Azure manages Personally Identifiable Information (PII) in hosted ScanSearch by using a combination of robust security controls, data governance frameworks, and compliance with global data protection regulations. Here’s a detailed breakdown of how Azure handles PII:
1. Shared Responsibility Model
Azure operates on a shared responsibility model where both Microsoft and ScanSearch have defined roles in protecting data, including PII:
- Azure’s responsibilities include securing the underlying infrastructure (data centers, physical hardware, and the network).
- ScanSearch’s responsibilities include configuring and managing its hosted applications and data, including securing its own PII using Azure’s tools and features.
2. Data Encryption
Azure provides encryption for data both at rest and in transit, which is essential for protecting PII:
- Data at Rest: Azure ensures that all data stored in its services is encrypted by default. Azure Storage Service Encryption (SSE) automatically encrypts data stored in Azure Blob Storage, Azure Files, and other services. ScanSearch also uses Azure Key Vault to manage and control encryption keys, providing an additional layer of security by allowing ScanSearch to use its own encryption keys (BYOK - Bring Your Own Key).
- Data in Transit: PII is protected when it moves between systems using Transport Layer Security (TLS) 1.2+ for secure communication over the network. Azure also offers Azure VPN and ExpressRoute for customers who need private, encrypted communication channels for sensitive data.
3. Identity and Access Management
Azure uses Azure Active Directory (AAD) to control who has access to PII stored in hosted applications:
- Role-Based Access Control (RBAC): Through RBAC, ScanSearch and its customers can define roles and grant users the minimum necessary permissions to access data, ensuring that only authorized personnel can access PII.
- Multi-Factor Authentication (MFA): AAD allows administrators to enforce MFA, which adds another layer of security when accessing applications that store PII. MFA requires ScanSearch to provide multiple forms of verification, significantly reducing the risk of unauthorized access.
- Conditional Access: Azure provides Conditional Access policies, allowing ScanSearch to enforce rules such as requiring MFA when accessing data from untrusted networks or preventing access from certain locations.
- Privileged Identity Management (PIM): For accounts with elevated privileges (e.g., system administrators who can access PII), Azure provides PIM, which allows for just-in-time access and auditing of administrative actions.
4. Application-Level Security
Azure offers several tools and services to help developers and administrators secure the ScanSearch hosted application:
- Azure Security Center: This provides continuous security assessments and recommendations for securing the hosted ScanSearch application. It can detect vulnerabilities, including those that might expose PII.
- Secure DevOps: Azure provides a DevSecOps environment, incorporating security directly into the development process. ScanSearch developers can use Azure DevOps and GitHub for CI/CD pipelines, along with tools like Azure Static Web Apps and App Service to implement best practices for data security during the development lifecycle.
5. Database Security
For hosted databases that store PII, Azure offers a suite of features:
- Transparent Data Encryption (TDE): Available for Azure SQL Database and other Azure-managed databases, TDE automatically encrypts database files and backups.
- Always Encrypted: For highly sensitive data like PII, Azure SQL provides an “Always Encrypted” feature, which ensures that data is encrypted not only at rest and in transit but also when in use. The database can store the PII in encrypted form, while the encryption keys are held externally in Azure Key Vault.
- Advanced Threat Protection: This service offers anomaly detection, flagging unusual patterns that could indicate a breach or an attempt to access sensitive data like PII.
6. Network Security
Azure provides network isolation and advanced security features to protect PII from unauthorized access:
- Azure Virtual Network (VNet): ScanSearch has a secure, isolated network environment in Azure, where the hosted ScanSearch applications that handle PII are deployed. Network traffic is isolated, reducing exposure to external threats.
- Azure Firewall and Network Security Groups (NSGs): These tools help to control the traffic entering and exiting a VNet. Azure Firewall can block or allow specific traffic based on security rules, while NSGs act as a more granular filter, defining which traffic is allowed at the subnet or individual resource level.
- Web Application Firewall (WAF): For applications that expose PII via web interfaces, Azure’s WAF, part of Azure Front Door, helps protect against common web vulnerabilities like SQL injection or cross-site scripting (XSS) that could be used to access PII.
7. Monitoring, Auditing, and Logging
Azure provides ScanSearch with tools to monitor and audit the access and use of PII:
- Azure Monitor and Log Analytics: These services enable ScanSearch to log events and monitor activity across its Azure resources. This includes tracking who accessed PII, from where, and under what conditions.
- Azure Policy: ScanSearch can define and enforce policies that ensure that only approved resources can store PII. Azure Policy continuously evaluates resources against these policies, ensuring compliance.
- Microsoft Sentinel: This is Azure’s Security Information and Event Management (SIEM) system, which helps organizations detect, investigate, and respond to security incidents, including those involving PII.
8. Data Loss Prevention (DLP)
Azure integrates with Microsoft Information Protection (MIP), enabling ScanSearch to create Data Loss Prevention (DLP) policies. These policies prevent the accidental or unauthorized sharing of sensitive data like PII by monitoring its use and flow across services.
9. Compliance with Data Protection Laws
Azure is compliant with a wide range of global, regional, and industry-specific data protection regulations. Some key certifications include:
- General Data Protection Regulation (GDPR): Azure provides tools to help customers comply with GDPR requirements, such as managing the data subject’s rights, including the right to access and delete PII.
- Health Insurance Portability and Accountability Act (HIPAA): Azure provides tools for healthcare organizations to meet HIPAA requirements for securing PII related to health information.
- ISO/IEC 27001: Azure’s compliance with this international standard demonstrates its commitment to securing information assets, including PII.
10. Incident Response and Breach Management
Azure offers a suite of tools to respond to security incidents involving PII:
- Azure Security Center provides recommendations and alerts for securing resources that store PII.
- Azure’s Incident Response Playbooks: In the event of a breach, Azure provides guidance on how to respond, including how to notify affected parties and comply with breach notification requirements (e.g., GDPR’s 72-hour notification rule).