Microsoft Azure Trust Center

Last Updated: February 2014

Security

Azure runs in geographically dispersed datacenters that comply with key industry standards, such as ISO/IEC 27001:2005, for security and reliability. They are managed, monitored, and administered by Microsoft operations staff who have years of experience in delivering the world’s largest online services with 24 x 7 continuity.

In addition to datacenter, network, and personnel security practices, Azure incorporates security practices at the application and platform layers to enhance security for application developers and service administrators.

Standard Response to Request for Information: Security and Privacy

The Cloud Security Alliance published the Cloud Control Matrix (CCM) to support customers in the evaluation of cloud services. In response to this publication, Microsoft has created a white paper to outline how Azure security controls map to the CCM controls framework, providing customers with in-depth information on Azure security policies and procedures. Please see the Azure Cloud Security Alliance STAR submission for more information.

Azure Security Incident and Abuse Reporting

To report suspected security issues or abuse of Azure, please contact the cert.microsoft.com team, which is available 24x7.

Penetration Testing

Microsoft conducts regular penetration testing to improve Azure security controls and processes. We understand that security assessment is also an important part of our customers' application development and deployment. Therefore, we have established a policy for customers to carry out authorized penetration testing on their applications hosted in Azure. Because such testing can be indistinguishable from a real attack, it is critical that customers conduct penetration testing only after obtaining approval in advance from Azure Customer Support. Penetration testing must be conducted in accordance with our terms and conditions. Requests for penetration testing should be submitted with a minimum of 7 days' advance notice.

To learn more or to initiate penetration testing, please download the Penetration Testing Approval Form and then contact Azure Customer Support.

Security Resources for Azure

Technical Overview of the Security Features in the Azure Platform
This document provides a summary of some of the technical and organizational security measures for Azure.

Azure Security Overview
This in-depth paper provides a detailed discussion of some of the security features and controls implemented in Azure.

Security Best Practices for Developing Azure Applications
This paper focuses on the recommended approaches for designing and developing secure applications for Azure.

Azure Network Security
This paper provides guidance on securing network communication for applications deployed in Azure, enabling customers to determine how best to protect their virtual infrastructure and data.

Azure Data Security (Cleansing and Leakage)
This blog posting details procedures implemented in Azure to prevent data leakage or exposure of customer data upon data deletion.

Azure Security Notes
This document from the Patterns and Practices team provides solutions for securing common application scenarios on Azure.

Crypto Services and Data Security in Azure
This MSDN article provides an overview of cryptography concepts and related security in Azure.

Azure: Understanding Security Account Management in Azure
Cloud computing relieves some of the security burden, but you still have an active role in managing access, securing communications and ensuring data protection. This TechNet article covers best practices for creating and managing administrative accounts, using certificates for authentication, and handling transitions when employees begin or terminate employment.

Securing and Authenticating a Service Bus Connection
This MSDN Library article discusses how to develop applications that use the Azure Service Bus to perform secure connections.

Scenarios and Solutions Using Azure Active Directory Access Control
This section of the MSDN Library contains articles that discuss how to use the Azure Active Directory Access Control for securing web applications, single sign-on, user authorization, and more.

Security Guidelines for SQL Database
This paper provides an overview of security guidelines for customers who connect to SQL Database (formerly SQL Azure), and who build secure applications on SQL Database.

Business Continuity for Azure
This MSDN article provides guidance on how to use Azure to achieve business continuity and disaster recovery goals.

Business Continuity in SQL Database
This MSDN article describes the business continuity capabilities provided by SQL Database (formerly SQL Azure). The purpose of creating database backups is to enable you to recover from data loss caused by the failure of individual servers and devices, unwanted data modifications and deletions, and widespread loss of datacenter facilities.