I gave a presentation about Windows Azure the other day, and got some great questions that I would like to address with this blog post. Here they are in no particular order, with some answers I hope are useful to you:
“We have multiple Operating Companies who may want to leverage the features of Windows Azure. Is it recommended to set up a separate Windows Azure tenant for each Operating Company or Unit?”
This is an interesting operations question. I have worked with customers with separate, independent organizational structures. Some of these firms converged, others diverged, while some stayed as they were. Each situation has its own set of operational challenges. I am a big fan of simplicity, so I am naturally inclined to say use a single subscription if possible. There are some efficiencies you gain by having a single subscription – billing simplicity, a single point of administration, technology solution simplicity, intra- versus inter-network performance and so on. From these broader advantages, you might start to recognize indirect benefits – sharing customized gold VM images across organizational departments/divisions, using the cloud as a model of security identity consolidation (especially if this is something that is likely to happen with on-premises directory deployments later on), connecting resources and merging data together from these operating units, etc.
However, there might be legal/regulatory/policy reasons for keeping individual subscriptions for each operating unit of the organization. For example, you might have two operating units in different countries, each with data and assets that should be kept physically separate as much as possible, from a legal and regulatory perspective. Check with the Legal/Policy department. Another reason is billing. If invoices are not handled by a single entity within the organization, it might be necessary to have separate subscriptions, so that you can bill each organization appropriately. Whether you use a single subscription or multiple subscriptions, I think you should have at least one person who has administrative access to all subscriptions and an organization-wide view of how Windows Azure is being utilized.
“What about HIPAA compliance?”
Specific Windows Azure features [Virtual Machines, Cloud Services, Storage – Tables, Blobs, Queues, and Drives – and Networking] are covered by the HIPAA BAA [Business Associate Agreement], an offering Microsoft provides to organizations that have Enterprise Agreements with them. Not all Windows Azure features are covered [for example, Media Services], but that might change in the future as Microsoft works to expand coverage to its growing portfolio of Windows Azure services. If you are interested in Windows Azure and you belong to an organization that deals with PHI data, contact your Microsoft Account Manager to make sure that Windows Azure covers your specific needs.
Windows Azure also meets other data protection and privacy requirements: ISO/IEC 27001:2005 Audit and Certification, SOC 1 and SOC 2 SSAE 16/ISAE 3402 Attestation, Cloud Security Alliance Cloud Controls Matrix, and Federal Risk and Authorization Management Program (FedRAMP). For more information, please review Microsoft’s Windows Azure Trust Center Compliance Page.
“Does it mean multiple customers share one VM for the free and shared model?”
Let’s start with some background to this question: the Windows Azure Web Sites feature is a PaaS [Platform-as-a-Service] offering from Microsoft that currently comes in three flavors: Free [host up to ten sites], Shared and Standard. Both Free and Shared modes share the same architecture, and this architecture does host multiple website instances for various subscribers/Windows Azure customers using a Shared VM approach. To get dedicated VMs for your applications, you would have to deploy your web site to the Windows Azure Web Sites Standard model. Each model suits different scenarios. For example, it might make sense for your organization to use the Free mode for your development environment, the Shared mode for QA and the dedicated mode for Production.
“Are the Server Platforms supported in Private Cloud Hosting?”
Again, some perspective with regard to this question: as of November 2013, Windows Azure Virtual Machines officially supports the following minimum platform versions – 64-bit versions of SQL Server 2008, SharePoint Server 2010, Team Foundation Server 2012, Project Server 2013, System Center 2012 SP1, HPC Pack 2012, BizTalk Server 2013, Dynamics GP 2013, Dynamics NAV 2013 and Forefront Identity Manager 2010 R2 SP1. That is not to say that you cannot install earlier versions of these platforms on Windows Azure VMs. However, even though such workloads install successfully, they will not be supported by Microsoft, which might be okay if you need to spin up a Development environment and don’t really require support from Microsoft.
This leads up to the original question, which is more about private clouds, and not public offerings like Windows Azure. Microsoft uses their own virtualization platform (Hyper-V) to run Windows Azure. As such, if you are running a Microsoft Hyper-V Virtualization Platform Private Cloud solution, the platforms listed above are supported as well, at a minimum. In fact, at the moment, on-premises Private Cloud Hyper-V deployments support even more server platforms than Windows Azure currently does. If you are using VMware or open source products instead, you will need to check with your vendor to ensure that your workload will be supported if it is virtualized on their platform.
For more information, take a look at the following: Hyper-V Supported Virtual Machines and Guest Operating Systems, Microsoft Server Software and Supported Virtualization Environments, and Microsoft Server Software Support for Windows Azure Virtual Machines.