Microsoft Azure

Now you can take advantage of the latest security, privacy, and compliance features of Microsoft Azure. On this site, you’ll learn about the trusted cloud, how your data is stored and accessed, and our comprehensive approach to securing your IT environment.


Overview

Security and privacy are built right into the Azure platform, beginning with the Security Development Lifecycle (SDL). The SDL addresses security at every development phase and ensures that Azure is continually updated to make it even more secure. Operational Security Assurance (OSA) builds on SDL knowledge and processes to supply a framework that helps provide secure operations throughout the lifecycle of cloud-based services. Azure Security Center makes Azure the only public cloud platform to offer continuous security-health monitoring.

For Azure security technical resources, visit Azure Security Documentation.

Manage and control identity and user access

Azure helps you protect business and personal information by enabling you to manage user identities and credentials plus control access.

Azure Active Directory

  • Helps ensure that only authorized users can access your environments, data, and applications.
  • Offers multi-factor authentication for highly secure sign-in, including specialized administrative access through Azure Active Directory Privileged Identity Management.
  • Performs authentication, authorization, and access control through industry-standard protocols such as SAML 2.0, WS-Federation, and OpenID Connect.
  • Helps developers integrate identity management into apps across different platforms and build mobile and web apps that integrate with Microsoft and third-party APIs with OAuth 2.0.
  • Works as a standalone cloud directory for your organization or can be integrated with your on-premises Active Directory with directory sync and single sign-on (SSO).
  • Allows federated applications to support user provisioning and password vaulting.

Learn more about Azure Active Directory identity management

Azure Multi-Factor Authentication

  • Requires users to verify their sign-ins via mobile app, phone call, or text message.
  • Office 365 includes a form of Multi-Factor Authentication.
  • Azure Active Directory Premium edition adds Multi-Factor Authentication custom greetings, fraud alerts, security reports, one-time bypass, blocking/unblocking of users, customizable caller ID for authentication phone calls, and more.

Learn more about Azure Multi-Factor Authentication

Encrypt communications and operation processes

Azure uses industry-standard protocols to encrypt data in transit. Your data is secure as it travels between devices and Microsoft datacenters, as it moves within datacenters, and when your data is at rest in Azure Storage. Capabilities include:

  • Protects data in transit and at rest, including encryption for data, files, applications, services, communications, and drives.
  • Supports and uses numerous encryption mechanisms, including SSL/TLS, IPsec, and AES.
  • Provides configuration support for BitLocker Drive Encryption on VHDs that contain sensitive information.
  • Ensures that access to data by Azure support personnel requires your explicit permission and is granted on a “just in time” basis that is logged and audited, then revoked after completion of the engagement.

Secure key management is essential to protecting data in the cloud. Azure Key Vault enables Azure subscribers to safeguard and control cryptographic keys and other secrets used by cloud apps and services.

  • Encrypt keys and small secrets like passwords using keys in Hardware Security Modules (HSMs).
  • Import or generate your keys in HSMs certified to FIPS 140-2 level 2 standards for added assurance so that your keys stay within the HSM boundary.
  • Simplify and automate tasks for SSL/TLS certificates by enrolling and automatically renewing certificates from supported Public Certification Authorities (CAs).
  • Provision and deploy new vaults and keys in minutes without waiting for procurement, hardware, or IT and centrally manage keys, secrets, and policies.
  • Maintain control over encrypted data—grant and revoke key use by your own and third-party applications as needed.
  • Segregate key management duties so developers can easily manage keys used for dev/test and migrate seamlessly to production keys managed by security operations.
  • Rapidly scale to meet the cryptographic needs of your cloud applications and match peak demand.
  • Achieve global redundancy by provisioning vaults in Azure datacenters worldwide and keep a copy in your own Hardware Security Modules (HSMs) for added durability.

Learn more about Azure Key Vault

  • You can encrypt your data before putting it into Azure and you can store keys in your on-premises datacenter.
  • Client-side encryption for Azure Blob storage enables you to completely control the keys. The storage service never sees the keys and is incapable of decrypting the data.
  • Azure Storage automatically encrypts your data prior to persisting to storage and decrypts prior to retrieval.

Learn more about Azure Storage Service Encryption

  • Storage Account Keys, Shared Access Signatures, management certificates, and other keys are unique to each Azure tenant.
  • You can use Azure Rights Management Services (RMS) for file- and data-level encryption and to prevent unintentional or deliberate leakage of data by authorized users.

Learn more about Azure storage security and encryption best practices

Increase network and infrastructure security

Azure provides the security-hardened infrastructure to connect virtual machines (VMs) to one another and to connect on-premises datacenters with Azure VMs. Azure blocks unauthorized traffic to and within Microsoft datacenters using a variety of technologies. Azure Virtual Networks extend your on-premises network to the cloud through IPsec-based site-to-site VPN technology or through a high-speed Azure ExpressRoute dedicated WAN link.

  • Extend your on-premises network to the cloud via a site-to-site virtual private network (VPN) or a dedicated wide area network (WAN) link.
  • Use Azure ExpressRoute to create a cross-premises connection.

Learn more about Azure network security

The Azure infrastructure is designed as a secure foundation that can host millions of customers simultaneously, giving you control and customization via a wide array of configurable security options. Azure prevents unauthorized and unintentional transfer of information between deployments in a multitenant architecture, using virtual local area network (VLAN) isolation, access control lists (ACLs), load balancers, and IP filters, along with traffic flow policies. Network address translation (NAT) separates internal network traffic from external traffic.

Azure Fabric Controller

  • Allocates infrastructure resources to tenant workloads and manages unidirectional communications from the host to VMs.
  • Uses the Azure hypervisor to enforce memory and process separation between VMs and to securely route network traffic to guest OS tenants. Azure also implements isolation for tenants, storage, and virtual networks.

Learn more about Azure Fabric Controller

Network Security Groups (NSGs)

  • NSGs allow control of traffic to Virtual Machine (VM) instances.
  • NSGs, user-defined routing, IP forwarding, forced tunneling, and endpoint ACLs help secure communications on Azure Virtual Networks.
  • Azure implements packet-filtering firewalls on all host and guest VMs by default.

Learn more about Network Security Groups (NSG)

Azure is deployed in Microsoft regional datacenters. These datacenters are protected by layers of defense-in-depth security that include perimeter fencing, video cameras, security personnel, secure entrances, and real-time communication networks. This multi-layered security model is in use throughout every area of the facility, including each physical server unit.

Want to know more about our global datacenters?

Take the virtual datacenter tour

Defend against threats

Microsoft continuously monitors servers, networks, and applications to detect threats. The Azure multipronged threat-management approach includes technologies and processes that constantly strengthen Azure’s defenses and reduce risks, including:

  • Intrusion detection
  • Distributed denial-of-service (DDoS) attack prevention
  • Penetration testing
  • Behavioral analytics
  • Anomaly detection
  • Machine learning

Microsoft Antimalware for Azure

  • Protects Azure cloud services and virtual machines.
  • Supports deployment of third-party security solutions within your subscriptions, such as web application firewalls, network firewalls, antimalware, intrusion detection and prevention systems (IDS/IPS), and more.

Learn more about Microsoft Antimalware for Azure

Azure Security Center

  • Gives you control over the security of your cloud assets.
  • Lets you define policies for your Azure subscriptions, deploy integrated security solutions from Microsoft and its partners, and get a centralized view of the security state of all your Azure resources.
  • Azure Log Integration allows you to integrate logs from assets deployed in Azure into on-premises security information and event management (SIEM) systems.

Learn more about Azure Security Center

Shared responsibility

Some organizations, when considering public cloud computing, mistakenly assume that after moving to the cloud, the role of securing their data shifts entirely to the Cloud Service Provider (CSP). But this is not accurate. Cloud providers by design should provide security for certain elements such as the physical infrastructure and network components, but keeping your data secure in the cloud is a shared responsibility.

Customers must implement security best practices and educate users on how to access cloud services securely. Different cloud service models divide these management responsibilities differently.

Learn more about shared responsibilities for cloud computing

Sign up for a free Azure account and get just what you need

Your Azure solution is just a click away. Get the information and resources you need to create your free Azure account today. Find out what the cloud can offer your business and discover solutions that worldwide customers in the financial, retail, healthcare, and manufacturing industries already trust.