NOTE: You may not distribute this SOC 2 report for Microsoft Azure to other parties, except where Microsoft Azure is a component of the services you deliver to your customers. In this circumstance, you may distribute this SOC 2 report to current and prospective customers / users of your own services. You must provide recipients of this SOC 2 report written documentation of the function that Azure provides as it relates to your services. You must keep a complete and accurate record of entities and the personnel of such entities to whom this SOC 2 report is provided. You must promptly provide copies of such records to Microsoft or Deloitte & Touche LLP upon request. You must display or deliver the language in this paragraph or language that is substantially equivalent to this paragraph to recipients of this SOC 2 report for Microsoft Azure.

Microsoft Corporation - Microsoft Azure (Azure & Azure Government)
System and Organization Controls (SOC) 2 Report
July 1, 2018 - June 30, 2019

Table of contents

Executive Summary ... 1
Section I: Independent Service Auditors’ Report for the Security, Availability, Processing Integrity, and Confidentiality Criteria and CCM Criteria ... 4
Section II: Management’s Assertion ... 9
Section III: Description of Microsoft Azure System ... 11
Section IV: Information Provided by Independent Service Auditor Except for Control Activities and Criteria Mappings ... 73
Section V: Supplemental Information Provided by Microsoft Azure ... 306

Executive Summary

Microsoft Azure

Scope: Microsoft Azure and Microsoft Datacenters
Period of Examination: July 1, 2018 to June 30, 2019
Applicable Trust Services Criteria: Security, Availability, Processing Integrity, and Confidentiality

Datacenter Location(s):
• Santa Clara, CA (BY1/2/3/4/21/22)
• Phoenix, AZ (PHX20)
• Des Moines, IA (DM1/2/3, DSM05)
• Chicago, IL (CH1/3, CHI20)
• San Antonio, TX (SN1/2/3/4/5/6)
• Ashburn, VA (BL2/3/5/7)
• Boydton, VA (BN1/3/4/6)
• Bristow, VA (BLU)
• Reston, VA (BL4/6/30)
• Tukwila, WA (TK5)
• Quincy, WA (CO1/2, MWH01)
• Cheyenne, WY (CYS01/04)
• San Jose, CA (SJC31)
• Sterling, VA (BL20)
• Toronto, Canada (YTO20)
• Quebec City, Canada (YQB20)
• Macquarie Park, Australia (SYD03)
• Melbourne, Australia (MEL01)
• Sydney, Australia (SYD21, SYD22)
• Canberra, Australia (CBR20, CBR21)
• Vienna, Austria (VIE)
• Vantaa, Finland (HEL01)
• Amsterdam, Netherlands (AM1/2/3, AMS04/05/06/20)
• Berlin, Germany (BER20)
• Durham, United Kingdom (MME20)
• Frankfurt, Germany (FRA21)
• Chessington, United Kingdom (LON20)
• London, United Kingdom (LON21)
• Dublin, Ireland (DB3/4/5, DUB06/07/08/20/24)
• Paris, France (PAR20/21/22)
• Marseille, France (MRS20)
• Campinas, Brazil (CPQ01/02/20)
• Fortaleza, Brazil (FOR01)
• Rio de Janeiro, Brazil (RIO01)
• Sao Paulo, Brazil (GRU)
• Santiago, Chile (SCL01)
• Humacao, Puerto Rico (PR1)
• Abu Dhabi, United Arab Emirates (AUH20)
• Hong Kong (HK1/2, HKG20)
• Mumbai, India (BOM01)
• Dighi, India (PNQ01)
• Dubai, United Arab Emirates (DXB20)
• Ambattur, India (MAA01)
• Osaka, Japan (OSA01/02/20)
• Tokyo, Japan (KAW, TYO01/20/21/22)
• Cyberjaya, Malaysia (KUL01)
• Singapore (SG1/2/3, SIN20)
• Busan, South Korea (PUS01, PUS20)
• Seoul, South Korea (SEL20)
• Johannesburg, South Africa (JNB20/21/22)
• Cape Town, South Africa (CPT20)
• Cardiff, United Kingdom (CWL20)

Edge Sites:
• Ashburn, VA (ASH)
• Athens, Greece (ATH01)
• Atlanta, GA (ATA)
• Auckland, New Zealand (AKL01)
• Bangkok, Thailand (BKK30)
• Barcelona, Spain (BCN30)
• Berlin, Germany (BER30)
• Boston, MA (BOS01)
• Brisbane, Australia (BNE01)
• Brussels, Belgium (BRU30)
• Bucharest, Romania (BUH01)
• Budapest, Hungary (BUD01)
• Busan, South Korea (PUS03)
• Cape Town, South Africa (CPT02)
• Chicago, IL (CHG)
• Copenhagen, Denmark (CPH30)
• Dallas, TX (DAL)
• Denver, CO (DEN02)
• Dubai, United Arab Emirates (DXB30)
• Frankfurt, Germany (FRA)
• Helsinki, Finland (HEL03)
• Hong Kong (HKB)
• Honolulu, HI (HNL01)
• Houston, TX (HOU01)
• Johannesburg, South Africa (JNB02)
• Kuala Lumpur, Malaysia (KUL30)
• Las Vegas, NV (LAS01)
• Lisbon, Portugal (LIS01)
• Los Angeles, CA (LAX)
• Madrid, Spain (MAD30)
• Manchester, United Kingdom (MAN30)
• Manila, Philippines (MNL30)
• Marseille, France (MRS01)
• Queretaro, Mexico (MEX30)
• Miami, FL (MIA)
• Milan, Philippines (MIL30)
• Montreal, Canada (YMQ01)
• Mumbai, India (BOM02)
• New Delhi, India (DEL01)
• Newark, NJ (EWR30)
• New York City, NY (NYC)
• Palo Alto, CA (PAO)
• Paris, France (PAR02/PRA)
• Perth, Australia (PER01)
• Phoenix, AZ (PHX01)
• Prague, Czech Republic (PRG01)
• San Jose, CA (SJC)
• Santiago, Chile (SCL30)
• Seattle, WA (WST)
• Seoul, South Korea (SLA)
• Sofia, Bulgaria (SOF01)
• Stockholm, Sweden (STO)
• Taipei, Taiwan (TPE30/31)
• Tokyo, Japan (TYA/TYB)
• Toronto, Canada (YTO01)
• Vancouver, Canada (YVR01)
• Warsaw, Poland (WAW01)
• Zagreb, Croatia (ZAG30)
• Zurich, Switzerland (ZRH)

Subservice Providers: N/A
Opinion Result: Unqualified
Testing Exceptions: 1

Section I: Independent Service Auditors’ Report for the Security, Availability, Processing Integrity, and Confidentiality Criteria, CCM Criteria, and C5
Deloitte & Touche LLP
925 Fourth Avenue, Suite 3300
Seattle, WA 98104-1126
USA
Tel: 206-716-7000
Fax: 206-965-7000
www.deloitte.com

Section I: Independent Service Auditors’ Report for the Security, Availability, Processing Integrity, and Confidentiality Criteria, CCM Criteria, and C5

Microsoft Corporation
One Microsoft Way
Redmond, WA, 98052-6399

Scope

We have examined the attached description of the system of Microsoft Azure and Microsoft datacenters (the “Service Organization” or “Azure”) related to in-scope services for Azure and Azure Government cloud environments [1] throughout the period July 1, 2018 to June 30, 2019 (the “Description”) based on the criteria for a description of a service organization’s system set forth in DC Section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (“description criteria”) and the suitability of the design and operating effectiveness of controls stated in the Description throughout the period July 1, 2018 to June 30, 2019 to provide reasonable assurance that Azure’s service commitments and system requirements were achieved based on the trust services criteria relevant to security, availability, processing integrity, and confidentiality (“applicable trust services criteria”) [2] set forth in TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. We have also examined the suitability of the design and operating effectiveness of controls to meet the criteria set forth in the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM) Version 3.0.1 control specifications (“CCM criteria”) and the objectives set forth in the Bundesamt für Sicherheit in der Informationstechnik (BSI) Cloud Computing Compliance Controls Catalogue (“C5”). BSI requires an attestation in order for the service provider to be considered certified as having met the objectives set forth in the BSI’s C5.

The information included in Section V, “Supplemental Information Provided by Microsoft Azure” is presented by management of Azure to provide additional information and is not a part of the Description. Information about Service Organization’s Compliance, Infrastructure Redundancy and Data Durability, Data Backup and Recovery, E.U. Data Protection Directive, Additional Resources, Management’s Response to Exceptions Noted, and User Entity Responsibilities, has not been subjected to the procedures applied in the examination of the Description and the suitability of the design and operating effectiveness of the controls, to achieve (a) Azure’s service commitments and system requirements based on the applicable trust services criteria; (b) the CCM criteria; and (c) the objectives set forth in C5.

[1] In-scope services and coverage periods are defined in the Azure and Azure Government Report Scope Boundary and Azure Supporting Infrastructure Services subsections in Section III of this SOC 2 report. Applicability of the Processing Integrity Trust Services Criteria is defined in the Azure and Azure Government Report Scope Boundary subsection in Section III of this SOC 2 report. In-scope datacenters, edge sites and coverage periods are defined in the Locations Covered by this Report subsection in Section III of this SOC 2 report.
[2] Applicable trust services criteria for Microsoft datacenters are Security and Availability.

Service Organization’s Responsibilities

Azure is responsible for its service commitments and system requirements and for designing, implementing, and operating effective controls within the system to provide reasonable assurance that Azure’s service commitments and system requirements were achieved. Azure has provided the accompanying assertion titled “Management’s Assertion” (“assertion”) about the Description and the suitability of design and operating effectiveness of controls stated therein.

Azure is also responsible for preparing the Description and assertion, including the completeness, accuracy, and method of presentation of the Description and assertion; providing the services covered by the Description; selecting the applicable trust services criteria; and stating the related controls in the Description; and identifying the risks that threaten the achievement of (a) the Service Organization’s service commitments and system requirements; (b) the CCM criteria; and (c) the objectives set forth in C5.

Service Auditors’ Responsibilities

Our responsibility is to express