# Cloud for Sovereignty Compliance Guide

**Last Updated**: 2025-01-27
**Status**: Comprehensive Compliance Framework
**Standard**: Microsoft Cloud for Sovereignty

## Overview

This document outlines how The Order project achieves and maintains compliance with Microsoft Cloud for Sovereignty requirements, ensuring data residency, operational control, and regulatory compliance.

## Compliance Requirements

### 1. Data Residency

**Requirement**: All data must remain within specified geographic regions and never be replicated to non-approved regions.

**Implementation**:
- ✅ Azure Policy enforcement for region restrictions
- ✅ Regional resource groups and storage accounts
- ✅ Database geo-restrictions
- ✅ CDN regional restrictions
- ✅ No cross-region data replication (except for DR)

**Verification**:

```bash
# Check resource locations
az resource list --query "[].{Name:name, Location:location}" --output table

# Verify policy compliance
az policy state list --filter "complianceState eq 'NonCompliant'"
```

### 2. Operational Sovereignty

**Requirement**: Customer maintains control over operations with limited Microsoft access.

**Implementation**:
- ✅ Customer-managed encryption keys (CMK)
- ✅ Azure Lighthouse for customer control
- ✅ Independent logging and monitoring
- ✅ Customer-managed backups
- ✅ Audit trail independence

**Key Vault Configuration**:
- Premium SKU with HSM-backed keys
- Soft delete and purge protection enabled
- Private endpoints only
- Customer-managed keys for all services

### 3. Regulatory Compliance

**Requirement**: Compliance with local regulations, data protection laws, and industry standards.
**Implementation**:
- ✅ GDPR compliance (EU data protection)
- ✅ eIDAS compliance (electronic identification)
- ✅ ISO 27001 alignment
- ✅ SOC 2 Type II readiness
- ✅ Industry-specific compliance

**Compliance Dashboards**:
- Azure Policy compliance dashboard
- Microsoft Defender for Cloud compliance
- Regulatory compliance reporting
- Audit log retention (90 days production, 30 days dev)

## Architecture Components

### Management Group Hierarchy

```
Root Management Group
├── Landing Zones
│   ├── Platform (shared services)
│   ├── Production
│   ├── Staging
│   └── Development
├── Identity
├── Connectivity
└── Management
```

### Regional Deployment

Each region includes:
- Hub virtual network with Azure Firewall
- Spoke virtual networks for workloads
- Private endpoints for all PaaS services
- Regional Key Vault with CMK
- Regional Log Analytics workspace
- Regional backup vault

### Network Architecture

**Hub-and-Spoke Model**:
- Centralized security (Azure Firewall)
- Private connectivity (VPN/ExpressRoute)
- Network segmentation
- DDoS protection
- WAF for public endpoints

**Private Endpoints**:
- All PaaS services use private endpoints
- No public internet exposure
- DNS resolution via Private DNS zones
- Network security groups for additional isolation

## Policy Framework

### Data Residency Policies

**Policy**: Enforce data residency restrictions

```json
{
  "if": {
    "allOf": [
      {
        "field": "location",
        "notIn": ["westeurope", "northeurope", "uksouth", ...]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```

**Policy**: Require customer-managed encryption

```json
{
  "if": {
    "allOf": [
      {
        "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
        "notEquals": "Microsoft.Keyvault"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```

### Security Policies

**Policy**: Require private endpoints
**Policy**: Enforce TLS 1.3 minimum
**Policy**: Require MFA for all users
**Policy**: Enforce RBAC assignments
**Policy**: Require security monitoring

### Compliance Policies

**Policy**: Enable Defender for Cloud
**Policy**: Enable diagnostic logging
**Policy**: Require backup configuration
**Policy**: Enforce tag requirements
**Policy**: Require cost management

## Monitoring and Compliance

### Compliance Monitoring

**Azure Policy Compliance**:
- Daily compliance scans
- Non-compliance alerts
- Compliance dashboard
- Remediation automation

**Microsoft Defender for Cloud**:
- Security posture assessment
- Regulatory compliance dashboard
- Security recommendations
- Threat protection

**Cost Management**:
- Budget alerts
- Cost anomaly detection
- Resource utilization tracking
- Reserved capacity optimization

### Audit and Logging

**Audit Logs**:
- Activity logs (90 days retention)
- Diagnostic logs (30-90 days)
- Security logs (1 year retention)
- Compliance logs (7 years for legal)

**Log Storage**:
- Regional Log Analytics workspaces
- Customer-managed encryption
- Private endpoints only
- Immutable storage for compliance

## Data Protection

### Encryption

**At Rest**:
- Customer-managed keys (CMK)
- Azure Key Vault Premium with HSM
- Double encryption where available
- Key rotation policies

**In Transit**:
- TLS 1.3 minimum
- Certificate management via Key Vault
- Perfect Forward Secrecy
- Certificate pinning for APIs

### Data Classification

**Classification Levels**:
- Public
- Internal
- Confidential
- Highly Confidential

**Classification Tags**:
- Applied to all resources
- Enforced via Azure Policy
- Used for access control
- Monitored for compliance

## Access Control

### Identity Management

**Azure AD**:
- Centralized identity management
- Conditional access policies
- MFA enforcement
- Privileged Identity Management (PIM)

**RBAC**:
- Least privilege principle
- Role-based access control
- Regular access reviews
- Just-in-time access

### Network Access

**Private Endpoints**:
- All PaaS services
- No public internet access
- DNS resolution via Private DNS
- Network security groups

**Azure Firewall**:
- Centralized network security
- Application rules
- Network rules
- Threat intelligence

## Backup and Disaster Recovery

### Backup Strategy

**Database Backups**:
- Daily full backups
- Hourly incremental backups
- Point-in-time restore
- Geo-redundant storage (within region)

**Storage Backups**:
- Blob versioning
- Soft delete enabled
- Immutable storage for compliance
- Cross-region backup (DR only)

**Configuration Backups**:
- Terraform state backups
- Infrastructure as Code
- Configuration versioning
- Disaster recovery documentation

### Disaster Recovery

**RTO/RPO Targets**:
- RTO: 4 hours
- RPO: 1 hour
- DR regions: Secondary region per primary
- Failover procedures: Automated and manual

**DR Testing**:
- Quarterly DR tests
- Failover procedures documented
- Recovery validation
- Lessons learned documentation

## Compliance Reporting

### Regular Reports

**Monthly**:
- Compliance status report
- Security posture assessment
- Cost optimization report
- Policy compliance summary

**Quarterly**:
- Regulatory compliance review
- Access review completion
- DR test results
- Security audit findings

**Annually**:
- Comprehensive compliance audit
- Third-party security assessment
- Regulatory certification renewal
- Architecture review

## Compliance Checklist

### Data Residency
- [ ] All resources in approved regions
- [ ] No cross-region replication (except DR)
- [ ] Regional resource groups
- [ ] Policy enforcement active

### Operational Sovereignty
- [ ] Customer-managed keys for all services
- [ ] Independent logging and monitoring
- [ ] Customer-managed backups
- [ ] Audit trail independence

### Security
- [ ] Zero Trust architecture
- [ ] Encryption at rest and in transit
- [ ] Private endpoints for all services
- [ ] Threat protection enabled

### Compliance
- [ ] GDPR compliance verified
- [ ] eIDAS compliance verified
- [ ] Audit logs retained
- [ ] Compliance dashboards active

### Monitoring
- [ ] Compliance monitoring active
- [ ] Security monitoring active
- [ ] Cost monitoring active
- [ ] Alerting configured

## References

- [Microsoft Cloud for Sovereignty](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/sovereignty/)
- [Azure Well-Architected Framework](https://learn.microsoft.com/en-us/azure/architecture/framework/)
- [Azure Security Benchmark](https://learn.microsoft.com/en-us/azure/security/benchmarks/)
- [GDPR Compliance](https://learn.microsoft.com/en-us/compliance/regulatory/gdpr)
- [eIDAS Compliance](https://learn.microsoft.com/en-us/compliance/regulatory/offering-eidas)

---

**Last Updated**: 2025-01-27
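The data-residency and customer-managed-key rules in the Policy Framework section, together with the classification-tag requirement from the Data Classification section, can be dry-run offline before they are assigned. The block below is an added example, not code from this guide, The Order project or Azure's policy engine: a minimal evaluator for the `allOf` / `notIn` / `notEquals` / `exists` conditions those rules use, run over constructed resource records. The approved-region list (the guide elides it with `...`), the policy names, the tag rule and the sample resources are assumptions.

```python
# Approved regions: the guide's list is truncated ("..."), so this short list is an assumption.
APPROVED_REGIONS = ["westeurope", "northeurope", "uksouth"]
# The guide's two policy rules plus an assumed rule for the classification-tag requirement.
POLICIES = {
    "deny-unapproved-region": {"if": {"allOf": [{"field": "location", "notIn": APPROVED_REGIONS}]},
                               "then": {"effect": "deny"}},
    "deny-storage-without-cmk": {"if": {"allOf": [{"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
                                                   "notEquals": "Microsoft.Keyvault"}]}, "then": {"effect": "deny"}},
    "deny-missing-classification-tag": {"if": {"allOf": [{"field": "tags['classification']", "exists": "false"}]},
                                        "then": {"effect": "deny"}},
}
NOT_APPLICABLE = object()  # the alias belongs to a different resource type than the one being evaluated

def resolve_field(resource, field):
    # Resolve a policy 'field' against an ARM-style resource record (name/type/location/tags/properties).
    if field.startswith("tags['"):
        return (resource.get("tags") or {}).get(field[6:-2])
    if "/" in field:  # alias: <Microsoft.Provider/type>/<property.path>
        rtype, _, path = field.rpartition("/")
        if resource.get("type", "").lower() != rtype.lower():
            return NOT_APPLICABLE
        value = resource.get("properties", {})
        for part in path.split("."):
            value = value.get(part) if isinstance(value, dict) else None
        return value
    return resource.get(field)

def condition_matches(resource, cond):
    value = resolve_field(resource, cond["field"])
    if value is NOT_APPLICABLE:
        return False  # an alias for another type never matches here (see usage note)
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, policies=POLICIES):
    # Names of the deny policies whose 'if' block (all conditions in allOf) matches the resource.
    return [name for name, pol in policies.items() if pol["then"]["effect"] == "deny"
            and all(condition_matches(resource, c) for c in pol["if"]["allOf"])]

SAMPLE_RESOURCES = [  # constructed records shaped like 'az resource show' output; not real resources
    {"name": "stordata01", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "tags": {"classification": "Confidential"}, "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}}},
    {"name": "stordev02", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "tags": {"classification": "Internal"}, "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
    {"name": "kv-prod-weu", "type": "Microsoft.KeyVault/vaults", "location": "westeurope", "tags": {}},
]

def compliance_report(resources=SAMPLE_RESOURCES):
    # Map each resource name to the policies that would deny it; an empty list means compliant.
    return {r["name"]: evaluate(r) for r in resources}
```

The evaluator deliberately treats the storage-account alias as not applicable to other resource types; the guide's CMK rule as written has no such scoping, and Azure's built-in definitions add an explicit `"field": "type", "equals": "Microsoft.Storage/storageAccounts"` condition for this reason, which is worth adding before assigning the rule at management-group scope.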