Microsoft has decades-long experience building enterprise software and running some of the largest online services in the world. It has leveraged this to implement and continuously improve security-aware software development, operational management, and threat mitigation practices that are essential to the strong protection of data in the cloud.
Security is built into Azure from the ground up, starting with the Secure Development Lifecycle, a mandatory development process that embeds security requirements into every phase of the development process. We help ensure that the Azure infrastructure is resilient to attack by mandating that our operational activities follow the rigorous security guidelines laid out in the Operational Security Assurance (OSA) process.
Design and operational security
Microsoft Azure security begins with a trustworthy technology foundation. Microsoft designs its software for security from the ground up and helps ensure that the Azure infrastructure is resilient to attack. We assume breaches of our systems as a security strategy, and our global incident response team works around the clock to mitigate the effects of any attacks against the security of Azure. These are backed by centers of excellence that fight digital crime, respond to security incidents and vulnerabilities in Microsoft software, and combat malware.
Identity and access
To help you manage and safeguard user access to your environments, data, and applications, you can federate user identities to Azure Active Directory and enable multi-factor authentication for more secure sign-in.
Azure Active Directory is a comprehensive identity and access management cloud solution that helps secure access to your data and on-premises and cloud applications, and simplify the management of users and groups. It combines core directory services, advanced identity governance, security, and application access management. Azure Active Directory also makes it easy for developers to build policy-based identity management into their applications.
Azure multi-factor authentication requires the use of more than one verification method to authenticate a user. Azure helps safeguard user access to data and applications with this extra layer of authentication for both on-premises and cloud applications. It delivers strong authentication with a range of easy verification options while meeting user demand for a simple sign-in process.
Encryption and key management
Technological safeguards, such as encrypted communications and operation processes, help keep customer data secure. You have the flexibility to implement additional encryption and manage your own keys.
For data in transit, Azure uses industry-standard transport protocols between user devices and Microsoft datacenters, and within datacenters themselves. You can enable encryption for traffic between your own virtual machines (VMs) and end users. With virtual networks, you can use industry-standard IPsec protocol to encrypt traffic between your corporate VPN gateway and Azure.
For data at rest, Azure offers a wide range of encryption capabilities up to AES-256, giving you the flexibility to choose the solution that best meets your needs.
Azure Key Vault helps you easily and cost-effectively streamline key management and maintain control of keys used by cloud apps and services to encrypt data.
Learn more about Azure Key Vault
Azure networking provides the infrastructure necessary to securely connect VMs to one another and to connect on-site datacenters with Azure VMs. Azure blocks unauthorized traffic to and within Microsoft datacenters, using a variety of technologies such as firewalls, partitioned local area networks (LANs), and the physical separation of back-end servers from public-facing interfaces.
Azure Virtual Network extends your on-premises network to the cloud through site-to-site VPN, much the way you’d set up and connect to a remote branch office. You control the network topology, including configuration of DNS and IP address ranges, and manage it just like your on-site infrastructure. Azure Virtual Network enables you to assign multiple deployments within a subscription to a virtual network and allow those deployments to communicate with each other using private IP addresses. Each virtual network is isolated from other virtual networks.
To protect against online threats, Azure offers Microsoft Antimalware for cloud services and virtual machines, and uses detection and mitigation techniques to protect against DDoS attacks. Customers can also run antimalware solutions from partners on their VMs.
Monitoring, logging, and reporting
To help you manage the large amount of information generated by devices within the Azure environment, Azure offers centralized monitoring and analysis systems that provide continuous visibility and timely alerts to the teams who manage the service.
In addition to the robust security capabilities built into Azure, the Azure Marketplace offers a rich array of additional security products built by our partners for Azure.
Microsoft conducts regular penetration testing to improve Azure security controls and processes. However, we understand that security assessment is also an important part of our customers' application development and deployment. So, we have established a policy for you to carry out authorized penetration testing on your applications hosted in Azure. Because such testing can be indistinguishable from a real attack, it is critical that customers conduct penetration testing only after getting advance approval from Azure Customer Support. You must conduct penetration testing in accordance with our terms and conditions, and requests should be submitted with a minimum of seven-day advance notice.