and expert technical skills that can provide better security than most organizations can otherwise achieve. The result is strengthened security, which helps to protect data, apps, and infrastructure from potential threats.

When it comes to physical threats to cloud infrastructure, cloud providers invest heavily in walls, cameras, gates, security personnel, and so on, to protect physical assets. They also have strict procedures in place to ensure employees have access only to those resources that they’ve been authorized to manage.

Let us talk about digital security. You want only authorized users to be able to log in to virtual machines or storage systems running in the cloud. Cloud providers offer tools that help you mitigate security threats, and you must use these tools to protect the resources you use.

Summary

Cloud computing makes running a business easier. It’s cost-effective, scalable, elastic, current, reliable, and secure. This means you’re able to spend more time on what matters and less time managing the underlying details.

What is cloud computing?

Introduction

When you turn on a light, you simply want the light to work. You know you need electricity for that to happen, but in that moment, the details of how the electricity gets to the light bulb aren’t important. You might not think about electricity being created in a power plant, traveling through a large network of high-voltage transmission lines to your town, going through a substation, and eventually making its way into your home.

The process of turning on a light is hidden behind the simple act of flipping a switch. At this point, electricity becomes a utility, which has many benefits. First, you only pay for what you need. When you buy a light bulb, you don’t pay your electricity provider up front for how long you could possibly use it. Instead, you pay for the amount of electricity that you actually use. Second, you don’t worry about how or when power plants upgrade to the latest technology. Finally, you don’t have to manage scaling the electricity. For example, as people move to your town, you can rest assured that your light will stay on.

As a technology professional, it would be nice to have these same benefits when developing and deploying applications. Storing data, streaming video, or even hosting a website all require managing hardware and software. This management is an unnecessary obstacle when delivering your application to your users. Luckily, there is a solution to this problem: cloud computing.

Learning objectives

In this module, you will:

  • Explore common cloud computing services
  • Explore the benefits of cloud computing
  • Decide which cloud deployment model is best for you

What is cloud computing?

Cloud computing is renting resources, like storage space or CPU cycles, on another company’s computers. You only pay for what you use. The company providing these services is referred to as a cloud provider. Some example providers are Microsoft, Amazon, and Google.

The cloud provider is responsible for the physical hardware required to execute your work, and for keeping it up-to-date. The computing services offered tend to vary by cloud provider. However, typically they include:

  • Compute power – such as Linux servers or web applications
  • Storage – such as files and databases
  • Networking – such as secure connections between the cloud provider and your company
  • Analytics – such as visualizing telemetry and performance data

Cloud computing services

The goal of cloud computing is to make running a business easier and more efficient, whether it’s a small start-up or a large enterprise. Every business is unique and has different needs. To meet those needs, cloud computing providers offer a wide range of services.

You need to have a basic understanding of some of the services that cloud computing provides. Let’s briefly discuss the two most common services that all cloud providers offer – compute power and storage.

Compute power

When you send an email, book a reservation on the Internet, pay a bill online, or even take this Microsoft Learn module, you’re interacting with cloud-based servers that are processing each request and returning a response. As consumers, we’re all dependent on the computing services provided by the various cloud providers that make up the Internet.

When you build solutions using cloud computing, you can choose how you want work to be done based on your resources and needs. For example, if you want to have more control and responsibility over maintenance, you could create a virtual machine (VM). A VM is an emulation of a computer – just like your desktop or laptop you’re using now. Each VM includes an operating system and hardware that appears to the user like a physical computer running Windows or Linux. You can then install whatever software you need to do the tasks you want to run in the cloud.

The difference is that you don’t have to buy any of the hardware or install the OS. The cloud provider runs your virtual machine on a physical server in one of their data-centers – often sharing that server with other VMs (isolated and secure). With the cloud, you can have a VM ready to go in minutes at less cost than a physical computer.

VMs aren’t the only computing choice – there are two other popular options: containers and serverless computing.

What are containers?

Containers provide a consistent, isolated execution environment for applications. They’re similar to VMs except they don’t require a guest operating system. Instead, the application and all its dependencies are packaged into a “container” and then a standard run-time environment is used to execute the app. This allows the container to start up in just a few seconds, because there’s no OS to boot and initialize. You only need the app to launch.

The open-source project, Docker, is one of the leading platforms for managing containers. Docker containers provide an efficient, lightweight approach to application deployment because they allow different components of the application to be deployed independently into different containers. Multiple containers can be run on a single machine, and containers can be moved between machines. The portability of the container makes it easy for applications to be deployed in multiple environments, either on-premises or in the cloud, often with no changes to the application.

What is serverless computing?

Serverless computing lets you run application code without creating, configuring, or maintaining a server. The core idea is that your application is broken into separate functions that run when triggered by some action. This is ideal for automated tasks – for example, you can build a serverless process that automatically sends an email confirmation after a customer makes an online purchase.

The serverless model differs from VMs and containers in that you only pay for the processing time used by each function as it executes. VMs and containers are charged while they’re running – even if the applications on them are idle. This architecture doesn’t work for every app – but when the app logic can be separated into independent units, you can test them separately, update them separately, and launch them in microseconds, making this approach the fastest option for deployment.

Here’s a diagram comparing the three compute approaches we’ve covered.

[Diagram: VMs vs. containers vs. serverless]

Storage

Most devices and applications read and/or write data. Here are some examples:

  • Buying a movie ticket online
  • Looking up the price of an online item
  • Taking a picture
  • Sending an email
  • Leaving a voicemail

In all of these cases, data is either read (looking up a price) or written (taking a picture). The type of data and how it’s stored can be different in each of these cases.

Cloud providers typically offer services that can handle all of these types of data. For example, if you wanted to store text or a movie clip, you could use a file on disk. If you had a set of relationships such as an address book, you could take a more structured approach like using a database.

The advantage to using cloud-based data storage is you can scale to meet your needs. If you find that you need more space to store your movie clips, you can pay a little more and add to your available space. In some cases, the storage can even expand and contract automatically – so you pay for exactly what you need at any given point in time.

Summary

Every business has different needs and requirements. Cloud computing is flexible and cost-efficient, which can be beneficial to every business, whether it’s a small start-up or a large enterprise.