Azure #CosmosDB: Secure, private, compliant
Azure Cosmos DB is Microsoft’s globally distributed, multi-model database. Azure Cosmos DB enables you to elastically and independently scale throughput and storage across any number of Azure’s geographic regions with a single click. It offers throughput, latency, availability, and consistency guarantees with comprehensive service level agreements (SLAs), a feature that no other database service can offer.
A database that holds sensitive data across international borders must meet high standards for security, privacy, and compliance. Additionally, the cloud service provider must anticipate and be ready for new standards, such as the General Data Protection Regulation (GDPR), which will soon govern the collection and use of EU resident’s data. Microsoft has pledged that Azure services will be GDPR compliant by the May 25 implementation date.
Microsoft’s cloud privacy policies state that we will use your customer data only to provide the services we have agreed upon, and for purposes that are compatible with providing those services. We do not share your data with our advertiser-supported services, nor do we mine it for marketing or advertising.
Azure Cosmos DB also implements stringent security practices. All the documents, attachments and backups stored in Azure Cosmos DB are encrypted at rest and in transit without any configuration by you. You get the same low latency, and high throughput, availability, and functionality with encryption enabled.
Azure Cosmos DB is a multi-tenant hyper scale cloud platform that is available in all the Azure regions, more than 50 regions worldwide. Customers can specify the region(s) where their data should be located. Microsoft may replicate customer data to other regions within the same Geographical-region for high availability and data resiliency, but Microsoft will not replicate customer data outside the chosen geographical region (e.g., United States).
Azure Cosmos DB is available in four different Azure cloud environments:
- Azure public cloud service is available globally.
- Azure China is available through a unique partnership between Microsoft and one of the largest Internet providers in the country.
- Azure Germany provides services under a trusted data model, which ensures that the customer data remains in Germany only.
- Azure Government is available across 4 regions in the United States to US government agencies and their partners.
To help customers meet their own compliance obligations across regulated industries and markets worldwide, Azure maintains the largest compliance portfolio in the industry both in terms of breadth (total number of offerings), as well as depth (number of customer-facing services in assessment scope). Azure compliance offerings are grouped into four segments; globally applicable, US government specific, industry specific, and region/country specific. All of these are applicable to Azure Cosmos DB.
Azure compliance offerings are based on several types of assurances, such as:
- Formal certifications, attestations, validations, authorizations.
- Assessments produced by third-party auditing firms.
- Contractual amendments, self-assessments.
- Customer guidance documents produced by Microsoft.
As of April 2018, here is the full list of certificates for Azure Cosmos DB. You can find a more detailed description of each of these compliance offerings, and how they benefit you.
- CSA STAR Self-Assessment
- CSA STAR Certification
- CSA STAR Attestation
- ISO 20000-1:2011
- ISO 22301:2012
- ISO 27001:2013
- ISO 27017:2015
- ISO 27018:2014
- ISO 9001:2015
- SOC 1 Type 2
- SOC 2 Type 2
- SOC 3
- FIPS 140-2
- 23 NYCRR 500
- APRA (Australia)
- DPP (UK)
- FCA (UK)
- GxP (21 CFR Part 11)
- HIPAA and the HITECH Act
- MAS and ABS (Singapore)
- NEN 7510:2011 (Netherlands)
- NHS IG Toolkit (UK)
- PCI DSS Level 1
- Shared Assessments
- Argentina PDPA
- Australia IRAP Unclassified
- Canadian Privacy Laws
- EU ENISA IAF
- EU Model Clauses
- EU-US Privacy Shield
- Germany C5
- Germany IT-Grundschutz Workbook
- Japan My Number Act
- Netherlands BIR 2012
- Singapore MTCS Level 3
- Spain DPA
- UK Cyber Essentials Plus
- UK G-Cloud
- UK PASF (covers physical datacenter infrastructure)
To help you comply with national, regional, and industry-specific requirements governing the collection and use of individuals’ data, Microsoft offers the most comprehensive set of compliance offerings of any cloud service provider. See the detail updated list of all the compliance offered.