Microsoft Azure emphasizes robust security through compliance with industry standards and frameworks such as ISO 27001, SOC 1, SOC 2, and FedRAMP. It offers extensive measures for data protection, including multi-factor authentication, encryption in transit and at rest, and continuous monitoring for security threats. Additionally, Azure maintains strict data privacy commitments under regulations like HIPAA and GDPR, ensuring proper handling and protection of customer data.

1. Your vision. Your cloud.

4. Trustworthy
Computing
Initiative
Security
Development
LifecycleGlobal
Data Center
Services
Malware
Protection
Center
Microsoft Security
Response Center
Windows
Update
1st
Microsoft
Data
Center
Active
Directory
SOC 1
CSA Cloud
Controls Matrix
PCI DSS
Level 1
FedRAMP/
FISMA
UK G-Cloud
Level 2
ISO/IEC
27001:2005
HIPAA/
HITECH
Digital
Crimes
Unit
SOC 2
E.U. Data
Protection
Directive
https://www.microsoft.com/en-us/TrustCenter

5. https://cloudsecurityalliance.org/star-registrant/microsoft/
https://cloudsecurityalliance.org/

6. 6
Best practices
and guidance
Third-party
verification
Cloud Security
Alliance
Security
intelligence
report
Compliance
packages
Trust
Center
Access to
audit reports
Security Response
Center progress
report

7. 7
Restricted Use
Azure does not share
data with its advertiser-
supported services
Azure does not mine
Customer Data for
advertising
Read the fine print of other cloud service
provider’s privacy statements

8. Contractual Commitments
EU Data Privacy
Approval
• Microsoft makes strong contractual commitments to safeguard customer data
covered by HIPAA BAA, Data Processing Agreement, & E.U. Model Clauses
• Enterprise cloud-service specific privacy protections benefit every industry &
region
• Microsoft meets high bar for protecting privacy of EU customer data
• Microsoft offers customers EU Model Clauses for transfer of personal data
across international borders
• Microsoft’s approach was approved by the Article 29 committee of EU data
protection authorities – the first company to obtain this
Broad
contractual
scope

9. https://www.microsoft.com/en-
us/TrustCenter/Privacy/gdpr/readiness?&wt.srch=1&wt.mc_id=AID641639_SEM_CBaJdkAr&msclkid=ed
77bbb912621bf358a6e13cbccd9458

10. ISO 27001 SOC 1 Type 2
SOC 2 Type 2
FedRAMP/FISMA
PCI DSS Level 1
UK G-Cloud
Information
security
standards
Effective
controls
Government
& industry
certifications
Simplified Compliance

11. 11
Security Compliance Strategy
Security
analytics
Risk management
best practices
Security
benchmark
analysis
Test and
audit
Security
Compliance
Framework
• Security goals set in context of
business and industry
requirements
• Security analytics & best
practices deployed to detect
and respond to threats
• Benchmarked to a high bar of
certifications and accreditations
to ensure compliance
• Continual monitoring, test and
audit
• Ongoing update of certifications
for new services

12. 12
Program Description
ISO/IEC 27001
The ISO/IEC 27001:2005 certificate validates that Azure has implemented the internationally recognized information
security controls defined in this standard.
SOC 1
SSAE 16/ISAE 3402
Azure has also been audited against the Service Organization Control (SOC) reporting framework for SOC 1 Type 2
(formerly SAS 70), attesting to the design and operating effectiveness of its controls.
SOC 2
Azure has been audited for SOC 2 Type 2, which includes a further examination of Azure controls related to security,
availability, and confidentiality
FedRAMP/FISMA
Azure has received Provisional Authorization to Operate from the Federal Risk and Authorization Management
Program (FedRAMP) Joint Authorization Board (JAB), having undergone the assessments necessary to verify that it
meets FedRAMP security standards.
PCI DSS Level 1 Azure has been validated for PCI-DSS Level 1 compliance by an independent Qualified Security Assessor (QSA).
UK G-Cloud IL2
In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and
its partner offerings on the current G-Cloud procurement Framework and CloudStore.
HIPAA BAA
To help customers comply with HIPAA and HITECH Act security and privacy provisions, Microsoft offers a HIPAA
Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI).
Certifications and Programs

13. Online Services Terms

15. Traditional
Storage
Servers
Physical Network
Operating System
Middleware
Virtualization
Data
Applications
Runtime
YouManage
IaaS
Storage
Servers
Physical Network
Operating System
Middleware
Virtualization
Data
Applications
Runtime
ManagedbyMicrosoft
YouManage
PaaS
ManagedbyMicrosoft
YouManage
Storage
Servers
Physical Network
Operating System
Middleware
Virtualization
Applications
Runtime
Data
SaaS
ManagedbyMicrosoft
Storage
Servers
Physical Network
Operating System
Middleware
Virtualization
Applications
Runtime
Data
Windows Azure Virtual Machines
Windows Server Hyper-V
Windows Server Windows Azure PaaS Services
Office 365
Dynamics CRM
Software Network

16. https://www.microsoft.com/en-
us/trustcenter/security#How-Microsoft-protects-your-data
Network Protection
Private, isolated network
Extend existing topology
Private, physical
connection
Data Protection
Data Redundancy
Options
Encryption - In-Transit
and At-Rest
Key Vault
Identity & Access
Manage user identities
Multi-factor
authentication
Role-based access
control

17. https://azure.microsoft.com/en-us/updates/ https://azure.microsoft.com/en-us/status/

18. Security embedded
in planning, design,
development, &
deployment
Rigorous controls to
prevent, detect,
contain, & respond to
threats
Hardening cloud
services through
simulated real-world
attacks
Global, 24x7 incident
response to mitigate
effects of attacks
Design and Operations
Operational
security
controls
Assume
breach
Incident
response
Software
Development
Lifecycle (SDL)
https://www.microsoft.com/en-us/trustcenter/security//designopsecurity

20. Service security starts with physical data center
Cameras
24X7 security staff
Barriers
Fencing
Alarms
Two-factor access control:
Biometric readers & card
readers
Security operations center
Days of backup power
Seismic bracing
BuildingPerimeter Computer room
https://www.microsoft.com/en-us/cloud-platform/global-datacenters

21. Architected for Secure Multi-tenancy
AZURE:
• Centrally manages the platform and isolates
customer environments using the Fabric
Controller
• Runs a configuration-hardened version of
Windows Server as the Host OS
• Uses Hyper-V Windows Server 2012 R2 - a
battle tested and enterprise proven
hypervisor
• Runs Windows Server on Guest VMs for
platform services
CUSTOMER:
• Manages their environment through service
management interfaces and subscriptions
• Chooses from the gallery or brings their own
OS for their Virtual Machines
Azure
Storage
SQL
Database
Fabric
Controller
Customer
Admin
Guest VM Guest VM
Customer 2
Guest VM
Customer 1
Portal
Smart API
End
Users
Host OS
Hypervisor
Microsoft Azure

22. ExpressRoute Connections
Customer 1
Isolated Virtual
Network
Deployment X
Microsoft Azure
Site 1
ExpressRoute
Peer
Site 2
WAN
AZURE:
• Offers private WAN connections via
ExpressRoute
• Enables access to Compute,
Storage, and other Azure services
CUSTOMERS:
• Can establish connections to Azure
at an ExpressRoute location
(Exchange Provider facility)
• Can directly connect to Azure from
your existing WAN network (such
as a MPLS VPN) provided by a
network service provider
• Manages certificates, policies, and
user access
https://azure.microsoft.com/en-us/services/expressroute/

23. VPN Connections
Customer 1
Isolated Virtual
Network
Deployment X
Microsoft Azure
VPN
Remote
Workers
Customer Site
Computers
Behind Firewall
AZURE:
• Enables connection from customer
sites and remote workers to Azure
Virtual Networks using Site-to-Site
and Point-to-Site VPNs
CUSTOMERS:
• Configures the P2S VPN client in
Windows
• Manages certificates, policies, and
user access
https://azure.microsoft.com/en-us/services/vpn-gateway/

24. Firewall Protection
Customer 1
Application Tier
Logic Tier
Database Tier
Virtual Network
Cloud Access Layer
AZURE:
• Controls access from the Internet, permits
traffic only to endpoints, and provides
load balancing and NAT at the Cloud
Access Layer
• Isolates traffic and provides intrusion
defense through a distributed firewall
• Defines access controls between tiers and
provides additional protection via the OS
firewall
CUSTOMER
• Applies corporate firewall using site-to-
site VPN
Client
443
443
VPN
Corp
Firewall
INTERNET
Microsoft Azure
https://www.microsoft.com/en-us/trustcenter/security/networksecurity

25. • Enables network segmentation & DMZ
scenarios
• Access Control Lists & Network traffic rules
as security group
• Security groups associated with Virtual
machines, Network Interfaces, or virtual
machine subnets (not GW subnet)
• Rules define a 5-tuple
• Rules are separated into Inbound and
Outbound rules
• Rules applied in order of priority
• Network traffic rules updated independent
of Virtual machines
• Controlled access to and from Internet
Virtual Network
Backend
10.3/16
Mid-tier
10.2/16
Frontend
10.1/16
VPN
GW
Internet
On Premises 10.0/16
S2S
VPNs
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg

26. Encryption in Transit
AZURE:
• Encrypts most communication between
Azure datacenters
• Encrypts transactions through Azure Portal
using HTTPS
• Supports FIPS 140-2 ciphers
CUSTOMER:
• Can choose HTTPS for REST API
(recommended) for Storage
• Configures HTTPS endpoints for
application running in Azure
• Encrypts traffic between Web client and
server by implementing TLS on IIS
Azure
Portal
Azure
Data Center
Azure
Data Center
https://www.microsoft.com/en-us/trustcenter/security/encryption

27. AZURE:
• Applies regularly scheduled
updates to the platform
• Releases critical patches
immediately
• Rigorously reviews & tests all
changes
CUSTOMER:
• Applies similar patch
management strategies for their
Virtual Machines
Patch Management
Monthly MSRC
Patch Review
Patching
Rollout
Scanning
Audit
Validation
• Monitor 100,000+
vulnerability
reports
• Sourced from
customers &
worldwide network
of security
researchers
• Prioritize critical
updates
• Monthly OS
releases with
patches
• Reconciliation
report
• Resolution
summary
• Scanning &
reporting of all
Azure VMs
• Track & remediate
any findings

28. Antivirus/Antimalware
AZURE:
• Performs monitoring & alerting of
antimalware events for the platform
• Enables real time protection, on-
demand scanning, and monitoring
via Microsoft Antimalware for Cloud
Services and Virtual Machines
CUSTOMER:
• Configures Microsoft Antimalware or
an AV/AM solution from a partner
• Extracts events to SIEM
• Monitors alerts & reports
• Responds to incidents
Azure
Storage
Customer
Admin
Guest VM Cloud Services
Customer VMs
Portal
Smart API
Guest VM
Enable & configure
antimalware
Events
Extract Antimalware Health Events
to SIEM or other Reporting System
Event ID Computer Event Description Severity DateTime
1150 Machine1 Client in Healthy State
4 04/29/2014
2002 Machine2 Signature Updated Successfully
4 04/29/2014
5007 Machine3 Configuration Applied
4 04/29/2014
1116 Machine2 Malware Detected
1 04/29/2014
1117 Machine2 Malware Removed
1 04/29/2014
SIEM Admin View
Alerting & reporting
Microsoft Azure

30. Identity and Access Management with
Azure AD
AZURE:
• Provides enterprise cloud identity and
access management
• Enables single sign-on across cloud
applications
• Offers Multi-Factor Authentication for
enhanced security
CUSTOMER:
• Centrally manages users and access to
Azure, O365, and hundreds of pre-
integrated cloud applications
• Builds Azure AD into their web and
mobile applications
• Can extend on-premises directories to
Azure AD through synchronization
End Users
Active Directory
Azure
Active Directory Cloud Apps
https://www.microsoft.com/en-us/trustcenter/security/identity

31. https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure

32. Azure RBAC Enforcement Model
https://docs.microsoft.com/en-us/azure/azure-policy/azure-policy-introduction

33. Microsoft Employee Access Management
Pre-screened Admin
requests access
Leadership grants
temporary privilege
• No standing access to the platform and no access to customer Virtual Machines
• Grants least privilege required to complete task
• Multi-factor authentication required for all administration
• Access requests are audited and logged
Just in Time
&
Role-Based
Access
Microsoft Corporate
Network
Microsoft Azure
BLOBS
TABLES QUEUES
DRIVES

35. Blobs Files Disks Tables Queues
Object storage
Access via REST
File storage
Access via SMB, REST
IaaS VM VHD/ disks
Access via REST
NOSQL storage
Access via REST
Reliable Messaging
Access via REST
Streaming & random
object access scenarios
Lift n shift scenarios Persistent disks for
VMs
Premium option
KeyValue Store Scheduling async tasks

36. Hardware Datacenter Region
https://docs.microsoft.com/en-us/azure/architecture/resiliency/high-availability-azure-applications

37. Encryption at Rest
Virtual Machines:
• Boot and Data drives – Azure Disk
Encryption
• SQL Server – Transparent Data Encryption
• Files & folders - EFS in Windows Server
Storage:
• Blob Storage encryption
• Bitlocker encryption of drives for
import/export of data
• StorSimple with AES-256 encryption
Applications:
• Client Side encryption through .NET
Crypto API
• RMS SDK for file encryption by your
applications
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption

38. Azure Key Vault
Resource Providers
Data Encryption Keys (DEK)
Customer Owned
Service Owned
Key Encryption Keys (KEK)
Azure Active Directory
https://azure.microsoft.com/en-us/services/key-vault/

39. Data Deletion
Data Destruction
• Wiping is NIST 800-88 compliant
• Defective disks are destroyed at the datacenter
• Immediately removed from primary location
• Geo-replicated copy of the data removed asynchronously
• Customers can only read from disk space they have written to
Disk Handling
https://blogs.msdn.microsoft.com/walterm/2014/09/04/mic
rosoft-azure-data-security-data-cleansing-and-leakage/

41. Monitoring and Logging
AZURE:
• Performs monitoring & alerting of
security events for the platform
• Enables security data collection via
Monitoring Agent or Windows Event
Forwarding
CUSTOMER:
• Configures monitoring
• Exports events to SQL Database,
HDInsight or a SIEM for analysis
• Monitors alerts & reports
• Responds to incidents
Azure
Storage
Customer
Admin
Guest VM Cloud Services
Customer VMs
Portal
Smart API
Guest VM
Enable Monitoring Agent
Events
Extract event information to SIEM
or other Reporting System
Event ID Computer Event Description Severity DateTime
1150 Machine1 Example security event
4 04/29/2014
2002 Machine2 Signature Updated Successfully
4 04/29/2014
5007 Machine3 Configuration Applied
4 04/29/2014
1116 Machine2 Example security event
1 04/29/2014
1117 Machine2 Access attempted
1 04/29/2014
SIEM Admin View
Alerting & reporting
HDInsight
Microsoft Azure
https://www.microsoft.com/en-us/trustcenter/security/auditingandlogging

42. AZURE:
• Provides big data analysis of logs for
intrusion detection & prevention for the
platform
• Employs denial of service attack
prevention measures for the platform
• Regularly performs penetration testing
CUSTOMER:
• Can add extra layers of protection by
deploying additional controls, including
web application firewalls
• Conducts penetration testing of their
applications
Threat Detection
Customer Environment
Application Tier
Logic Tier
Database Tier
Virtual Network
INTERNET
VPN
Corp 1
Cloud Access & Firewall Layer
THREAT DETECTION: DOS/IDS Layer
DOS/IDS Layer
DOS/IDS Layer
DOS/IDS Layer
End Users
Microsoft Azure
https://www.microsoft.com/en-us/trustcenter/security/threatmanagement

43. Built-in Azure, no setup
required
• Automatically discover
and monitor security of
Azure resources
Gain insights for hybrid
resources
• Easily onboard resources running
in other clouds
and on-premises
https://azure.microsoft.com/en-us/services/security-center/

44. https://www.microsoft.com/en-us/trustcenter/security#How-
Microsoft-protects-your-data