- Add Well-Architected Framework implementation guide covering all 5 pillars - Create Well-Architected Terraform module (cost, operations, performance, reliability, security) - Add Cloud for Sovereignty compliance guide - Implement data residency policies and enforcement - Add operational sovereignty features (CMK, independent logging) - Configure compliance monitoring and reporting - Add budget management and cost optimization - Implement comprehensive security controls - Add backup and disaster recovery automation - Create performance optimization resources (Redis, Front Door) - Add operational excellence tools (Log Analytics, App Insights, Automation)
Cloud for Sovereignty Compliance Guide
Last Updated: 2025-01-27
Status: Comprehensive Compliance Framework
Standard: Microsoft Cloud for Sovereignty
Overview
This document outlines how The Order project achieves and maintains compliance with Microsoft Cloud for Sovereignty requirements, ensuring data residency, operational control, and regulatory compliance.
Compliance Requirements
1. Data Residency
Requirement: All data must remain within specified geographic regions and never be replicated to non-approved regions.
Implementation:
- ✅ Azure Policy enforcement for region restrictions
- ✅ Regional resource groups and storage accounts
- ✅ Database geo-restrictions
- ✅ CDN regional restrictions
- ✅ No cross-region data replication, except to the approved DR region for backups
Verification:
# Check resource locations
az resource list --query "[].{Name:name, Location:location}" --output table
# Verify policy compliance
az policy state list --filter "complianceState eq 'NonCompliant'"
2. Operational Sovereignty
Requirement: Customer maintains control over operations with limited Microsoft access.
Implementation:
- ✅ Customer-managed encryption keys (CMK)
- ✅ Azure Lighthouse for scoped, customer-approved delegated access (operators see only the subscriptions and roles the customer delegates, and the customer can revoke the delegation)
- ✅ Independent logging and monitoring
- ✅ Customer-managed backups
- ✅ Audit trail independence
Key Vault Configuration:
- Premium SKU with HSM-backed keys
- Soft delete and purge protection enabled
- Private endpoints only
- Customer-managed keys for every service that supports them (storage accounts without a Key Vault key source are denied by policy)
3. Regulatory Compliance
Requirement: Compliance with local regulations, data protection laws, and industry standards.
Implementation:
- ✅ GDPR compliance (EU data protection)
- ✅ eIDAS compliance (electronic identification)
- ✅ ISO 27001 alignment
- ✅ SOC 2 Type II readiness
- ✅ Industry-specific compliance
Compliance Dashboards:
- Azure Policy compliance dashboard
- Microsoft Defender for Cloud compliance
- Regulatory compliance reporting
- Audit log retention per the schedule under Audit and Logging (90 days baseline for production activity logs, 30 days in development; security and compliance logs are retained longer)
Architecture Components
Management Group Hierarchy
Root Management Group
├── Landing Zones
│ ├── Platform (shared services)
│ ├── Production
│ ├── Staging
│ └── Development
├── Identity
├── Connectivity
└── Management
Regional Deployment
Each region includes:
- Hub virtual network with Azure Firewall
- Spoke virtual networks for workloads
- Private endpoints for all PaaS services
- Regional Key Vault with CMK
- Regional Log Analytics workspace
- Regional backup vault
Network Architecture
Hub-and-Spoke Model:
- Centralized security (Azure Firewall)
- Private connectivity (VPN/ExpressRoute)
- Network segmentation
- DDoS protection
- WAF for public endpoints
Private Endpoints:
- All PaaS services use private endpoints
- No public internet exposure
- DNS resolution via Private DNS zones
- Network security groups for additional isolation
Policy Framework
Data Residency Policies
Policy: Enforce data residency restrictions
{
"if": {
"allOf": [
{
"field": "location",
"notIn": ["westeurope", "northeurope", "uksouth", ...]
}
]
},
"then": {
"effect": "deny"
}
}
Policy: Require customer-managed encryption
{
"if": {
"allOf": [
{
"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
"notEquals": "Microsoft.Keyvault"
}
]
},
"then": {
"effect": "deny"
}
}
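The two policy rules above, and the `az resource list` / `az policy state list` checks under Data Residency, can be exercised offline before anything is assigned in a subscription. The following evaluator is an added example (not the project's own code) that implements the subset of the Azure Policy rule language used on this page (`field`, `equals`, `notEquals`, `in`, `notIn`, `exists`, `allOf`, `anyOf`) and runs it over a constructed inventory in the shape of `az resource list -o json` output. It goes slightly beyond the page's rules: the residency rule exempts `global` resources and resource groups (which the page's rule as written would deny, since Front Door, DNS zones and Traffic Manager profiles report location `global`), and a third rule enforces the classification tag from the Data Classification section. The approved-region list is the visible part of the page's `notIn` list and the tag name `classification` is an assumption.

```python
"""Offline evaluator for the Azure Policy rules on this page (added example, not project code)."""
import json
import re

# Assumption: the visible portion of the page's approved-region list.
APPROVED_REGIONS = ["westeurope", "northeurope", "uksouth"]

POLICIES = {
    # Page's residency rule plus exemptions for global resources and resource groups,
    # as the built-in "Allowed locations" policy also does.
    "residency": {"if": {"allOf": [
        {"field": "location", "notIn": APPROVED_REGIONS},
        {"field": "location", "notEquals": "global"},
        {"field": "type", "notEquals": "Microsoft.Resources/resourceGroups"},
    ]}, "then": {"effect": "deny"}},
    # Page's CMK rule; the type condition matters because an alias that does not apply
    # to the resource type resolves to null, and null != "Microsoft.Keyvault" would match.
    "cmk": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/encryption.keySource", "notEquals": "Microsoft.Keyvault"},
    ]}, "then": {"effect": "deny"}},
    # Classification tag rule (assumed tag name "classification").
    "classification": {"if": {"anyOf": [
        {"field": "tags['classification']", "exists": "false"},
        {"field": "tags['classification']", "notIn": ["Public", "Internal", "Confidential", "Highly Confidential"]},
    ]}, "then": {"effect": "deny"}},
}


def _field(resource, field):
    """Resolve a policy field: tags['x'], top-level location/type/name, or a type-scoped alias."""
    m = re.fullmatch(r"tags\['(.+)'\]", field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    if field in ("location", "type", "name"):
        return resource.get(field)
    rtype = resource.get("type", "")
    if rtype and field.lower().startswith(rtype.lower() + "/"):
        value = resource.get("properties") or {}
        for part in field[len(rtype) + 1:].split("."):
            if not isinstance(value, dict) or part not in value:
                return None
            value = value[part]
        return value
    return None  # alias for another resource type: treated as null


def _norm(v):
    # Azure Policy string comparisons are case-insensitive; locations also ignore spaces.
    return v.replace(" ", "").lower() if isinstance(v, str) else v


def _condition(resource, cond):
    if "allOf" in cond:
        return all(_condition(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(resource, c) for c in cond["anyOf"])
    value = _norm(_field(resource, cond["field"]))
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policies, resources):
    """Map resource name -> names of deny/audit policies whose 'if' block matches it."""
    findings = {}
    for r in resources:
        hits = [name for name, pol in policies.items()
                if pol["then"]["effect"].lower() in ("deny", "audit") and _condition(r, pol["if"])]
        if hits:
            findings[r["name"]] = hits
    return findings


# Constructed inventory in the shape of `az resource list -o json`; subscription id is a placeholder.
SAMPLE_INVENTORY = json.loads("""[
 {"name": "rg-prod-weu", "type": "Microsoft.Resources/resourceGroups", "location": "westeurope",
  "tags": {"classification": "Internal"}},
 {"name": "stprodweu", "type": "Microsoft.Storage/storageAccounts", "location": "West Europe",
  "tags": {"classification": "Confidential"}, "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}}},
 {"name": "stdevcmk", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
  "tags": {"classification": "Internal"}, "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
 {"name": "fd-prod", "type": "Microsoft.Cdn/profiles", "location": "global", "tags": {"classification": "Public"}},
 {"name": "kv-eastus", "type": "Microsoft.KeyVault/vaults", "location": "eastus", "tags": {"classification": "Secret"}},
 {"name": "vnet-hub-neu", "type": "Microsoft.Network/virtualNetworks", "location": "northeurope", "tags": null}
]""")

if __name__ == "__main__":
    for name, hits in evaluate(POLICIES, SAMPLE_INVENTORY).items():
        print(f"{name:<16} would be denied by: {', '.join(hits)}")
```

Run it against a real inventory with `az resource list -o json > inventory.json` and `json.load(open("inventory.json"))` in place of `SAMPLE_INVENTORY`; resources that `az resource list` omits (resource groups, and child resources such as blob containers) need separate listing. The output is a pre-assignment preview only: the authoritative result is still `az policy state list` after the definitions are assigned at the management group.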
Security Policies
- Policy: Require private endpoints
- Policy: Enforce TLS 1.3 minimum (TLS 1.2 floor for services that cannot yet negotiate 1.3; a deny on anything below 1.3 blocks those services)
- Policy: Require MFA for all users
- Policy: Enforce RBAC assignments
- Policy: Require security monitoring
Compliance Policies
- Policy: Enable Defender for Cloud
- Policy: Enable diagnostic logging
- Policy: Require backup configuration
- Policy: Enforce tag requirements
- Policy: Require cost management
Monitoring and Compliance
Compliance Monitoring
Azure Policy Compliance:
- Daily compliance scans
- Non-compliance alerts
- Compliance dashboard
- Remediation automation
Microsoft Defender for Cloud:
- Security posture assessment
- Regulatory compliance dashboard
- Security recommendations
- Threat protection
Cost Management:
- Budget alerts
- Cost anomaly detection
- Resource utilization tracking
- Reserved capacity optimization
Audit and Logging
Audit Logs:
- Activity logs (90 days retention)
- Diagnostic logs (30-90 days)
- Security logs (1 year retention)
- Compliance logs (7 years for legal)
Log Storage:
- Regional Log Analytics workspaces
- Customer-managed encryption
- Private endpoints only
- Immutable storage for compliance
Data Protection
Encryption
At Rest:
- Customer-managed keys (CMK)
- Azure Key Vault Premium with HSM
- Double encryption where available
- Key rotation policies
In Transit:
- TLS 1.3 minimum where the service supports it, TLS 1.2 floor elsewhere
- Certificate management via Key Vault
- Perfect Forward Secrecy (ECDHE cipher suites only)
- Certificate pinning for APIs, pinned to the issuing CA or a backup key rather than the leaf certificate, so Key Vault rotation does not break clients
Data Classification
Classification Levels:
- Public
- Internal
- Confidential
- Highly Confidential
Classification Tags:
- Applied to all resources
- Enforced via Azure Policy
- Used for access control
- Monitored for compliance
Access Control
Identity Management
Azure AD:
- Centralized identity management
- Conditional access policies
- MFA enforcement
- Privileged Identity Management (PIM)
RBAC:
- Least privilege principle
- Role-based access control
- Regular access reviews
- Just-in-time access
Network Access
Private Endpoints:
- All PaaS services
- No public internet access
- DNS resolution via Private DNS
- Network security groups
Azure Firewall:
- Centralized network security
- Application rules
- Network rules
- Threat intelligence
Backup and Disaster Recovery
Backup Strategy
Database Backups:
- Daily full backups
- Hourly incremental backups
- Point-in-time restore
- Geo-redundant storage only where the Azure paired region is an approved region (Azure chooses the pair; it is not selectable), otherwise zone-redundant storage within the region
Storage Backups:
- Blob versioning
- Soft delete enabled
- Immutable storage for compliance
- Cross-region backup (DR only)
Configuration Backups:
- Terraform state backups
- Infrastructure as Code
- Configuration versioning
- Disaster recovery documentation
Disaster Recovery
RTO/RPO Targets:
- RTO: 4 hours
- RPO: 1 hour
- DR regions: Secondary region per primary
- Failover procedures: Automated and manual
DR Testing:
- Quarterly DR tests
- Failover procedures documented
- Recovery validation
- Lessons learned documentation
Compliance Reporting
Regular Reports
Monthly:
- Compliance status report
- Security posture assessment
- Cost optimization report
- Policy compliance summary
Quarterly:
- Regulatory compliance review
- Access review completion
- DR test results
- Security audit findings
Annually:
- Comprehensive compliance audit
- Third-party security assessment
- Regulatory certification renewal
- Architecture review
Compliance Checklist
Data Residency
- All resources in approved regions
- No cross-region replication (except DR)
- Regional resource groups
- Policy enforcement active
Operational Sovereignty
- Customer-managed keys for all services
- Independent logging and monitoring
- Customer-managed backups
- Audit trail independence
Security
- Zero Trust architecture
- Encryption at rest and in transit
- Private endpoints for all services
- Threat protection enabled
Compliance
- GDPR compliance verified
- eIDAS compliance verified
- Audit logs retained
- Compliance dashboards active
Monitoring
- Compliance monitoring active
- Security monitoring active
- Cost monitoring active
- Alerting configured
References
- Microsoft Cloud for Sovereignty
- Azure Well-Architected Framework
- Azure Security Benchmark
- GDPR Compliance
- eIDAS Compliance