Microsoft takes strong measures to help protect data from unauthorized access. This means the data organizations create is secured from inappropriate use, and the organization remains the only one that owns the data and controls where it is stored.
Nevertheless, data storage can get complicated for organizations that operate globally. For this reason, Microsoft offers multiple services across the globe, with different locations where organizations can store and control their data.
With this in mind, let’s have a quick look at how they offer these locations worldwide.
The first one to mention would be Azure Data Centers, which are physical locations where the data center has its own independent networking, cooling, and power. Essentially, these large buildings contain all the hardware and infrastructure for reliable, high-quality data storage.
Azure Data Centers are organized in availability zones so that several data centers can be within the same availability zone. Several availability zones form an Azure Region – a set of data centers deployed within a latency-defined perimeter and connected through a low-latency network.
Next comes Azure Geography – an area in the world with at least one Azure Region. It defines discrete markets that preserve data residency and compliance boundaries. Geographies allow customers with specific data residency and compliance needs to keep data and applications close to each other.
Geographies are fault tolerant to withstand a complete region failure through their connection to Azure dedicated high-capacity network infrastructure.
Region Pairing, Region Services and Zonal Service
There are some other concepts that we want to highlight, which are good to know in relation to Finance and Operations.
We utilize region pairing to make our services reliable and protect against regionwide incidents. Pairings are predefined and cannot be overridden. Such a strategy is called cross-region or paired region.
Having said that, Finance & Operations apps are considered regional services, meaning all the components and services run within a single region. By comparison, services such as Azure DevOps or Azure Active Directory are non-regional and run across multiple regions, fully transparent to you as a user.
One final term that could be useful is Zonal Service – a service ensured to run within an availability zone. This is completely managed to ensure the best available option for a product, as it provides even more stringent latency and performance.
Enabling Data Residency & Data Protection in Azure
Next, we want to share some good locations for you to discover more information when you need it.
The first is a white paper written by Christoph Siegert, Debra Shinder, and David Burt, covering data residency and protection in Azure. This is not a Dynamics 365-specific white paper but covers Azure in general. It is pretty common for Dynamics 365 implementations to include several different Azure cloud services, so taking a holistic view is strongly recommended.
The white paper has information on how customers can control data residency, how Microsoft protects customers from unauthorized access, and how Microsoft challenges government requests and third-party orders. It also talks about Microsoft's approach to compliance with privacy regulations and standards for protecting customer data.
The second white paper we want to call out is the one that covers what Microsoft does to ensure resiliency for the services that are provided, and this one is called Azure Resiliency: business continuity and disaster recovery.
It has information on what we do to maintain a strong service level agreement for uptime and the measures to be taken to meet business requirements for recovery time objectives, time to recovery, and failures. It is a good document for organizations planning to move their applications from on-premises to the cloud and to understand how resilience is designed into the Azure Well-Architected Framework.
Regional and Non-Regional Services
We have already mentioned in the Azure terminology section that Microsoft has some services that will be regional while others will be non-regional. This means we may copy the data used between regions inside the selected geography.
One example is the geography of Europe, where data is copied between West Europe (with data center in the Netherlands) and North Europe (with data center in Ireland).
Data Residency in Azure sheds light on various geographies so that you better understand their data residency boundaries. It also shows you a list of the regional and non-regional services.
Scoping Data Protection Requirements Example
As you begin analyzing and assessing what data you need to protect in the cloud, you might consider that the data can be grouped into different protection classifications. This is important so that you do not pick the same protection strategy for all the data but decide it in a way that makes sense and has the correct scope.
If you select the same strict and stringent protection classification for all the data, you might not best utilize the services, and this can easily become an unnecessary blocker for your deployment in the cloud. Think about it: you will have some data you can store for general purposes and still be within compliance with applicable regulations.
Then, you might have some data that requires additional protection and an additional level of security if it needs to be stored outside of these defined boundaries.
And, in some rare cases, there are very strict regulations on very specific kinds of data – we call them sacred data. You can think of it as highly sensitive data that simply cannot leave the geographic boundaries, not even the backup of this data.
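The three classifications above can be turned into a residency check over a data-store inventory. The following is an added example, not taken from the article or from Microsoft: the tier labels, the `extra_protection` flag, the sample inventory and the `eastus` entry are assumptions, and only the West Europe / North Europe pair inside the Europe geography comes from the text.

```python
from dataclasses import dataclass
from typing import Optional

# Region -> geography. West/North Europe are the pair named in the article;
# "eastus" is added here only so the sample has a cross-geography case.
GEOGRAPHY = {"westeurope": "Europe", "northeurope": "Europe",
             "eastus": "United States"}

@dataclass
class DataStore:
    name: str
    tier: str                         # "general" | "protected" | "sacred" (assumed labels)
    region: str
    backup_region: Optional[str] = None
    extra_protection: bool = False    # assumed flag, e.g. additional encryption

def residency_findings(stores, home_geography):
    """Return (store, copy, reason) for every copy that breaks its tier's rule."""
    findings = []
    for s in stores:
        copies = [("primary", s.region)]
        if s.backup_region:
            copies.append(("backup", s.backup_region))
        for copy, region in copies:
            geo = GEOGRAPHY.get(region)
            if s.tier == "general":
                continue                      # may be stored anywhere
            if geo is None or s.tier not in ("protected", "sacred"):
                findings.append((s.name, copy, "unclassifiable"))  # fail closed
            elif geo != home_geography:
                if s.tier == "sacred":        # not even the backup may leave
                    findings.append((s.name, copy, "left-geography"))
                elif not s.extra_protection:
                    findings.append((s.name, copy, "unprotected-outside-geography"))
    return findings

# Constructed inventory, not real resources.
SAMPLE = [
    DataStore("marketing-assets", "general", "eastus"),
    DataStore("customer-ledger", "protected", "westeurope", "eastus"),
    DataStore("payroll", "protected", "westeurope", "eastus", extra_protection=True),
    DataStore("health-records", "sacred", "westeurope", "northeurope"),
    DataStore("citizen-ids", "sacred", "westeurope", "eastus"),
]

if __name__ == "__main__":
    for finding in residency_findings(SAMPLE, "Europe"):
        print(finding)
```

The sacred store backed up to North Europe passes because the copy stays inside the Europe geography, while the same tier backed up to another geography is flagged even though its primary copy is compliant.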