I’m excited to announce our second Azure Blueprint for an important compliance standard with the release of the PCI-DSS v3.2.1 blueprint. The new blueprint maps a core set of policies for Payment Card Industry (PCI) Data Security Standards (DSS) compliance to any Azure deployed architecture, allowing businesses such as retailers to quickly create new environments with compliance built in to the Azure infrastructure.
Azure Blueprints is a free service that enables customers to define a repeatable set of Azure resources that implement and adhere to standards, patterns, and requirements. Azure Blueprints allow customers to set up governed Azure environments that can scale to support production implementations for large-scale migrations.
Azure Blueprints is another reason why Azure is a strong platform for compliance, with the industry’s broadest and deepest portfolio of 91 compliance offerings. Azure is built using some of the most rigorous security and compliance standards in the world, and includes multi-layered security provided by Microsoft across physical datacenters, infrastructure, and operations. Azure is also built for the specific compliance needs of key industries, including over 50 compliance offerings specifically for the retail, health, government, finance, education, manufacturing, and media industries.
Compliance with regulations and standards such as ISO 27001, FedRAMP and SOC is increasingly necessary for all types of organizations, making control mappings to compliance standards a natural application for Azure Blueprints. Azure customers, particularly those in regulated industries, have expressed strong interest in compliance blueprints to help ease their compliance burdens. In March, we announced the ISO 27001 Shared Services blueprint sample which maps a set of foundational Azure infrastructure, such as virtual networks and policies, to specific ISO controls.
The PCI DSS is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations that accept payments from credit cards must follow PCI DSS standards if they accept payment cards from the five major credit card brands. Compliance with PCI DSS is also required for any organization that stores, processes, or transmits payment and cardholder data.
The PCI-DSS v3.2.1 blueprint includes mappings to important PCI DSS controls, including:
- Segregation of duties. Manage subscription owner permissions.
- Access to networks and network services. Implement role-based access control (RBAC) to manage who has access to Azure resources.
- Management of secret authentication information of users. Audit accounts that don’t have multi-factor authentication enabled.
- Review of user access rights. Audit accounts that should be prioritized for review, including depreciated accounts and external accounts with elevated permissions.
- Removal or adjustment of access rights. Audit deprecated accounts with owner permissions on a subscription.
- Secure log-on procedures. Audit accounts that don’t have multi-factor authentication enabled.
- Password management system. Enforce strong passwords.
- Policy on the use of cryptographic controls. Enforce specific cryptographic controls and audit use of weak cryptographic settings.
- Event and operator logging. Diagnostic logs provide insight into operations that were performed within Azure resources.
- Administrator and operator logs. Ensure system events are logged.
- Management of technical vulnerabilities. Monitor missing system updates, operating system vulnerabilities, SQL vulnerabilities, and virtual machine vulnerabilities in Azure Security Center.
- Network controls. Manage and control networks and monitor network security groups with permissive rules.
- Information transfer policies and procedures. Ensure information transfer with Azure services is secure.
We are committed to helping our customers leverage Azure in a secure and compliant manner. Over the next few months we will release new built-in blueprints for HITRUST, UK National Health Service (NHS) Information Governance (IG) Toolkit, FedRAMP, and Center for Internet Security (CIS) Benchmark. If you would like to participate in any early previews please sign up with this form, or if you have a suggestion for a compliance blueprint, please share it via the Azure Governance Feedback Forum.
Learn more about the Azure PCI-DSS v3.2.1 blueprint in our documentation.