
ISV App Migration Security and Compliance Guide

Data and regulatory compliance – and by extension, security – are among the most important factors for Canadian ISVs to consider before a cloud migration. This is especially true of organizations that want to serve highly regulated industries such as healthcare, finance, or government. While cloud providers such as Microsoft Azure offer a robust toolset for remaining compliant, the legal burden of following the regulations still falls on the ISV. Failure to do so can result in significant fines and lasting brand damage.

Equifax is a prime example of this. After a high profile data breach, the company spent years under intense media scrutiny and wound up paying the FTC a $425 million legal settlement.[i]

For Canadian ISVs, remaining compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA) is of paramount importance. For that reason, Canadian ISVs are turning to Microsoft Azure for the tools they need to scale their services nationally and beyond, all while maintaining PIPEDA compliance.

That said, simply migrating your data to Azure does not in itself ensure compliance. For Canadian ISVs, there are several things to consider before you can be confident of meeting compliance standards.

Understand Canadian data and privacy regulations

The first regulation that Canadian ISVs need to examine is PIPEDA. It governs how businesses collect, use, and disclose personally identifiable information.

The Act requires organizations to comply with ten fair information principles. For example, PIPEDA dictates that companies must obtain permission from an individual before collecting or using their personal information (the “consent” principle). Similarly, the “individual access” principle gives individuals the right to access their information, while the “identifying purposes” principle restricts the use of personal information to the purposes that were originally agreed upon.

It’s worth noting that BC, Alberta, and Quebec have their own privacy laws that override PIPEDA, but only because those laws have been deemed “substantially similar” to the federal one. Therefore, while it makes sense to understand your local laws, compliance with PIPEDA likely equates to compliance with them as well.

Remain Compliant

Microsoft Azure maintains technical and organizational measures to help companies remain compliant with PIPEDA. Microsoft has published a document to help prepare Canadian organizations for an Azure migration, which gives an overview of how its various services can help Canadian organizations meet compliance regulations in Azure.

To support Canadian organizations that have concerns about data sovereignty, Microsoft built two data centers in Canada, one in Quebec City and one in Toronto. These ensure that Canadian data always remains on Canadian soil when at rest.

Leverage built-in security tools

The best way to ensure sensitive information is tracked and kept secure is to leverage Azure Information Protection, which can be used to classify, label, and protect emails and documents. The tool applies a ruleset defined by your organization, so it can be tailored to your organization’s needs.

For best results, pair Information Protection with Azure Rights Management (Azure RMS). RMS integrates with the entire suite of Microsoft tools, from Office 365 to Azure AD, and protects data using encryption, identity, and authorization policies. It protects your data regardless of where it is located, making it the ideal solution for emails, shared documents, and data in transit.

To get started with these two tools, follow these steps:

  1. Deploy Azure Information Protection for your organization.
  2. Apply labels that reflect your business requirements, e.g. apply a label named “highly confidential” to all documents and emails that contain top-secret data in order to classify and protect them.
  3. Configure usage logging for RMS so that you can monitor how your organization is using the protection service.

When issues do arise, ISVs can identify and respond to them far more quickly than they could with an on-premises solution. That’s because Azure has a robust security and compliance toolset and a comprehensive set of guidelines for dealing with virtually any scenario. Through tools such as Azure Compliance Manager and Azure Security Centre, ISVs can identify vulnerabilities in their applications and respond to threats before they cause significant problems.

A word of caution regarding these tools: companies need to be aware that achieving compliance in Azure is about more than just turning certain tools on and off. It requires managerial policies and processes to be set up, so it is imperative that management and IT work closely together toward achieving compliance on Azure.

Expand beyond Canada

Lastly, it is important to remain cognizant of security and compliance regulations around the globe, not just in Canada. Most ISVs are creating SaaS applications that are built to scale and have the potential to reach a worldwide market. By migrating to Azure, you can reach over 140 countries, for each of which Microsoft has created built-in compliance solutions. These solutions can support your business by reducing the time it takes to meet regulatory requirements while keeping your reputation untarnished as your business grows.

Have more questions about security in the cloud? Contact the experts at Hanu today – we’re happy to answer any questions you have regarding your specific security requirements.
