Microsoft Cloud for Sovereignty policy portfolio

Azure offers a range of built-in initiatives that align with various regulatory compliance frameworks and industry standards. These initiatives cover critical aspects such as data protection, network security, and access controls. By enforcing robust configurations and controls, you can strengthen the sovereignty and security posture of your organization's Azure resources and protect sensitive data from unauthorized access.

Microsoft Cloud for Sovereignty extends the existing Azure built-in initiatives and custom policy initiatives by regularly adding more initiatives.

Azure built-in policy initiatives

Azure built-in policy initiatives are a powerful tool set that enables centralized control across Azure resources and enforcement of specific configurations. These initiatives comprise a collection of policy definitions and support compliance with various regulatory frameworks, industry standards, and security best practices.

Initiatives offer a streamlined and automated approach to governance, allowing organizations to manage and monitor compliance at scale. For more information on policy initiatives, see What is Azure Policy?.

Azure custom policy initiatives

Azure Policy custom initiatives help you tailor a set of policies to your organization's unique requirements, giving you control to enforce the standards and rules that best fit your environment. Microsoft Cloud for Sovereignty makes several custom policy initiatives and compliance mappings available through the industry-policy-portfolio repository on GitHub. Microsoft Cloud for Sovereignty policy initiatives help customize deployments, reducing the time and complexity needed to audit environments and helping you meet established regulatory compliance frameworks and government requirements.

Microsoft Cloud for Sovereignty policy initiatives

Microsoft Cloud for Sovereignty initiatives and compliance mappings, which expand on the Azure built-in initiatives, help you automate policy enforcement and foster a robust governance framework that reduces the risk of noncompliance. Further, the initiatives also strengthen data protection measures. Organizations can use the large suite of available regulatory compliance built-in initiatives while we continue to expand on other frameworks.

Regulatory compliance policy initiatives

Microsoft Cloud for Sovereignty maintains several regulatory compliance policy initiatives in the industry-policy-portfolio repository. This portfolio contains a collection of initiatives to help you start your compliance journey.

These initiatives are available as Azure built-in and custom policy initiatives. You can find the built-in policy initiatives through the Azure Policy portal pages. For custom initiatives, you need to deploy the initiative into the tenant. For more information, see the industry-policy-portfolio repository. The policy initiatives and files contained in this repository are intended to serve as a starting point. These files aren't intended to be final or comprehensive solutions, but helpful resources to jump-start your efforts.

In addition to the policy initiatives, the industry-policy-portfolio repository contains information about the policy framework and the mapping of specific policies to control objectives.

The portfolio includes these policy initiatives:

Microsoft recently published two more regulatory compliance built-in policy initiatives: the Microsoft Cloud for Sovereignty Baseline Global Policies and the Microsoft Cloud for Sovereignty Baseline Confidential Policies.

For more information on these regulatory compliance policy initiatives, see industry-policy-portfolio.

Sovereignty Baseline policy initiatives

The Microsoft Cloud for Sovereignty policy initiatives are primarily designed to help demonstrate compliance against a specific security control framework. However, the Sovereignty Baseline policy initiatives are a special set of built-in Azure Policy initiatives meant to supplement those frameworks with sovereignty controls.

The sovereignty controls guide organizations toward appropriate use of Azure confidential computing offerings, which provide data protection guardrails beyond what existing security control frameworks commonly require, in a form that organizations can adopt easily.

The Sovereignty Baseline policy initiatives provide organizations with a straightforward method to configure multiple Azure policies in a manner that addresses one or more of the sovereignty control objectives, listed as follows:

  • Customer data must be stored and processed entirely in data centers that reside in approved geopolitical regions based on customer-defined requirements.
  • Customers must approve the access of customer data by cloud and managed service operators.
  • Customer-defined sensitive customer data must only be accessible in an encrypted manner to cloud and managed service operators.
  • The customer must have exclusive control over deciding which identities can access keys used to decrypt customer-defined sensitive data.

These control objectives are Azure’s recommended best practices to address data sovereignty concerns by supporting appropriate usage and configurations within various Azure offerings that store or process customer data. If you feel there are other control objectives necessary to include within the baseline, you can create a feature request.
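To see how such control objectives become enforceable Azure Policy rules, here is a small offline evaluator for the policy rule grammar (allOf/anyOf, equals/notEquals/in/notIn, and `[parameters('x')]` expansion) together with a constructed two-policy initiative: one policy in the allowed-locations pattern for the first objective, and one requiring customer-managed keys on storage accounts for the fourth. This is an added example, not Microsoft's code and not the industry-policy-portfolio initiatives; the policy names, parameter values, and resources are constructed, and resources are modelled as flat dicts mapping field names or aliases to values.

```python
# Offline evaluator for Azure Policy rule JSON. Added example: not Microsoft's code and not the
# industry-policy-portfolio initiatives; the policies and resources below are constructed.

def _norm(v):
    return v.lower() if isinstance(v, str) else v  # Azure Policy compares strings case-insensitively

def _resolve(value, params):
    """Expand the [parameters('x')] template form used inside policy rules."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[13:-3]]
    return value

def _matches(cond, resource, params):
    """True when the 'if' block selects the resource (a flat dict: field or alias -> value)."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    actual = _norm(resource.get(cond["field"]))
    for op in ("equals", "notEquals", "in", "notIn"):
        if op in cond:
            expected = _resolve(cond[op], params)
            if op in ("in", "notIn"):
                hit = actual in {_norm(e) for e in expected}
            else:
                hit = actual == _norm(expected)
            return hit if op in ("equals", "in") else not hit
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params):
    """Effect ('Deny', 'Audit', ...) if the rule fires for the resource, else None (compliant)."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _matches(rule["if"], resource, params) else None

def violations(initiative, resource, params):
    """Names of the initiative's policies whose effect would fire for this resource."""
    return [name for name, pol in initiative.items() if evaluate(pol, resource, params)]

# Constructed two-policy initiative: allowed-locations pattern (objective 1, data stays in approved
# regions) and customer-managed keys on storage accounts (objective 4). The alias is a real one.
INITIATIVE = {
    "allowed-locations": {"policyRule": {"if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"}]}, "then": {"effect": "Deny"}}},
    "storage-cmk": {"policyRule": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
         "notEquals": "Microsoft.Keyvault"}]}, "then": {"effect": "Deny"}}},
}
PARAMS = {"listOfAllowedLocations": ["germanywestcentral", "swedencentral"]}  # set at assignment
```

Region-less resources (location `global`) are deliberately exempt from the location rule, matching how the built-in allowed-locations policy behaves.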

The Sovereignty Baseline policy initiatives come preinstalled with the Sovereign Landing Zone, or can be deployed in any Azure tenant as built-in Azure Policy initiatives.

The Sovereignty Baseline policy initiatives don't replace built-in regulatory compliance initiatives or map directly to any of the frameworks. Organizations should continue to use their existing initiatives to demonstrate compliance with all appropriate regulatory frameworks.

For more information about how Microsoft views data sovereignty, review our white papers.

Important

Organizations are wholly responsible for ensuring their own compliance with all applicable laws and regulations. The information provided in this document doesn't constitute legal advice, and organizations should consult their legal advisors for any questions regarding regulatory compliance.
