the_order/docs/architecture/SOVEREIGNTY_COMPLIANCE.md
defiQUG 3bf47efa2b feat: implement comprehensive Well-Architected Framework and Cloud for Sovereignty compliance
- Add Well-Architected Framework implementation guide covering all 5 pillars
- Create Well-Architected Terraform module (cost, operations, performance, reliability, security)
- Add Cloud for Sovereignty compliance guide
- Implement data residency policies and enforcement
- Add operational sovereignty features (CMK, independent logging)
- Configure compliance monitoring and reporting
- Add budget management and cost optimization
- Implement comprehensive security controls
- Add backup and disaster recovery automation
- Create performance optimization resources (Redis, Front Door)
- Add operational excellence tools (Log Analytics, App Insights, Automation)
2025-11-13 11:05:28 -08:00


Cloud for Sovereignty Compliance Guide

Last Updated: 2025-01-27
Status: Comprehensive Compliance Framework
Standard: Microsoft Cloud for Sovereignty

Overview

This document outlines how The Order project achieves and maintains compliance with Microsoft Cloud for Sovereignty requirements, ensuring data residency, operational control, and regulatory compliance.

Compliance Requirements

1. Data Residency

Requirement: All data must remain within specified geographic regions and never be replicated to non-approved regions.

Implementation:

  • Azure Policy enforcement for region restrictions
  • Regional resource groups and storage accounts
  • Database geo-restrictions
  • CDN regional restrictions
  • No cross-region data replication (except for DR)

Verification:

# Check resource locations
az resource list --query "[].{Name:name, Location:location}" --output table

# Verify policy compliance
az policy state list --filter "complianceState eq 'NonCompliant'"

2. Operational Sovereignty

Requirement: Customer maintains control over operations with limited Microsoft access.

Implementation:

  • Customer-managed encryption keys (CMK)
  • Azure Lighthouse for customer control
  • Independent logging and monitoring
  • Customer-managed backups
  • Audit trail independence

Key Vault Configuration:

  • Premium SKU with HSM-backed keys
  • Soft delete and purge protection enabled
  • Private endpoints only
  • Customer-managed keys for all services

3. Regulatory Compliance

Requirement: Compliance with local regulations, data protection laws, and industry standards.

Implementation:

  • GDPR compliance (EU data protection)
  • eIDAS compliance (electronic identification)
  • ISO 27001 alignment
  • SOC 2 Type II readiness
  • Industry-specific compliance

Compliance Dashboards:

  • Azure Policy compliance dashboard
  • Microsoft Defender for Cloud compliance
  • Regulatory compliance reporting
  • Audit log retention (90 days production, 30 days dev)

Architecture Components

Management Group Hierarchy

Root Management Group
├── Landing Zones
│   ├── Platform (shared services)
│   ├── Production
│   ├── Staging
│   └── Development
├── Identity
├── Connectivity
└── Management

Regional Deployment

Each region includes:

  • Hub virtual network with Azure Firewall
  • Spoke virtual networks for workloads
  • Private endpoints for all PaaS services
  • Regional Key Vault with CMK
  • Regional Log Analytics workspace
  • Regional backup vault

Network Architecture

Hub-and-Spoke Model:

  • Centralized security (Azure Firewall)
  • Private connectivity (VPN/ExpressRoute)
  • Network segmentation
  • DDoS protection
  • WAF for public endpoints

Private Endpoints:

  • All PaaS services use private endpoints
  • No public internet exposure
  • DNS resolution via Private DNS zones
  • Network security groups for additional isolation

Policy Framework

Data Residency Policies

Policy: Enforce data residency restrictions

{
  "if": {
    "allOf": [
      {
        "field": "location",
        "notIn": ["westeurope", "northeurope", "uksouth", ...]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

Policy: Require customer-managed encryption

{
  "if": {
    "allOf": [
      {
        "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
        "notEquals": "Microsoft.Keyvault"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
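The two policy definitions above, and the `az resource list` / `az policy state list` verification commands in the Data Residency section, both come down to evaluating a small condition grammar over resource properties. The following is an added example, not code from The Order project or from Azure Policy itself: a toy evaluator for exactly the rule shape used on this page (`allOf`, `field` with `in`/`notIn`/`equals`/`notEquals`, plus `exists` for the classification-tag requirement described later), run over a constructed inventory shaped like `az resource list -o json` output. The `APPROVED_REGIONS` list stands in for the `...` in the residency policy, and the `ALIASES` table is a hypothetical stand-in for the alias resolution the real Azure Policy service performs.

```python
"""Toy evaluator for the Azure Policy rule shape used in this guide
(added example, not project code)."""
import json

# Constructed: stands in for the "..." region list in the residency policy above.
APPROVED_REGIONS = ["westeurope", "northeurope", "uksouth"]

POLICIES = {
    "residency": {
        "if": {"allOf": [{"field": "location", "notIn": APPROVED_REGIONS}]},
        "then": {"effect": "deny"},
    },
    "require-cmk": {
        "if": {"allOf": [{
            "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
            "notEquals": "Microsoft.Keyvault"}]},
        "then": {"effect": "deny"},
    },
    "require-classification-tag": {
        "if": {"allOf": [{"field": "tags['classification']", "exists": "false"}]},
        "then": {"effect": "deny"},
    },
}

# Hypothetical alias table: alias -> (resource type it applies to, property path).
# As in the real service, an alias is only evaluated for resources of its own type.
ALIASES = {
    "Microsoft.Storage/storageAccounts/encryption.keySource": (
        "Microsoft.Storage/storageAccounts", ["properties", "encryption", "keySource"]),
}

NOT_APPLICABLE = object()  # sentinel: alias does not apply to this resource type


def get_field(resource, field):
    """Resolve a policy `field` against one resource (resource types compared case-insensitively)."""
    if field in ALIASES:
        rtype, path = ALIASES[field]
        if resource.get("type", "").lower() != rtype.lower():
            return NOT_APPLICABLE
        node = resource
        for key in path:
            if not isinstance(node, dict) or key not in node:
                return None  # property absent on this resource
            node = node[key]
        return node
    if field.startswith("tags[") and field.endswith("]"):
        return (resource.get("tags") or {}).get(field[5:-1].strip("'\""))
    return resource.get(field)


def norm(value):
    """Azure Policy string comparisons are case-insensitive."""
    return value.lower() if isinstance(value, str) else value


def evaluate(resource, cond):
    """Return True when `cond` (a policy `if` block) matches the resource."""
    if "allOf" in cond:
        return all(evaluate(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(resource, cond["not"])
    value = get_field(resource, cond["field"])
    if value is NOT_APPLICABLE:
        return False
    if "equals" in cond:
        return norm(value) == norm(cond["equals"])
    if "notEquals" in cond:
        return norm(value) != norm(cond["notEquals"])
    if "in" in cond:
        return norm(value) in {norm(v) for v in cond["in"]}
    if "notIn" in cond:
        return norm(value) not in {norm(v) for v in cond["notIn"]}
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def check_inventory(resources, policies):
    """Return sorted (resource name, policy name, effect) for every rule that matches."""
    findings = []
    for res in resources:
        for pname, policy in policies.items():
            if evaluate(res, policy["if"]):
                findings.append((res["name"], pname, policy["then"]["effect"]))
    return sorted(findings)


# Constructed inventory: one compliant storage account, one legacy account in an
# unapproved region with platform-managed keys, and an untagged VM. The `properties`
# block is what `az resource show` (not the plain list) would return.
SAMPLE_INVENTORY = json.loads("""[
  {"name": "st-prod-weu", "type": "Microsoft.Storage/storageAccounts",
   "location": "westeurope", "tags": {"classification": "Confidential"},
   "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}}},
  {"name": "st-legacy-eus", "type": "Microsoft.Storage/storageAccounts",
   "location": "eastus", "tags": {"classification": "Internal"},
   "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
  {"name": "vm-dev-neu", "type": "Microsoft.Compute/virtualMachines",
   "location": "northeurope", "tags": {}}
]""")

if __name__ == "__main__":
    for name, policy, effect in check_inventory(SAMPLE_INVENTORY, POLICIES):
        print(f"{effect.upper():5} {name:16} violates {policy}")
```

Note that the CMK policy as written above has no `type` guard; the real service skips the alias for non-storage resources, which is what the `NOT_APPLICABLE` sentinel reproduces here. When authoring such rules it is still safer to add an explicit `"field": "type", "equals": "Microsoft.Storage/storageAccounts"` condition to the `allOf`.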

Security Policies

  • Policy: Require private endpoints
  • Policy: Enforce TLS 1.3 minimum
  • Policy: Require MFA for all users
  • Policy: Enforce RBAC assignments
  • Policy: Require security monitoring

Compliance Policies

  • Policy: Enable Defender for Cloud
  • Policy: Enable diagnostic logging
  • Policy: Require backup configuration
  • Policy: Enforce tag requirements
  • Policy: Require cost management

Monitoring and Compliance

Compliance Monitoring

Azure Policy Compliance:

  • Daily compliance scans
  • Non-compliance alerts
  • Compliance dashboard
  • Remediation automation

Microsoft Defender for Cloud:

  • Security posture assessment
  • Regulatory compliance dashboard
  • Security recommendations
  • Threat protection

Cost Management:

  • Budget alerts
  • Cost anomaly detection
  • Resource utilization tracking
  • Reserved capacity optimization

Audit and Logging

Audit Logs:

  • Activity logs (90 days retention)
  • Diagnostic logs (30-90 days)
  • Security logs (1 year retention)
  • Compliance logs (7 years for legal)

Log Storage:

  • Regional Log Analytics workspaces
  • Customer-managed encryption
  • Private endpoints only
  • Immutable storage for compliance

Data Protection

Encryption

At Rest:

  • Customer-managed keys (CMK)
  • Azure Key Vault Premium with HSM
  • Double encryption where available
  • Key rotation policies

In Transit:

  • TLS 1.3 minimum
  • Certificate management via Key Vault
  • Perfect Forward Secrecy
  • Certificate pinning for APIs
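The in-transit controls listed above are enforced on the client side as much as on the service side. The following is an added example, not code from The Order project: a standard-library Python client configuration that makes TLS 1.3 the floor (which also guarantees forward secrecy, since TLS 1.3 only defines (EC)DHE key exchange), keeps certificate and hostname verification on, and checks an API endpoint's key against a pinned SPKI hash in the common `sha256/<base64>` form. It takes the DER-encoded SubjectPublicKeyInfo as input because extracting it from a peer certificate needs an X.509 parser such as the `cryptography` package; the pinned value in the demo is computed from a constructed byte string so the code runs offline.

```python
"""Client-side TLS 1.3 floor and SPKI pinning (added example, not project code)."""
import base64
import hashlib
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Verifies chain and hostname and refuses anything below TLS 1.3."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # forward secrecy is implied by 1.3
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The weak counterpart: still verifies certificates but still allows TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy_compliant(ctx: ssl.SSLContext) -> bool:
    """Check a context against this guide's in-transit requirements.
    ssl.TLSVersion is an IntEnum, so version comparison works directly."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_3
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


def spki_pin(spki_der: bytes) -> str:
    """Pin string over the DER SubjectPublicKeyInfo, 'sha256/<base64>' form."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def verify_pin(spki_der: bytes, pinned: set) -> bool:
    """True when the presented key matches one of the pinned keys.
    Keep at least two pins (current key plus next rotation key) so that
    certificate rotation via Key Vault does not lock clients out."""
    return spki_pin(spki_der) in pinned


# Constructed stand-in for a DER SubjectPublicKeyInfo; a real pin set holds the
# SHA-256 of the API certificate's actual SPKI plus that of its successor.
DEMO_SPKI = b"constructed-spki-bytes-for-demo"
PINNED_KEYS = {spki_pin(DEMO_SPKI)}

if __name__ == "__main__":
    print("hardened compliant:", tls_policy_compliant(hardened_client_context()))
    print("legacy compliant:  ", tls_policy_compliant(legacy_client_context()))
    print("pin ok:            ", verify_pin(DEMO_SPKI, PINNED_KEYS))
    print("pin ok (rogue key):", verify_pin(b"some-other-key", PINNED_KEYS))
```

Pinning the SPKI hash rather than the whole certificate lets the certificate be renewed through Key Vault without changing the pin, as long as the key pair is kept; a key rotation requires the new pin to be shipped to clients before the old key is retired.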

Data Classification

Classification Levels:

  • Public
  • Internal
  • Confidential
  • Highly Confidential

Classification Tags:

  • Applied to all resources
  • Enforced via Azure Policy
  • Used for access control
  • Monitored for compliance

Access Control

Identity Management

Azure AD:

  • Centralized identity management
  • Conditional access policies
  • MFA enforcement
  • Privileged Identity Management (PIM)

RBAC:

  • Least privilege principle
  • Role-based access control
  • Regular access reviews
  • Just-in-time access

Network Access

Private Endpoints:

  • All PaaS services
  • No public internet access
  • DNS resolution via Private DNS
  • Network security groups

Azure Firewall:

  • Centralized network security
  • Application rules
  • Network rules
  • Threat intelligence

Backup and Disaster Recovery

Backup Strategy

Database Backups:

  • Daily full backups
  • Hourly incremental backups
  • Point-in-time restore
  • Geo-redundant storage (within region)

Storage Backups:

  • Blob versioning
  • Soft delete enabled
  • Immutable storage for compliance
  • Cross-region backup (DR only)

Configuration Backups:

  • Terraform state backups
  • Infrastructure as Code
  • Configuration versioning
  • Disaster recovery documentation

Disaster Recovery

RTO/RPO Targets:

  • RTO: 4 hours
  • RPO: 1 hour
  • DR regions: Secondary region per primary
  • Failover procedures: Automated and manual
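A backup schedule of daily fulls and hourly incrementals does not by itself prove the 1 hour RPO above: one failed incremental invalidates every later incremental until the next successful full, so the latest restorable point can be hours older than the latest backup job. The following is an added example, not code from The Order project, that validates the restore chain and measures the data-loss window against the RPO target. The catalog format is constructed for the example; a real check would read the job history from the backup vault, and it assumes that each incremental builds on the backup immediately before it in time.

```python
"""Restore-point validation against the RPO target (added example, not project code)."""
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=1)  # target stated in this guide


def T(hour, minute=0):
    """Constructed UTC timestamp on a single demo day."""
    return datetime(2025, 1, 27, hour, minute, tzinfo=timezone.utc)


def latest_restore_point(catalog):
    """Newest point in time that sits on an unbroken chain from a successful full.
    Assumes each incremental builds on the backup immediately before it in time."""
    point, chain_ok = None, False
    for b in sorted(catalog, key=lambda b: b["completed_at"]):
        if b["kind"] == "full":
            chain_ok = b["status"] == "ok"
            if chain_ok:
                point = b["completed_at"]
        elif chain_ok and b["status"] == "ok":
            point = b["completed_at"]
        else:
            chain_ok = False  # failed (or orphaned) incremental breaks the chain
    return point


def rpo_met(catalog, now, rpo=RPO):
    """Return (compliant, data-loss window) for the catalog as of `now`."""
    point = latest_restore_point(catalog)
    if point is None:
        return False, None  # nothing restorable at all
    gap = now - point
    return gap <= rpo, gap


def _backup(kind, hour, status="ok"):
    return {"kind": kind, "status": status, "completed_at": T(hour)}


# Constructed catalogs: daily full at 02:00, hourly incrementals afterwards.
HEALTHY_CHAIN = [_backup("full", 2)] + [_backup("incremental", h) for h in range(3, 8)]
BROKEN_CHAIN = [_backup("full", 2)] + [
    _backup("incremental", 3), _backup("incremental", 4), _backup("incremental", 5),
    _backup("incremental", 6, status="failed"),
    _backup("incremental", 7),  # job succeeded, but its 06:00 base is missing
]

if __name__ == "__main__":
    now = T(7, 30)
    for name, cat in (("healthy", HEALTHY_CHAIN), ("broken", BROKEN_CHAIN)):
        ok, gap = rpo_met(cat, now)
        point = latest_restore_point(cat)
        print(f"{name}: restorable to {point:%H:%M}, window {gap}, RPO met: {ok}")
```

The broken catalog illustrates why the check belongs in compliance monitoring rather than only in the quarterly DR test: every hourly job after the failure reports success, yet the oldest data that can actually be recovered is two and a half hours old.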

DR Testing:

  • Quarterly DR tests
  • Failover procedures documented
  • Recovery validation
  • Lessons learned documentation

Compliance Reporting

Regular Reports

Monthly:

  • Compliance status report
  • Security posture assessment
  • Cost optimization report
  • Policy compliance summary

Quarterly:

  • Regulatory compliance review
  • Access review completion
  • DR test results
  • Security audit findings

Annually:

  • Comprehensive compliance audit
  • Third-party security assessment
  • Regulatory certification renewal
  • Architecture review

Compliance Checklist

Data Residency

  • All resources in approved regions
  • No cross-region replication (except DR)
  • Regional resource groups
  • Policy enforcement active

Operational Sovereignty

  • Customer-managed keys for all services
  • Independent logging and monitoring
  • Customer-managed backups
  • Audit trail independence

Security

  • Zero Trust architecture
  • Encryption at rest and in transit
  • Private endpoints for all services
  • Threat protection enabled

Compliance

  • GDPR compliance verified
  • eIDAS compliance verified
  • Audit logs retained
  • Compliance dashboards active

Monitoring

  • Compliance monitoring active
  • Security monitoring active
  • Cost monitoring active
  • Alerting configured
