Microsoft Azure is an open and flexible cloud platform with integrated tools, templates, and managed services. With Azure’s integrated compute, database, storage, web, networking, and analytics services, you can use your existing skills and familiar technologies to build and manage apps and extend your IT functions into the cloud.

Azure provides businesses with the data security and privacy, control, and transparency they require. Confidential data is the lifeblood of any company, and protecting it from compromise is mission-critical. Companies in many industries are bound by extensive regulations regarding the use, transmission, and storage of customer data.

Security and privacy are built right into the Azure platform, beginning with the Security Development Lifecycle (SDL) that addresses security at every development phase from initial planning to launch, and Azure is continually updated to make it even more secure. Operational Security Assurance (OSA) builds on SDL knowledge and processes to provide a framework that helps ensure secure operations throughout the lifecycle of cloud-based services. Azure Security Center makes Azure the only public cloud platform to offer continuous security-health monitoring.

Secure identity

Azure enables you to manage user identities and credentials, and control access to protect business and personal information. Azure Active Directory (AAD) helps ensure that only authorized users can access your environments, data, and applications, and can provide multi-factor authentication for highly secure sign-in. AAD Privileged Identity Management helps to reduce the risk associated with administrative access.

AAD performs authentication, authorization, and access control, and supports industry-standard protocols such as SAML 2.0, WS-Federation, and OpenID Connect, so developers can integrate identity management into their apps across different platforms. Developers can build mobile and web apps that integrate with Microsoft and third-party APIs with OAuth 2.0. AAD works as a standalone cloud directory for your organization or can be integrated with your on-premises Active Directory with directory sync and single sign-on (SSO). Federated applications can support user provisioning and password vaulting.

Learn more about Azure Active Directory identity management.

With Azure Multi-Factor Authentication (MFA), you can require users to verify their sign-ins via mobile app, phone call, or text message. Office 365 includes a form of MFA. Azure AAD Premium edition adds MFA, custom greetings, fraud alert, security reports, one-time bypass, blocking/unblocking of users, customizable caller ID for authentication phone calls, and more.

Learn more about Azure MFA.

Secure infrastructure

Azure infrastructure security relies on secure practices and technologies to connect virtual machines to each other and to on-premises datacenters, while blocking unauthorized traffic. Azure Virtual Networks extend your on-premises network to the cloud, via a site-to-site virtual private network (VPN) or dedicated wide area network (WAN) link via Azure ExpressRoute, to create a cross-premises connection.

Learn more about Azure network security.

Infrastructure design and controls

Azure’s infrastructure is designed as a secure foundation that can host millions of customers simultaneously, giving you control and customization via a wide array of configurable security options. Azure prevents unauthorized and unintentional transfer of information between deployments in a multitenant architecture, using virtual local area network (VLAN) isolation, access control lists (ACLs), load balancers, and IP filters, along with traffic flow policies; network address translation (NAT) separates internal network traffic from external traffic.

The Azure Fabric Controller allocates infrastructure resources to tenant workloads and manages unidirectional communications from the host to virtual machines (VMs). The Azure hypervisor enforces memory and process separation between VMs and securely routes network traffic to guest OS tenants. Azure also implements isolation for tenants, storage, and virtual networks.

Network Security Groups (NSGs) control traffic to VM instances. NSGs, user-defined routing, IP forwarding, forced tunneling, and endpoint ACLs help to secure communications on Azure Virtual Networks, and Azure implements packet-filtering firewalls on all host and guest VMs by default.

Threat management

Microsoft continuously monitors servers, networks, and applications to detect threats. Azure’s multipronged threat-management approach uses intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, and machine learning to constantly strengthen its defense and reduce risks. Microsoft Antimalware for Azure protects Azure cloud services and virtual machines. You have the option to deploy third-party security solutions within your subscriptions, such as web application firewalls, network firewalls, antimalware, intrusion detection and prevention systems (IDS/IPS), and more.

Azure Security Center

Azure Security Center gives you control over the security of your cloud assets. You can define policies for your Azure subscriptions, deploy integrated security solutions from Microsoft and its partners, and get a centralized view of the security state of all your Azure resources. Azure Log Integration enables you to forward logs from assets deployed in Azure to on-premises Security Information and Event Management (SIEM) systems.

Learn more about how Azure Security Center works.

Physical infrastructure security

Azure is deployed in Microsoft regional datacenters, which are protected by layers of defense-in-depth security that include perimeter fencing, video cameras, security personnel, secure entrances, and real-time communications networks, continuing through every area of the facility to each physical server unit.

To learn more about Microsoft’s global datacenters, take a virtual datacenter tour.

Secure apps and data

Azure uses industry-standard protocols to encrypt data in transit as it travels between devices and Microsoft datacenters and moves within datacenters, as well as data at rest in Azure Storage. This includes multiple capabilities for protecting data in transit and at rest, including encryption for data, files, applications, services, communications, and drives. Azure supports and uses numerous encryption mechanisms, including SSL/TLS, IPsec, and AES. You can configure BitLocker Drive Encryption on VHDs that contain sensitive information. Access to data by Azure support personnel requires your explicit permission and is granted on a “just in time” basis that is logged and audited, then revoked after completion of the engagement.

Data security features

Some data and storage security features in Azure:

  • You can encrypt your data before putting it into Azure, and you can store keys in your on-premises datacenter.
  • Client-side encryption for Azure Blob storage enables you to completely control the keys. The storage service never sees the keys and is incapable of decrypting the data. Separately, Azure Storage Service Encryption automatically encrypts your data before persisting it to storage and decrypts it before retrieval. Learn more about Azure Storage Service Encryption.
  • Storage Account Keys, Shared Access Signatures, management certificates, and other keys are unique to each Azure tenant.
  • You can use Azure Rights Management Services (RMS) for file- and data-level encryption and to prevent unintentional or deliberate leakage of data by authorized users.
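The first two bullets describe the client-side model: data is encrypted before it leaves your environment, and the storage service only ever holds ciphertext. The Go program below is an added illustration of that model, not code from Azure or its SDKs. It assumes a stand-in in-memory `BlobStore` in place of a real storage account, a customer-held AES-256 key, and AES-GCM with the blob name bound as additional authenticated data so that a ciphertext moved to another blob name, or modified in storage, fails to decrypt. Sample data is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// storedObject is what the (hypothetical) storage side keeps per blob:
// a nonce and ciphertext. The key is never part of it.
type storedObject struct {
	nonce      []byte
	ciphertext []byte
}

// BlobStore stands in for a remote object store (assumption: in-memory map).
type BlobStore struct {
	objects map[string]storedObject
}

func NewBlobStore() *BlobStore {
	return &BlobStore{objects: make(map[string]storedObject)}
}

// Raw returns exactly what the storage service sees for a blob: ciphertext only.
func (s *BlobStore) Raw(name string) []byte {
	return s.objects[name].ciphertext
}

// ClientEncryptor holds the customer-managed key on the client side.
type ClientEncryptor struct {
	aead cipher.AEAD
}

// NewKey generates a 32-byte key for AES-256; in practice it would live in an
// on-premises HSM or key store, never in the storage account.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func NewClientEncryptor(key []byte) (*ClientEncryptor, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ClientEncryptor{aead: aead}, nil
}

// Upload encrypts locally with AES-GCM and stores only nonce + ciphertext.
// The blob name is passed as additional authenticated data (AAD), so a
// ciphertext copied under a different name will not authenticate.
func (c *ClientEncryptor) Upload(store *BlobStore, name string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := c.aead.Seal(nil, nonce, plaintext, []byte(name))
	store.objects[name] = storedObject{nonce: nonce, ciphertext: ct}
	return nil
}

// Download fetches nonce + ciphertext and decrypts client-side. Any change to
// the ciphertext, nonce or name surfaces as an authentication error.
func (c *ClientEncryptor) Download(store *BlobStore, name string) ([]byte, error) {
	obj, ok := store.objects[name]
	if !ok {
		return nil, errors.New("blob not found")
	}
	return c.aead.Open(nil, obj.nonce, obj.ciphertext, []byte(name))
}

func main() {
	key, _ := NewKey()
	enc, _ := NewClientEncryptor(key)
	store := NewBlobStore()
	// Constructed sample content; no real customer data.
	_ = enc.Upload(store, "customer-records.csv", []byte("id,name\n1,sample row\n"))
	fmt.Printf("storage holds %d bytes of ciphertext\n", len(store.Raw("customer-records.csv")))
	pt, err := enc.Download(store, "customer-records.csv")
	fmt.Printf("client decrypts: %q (err=%v)\n", pt, err)
}
```

The point to check in a real deployment is the same as in this toy: the key material and the decrypt call live on the client, and the object the service persists is useless without them.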

Learn more about Azure storage security and encryption best practices.

Shared responsibility

Some organizations that consider public cloud computing mistakenly assume that after moving to the cloud the role of securing their data shifts entirely to the cloud service provider (CSP). Cloud providers by design should provide security for certain elements, such as the physical infrastructure and network elements, but keeping your data secure is a shared responsibility in the cloud. Customers must implement security best practices and educate users in accessing cloud services securely. Different cloud service models affect the ways the responsibilities are shared and who has responsibility for which controls.

Learn more about shared responsibilities for cloud computing.