Some of the biggest concerns that customers have when deciding on a cloud provider are whether their data is safe, whether the privacy of their data will be protected, whether Microsoft will be transparent about how and when their data will be accessed, and which compliance standards Microsoft adheres to. These are always top of the list when having a conversation with a customer about moving or deploying workloads into Azure. Most customers feel their data is better protected behind their own firewall, as they have total control. Microsoft has implemented software development with enhanced security, operational management, and threat mitigation practices, helping them to deliver services that achieve higher levels of security, privacy, and compliance than most customers could achieve on their own. Anyone who has undergone compliance audits knows the complexity and cost of doing this. Microsoft is working hard to earn your trust and has made a big investment in the foundation of security, privacy, transparency, and compliance across Azure and its datacenters.
This all sounds good, but does Microsoft just expect you to trust what you hear? Of course not, hence the Microsoft Azure Trust Center. This is one of the first sites I point a customer to when discussing security and compliance within Azure. This is no different than placing your money in a bank, buying a home, or a new car. You don’t just trust what they tell you, do you? I hope not. If you are like me, you want to see it in writing somewhere. Any customer looking to utilize Azure should be familiar with the Microsoft Azure Trust Center. There is a lot of information published here, which can make it overwhelming for customers to sift through. I have spent many hours helping with audits, and my intent with this post is to make this a little easier for you to understand and to provide a place that you and your customers can reference as well.
Security
Today, customers are more focused on building security and value into their applications rather than their infrastructure. This is where Cloud Computing comes in to shift some of the complexities of managing such an infrastructure. This allows the customer to move from a CAPEX spending model to an OPEX model. With that comes the concern around security, as you are shifting some of that risk to a cloud provider such as Microsoft. Does this mean we no longer need to be concerned about security? Not at all. We just need to look at it from a different perspective. We can now leverage Microsoft’s experience as a result of comprehensive planning, innovative design, and efficient operations to ensure our data is safe. So how is this done?
The Microsoft Cloud is protected at the physical, network, host, application, and data layers so that our online services are resilient to attack. This is done through continuous proactive monitoring, penetration testing, and the application of security guidelines and operational processes mentioned below.
Security design and operations
- Microsoft designs its software for security from the ground up and helps ensure that the cloud infrastructure is resilient to attack.
- Microsoft deploys combinations of preventive, defensive, and reactive controls including multi-factor authentication (MFA), detection of malicious activity, and multiple levels of monitoring, logging, and reporting.
- Microsoft conducts background verification checks of certain operations personnel and limits access based on level of verification.
- Microsoft uses an “assume breach” strategy with internal security teams to simulate attacks which allows them to stay ahead of emerging threats.
- Microsoft has a global, 24×7 incident response service that works to mitigate the effects of attacks and malicious activity.
Infrastructure protection
- Azure runs in geo-distributed Microsoft facilities that run 24x7x365 and employs various measures to help protect operations from power failure, physical intrusion, and network outages.
- Datacenters comply with industry standards (ISO 27001) for physical security and availability.
- Managed, monitored, and administered by Microsoft operations personnel.
- Centralized monitoring provides continuous visibility and timely alerts to the teams that manage the services.
- Perimeter security includes staff, facility setback requirements, barriers and fencing.
- Buildings incorporate alarms, operations center, seismic bracing, and cameras.
- Computer rooms require MFA, cameras, and days of backup power.
- Azure uses integrated deployment systems to manage the distribution and installation of security updates for Microsoft software.
- Azure software components must go through a virus scan prior to deployment.
- Microsoft conducts regular penetration testing to improve Azure security controls and processes.
- Azure has a defense system against Distributed Denial-of-Service (DDoS) attacks on Azure platform services.
Note: Customers are allowed to carry out pen testing of their own applications as long as they agree to the terms and notify Microsoft beforehand. Check out the Penetration testing overview page for more info.
Network protection
An important concept to understand is that in the cloud service model, the responsibilities for network protection and management are shared between the cloud provider and the customer. Customers do not have physical access, but they implement the logical equivalent within their cloud environment through tools such as Guest operating system (OS) firewalls, Virtual Network Gateway configuration, and Virtual Private Networks.
- Azure uses logical isolation to segregate each customer’s data from that of others.
- Within a virtual network, resources can communicate through private IP addresses. Each virtual network is isolated from other virtual networks.
- Microsoft enables connections from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to-Site VPNs.
- For better performance, customers can use an optional ExpressRoute, a private fiber link into Azure data centers that keeps their traffic off the Internet.
- Built-in cryptographic technology enables customers to encrypt communications within and between deployments, between Azure regions, and from Azure to on-premises data centers.
Data protection
Azure allows customers to encrypt data and manage keys, and safeguards customer data for applications, platform, system and storage using three specific methods: encryption, segregation, and destruction.
- Azure is a multitenant service, meaning each customer has data isolation.
- Data protection at rest is obtained through a wide range of encryption capabilities.
- Azure Key Vault helps streamline key management and maintain control of keys.
- Azure uses industry standard transport protocols such as TLS between devices and Microsoft datacenters, and within datacenters themselves.
- Customers can encrypt data in storage and in transit to align with best practices for protecting confidentiality and data integrity.
- Data may be replicated within a selected geographic area for redundancy.
- Microsoft follows strict standards for overwriting storage resources before reuse.
Identity and Access
Microsoft has strict controls that restrict access to Azure by Microsoft employees. Azure also enables customers to control access to their environments, data and applications through Azure AD. Azure Active Directory is a comprehensive identity and access management solution in the cloud. Microsoft Azure provides MFA that delivers strong authentication through a range of easy verification options: phone call, text message, or mobile app. In addition, security reports are used to monitor access patterns and to proactively identify and mitigate potential threats.
Privacy
Customers will only use cloud providers they trust to protect the privacy of their information and to use their data in a manner consistent with their expectations. Listed below are a few of the operational practices adhered to by Microsoft.
You own your data
Microsoft believes that when a customer utilizes Azure, they retain exclusive ownership of their data. Microsoft defines customer data as “all data, including all text, sound, video or image files, and software that are provided to Microsoft by, or on behalf of, Customer through use of the Online Service.” Customers can access their own customer data at any time and for any reason without assistance from Microsoft.
Control over data location
Most Azure services permit customers to specify the particular geography where their data will be stored. Data may be replicated within a selected geographic area for redundancy, but will not be replicated outside it.
Encrypted data
To ensure control over encrypted data, customers have the option to generate and manage their own encryption keys, and determine who is authorized to use them. They also have the option to revoke Microsoft’s copy of their encryption key, although this may limit Microsoft’s ability to troubleshoot or repair problems and security threats.
Access Control
Microsoft provides an approach allowing customers to restrict system access to authorized users based on role assignment, role authorization, and permission authorization. Tools in multiple Microsoft cloud services support authorization based on a user’s role, simplifying access control across defined groups of users.
Data Destruction
When customers delete data or leave a Microsoft cloud service, Microsoft follows standards for overwriting storage resources before reuse, as well as physical destruction of decommissioned hardware, including deletion of data and the destruction of storage hardware.
Click here for additional info on Privacy.
Transparency
As customers decide to move their data to the cloud, they need to understand how their data is being handled. Customers expect full disclosure as to the policies and procedures that are in place to protect the storage of their data as well as who has access to it. Microsoft understands this and provides full transparency via third-party audit reports and certifications.
How Microsoft helps secure your data
Microsoft builds security into software code using the Security Development Lifecycle. This company-wide, mandatory development process embeds security requirements into the entire software lifecycle, from planning through deployment.
Where your data is stored and used
Microsoft gives customers visibility into where their data is stored across a number of global datacenters. Microsoft will not use customer data for advertising purposes. Upon cancellation of their subscription, customers will be able to extract their data, at which point Microsoft will follow strict standards for removing any data from its systems.
Who has access to your data
Microsoft will never disclose Azure customer data to a government or law enforcement agency except as directed by the customer or where required by law. Microsoft engineers are granted access, under management oversight, only when necessary. That access is carefully controlled and logged, and revoked as soon as it is no longer needed. Microsoft regularly publishes a Law Enforcement Requests Report that discloses the scope and number of government requests received. This report can be found at the Microsoft Transparency Hub.
Click here for additional info on transparency.
Compliance
Azure meets a broad set of international and industry-specific compliance standards, as well as country-specific standards. Microsoft uses third-party auditors to ensure that Azure is following the strict standards mandated around security and privacy. As previously mentioned, you may want to verify these security controls. Microsoft allows you to request these audit reports and compliance packages. You can also request detailed audit results from the certifying third parties or through your Microsoft account representative. These reports can be accessed through the Microsoft Cloud Service Trust Portal. Here you will see Compliance Reports and Trust Documents based on industry and region. Customers with active subscriptions to Office 365 for Business, Dynamics CRM Online, and Microsoft Azure Active Directory accounts can access the portal directly. Those who do not will be required to sign up and enable Azure AD.
Depending on the certification that your company must comply with, be it national, regional, or industry-specific, Microsoft offers an abundance of certifications and attestations. You may ask, how are these kept up to date? Microsoft has a team of experts who work with the engineering, operations, and regulatory bodies to track standards and regulations to ensure these controls are built into existing and new services. At the time of this writing there are a total of 43 certifications and growing.
Here is a list of the top security certifications. Click here for a complete list of security certifications and more info.
Summary
Security concerns can prevent a customer from moving into the cloud. Microsoft understands this and is making every effort to be transparent and provide access to resources such as audit reports to ensure its customers have the utmost confidence in its ability to protect customers’ data. Microsoft is working hard to earn your trust. You can feel confident when moving to the cloud with Microsoft.