Microsoft Azure is an open and flexible cloud platform with integrated tools, templates, and managed services. With Azure’s integrated compute, database, storage, web, networking, and analytics services, you can use your existing skills and familiar technologies to build and manage apps and extend your IT functions into the cloud.
Azure provides businesses with the data security and privacy, control, and transparency they require. Confidential data is the lifeblood of any company, and protecting it from compromise is mission-critical. Companies in many industries are bound by extensive regulations regarding the use, transmission, and storage of customer data.
Security and privacy are built right into the Azure platform, beginning with the Security Development Lifecycle (SDL) that addresses security at every development phase from initial planning to launch, and Azure is continually updated to make it even more secure. Operational Security Assurance (OSA) builds on SDL knowledge and processes to provide a framework that helps ensure secure operations throughout the lifecycle of cloud-based services. Azure Security Center makes Azure the only public cloud platform to offer continuous security-health monitoring.
Azure enables you to manage user identities and credentials, and control access to protect business and personal information. Azure Active Directory (AAD) helps ensure that only authorized users can access your environments, data, and applications, and can provide multi-factor authentication for highly secure sign-in. AAD Privileged Identity Management helps to reduce the risk associated with administrative access.
AAD performs authentication, authorization, and access control, and supports industry-standard protocols such as SAML 2.0, WS-Federation, and OpenID Connect, so developers can integrate identity management into their apps across different platforms. Developers can build mobile and web apps that integrate with Microsoft and third-party APIs using OAuth 2.0. AAD works as a standalone cloud directory for your organization or can be integrated with your on-premises Active Directory through directory sync and single sign-on (SSO). Federated applications can support user provisioning and password vaulting.
Learn more about Azure Active Directory identity management.
With Azure Multi-Factor Authentication (MFA), you can require users to verify their sign-ins via mobile app, phone call, or text message. Office 365 includes a form of MFA. The AAD Premium edition adds MFA, custom greetings, fraud alert, security reports, one-time bypass, blocking/unblocking of users, customizable caller ID for authentication phone calls, and more.
Learn more about Azure MFA.
Azure infrastructure security relies on secure practices and technologies to connect virtual machines to each other and to on-premises datacenters, while blocking unauthorized traffic. Azure Virtual Networks extend your on-premises network to the cloud, via a site-to-site virtual private network (VPN) or dedicated wide area network (WAN) link via Azure ExpressRoute, to create a cross-premises connection.
Learn more about Azure network security.
Azure’s infrastructure is designed as a secure foundation that can host millions of customers simultaneously, giving you control and customization via a wide array of configurable security options. Azure prevents unauthorized and unintentional transfer of information between deployments in a multitenant architecture, using virtual local area network (VLAN) isolation, access control lists (ACLs), load balancers, and IP filters, along with traffic flow policies; network address translation (NAT) separates internal network traffic from external traffic.
The Azure Fabric Controller allocates infrastructure resources to tenant workloads and manages unidirectional communications from the host to virtual machines (VMs). The Azure hypervisor enforces memory and process separation between VMs and securely routes network traffic to guest OS tenants. Azure also implements isolation for tenants, storage, and virtual networks.
Network Security Groups (NSGs) control traffic to VM instances. NSGs, user-defined routing, IP forwarding, forced tunneling, and endpoint ACLs help to secure communications on Azure Virtual Networks, and Azure implements packet-filtering firewalls on all host and guest VMs by default.
Microsoft continuously monitors servers, networks, and applications to detect threats. Azure’s multipronged threat-management approach uses intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, and machine learning to constantly strengthen its defense and reduce risks. Microsoft Antimalware for Azure protects Azure cloud services and virtual machines. You have the option to deploy third-party security solutions within your subscriptions, such as web application firewalls, network firewalls, antimalware, intrusion detection and prevention systems (IDS/IPS), and more.
Azure Security Center gives you control over the security of your cloud assets. You can define policies for your Azure subscriptions, deploy integrated security solutions from Microsoft and its partners, and get a centralized view of the security state of all your Azure resources. Azure Log Integration enables you to forward logs from assets deployed in Azure to on-premises Security Information and Event Management (SIEM) systems.
Learn more about how Azure Security Center works.
Azure is deployed in Microsoft regional datacenters, which are protected by layers of defense-in-depth security that include perimeter fencing, video cameras, security personnel, secure entrances, and real-time communications networks, continuing through every area of the facility to each physical server unit.
To learn more about Microsoft’s global datacenters, take a virtual datacenter tour.
Azure uses industry-standard protocols to encrypt data in transit as it travels between devices and Microsoft datacenters and moves within datacenters, as well as data at rest in Azure Storage. This includes multiple capabilities for protecting data in transit and at rest, including encryption for data, files, applications, services, communications, and drives. Azure supports and uses numerous encryption mechanisms, including SSL/TLS, IPsec, and AES. You can configure BitLocker Drive Encryption on VHDs that contain sensitive information. Access to data by Azure support personnel requires your explicit permission and is granted on a “just in time” basis that is logged and audited, then revoked after completion of the engagement.
Some data and storage security features in Azure:
Learn more about Azure storage security and encryption best practices.
Some organizations that consider public cloud computing mistakenly assume that after moving to the cloud the role of securing their data shifts entirely to the cloud service provider (CSP). Cloud providers by design should provide security for certain elements, such as the physical infrastructure and network elements, but keeping your data secure is a shared responsibility in the cloud. Customers must implement security best practices and educate users in accessing cloud services securely. Different cloud service models affect the ways the responsibilities are shared and who has responsibility for which controls.
Learn more about shared responsibilities for cloud computing.