Tim Holman

My feedback

  1. 41 votes
    1 comment  ·  Security and Compliance
    Tim Holman commented  · 

    For a professional opinion, I've recently reviewed Azure from a PCI DSS compliance perspective - things don't look good - https://www.2-sec.com/2015/11/19/is-microsoft-azure-pci-dss-compliant-lessons-in-due-diligence/

  2. 58 votes
    8 comments  ·  Security and Compliance

    Hi Joseph! Thanks for bringing this issue to our attention. We have recently published updates to the Microsoft Azure Trust Center [http://azure.microsoft.com/en-us/support/trust-center/compliance/], and we are planning on releasing updated guidance specifically covering PCI compliance. Keep an eye on the Trust Center Resources page for the latest information, as well as the Azure Security and Compliance blog at http://azure.microsoft.com/blog. Thank you for your patience! Best regards,

    —Joel

    Tim Holman commented  · 

    For a professional opinion, I've recently reviewed Azure from a PCI DSS compliance perspective - things don't look good - https://www.2-sec.com/2015/11/19/is-microsoft-azure-pci-dss-compliant-lessons-in-due-diligence/

    Tim Holman commented  · 

    The Windows Azure PCI Attestation of Compliance (AoC) does not list any services that customers can actually go out and buy. The AoC certifies the following services:

    Azure Core Services, Azure Platform Services, Azure Directory Services, Data Processing, Infrastructure, Operations.

    ...but these services (at least by name, anyway) cannot be "bought".

    I've put together the following blog article as to why a QSA such as myself, with several years' PCI DSS auditing experience, has an issue with Azure:

    https://www.2-sec.com/2015/11/19/is-microsoft-azure-pci-dss-compliant-lessons-in-due-diligence/

    Tim Holman commented  · 

    I've been a QSA for several years, and with Azure, run into the issue that the services assessed as per the publicly available AOC (Attestation of Compliance) do not match up with the Azure services you can actually go out and buy.
    As it stands, my clients have no assurance whatsoever that the specific Azure services they use are PCI DSS Compliant.
    As a QSA, I cannot accept the statements on various Azure web pages. I can only rely on the AOC, or dive in and assess Azure's systems myself.
    Still waiting for Microsoft's response on this, but in the meantime it appears AWS is the way to go.
