Microsoft Achieves First Native Cloud Data Management Capabilities Certification

(US and Canada) Microsoft just announced its successful completion of the Cloud Data Management Capabilities (CDMC) 14 Key Controls and Automations certification. The announcement was made by Mike Flasko, Microsoft’s Vice President and General Manager for Data Governance in a company blog.

The certification was conducted by Accenture and Avanade, and the 14 Key Controls and Automations are a part of the EDM Council’s Cloud Data Management Capabilities framework. It was formulated as a best practice to help all industries accelerate the migration of sensitive and non-sensitive data to the cloud.

“When we first joined the EDM Council’s CDMC Work Group in May 2020, Microsoft was at the beginning of its journey building out what is now known as Microsoft Purview, our unified data governance and compliance solution. We joined over 300 industry data thought leaders with representation from the world’s largest banks and technology companies to identify a control standard to keep data safe,” says Flasko.

“Across every industry, we’ve seen that clients who are capitalizing on data are driving innovation and competitive advantage. With the CDMC certification of Microsoft’s cloud platform, our clients will be able to leverage industry-leading governance best practices advanced by the EDM Council, and we will expand this to more organizations and achieve stronger business outcomes,” added Simon Thomas, Global Head of Data and AI, Avanade.

Microsoft’s certification allows client companies across all sectors to implement best practices within their operational environments and ensure that the 14 Key Controls will protect their sensitive data cross-jurisdiction and speed up their certification against the CDMC Key Controls.

“The Cloud Data Management Capabilities framework represents the best practices in data on cloud from a huge number of financial services companies and other leading data practitioners from across other industry groups. It is great to see Microsoft natively certifying its platform against CDMC key controls, automating the most important capabilities in data management, which will help accelerate the adoption of cloud services. We are excited by their continuing contributions to extend CDMC into new areas this year,” said Oli Bage, Co-chair of CDMC Work Group and Head of Architecture for Data and Analytics at the London Stock Exchange Group.

Sharing his views, EDM Council President John Bottega said, “Microsoft’s certification of the CDMC 14 Automated Key Controls is an impressive accomplishment because it marks the completion of a comprehensive, in-depth confirmation of their cloud leadership. Having its cloud platform independently certified will give Microsoft’s clients even greater confidence in accelerating their adoption of cloud and hybrid-cloud strategies with the assurance that their data is controlled and protected.”

The 14 Key Controls and Automations include:

Governance and accountability

1. Data Control Compliance must be monitored for all data assets containing sensitive data through metrics and automated notifications.

2. The Ownership field in a data catalog must be populated for all sensitive data or otherwise reported to a defined workflow.

3. A register of Authoritative Data Sources and Provisioning Points must be populated for all data assets containing sensitive data.

4. The Data Sovereignty and Cross-Border Movement of sensitive data must be recorded, auditable, and controlled according to defined policy.

Cataloging and classification

5. Cataloging must be automated for all data at the point of creation or ingestion, with consistency across all environments.

6. Classification must be automated for all data at the point of creation or ingestion and must always be on.

Accessibility and usage

7. Entitlements and Access for Sensitive Data must default to the creator and owner and access must be tracked for all sensitive data.

8. Data Consumption Purpose must be provided for all Data Sharing Agreements involving sensitive data.

Protection and privacy

9. Appropriate Security Controls must be enabled for sensitive data and evidence must be recorded.

10. Data Privacy Impact Assessments must be automatically triggered for all personal data according to its jurisdiction.

Data lifecycle

11. Data Quality Measurement must be enabled for sensitive data with metrics distributed when available.

12. Data Retention, Archiving, and Purging must be managed according to a defined retention schedule.

Data and technical architecture

13. Data Lineage information must be available for all sensitive data.

14. Cost Metrics directly associated with data use, storage, and movement must be available in the catalog.