Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications.

You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control (varies by service type).

Compliance: The largest portfolio of compliance standards and certifications in the industry.

Transparency: We explain what we do with your data, and how it is secured and managed, in clear, plain language.

The responsibilities and controls for the security of applications and networks vary by the service type.

SaaS: Microsoft operates and secures the infrastructure, host operating system, and application layers. Data is secured at datacenters and in transit between Microsoft and the customer. You control access and secure your data and identities, including configuring the set of application controls available in the cloud service.

PaaS: Microsoft operates and secures the infrastructure and host operating system layers. You control access and secure your data, identities, and applications, including applying any infrastructure controls available from the cloud service. You control all application code and configuration, including sample code provided by Microsoft or other sources.

IaaS: Microsoft operates and secures the base infrastructure and host operating system layers. You control access and secure data, identities, applications, virtualized operating systems, and any infrastructure controls available from the cloud service.

Private cloud (on-premises): Private clouds are on-premises solutions that are owned, operated, and secured by you. Private clouds differ from traditional on-premises infrastructure in that they follow cloud principles to provide cloud availability and flexibility.
Keys to success

Enterprise organizations benefit from taking a methodical approach to cloud security. This involves investing in core capabilities within the organization that lead to secure environments.

Governance & Security Policy
Microsoft recommends developing policies for how to evaluate, adopt, and use cloud services to minimize creation of inconsistencies and vulnerabilities that attackers can exploit. Ensure governance and security policies are updated for cloud services and implemented across the organization:
- Identity policies
- Data policies
- Compliance policies and documentation
- Administrative privilege

Identity Systems and Identity Management
Identity services provide the foundation of security systems. Most enterprise organizations use existing identities for cloud services, and these identity systems need to be secured at or above the level of cloud services.

Threat Awareness
Organizations face a variety of security threats with varying motivations. Evaluate the threats that apply to your organization and put them into context by leveraging resources like threat intelligence and Information Sharing and Analysis Centers (ISACs).

Your responsibility for security is based on the type of cloud service. The following chart summarizes the balance of responsibility for both Microsoft and the customer.

[Chart: Responsibility by service type. Columns: SaaS, PaaS, IaaS, On-prem. Legend: Microsoft, Customer. Rows:]
- Data governance & rights management
- Client endpoints
- Account & access management
- Identity & directory infrastructure
- Application
- Network controls

Learn more: Security in a Cloud-Enabled World, Microsoft Virtual Academy, http://aka.ms/securecustomermva
[Compliance chart: standards and certifications listed are ISO 27018, SOC 1 Type 2, SOC 2 Type 2, CSA STAR 1, United States Government (FedRAMP, CJIS, DoD DISA Level 2 and Level 4, ITAR, IRS 1075, FERPA (N/A)), UK G-Cloud v6, Singapore MTCS, and Japan FISC. The per-service coverage marks are not in the extracted text.]
August 2016. © 2016 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at ITSPdocs@microsoft.com.

Microsoft Cloud Security: What IT architects need to know about security and trust in Microsoft cloud services and platforms
Microsoft's role

Microsoft is committed to the privacy and security

Data Privacy

Data ownership: It's your data. We define customer data as all the data (including all text, sound, software, or image files) that a customer provides, or that is provided on customers' behalf, to Microsoft through use of the Online Services.

Data access: You are in control of your data. You have control over where your data is stored and how it is securely accessed and deleted. Depending on the service, you choose where your data is stored geographically.

Data use: We do not use customer data for purposes unrelated to providing the service, such as advertising. We have a No Standing Access policy: access to customer data by Microsoft personnel is restricted, granted only when necessary for support or operations, and then revoked when no longer needed.

Privacy reviews: As part of the development process, privacy reviews are performed to verify that privacy requirements are adequately addressed. This includes verifying the presence of privacy-related features that allow customers to control who can access their data and configure the service to meet the customer's regulatory privacy requirements.

Disclosure of government request for data: If a government approaches us for access to customer data, we redirect the inquiry to you, the customer, whenever possible. We have and will challenge in court any invalid legal demand that prohibits disclosure of a government request for customer data. Learn more: Law Enforcement Requests Report.

Data portability: It's your data, so if you ever choose to leave the service, you can take your data with you and have it deleted permanently from our servers. Read more: Protecting Data and Privacy in the Cloud.

Learn more: Operational Security for Online Services (OSA).
1. Security strategy, governance, and operationalization: Provide clear vision, standards, and guidance for your organization

A. Develop cloud security policies
Policies enable you to align your security controls with your organization's goals, risks, and culture. Policies should provide clear, unequivocal guidance to enable good decisions by all practitioners.
- Document security policies in enough detail to guide personnel into quick and accurate decisions while adopting and managing cloud services. Ensure you have sufficient detail on policy areas that are well-established and critically important to your security posture.
- Balance security and usability. Security controls that overly restrict the ability of admins and users to accomplish tasks will be worked around. Build buy-in through both threat education and inclusion in the security design process.
- Document protocols and processes for performing critically important security tasks such as using administrative credentials, responding to common security events, and recovering from significant security incidents.
- Embrace Shadow IT. Identify the unmanaged use of devices, cloud services, and applications. Identify business requirements that led to their use as well as the business risk that they bring. Work with business groups to enable required capabilities while mitigating risks.

B. Manage continuous threats
The evolution of security threats and changes require comprehensive operational capabilities and ongoing adjustments. Proactively manage this risk.
- Establish operational capabilities to monitor alerts, investigate incidents, initiate remediation actions, and integrate lessons learned.
- Build external context of threats using available resources such as threat intelligence feeds, Information Sharing and Analysis Centers (ISACs), and other means.
- Validate your security posture by authorized red team and/or penetration testing activity.
White paper: Microsoft Enterprise Cloud Red Teaming
White paper: Determined Adversaries and Targeted Attacks

C. Manage continuous innovation
The rate of capability releases and updates from cloud services requires proactive management of potential security impacts.
- Define a monthly cadence to review and integrate updates of cloud capabilities, regulatory and compliance requirements, evolving threats, and organizational objectives.
- Prevent configuration drift with periodic reviews to ensure technologies, configurations, and operational practices stay in compliance with your policies and protocols.

D. Contain risk by assuming breach
When planning security controls and security response processes, assume an attacker has compromised other internal resources such as user accounts, workstations, and applications. Assume an attacker will use these resources as an attack platform. Modernize your containment strategy by:
- Identifying your most critical assets such as mission-critical data, applications, and dependencies. Security for these must be at a higher level without compromising usability.
- Enhancing isolation between security zones by increasing rigor of exception management. Apply threat modelling techniques to all authorized exceptions and analysis of these application data flows, including identities used, data transmitted, application and platform trustworthiness, and ability to inspect interaction.
- Focusing containment within a security zone on preserving integrity of the administrative model rather than on network isolation.
2. Administrative control: Defend against the loss of control of your cloud services and on-premises systems

A. Least privilege admin model
Apply least privilege approaches to your administrative model, including:
- Limit the number of administrators or members of privileged groups.
- Delegate less privileges to accounts.
- Provide privileges on demand.
- Have existing administrators perform tasks instead of adding additional administrators.
- Provide processes for emergency access and rare use scenarios.
Securing Privileged Access
TechEd 2014: Privileged Access Management for Active Directory

B. Harden security dependencies
Security dependencies include anything that has administrative control of an asset. Ensure that you harden all dependencies at or above the security level of the assets they control. Security dependencies for cloud services commonly include identity systems, on-premises management tools, administrative groups and accounts, and workstations where these accounts log on.
Microsoft Advanced Threat Analytics

C. Use strong authentication
Use credentials secured by hardware or Multi-Factor Authentication (MFA) for all identities with administrative privileges. This mitigates the risk of stolen credentials being used to abuse privileged accounts.
Azure Multi-Factor Authentication
Authenticating identities without passwords through Microsoft Passport

D. Use dedicated admin accounts and workstations
Separate high impact assets from highly prevalent internet browsing and email risks:
- Use dedicated accounts for privileged administrative roles for cloud services and on-premises dependencies.
- Use dedicated, hardened workstations for administration of high-business impact IT assets.
- Do not use high privilege accounts on devices where email and web browsing take place.
Securing Privileged Access
White paper: Security Management in Microsoft Azure

E. Enforce stringent security standards
Administrators control significant numbers of organizational assets. Rigorously measure and enforce stringent security standards on administrative accounts and systems. This includes cloud services and on-premises dependencies such as Active Directory, identity systems, management tools, security tools, administrative workstations, and associated operating systems.

F. Monitor admin accounts
Closely monitor the use and activities of administrative accounts. Configure alerts for activities that are high impact as well as for unusual or rare activities.
White paper: Microsoft Azure Security and Audit Log Management
Auditing in Office 365

G. Educate and empower admins
Educate administrative personnel on likely threats and their critical role in protecting their credentials and key business data. Administrators are the gatekeepers of access to many of your critical assets. Empowering them with this knowledge will enable them to be better stewards of your assets and security posture.
3. (section heading not present in the extracted text)

A. Establish information protection priorities
The first step to protecting information is identifying what to protect. Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets anywhere they reside.
Trustworthy Computing: Data governance
Data classification toolkit
Information Protection for Office 365

B. Protect High Value Assets (HVAs)
Establish the strongest protection for assets that have a disproportionate impact on the organization's mission or profitability. Perform stringent analysis of HVA lifecycle and security dependencies, and establish appropriate security controls and conditions.

C. Find and protect sensitive assets
Identify and classify sensitive assets. Define the technologies and processes to automatically apply security controls.
Encryption in Office 365
Azure Rights Management
Windows 10 Enterprise Data Protection
Overview of data loss prevention policies
Office 365 Reports
Document fingerprinting
Azure Key Vault
Always Encrypted (Database Engine)
Active Directory Rights Management Service

D. Set organizational minimum standards
Establish minimum standards for trusted devices and accounts that access any data assets belonging to the organization. This can include device configuration compliance, device wipe, enterprise data protection capabilities, user authentication strength, and user identity.
Manage access to email and SharePoint with Microsoft Intune

E. Establish user policy and education
Users play a critical role in information security and should be educated on your policies and norms for the security aspects of data creation, classification, compliance, sharing, protection, and monitoring.
4. User identity and device security: Strengthen protection of accounts and devices

A. Use strong authentication
Use credentials secured by hardware or Multi-Factor Authentication (MFA) for all identities to mitigate the risk that stolen credentials can be used to abuse accounts. This applies to:
- User identities hosted in Azure Active Directory (Azure AD).
- On-premises accounts whose authentication is federated from on-premises Active Directory.
Azure Multi-Factor Authentication
Microsoft Passport and Windows Hello

B. Manage trusted and compliant devices
Establish, measure, and enforce modern security standards on devices that are used to access corporate data and assets. Apply configuration standards and rapidly install security updates to lower the risk of compromised devices being used to access or tamper with data.
Manage device compliance policies for Microsoft Intune
Microsoft Security Compliance Manager (SCM)
Enhanced Mitigation Experience Toolkit (EMET)

C. Educate, empower, and enlist users
Users control their own accounts and are on the front line of protecting many of your critical assets. Empower your users to be good stewards of organizational and personal data. At the same time, acknowledge that user activities and errors carry security risk that can be mitigated but never completely eliminated. Focus on measuring and reducing risk from users.
- Educate users on likely threats and their role in protecting business data.
- Increase adversary cost to compromise user accounts.
- Explore gamification and other means of increasing user engagement.

D. Monitor for account and credential abuse
One of the most reliable ways to detect abuse of privileges, accounts, or data is to detect anomalous activity of an account. Identify activity that is normal and physically possible. Alert on unusual activity to enable rapid investigation and response. For accounts in Azure AD, use the integrated analytics to detect unusual activity.
White paper: Microsoft Azure Security and Audit Log Management
Auditing in Office 365
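The monitoring guidance in 2.F (alert on high-impact and rare admin activity) and 4.D (alert on activity that is not normal or not physically possible) can be illustrated with one small detector. This is an added example, not code from the Microsoft poster or any Microsoft product: the record format, the list of high-impact operations, the 900 km/h threshold and the sample records are all constructed for the illustration.

```python
# Added example, not Microsoft's code: a minimal anomaly pass over constructed
# sign-in/audit records that flags high-impact admin operations, operations an
# account has never performed before, and physically impossible travel.
from collections import namedtuple
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

Event = namedtuple("Event", "ts user op lat lon")
HIGH_IMPACT = {"Add member to role", "Reset user password"}  # hypothetical list
MAX_KMH = 900  # faster than this between two sign-ins is not physically possible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def parse(line):
    """Constructed record format: ISO-time|user|operation|latitude|longitude."""
    ts, user, op, lat, lon = line.split("|")
    return Event(datetime.fromisoformat(ts), user, op, float(lat), float(lon))

def detect(lines, baseline_ops):
    """Return (user, reason) alerts; baseline_ops maps user -> set of normal operations."""
    alerts, last_seen = [], {}
    for ev in sorted(map(parse, lines), key=lambda e: e.ts):
        if ev.op in HIGH_IMPACT:            # always alert on high-impact actions
            alerts.append((ev.user, f"high-impact: {ev.op}"))
        if ev.op not in baseline_ops.get(ev.user, set()):  # rare for this account
            alerts.append((ev.user, f"rare: {ev.op}"))
        prev = last_seen.get(ev.user)
        if prev is not None:                # impossible travel since the last event
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if hours > 0 and km / hours > MAX_KMH:  # hours > 0 avoids divide-by-zero
                alerts.append((ev.user, f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last_seen[ev.user] = ev
    return alerts

SAMPLE = [  # constructed records, not real telemetry
    "2016-08-01T09:00:00|admin1|Sign-in|47.61|-122.33",          # Seattle
    "2016-08-01T09:30:00|admin1|Sign-in|52.52|13.40",            # Berlin, 30 minutes later
    "2016-08-01T10:00:00|admin1|Add member to role|52.52|13.40",
    "2016-08-01T10:05:00|user2|Sign-in|47.61|-122.33",
]
BASELINE = {"admin1": {"Sign-in"}, "user2": {"Sign-in"}}  # learned from a quiet period

if __name__ == "__main__":
    for user, reason in detect(SAMPLE, BASELINE):
        print(user, reason)
```

Running it on the sample yields three alerts for admin1 (impossible travel, then the high-impact and never-before-seen role change) and none for user2, which is the triage order the poster asks for: high-impact and physically implausible events first.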
More Microsoft cloud IT resources:
- Services and Platform Options: aka.ms/cloudarchoptions
- Identity: aka.ms/cloudarchidentity
- Networking: aka.ms/cloudarchnetworking
- Hybrid: aka.ms/cloudarchhybrid