In today’s complex and regulated environment, businesses need to focus on building more secure solutions that deliver value to their customers, partners, and shareholders—both in the cloud and on premises. Microsoft has decades-long experience building enterprise software and running some of the largest online services in the world, and leverages this experience to implement and continuously improve security-aware software development, operational management, and threat mitigation practices that are essential to the strong protection of services and data.
The guiding principle of Microsoft’s security strategy is to “assume breach,” and Microsoft’s global incident response team works around the clock to mitigate the effects of any attack against the Microsoft business cloud. Security is built into Microsoft business products and cloud services from the ground up, starting with the Security Development Lifecycle (SDL), a mandatory process that embeds security requirements into every phase of development. Microsoft complies with both international and industry-specific compliance standards and participates in rigorous third-party audits, which verify our security controls.
Identity and access management are key to securing Microsoft enterprise products and services. Microsoft uses stringent identity management and access controls to limit data and system access to those with a genuine business need, employing the principle of least-privileged access. These features help protect business and personal information from unauthorized access, while facilitating its availability to legitimate users.
System design and policies are implemented to prevent personnel who have authorized access to customer data from using it for purposes beyond those identified for their roles. Security policies set the standards and define procedures for data protection.
Azure Active Directory (AAD) is a comprehensive identity and access management cloud solution that helps secure access to your data and on-premises and cloud applications, and simplifies the management of users and groups. It combines core directory services, advanced identity governance, security, and application access management, and is a key component of most Microsoft business cloud services, as well as thousands of third-party SaaS apps. AAD also makes it easy for developers to build policy-based identity management into their applications.
An “assume breach” strategy enables Microsoft to harden its business products and cloud services and stay ahead of emerging threats by assuming that attackers have already exploited vulnerabilities or gained privileged access. A dedicated “red team” of security experts simulates real-world attacks at the network, platform, and application layers, challenging Microsoft Azure and Microsoft Office 365 to continually improve the ways they detect, protect against, and recover from security breaches.
Operational Security Assurance (OSA) makes Microsoft business cloud services more resilient to attack by decreasing the amount of time needed to prevent, detect, and respond to real and potential Internet-based security threats. It ensures that operational activities follow rigorous security guidelines and validates that these guidelines are followed. When issues arise, a feedback loop helps ensure that future revisions of OSA support mitigations that address them.
Microsoft network infrastructure helps block undesirable traffic to and within Microsoft datacenters, using such technologies as firewalls, partitioned local area networks (LANs), and the physical separation of back-end servers from public-facing interfaces. Virtual networks, Network Security Groups (NSGs), ExpressRoute, and forced tunneling are some of the technologies that help connect services and clients and connect on-premises datacenters to the Microsoft business cloud. Windows Server 2016 includes enhanced network security features such as Shielded VMs, the host-based datacenter firewall, and enhancements to IP address management (IPAM).
Microsoft uses intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, data analytics, and machine learning to constantly strengthen its defense and reduce risks. Antimalware protection is built into Microsoft business software and cloud services to protect both your on-premises systems and your virtual machines in the cloud.
Microsoft offers centralized monitoring, logging, and analysis systems to provide continuous visibility, timely alerts, and reports so you can create an audit trail. You can configure operating system components to generate logs for security analysis and monitoring, and use Azure logging to track administrative operations, system access and changes, and export information to a Security Information and Event Management (SIEM) system.
Technological safeguards, such as encrypted communications, together with operational processes enhance the security of our customers’ applications and data. For data in transit, the Microsoft business cloud uses industry-standard encrypted transport protocols between user devices and Microsoft datacenters, and within datacenters themselves. For data at rest, the Microsoft Cloud offers a wide range of encryption capabilities up to AES-256, giving you the flexibility to choose the solution that best meets your needs. Windows Server 2016 includes familiar encryption technologies for protecting data at rest, such as BitLocker full-volume encryption and Encrypting File System (EFS) file-level encryption.
The SDL is a companywide, mandatory program that aims to reduce the number and severity of vulnerabilities in Microsoft software. Introduced in 2004, the SDL embeds security requirements in the entire software development lifecycle. As technology evolves and criminals become more sophisticated, so does the SDL, which has significantly decreased the number and severity of vulnerabilities in Microsoft software over the past decade.
Whether in the cloud or in an on-premises datacenter, security is a shared responsibility between customer and vendor. It is the responsibility of the software vendor or cloud services provider (CSP) to provide security for certain elements, such as the physical infrastructure and network elements, build security into its product or service, and provide updates to fix vulnerabilities. It is the responsibility of the customer to implement security best practices and educate users in doing so. Different cloud service models affect the ways the responsibilities are shared and who has responsibility for which controls.