Kopīgot, izmantojot


Microsoft Cloud for Sovereignty policy portfolio

Azure offers a range of built-in initiatives that align with various regulatory compliance frameworks and industry standards. These initiatives cover critical aspects such as data protection, network security, and access controls. By enforcing robust configurations and controls, you can enhance the sovereignty and security position of your organization's Azure resources and protect sensitive data from unauthorized access.

Microsoft Cloud for Sovereignty extends the existing Azure built-in initiatives and custom policy initiatives by regularly adding more initiatives.

Azure built-in policy initiatives

Azure built-in policy initiatives are a powerful tool set that enables centralized control across Azure resources and enforcement of specific configurations. These initiatives comprise a collection of policy definitions and support compliance with various regulatory frameworks, industry standards, and security best practices.

Initiatives offer a streamlined and automated approach to governance, allowing organizations to manage and monitor compliance at scale. For more information on policy initiatives, see What is Azure policy?.

Azure custom policy initiatives

Azure Policy custom initiatives help you to tailor a set of policies specifically to your organization's unique requirements, giving you control to enforce the standards and rules that best fit your environment. Microsoft Cloud for Sovereignty makes several custom policy initiatives and compliance mappings accessible through the industry-policy-portfolio repository on GitHub. Microsoft Cloud for Sovereignty policy initiatives aid in customizing deployments to reduce the time and complexity needed to audit environments and help meet established regulatory compliance frameworks and government requirements.

Microsoft Cloud for Sovereignty policy initiatives

Microsoft Cloud for Sovereignty initiatives and compliance mappings, which expand on the Azure built-in initiatives, help you automate policy enforcement and foster a robust governance framework that reduces the risk of noncompliance. Further, the initiatives also strengthen data protection measures. Organizations can use the large suite of available regulatory compliance built-in initiatives while we continue to expand on other frameworks.

Regulatory compliance policy initiatives

Microsoft Cloud for Sovereignty maintains several regulatory compliance policy initiatives in the industry-policy-portfolio repository. This portfolio contains a collection of initiatives to help you start your compliance journey.

These initiatives are available as Azure built-in and custom policy initiatives. You can find the built-in policy initiatives through the Azure Policy portal pages. For custom initiatives, you need to deploy the initiative into the tenant. For more information, see the industry-policy-portfolio repository. The policy initiatives and files contained in this repository intend to serve as a starting point. These files aren't intended to be final or comprehensive solutions, but helpful resources to jump-start your efforts.

In addition to the policy initiatives, you can find information about the policy framework and specific policies to control objective mapping in the industry-policy-portfolio repository.

The portfolio includes these policy initiatives:

Microsoft recently published two more regulatory compliance built-in policy initiatives; the Microsoft Cloud for Sovereignty Baseline Global Policies and the Microsoft Cloud for Sovereignty Baseline Confidential Policies.

For more information on these regulatory compliance policy initiatives, see industry-policy-portfolio.

Sovereignty Baseline policy initiatives

The Microsoft Clouds for Sovereignty policy initiatives are primarily designed to help demonstrate compliance against a specific security control framework. However, the Sovereignty Baseline policy initiatives are a special set of built-in Azure Policy Initiatives meant to supplement the frameworks with sovereignty controls.

The sovereignty controls help appropriate usage of Azure Confidential Computing offerings that provide data protection guardrails beyond what existing security control frameworks commonly require in an easy-to-adopt manner for organizations.

The Sovereignty Baseline policy initiatives provide organizations with a straightforward method to configure multiple Azure policies in a manner that addresses one or more of the sovereignty control objectives, listed as follows:

  • Customer data must be stored and processed entirely in data centers that reside in approved geopolitical regions based on customer-defined requirements.
  • Customers must approve the access of customer data by cloud and managed service operators.
  • Customer-defined sensitive customer data must only be accessible in an encrypted manner to cloud and managed service operators.
  • The customer must have exclusive control over deciding which identities can access keys used to decrypt customer-defined sensitive data.

These control objectives are Azure’s recommended best practices to address data sovereignty concerns by supporting appropriate usage and configurations within various Azure offerings that store or process customer data. If you feel there are other control objectives necessary to include within the baseline, you can create a feature request.

The Sovereignty Baseline policy initiatives come preinstalled with the Sovereign Landing Zone, or can be deployed in any Azure tenant as a built-in Azure Policy.

The Sovereignty Baseline policy initiatives don't replace built-in regulatory compliance initiatives or map directly to any of the frameworks. Organizations should continue to use their existing initiatives to demonstrate compliance with all appropriate regulatory frameworks.

For more information about how Microsoft views data sovereignty, review our white papers.

Important

Organizations are wholly responsible for ensuring their own compliance with all applicable laws and regulations. The information provided in this document doesn't constitute legal advice, and organizations should consult their legal advisors for any questions regarding regulatory compliance.

See also