Not everyone needs the security and compliance of the Department of Defense (DoD) but with enterprise cloud adoption at a fever pitch , it’s nice to know that the Pentagon approves of Microsoft Azure. Earlier this year the United States DoD awarded Azure an Information Impact Level 5 DoD Provisional Authorization, the highest certification in terms of unclassified data. Microsoft’s Azure general manager, Tom Keane, confirmed that the distinction makes Azure “the first commercial cloud service to be awarded an Information Impact Level 5 DoD Provisional Authorization by the Defense Information Systems Agency (DISA).”
Again, for most companies, it’s not critical that the Pentagon approves of your cloud platform. However, if you work in the DoD space, you can now use Azure Government for all sensitive controlled unclassified information (CUI). CUI is information the federal government creates or possesses that a law, regulation, or government wide policy requires, or specifically permits, an agency to handle by means of safeguarding or dissemination controls. Microsoft has done all the leg work upfront so government projects can simply use Azure Government as an authorization baseline and avoid costly FedRamp and DISA reviews.
To achieve the certification, Microsoft had to setup separate cloud infrastructure much like they do for Azure Healthcare and HIPAA/HITECH regulations. Information Impact Level 5 requires processing in dedicated infrastructure that ensures physical separation of DOD customers from non-DoD customers. Even though Azure Government is a distinct Azure Region, it’s running the same platform as the rest of Azure. Consequently, much of what the DoD reviewed and certified is part of the broad Azure platform and available to all customers.
The democratization of high-end enterprise capabilities, previously only available to the largest and most sophisticated companies, is part of the appeal of the cloud. In Azure, for instance, any customer gets access to Microsoft’s global threat intelligence network through Azure Security Center. Another example would be the Azure compliance certifications which often apply to broadly to the Azure platform and can be leveraged by anyone. Certifications like Information Impact Level 5 benefit the rest of the Azure community as so many of the requirements become a part of the general Azure cloud platform.
We think approval of this certification is significant for all industry cloud use cases. It sends a signal to the marketplace that Microsoft takes security very seriously and meeting the federal-specific requirements is another very tangible example of that. Announcements like this should give any business leader extreme comfort and confidence that the cloud represents an opportunity for enhanced security and not an increase in risk.