This article provides guidance on how to get your business compliant with PCI, HIPAA, GDPR, FedRAMP, SOC 2 by leveraging cloud services of AWS, GCP and Azure.
Organizations providing IT Managed Services, Software Development, Software as a Service, infrastructure-as-a-service, platform-as-a-service tend to have their application products hosted on the cloud environments. In order to achieve compliance with standards of PCI, HIPAA, GDPR, FedRAMP, and SOC 2, organizations must implement the controls specified in the SOC 2 Trust Services Principles.
These controls include:
- Security: Organizations must ensure the security of their systems and data, including protection from unauthorized access and malware.
- Confidentiality: Organizations must ensure that their systems and data are protected from unauthorized access.
- Integrity: Organizations must ensure the accuracy and completeness of their systems and data.
- Availability: Organizations must ensure that their systems and data are available when needed.
Organizations can leverage on cloud services of AWS, Azure or Google Cloud to implement the required controls with regulations.
Below table provides an high level overview of available cloud services for AWS, Azure or Google Cloud that organizations can leverage on to meet the required regulatory requirements and stay secure and compliant.
| AWS | Azure | Google Cloud | |||
| AI and machine learning | |||||
| AI containers | AWS Deep Learning Containers | GPU support on AKS | Deep Learning Containers | ||
| Data labeling | Amazon SageMaker Ground Truth | Azure Machine Learning data labeling | Vertex Data Labeling | ||
| Online fraud detection | Amazon Fraud Detector | N/A | reCAPTCHA Enterprise | ||
| Analytics | |||||
| Business analytics | Amazon QuickSight, Amazon FinSpace | Power BI Embedded, Microsoft Graph Data Connect (preview) | Looker, Google Data Studio | ||
| Data lake creation | Amazon HealthLake (preview), AWS Lake Formation | Azure Data Lake Storage | Cloud Storage | ||
| Data sharing | AWS Data Exchange, AWS Lake Formation | Azure Data Share | Analytics Hub (preview), Cloud Dataprep (partnership with Trifacta) | ||
| Application integration | |||||
| API development and management | Amazon API Gateway, AWS AppSync | Azure API Apps | API Gateway, Apigee, Cloud Endpoints | ||
| Event routing, third-party integration | Amazon AppFlow, Amazon EventBridge, Amazon Simple Notification Service | Event Grid | Pub/Sub | ||
| Messaging | Amazon MQ, Amazon Simple Queue Service | Azure Web PubSub (preview), Queue Storage, Service Bus | Pub/Sub | ||
| Workflow orchestration | AWS Data Pipeline, Amazon Managed Workflows for Apache Airflow | Logic Apps | Cloud Composer, Workflows | ||
| Business applications | |||||
| Document sharing and storage | Amazon WorkDocs | Microsoft Word | Google Docs, Google Workspace Essentials | ||
| Email and calendar | Amazon WorkMail | Outlook | Gmail | ||
| Low-code/no-code | Amazon Honeycode (preview) | Microsoft PowerApps, Project Bonsai (preview) | AppSheet | ||
| Video calls and chat | Amazon Chime | Microsoft Teams | Google Meet | ||
| Voice assistant | Alexa for Business | Cortana | Google Assistant | ||
| Compute | |||||
| Autoscaling | AWS EC2 Auto Scaling | Azure Autoscale, Azure virtual machine scale sets | Managed instance groups (MIGs) | ||
| Functions as a service | AWS Lambda | Azure Functions | Cloud Functions | ||
| High performance computing cluster management | AWS ParallelCluster | Azure CycleCloud, Azure FXT Edge Filer | N/A | ||
| VM image builder | EC2 Image Builder | Azure VM Image Builder | N/A | ||
| PaaS | AWS Elastic Beanstalk, Red Hat OpenShift Service on AWS | App Service, Azure Cloud Services, Azure Spring Cloud, Azure Red Hat OpenShift | App Engine | ||
| Quantum computing | Amazon Braket | Azure Quantum (preview) | N/A | ||
| Virtual machines | Amazon EC2 | Virtual Machines | Compute Engine | ||
| Virtual private server | Amazon Lightsail | N/A | N/A | ||
| VMware integration | VMware Cloud on AWS | Azure VMware Solution | VMware Engine | ||
| Containers | |||||
| Container registry | Amazon Elastic Container Registry (ECR), ECR Public | Azure Container Registry | Artifact Registry, Container Registry | ||
| Managed container service | AWS Copilot, Amazon Elastic Container Service (ECS), Amazon Elastic Kubernetes Service (EKS) | Azure Kubernetes Service (AKS) | Google Kubernetes Engine (GKE) | ||
| Serverless containers | AWS App Runner, AWS Fargate | Azure Container Instances (ACI) | Cloud Run | ||
| Databases | |||||
| Blockchain | Amazon Managed Blockchain, Amazon Quantum Ledger Database (QLDB) | Azure Blockchain Service (preview), Azure Blockchain Development Kit, Azure Blockchain Workbench (preview), Microsoft Azure Confidential Ledger (preview) | N/A | ||
| Caching | Amazon ElastiCache (Memcached, Redis) | Azure Cache for Redis, Azure HPC Cache | Cloud Memorystore | ||
| Time-series database | Amazon Timestream | Azure Time Series Insights | Cloud Bigtable | ||
| Developer tools | |||||
| App configuration parameter storage | AWS AppConfig | App Configuration | Cloud Storage | ||
| Artifact management | AWS CodeArtifact | Azure Artifacts, GitHub Packages | Artifact Registry (preview) | ||
| Code debugging | AWS X-Ray | Visual Studio Code | Cloud Debugger, Firebase Crashlytics | ||
| CI/CD | AWS CodeBuild, AWS CodeDeploy, AWS CodePipeline, AWS CodeStar | Azure Boards, Azure DevOps, Azure Pipelines | Cloud Build, Tekton | ||
| Development kits | AWS Cloud Development Kit, Amazon Corretto | Azure SDKs | Cloud SDK | ||
| Private repository | AWS CodeCommit, AWS Serverless Application Repository | Azure Repos | Cloud Source Repositories | ||
| Testing | AWS Device Farm, AWS Fault Injection Simulator | Visual Studio App Center, Azure Test Plans, Azure Internet Analyzer (preview) | Google Firebase Test Lab | ||
| IoT | |||||
| Cloud-device connections, data collection and management | AWS IoT Analytics, AWS IoT Core, AWS IoT Device Defender, AWS IoT Device Management, AWS IoT Events, AWS IoT SiteWise | Azure IoT Central, Azure IoT Hub, Azure Defender for IoT, Azure Sphere | Cloud IoT Core | ||
| IoT edge compute | AWS Greengrass | Azure IoT Edge, Azure Percept (preview) | Edge TPU | ||
| Microcontroller OS | FreeRTOS | Azure RTOS | N/A | ||
| Virtual modeling | AWS IoT Things Graph | Azure Digital Twins | N/A | ||
| Management and governance | |||||
| Automation | AWS CloudFormation, AWS Proton, AWS OpsWorks | Azure Resource Manager, Azure Automation | Cloud Deployment Manager, Cloud Foundation Toolkit, Cloud Scheduler | ||
| Anomaly detection | CloudWatch Anomaly Detection | Anomaly Detector | Anomaly Detection | ||
| Application portfolio and data governance | AWS Service Catalog | Azure Managed Applications, Azure Blueprints (preview), Azure Purview (preview) | Dataplex, Private Catalog, Service Directory | ||
| Configuration management | AWS Config | Azure App Configuration | Cloud Asset Inventory | ||
| Health dashboard | Personal Health Dashboard | Resource Health, Azure Service Health | Cloud Monitoring | ||
| Hybrid and multi-cloud management | Amazon EKS Anywhere (preview), Amazon ECS Anywhere | Azure Arc | Google Anthos, Network Connectivity Center (preview) | ||
| Monitoring | Amazon CloudWatch, Amazon CloudWatch Logs, AWS Transit Gateway Network Manager, Amazon Lookout for Metrics, Amazon Managed Service for Prometheus (preview) | Azure Monitor, Network Watcher, Log Analytics, Azure Metrics Advisor (preview) | Operations, Cloud Operations for GKE (formerly Stackdriver), Network Intelligence Center | ||
| Multi-account management | AWS Control Tower, AWS Organizations | Azure Management Groups, Azure Lighthouse | N/A | ||
| Policy management | AWS Organizations | Azure Policy | Organization Policy Service | ||
| Web-based user interface | AWS Management Console | Azure Portal | Cloud Console | ||
| Migration | |||||
| Database migration | AWS Database Migration Service | Azure Database Migration Service | Database Migration Service (preview) | ||
| Disaster recovery | CloudEndure Disaster Recovery | Azure Site Recovery | N/A | ||
| Migration tracker | AWS Migration Hub | Azure Migrate | N/A | ||
| Server migration | AWS App2Container, AWS Server Migration Service, CloudEndure Migration | Azure Migrate | Migrate for Anthos, Migrate for Compute Engine, VM migration | ||
| Miscellaneous | |||||
| Customer engagement | Amazon Connect, Contact Lens for Amazon Connect | Azure Communication Services, Azure SignalR Service | Contact Center AI | ||
| End user communications | Amazon Pinpoint, Amazon Simple Email Service | Azure Notification Hubs | Firebase Cloud Messaging | ||
| Geolocation APIs and services | Amazon Maps API, Amazon Location Service | Azure Maps | Google Maps Platform | ||
| Fast Healthcare Interoperability Resources | FHIR Works on AWS | Azure API for FHIR | Apigee HealthAPIx, Cloud Healthcare API | ||
| Industrial and other workplace monitoring tools | Amazon Lookout for Vision, Amazon Lookout for Equipment, Amazon Panorama (preview), Amazon Monitron | Azure IoT | Vision AI, Visual Inspection AI | ||
| Media services | Amazon Elastic Transcoder, AWS Elemental suite, Amazon Interactive Video Service, Amazon Kinesis Video Streams | Azure Media Player, Content Protection, Encoding, Live and On-Demand Streaming, Azure Video Analyzer (preview), Media Services | OpenCue, Transcoder API (preview) | ||
| Robotics application development | AWS RoboMaker | N/A | Cloud Robotics Core | ||
| Virtual desktop | Amazon WorkSpaces, Amazon AppStream 2.0 | Azure Virtual Desktop, Citrix Virtual Apps and Desktops, VMware Horizon Cloud on Microsoft Azure | N/A | ||
| Virtual reality, mixed reality app development | Amazon Sumerian | Azure Digital Twins, Kinect DK, Object Anchors (preview), Remote Rendering (preview), Spatial Anchors | Google VR | ||
| Networking | |||||
| Build, deploy and manage APIs | Amazon API Gateway | Azure API Apps, API Management | Apigee API Management Platform | ||
| Content delivery network | Amazon CloudFront | Content Delivery Network (CDN) | Cloud CDN | ||
| Domain name system | Amazon Route 53 | Azure DNS | Cloud DNS | ||
| Load balancing | Elastic Load Balancing (ELB) | Application Gateway, Load Balancer, Traffic Manager | Cloud Load Balancing | ||
| Network accelerator | AWS Global Accelerator | Accelerated Networking | Premium Network Service Tier | ||
| Network area translation | NAT Gateway | Virtual Network NAT, Azure Route Server (preview) | Cloud NAT | ||
| VPC | Amazon VPC | Azure Virtual Network | Virtual Private Cloud | ||
| VPC/VM secure connector | AWS Transit Gateway, AWS VPN | Azure Bastion, Azure Private Link, Azure VPN gateway | Cloud VPN, Direct Peering, VPC Service Controls | ||
| Security | |||||
| Audit and compliance reports and controls | AWS Artifact, AWS Audit Manager | Service Trust Portal | Assured Workloads | ||
| Centralized security management | AWS Security Hub | Security Center | Security Command Center | ||
| Certificate management | AWS Certificate Manager | App Service | Certificate Authority Service | ||
| Confidential computing | AWS Nitro Enclaves | Azure Confidential Computing | Confidential Computing | ||
| Data discovery and classification | Amazon Macie | Data Catalog, Azure Information Protection | Data Catalog, Cloud Data Loss Prevention | ||
| Distributed denial-of-service (DDoS) protection | AWS Shield | Azure DDoS Protection | Google Cloud Armor | ||
| End-user identity management | Amazon Cognito | Azure Active Directory B2C | Firebase Authentication | ||
| Firewall management | AWS Firewall Manager, AWS Network Firewall, AWS WAF | Azure Firewall Manager, Web Application Firewall | Cloud Armor, Cloud firewalls | ||
| Identity and access management | AWS Identity and Access Management | Azure Active Directory, role-based access control (Azure RBAC), Azure Active Directory External Identities | BeyondCorp Enterprise, Identity and Access Management, Identity Platform, Identity-Aware Proxy | ||
| Key management | AWS Key Management Service, AWS CloudHSM | Key Vault, Azure Dedicated HSM | Cloud Key Management | ||
| Multifactor authentication | AWS Multi-Factor Authentication | Azure AD Multi-Factor Authentication | Google Authenticator, Titan Security Key | ||
| Microsoft Active Directory compatible directory service | AWS Directory Service for Microsoft Active Directory | Azure Active Directory Domain Service | Managed Service for Microsoft Active Directory | ||
| Security data analysis | Amazon Detective | Security Center | Chronicle, Risk Protection Program (preview) | ||
| Secrets management | AWS Secrets Manager | Azure Key Vault | Secret Manager | ||
| Single sign-on | AWS Single Sign-On | Azure Active Directory single single-on | Cloud Identity | ||
| Signoff for cloud provider data access requests | N/A | Customer Lockbox | Access Transparency | ||
| Threat Detection | Amazon GuardDuty | Microsoft Azure Attestation, Azure Defender, Azure Sentinel | Chronicle, Phishing Protection, Web Risk, Event Threat Detection (preview) | ||
| Vulnerability scanning | Amazon Inspector | Security Center | Web Security Scanner | ||
| Storage | |||||
| Archival storage | S3 Glacier, S3 Glacier Deep Archive | Archive Storage | Archive Storage | ||
| Backup | AWS Backup | Azure Backup | N/A | ||
| Block storage | Amazon Block Store (EBS) | Azure Disk Storage | Persistent Disk, Local SSD | ||
| File storage | Amazon Elastic File Service (EFS), Amazon FSx for Windows File Server, Amazon FSx for Lustre | Avere vFXT for Azure, Azure Files, Azure NetApp Files, Azure FXT Edge Filer | Filestore | ||
| Object storage | Amazon S3 | Azure Blob Storage | Cloud Storage, Cloud Storage for Firebase | ||
*AWS, Google and Microsoft use different terminology to describe services that are in preview, beta or alpha.
**Several Google and Microsoft services in this section are not explicitly available through Google Cloud and Microsoft Azure, respectively. They are part of each vendor’s broader cloud portfolio
BOTTOM LINE
While meeting the AICPA’s reporting guidelines, we customize your report, including an executive summary that highlights critical information that is most important to your customers. The remainder of the report is organized by topical areas so that stakeholders can easily find details when needed.
E Secure 360 is recognized as one of the market leaders in security, privacy, and internal control services. We have a dedicated practice of risk and control specialists with deep industry focus and experience. The E Secure 360 opinion stating that you’re operating controls meet SOC 2 standards is likely to reinforce customer confidence in your company.