Plan, Implement, and Monitor Microsoft Cloud for Sovereignty
Microsoft Cloud for Sovereignty provides tools and guidance for IT professionals and information security officers throughout the cloud implementation lifecycle. The remainder of this article presents capabilities in the context of three stages of an implementation lifecycle and references detailed articles on each of the articles.
- Plan: Plan your cloud migration.
- Implement: Implement a sovereign and compliant architecture.
- Monitor and audit: Monitor and audit your data and workloads to keep them secure.
Plan
Public Sector organizations that have strict sovereignty requirements must incorporate their sovereignty objectives into their planning efforts. This process ensures that strategic decisions about cloud adoption align with those sovereignty requirements.
Sovereignty requirements
Microsoft Cloud Adoption Framework for Azure is a full lifecycle framework that enables cloud architects, IT professionals, and business decision makers to achieve their cloud adoption goals. The framework provides best practices, documentation, and tools that help you create and implement business and technology strategies for the cloud.
You can read Evaluate sovereign requirements to understand how to evaluate, identify, and document sovereignty requirements, and review recommendations for where these requirements can fit into broader planning efforts associated with the Cloud Adoption Framework for Azure.
Geo-availability of Cloud for Sovereignty
A key part of planning is to understand and evaluate the regional availability of sovereignty-related services. The article International availability of Microsoft Cloud for Sovereignty provides an overview.
Data residency options and the EU Data Boundary
Data residency is a common regulatory requirement for public sector data. Data residency requirements can limit where different types of data can be stored and processed. Some regulations might also impose restrictions on where data can be transferred. Microsoft Cloud for Sovereignty enables you to configure Sovereign Landing Zones (SLZs) to restrict the services and regions that can be used and enforce service configuration to fulfill the data residency requirements. For more information, see Data residency.
In addition, the EU Data Boundary is a geographically defined boundary within which Microsoft has committed to store and process customer data for major commercial enterprise online services including Azure, Dynamics 365, Power Platform, and Microsoft 365. The EU Data Boundary provides data residency commitments beyond what Microsoft Cloud for Sovereignty manages, particularly around the residency of data for nonregional Azure services. For more information, see EU Data Boundary.
Cloud for Sovereignty policy portfolio and baseline
The Sovereign policy portfolio includes the Sovereignty baseline policy initiatives and policy initiatives designed to help meet region-specific compliance regulations. These policy initiatives help public sector customers in their efforts to adhere to various regulatory frameworks quickly. These policy initiatives are accompanied by associated control mappings and documentation. For more information, see policy portfolio.
Sample reference architecture (preview)
A common scenario for SLZ deployment is to use LLMs to engage in conversations using your own data through the Retrieval Augmented Generation (RAG) pattern. This pattern enables you to harness the reasoning abilities of LLMs and generate responses based on your specific data without requiring fine-tuning of the model. It facilitates the seamless integration of LLMs into your existing business process or solutions. Explore how these technologies can be applied within Sovereign Landing Zones, while also considering important guardrails. For more information, see LLMs and Azure OpenAI in Retrieval Augmented Generation (RAG) pattern.
Implement
During the implementation stage, public sector organizations can accelerate the definition and deployment of sovereign environments using Microsoft Cloud for Sovereignty tools and guidelines.
Sovereign Landing Zone
Sovereign Landing Zone (SLZ) is a variant of Azure Landing Zone (ALZ) that provides an enterprise-scale cloud infrastructure focused on operational control of data at rest, in transit, and in use. An SLZ aligns Azure capabilities such as service residency, customer-managed keys, private links, and confidential computing to create a cloud architecture where data and workloads default to encryption and protection from threats. You can deploy an SLZ with a single PowerShell command and a few parameters.
SLZ is available on GitHub. For more information, see Overview of the Sovereign Landing Zone.
Workload templates
Workload templates provide production-quality, reusable, secure, and compliant-by-design automated deployments for common workload types. A workload template focuses on the properly configured deployment of one or more Azure Services in a reusable manner. For more information, see Workload templates for Sovereign Landing Zone.
Landing zone lifecycle management tools (preview)
Microsoft Cloud for Sovereignty provides the following landing zone lifecycle management tools through GitHub:
- Assessment: Performs a predeployment evaluation of Azure resources, such as their locations and Azure policy assignments, against established best practices.
- Policy Compiler: Streamlines the policy management process. It systematically analyzes your organization's policy initiatives by examining key components.
- Drift Analyzer: Monitors and compares the current state of the cloud environment with its original intended landing zone configuration. It identifies critical deviations or changes.
For more information, see Landing zone lifecycle management tools.
Sovereign Guardrails in Dataverse and Power Platform environments for more data sovereignty (preview)
You can configure Dataverse and Power Platform environments for enhanced data sovereignty. You can use Microsoft Power Platform Admin Center for centralized management of environments and settings, including tenant settings for controlling environment creation and management. You can also use specific access controls for Dataverse and Power Platform to ensure compliance with sovereignty requirements. For more information, see Configure your Dataverse and Power Platform environments for more data sovereignty.
Encryption and key management
It's crucial to implement the right encryption and key management strategy for a secure and sovereign implementation. For more information, see this article.
Azure Confidential Computing
Microsoft Cloud for Sovereignty helps customers configure and protect their data and resources in ways that comply with their specific regulatory and sovereignty requirements. It includes ensuring that parties outside the customer's control, including Microsoft, can't access customer data. Along with Azure confidential computing (ACC), Microsoft Cloud for Sovereignty provides customers with visibility into and control over all access to their workloads. ACC enhances customer sovereignty by removing or reducing privileged data access for a cloud provider operator and other actors, including software such as the hypervisor. ACC helps protect data throughout its lifecycle in addition to existing solutions, which protect data at rest and in transit. For more information, see Azure Confidential Computing.
Sample application
Use a sample Human Resources (HR) confidential application that ensures and validates that the Sovereign Landing Zone (SLZ) deployed infrastructure serves the confidential needs of customer workloads. For more information, see Confidential sample application.
Migrate and modernize
Microsoft Cloud for Sovereignty provides tools and guidance for migrating workloads to the cloud. For more information, see Overview of workload migrations.
Monitor and Audit
In addition to the rich set of services that Microsoft Azure provides to monitor your workloads and keep them secure, such as Azure Monitor and Defender for Cloud, Microsoft Cloud for Sovereignty introduces new capabilities and services.
Transparency logs (preview)
To earn the trust of sovereign customers, Microsoft Cloud for Sovereignty provides extra logging and monitoring controls that increase the level of transparency in Microsoft personnel activities. As a result, customers have visibility beyond standard public cloud capabilities to help in audit and access control requirements.
Transparency logs are available on a limited basis and subject to customer eligibility requirements. Approved customers receive a monthly report for their tenant that summarizes instances where a Microsoft engineer or support agent is granted temporary access to the customer's Azure resources.
For more information, see transparency logs.
Transparency controls in Dataverse and Power Platform (preview)
You can also set transparency controls in Dataverse and Power Platform, which are crucial for complying with sovereign policies.
For more information, see Transparency controls in Dataverse and Power Platform.
Government Security Program
The Government Security Program (GSP) is an existing Microsoft program designed to provide qualified government participants with the confidential information they need to trust Microsoft products and services. The program includes controlled access to source code, exchange of threat and vulnerability information, engagement on technical content about Microsoft products and services, and access to Transparency Centers. Microsoft Cloud for Sovereignty has expanded the GSP program to cover some Azure services. For more information, see Government Security Program.