
    In today’s complex and regulated environment, businesses need to build more secure solutions that deliver value to their customers, partners, and shareholders, both in the cloud and on premises. Microsoft has decades of experience building enterprise software and running some of the largest online services in the world, and uses that experience to implement and continuously improve the security-aware software development, operational management, and threat mitigation practices that strong protection of services and data requires.

    The guiding principle of Microsoft’s security strategy is to “assume breach,” and Microsoft’s global incident response team works around the clock to mitigate the effects of any attack against the Microsoft business cloud. Security is built into Microsoft business products and cloud services from the ground up, starting with the Security Development Lifecycle, a mandatory process that embeds security requirements into every phase of software development. Microsoft complies with both international and industry-specific compliance standards and participates in rigorous third-party audits that verify its security controls.


    Secure identity

    Identity and access management

    Identity and access management is key to securing Microsoft enterprise products and services. Microsoft uses stringent identity management and access controls to limit data and system access to those with a genuine business need, applying the principle of least privilege. These controls help protect business and personal information from unauthorized access while keeping it available to legitimate users.

    System design and policies are implemented to prevent personnel who have authorized access to customer data from using it for purposes beyond those identified for their roles. Security policies set the standards and define procedures for data protection.

    Azure Active Directory (AAD) is a comprehensive identity and access management cloud solution that helps secure access to your data and on-premises and cloud applications, and simplifies the management of users and groups. It combines core directory services, advanced identity governance, security, and application access management, and is a key component of most Microsoft business cloud services, as well as thousands of third-party SaaS apps. AAD also makes it easy for developers to build policy-based identity management into their applications.

    Learn more about Microsoft’s identity and access management technologies.

    Secure infrastructure

    Secure strategy

    An “assume breach” strategy enables Microsoft to harden its business products and cloud services and stay ahead of emerging threats by assuming that attackers have already exploited vulnerabilities or gained privileged access. A dedicated “red team” of security experts simulates real-world attacks at the network, platform, and application layers, challenging Microsoft Azure and Microsoft Office 365 to continually improve the ways they detect, protect against, and recover from security breaches.

    Learn more about live site penetration testing against Microsoft cloud infrastructure, services, and applications.

    Secure operations

    Operational Security Assurance (OSA) makes Microsoft business cloud services more resilient to attack by shortening the time needed to prevent, detect, and respond to real and potential Internet-based security threats. It requires operational activities to follow rigorous security guidelines and validates that those guidelines are actually followed. When issues arise, a feedback loop helps ensure that future revisions of OSA include mitigations that address them.

    Learn more about operational security for online services.

    Secure networks

    Microsoft network infrastructure helps block undesirable traffic to and within Microsoft datacenters, using technologies such as firewalls, partitioned local area networks (LANs), and the physical separation of back-end servers from public-facing interfaces. Virtual networks, Network Security Groups (NSGs), ExpressRoute, and forced tunneling are some of the technologies that segment and connect services and clients, and that connect on-premises datacenters to the Microsoft business cloud. Windows Server 2016 includes enhanced network security features such as Shielded VMs, the host-based datacenter firewall, and enhancements to IP address management (IPAM).

    Learn more about Microsoft network security.

    Threat management

    Microsoft uses intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, data analytics, and machine learning to constantly strengthen its defense and reduce risks. Antimalware protection is built into Microsoft business software and cloud services to protect both your on-premises systems and your virtual machines in the cloud.

    Learn more about how Microsoft handles threat management.

    Auditing and logging

    Microsoft offers centralized monitoring, logging, and analysis systems that provide continuous visibility, timely alerts, and reports from which you can build an audit trail. You can configure operating system components to generate logs for security analysis and monitoring, use Azure logging to track administrative operations and system access and changes, and export that information to a Security Information and Event Management (SIEM) system.

    Learn more about auditing and logging.

    Secure apps and data


    Technological safeguards such as encrypted communications, backed by operational processes, enhance the security of customers’ applications and data. For data in transit, the Microsoft business cloud uses industry-standard encrypted transport protocols between user devices and Microsoft datacenters, and within the datacenters themselves. For data at rest, the Microsoft Cloud offers a range of encryption capabilities up to AES-256, giving you the flexibility to choose the option that best meets your needs. Windows Server 2016 includes familiar technologies for protecting data at rest, such as BitLocker full-volume encryption and Encrypting File System (EFS) file-level encryption.

    Learn more about how Microsoft products and services use encryption.

    The Security Development Lifecycle (SDL)

    The SDL is a companywide, mandatory program that aims to reduce the number and severity of vulnerabilities in Microsoft software. Introduced in 2004, the SDL embeds security requirements across the entire software development lifecycle. As technology evolves and attackers become more sophisticated, so does the SDL, which has significantly decreased the number and severity of vulnerabilities in Microsoft software over the past decade.

    Learn more about the Security Development Lifecycle.


    Shared responsibility

    Whether in the cloud or in an on-premises datacenter, security is a shared responsibility between customer and vendor. The software vendor or cloud service provider (CSP) is responsible for securing certain elements, such as the physical infrastructure and network, for building security into its product or service, and for providing updates that fix vulnerabilities. The customer is responsible for implementing security best practices in its own configuration and applications, and for educating its users to do the same. The cloud service model in use (infrastructure, platform, or software as a service) changes how these responsibilities are divided and who owns which controls.

    Learn more about shared responsibilities for cloud computing (PDF, 608 KB).