Technology | Dec 30, 2009

Windows Azure – Security

Credera Team

Security is essential to any computing environment, and Windows Azure is no different. In any given field, experience is the key element to success, and Microsoft has more experience in the delivery and consumption of online services than any other company out there. Microsoft has been managing online computing environments since 1994, when MSN was launched. They have partnerships in place in over 100 countries that enable them to remain compliant with standards and requirements, and they provide services to hundreds of millions of customers around the world on any given day. These partnerships and this global exposure ensure that Microsoft exercises the most stringent compliance with standards and security practices. The Microsoft Information Security Program draws on more than 15 years of experience and is constantly maintained and updated based on threats and security evaluations.

The Microsoft Online Services Security and Compliance (OSSC) team manages ongoing risk analysis and security control. The OSSC team is responsible for enabling trustworthy online services through Azure. This team has deployed a defense-in-depth approach to security that includes regular risk management reviews, development and maintenance of a security control framework, and ongoing collaboration with law enforcement entities around the world. This process is not new with Azure – it has been in place since MSN was launched in 1994. Microsoft has been maintaining Global Foundation Services (GFS) for years, and GFS provides the foundation for MSN, Windows Live and now the Windows Azure platform. Their practices are tried and true, and have proven successful for hundreds of millions of users.

Physical security, which provides for data privacy and service availability, is provided by multiple perimeters, with access becoming more restricted at each perimeter. A least-privilege security policy ensures that only essential personnel actually get near the equipment. Security measures include passwords, hardware tokens, smart cards and biometrics.

Specialized hardware such as load balancers, firewalls, and intrusion prevention devices ensure the integrity and security of the cloud network.  The infrastructure actively prevents denial of service attacks and uses gateway functions on dedicated hardware to perform packet inspection and take actions such as blocking suspicious activity.  A globally redundant internal and external DNS infrastructure provides for fault tolerance while additional security controls prevent distributed denial of service attacks and protect the integrity of DNS services.  Continuous monitoring for unauthorized software and DNS zone configuration changes as well as other disruptive service events ensures a secure, reliable DNS environment.

Microsoft classifies information assets to determine the strength of the security controls applied to data. A matrix of business impact and data sensitivity in the event of compromise is used to classify data. For example, assets in the moderate-impact category are subject to encryption requirements when they reside on removable media or are involved in external network transfers. High-impact data is additionally subject to encryption requirements for storage and for internal system or network transfers. In Azure, symmetric encryption requires keys longer than 128 bits, while asymmetric encryption requires keys that are at least 2,048 bits long.
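As an added example, not code from the original post or from Microsoft or Credera: a stdlib-only Python check of the key-length floors stated above, which reads an RSA public key's modulus size out of its PKCS#1 DER encoding rather than trusting a label or file name. The sample keys are constructed with placeholder moduli (not real keys), and the helper names are this example's own.

```python
# Added example, not from the original post or from Microsoft: enforce the
# key-length floors the post states for Azure by inspecting the keys themselves.
SYMMETRIC_MIN_BITS_EXCLUSIVE = 128   # symmetric keys must be MORE than 128 bits
ASYMMETRIC_MIN_BITS = 2048           # asymmetric keys must be AT LEAST 2,048 bits

def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der: bytes) -> int:
    """Modulus size of a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    tag, body, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _der_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()  # leading 0x00 pad is harmless

def symmetric_key_ok(key: bytes) -> bool:
    """True when a symmetric key is longer than 128 bits (AES-256 passes, AES-128 does not)."""
    return len(key) * 8 > SYMMETRIC_MIN_BITS_EXCLUSIVE

def rsa_key_ok(der: bytes) -> bool:
    """True when the RSA modulus is at least 2,048 bits."""
    return rsa_modulus_bits(der) >= ASYMMETRIC_MIN_BITS

# Constructed sample keys for the demo (placeholder moduli, NOT real keys).
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    return b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")

def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    b = b"\x00" + b if b[0] & 0x80 else b                # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b

def make_rsa_public_der(modulus: int, exponent: int = 65537) -> bytes:
    body = _der_int(modulus) + _der_int(exponent)
    return b"\x30" + _der_len(len(body)) + body

WEAK_RSA = make_rsa_public_der((1 << 1023) | 1)   # 1024-bit modulus: fails the floor
OK_RSA = make_rsa_public_der((1 << 2047) | 1)     # 2048-bit modulus: meets the floor
```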