Allow me to run my Windows Azure application in compliance with standards such as PCI, HIPAA, etc.
Robert Lavigne commented
Need to be able to put in PCI data.
Gotta have both HIPAA and PCI compliance. HIPAA is in place sorta. It is very hard to figure this out, but you don't have to be a huge company to take advantage of the HIPAA that is in place (even though it sounds like you need an EA, they have separate EAs for Azure only that don't require the 250 machines). Problem is that the HIPAA isn't in place on all the services.
As far as PCI goes, I haven't seen or heard anything.
I love the platform and love the recently announced new features and new web management platform but seriously how many years and this still hasn't been achieved. It is becoming hard / embarrassing to advocate Azure when Amazon Web Services hardware and software stack are now PCI compliant.
John Wyler commented
Mike, your idea was posted almost three years ago. I'm surprised MS hasn't received the PCI compliance certification yet. The only reason why I'm looking at AWS is they are compliant. I love Azure, and this limitation has to be eliminated ASAP.
John Wyler commented
I need to build a PCI DSS compliant application, and I cannot use third party gateways. I like Azure, but the fact that it's not PCI-compliant sucks. I think AWS is PCI compliant now.
Richard Conway commented
This would be nice, but certification would take ages. PCI-DSS is relevant for me for one of the projects I'm on. I know that I can application harden to an extent that it would be no less secure than a hosted service, but it's the compliance issue that's a problem. Check out the new Windows Azure Trust Centre, which shows Microsoft's commitment to understanding these kinds of issues.
The base Windows Azure operating system is now ISO 27001
“The Information Security Management System for Microsoft Windows Azure including development, operations and support for the compute, storage (Windows Azure Storage), virtual network and virtual machine services, in accordance with Windows Azure ISMS statement of applicability dated September 28, 2011. The ISMS meets the criteria of ISO/IEC 27001:2005 ISMS requirements Standard.”
Basically you need to store data securely at rest. You can easily encrypt/decrypt data when accessing it from Azure Storage, however it would be nice to have this built in to make it easier. Also, adding Transparent Data Encryption support to SQL Azure would help complete meeting these requirements. Go vote for it here: http://www.mygreatwindowsazureidea.com/forums/34685-sql-azure-feature-voting/suggestions/402425-enable-transparent-data-encryption
PCI compliance is absolutely mandatory in the Hospitality sector where taking credit card payments (securely) is a requirement. How is Microsoft/Azure going to look to support PCI and PA-DSS (the certification software vendors need to go through to ensure their apps are compliant)?
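The encrypt-before-storing point raised above (protecting data at rest yourself rather than waiting for platform-level support) can be shown concretely. The following C# is an added example, not code from the thread or from Microsoft: it seals each record with AES-GCM before upload and binds the blob name into the authentication tag, so a ciphertext copied to a different blob name is rejected on decrypt. FakeBlobStore is a hypothetical in-memory stand-in for an Azure Storage container; the key source is a placeholder and the sample record is constructed. It assumes a runtime with System.Security.Cryptography.AesGcm (.NET 6 or later).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for an Azure Storage container (constructed for this example).
// A real application would call the storage SDK here instead.
public static class FakeBlobStore
{
    private static readonly Dictionary<string, byte[]> Blobs = new();
    public static void Upload(string name, byte[] data) => Blobs[name] = data;
    public static byte[] Download(string name) => Blobs[name];
}

public static class AtRestEncryptor
{
    private const int NonceSize = 12; // 96-bit nonce, the standard GCM size
    private const int TagSize = 16;   // 128-bit authentication tag

    // Envelope layout written to storage: nonce || tag || ciphertext.
    public static byte[] Seal(byte[] key, byte[] plaintext, string blobName)
    {
        // Fresh random nonce per record; a nonce must never repeat under the same key.
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagSize];
        // The blob name is passed as associated data: it is authenticated but not
        // encrypted, so the envelope only decrypts under the name it was sealed for.
        byte[] aad = Encoding.UTF8.GetBytes(blobName);
        using (var aes = new AesGcm(key, TagSize))
        {
            aes.Encrypt(nonce, plaintext, ciphertext, tag, aad);
        }
        byte[] envelope = new byte[NonceSize + TagSize + ciphertext.Length];
        Buffer.BlockCopy(nonce, 0, envelope, 0, NonceSize);
        Buffer.BlockCopy(tag, 0, envelope, NonceSize, TagSize);
        Buffer.BlockCopy(ciphertext, 0, envelope, NonceSize + TagSize, ciphertext.Length);
        return envelope;
    }

    public static byte[] Open(byte[] key, byte[] envelope, string blobName)
    {
        if (envelope.Length < NonceSize + TagSize)
            throw new CryptographicException("envelope too short");
        byte[] nonce = new byte[NonceSize];
        byte[] tag = new byte[TagSize];
        byte[] ciphertext = new byte[envelope.Length - NonceSize - TagSize];
        Buffer.BlockCopy(envelope, 0, nonce, 0, NonceSize);
        Buffer.BlockCopy(envelope, NonceSize, tag, 0, TagSize);
        Buffer.BlockCopy(envelope, NonceSize + TagSize, ciphertext, 0, ciphertext.Length);
        byte[] plaintext = new byte[ciphertext.Length];
        using (var aes = new AesGcm(key, TagSize))
        {
            // Throws a CryptographicException when the tag does not verify
            // (modified ciphertext, wrong key, or a different blob name).
            aes.Decrypt(nonce, ciphertext, tag, plaintext, Encoding.UTF8.GetBytes(blobName));
        }
        return plaintext;
    }
}

public static class Program
{
    public static void Main()
    {
        // Placeholder key source: in a deployment the key comes from a key store or HSM,
        // never from source code or a plaintext configuration file.
        byte[] key = RandomNumberGenerator.GetBytes(32); // AES-256
        // Constructed sample record, not real data.
        byte[] record = Encoding.UTF8.GetBytes("patient-id=12345;dob=1970-01-01");

        const string name = "records/12345";
        FakeBlobStore.Upload(name, AtRestEncryptor.Seal(key, record, name));

        byte[] roundTrip = AtRestEncryptor.Open(key, FakeBlobStore.Download(name), name);
        Console.WriteLine(Encoding.UTF8.GetString(roundTrip));

        // The same envelope presented under another blob name fails authentication.
        try
        {
            AtRestEncryptor.Open(key, FakeBlobStore.Download(name), "records/99999");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("decrypt refused: envelope is bound to a different blob name");
        }
    }
}
```

The design choice worth noting is that authenticated encryption alone does not stop an attacker with storage access from swapping one valid ciphertext for another; binding the blob name as associated data closes that gap. The remaining compliance question, where the key lives and who can read it, is exactly the part the example leaves as a placeholder.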
Paul Brown commented
In order to take credit card payments we are going to need to be PCI compliant (the merchants will often insist). Surely the intention of Azure is to also support SaaS vendors that will take card payments for their services which therefore makes PCI compliance quite crucial.
Don Rule commented
1. I need to know if there is any reason a Silverlight - Azure - SQL Azure application cannot be HIPAA compliant today (like database encryption - is it a hard requirement? - is it coming as a configuration option??)
2. The prescriptive guidance that Andy mentions would be great
This will definitely be a huge make/break with my company as well. Healthcare is growing real fast, especially with government requirements for EMR (Electronic Medical Record).
We are constantly being audited, and will not touch anything that is not certified as HIPAA compliant.
Sage Grahame commented
Healthcare isn't a small industry by any means. Thanks for the link pita.o
Any chance the following publication may advance the conversation?
We could use this for some of our work with highload payment systems but only if it is PCI compliant and there is clear documentation on how it is secure.
Mike, we are in the health care space and this is a definite must for us.
Thanks for clarifying Andy, I appreciate it. Sorry about the typo.
Hello! It's HIPAA (Health Insurance Portability and Accountability Act). And yes, clear verbiage describing how we're being HIPAA-compliant is going to be extremely important to any healthcare-related services.