Skip to main content
Azure
  • 3 min read

Azure’s layered approach to physical security

Azure helps provide a highly secure foundation, built from the ground up, to host your infrastructure, applications, and data.

This is the first blog in a 4-part blog post series on how Microsoft Azure provides a secure foundation.

We have heard from many customers that cloud security is one of their top concerns. Another thing we’ve heard from customers is that they want clarity around what they are responsible for securing in Azure and what Azure will do. Azure helps provide a highly secure foundation, built from the ground up, to host your infrastructure, applications, and data. We understand the importance of protecting customer data, which is why we are committed to helping secure the datacenters that contain your data. Microsoft has invested over a billion dollars into security, including the physical security of the Azure platform, so you can devote your time and resources towards other business initiatives. Over the next few months, as part of the secure foundation blog series, we’ll discuss the components of physical, infrastructure (logical) and operational security that help make up Azure’s platform. Today, we are focusing on physical security.

Physical security refers to how Microsoft designs, builds and operates datacenters in a way that strictly controls physical access to the areas where customer data is stored. Our datacenters are certified to comply with the most comprehensive portfolio of internationally-recognized standards and certifications of any cloud service provider. We have an entire division at Microsoft devoted to designing, building and operating the physical facilities supporting Azure. This team is invested in maintaining state-of-the-art physical security.

We take a layered approach to physical security. Datacenters managed by Microsoft have extensive layers of protection: access approval, at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. This layered approach reduces the risk of unauthorized users gaining physical access to data and the datacenter resources.

The first layer of physical security starts with requesting access prior to arriving at the datacenter. You must provide a valid business justification for your visit, such as compliance or auditing purposes. All requests are approved on a need-to-access basis by Microsoft employees. This is to help keep the number of individuals needed to complete a task in our datacenters to the bare minimum. Once permissions are granted, an individual only has access to the discrete area of the datacenter based on the approved business justification. Permissions are limited to a certain period of time and expire after the allowed time period.

The next layer of security is the building’s perimeter. When you arrive at a datacenter, you must go through a well-defined access point. Typically, tall fences made of steel and concrete encompass every inch of the perimeter. There are cameras around the datacenters, with a security team monitoring their videos 24/7 and 365 days of the year.

Once you gain access to the datacenter’s perimeter, you must pass additional security measures to enter the datacenter. The datacenter entrance is staffed with professional security officers who have undergone rigorous training and background checks. These security officers also routinely patrol the datacenter while they also monitor the videos of cameras inside the datacenter 24/7 and 365 days a year.. After you enter the building, you must pass two-factor authentication with biometrics to continue moving through the datacenter. If your identity is validated, you can enter the portion of the datacenter that you have approved access to and can stay there only for the duration of the time approved.

Once you arrive at the entrance to the requested part of the datacenter floor, you must pass a full body metal detection screening. To reduce the risk of unauthorized data entering or leaving the datacenter without our knowledge, only approved devices can make their way into the datacenter floor. Additionally, video cameras monitor the front and back of every virtual machine rack. Everything that you will do with your virtual machine will be tracked—the first time a hard disk goes into a virtual machine until it is cleaned and erased. Full body metal detection screening is repeated when you exit the datacenter floor. To leave the datacenter, you have to pass through an additional security scan.  

To help ensure that the cloud platform is secure, safeguarding our datacenters around the world is a top priority. We understand the importance of securing customer data and the risks of a security breach, which is why we have an invested over a billion dollars into world-class security, and why we will continue to grow these investments overtime. You can focus on your business priorities knowing your data and datacenter resources are highly secured.

To see the datacenter security in action for yourself, watch the following video.