Microsoft Azure Hosting Information
Azure is an ever-expanding set of cloud computing services that help organizations meet their business challenges. Azure gives customers the freedom to build, manage, and deploy applications on a massive, global network using their preferred tools and frameworks.
Security is a given in the cloud industry, and Azure take a proactive approach to security, compliance, and privacy.
Azure Compliance (English)
Azure Compliance (German)
Physical and Environmental Security
Microsoft datacenters have extensive layers of protection to reduce the risk of unauthorized physical access to datacenter resources. Microsoft designs, builds, and operates datacenters in a way that strictly controls physical access to the areas where customer data is stored. Microsoft has hundreds of Azure datacenters in 54 regions (as of 2019), and each of these has extensive multilayered protections to ensure unauthorized users cannot gain physical access to customer data. Layered physical security measures at Microsoft datacenters include access approval for the facility’s perimeter, the building’s perimeter, inside the building, on the datacenter floor. Physical security reviews of the facilities are conducted periodically to ensure the datacenters properly address Azure security requirements. Each facility is designed to run 24 hours a day, 365 days a year, and employs multiple layers of security measures to help protect operations from power failure, physical intrusion, and network outages. Perimeter: Security staff around the clock, facility setback requirements, fencing and other barriers, and continuous surveillance camera monitoring. Buildings: Alarms, seismic bracing, and security cameras, routine patrol of the datacenter by well-vetted and highly trained security personnel. Server facilities: Multifactor-authentication-based access controls that use biometrics and card readers, cameras, and backup power supplies. Datacenter floor: Full body metal detection screening and additional security scan, video monitoring, and restriction on allowed devices.
Azure provides the infrastructure to securely connect virtual machines (VMs) to one another and to connect on-premises datacenters with Azure VMs. The Azure infrastructure ensures that all infrastructure communications (for which Microsoft is responsible) that carry customer information are encrypted over the wire. Distributed denial-of-service (DDoS) protection at every Azure datacenter helps protect against even the largest of DDoS attacks seen on the internet today. Azure adheres to a rigorous set of security controls that govern operations and support. Microsoft deploys combinations of preventive, defensive, and reactive controls including the following mechanisms to help protect against unauthorized developer and administrative activity: Tight access controls on sensitive data, including a requirement for multifactor authentication, Combinations of controls that enhance independent detection of malicious activity, Multiple levels of monitoring, logging, and reporting, Just-in-time access, to minimize the number of people who have administrative privileges on a permanent or ongoing basis.
Azure offers protection for customer data both in transit and at rest, and supports encryption for data, files, applications, services, communications, and drives. Virtual machine encryption. You can encrypt Azure VMs using Azure Disk Encryption to protect the contents of both Windows and Linux VMs. This uses BitLocker for Windows and DM-Crypt for Linux to encrypt both the operating system volume and the data disks. Customer can encrypt data in storage and in transit to align with best practices for protecting the confidentiality and integrity of customer data. Azure supports various encryption models, including both client-side and server-side encryption.
Microsoft makes Azure security a priority at every step, including code development that follows the Security Development Lifecycle (SDL), a company-wide, mandatory process based on a rigorous set of security controls that govern operations, as well as robust incident response strategies. Operational Security Assurance (OSA) makes Microsoft business cloud services more resilient to attack by decreasing the amount of time needed to prevent, detect, and respond to real and potential internet-based security threats. Secure cloud solutions are the result of comprehensive planning, innovative design, and efficient operations. Microsoft makes security a priority at every step, and operational security best practices are integrated into every aspect of Azure. This includes implementing controls that restrict unauthorized access from Microsoft personnel and contractors.
Change management and test procedures are defined in internal Microsoft policies (e.g. Microsoft Azure Standard Operating Procedure: Hardware Change and Release Management (SOP ID: 24) and Microsoft Azure Standard Operating Procedure: Secure Development Lifecycle (SDL) (SOP ID: 15)).
For further information on Microsoft’s Standard Operating Procedures, click here.
Business Continuity Management
Azure offers resiliency for cloud-based applications and data by providing business continuity with High availability, Disaster recovery and Backup. Azure was the first cloud platform to provide a built-in backup and disaster recovery solution. Centralized monitoring, correlation, and analysis systems manage the large amount of information generated by devices within the Azure environment, providing continuous visibility and timely alerts to the teams that manage the service. Additional monitoring, logging, and reporting capabilities further enhance visibility. Site recovery and data backup are elements of a disaster recovery plan.
Incident Management Process
The guiding principle of Microsoft security strategy is to “assume breach.” The Microsoft global incident response team works around the clock to mitigate the effects of any attack and malicious activity against their cloud services. The goal of security incident management is to identify and remediate threats quickly, investigate thoroughly, and notify affected parties. The incident response team follows an established set of procedures for incident management, communication, and recovery. Azure Security Center provides a centralized, real-time monitoring view into the security state of customers hybrid cloud resources. Azure Security Center’s Investigation Path helps in identifying all the entities involved an attack, such as SQL injection, and quickly remediate against the attack.
“Security is everyone’s job.” Microsoft ensures everyone understands the attacker’s perspective, their goals, and the art of the possible attack. This will help capture the attention of everyone and raise the collective knowledge bar. Microsoft Developers, service engineers, and product managers understand security basics and know how to build security into software and services to make products more secure while still addressing business needs and delivering user value. Effective training complement and re-enforce security policies, OSA practices, standards, and security requirements and be guided by insights derived through data or newly available technical capabilities.
Microsoft has strict controls that restrict access to Azure by Microsoft personnel. Microsoft personnel do not have default access to cloud customer data. Azure manages and controls identity and user access to enterprise environments, data, and applications by federating user identities to Azure Active Directory and enabling multifactor authentication for more secure sign-in. Microsoft uses stringent identity management and access controls to limit data and systems access to those with a genuine business need (least-privileged). Azure enables access to environments, data, and applications to authorized users based on role assignment, role authorization, and permission authorization. Microsoft also conducts background verification checks of operations personnel and limits access to applications, systems, and network infrastructure in proportion to the level of background verification.
Safeguards for potential data transfer (Art. 44 GDPR)
EU Standard contractual clauses (controller to processor)
This information is provided by third parties. Tivian does not take responsibility for any error or misrepresentations.
Last updated January 2022.