This article is for informational purposes only. The information contained in this article must not be construed as legal advice. You must seek your own legal counsel for advice on compliance with regulatory requirements impacting your organisation.
SPORTSGROUND LTD MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS ARTICLE.
This article is intended for IT decision makers, and provides information about how the Sporty.co.nz platform uses Microsoft Azure to help address compliance, security and privacy requirements.
The Sporty platform for New Zealand schools and sports organisations is fully hosted with Microsoft Azure. Microsoft Azure is a trusted cloud-based platform that provides the benefits of cloud computing. This article references a white paper provided by Microsoft to address questions posed by customers in New Zealand who are considering a move to the cloud. Questions such as how secure is cloud data, where is data stored, how is it used, and who can access it are common. These types of questions usually relate to one of three areas – compliance, security and privacy.
From a compliance perspective, the way Azure is designed, built, operated and independently certified enables government agencies to meet the security and privacy requirements established by three key New Zealand information security and privacy mechanisms: the Protective Security Requirements, the NZ government Cloud Computing Risk & Assurance Framework and the Privacy Act 1993.
Security is increasingly a primary focus for customers when contemplating the cloud. Microsoft Azure provides multiple levels of security, starting with physical protection of datacenter locations to protect against physical intrusion, power failure, and network outages. Azure uses encryption to protect data in transit and at rest, and extensive monitoring and logging provides operational staff and customers with visibility into the environment. Microsoft designs and operates Azure using security best practices, which are embodied in programs such as the Microsoft Security Development Lifecycle (SDL), Microsoft Operational Security Assurance (OSA), and an “assume breach” strategy. Together, these programs and strategies help ensure that Azure is resilient to attack. Microsoft has received ISO 27001 security certification, which validates the benefits of this approach.
With the global nature of the cloud, customers want to know their privacy is assured. Microsoft Azure adheres to stringent privacy standards such as ISO 27018, which, among other things, assures customer data is never used for advertising. Should customers have concerns over data sovereignty, Azure provides complete control over where their data lives by allowing them to choose from 26 Azure regions in Asia, the Americas, and Europe. In addition, Microsoft does not provide any third party with direct or unfettered access to customer data, and always attempts to redirect government requests for data to the customer. Finally, tenant isolation and strict access controls help ensure that only customers can access their data by default.
Although Microsoft Azure addresses the compliance, security, and privacy requirements that New Zealand identifies, some requirements are the responsibility of the customer, such as controlling administrator passwords, and it is important for customers to understand the shared responsibilities associated with Microsoft Azure.
Download the full white paper regarding Microsoft Azure Compliance In the context of New Zealand Security and Privacy Requirements here.
Related Sporty support article: recommendation to use https.