{"id":8437,"date":"2023-04-17T08:00:18","date_gmt":"2023-04-17T15:00:18","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=8437"},"modified":"2023-06-30T13:19:23","modified_gmt":"2023-06-30T20:19:23","slug":"simplifying-compliance-evidence-management-with-microsoft-azure-confidential-ledger","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/simplifying-compliance-evidence-management-with-microsoft-azure-confidential-ledger\/","title":{"rendered":"Simplifying compliance evidence management with Microsoft Azure confidential ledger"},"content":{"rendered":"

The Microsoft Digital Employee Experience (MDEE) team is using Microsoft Azure confidential ledger to create a centralized evidence store to streamline auditing needs. This evidence store enables teams from across Microsoft to store records and data related to regulatory compliance in a single location. A single collection point simplifies evidence storage for developers and compliance managers, and it also provides a single access point for auditors.<\/p>\n

Capturing evidence with Microsoft Azure confidential ledger<\/h2>\n

Microsoft Azure confidential ledger gives the team a head start on managing evidence records. Built on the Confidential Consortium Framework (CCF), a permissioned blockchain model, Azure confidential ledger is append-only: entries can be added but never modified or deleted, and every write lands in a tamper-proof, cryptographically verifiable log. This structure helps ensure that all records are kept intact.<\/p>\n


The confidential ledger runs exclusively inside hardware-backed secure enclaves (Intel SGX), isolated runtime environments whose memory is shielded from the host operating system and hypervisor, which keeps potential attacks at bay. No one is above the ledger, not even Microsoft: Azure confidential ledger runs on a minimal trusted computing base (TCB), so Microsoft developers, datacenter technicians, and cloud administrators cannot read or alter the ledger's contents.<\/p>\n

Astha Sinha, a senior product manager for development experience, and Martin O\u2019Flaherty, a principal PM manager, are helping Microsoft transform how it supports internal auditing processes.<\/figcaption><\/figure>\n

Martin O\u2019Flaherty is leading the implementation of Azure confidential ledger within MDEE. \u201cIn our environment, proving that some action occurred, or piece of data existed can be difficult, especially after some time has passed,\u201d says O\u2019Flaherty, a principal PM manager in MDEE. \u201cThe solutions we\u2019re building around Azure confidential ledger provide an attested, reliable source of truth for our teams to use for compliance-related data.\u201d<\/p>\n

O\u2019Flaherty stresses the importance of a centralized location for all users of compliance data. \u201cOur engineers know where they need to store compliance data and our compliance managers have a single point of reference,\u201d he says. \u201cIn addition, auditors have an attested, comprehensive data repository that they can use to observe and confirm compliance in whatever regulatory domain they\u2019re investigating.\u201d<\/p>\n

Azure confidential ledger can store a multitude of evidence types, including records of business transactions, updates to trusted assets, administrative control changes, and operational and security events. Every write returns a transaction-specific receipt, so any entry can later be verified independently of the service that produced it. Tamper evidence also extends to the ledger nodes themselves and to the blocks they store.<\/p>\n


Each piece of evidence written to Azure confidential ledger returns a signed, tamper-evident receipt that can be cited during an audit. This improves both evidence collection and verification, which cuts the time teams spend assembling audit packages and leaves them more time to innovate. For the MDEE team and the auditors they support, Azure confidential ledger serves as a one-stop, centralized, and verifiable evidence store.<\/p>\n

Tracking Sarbanes-Oxley compliance data in Microsoft Azure DevOps<\/h2>\n

The team in MDEE is currently implementing a solution for tracking Sarbanes-Oxley (SOX) compliance across Microsoft Azure DevOps environments. SOX compliance records are required for many operational and financial events. For example, all applications, services, and solutions that the Employee Experience team manages have SOX-based requirements for change auditing.<\/p>\n

Abarna Bose, a principal product manager, and Damon Gray, a principal group engineering manager, are helping Microsoft transform how it supports internal auditing processes.<\/figcaption><\/figure>\n

\u201cWe use Azure DevOps for the majority of our application development,\u201d says Damon Gray, a principal group engineering manager in MDEE. \u201cAny changes made to our internal applications, services, and solutions are managed through Azure DevOps, so it\u2019s a great place to start collecting the data necessary for SOX compliance. Azure confidential ledger provides a huge improvement over our previous methods for tracking this data.\u201d<\/p>\n

When SOX auditors audit changes in SOX-bound applications, they look for clear documentation of the required steps used to deploy application code changes into the production environment. In the past, engineering teams created an email containing all the necessary deployment details, including service catalog information, build data, pull-request details, release notes, and release approval. The email was circulated to the engineering team, and an engineering manager validated all changes and marked the deployment for approval. After a formal email approval from the engineering manager was received, the team's release manager took the deployment to production.<\/p>\n


\u201cWith Azure confidential ledger, the manual nature of this process becomes automated and centralized,\u201d says Bhavana Konchada, a senior software engineer in MDEE. \u201cPotential for human error in the email-based processes is replaced by the consistency of prescribed automated processes. Data taken out of the Azure DevOps context via email in the previous processes remains intact in Azure DevOps and is sent directly to Azure confidential ledger.\u201d<\/p>\n

The solution can be customized to streamline other audit processes, such as HIPAA, CMMC, and other federal audits. \u201cAzure confidential ledger being backed by blockchain technology makes it a preferable and trustworthy solution for auditors,\u201d Konchada says.<\/p>\n

Integrating Azure confidential ledger with Azure DevOps is a relatively straightforward process. The team uses a custom Azure DevOps pipeline task, added as the final step of the release pipeline, that gathers the SOX-relevant data from the release. When the release is triggered, Azure DevOps runs the custom task, which writes that data to Azure confidential ledger. Specifically, the data can include what change was made, who made it, when it was made, and whether it was approved.<\/p>\n
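The two mechanisms the article relies on, a write that returns a transaction-specific receipt and an auditor-side check of that receipt, can be shown end to end with a small model. The block below is an added example, not MDEE's pipeline task and not Azure confidential ledger service code: it models an append-only ledger as a Merkle tree, hands back a receipt (leaf hash, inclusion proof, root) for every write, and recomputes the proof to verify a record later. The `build_release_evidence` helper and its `release`/`approval` field names are assumptions standing in for the Azure DevOps release context; the sample data is constructed. Real Azure confidential ledger receipts also carry a signature over the root by the ledger node, checked against the service certificate; that signature step is deliberately left out here.

```python
# Added example (not MDEE's pipeline task and not Azure confidential ledger
# service code): a minimal model of an append-only ledger that hands back a
# transaction-specific receipt for every write, plus the verifier an auditor
# would run against that receipt. Real ACL receipts carry the same kind of
# Merkle inclusion proof, but the root is additionally signed by the ledger
# node and that signature is checked against the service certificate; that
# signature step is out of scope here.
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _leaf_hash(record: dict) -> bytes:
    # Canonical encoding so the same record always hashes the same way.
    return _sha256(json.dumps(record, sort_keys=True, separators=(",", ":")).encode())


@dataclass(frozen=True)
class Receipt:
    transaction_id: int                   # sequence number of the entry
    leaf: bytes                           # hash of the record as written
    proof: Tuple[Tuple[str, bytes], ...]  # ("L"/"R", sibling hash) from leaf to root
    root: bytes                           # Merkle root at the time of the write


class AppendOnlyLedger:
    """Entries can only be appended; nothing is ever rewritten."""

    def __init__(self) -> None:
        self._leaves: List[bytes] = []

    def append(self, record: dict) -> Receipt:
        self._leaves.append(_leaf_hash(record))
        index = len(self._leaves) - 1
        proof, root = self._inclusion_proof(index)
        return Receipt(index, self._leaves[index], tuple(proof), root)

    def _inclusion_proof(self, index: int) -> Tuple[List[Tuple[str, bytes]], bytes]:
        level = list(self._leaves)
        proof: List[Tuple[str, bytes]] = []
        i = index
        while len(level) > 1:
            if len(level) % 2:                      # odd level: duplicate last node
                level.append(level[-1])
            sibling = i ^ 1
            proof.append(("L" if sibling < i else "R", level[sibling]))
            level = [_sha256(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
            i //= 2
        return proof, level[0]


def verify_receipt(record: dict, receipt: Receipt) -> bool:
    """Recompute the path from the record to the receipt's root.

    Any change to the record, the proof, or the root makes this return False.
    """
    node = _leaf_hash(record)
    if node != receipt.leaf:
        return False
    for side, sibling in receipt.proof:
        node = _sha256(sibling + node) if side == "L" else _sha256(node + sibling)
    return node == receipt.root


def build_release_evidence(release: dict, approval: dict) -> dict:
    """Shape of the SOX record the text says the pipeline task writes.

    `release` and `approval` are hypothetical dicts standing in for the Azure
    DevOps release and approval context; the field names are assumptions.
    """
    return {
        "change": {"commit": release["commit"], "pull_request": release["pull_request"]},
        "changed_by": release["author"],
        "changed_at": release["completed_at"],
        "approved": approval["status"] == "approved",
        "approved_by": approval.get("approver"),
    }


if __name__ == "__main__":
    ledger = AppendOnlyLedger()
    # Constructed sample data, not a real release.
    sample = build_release_evidence(
        {"commit": "a1b2c3d", "pull_request": 4711, "author": "dev@contoso.test",
         "completed_at": "2023-04-17T15:00:00Z"},
        {"status": "approved", "approver": "eng-manager@contoso.test"},
    )
    receipt = ledger.append(sample)
    ledger.append({"note": "a later, unrelated entry"})  # receipt stays valid
    print("receipt verifies:", verify_receipt(sample, receipt))
    tampered = dict(sample, approved_by="attacker@contoso.test")
    print("tampered record verifies:", verify_receipt(tampered, receipt))
```

The receipt is what the auditor keeps: it pins the record to a root that existed at write time, so later appends do not invalidate it, and any edit to the record (here, swapping the approver) fails verification. Against the real service, the azure-confidentialledger Python SDK performs the same steps: `ConfidentialLedgerClient.create_ledger_entry` returns the transaction ID, `begin_get_receipt` fetches the receipt, and `azure.confidentialledger.receipt.verify_receipt` checks it against the service certificate obtained from `ConfidentialLedgerCertificateClient.get_ledger_identity`.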

\u201cAzure confidential ledger is perfect for use cases where critical metadata records must be stored in an unmodifiable, permanent state,\u201d says Abarna Bose, a principal product manager who is responsible for SOX compliance standards in MDEE. \u201cIt\u2019s an immutable store that our SOX auditors can consult with full confidence in its integrity and validity.\u201d<\/p>\n


Rob Beneson (left) is a partner director of software engineering who leads the MDEE development team implementing the solution for tracking Sarbanes-Oxley (SOX) compliance across Microsoft Azure DevOps environments, and Bhavana Konchada is a senior software engineer who conceptualized the project.<\/figcaption><\/figure>\n

Bose underscores the importance of a centralized store when SOX-bound applications and services are scattered across different business groups and Azure DevOps accounts at Microsoft. \u201cA central store like the one we\u2019re using in Azure confidential ledger is invaluable. It infuses simplicity into an otherwise complicated and fragmented set of development environments,\u201d she says.<\/p>\n

Extending Microsoft Azure confidential ledger<\/h2>\n

O\u2019Flaherty and his team are expanding the scope of their SOX compliance solution for Azure DevOps and are investigating other areas where Azure confidential ledger can be used to implement centralized compliance data management at Microsoft. His team has learned many lessons from their implementation.<\/p>\n

\u201cEnsuring the quality and integrity of compliance data isn\u2019t easy in a large environment like ours,\u201d says Astha Sinha, a senior product manager for developer experiences in MDEE. \u201cThe required information is always stored in many different locations, under the management of many different teams, and these locations are often difficult to catalog.\u201d<\/p>\n

Sinha and her team are using Azure confidential ledger to make it easier for developers and auditors to track compliance in line with the development process, without extra work or processes piled on top. The solution is helping to build stronger trust within the regulatory compliance environment and providing a trustworthy source of compliance information that can be widely used.<\/p>\n


Here are some insights we learned as we transformed our internal auditing processes:<\/p>\n