Data protection compliance and the development of Azure services: Let’s start from the basics

With the transition period for the EU General Data Protection Regulation (GDPR) nearing its end (in around 7 months), companies are busy trying to figure out how to achieve compliance concerning existing and new cloud service solutions. With regard to cloud services, such as Azure and Office 365, the cloud vendor acts as the Data Processor in relation to the customer. Major international cloud service vendors have high pressure and a strong willingness to meet the EU requirements, and many users have already noticed that Microsoft, for example, has updated the terms and conditions of its online services in line with the GDPR.

Once the cloud vendors have updated their operating models and terms and conditions to meet the new requirements, the compliance of the cloud solution itself must be evaluated in term of technology and process by customer and their partners (note registry owners' responsibility). Even if security and management are already at a good level, they will need to pay attention to new obligations, such as accountability requirement and registered persons' rights. Data privacy requirements are an extensive topic, but this article will focus on two aspects: security planning in the implementation of data privacy and the implementation of accountability.

Identify, plan and implement

The GDPR risk-based approach means that the client does not need to shoot missiles at paper airplanes once an understanding of the risks has been established. However, regardless of the risk level, security will now need to be implemented more carefully than before, taking the expanded concept of personal data into consideration, from system logs to metadata, images and even video clips, for example.

Segmentation and segregation strategies will continue to be the most important aspect guiding security planning. Combined with the numerous technologies provided by Azure that support security, this will offer opportunities to develop solutions with an extremely high level of security. Application developers and infrastructure experts will have to work hard to keep up with the continuous change. You are familiar with Azure Key Vault, but have you already noticed Managed Service Identity preview? Should you start to evaluate what Azure Confidential Computing will mean to your security development?

When building security, the diverse range of cloud service models is an opportunity, but it also sets new requirements for security. The planning and operation of server-based solutions partly relies on traditional models. Many solutions are scalable from Azure to Office 365 SaaS by means of Logic App and Flow integration, for example. This means entirely new types of solutions in terms of security and management. And what about highly automated continuous integration and delivery in line with the DevOps model, possibly combined with container and microservice architecture? These require new ways to ensure security. In practice, this means automation related to subscription and resource management and monitoring. By the way, check out the Secure DevOps Kit for Azure tools available on GitHub!

The geographical limitation of Azure services to Europe by means of resource policies is a practical example of the technical implementation of a management model for a service platform with regard to the GDPR. Currently in its preview, the Azure Policy is a welcome addition to the effective implementation and monitoring of resource policies. It also implements Microsoft's vision that the capabilities related to administration must be on the cloud service platform, instead of being separate products.

Taking things for granted is one of the biggest dangers in security. Mark Russinovich, CTO at Azure, blogged about security threats that had realized in practice in Azure services. The things on top of his list sounded very familiar: user credentials that are easy to guess, and ports that are open to public networks. In other words, in a rapidly changing world of cloud services, typically with an increasing level of freedom, it cannot be assumed that developers, architects, infrastructure experts and project managers, or any other actors in your multi-vendor cloud service environment, are familiar with all of the good practices, not matter how self-evident such practices may seem.

Prove it!

In implementing accountability, it is key that the system and its controls are documented in terms of both technology and operations. The Azure Platform Governance model is an important tool proving that the secure operation and continuous development of the cloud service platform are ensured. The on-boarding process for applications and solutions is an essential part of the governance model. The process is intended to ensure that compliance has been taken into account, from design to implementation and operations. The importing of solutions through a predetermined process must not be a hindrance. Instead, it must be an accelerator that enables the necessary issues to be rapidly reviewed with the appropriate parties. If you want to hear more about our practical implementations and models for the Azure Platform Governance and our Managed Service that supports continuous changes, contact us!

At Microsoft Ignite in Orlando, I witnessed a small miracle indicating that the significance of cloud service governance is beginning to be noticed. The first session of the morning included 'governance' in its topic, and the house was full! I wasn't expecting this. With regard to accountability, the conditional access in Azure AD has been addressed several times here: what if access to a critical system required approval of the guidelines and responsibilities related to processing personal data (Terms of Use)?

In the implementation of data privacy, no written rule is useful unless it is implemented. In an organization, responsibility must concern everyone down to the owner of the pair of hands that performs the actual work. How will you ensure that this person has read and understood the practices and has also understood their personal responsibility? To all the HR departments out there: we can help!

Stop! Getting the basics right

My next topic is slightly sensitive, but I'll take the risk. Here goes: On the overtaking lane of business units, a ramp must be built that runs through ICT department. Ideally, it involves a 'pit stop,' a short break, after which the journey continues, more securely than before: compliance has been confirmed in terms of both technology and processes. Documented technologies and processes ensure a win in the race. On the podium, the business operations and ICT department can pop open a bottle of bubbly. And the only loser is shadow ICT.

Information and data security ensures the implementation of data privacy. In other words, in addition to careful technical planning, key elements of security include pedantic administrative practices. The processes, however, must not compromise flexibility. The Azure Governance model is not a dusty bunch of papers. Instead, it is a continuously developing set of compact guidelines and their technical implementations with recurring actions and tasks. If I were an ICT manager, I would develop governance model in a manner that would ensure that my company's cloud services were not controlled by any employee or partner who has not been proven to have familiarized themselves with the governance model. Development projects would not be carried out by any developer or project manager who has not been provided with basic training on comprehensive cloud-service security, including the secure management of the source code and the model of shared responsibility for cloud services.

Ismo Husso
Lead Cloud Architech

The writer has years of experience in cloud services and their development, particularly Microsoft Azure and Office 365. You can also follow Ismo on LinkedIn and Twitter.