Design Compliance Strategy
Data is one of most precious resources for many companies. It could be a big enterprise but also small SaaS. It is also one of components in shared responsibility model but today I would like to focus more on regulations required in industries or by government in our countries.
Regulations
Data is an unbelievably valuable resource and is subject to numerous regulations in many regions of the world. As an example, in the European region, we have GDPR with tell us and requires us how and where our data should be stored or processed and even what information we should provide for our customers on their request. Of course, there are many more regulations specific to industries. Examples of such standards, organizations, controls, and legislation are ISO27001, NIST, PCI-DSS.
Compliance strategy
According to Gartner analysis Worldwide Public Cloud Services End-User Spending Forecast (Millions of U.S. Dollars) https://www.gartner.com/en/newsroom/press-releases/2021-04-21-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-23-percent-in-2021
Behind those numbers is also a large amount of data stored and processed by our systems which is getting bigger and bigger from year to year. This is the reason we should take care of data governance and design appropriate compliance strategies which help us to meet requirements provided by distinct types of regulations.
Fortunately, Microsoft has some tools which help us in this task.
Tools
Microsoft offers a few tools which help us with identification and governance of data in our systems. Below are a few of them.
- Azure Policy
Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for added resources.
- Microsoft Defender for Cloud
Microsoft Defender for Cloud is a Cloud Workload Protection Platform (CWPP) that also delivers Cloud Security Posture Management (CSPM) for all your Azure, on-premises, and multi-cloud (Amazon AWS and Google GCP) resources.
- Microsoft Priva
Priva’s capabilities are available through two solutions: Priva Privacy Risk Management , which provides visibility into your organization’s data and policy templates for reducing risks; and Priva Subject Rights Requests , which provides automation and workflow tools for fulfilling data requests. You can choose to purchase one or both modules to suit your organization’s needs.
- Microsoft Purview Compliance Manager
Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.
How to design compliance strategy?
- First, we need to understand what type of compliance we should meet in our industry with Cloud Data Integrity at its Finest | Microsoft Trust Center can help as a lot as starting point to understand what type of Privacy and Compliance we need.
- Second step we can go deeper and check what regulations we need to meet as ex. in Poland Financial Services Compliance resources for Poland (microsoft.com)
- The third step is to analyze what type of data do we have in our systems. Here we can use several tools for that as ex. Data Discovery & Classification on Azure SQL databases or Microsoft Priva to analyze data in Office 365.
- The fourth step is to implement Azure Policy Initiatives which enable Data Discovery & Classification on database instances
- The fifth step is to enable Microsoft Defender for Cloud and specific regulatory standards for our industry
- The sixth step is to monitor progress in Regulatory compliance score metrics in Defender for Cloud
Summary
Using tools provided by Microsoft it is quite easy to begin with design of compliance strategy, but things get more complicated if the amount of data and services which we are using is huge.