Simplifying compliance evidence management with Microsoft Azure confidential ledger

Microsoft is working with Microsoft Azure confidential ledger to create and pilot a centralized evidence store to streamline its Sarbanes Oxley (SOX) auditing needs.

The Microsoft Digital Employee Experience (MDEE) team is using Microsoft Azure confidential ledger to create a centralized evidence store to streamline auditing needs. This evidence store enables teams from across Microsoft to store records and data related to regulatory compliance in a single location. A single collection point simplifies evidence storage for developers and compliance managers, and it also provides a single access point for auditors.

Capturing evidence with Microsoft Azure confidential ledger

Microsoft Azure confidential ledger gives the team a head start on managing evidence records. Based on a permissioned blockchain model, Azure confidential ledger offers unique data-integrity advantages, including immutability, making the ledger append-only and tamper proof. This structure helps ensure that all records are kept intact.


The confidential ledger runs exclusively on hardware-backed secure enclaves, a heavily monitored and isolated runtime environment that keeps potential attacks at bay. No one is above the ledger, not even Microsoft. Azure confidential ledger runs on a minimal trusted computing base (TCB), which prevents access to the ledger service by developers, datacenter technicians, and cloud administrators.

Astha Sinha, a senior product manager for development experience, and Martin O’Flaherty, a principal PM manager, are helping Microsoft transform how it supports internal auditing processes.

Martin O’Flaherty is leading the implementation of Azure confidential ledger within MDEE. “In our environment, proving that some action occurred, or piece of data existed can be difficult, especially after some time has passed,” says O’Flaherty, a principal PM manager in MDEE. “The solutions we’re building around Azure confidential ledger provide an attested, reliable source of truth for our teams to use for compliance-related data.”

O’Flaherty stresses the importance of a centralized location for all users of compliance data. “Our engineers know where they need to store compliance data and our compliance managers have a single point of reference,” he says. “In addition, auditors have an attested, comprehensive data repository that they can use to observe and confirm compliance in whatever regulatory domain they’re investigating.”

Azure confidential ledger offers storage for a multitude of evidence types, including records related to business transactions, updates to trusted assets, administrative control changes, and operational and security events. All data entries can be verified for all user transactions through transaction-specific receipts. Tamper evidence is also available for server nodes and blocks stored on the decentralized ledger.


Evidence recorded in the Azure confidential ledger returns a tamper-proof signed receipt that can be referenced for auditing. This improves the evidence collection and verification process, thus increasing efficiency and allowing teams more valuable time to innovate. For the MDEE team and the auditors they support, Azure confidential ledger serves as a one-stop, centralized, and verifiable evidence store.

Tracking Sarbanes-Oxley compliance data in Microsoft Azure DevOps

The team in MDEE is currently implementing a solution for tracking Sarbanes-Oxley (SOX) compliance across Microsoft Azure DevOps environments. SOX compliance records are required for many operational and financial events. For example, the applications, services, and solutions that the Employee Experience team manages all have SOX-based requirements for change auditing.

Abarna Bose, a principal product manager, and Damon Gray, a principal group engineering manager, are helping Microsoft transform how it supports internal auditing processes.

“We use Azure DevOps for the majority of our application development,” says Damon Gray, a principal group engineering manager in MDEE. “Any changes made to our internal applications, services, and solutions are managed through Azure DevOps, so it’s a great place to start collecting the data necessary for SOX compliance. Azure confidential ledger provides a huge improvement over our previous methods for tracking this data.”

When SOX auditors audit changes in SOX-bound applications, they look for clear documentation of the required steps used to deploy changes to application code into the production environment. In the past, engineering teams created an email containing all the necessary deployment details, including service catalog information, build data, pull-request details, release notes, and release approval. The email was circulated to the engineering team, and an engineering manager validated all changes and marked the deployment for approval. After a formal email approval from the engineering manager was received, the release manager in the team took the deployment to production.


“With Azure confidential ledger, the manual nature of this process becomes automated and centralized,” says Bhavana Konchada, a senior software engineer in MDEE. “Potential for human error in the email-based processes is replaced by the consistency of proscribed automated processes. Data taken out of the Azure DevOps context via email in the previous processes remains intact in Azure DevOps and is sent directly to Azure confidential ledger.”

The solution can be customized to streamline other audit processes, such as HIPAA, CMMC, and other federal audits. “Azure confidential ledger being backed by blockchain technology makes it a preferable and trustworthy solution for auditors,” Konchada says.

Integrating Azure confidential ledger with Azure DevOps is a relatively straightforward process. The team uses a custom Azure DevOps pipeline task that is injected at the end of the release pipeline and carries the SOX-relevant data. When the release is triggered, Azure DevOps calls the custom task, which writes the data to Azure confidential ledger. Specifically, the data can include the change that was made, who made the change, when the change was made, and whether the change was approved.
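The following is an added example of what such an end-of-release task can look like; it is not MDEE's own task. It assembles a change-evidence record (what changed, who changed it, when, and whether it was approved) from the pipeline's environment, appends it to Azure confidential ledger, and then fetches the transaction receipt that the article describes as the auditor's tamper-evident proof. Assumptions: the Azure DevOps predefined variable names listed in `_VARIABLES` are available to the task, the SDK calls follow the `azure-confidentialledger` 1.x client together with `azure-identity`, the ledger URL has the form `https://<ledger-id>.confidential-ledger.azure.com`, and the `SAMPLE_ENV` values are constructed for illustration.

```python
"""Added example (not MDEE's pipeline task): build a SOX change-evidence record
from an Azure DevOps release step and append it to Azure confidential ledger."""
import json
import os
from datetime import datetime, timezone

# Azure DevOps predefined variables as exposed in a task's environment
# (assumption: the task runs in a release stage where these are set).
_VARIABLES = {
    "repository": "BUILD_REPOSITORY_NAME",
    "commit": "BUILD_SOURCEVERSION",
    "build_id": "BUILD_BUILDID",
    "requested_by": "BUILD_REQUESTEDFOR",
    "release_id": "RELEASE_RELEASEID",
    "release_name": "RELEASE_RELEASENAME",
    "deployed_by": "RELEASE_DEPLOYMENT_REQUESTEDFOR",
    "environment": "RELEASE_ENVIRONMENTNAME",
}

# Fields without which the entry is useless to a SOX auditor.
REQUIRED = ("repository", "commit", "build_id", "requested_by")

# Constructed sample environment, used only for the offline demo below.
SAMPLE_ENV = {
    "BUILD_REPOSITORY_NAME": "payroll-svc",
    "BUILD_SOURCEVERSION": "0123abcd",
    "BUILD_BUILDID": "4711",
    "BUILD_REQUESTEDFOR": "dev@example.com",
    "RELEASE_RELEASEID": "9",
    "RELEASE_RELEASENAME": "Release-9",
    "RELEASE_DEPLOYMENT_REQUESTEDFOR": "rm@example.com",
    "RELEASE_ENVIRONMENTNAME": "Production",
}


def build_evidence_record(env, approved_by=None, recorded_at=None):
    """Assemble the change-evidence record from the pipeline environment.
    Fails loudly (ValueError) when a required field is absent, so a
    misconfigured pipeline never writes a hollow entry to the ledger."""
    record = {field: env.get(var) for field, var in _VARIABLES.items()}
    missing = [f for f in REQUIRED if not record[f]]
    if missing:
        raise ValueError(f"missing SOX evidence fields: {missing}")
    record["approved_by"] = approved_by
    record["approved"] = approved_by is not None
    record["recorded_at"] = recorded_at or datetime.now(timezone.utc).isoformat()
    return record


def serialize_entry(record):
    """Canonical JSON (sorted keys, no whitespace) so the same record always
    yields the same bytes, which makes later comparison against the ledger
    contents straightforward."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def write_evidence(record, ledger_url, ledger_id, collection_id="sox-change-evidence"):
    """Append the record to the ledger and return (transaction_id, receipt).
    SDK imports are lazy so the record builder works without the SDK installed."""
    from azure.confidentialledger import ConfidentialLedgerClient
    from azure.confidentialledger.certificate import ConfidentialLedgerCertificateClient
    from azure.identity import DefaultAzureCredential

    # The ledger's TLS identity is issued by the ledger identity service, not a
    # public CA, so fetch it and pin it for this client.
    identity = ConfidentialLedgerCertificateClient().get_ledger_identity(ledger_id)
    cert_path = f"{ledger_id}_ledger.pem"
    with open(cert_path, "w") as f:
        f.write(identity["ledgerTlsCertificate"])

    client = ConfidentialLedgerClient(
        ledger_url, credential=DefaultAzureCredential(), ledger_certificate_path=cert_path
    )
    result = client.create_ledger_entry(
        entry={"contents": serialize_entry(record)}, collection_id=collection_id
    )
    tx_id = result["transactionId"]
    # The receipt is the ledger's signed proof that this transaction was committed;
    # keep it with the release so auditors can verify the entry independently later.
    receipt = client.begin_get_receipt(tx_id).result()
    return tx_id, receipt


def demo():
    """Offline demo: build a record from the constructed sample environment."""
    return build_evidence_record(SAMPLE_ENV, approved_by="mgr@example.com",
                                 recorded_at="2024-01-02T03:04:05+00:00")


if __name__ == "__main__":
    if "LEDGER_URL" in os.environ:  # real pipeline run
        rec = build_evidence_record(os.environ, approved_by=os.environ.get("SOX_APPROVER"))
        tx, receipt = write_evidence(rec, os.environ["LEDGER_URL"], os.environ["LEDGER_ID"])
        print("committed as", tx)
    else:
        print(serialize_entry(demo()))
```

In a real pipeline the approver identity would come from the release's approval data rather than a plain variable; the point of the record is that every field an auditor previously had to reconstruct from email is captured at deployment time and committed with a receipt.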

“Azure confidential ledger is perfect for use cases where critical metadata records must be stored in an unmodifiable, permanent state,” says Abarna Bose, a principal product manager who is responsible for SOX compliance standards in MDEE. “It’s an immutable store that our SOX auditors can consult with full confidence in its integrity and validity.”


Rob Beneson (left) is a partner director of software engineering leading the MDEE development team implementing the solution for tracking Sarbanes-Oxley (SOX) compliance across Microsoft Azure DevOps environments and Bhavana Konchada is a senior software engineer who conceptualized the project.

Bose underscores the importance of a centralized store when SOX-bound applications and services are scattered across different business groups and Azure DevOps accounts at Microsoft. “A central store like the one we’re using in Azure confidential ledger is invaluable. It infuses simplicity into an otherwise complicated and fragmented set of development environments,” she says.

Extending Microsoft Azure confidential ledger

O’Flaherty and his team are expanding the scope of their SOX compliance solution for Azure DevOps and are investigating other areas where Azure confidential ledger can be used to implement centralized compliance data management at Microsoft. His team has learned many lessons from their implementation.

“Ensuring the quality and integrity of compliance data isn’t easy in a large environment like ours,” says Astha Sinha, a senior product manager for developer experiences in MDEE. “The required information is always stored in many different locations, under the management of many different teams, and these locations are often difficult to catalog.”

Sinha and her team are using confidential ledger to make it easier for developers and auditors to track compliance in line with the development process, without extra work or processes piled on top. The solution is helping to build stronger trust within the regulatory compliance environment and providing a trustworthy source of compliance information that can be widely used.

Key Takeaways

Here are some insights we learned as we transformed our internal auditing processes:

  • Boosting productivity: Developing this solution will help ensure authenticity of evidence and reduce the amount of time spent authenticating and validating data.
  • Reinforcing trust in your organization: Driving this kind of transformation will allow you to build stronger customer relationships because you will be providing them with more trustworthy information.
