Platform: AZURE

| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | Authentication is managed through kubeconfig files and tokens, not API keys. | Not applicable. |
| Authentication & Authorization | API Key Management | True | Function and host keys provide a mechanism for securing HTTP-triggered functions. These keys can be managed and rotated. | |
| Authentication & Authorization | API Key Management | True | API keys are used for authenticating to deployed models. These keys can be regenerated and managed. | |
| Authentication & Authorization | API Key Management | True | While API keys can be used for some services, the primary method for programmatic access is through service principals and managed identities. | Not the primary authentication method. |
| Authentication & Authorization | API Key Management | False | API key management would need to be implemented at the application level. | Not a direct feature. |
| Authentication & Authorization | IAM Integration | True | Azure RBAC is used to manage access to Azure Machine Learning workspaces and resources. | |
| Authentication & Authorization | IAM Integration | True | AKS integrates with Azure AD for authentication and Kubernetes RBAC for authorization. | |
| Authentication & Authorization | IAM Integration | True | Azure RBAC can be used to control access to the function app and its settings. | |
| Authentication & Authorization | IAM Integration | True | Azure Role-Based Access Control (RBAC) is fully integrated with Azure VMs, allowing for granular control over who can manage the VM and its resources. | |
| Authentication & Authorization | IAM Integration | True | Azure RBAC is used to manage access to the App Service and its settings. | |
| Authentication & Authorization | MFA | True | MFA can be enforced for users authenticating to the cluster via Azure AD. | Enforced through Azure AD. |
| Authentication & Authorization | MFA | True | MFA can be enforced for users managing the App Service. | Applies to administrative access. |
| Authentication & Authorization | MFA | True | Azure Multi-Factor Authentication can be enforced for users accessing the Azure management plane to manage VMs. | Applies to administrative access to the Azure portal and APIs. |
| Authentication & Authorization | MFA | True | MFA can be enforced for administrators managing the function app. | Applies to administrative access. |
| Authentication & Authorization | MFA | True | MFA can be enforced for users accessing the Azure portal and APIs to manage Azure Machine Learning. | Applies to administrative access. |
| Authentication & Authorization | Service Account Support | True | Kubernetes service accounts can be used to provide identities for pods. Managed identities can be used for the cluster to access other Azure resources. | |
| Authentication & Authorization | Service Account Support | True | Azure Functions support Managed Identities for accessing other Azure resources securely. | |
| Authentication & Authorization | Service Account Support | True | Azure Managed Identities can be used to provide an identity for applications running on a VM to access other Azure resources without needing to manage credentials. | |
| Authentication & Authorization | Service Account Support | True | Managed identities can be used to access other Azure resources. | |
| Authentication & Authorization | Service Account Support | True | Managed identities and service principals can be used for programmatic access to Azure Machine Learning services. | |
| Authentication & Authorization | Standard Protocols | True | AKS uses standard protocols for authentication and authorization. | |
| Authentication & Authorization | Standard Protocols | True | App Service has built-in support for authentication using Azure AD, which supports OAuth 2.0 and OpenID Connect. | |
| Authentication & Authorization | Standard Protocols | True | Authentication to the Azure API for managing VMs uses standard protocols like OAuth 2.0. | |
| Authentication & Authorization | Standard Protocols | True | Azure Functions can be configured to use OAuth 2.0 / OpenID Connect for authentication. | |
| Authentication & Authorization | Standard Protocols | True | Azure Machine Learning APIs use OAuth 2.0 for authentication. | |
| Compliance & Certifications | Compliance Documentation | True | Compliance documentation is available through the Azure Trust Center. | |
| Compliance & Certifications | Compliance Documentation | True | Compliance documentation is available through the Azure Trust Center. | |
| Compliance & Certifications | Compliance Documentation | True | Compliance documentation is available through the Azure Trust Center. | |
| Compliance & Certifications | Compliance Documentation | True | Compliance documentation is available through the Azure Trust Center. | |
| Compliance & Certifications | Compliance Documentation | True | Azure provides compliance documentation and reports through the Azure Trust Center. | |
| Compliance & Certifications | Industry Certifications | True | Azure holds numerous industry certifications. | |
| Compliance & Certifications | Industry Certifications | True | Azure holds numerous industry certifications. Customers are responsible for the compliance of their specific applications. | |
| Compliance & Certifications | Industry Certifications | True | Azure holds numerous industry certifications. | |
| Compliance & Certifications | Industry Certifications | True | Azure as a platform holds numerous industry certifications (e.g., ISO 27001, SOC 2, HIPAA, GDPR). Customers are responsible for the compliance of their applications. | |
| Compliance & Certifications | Industry Certifications | True | Azure holds numerous industry certifications. | |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking would need to be implemented at the application level. | Not a direct feature. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking and redaction are not features of Azure VMs. This would need to be implemented at the application level. | Not a direct feature of Azure VMs. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking would need to be implemented at the application level. | Not a direct feature. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking would need to be implemented in the function code. | Not a direct feature. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking is not a direct feature of Azure Machine Learning. | Not a direct feature. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | DLP would need to be implemented at the application level. | Not a direct feature. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | DLP is not a direct feature of Azure Machine Learning. Customers would need to integrate with other services or implement their own solutions. | Not a direct feature. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | DLP is not a feature of Azure VMs. Customers would need to install and configure their own DLP solutions within the guest OS. | Not a direct feature of Azure VMs. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | DLP would need to be implemented through third-party tools or custom solutions within the cluster. | Not a direct feature. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | DLP is not a direct feature of Azure Functions. It would need to be implemented in the function code or through integration with other services. | Not a direct feature. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Data transfer can be controlled by configuring VNets and firewall rules for the Azure Machine Learning workspace and its associated resources. | Customer is responsible for configuring network controls. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Data transfer between regions is controlled by the customer. Network Security Groups (NSGs) and VNet configurations can be used to restrict traffic flow between different regions. | Requires customer configuration. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | VNet integration and network rules can be used to control traffic. | Customer is responsible for configuring network settings. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Customers can control data transfer by configuring network settings and ensuring the function does not call services in other regions. | Depends on function implementation and integration with other services. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Network policies and VNet configurations can be used to control traffic between regions. | Customer is responsible for configuring network policies. |
| Data Residency & Sovereignty | Data Location Transparency | True | The region of deployment is clearly visible in the Azure Portal, and documentation specifies data handling policies. | |
| Data Residency & Sovereignty | Data Location Transparency | True | The location of the AKS cluster is visible in the Azure Portal. | |
| Data Residency & Sovereignty | Data Location Transparency | True | Azure provides documentation on data residency and customers can verify the location of their resources through the Azure Portal. | |
| Data Residency & Sovereignty | Data Location Transparency | True | The location of the App Service plan is visible in the Azure Portal. | |
| Data Residency & Sovereignty | Data Location Transparency | True | Azure provides clear documentation on its regions and availability zones. Customers can verify the location of their VMs through the Azure Portal and APIs. | |
| Data Residency & Sovereignty | Region Selection | True | AKS clusters are deployed into specific Azure regions. | |
| Data Residency & Sovereignty | Region Selection | True | Azure Functions can be deployed to specific Azure regions, allowing control over where the function code and data are processed. | |
| Data Residency & Sovereignty | Region Selection | True | Azure Virtual Machines can be deployed into specific Azure regions, allowing customers to control the geographic location of their VMs and associated data to meet data residency requirements. | |
| Data Residency & Sovereignty | Region Selection | True | Customers can choose the Azure region where their App Service plan will be deployed. | |
| Data Residency & Sovereignty | Region Selection | True | Azure Machine Learning workspaces and associated resources can be deployed to specific Azure regions, allowing for control over the location of data and models. | |
| Encryption | Encryption at Rest | True | Data on AKS nodes is encrypted at rest by default. Encryption of data in etcd can also be enabled. | |
| Encryption | Encryption at Rest | True | Content in App Service is stored in Azure Storage, which is encrypted at rest. | |
| Encryption | Encryption at Rest | True | Function code and settings stored in Azure Storage are encrypted at rest. Any data stored by the function in other services will inherit that service's encryption capabilities. | |
| Encryption | Encryption at Rest | True | Azure Disk Encryption allows for the encryption of OS and data disks for VMs at rest using Azure Key Vault for key management. Both platform-managed keys and customer-managed keys are supported. | |
| Encryption | Encryption at Rest | True | Data at rest, including models and training data, is encrypted by default. Customer-managed keys are also supported for enhanced control. | |
| Encryption | Encryption in Transit | True | Communication between AKS components is encrypted using TLS. Customers are responsible for encrypting traffic within the cluster. | |
| Encryption | Encryption in Transit | True | All HTTP-triggered functions have an HTTPS endpoint. Communication with other Azure services is also encrypted. | |
| Encryption | Encryption in Transit | True | Traffic between Azure data centers is encrypted. For connections to the VM, customers can configure SSL/TLS for their applications and use protocols like SSH or RDP for secure management. | Customer is responsible for configuring encryption within the VM's OS and applications. |
| Encryption | Encryption in Transit | True | App Service provides managed TLS certificates and supports custom certificates. HTTPS is enforced by default. | |
| Encryption | Encryption in Transit | True | All communication with Azure Machine Learning services is encrypted using TLS. | |
| Logging & Monitoring | Access Logging | True | Application Insights provides detailed logging of function executions and requests. | Requires integration with Application Insights. |
| Logging & Monitoring | Access Logging | True | Logging can be enabled to track requests to deployed models. | Requires configuration. |
| Logging & Monitoring | Access Logging | True | Guest-level logging and diagnostics can be configured to collect logs from within the VM. | Requires configuration. |
| Logging & Monitoring | Access Logging | True | Audit logs capture information about requests to the API server. | |
| Logging & Monitoring | Access Logging | True | Web server logs can be enabled to capture information about HTTP requests. | Requires enabling web server logging. |
| Logging & Monitoring | Audit Logging | True | Azure Activity Log tracks management operations on the App Service. | |
| Logging & Monitoring | Audit Logging | True | Azure Activity Log tracks management operations on the Azure Machine Learning workspace. | |
| Logging & Monitoring | Audit Logging | True | Azure Activity Log records all management operations performed on VMs. | |
| Logging & Monitoring | Audit Logging | True | AKS control plane logs, including audit logs, can be sent to Azure Monitor. | |
| Logging & Monitoring | Audit Logging | True | Azure Activity Log tracks management operations on the function app. | |
| Logging & Monitoring | Log Retention | True | Log retention policies can be configured in Application Insights and Log Analytics. | |
| Logging & Monitoring | Log Retention | True | Log Analytics workspaces allow for configurable log retention. | |
| Logging & Monitoring | Log Retention | True | Log retention can be configured in Log Analytics. | |
| Logging & Monitoring | Log Retention | True | Log Analytics workspaces in Azure Monitor allow for configurable log retention policies. | |
| Logging & Monitoring | Log Retention | True | Log retention can be configured in Log Analytics. | |
| Logging & Monitoring | Monitoring & Alerting | True | Azure Monitor and Application Insights provide comprehensive monitoring and alerting for Azure Functions. | |
| Logging & Monitoring | Monitoring & Alerting | True | Azure Monitor can be used to monitor metrics and set up alerts for Azure Machine Learning. | |
| Logging & Monitoring | Monitoring & Alerting | True | Azure Monitor provides comprehensive monitoring of VMs, including metrics, logs, and alerting capabilities. | |
| Logging & Monitoring | Monitoring & Alerting | True | Azure Monitor for containers provides comprehensive monitoring and alerting for AKS. | |
| Logging & Monitoring | Monitoring & Alerting | True | Azure Monitor and Application Insights provide comprehensive monitoring and alerting for App Service. | |
| Network Security | API Gateway Integration | True | Azure API Management can be used to manage and secure the endpoints of deployed machine learning models. | Indirectly. |
| Network Security | API Gateway Integration | True | Azure API Management and Application Gateway can be used as ingress controllers for AKS. | |
| Network Security | API Gateway Integration | True | Azure API Management can be used to manage and secure APIs hosted on Azure VMs. | Indirectly. |
| Network Security | API Gateway Integration | True | Azure Functions can be imported into Azure API Management to provide a full-featured API gateway. | |
| Network Security | API Gateway Integration | True | App Service can be integrated with Azure API Management. | |
| Network Security | DDoS Protection | True | Azure provides DDoS protection for the underlying infrastructure. | Inherited from the Azure platform. |
| Network Security | DDoS Protection | True | Azure provides DDoS protection for the underlying infrastructure. | Inherited from the Azure platform. |
| Network Security | DDoS Protection | True | Azure provides DDoS protection for the underlying infrastructure. | Inherited from the Azure platform. |
| Network Security | DDoS Protection | True | Azure provides basic DDoS protection for all services. Azure DDoS Protection Standard provides enhanced mitigation capabilities. | Basic protection is included; the Standard tier offers more features. |
| Network Security | DDoS Protection | True | Azure provides DDoS protection for the underlying infrastructure. | Inherited from the Azure platform. |
| Network Security | Firewall Rules | True | Access restrictions can be configured to limit access based on IP address. | |
| Network Security | Firewall Rules | True | Network policies can be used to control traffic between pods. NSGs can be used to control traffic to and from the cluster. | |
| Network Security | Firewall Rules | True | Network Security Groups (NSGs) act as a stateful firewall to control inbound and outbound traffic to VMs. | |
| Network Security | Firewall Rules | True | Access restrictions can be configured to limit which IP addresses can access a function app. | |
| Network Security | Firewall Rules | True | NSGs can be used to control traffic to and from the VNet where Azure Machine Learning is deployed. | |
| Network Security | Private Access | True | Private endpoints and VNet integration can be used to secure access to App Service. | |
| Network Security | Private Access | True | Private AKS clusters can be created, where the API server is only accessible from within a VNet. | |
| Network Security | Private Access | True | Azure VMs can be deployed within a Virtual Network (VNet), isolating them from the public internet. Azure Private Link can be used for private access to other Azure services. | |
| Network Security | Private Access | True | Azure Functions can be integrated with VNets, and private endpoints can be used to invoke functions privately. | Available in Premium and Dedicated plans. |
| Network Security | Private Access | True | Azure Machine Learning workspaces can be secured within a VNet, and Private Link can be used for private access. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | The Azure REST API follows Microsoft's SDL. | Applies to the Azure management API. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | The Azure REST API follows Microsoft's SDL. | Applies to the Azure management API. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | The Azure REST API follows Microsoft's SDL. | Applies to the Azure management API. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | The Azure REST API follows Microsoft's SDL. | Applies to the Azure management API. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | The Azure REST API follows Microsoft's Secure Development Lifecycle (SDL) and is designed with security in mind. | Applies to the Azure management API. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Microsoft performs security testing and code reviews of the Azure platform. | Applies to the Azure platform. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Microsoft performs security testing and code reviews of the Azure platform. Customers are responsible for the security of their own code. | Applies to the Azure platform. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Microsoft performs security testing and code reviews of the Azure platform. | Applies to the Azure platform. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Microsoft performs security testing and code reviews of the Azure platform. Customers are responsible for the security of their own function code. | Applies to the Azure platform. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Microsoft performs rigorous security testing and code reviews of the Azure platform. Customers are responsible for the security of their own code running on the VMs. | Applies to the Azure platform. |
| Vulnerability Management & Patching | Security Updates | True | Microsoft is responsible for patching the Azure Machine Learning service. | Microsoft manages the underlying infrastructure. |
| Vulnerability Management & Patching | Security Updates | True | Microsoft is responsible for patching the Functions runtime and the underlying OS. | Microsoft manages the runtime and underlying infrastructure. |
| Vulnerability Management & Patching | Security Updates | True | Microsoft patches the AKS control plane. Customers are responsible for upgrading the node images to get the latest security patches. | Microsoft manages the control plane. Customer is responsible for upgrading the nodes. |
| Vulnerability Management & Patching | Security Updates | True | Microsoft is responsible for patching the underlying infrastructure. Customers are responsible for patching the guest OS and applications running on the VM. | Customer is responsible for patching the guest OS and applications. |
| Vulnerability Management & Patching | Security Updates | True | Microsoft is responsible for patching the App Service platform. | Microsoft manages the platform. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Microsoft performs regular vulnerability scanning of the Azure platform. | Microsoft manages the underlying infrastructure. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Microsoft performs vulnerability scanning of the Azure platform. | Microsoft manages the platform. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Microsoft Defender for Containers provides vulnerability scanning for container images. | Requires enabling Microsoft Defender for Containers. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Microsoft Defender for Cloud provides vulnerability scanning and management for VMs. | Requires enabling Microsoft Defender for Cloud. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Microsoft performs vulnerability scanning of the Azure platform. | Microsoft manages the platform. |