MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Any Compliance information around Azure Managed Instance? #21565

Closed Anmolgan81 closed 5 years ago

Anmolgan81 commented 5 years ago

Can anyone tell me if there is any information around FedRAMP compliance if we talk about the Azure SQL Managed Instance? We are unable to find any information on that. If this is something similar to Azure SQL Database then we need to verify that first.



Mike-Ubezzi-MSFT commented 5 years ago

@Anmolgan81 Thank you for your interest in Azure cloud services. Please review the following document as it relates to FedRAMP compliance: Federal Risk and Authorization Management Program (FedRAMP). To be compliant you will need to deploy services to Microsoft's government cloud: Azure Government. In looking through the Azure Government docs, it does not appear that SQL Managed Instance is available at this time: Azure Government Databases. Please let us know if you have additional questions.

Anmolgan81 commented 5 years ago

@Mike-Ubezzi-MSFT I have a customer who wants to be compliant for FedRAMP for Public and Government. It's understandable that SQL Managed Instance is not available for government, but there has to be some blueprint or something for public environment.

Mike-Ubezzi-MSFT commented 5 years ago

@Anmolgan81 Let me raise this to the product group outside the normal process, as it is unique. Thank you.

Anmolgan81 commented 5 years ago

ok thanks @Mike-Ubezzi-MSFT

Anmolgan81 commented 5 years ago

Hi @Mike-Ubezzi-MSFT did you hear back from the product group?

Mike-Ubezzi-MSFT commented 5 years ago

@Anmolgan81 I have not heard anything back but today is the first full week with most everyone returning from the holiday. In the meantime, can you create an entry in the Azure SQL User Voice as there is currently no related entry at this time. I hope to hear back in the next couple days.

Anmolgan81 commented 5 years ago

I have created a SQL user voice and it can be found here https://feedback.azure.com/forums/34192--general-feedback/suggestions/36465118-azure-sql-managed-instance-fedramp-compliance-cont

CarlRabeler commented 5 years ago

@Mike-Ubezzi-MSFT I have also raised this issue with the security team

Anmolgan81 commented 5 years ago

Hi @Mike-Ubezzi-MSFT @CarlRabeler Any updates on the FedRAMP compliance from the PG team?

CarlRabeler commented 5 years ago

No, not yet.

Anmolgan81 commented 5 years ago

Any updates on this?

Mike-Ubezzi-MSFT commented 5 years ago

@Anmolgan81 It looks like Managed Instance in the Federal space will be in Public Preview late summer or early Fall (late Q1/early Q2 CY2019). Additional information might become available as this ask is making rounds to all the important product groups. Thank you for your persistence and continued patience.

Anmolgan81 commented 5 years ago

Hi Mike, thanks for the information, we will keep on reviewing this thread for additional information.

Regards Anmol Ganju

Mike-Ubezzi-MSFT commented 5 years ago

@Anmolgan81 Given that we have provided you an initial timeframe for this, we will close this but we can still continue the dialog. You and others can still comment and ask questions and we will respond but, for the purposes of tracking this as an open issue, we need to close this to stop the clock in terms of metrics. Thank you for your understanding.

Mike-Ubezzi-MSFT commented 5 years ago

@Anmolgan81 I have some additional details to provide you but wanted to know if you are specifically looking for the Managed Instance in government cloud? I have a document to send you. Can you send an email to AzCommunity at Microsoft.com referencing this issue and I will send you that document:

It depends what level of FedRAMP compliance the customer is looking for. All of our ring 0 production services in the public cloud (which include Azure SQL DB and Azure SQL DB Managed Instance) are FedRAMP compliant at the FedRAMP medium (moderate) level. See attached.

I need to get you see attached. Thanks!

Anmolgan81 commented 5 years ago

Hi @Mike-Ubezzi-MSFT I have just mailed azcommunity@microsoft.com an email around the information for Azure Managed Instance for public and government cloud. Do let us know if you can send me that documentation.

Anmolgan81 commented 5 years ago

Hi @Mike-Ubezzi-MSFT Thanks for the documentation. I couldn't find any description for Azure Managed Instance in the public cloud. What I am looking for is the controls that are necessary to implement on the Azure Managed Instance and the Azure security services that are related to it. If there is documentation around this mechanism representing controls and necessary steps to implement the same in the Azure Managed Instance then that will be really helpful for me and the customer.

Anmolgan81 commented 5 years ago

I am specifically looking for FedRAMP compliance details around SQL Managed Instance for Azure public. Since Azure Managed Instance is not available in Azure Government, we will not consider it for now, but we will be looking into the documentation for SQL Managed Instance for Azure public.

Mike-Ubezzi-MSFT commented 5 years ago

@Anmolgan81 Can you provide more specific details around controls? In looking at the FedRAMP website, there are a ton of details such as the FedRAMP Security Controls Baseline, and there is the Security Assessment Framework. If you could be very specific about what you need in the Azure Public Cloud edition of the SQL Managed Instance service offering, that would help identify the areas where we currently meet the requirements and the areas where we currently do not.

Mike-Ubezzi-MSFT commented 5 years ago

@Anmolgan81 In the FedRAMP Security Controls Baseline .xlsx spreadsheet (referenced above), there are High, Moderate, and Low (tabs) control specification as per the FedRAMP program. You will need to look through this spreadsheet to ensure your customer's requirements are met. As for the other controls, the Security Assessment Framework .pdf document has additional items, however, they are more at the FedRAMP program level but still, they are program level controls and might apply to your project.

Anmolgan81 commented 5 years ago

Hi @Mike-Ubezzi-MSFT we are looking for control details on FedRAMP High and FedRAMP Medium. We are not sure what controls are related to Azure SQL Managed Instance. As of now we need some details about different controls that are related to various Azure SQL Managed Instance security services like SQL Auditing, Data Masking, Transparent Data Encryption, Azure AD Authentication, Azure AD Logins, and Threat detection. If you have details around different controls that are applicable to the above services, that will be helpful.

Anmolgan81 commented 5 years ago

@Mike-Ubezzi-MSFT is the High, Medium compliance information for Azure SQL Database and Managed Instance the same as you have stated in the above posts?

"All of our ring 0 production services in the public cloud (which include Azure SQL DB and Azure SQL DB Managed Instance) are FedRAMP compliant at the FedRAMP medium (moderate) level. See attached."

Is that written anywhere for azure public azure managed instance compliance pages?

Mike-Ubezzi-MSFT commented 5 years ago

@Anmolgan81 Azure SQL services in public cloud comply with the Moderate Baseline controls.

Anmolgan81 commented 5 years ago

@Mike-Ubezzi-MSFT Thanks for the information.

sdecker commented 5 years ago

@Mike-Ubezzi-MSFT I'm the customer Anmol has been asking for. We currently run our SaaS offering on Azure Government using SQL in VMs. We have various findings related to the CIS and STIG SQL 2016 DB compliance baselines. We are looking to move to a mix of Azure SQL and Managed Instances to resolve the compliance findings. We understand that MI is not in Azure Government yet, but we need to ensure we implement whatever necessary extra controls are required. For example even though SQL Azure complies with Moderate Baseline controls we as an end user my enable the audit log functionality. Since MI provides even more access to functionality like Linked Servers I would expect more to fall to our responsibility. We are looking for this information to be shared before GA so we can plan our work.

Anmolgan81 commented 5 years ago

Hi @Mike-Ubezzi-MSFT Can we reopen this post, and help the customer on the requirements?

CarlRabeler commented 5 years ago

@bonova @jovanpop-msft could you look at this thread?

Mike-Ubezzi-MSFT commented 5 years ago

@sdecker @Anmolgan81 I highly suggest this activity engage a Microsoft Consultant or a member of the SQL product team directly, as this is beyond the scope of this documentation channel. If you look at this: FedRAMP Program Documents, which opens an Excel spreadsheet, click on moderate baseline controls, there are the items SQL Managed Instance complies with.


Per the product group:

All of our ring 0 production services in the public cloud (which include Azure SQL DB and Azure SQL DB Managed Instance) are FedRAMP compliant at the FedRAMP medium (moderate) level.

It appears that a line by line analysis needs to take place to ensure the items covered in the moderate baseline controls meet or do not meet your requirements.

I will assign to the content owner for these details to be added to the documentation.

CarlRabeler commented 5 years ago

Azure SQL Database (all deployment options) is compliant with FedRAMP and other compliance standards - for more information, see https://www.microsoft.com/en-us/TrustCenter/Compliance/FedRAMP and https://gallery.technet.microsoft.com/Overview-of-Azure-c1be3942

CarlRabeler commented 5 years ago

Adding notes to 4 topics pointing specifically to the compliance pages. @Mike-Ubezzi-MSFT please close

Mike-Ubezzi-MSFT commented 5 years ago

We will now proceed to close this thread. If there are further questions regarding this matter, please comment and we will gladly continue the discussion.