Confidential
Page 1 of 38
10006599-2
NEW ZEALAND
GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO FINANCIAL SERVICES
INSTITUTIONS USING CLOUD COMPUTING (AZURE)
Last update: November 2014
1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?
This guidance document provides a guide to complying with the regulatory process and requirements applicable to financial services institutions using
cloud computing. In this guidance, “financial services institutions” means financial institutions, securities trading companies, insurance companies, capital
investment companies and other financial services institutions (“FSIs”).
Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.
Section 7 sets out questions in relation to outsourcing to a cloud services solution based on the laws, regulations and guidance that are relevant to
the use of cloud services. Although there is no requirement to complete a checklist like this one, we have received feedback from FSIs that a
checklist approach like this is very helpful. The checklist can be used:
(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2);
and
(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to
compliance with their requirements.
Appendix One also contains a list of the items that the Privacy Commissioner states are useful to include in a contract with a cloud services provider
(but note that these items are not mandatory).
Note that the RBNZ Outsourcing Policy does not contain detailed technical and operational requirements relating to the use of cloud services but,
rather, focuses more generally on issues such as risk management. However, on the basis that technical and operational factors (specifically
security) are directly relevant to risk strategy (and therefore compliance with the RBNZ Outsourcing Policy and Privacy Act), we have included some
specific detail on this point which should be useful for the purposes outlined above.
Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of
Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your
technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your
Microsoft contact.
2. WHAT LAWS, REGULATIONS AND GUIDANCE ARE RELEVANT?
RBNZ is not against outsourcing or the use of cloud services and recognizes that well-designed arrangements may make useful contributions to
improved efficiency for FSIs. However, its policy is to ensure that FSIs and their customers are not exposed to new or increased risks by virtue of
using outsourced services. Whilst there are no forms that must be completed, there are certain requirements that FSIs should be aware of. In
particular:
(i) large banks1 using cloud services need to consider the RBNZ Outsourcing Policy of January 2006 (“RBNZ Outsourcing Policy”);
(ii) all FSIs (whether large or small) need to consider their general RBNZ obligations to manage their business risks properly; and
(iii) all FSIs (whether large or small) need to consider the Privacy Act in relation to any outsourcing that may involve the processing of personal
data.
3. WHO IS/ARE THE RELEVANT REGULATOR(S)?
The Reserve Bank of New Zealand (“RBNZ”)
1 RBNZ will consider a bank as “large” if its liabilities net of amounts due to related parties exceed $10 billion. Currently, BNZ, ASB, ANZ National and Westpac are the only banks that are
considered “large”.
4. IS REGULATORY APPROVAL REQUIRED IN NEW ZEALAND?
No.
RBNZ does not require approval before an FSI outsources IT functionality to a cloud services solution such as Microsoft Azure.
5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?
No.
Unlike in certain jurisdictions, such as Singapore, there are no specific forms or questionnaires that an FSI must complete when considering cloud
computing solutions.
6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?
No.
RBNZ does not stipulate any mandatory contractual requirements that FSIs must ensure are included in their outsourcing contracts.
The Privacy Commissioner has created a document called ‘Cloud Computing: A guide to making the right choices’, February 2013 which contains
some useful items to check are included in the contract. Whilst these are not mandatory, Microsoft has included these in Appendix One to this
document and mapped them against where in the Microsoft documentation these are covered for ease of reference.
7. CHECKLIST
Key:
In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the
point raised in the checklist. The suggested responses may provide sufficient detail but if you require further information, Microsoft will be happy to
provide this if you get in touch with your Microsoft contact. Some points are specific to your own internal operations and processes and you will need
to complete these answers as well.
In red italics, Microsoft has provided guidance to assist you with the points in the checklist.
Ref. Question/requirement Template response and guidance
A. OVERVIEW
This section provides a general overview of the Microsoft Azure solution.
1. Who is the service provider? The service provider is Microsoft Operations Pte Ltd, the regional licensing entity for
Microsoft Corporation, a global provider of information technology devices and
services, which is publicly-listed in the USA (NASDAQ: MSFT). Microsoft’s full
company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.
2. What type of cloud services would your organization be
using?
RBNZ guidance does not distinguish between different types of cloud solution but an
understanding of the type of solution (i.e. multi-tenant or dedicated) is relevant for your
organization’s own risk management purposes.
Microsoft’s “Azure” service, which is described in more detail here: Microsoft’s Azure.
Azure is a multi-tenant service. Data storage and processing for each tenant is
segregated through Active Directory structure and capabilities specifically developed to
help build, manage, and secure multi-tenant environments. Active Directory isolates
customers using security boundaries (also known as silos). This safeguards a
customer’s data so that the data cannot be accessed or compromised by co-tenants.
3. What activities and operations will be outsourced to the
service provider?
1. Compute
2. Data & Storage
3. Networking
4. Identity & Access Management
5. IT support services
B. COMPLIANCE WITH A BANK’S CONDITIONS OF REGISTRATION
New Zealand Banks are subject to various standard and non-standard conditions of registration. You will need to ensure that the proposed use of
Azure complies with any such conditions.
4. Please confirm whether the FSI is a “large bank” for the
purposes of RBNZ policy.
Many of the RBNZ requirements only apply to “large banks”. RBNZ will consider a bank
as “large” if its liabilities net of amounts due to related parties exceed $10 billion.
Currently, BNZ, ASB, ANZ National and Westpac are the only banks that are
considered “large”. Note that since all large banks in New Zealand are currently owned
by parent banks in Australia, those parent banks will be subject to Australian law and
regulation (including the outsourcing and cloud computing requirements of the
Australian Prudential Regulatory Authority (“APRA”)). Microsoft has prepared a similar
Q&A for APRA requirements in Australia and can share this with you on request.
5. Please confirm whether any of the following activities will be
affected by the proposed outsourcing:
(a) clearing and settlement obligations;
(b) identification of financial risk positions;
(c) monitoring and management of financial risk
positions; or
(d) access by existing customers to payments facilities.
RBNZ Outsourcing Policy, Sections A’S and A1. One of the key objectives of the RBNZ
Outsourcing Policy is to ensure that banks have the legal and practical ability to control
each of these activities.
None of these core banking functions will be outsourced or affected by the outsourcing.
Only the services and operations described in response to question A.3, above, are
being outsourced. Management will retain the legal and practical ability to control and
execute any outsourced functions.
6. Will the proposed outsourcing have any impact on the ability
of the board to manage, direct or supervise the business and
affairs of the FSI?
RBNZ Outsourcing Policy, Section A.5(a). The ability of the board to
manage/direct/supervise is a condition of registration.
The board will still have ultimate control of the business and affairs of the FSI and the
proposed use of Azure will not change this. The contract that we have in place with
Microsoft contains various contractual and technical means for us to ensure that we
have due supervision and control. See for example, the details set out in our response
to questions 8 (1(g) and 2) and 10 below.
7. Is the proposed outsourcing compliant with any other
standard or non-standard conditions of registration imposed
on the FSI?
RBNZ Outsourcing Policy, Section A.6. Some large banks are subject to non-standard
conditions of registration which may apply to their outsourcing arrangements. You will
need to consider whether such conditions exist and, if so, how (if at all) they may apply
to the proposed use of Azure.
C. RISK MANAGEMENT
RBNZ is particularly interested in the controls that the FSI has in place in respect of the outsourcing and how risks are managed. This section
looks at these requirements in more detail.
8. How do the proposed arrangements ensure that the
outsourcing does not create a risk that the operation and
management of the FSI might be interrupted for a material
length of time?
RBNZ Outsourcing Policy, Section B.10.
We have minimized the risks in the following ways:
1. Through our choice of service provider
a. Competence and experience. Microsoft is an industry leader in cloud computing.
Azure was built based on ISO/IEC 27001 standards and was the first major
business productivity public cloud service to have implemented the rigorous set of
global standards covering physical, logical, process and management controls.
b. Past track-record. 40% of the world’s top brands use Azure. We consulted various
case studies relating to Azure, which are available on the Microsoft website and
also considered the fact that Microsoft has amongst its customers some of the
world’s largest organizations and FSIs.
c. Specific financial services credentials. FSI customers in leading markets,
including in the UK, France, Germany, Australia, Singapore, Canada, the United
States and many other countries have performed their due diligence and, working
with their regulators, are satisfied that Azure meets their respective regulatory
requirements. This gives us confidence that Microsoft is able to help meet the high
burden of financial services regulation and is experienced in meeting these
requirements.
d. Microsoft’s staff hiring and screening process. All personnel with access to
customer data are subject to background screening, security training and access
approvals. In addition, the access levels are reviewed on a periodic basis to ensure
that only users who have appropriate business justification have access to the
systems. User access to data is also limited by user role. For example, system
administrators are not provided with database administrative access.
e. Financial strength of Microsoft. Microsoft Corporation is publicly-listed in the
United States and is amongst the world’s largest companies by market
capitalization. Microsoft’s audited financial statements indicate that it has been
profitable for each of the past three years. Its market capitalization is in the region
of USD 280 billion. Accordingly, we have no concerns regarding its financial
strength.
f. Business resumption and contingency plan. Microsoft offers contractually-
guaranteed uptime, hosted out of world class data centers with physical
redundancy at disk, NIC, power supply and server levels, constant content
replication, robust backup, restoration and failover capabilities, real-time issue
detection and automated response such that workloads can be moved off any
failing infrastructure components with no perceptible impact on the service, with
24/7 on-call engineering teams.
g. Security and internal controls, audit, reporting and monitoring. Microsoft is an
industry leader in cloud security and implements policies and controls on par with
or better than on-premises data centers of even the most sophisticated
organizations. We have confidence in the security of the solution and the systems
and controls offered by Microsoft. In addition to the ISO/IEC 27001 certification,
Azure is designed for security with controls for encryption of data at rest and
secure sockets layer (“SSL”)/transport layer security (“TLS”) encryption of data in
transit. The Microsoft service is subject to the SSAE16 SOC1 Type II audit, an
independent, third party audit.
2. Through specific technical measures in place to ensure that operation and
management are not affected
Microsoft offers contractually-guaranteed uptime, globally available data centers for
primary and backup storage, physical redundancy at disk, NIC, power supply and
server levels, constant content replication, robust backup, restoration and failover
capabilities, real-time issue detection and automated response such that workloads
can be moved off any failing infrastructure components with no perceptible impact on
the service, 24/7 on-call engineering teams. See also the response to question 40
below.
9. What contractual controls does the FSI have in respect of the
outsourcing? Is the documentation clear on the rights and
obligations of each party to the contract and on service levels
and pricing, to a level commensurate with the function’s time
criticality, materiality and substitutability?
RBNZ Outsourcing Policy, Sections C.20 and D.36.
The provision of Azure is subject to the following contractual documents:
Microsoft Online Business and Services Agreement (a copy of which is
available on request); and
Service Level Agreement (“SLA”), a copy of which is available at:
http://azure.microsoft.com/en-us/support/legal/sla/
Both of these documents and the documents referred to therein very clearly set out the
rights and obligations of each party, the service levels and the pricing.
The documents provide us with a number of other contractual controls in respect of the
outsourcing, notably:
Microsoft is only contractually permitted to use our data to provide the online
services. Microsoft is not permitted to use our data for any other purposes,
including for advertising or other commercial purposes.
Microsoft commits that it will implement and maintain appropriate technical and
organizational measures, internal controls, and information security routines
intended to protect our data against accidental, unauthorized or unlawful
access, disclosure, alteration, loss, or destruction.
Microsoft commits that it has in place audit mechanisms in order to verify that
the online services meet appropriate security and compliance standards.
In addition, the contractual process can culminate in the regulator’s
examination of Microsoft’s premises. We also have the opportunity to
participate in the Microsoft Online Services Customer Compliance Program,
which is a for-fee program that facilitates our ability to: (a) assess the services’
controls and effectiveness; (b) access data related to service operations; (c)
maintain insight into operational risks of the services; (d) be provided with
additional notification of changes that may materially impact Microsoft’s ability
to provide the services; and (e) provide feedback on areas for improvement in
the services.
The SLA contains Microsoft’s service level commitment, as well as the
remedies for us in the event that Microsoft does not meet the commitment.
Microsoft commits that it will not modify the terms of the SLA during the initial
term of our subscription.
10. What practical controls does the FSI have in respect of the
outsourcing?
RBNZ Outsourcing Policy, Section C.19 and C.21.
The solution provides many tools that allow us to remain in practical control.
Microsoft’s SLA (as defined above) applies to the Azure product (linked in question 10
above and the details of which are summarized in the response to question 36 below).
Our IT administrators also have access to the Azure Service Health Dashboard, which
provides real-time and continuous monitoring of the Azure service. The Service Health
Dashboard provides our IT administrators with information about the current availability
of each service or tool (and its availability history), details about service disruptions
or outages, and scheduled maintenance times. The information is provided via an RSS feed.
Amongst other things, it provides a contractual uptime guarantee for the Azure product
and covers performance monitoring and reporting requirements which enable us to
monitor Microsoft’s performance on a continuous basis against service levels. We also
have very extensive contractual audit and inspection rights, plus access to the
independent SSAE16 SOC1 Type II audit, which enable us to verify their performance
(as detailed further in section F below).
As part of the support we receive from Microsoft, we also have access to a technical
account manager who is responsible for understanding our challenges and providing
expertise, accelerated support and strategic advice tailored to our organization. This
includes both continuous hands-on assistance and immediate escalation of urgent
issues to speed resolution and keep mission-critical systems functioning. We are
confident that such arrangements provide us with the appropriate mechanisms for
managing performance and problems.
Our contract with Microsoft clearly provides that ownership of our data remains with us
and we retain rights to access our data at all times. On top of this, as mentioned above,
Microsoft’s services are audited by an independent third party (see our response
8(1)(g) above) and there are various audit and inspection rights (as detailed in section
F below).
Our contractual agreements also allow us to terminate the arrangements with Microsoft for
our convenience, which would enable us to move to another provider if required.
11. What internal processes does the FSI have in place to
manage the risks to the business associated with any
outsourcing arrangements?
RBNZ Outsourcing Policy, Section D.33. This requires you to have in place and explain
your internal processes. The RBNZ Outsourcing Policy states that a wider range of
outsourcing arrangements could be acceptable where a bank has established a
“credible internal process to manage the risks to its business associated with any
outsourcing arrangements”. There are no minimum requirements or detail provided
when it comes to internal processes but it would be usual to expect this to include:
processes for management review and sign off by the board;
risk management policies;
business continuity and disaster recovery plans; and
outsourcing policies.
D. PRIVACY AND DATA PROTECTION
In addition to RBNZ requirements, FSIs in New Zealand are of course subject to privacy and data protection requirements under New Zealand law.
This section looks at how the use of Azure complies with these requirements.
12. What data will be processed by the service provider on
behalf of the FSI?
Customer data (including customer name, contact details, account information,
payment card data, security credentials and correspondence).
Employee data (including employee name, contact details, internal and external
correspondence by email and other means and personal information relating to
their employment with the organization).
Transaction data (data relating to transactions in which the organization is
involved).
Indices (for example, market feeds).
Other personal and non-personal data relating to the organization’s business
operations as an FSI.
We ensure, pursuant to the terms of the contract in place with the service provider, that
all data (but in particular any customer data) is treated with the highest level of security
so that we can continue to comply with our legal and regulatory obligations and our
commitments to customers. We do of course only collect and process data that is
necessary for our business operations in compliance with all applicable laws and
regulation and this applies whether we process the data on our own systems or via a
cloud solution such as Microsoft Azure.
13. How do the service provider and the proposed solution comply with New Zealand
privacy law requirements relating to the cloud?
The Office of the Privacy Commissioner (“OPC”) published a cloud computing checklist
and “Cloud Computing – A guide to making the right choices”. Microsoft New Zealand
Limited has prepared a standard response to help organizations assess the Azure
cloud service against the OPC checklist and guide. Please see the standard response
here. Note that this response is in relation to the checklist for small businesses
contained in the OPC guide but may still provide useful information relevant to FSIs.
E. OFFSHORING
RBNZ has no issue in principle with the use of service providers located outside of New Zealand. However, it does consider that use of non-NZ
service providers can, in some circumstances, give rise to some additional risks. This section looks at how any potential risks are mitigated.
14. Will the proposed outsourcing require offshoring? If so, from
which territory(ies) will the outsourced cloud services be
provided?
RBNZ Outsourcing Policy, Section C.23 to C.26.
Microsoft informs us that it takes a regional approach to hosting of Azure data.
Microsoft is transparent in relation to the location of our data. Microsoft data center
locations are made public on the Microsoft Trust Center.
Microsoft enables customers to select the region that it is provisioned from. Under the
OST, Microsoft commits that if a customer provisions its tenant in the United States or
EU, Microsoft will store the customer’s data at rest in the United States or EU, as
applicable.
The table below will need to be amended depending on the specific solution that you
are taking up.
#    Location of Data Centre    Classification of DC: Tier I, II, III or IV    Storing your organization’s data (Y/N)
1.
2.
15. Would proceedings relating to the outsourcing have to be
brought in another jurisdiction’s court under that jurisdiction’s
laws?
RBNZ Outsourcing Policy, Section C.23.
The governing law is that of Washington, however the parties have the ability to bring
proceedings in the locations as follows:
If Microsoft brings the action, the jurisdiction will be where we are located (i.e. New
Zealand);
If we bring the action, the jurisdiction will be the state of Washington; and
Both parties can seek injunctive relief with respect to a violation of intellectual
property rights or confidentiality obligations in any appropriate jurisdiction.
16. Is there a risk that the duties and powers of the service
provider’s own regulator(s) in the country(ies) in which the
service will be hosted could cause the regulator(s) to
intervene in such a way as to interfere with the provider’s
performance?
RBNZ Outsourcing Policy, Section C.24.
Microsoft’s data center locations are recognized as stable, safe and reliable
jurisdictions in respect of their legal systems, regulatory regime, technology and
infrastructure. The circumstances in which authorities in these countries may have
rights to access customer information are not considered to be unwarranted.
The data center locations have been selected by Microsoft taking into careful account
the country and socio-economic factors. We are confident that the data center
locations offer extremely stable political and socio-economic environments with robust
and transparent legal frameworks. Microsoft data center locations are made public on
the Microsoft Trust Center.
17. What measures are in place to ensure that performance by the service provider of the
outsourced functions outside of New Zealand would not complicate the logistics of
ensuring timely performance? For example, due to time zone differences, differences in
statutory holidays, or the extra time needed to access essential staff and systems.
RBNZ Outsourcing Policy, Section C.25.
Microsoft works with customers around the world (including many in New Zealand) and
its operations are set up to ensure that logistical issues for international customers do
not arise. For example, time zones and statutory holidays will not be an issue, since
Microsoft’s services are provided 24/7 without reference to statutory holidays. We do
not see any issue in terms of needing extra time to access essential staff and systems,
since we have audit and inspection rights (as detailed in section F below).
Commitments on the location of data at rest are discussed at p 9 of the OST, and may
depend on where a customer provisions its service tenancy or which Geo it specifies for the
online service. More details are set out, non-contractually, on the Trust Center for each
applicable online service. The following considerations are also relevant to the location of
Microsoft’s data centers:
a. Political (i.e. cross-border conflict, political unrest etc). Azure offers data-
location transparency so that organizations and regulators are informed of the
jurisdiction(s) in which data is hosted. We are confident that Microsoft’s data
center locations offer extremely stable political environments.
b. Country/socioeconomic. Azure offers data-location transparency so that the
organizations and regulators are informed of the jurisdiction(s) in which data is
hosted. The centers are strategically located around the world taking into account
country and socioeconomic factors. We are confident that Microsoft’s data center
locations offer extremely stable socioeconomic environments.
c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting
standards, designed to protect customer data from harm and unauthorized access.
Data center access is restricted 24 hours per day by job function so that only
essential personnel have access. Physical access control uses multiple
authentication and security processes, including badges and smart cards, biometric
scanners, on-premises security officers, continuous video surveillance and two-
factor authentication. The data centers are monitored using motion sensors, video
surveillance and security breach alarms.
d. Environmental (i.e. earthquakes, typhoons, floods). Microsoft data centers are
built in seismically safe zones. Environmental controls have been implemented to
protect the data centers including temperature control, heating, ventilation and air-
conditioning, fire detection and suppression systems and power management
systems, 24-hour monitored physical hardware and seismically-braced racks.
These requirements are covered by Microsoft’s ISO/IEC 27001 accreditation for
Azure.
18. What measures are in place to avoid the risk that competition
for the service provider’s resources could impede the
performance of functions for the FSI?
RBNZ Outsourcing Policy, Section C.25.
Microsoft is one of the largest providers of cloud services globally and has capacity to
service a large number of customers without the risk of competition for resources. Our
organization would be subject to the same prioritization as any other customer of the
same services from Microsoft. Of course, the services are protected by Microsoft’s SLA
and its accompanying terms and conditions. More information on the SLA is available at:
http://azure.microsoft.com/en-us/support/legal/sla/.
Microsoft provides a contractual, financially-backed uptime guarantee for the Azure
product.
Microsoft also ensures that a raft of different safeguards and arrangements are in place
to prevent and minimize the impact of any technology failure. Microsoft is subject to
very high international auditing standards in this regard which provide us with a great
deal of comfort. The resources that Microsoft has in place also mean that we do not
foresee risks in relation to the adequacy of Microsoft to fulfill obligations or provide
remedies and restitution.
Microsoft is an industry leader in cloud computing. Azure was built based on ISO/IEC
27001 standards and was the first major business productivity public cloud service to
have implemented the rigorous set of global standards covering physical, logical,
process and management controls. FSI customers in leading markets, including in the
UK, France, Germany, Australia, Singapore, Canada, the United States and many
other countries have performed their due diligence and, working with their regulators,
are satisfied that Azure meets their respective regulatory requirements. This gives us
confidence that Microsoft is able to help meet the high burden of financial services
regulation and is experienced in meeting these requirements.
F. TECHNICAL AND OPERATIONAL RISK Q&A
RBNZ guidance does not focus on detailed technical and operational requirements relating to the use of cloud services but, rather, focuses more
generally on issues such as risk management. However, on the basis that technical and operational factors (for example, data security) are
directly relevant to risk management strategy, this section provides some detailed information about the Azure service.
19. Does the service provider permit audit by RBNZ? Yes.
We are confident that in our choice of Microsoft as Cloud Service Provider (“CSP”) we
have far more extensive audit rights than most if not all other service providers offer.
This was an important factor in our decision to choose Microsoft. Microsoft offers the
right for RBNZ to conduct audits. There is a contractual audit/inspection right, so that
RBNZ can carry out inspections or examinations of Microsoft’s facilities, systems,
processes and data relating to the services to determine and confirm that it is in
compliance with applicable laws and regulations and assess the soundness of the risk
management processes and controls which it has in place. In addition, Microsoft is
subject to third party audits (see our response to question 20 below).
Microsoft also offers a Compliance Framework Program. If you take up the
Compliance Framework Program, you may add this additional information about its key
features: the regulator audit/inspection right, access to Microsoft’s security policy, the
right to participate in events to discuss Microsoft’s compliance program, and the right to
receive audit reports and updates on significant events, including security incidents,
risk-threat evaluations and significant changes to the business resumption and
contingency plans.
20. Are the provider’s services subject to any third party audit? Yes.
As part of Microsoft’s certification requirements, they are required to undergo regular
independent third party auditing (via the SSAE16 SOC1 Type II audit, a globally-
recognized standard), and Microsoft shares with us the independent third party audit
reports.
21. What security controls are in place to protect the
transmission and storage of confidential information such as
customer data within the infrastructure of the service
provider?
Microsoft as an outsourcing partner is an industry leader in cloud security and
implements policies and controls on par with or better than on-premises data centers of
even the most sophisticated organizations, as described elsewhere in this document.
The Microsoft Azure security features consist of three parts: (a) built-in security
features; (b) security controls; and (c) scalable security. These include 24-hour
monitored physical hardware, isolated customer data, automated operations and lock-
box processes, secure networks and encrypted data.
Microsoft implements the Microsoft Security Development Lifecycle (“SDL”) which is a
comprehensive security process that informs every stage of design, development and
deployment of Microsoft software and services, including Azure. Through design
requirements, analysis of attack surface and threat modeling, the SDL helps Microsoft
predict, identify and mitigate vulnerabilities and threats from before a service is
launched through its entire production lifecycle.
Networks within the Azure data centers are segmented to provide physical separation
of critical back-end servers and storage devices from the public-facing interfaces. Edge
router security provides detection of intrusions and signs of vulnerability. Azure
uses industry-standard transport protocols such as SSL and TLS between user devices
and Microsoft data centers, and within data centers themselves. With virtual networks,
the industry-standard IPsec protocol can be used to encrypt traffic between the corporate
VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end
users.
Microsoft also implements traffic throttling to prevent denial-of-service attacks. It uses
the “prevent, detect and mitigate breach” process as a defensive strategy to predict
and prevent security breaches before they happen. This involves continuous
improvements to built-in security features, including port-scanning and remediation,
perimeter vulnerability scanning, OS patching to the latest updated security software,
network-level DDOS (distributed denial-of-service) detection and prevention and multi-
factor authentication for service access. From a people and process standpoint,
preventing breach involves auditing all operator/administrator access and actions, zero
standing permission for administrators in the service, “Just-In-Time (JIT) access and
elevation” (that is, elevation is granted on an as-needed and only-at-the-time-of-need
basis) of engineer privileges to troubleshoot the service, and segregation of the
employee email environment from the production access environment. Employees who
have not passed background checks are automatically rejected from high privilege
access, and checking employee backgrounds is a highly scrutinized, manual-approval
process.
Azure offers a wide range of data encryption capabilities up to AES-256. Options
include .NET cryptographic services, Windows Server public key infrastructure (PKI)
components, Active Directory Rights Management Services (AD RMS), and BitLocker
for data import/export scenarios.
22. How are customers authenticated?
Azure can use two-factor authentication to enhance security. Typical authentication
practices that require only a password to access resources may not provide the
appropriate level of protection for information that is sensitive or vulnerable. Two-factor
authentication is an authentication method that applies a stronger means of identifying
the user. The Microsoft phone-based two-factor authentication solution allows users to
receive their PINs sent as messages to their phones, and then they enter their PINs as
a second password to log on to their services.
23. What are the procedures for identifying, reporting and
responding to suspected security incidents and violations?
This is an issue that we take very seriously. We have therefore checked these
procedures in detail with Microsoft and are confident that they provide excellent means
to enable us to identify, report and respond properly and promptly in the event of any
security incident or violation.
First, there are robust procedures offered by Microsoft that enable the prevention of
security incidents and violations arising in the first place and detection in the event that
they do occur. Specifically:
a. Microsoft implements 24 hour monitored physical hardware. Data center
access is restricted 24 hours per day by job function so that only essential
personnel have access to customer applications and services. Physical access
control uses multiple authentication and security processes, including badges and
smart cards, biometric scanners, on-premises security officers, continuous video
surveillance, and two-factor authentication.
b. Microsoft implements “prevent, detect, and mitigate breach”, which is a
defensive strategy aimed at predicting and preventing a security breach before it
happens. This involves continuous improvements to built-in security features,
including port scanning and remediation, perimeter vulnerability scanning, OS
patching to the latest updated security software, network-level DDOS (distributed
denial-of-service) detection and prevention, and multi-factor authentication for
service access.
c. Wherever possible, human intervention is replaced by an automated, tool-
based process, including routine functions such as deployment, debugging,
diagnostic collection, and restarting services. Azure continues to invest in systems
automation that helps identify abnormal and suspicious behavior and respond
quickly to mitigate security risk. Microsoft is continuously developing a highly
effective system of automated patch deployment that generates and deploys
solutions to problems identified by the monitoring systems—all without human
intervention. This greatly enhances the security and agility of the service.
d. Microsoft conducts penetration tests to enable continuous improvement of
incident response procedures. These internal tests help Azure security experts
create a methodical, repeatable, and optimized stepwise response process and
automation.
Second, in the event that a security incident or violation is detected, Microsoft
Customer Service and Support notifies Azure subscribers by updating the Service
Health Dashboard that is available on the Azure portal. We would have access to
Microsoft’s dedicated support staff, who have a deep knowledge of the service.
Microsoft provides a Recovery Time Objective (“RTO”) of 30 minutes or less for Virtual
Machines and Storage and 1 hour or less for Virtual Network, and a Recovery Point
Objective (“RPO”) of 1 minute or less for Storage.
Finally, after the incident, Microsoft provides a thorough post-incident review report
(“PIR”). The PIR includes:
An incident summary and event timeline.
Broad customer impact and root cause analysis.
Actions being taken for continuous improvement.
Microsoft will provide the PIR within five business days following resolution of the
service incident. Administrators can also request a PIR using a standard online service
request submission through the Azure portal or a phone call to Microsoft Customer
Service and Support.
24. How is end-to-end application encryption security
implemented to protect PINs and other sensitive data
transmitted between terminals and hosts?
Azure offers a wide range of data encryption capabilities up to AES-256. Options
include .NET cryptographic services, Windows Server public key infrastructure (PKI)
components, Active Directory Rights Management Services (AD RMS), and BitLocker
for data import/export scenarios.
Networks within the Azure data centers are segmented to provide physical separation
of critical back-end servers and storage devices from the public-facing interfaces. Edge
router security provides detection of intrusions and signs of vulnerability. Azure
uses industry-standard transport protocols such as SSL and TLS between user devices
and Microsoft data centers, and within data centers themselves. With virtual networks,
the industry-standard IPsec protocol can be used to encrypt traffic between the corporate
VPN gateway and Azure. Encryption can be enabled for traffic between VMs and end
users.
25. Are there procedures established to securely destroy or
remove the data when the need arises?
Yes.
Microsoft uses best practice procedures and a wiping solution that is NIST 800-88
compliant. For hard drives that cannot be wiped, it uses a destruction process (i.e.
shredding) that renders the recovery of information impossible (e.g. disintegrate,
shred, pulverize or incinerate). The appropriate means of disposal is determined by
the asset type. Records of the destruction are retained.
All Microsoft Online Services utilize approved media storage and disposal management
services. Paper documents are destroyed by approved means at the pre-determined
end-of-life cycle.
“Secure disposal or re-use of equipment and disposal of media” is covered under the
ISO/IEC 27001 standards against which Microsoft is certified.
26. Are there procedures to ensure that access to production
data is restricted on a 'least privilege' basis? If yes, provide a
description of these procedures.
Yes.
Microsoft applies strict controls over which personnel roles and personnel will be
granted access to customer data. Personnel access to the IT systems that store
customer data is strictly controlled via role-based access control (“RBAC”) and lock
box processes. Access control is an automated process that follows the separation of
duties principle and the principle of granting least privilege. This process ensures that
the engineer requesting access to these IT systems has met the eligibility
requirements, such as a background screen, fingerprinting, required security training
and access approvals. In addition, the access levels are reviewed on a periodic basis
to ensure that only users who have appropriate business justification have access to
the systems.
27. Are there documented security procedures for safeguarding
premises and restricted areas? If yes, provide descriptions of
these procedures.
Yes.
Physical access control uses multiple authentication and security processes, including
badges and smart cards, biometric scanners, on-premises security officers, continuous
video surveillance and two-factor authentication. The data centers are monitored using
motion sensors, video surveillance and security breach alarms.
28. Are there documented security procedures for safeguarding
hardware, software and data in the data center?
Yes.
The security procedures for safeguarding hardware, software and data are
documented by Microsoft in its Standard Response to Request for Information –
Security and Privacy. This confirms how the following aspects of Microsoft’s operations
safeguard hardware, software and data:
Compliance
Data Governance
Facility
Human Resources
Information Security
Legal
Operations
Risk Management
Release Management
Resiliency
Security Architecture
29. How are privileged system administration accounts
managed? Describe the procedures governing the issuance
(including emergency usage), protection, maintenance and
destruction of these accounts.
Access to the IT systems that store customer data is strictly controlled via RBAC (as
defined above) and lock box processes. Access control is an automated process that
follows the separation of duties principle and the principle of granting least privilege.
This process ensures that the engineer requesting access to these IT systems has met
the eligibility requirements, such as a background screen, fingerprinting, required
security training, and access approvals. In addition, the access levels are reviewed on
a periodic basis to ensure that only users who have appropriate business justification
have access to the systems. User access to data is also limited by user role. For
example, system administrators are not provided with database administrative access.
In emergency situations, a “Just-In-Time (JIT) access and elevation” system is used to
grant engineer privileges to troubleshoot the service (that is, elevation is granted on an
as-needed and only-at-the-time-of-need basis).
30. Are the activities of privileged accounts captured (e.g.
system audit logs) and reviewed regularly? Indicate the party
reviewing the logs and the review frequency.
Yes.
An internal, independent Microsoft team will audit the log at least once per quarter.
31. Are the audit/activity logs protected against tampering by
users with privileged accounts? Describe the safeguards
implemented.
Yes.
All logs are saved to the log management system which a different team of
administrators manages. All logs are automatically transferred from the production
systems to the log management system in a secure manner and stored in a tamper-
protected way.
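As an added illustration of what “stored in a tamper-protected way” can mean in practice, the following example (written for this guidance, not Microsoft’s own implementation; the key, record fields and hash-chain design are assumptions) links forwarded audit records into a SHA-256 hash chain and seals the chain head with a MAC held by the log management team, so that edits, deletions, reordering and truncation by a privileged user on the store are all detectable:

```python
"""Tamper-evident log chain (constructed illustration, not Microsoft's code).

Assumed setup: production hosts forward each audit record to a log management
system run by a separate team. The receiving side links records with a SHA-256
hash chain and periodically seals the chain head out of band (here an HMAC with
a key the log team holds), so a privileged user who alters, deletes, reorders
or truncates records in the store breaks either the chain or the seal.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


def append(chain: list, record: dict) -> dict:
    """Append a record, linking it to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def seal(chain: list, key: bytes) -> str:
    """MAC over the chain head; kept by the log management team, not in the store."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify(chain: list, key: bytes, expected_seal: str) -> list:
    """Return findings; an empty list means the chain is intact and matches its seal."""
    findings = []
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            findings.append(f"entry {i}: broken link (deletion or reordering)")
        if entry["hash"] != _digest(entry["prev"], entry["record"]):
            findings.append(f"entry {i}: record modified after write")
        prev = entry["hash"]
    # Without the out-of-band seal, deleting the newest records would be invisible.
    if not hmac.compare_digest(seal(chain, key), expected_seal):
        findings.append("head does not match sealed head (truncation or rewrite)")
    return findings


def demo() -> dict:
    """Constructed sample: three privileged-access records, then three tampering attempts."""
    key = b"constructed-demo-key-held-by-log-team"  # assumption, not a real secret
    chain = []
    for rec in [
        {"ts": "2014-11-03T09:12:00Z", "op": "jit_elevation_granted", "user": "eng01"},
        {"ts": "2014-11-03T09:13:10Z", "op": "service_restart", "user": "eng01"},
        {"ts": "2014-11-03T09:20:45Z", "op": "jit_elevation_revoked", "user": "eng01"},
    ]:
        append(chain, rec)
    sealed = seal(chain, key)

    # 1. A privileged user rewrites the actor on an existing record.
    edited = json.loads(json.dumps(chain))
    edited[1]["record"]["user"] = "someone-else"
    # 2. A privileged user deletes the middle record.
    deleted = chain[:1] + chain[2:]
    # 3. A privileged user drops the newest record (all remaining links still consistent).
    truncated = chain[:2]
    return {
        "intact": verify(chain, key, sealed),
        "edited": verify(edited, key, sealed),
        "deleted": verify(deleted, key, sealed),
        "truncated": verify(truncated, key, sealed),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "OK")
```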
32. Is access to sensitive files, commands and services
restricted and protected from manipulation? Provide details
of controls implemented.
Yes.
System level data such as configuration data/files and commands are managed as part
of the configuration management system. Any change, update or deletion affecting
those data/files/commands is detected as an anomaly by the configuration
management system and automatically removed.
33. Are file integrity checks in place to detect unauthorized
changes to databases, files, programs and system
configuration? Provide details of checks implemented.
Yes.
System level data such as configuration data/files and commands are managed as part
of the configuration management system. Any change, update or deletion affecting
those data/files/commands is detected as an anomaly by the configuration
management system and automatically removed.
34. Are password controls for critical applications/systems
reviewed for compliance on a regular basis?
Yes.
All access to production and customer data requires multi-factor authentication. Use of
strong passwords is mandatory, and passwords must be changed on a
regular basis.
35. Are remote access activities tracked and reviewed? Provide
details of controls implemented.
Yes.
Administrators who have access to applications have no physical access to the
production environment, so they must connect through the controlled, monitored remote
access facility. All operations through this remote access facility are logged.
36. Does the service provider have a disaster recovery or
business continuity plan? If yes, provide documentation or
details.
Yes.
Microsoft offers contractually guaranteed uptime; globally available data centers for
primary and backup storage; physical redundancy at disk, NIC, power supply and
server levels; constant content replication; robust backup, restoration and failover
capabilities; real-time issue detection and automated response, such that workloads
can be moved off any failing infrastructure components with no perceptible impact on
the service; and 24/7 on-call engineering teams. See also the response to question 40
below.
37. What are the recovery time objectives (RTO) of systems or
applications outsourced to the service provider?
30 min or less for Virtual Machines and Storage, 1 hour or less for Virtual Network.
38. What are the recovery point objectives (RPO) of systems or
applications outsourced to the service provider?
1 minute or less for Storage.
39. What are the data backup and recovery arrangements for
your organization’s data that resides with the service
provider?
Microsoft’s arrangements are as follows:
Redundancy
Physical redundancy at server, data center, and service levels
Data redundancy with robust failover capabilities
Functional redundancy with offline functionality
Resiliency
Active load balancing
Automated failover with human backup
Recovery testing across failure domains
Distributed Services
Distributed component services limit the scope and impact of any failures in a
component.
Directory data replicated across component services insulates one service
from another in any failure events.
Simplified operations and deployment.
Monitoring
Internal monitoring built to drive automatic recovery
Outside-in monitoring raises alerts about incidents
Extensive diagnostics provide logging, auditing, and granular tracing
Simplification
Standardized hardware reduces issue isolation complexities
Fully automated deployment models.
Standard built-in management mechanism
Human backup
Automated recovery actions with 24/7 on-call support
Team with diverse skills on the call provides rapid response and resolution
Continuous improvement by learning from the on-call teams
Continuous learning
If an incident occurs, Microsoft does a thorough post-incident review every time
Microsoft’s post-incident review consists of analysis of what happened,
Microsoft’s response, and Microsoft’s plan to prevent it in the future
40. How frequently does the service provider conduct disaster
recovery tests?
At least once per year.
41. Have you jointly tailored and tested your disaster recovery or
business continuity plan with the service provider? If yes,
please provide a report on the test results.
You are welcome to raise this with your Microsoft contact if you have any questions
about how your disaster recovery/business continuity plan would interface with that of
Microsoft.
In general, it would be Microsoft that would need to take action to recover the Azure
service in a disaster/business continuity situation. Any internal actions can be carried
out by our organization without coordinating with Microsoft.
42. In the event of contract termination with the service provider,
either on expiry or prematurely, are you able to have all IT
information and assets promptly removed or destroyed?
Yes.
Microsoft uses best practice procedures and a wiping solution that is NIST 800-88
compliant. For hard drives that cannot be wiped, it uses a destruction process (i.e.
shredding) that renders the recovery of information impossible (e.g. disintegrate,
shred, pulverize or incinerate). The appropriate means of disposal is determined by
the asset type. Records of the destruction are retained.
All Microsoft Online Services utilize approved media storage and disposal management
services. Paper documents are destroyed by approved means at the pre-determined
end-of-life cycle.
“Secure disposal or re-use of equipment and disposal of media” is covered under the
ISO/IEC 27001 standards against which Microsoft is certified.
APPENDIX ONE
MANDATORY CONTRACTUAL REQUIREMENTS
The Privacy Commissioner has created a document called ‘Cloud Computing: A guide to making the right choices’, February 2013, which contains some
useful items to check are included in the contract. Whilst these are not mandatory, Microsoft has included them in the table below and mapped them against
where in the Microsoft documentation they are covered, for ease of reference.
Key:
Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.
In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.
Terms used below as follows:
OST = Online Services Terms
EA = Enterprise Agreement
Enrolment = Enterprise Enrolment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PUR = Product Use Rights
SLA = Online Services Service Level Agreement
Ref. Requirement Microsoft agreement reference
1. Check the contract. Make sure your key concerns are covered in
the contract or in the standard terms and conditions. In particular
check:
(i) Whether the provider has to tell you if something
goes wrong (for instance if there is a security
breach);
(ii) How would you notify your customers if their
data is lost or stolen?
(iii) How you’re going to know whether the provider
is living up to the terms of the agreement (for
example does it get regular independent audits
done that you’ll be able to check?);
(iv) Who is liable and what the penalties are if
something goes wrong?
(v) What country’s laws apply if there is a legal
dispute and who the appropriate regulator might
be?
(vi) Whether mediation or arbitration is available;
(vii) Whether your provider is insured against privacy
breaches;
(viii) What the provider’s disaster recovery plans
cover.
Privacy Commissioner Cloud Computing: A guide to making the right choices,
February 2013, p9.
Taking each of the points in turn:
(i) Microsoft will notify us if it becomes aware of any security incident, and will
take reasonable steps to mitigate the effects and minimize the damage resulting
from the security incident (see OST, page 9). In addition, as set out on page 13
of the OST, Microsoft maintains a record of security breaches with a description
of the breach, the time period, the consequences of the breach, the name of the
reporter, and to whom the breach was reported, and the procedure for recovering
data. Finally, see (iii) below in terms of monitoring which allows for real-time
monitoring so that breaches would be apparent.
Furthermore, Microsoft commits to comply with (and is audited against) ISO/IEC
27018. Under paragraph A.9 of this international standard Microsoft is required
to promptly notify customers of any unauthorized access to personal information
or unauthorized access to processing equipment or facilities resulting in loss,
disclosure or alteration of personal information.
(ii) This is more an internal matter for the FSI.
(iii) The OST specifies the monitoring mechanisms that Microsoft puts in place in
order to verify that the online services meet appropriate security and compliance
standards. This commitment is reiterated in the FSA.
Clause 1f of the Financial Services Amendment gives the customer the
opportunity to participate in the Microsoft Online Services Customer Compliance
Program, which is a for-fee program that facilitates the customer’s ability to (a)
assess the services’ controls and effectiveness, (b) access data related to
service operations, (c) maintain insight into operational risks of the services, (d)
be provided with additional notification of changes that may materially impact
Microsoft’s ability to provide the services, and (e) provide feedback on areas for
improvement in the services.
Clauses 1e and 1f of the FSA detail the examination and influence rights that are
granted to the customer and the regulator. Clause 1e sets out a process which
can culminate in the regulator’s examination of Microsoft’s premises.
In addition, under paragraph 18 of ISO/IEC 27018 Microsoft is required, where
individual customer audit rights are impractical or may increase risks to security,
to make available, before and during our contract with Microsoft, independent
evidence that information security is implemented and operated in accordance
with Microsoft’s policies and procedures.
(iv) The SLA contains Microsoft’s service level commitment, as well as the
remedies for the customer in the event that Microsoft does not meet the
commitment, including services credits. MBSA section 6 deals with liability.
MBSA section 5 sets out Microsoft’s obligation to defend the regulated entity
against third party infringement and breach of confidence claims. Microsoft’s
liability under section 5 is unlimited.
(v) MBSA section 11h sets out the choice of law provision. Either the contract is
governed by the laws of the State of Washington, if the contract is with a Microsoft
affiliate located outside of Europe, or the contract is governed by the laws of
Ireland, if the contract is with a European Microsoft affiliate. In addition, as
mentioned above, Clause 1e sets out a process which can culminate in the
regulator’s examination of Microsoft’s premises.
(vi) MBSA section 11e sets out the jurisdictions in which the parties should bring their
actions. Microsoft must bring actions against the customer in the country
where the customer’s contracting party is headquartered. The customer must
bring actions: (a) in Ireland, if the action is against a Microsoft affiliate in
Europe; (b) in the State of Washington, if the action is against a Microsoft affiliate
outside of Europe; or (c) in the country where the Microsoft affiliate delivering the
services has its headquarters, if the action is to enforce a Statement of Services.
(vii) MBSA section 10 deals with insurance. In practice, Microsoft maintains self-
insurance arrangements for many of the areas where third party insurance is
typically obtained. Microsoft has taken the commercial decision to take this
approach, and does not believe that this detrimentally impacts upon its
customers given that Microsoft is an extremely substantial entity.
(viii) As set out on page 13 of the OST, Microsoft maintains emergency and
contingency plans for the facilities in which Microsoft information systems that
process Customer Data are located. Business Continuity Management (“BCM”)
forms part of the scope of the accreditations that Microsoft maintains in relation to
the online services, and Microsoft commits to maintain a data security policy that
complies with these accreditations (see OST page 13). BCM also forms part of
the scope of Microsoft’s annual third party compliance audit.