How can we improve Windows Azure's Compliance?

← Compliance

Allow me to run my Windows Azure application in compliance with standards such as PCI, HIPAA, etc.

340 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Forgot password?
    Create a password
    I agree to the terms of service
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    Mike WickstrandAdminMike Wickstrand (Admin, Microsoft Windows Azure) shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    18 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Forgot password?
      Create a password
      I agree to the terms of service
      Signed in as (Sign out)
      Close
      Close
      Submitting...
      • CaseyCasey commented  ·   ·  Flag as inappropriate

        Gotta have both HIPAA and PCI compliance. HIPAA is in place sorta. It is very hard to figure this out, but you don't have to be a huge company to take advantage of the HIPAA that is in place (even though it sounds like you need an EA, they have separate EAs for Azure only that don't require the 250 machines). Problem is that the HIPAA isn't in place on all the services.

        As far as PCI goes, I haven't seen or heard anything.

      • EmbersEmbers commented  ·   ·  Flag as inappropriate

        I love the platform and love the recently announced new features and new web management platform but seriously how many years and this still hasn't been achieved. It is becoming hard / embarrassing to advocate Azure when Amazon Web Services hardware and software stack are now PCI compliant.

      • John WylerJohn Wyler commented  ·   ·  Flag as inappropriate

        Mike, your idea was posted almost three years ago. I'm surprised MS hasn't received the PCI compliance certification yet. The only reason why I'm looking at AWS is they are compliant. I love Azure, and this limitation has to be eliminated ASAP.

      • John WylerJohn Wyler commented  ·   ·  Flag as inappropriate

        I need to build a PCI DSS compliant application, and I cannot use third party gateways. I like Azure, but the fact that it's not PCI-compliant sucks. I think AWS is PCI compliant now.

      • Richard ConwayRichard Conway commented  ·   ·  Flag as inappropriate

        This would be nice but certificate would take ages. PCI-DSS is relevant for me for one the projects I'm on. I know that I can application harden to an extent that it would be no less secure than a hosted service but it's the compliance issue that's a problem. Check out the new Windows Azure Trust Centre which show Microsoft's commitment to understanding these kinds of issues.

      • AzureAzure commented  ·   ·  Flag as inappropriate

        The base Windows Azure operating system is now ISO 27001

        “The Information Security Management System for Microsoft Windows Azure including development, operations and support for the compute, storage (Windows Azure Storage), virtual network and virtual machine services, in accordance with Windows Azure ISMS statement of applicability dated September 28, 2011. The ISMS meets the criteria of ISO/IEC 27001:2005 ISMS requirements Standard.”

      • crpietschmanncrpietschmann commented  ·   ·  Flag as inappropriate

        Basically you need to store data securely at rest. You can easily encrypt/decrypt data when accessing it from Azure Storage, however it would be nice to have this built in to make it easier. Also, adding Transparent Data Encryption support to SQL Azure would help complete meeting these requirements. Go vote for it here: http://www.mygreatwindowsazureidea.com/forums/34685-sql-azure-feature-voting/suggestions/402425-enable-transparent-data-encryption

      • RobSRobS commented  ·   ·  Flag as inappropriate

        PCI compliance is absolutely mandatory in the Hospitality sector where taking credit card payments (securely) is a requirement. How is Microsoft/Azure going to look to support PCI and PA-DSS (the certifcation software vendors need to go through to ensure their apps are compliant)?

      • Paul BrownPaul Brown commented  ·   ·  Flag as inappropriate

        In order to take credit card payments we are going to need to be PCI compliant (the merchants will often insist). Surely the intention of Azure is to also support SaaS vendors that will take card payments for their services which therefore makes PCI compliance quite crucial.

      • Don RuleDon Rule commented  ·   ·  Flag as inappropriate

        1. I need to know if there is any reason a Silverlight - Azure - SQL Azure application cannot be HIPAA compliant today (like database encryption - is it a hard requirement? - is it coming as a configuration option??)
        2. the prescriptive guidance that Andy mentions would be great

      • BrianBrian commented  ·   ·  Flag as inappropriate

        This will definitely be a huge make/break with my company as well. Healthcare is growing real fast, especially with government requirements for EMR (Electronic Medical Record).

        We are constantly being Audited, and will not touch anything that is not certified as HIPAA compliant.

      • andrew.mcclenaghanandrew.mcclenaghan commented  ·   ·  Flag as inappropriate

        We could use this for some of our work with highload payment systems but only if it is PCI compliant and there is clear documentation on how it is secure.

      • ShaunTShaunT commented  ·   ·  Flag as inappropriate

        Mike, we are in the health care space and this is a definite must for us.

      • AndyAndy commented  ·   ·  Flag as inappropriate

        Hello! It's HIPAA (Health Insurance Portability and Accountability Act). And yes, clear verbage describing how we're being HIPAA-compliant is going to be extremely important to any healthcare-related services.

      Compliance

      Feedback and Knowledge Base

      (thinking…)