SOC for Azure: Securing Microsoft Azure Environments
If you’re looking for a SOC report for Microsoft Azure-hosted environments, you’re not the only one. Many companies working with sensitive data understand that there is shared responsibility for data confidentiality, integrity, and accountability.
As Azure’s architecture is quite complex, you’ll need a certified SOC auditing expert to assess your compliance through a SOC 2 report. Due to the intertwined nature of Office 365 and other Azure products, it’s critical to keep your audits up to date. In general, you should have a SOC report completed every year to ensure continuing compliance.
A SOC report cannot be produced in-house, so you will need an impartial third party to perform a truly independent audit. Before experts like TrustNet can begin the SOC assessment, you’ll need documentation of your business practices, development practices, hiring practices, and more.
If you do not have such documentation, a professional auditor, like TrustNet, can assist you with producing it.
Important SOC Items to Know Regarding Microsoft Azure
Here are some Azure-specific items to keep in mind:
- The Azure model distributes responsibility for keeping data safe between the company and Microsoft.
- Azure is responsible only for the security of its physical servers. Whatever your company decides to provision and use is your company’s responsibility.
- For an audit to pass, your company’s specific responsibilities must be enumerated first. This is best done with the help of a professional.
- A SOC 2 covers all facets of your environment: everything from your company’s hiring process to how data is transmitted between your company and Azure, and the project lifecycle.
- It’s important to note that detailed audit-trail logging must be enabled on Azure for a proper audit. These logs will also help your company pinpoint areas of non-compliance.
- Though you may choose any certified auditor to evaluate your SOC compliance, the best option is to choose better-known companies with good reputations.
How Can I Distribute a Copy of the SOC Report to a Customer?
Customers are interested in your business’s SOC report because it confirms that you’re keeping their data safe. It’s common for companies to require a copy of your SOC audit before contracting with you. So, how do you send customers your audit and proof of authenticity?
A SOC 2 report containing confidential and sensitive information should not be publicly posted. If you share the report with customers or prospective customers, you may want to obtain a Non-Disclosure Agreement and use a watermark that identifies the customer.
Critical Next Steps for SOC 2 Success in Microsoft Azure
There are a few proactive steps you can take to ensure your SOC report is a success.
First, ideally with the help of a professional, assess precisely which access controls within your domain need to be secured.
Second, you should understand the AICPA’s Trust Services Criteria, or “TSC.” These are the control objectives that must be met to be compliant with SOC 2.
The Trust Services Criteria established by the AICPA are:
- Security
- Confidentiality of data during processing
- Ongoing availability of systems
- Maintenance of the processing integrity of information
- Privacy of sensitive data
Remember that these should only be assessed after domains of responsibility are established. Here are the primary domains that the five TSCs cover:
- Data
- Software (even if not part of the Microsoft Suite)
- People (employees, contractors, users, managers)
- Processes (everyday handling of business, automatic or manual)
- Infrastructure (everything utilized by your company to function)
Obtaining your SOC report can be a complex process, which is why partnering with a seasoned professional team like TrustNet is essential to ensure a seamless and thorough audit.
Contact TrustNet today to learn how we can help you navigate the SOC 2 audit and reporting process with confidence.