Microsoft Cloud for Sovereignty policy portfolio

Azure offers a range of built-in initiatives that align with various regulatory compliance frameworks and industry standards. These initiatives cover critical aspects such as data protection, network security, and access controls. By enforcing robust configurations and controls, you can enhance the sovereignty and security position of your organization's Azure resources and protect sensitive data from unauthorized access.

Microsoft Cloud for Sovereignty extends the existing Azure built-in initiatives by regularly adding more initiatives.

Azure built-in policy initiatives

Azure built-in policy initiatives are a powerful tool set that enables centralized control across Azure resources and enforcement of specific configurations. These initiatives comprise a collection of policy definitions and support compliance with various regulatory frameworks, industry standards, and security best practices.

Initiatives offer a streamlined and automated approach to governance, allowing organizations to manage and monitor compliance at scale. For more information on policy initiatives, see What is Azure Policy?.

Microsoft Cloud for Sovereignty policy initiatives

Microsoft Cloud for Sovereignty initiatives and compliance mappings, which expand on the Azure built-in initiatives, help you automate policy enforcement and foster a robust governance framework that reduces the risk of noncompliance. Further, the initiatives also strengthen data protection measures. Organizations can use the large suite of available regulatory compliance built-in initiatives while we continue to expand on other frameworks.

Regulatory compliance policy initiatives

Microsoft Cloud for Sovereignty maintains several regulatory compliance policy initiatives.

One of these policy initiatives is in support of the cloud-specific technical requirements within the Government information security baseline (Baseline informatiebeveiliging Overheid or BIO in Dutch), the foundational standards framework for information security within all levels of the Netherlands government (central government, municipalities, provinces, and water boards). For more information on the BIO cloud theme initiative, see azure-policy/built-in-policies/policySetDefinitions.

Microsoft Cloud for Sovereignty recently published two additional regulatory compliance built-in policy initiatives: the Microsoft Cloud for Sovereignty Baseline Global Policies and the Microsoft Cloud for Sovereignty Baseline Confidential Policies.

Sovereignty Baseline policy initiatives

The Microsoft Cloud for Sovereignty policy initiatives are primarily designed to help demonstrate compliance against a specific security control framework. The Sovereignty Baseline policy initiatives, however, are a special set of built-in Azure Policy initiatives meant to supplement those frameworks with sovereignty controls.

The sovereignty controls help enable appropriate usage of Azure Confidential Computing offerings, providing data protection guardrails beyond what existing security control frameworks commonly require, in a manner that is easy for organizations to adopt.

The Sovereignty Baseline policy initiatives provide organizations with a straightforward method to configure multiple Azure policies in a manner that addresses one or more of the sovereignty control objectives, listed as follows:

  • Customer data must be stored and processed entirely in data centers that reside in approved geopolitical regions based on customer-defined requirements.
  • Customers must approve the access of customer data by cloud and managed service operators.
  • Customer-defined sensitive customer data must only be accessible in an encrypted manner to cloud and managed service operators.
  • The customer must have exclusive control over deciding which identities can access keys used to decrypt customer-defined sensitive data.

These control objectives are Azure’s recommended best practices to address data sovereignty concerns by supporting appropriate usage and configurations within various Azure offerings that store or process customer data. If you feel there are other control objectives necessary to include within the baseline, you can create a feature request.
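As an added example, not taken from this page or from the Cloud for Sovereignty policy portfolio, the following Az PowerShell script shows how the first control objective above (customer data stored and processed only in approved regions) becomes an enforceable custom Azure Policy definition and assignment; the management group ID, the policy name and the region list are assumptions, and the rule follows the same pattern as the built-in Allowed locations policy.

```powershell
# Added example (not the portfolio's own code): enforce "data stays in approved
# regions" as a custom Azure Policy definition assigned at management-group scope.
# Assumes Az.Resources and Az.PolicyInsights are installed and Connect-AzAccount
# has been run; the management group ID is a placeholder for your own.
$mgId = 'mg-sovereign-placeholder'
$scope = "/providers/Microsoft.Management/managementGroups/$mgId"

# Policy rule: flag or deny any regional resource whose location is outside the list.
# 'global' resources and the B2C exclusion mirror the built-in Allowed locations policy.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('listOfAllowedLocations')]" },
      { "field": "location", "notEquals": "global" },
      { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

$parameters = @'
{
  "listOfAllowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Deny"
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'sov-allowed-locations' `
  -DisplayName 'Sovereignty: restrict resource locations to approved regions' `
  -Policy $rule -Parameter $parameters -Mode 'Indexed' -ManagementGroupName $mgId

# Assign with Audit first to measure impact; switch the effect to Deny once clean.
New-AzPolicyAssignment -Name 'sov-allowed-locations' -Scope $scope `
  -PolicyDefinition $definition `
  -PolicyParameterObject @{ listOfAllowedLocations = @('westeurope', 'northeurope'); effect = 'Audit' }

# Review non-compliant resources before enforcing Deny.
Get-AzPolicyState -ManagementGroupName $mgId -Filter "PolicyDefinitionName eq 'sov-allowed-locations' and ComplianceState eq 'NonCompliant'" |
  Select-Object ResourceId, ResourceLocation
```

Compliance state is evaluated on a cycle after assignment, so the final query may show no results until the first evaluation has run.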

The Sovereignty Baseline policy initiatives come preinstalled with the Sovereign Landing Zone, or can be deployed in any Azure tenant as a built-in Azure Policy.

The Sovereignty Baseline policy initiatives don't replace built-in regulatory compliance initiatives or map directly to any of the frameworks. Organizations should continue to use their existing initiatives to demonstrate compliance with all appropriate regulatory frameworks.

For more information about how Microsoft views data sovereignty, review our white papers.

Custom policy initiatives

Microsoft Cloud for Sovereignty makes several custom policy initiatives and compliance mappings accessible through the Cloud for Sovereignty policy portfolio on GitHub. Microsoft Cloud for Sovereignty policy initiatives aid in customizing deployments to reduce the time and complexity needed to audit environments and help meet established regulatory compliance frameworks and government requirements.

The current custom initiatives focus on:

  • The Italian Cloud Strategy, which contains the strategic guidelines for migrating the data and digital services of the Italian Public Administration to the cloud. Under this strategy, the National Cybersecurity Agency (ACN) issued a set of requirements for the qualification of cloud services and cloud service infrastructures. The policy initiatives and files contained in this repository are intended to serve as a starting point. They aren't intended to be final or comprehensive solutions, but rather a helpful resource to jumpstart your efforts.

  • A custom Azure policy initiative and a control mapping that help customers meet the guidelines defined by the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v4 cybersecurity control framework for cloud computing.

To assist with the deployment of custom policy initiatives, see the New-PolicySets.ps1 script on GitHub. In addition, you can use Microsoft Defender for Cloud capabilities for custom initiatives.

Important

Organizations are wholly responsible for ensuring their own compliance with all applicable laws and regulations. The information provided in this document doesn't constitute legal advice, and organizations should consult their legal advisors for any questions regarding regulatory compliance.

See also