Design and operational security
Microsoft protects your data with a trustworthy technology foundation
Microsoft cloud services and software are built on the same trustworthy technology foundation that applies to all products and services. Microsoft designs its services and software with security in mind to help ensure that its cloud infrastructure is resilient and defended from attacks.
The guiding principle of the Microsoft security strategy is to “assume breach.” So, our global incident response team works continuously to mitigate the effects of any attacks against Microsoft cloud services. These practices are backed by security “centers of excellence” that fight digital crime, combat malware, and respond to security incidents and vulnerabilities in our software.
Microsoft uses stringent identity management and access controls to limit data and systems access to those with a genuine business need (the principle of least privilege). Account password controls enforce password complexity rules and require periodic rotation. We implement system design and policies to prevent personnel who have authorized access to customer data from using it for purposes beyond those identified for their roles. Security policies set the standards and define procedures for data protection.
Microsoft has invested in systems and controls that automate most Office 365 operations while intentionally limiting Microsoft personnel access to customer content. Humans govern the service, but software operates it. This enables Microsoft to manage Office 365 at scale, and to manage the risks of internal threats to customer content (such as a malicious actor or the spear-phishing of a Microsoft engineer).
As an example: By default, Microsoft engineers have no standing administrative privileges and no standing access to customer content in Office 365. A Microsoft engineer may have restricted (and audited) secured access to a customer’s content for a limited amount of time, only when necessary for service operations and only when approved by a member of senior management at Microsoft (and, for customers who are licensed for the Customer Lockbox feature, the customer).
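The just-in-time access flow this paragraph describes, as an added Python illustration that is not Microsoft's code: no standing access, a grant only once senior management and, for a Customer Lockbox tenant, the customer have approved, a bounded window that expires on its own, and an audit entry for every step. The role names, the MAX_ACCESS cap and the sample engineer and tenant values are assumptions.

```python
# Added illustration of the access model described above, not Microsoft code;
# role names, the MAX_ACCESS cap and the sample values are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

MAX_ACCESS = timedelta(hours=4)  # assumed cap on any single grant

@dataclass
class AccessRequest:
    engineer: str
    tenant: str
    lockbox_enabled: bool      # tenant licensed for Customer Lockbox
    duration: timedelta
    approvals: Set[str] = field(default_factory=set)
    granted_at: Optional[datetime] = None   # None = no standing access

def required_approvals(req: AccessRequest) -> Set[str]:
    # Senior management always; Customer Lockbox adds the customer as approver.
    return {"senior_management"} | ({"customer"} if req.lockbox_enabled else set())

class AccessBroker:
    def __init__(self) -> None:
        self.audit_log: List[str] = []   # every approval and decision lands here
    def approve(self, req: AccessRequest, role: str) -> None:
        req.approvals.add(role)
        self.audit_log.append(f"approve {role} {req.engineer}->{req.tenant}")
    def grant(self, req: AccessRequest, now: datetime) -> bool:
        missing = required_approvals(req) - req.approvals
        if missing or req.duration > MAX_ACCESS:
            self.audit_log.append(f"deny {req.engineer} missing={sorted(missing)}")
            return False
        req.granted_at = now
        self.audit_log.append(f"grant {req.engineer} until {now + req.duration:%H:%M}")
        return True
    def has_access(self, req: AccessRequest, now: datetime) -> bool:
        # Access exists only inside the approved window and expires on its own.
        return req.granted_at is not None and now < req.granted_at + req.duration

def demo() -> List[bool]:
    # Walk one Lockbox-protected request through the flow (constructed values).
    broker, t0 = AccessBroker(), datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    req = AccessRequest("eng01", "contoso", lockbox_enabled=True, duration=timedelta(hours=2))
    steps = [broker.has_access(req, t0)]              # default: no access at all
    broker.approve(req, "senior_management")
    steps.append(broker.grant(req, t0))               # denied: customer not yet approved
    broker.approve(req, "customer")
    steps.append(broker.grant(req, t0))               # granted: both approvals present
    steps.append(broker.has_access(req, t0 + timedelta(hours=1)))
    steps.append(broker.has_access(req, t0 + timedelta(hours=3)))  # window closed
    return steps
```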
Microsoft subcontractors are held to the same security standards as full-time employees. Subcontractors who work in facilities or on equipment controlled by Microsoft must follow our data protection standards, and all other subcontractors must follow data protection standards that are equivalent to our own. Microsoft subcontractor agreements are designed to ensure the safeguarding of customer information, and subcontractors’ work is regularly monitored.
Operational Security Assurance (OSA) makes Microsoft business cloud services more resilient to attack by decreasing the amount of time needed to prevent, detect, and respond to real and potential Internet-based security threats. It ensures that operational activities follow rigorous security guidelines and validates that these guidelines are followed. When issues arise, a feedback loop helps ensure that future revisions of OSA support mitigations that address them.
An “assume breach” strategy enables Microsoft to harden its business cloud services and stay ahead of emerging threats. In this approach, the design, engineering, and operations teams assume that attackers have already exploited vulnerabilities or gained privileged access. A dedicated “red team” of security experts simulates real-world attacks at the network, platform, and application layers, challenging the ability of Microsoft Azure and Microsoft Office 365 to detect, protect against, and recover from security breaches.
Microsoft has integrated the National Institute of Standards & Technology’s (NIST) Cybersecurity Framework into our enterprise risk-management program to inform and influence our security risk practices. Using the NIST Cybersecurity Framework to evaluate the security maturity of our products enables teams across the company to share a better understanding of our security capabilities. The framework facilitates conversations about the maturity of our enterprise-level security, helping us structure and maintain consistent security methodology and terminology. The NIST Cybersecurity Framework is also a key component in how we track security assurance and communicate about security maturity.
The Security Development Lifecycle (SDL) is a company-wide, mandatory process that aims to reduce the number and severity of vulnerabilities in Microsoft software. Introduced in 2004, the SDL embeds security requirements in the entire software development lifecycle. As technology evolves and criminals become more sophisticated, so does the SDL, which has significantly decreased the number and severity of vulnerabilities in Microsoft software over the past decade.
Microsoft provides tools to help developers build and maintain secure apps, protect data from threats, and address security compliance requirements, while at the same time reducing development costs.
- Attack Surface Analyzer 1.0 helps you understand your attack surface before and after new apps are deployed.
- Microsoft Threat Modeling Tool 2016 helps engineers find and address system security issues.
- The MiniFuzz basic file fuzzing tool is designed to ease adoption of fuzz testing (feeding a program large amounts of random data to trigger crashes that reveal security vulnerabilities).
- Regular expression file fuzzing tool tests for potential denial-of-service vulnerabilities.
Microsoft created specialized groups and teams to provide intensive focus on specific security issues, including:
- The Microsoft Digital Crimes Unit brings together experts who are dedicated to disrupting cybercrime threats such as botnet-driven Internet attacks and online child sexual exploitation.
- The Microsoft Security Response Center, led by some of the world’s most experienced security experts, delivers a worldwide security response, collaborates with the security community to help improve customer security, advances innovation in the security landscape, provides authoritative security guidance, and publishes the semi-annual Security Intelligence Report.
- The Microsoft Malware Protection Center is the antimalware research-and-response organization within Microsoft that protects computer systems from malicious software attacks. The center continuously monitors millions of computers worldwide, gathering and analyzing threat data. With help from researchers around the world, it can identify and mitigate new threats within hours of their discovery.