
Microsoft Cloud Security for Enterprise Architects

What IT architects need to know about security and trust in Microsoft cloud services and platforms

This topic is 1 of 5 in a series

Introduction to Security in a Cloud-Enabled World

Security in the cloud is a partnership
The security of your Microsoft cloud services is a partnership between you and Microsoft.

Microsoft
Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications.

You
You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control (varies by service type).

Microsoft's Trusted Cloud principles
• Safeguarding your data with state-of-the-art technology, processes, and encryption is our priority.
• Privacy & Control: Privacy by design with a commitment to use customers' information only to deliver services and not for
• Compliance: The largest portfolio of compliance standards and certifications in the industry.
• Transparency: We explain what we do with your data, and how it is secured and managed, in clear, plain language.

The responsibilities and controls for the security of applications and networks vary by the service type.

SaaS (Software as a Service)
Microsoft operates and secures the infrastructure, host operating system, and application layers. Data is secured at datacenters and in transit between Microsoft and the customer.
You control access and secure your data and identities, including configuring the set of application controls available in the cloud.

PaaS (Platform as a Service)
Microsoft operates and secures the infrastructure and host operating system layers.
You control access and secure your data, identities, and applications, including applying any infrastructure controls available from the cloud service.
You control all application code and configuration, including sample code provided by Microsoft or other sources.

IaaS (Infrastructure as a Service)
Microsoft operates and secures the base infrastructure and host operating system layers.
You control access and secure data, identities, applications, virtualized operating systems, and any infrastructure controls available from the cloud service.

Private cloud
Private clouds are on-premises solutions that are owned, operated, and secured by you. Private clouds differ from traditional on-premises infrastructure in that they follow cloud principles to provide cloud availability and flexibility.

Keys to success
Enterprise organizations benefit from taking a methodical approach to cloud security. This involves investing in core capabilities within the organization that lead to secure environments.

Governance & Security Policy
Microsoft recommends developing policies for how to evaluate, adopt, and use cloud services to minimize creation of inconsistencies and vulnerabilities that attackers can exploit.
Ensure governance and security policies are updated for cloud services and implemented across the organization:
• Identity policies
• Data policies
• Compliance policies and documentation

Administrative Privilege Management
Your IT administrators have control over the cloud services and identity management services. Consistent access control policies are a dependency for cloud security.
Privileged accounts, credentials, and workstations where the accounts are used must be protected and monitored.

Identity Systems and Identity Management
Identity services provide the foundation of security systems. Most enterprise organizations use existing identities for cloud services, and these identity systems need to be secured at or above the level of cloud services.

Threat Awareness
Organizations face a variety of security threats with varying motivations. Evaluate the threats that apply to your organization and put them into context by leveraging resources like threat intelligence and Information Sharing and Analysis Centers (ISACs).

Data Protection
You own your data and control how it should be used, shared, updated, and published.
You should classify your sensitive data and ensure it is protected and monitored with appropriate access control policies wherever it is stored and while it is in transit.

Your responsibility for security is based on the type of cloud service. The following chart summarizes the balance of responsibility for both Microsoft and the customer.

[Chart: Responsibility by service type. Columns: SaaS, PaaS, IaaS, On-prem. Legend: Microsoft, Customer. Rows:]
• Data governance & rights management
• Client endpoints
• Account & access management
• Identity & directory infrastructure
• Application
• Network controls
• Operating system
• Physical hosts
• Physical network
• Physical datacenter

Security in a Cloud-Enabled World
Microsoft Virtual Academy

See pages 2-5 for more information and resources.

August 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop

This topic is 2 of 5 in a series

Top security certifications

Many international, industry, and regional organizations independently certify that Microsoft cloud services and platforms meet rigorous security standards and are trusted. By providing customers with compliant, independently verified cloud services, Microsoft also makes it easier for you to achieve compliance for your infrastructure and applications.

This page summarizes the top certifications. For a complete list of security certifications and more information, see the Microsoft Trust Center.
View compliance by service

Columns: Regulatory and Compliance Domain, Office 365, Microsoft Azure, Microsoft Dynamics 365, Microsoft Intune

Broadly Applicable
• ISO 27001
• ISO 27017
• ISO 27018
• SOC 1 / SOC 2 / SOC 3
• CSA Star

United States
Level 4 Level 4
• FDA 21 CFR Part 11
• IRS 1075

Industry Specific
• HIPAA / HITECH
• PCI DSS Level 1 N/A N/A N/A

Region/Country Specific
• EU Model Clauses
• UK G-Cloud v6
• Australia CCSL (IRAP)
• Singapore MTCS
• Japan FISC
• New Zealand GCIO
• Spain ENS
• China DJCP

This topic is 3 of 5 in a series

Microsoft's role
Microsoft is committed to the privacy and security of your data and applications in the cloud

Through industry-leading security practices and unmatched experience running some of the largest online services around the globe, Microsoft delivers enterprise cloud services customers can trust.
Decades of engineering experience have enabled Microsoft to develop leading-edge best practices in the design and management of online services. This model summarizes Microsoft's comprehensive approach, starting with your data and drilling down to the physical media and datacenters. Be sure to review the customer responsibilities to learn about your role in the security

Data Privacy

Data ownership
It's your data.
We define customer data as all the data (including all text, sound, software, or image files) that a customer provides, or that is provided on customers' behalf, to Microsoft through use of the Online Services.

Data use
We do not use customer data for purposes unrelated to providing the service, such as advertising. We have a No Standing Access policy — access to customer data by Microsoft personnel is restricted, granted only when necessary for support or operations, and then revoked when no longer needed.

Data access
You are in control of your data. You have control over where your data is stored and how it is securely accessed and deleted. Depending on the service, you choose where your data is stored geographically.

Privacy reviews
As part of the development process, privacy reviews are performed to verify that privacy requirements are adequately addressed. This includes verifying the presence of privacy-related features that allow customers to control who can access their data and configure the service to meet the customer's regulatory privacy requirements.

Disclosure of government request for data
If a government approaches us for access to customer data, we redirect the inquiry to you, the customer, whenever possible. We have and will challenge in court any invalid legal demand that prohibits disclosure of a government request for customer data.
Law Enforcement Requests Report

Data portability
It's your data, so if you ever choose to leave the service, you can take your data with you and have it deleted permanently from our servers.

Protecting Data and Privacy in the Cloud

Data encryption and rights management

Data in transit
Best-in-class encryption is used to help secure data in transit between datacenters and you, as well as at Microsoft datacenters. Additionally, customers can enable Perfect Forward Secrecy (PFS). PFS uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections.

Data at rest
Office 365 and other SaaS services use encryption at rest to protect your data on Microsoft servers.

Encryption for Azure-based solutions
For Azure-based solutions, you can choose to implement additional encryption using a range of approaches — you control the encryption method and keys. Built-in TLS cryptography enables customers to encrypt communications within and between deployments, from Azure to on-premises datacenters, and from Azure to administrators and users.

Azure Key Vault
Safeguard cryptographic keys and other secrets used by cloud apps and services. Microsoft does not see or extract your keys.

Azure Rights Management (Azure RMS)
Azure RMS uses encryption, identity, and authorization policies to help secure your files and email. Protection stays with the files and emails, independently of the location — inside or outside your organization, networks, file servers, and applications.
• You can use Azure RMS with Office 365: SharePoint Online and Exchange Online.
• You can configure Azure RMS for your entire organization.
• You can bring your own key to comply with your organization policies.
Azure Rights Management

Identity and access

You control access to your data and applications
Microsoft offers comprehensive identity and access management solutions for customers to use across Azure and other services such as Office 365, helping them simplify the management of multiple environments and control user access across applications.

Azure Active Directory and Multi-Factor
Azure Active Directory enables customers to manage access to Azure, Office 365, and a world of other cloud apps. Multi-Factor Authentication and access monitoring offer enhanced security.

Third-party SaaS identity management
Azure AD enables easy integration and single sign-on to many of today's popular SaaS applications, such as Salesforce.

Software and services

Secure Development Lifecycle (SDL)
Privacy and security considerations are embedded through the SDL, a software development process that helps developers build more secure software and address security and privacy compliance requirements. The SDL includes:
• Risk assessments
• Attack surface analysis and reduction
• Threat modeling
• Incident response
• Release review and certification

Secure development across the Microsoft
Microsoft Azure, Office 365, Dynamics CRM Online, and all other enterprise cloud services use the processes documented in the SDL.
Security Development Lifecycle

Proactive testing and monitoring

Microsoft Digital Crimes Unit
Microsoft's Digital Crimes Unit (DCU) seeks to provide a safer digital experience for every person and organization on the planet by protecting vulnerable populations, fighting malware, and reducing digital risk.

Prevent Breach, Assume Breach
In addition to the Prevent breach practices of threat modeling, code reviews, and security testing, Microsoft takes an assume breach approach to protecting services and data:
• Simulate real-world breaches
• Live site penetration testing
• Centralized security logging and monitoring
• Practice security incident
Microsoft Enterprise Cloud Red Teaming

Microsoft Cyber Defense Operations Center

The Microsoft Cyber Defense Operations Center is a 24x7
cybersecurity and defense facility that unites our security experts
and data scientists in a centralized location. Advanced software
tools and real-time analytics help us protect, detect, and
respond to threats to Microsoft's cloud infrastructure, products
and devices, and our internal resources.

Datacenter infrastructure and networking security

Operational Security for Online Services (OSA)
OSA is a framework that focuses on infrastructure issues to help ensure secure operations throughout the lifecycle of cloud-based services.
Operational Security for Online Services

Private connection
Customers can use ExpressRoute to establish a private connection to Azure datacenters, keeping their traffic off the Internet.
Microsoft Azure ExpressRoute

Physical datacenter security

24-hour monitored physical security
Datacenters are physically constructed, managed, and monitored to shelter data and services from unauthorized access as well as environmental threats.

Zero standing privileges
Microsoft maintains a No Standing Access policy on customer data. We've engineered our products so that a majority of service operations are fully automated and only a small set of activities require human involvement. Access by Microsoft personnel is granted only when necessary for support or operations; access is carefully managed and logged, then revoked when no longer needed. Datacenter access to the systems that store customer data is strictly controlled via lock box processes.

Data destruction
When customers delete data or leave a service, they can take their data with them and have it deleted permanently from Microsoft servers. Microsoft follows strict standards for overwriting storage resources before reuse, as well as for the physical destruction of decommissioned hardware. Faulty drives and hardware are demagnetized and destroyed.

Video: Microsoft Cloud Azure Data Center(s) – The Inside 'Long' Tour

This topic is 4 of 5 in a series

Customer responsibilities and roadmap

Take a systematic approach to security for on-premises and in the cloud
While Microsoft is committed to the privacy and security of your data and applications in the cloud, customers must take an active role in the security partnership. Ever-evolving cybersecurity threats increase the requirements for security rigor and principles at all layers for both on-premises and cloud assets. Enterprise organizations are better able to manage and address concerns about security in the cloud when they take a systematic approach. Moving workloads to the cloud shifts many security responsibilities and costs to Microsoft, freeing your security resources to focus on the critically important areas of data, identity, strategy, and governance.

Refer to these example solutions for implementation guidance:
• Microsoft Security Guidance for Political Campaigns, Nonprofit Organizations, and Other Agile Organizations
• Microsoft 365 Enterprise Documentation

Important: How to use this page
This page includes a methodical list of actions that Microsoft recommends to defend your data, identities, and applications against cybersecurity threats. These actions are categorized and presented in a stack. Categories at the top of the stack apply across SaaS, PaaS, IaaS, and private cloud. The scope of categories decreases further down the stack.

Applies to: SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service), Private cloud

1. Security strategy, governance, and operationalization: Provide clear vision, standards, and guidance for your organization

A. Develop cloud security policies
Policies enable you to align your security controls with your organization's goals, risks, and culture. Policies should provide clear unequivocal guidance to enable good decisions by all practitioners.
• Document security policies in enough detail to guide personnel into quick and accurate decisions while adopting and managing cloud services. Ensure you have sufficient detail on policy areas that are well-established and critically important to your security posture.
• Balance security and usability. Security controls that overly restrict the ability of admins and users to accomplish tasks will be worked around. Build buy-in through both threat education and inclusion in the security design process.
• Document protocols and processes for performing critically important security tasks such as using administrative credentials, responding to common security events, and recovering from significant security incidents.
• Embrace Shadow IT. Identify the unmanaged use of devices, cloud services, and applications. Identify business requirements that led to their use as well as the business risk that they bring. Work with business groups to enable required capabilities while mitigating risks.

B. Manage continuous threats
The evolution of security threats and changes require comprehensive operational capabilities and ongoing adjustments. Proactively manage this risk.
• Establish operational capabilities to monitor alerts, investigate incidents, initiate remediation actions, and integrate lessons learned.
• Build external context of threats using available resources such as threat intelligence feeds, Information Sharing and Analysis Centers (ISACs), and other means.
• Validate your security posture by authorized red team and/or penetration testing activity.
White paper: Microsoft Enterprise Cloud Red Teaming

C. Manage continuous innovation
The rate of capability releases and updates from cloud services requires proactive management of potential security impacts.
• Define a monthly cadence to review and integrate updates of cloud capabilities, regulatory and compliance requirements, evolving threats, and organizational objectives.
• Prevent configuration drift with periodic reviews to ensure technologies, configurations, and operational practices stay in compliance with your policies and protocols.

D. Contain risk by assuming breach
When planning security controls and security response processes, assume an attacker has compromised other internal resources such as user accounts, workstations, and applications. Assume an attacker will use these resources as an attack platform.
Modernize your containment strategy by:
• Identifying your most critical assets such as mission-critical data, applications, and dependencies. Security for these must be at a higher level without compromising usability.
• Enhancing isolation between security zones by increasing rigor of exception management. Apply threat modelling techniques to all authorized exceptions and analysis of these application data flows including identities used, data transmitted, application and platform trustworthiness, and ability to inspect interaction.
• Focus containment within a security zone on preserving integrity of the administrative model rather than on network isolation.


Applies to: SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service), Private cloud

2. Administrative control: Defend against the loss of control of your cloud services and on-premises systems

A. Least privilege admin model
Apply least privilege approaches to your administrative model, including:
• Limit the number of administrators or members of privileged groups.
• Delegate less privileges to accounts.
• Provide privileges on demand just in time
• Have existing administrators perform tasks instead of adding additional administrators.
• Provide processes for emergency access and rare use scenarios.
Securing Privileged Access
Enable Azure AD Privileged Identity Management

B. Harden security dependencies
Security dependencies include anything that has administrative control of an asset. Ensure that you harden all dependencies at or above the security level of the assets they control. Security dependencies for cloud services commonly include identity systems, on-premises management tools, administrative groups and accounts, and workstations where these accounts log on.
Microsoft Advanced Threat Analytics

C. Use strong authentication
Use credentials secured by hardware, Multi-Factor Authentication (MFA), and conditional access for all identities with administrative privileges. This mitigates risk of stolen credentials being used to abuse privileged accounts.
Azure Multi-Factor Authentication
Conditional access in Azure Active Directory
Authenticating identities without passwords through Microsoft Passport

D. Use dedicated admin accounts and workstations
Separate high impact assets from highly prevalent internet browsing and email risks:
• Use dedicated accounts for privileged administrative roles for cloud services and on-premises dependencies.
• Use dedicated, hardened workstations for administration of high-business impact IT assets.
• Do not use high privilege accounts on devices where email and web browsing take place.
Securing Privileged Access
White paper: Security Management in Microsoft Azure

E. Enforce stringent security standards
Administrators control significant numbers of organizational assets. Rigorously measure and enforce stringent security standards on administrative accounts and systems. This includes cloud services and on-premises dependencies such as Active Directory, identity systems, management tools, security tools, administrative workstations, and associated operating systems.

F. Monitor admin accounts
Closely monitor the use and activities of administrative accounts. Configure alerts for activities that are high impact as well as for unusual or rare activities.
Enable Azure AD Privileged Identity Management
Cloud App Security

G. Educate and empower admins
Educate administrative personnel on likely threats and their critical role in protecting their credentials and key business data. Administrators are the gatekeepers of access to many of your critical assets. Empowering them with this knowledge will enable them to be better stewards of your assets and security posture.

3. Data: Identify and protect your most important information assets

A. Establish information protection priorities
The first step to protecting information is identifying what to protect. Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets anywhere they reside.
File Protection Solutions in Office 365
Information Protection for Office 365
Data classification toolkit

B. Protect High Value Assets (HVAs)
Establish the strongest protection for assets that have a disproportionate impact on the organization's mission or profitability. Perform stringent analysis of HVA lifecycle and security dependencies, and establish appropriate security controls and conditions.

C. Find and protect sensitive assets
Identify and classify sensitive assets. Define the technologies and processes to automatically apply security controls.
File Protection Solutions in Office 365
Secure SharePoint Online sites and files
Prevent data loss in Office 365
Manage data governance in Office 365
Azure Information Protection
Azure Key Vault
Always Encrypted (Database Engine)
SQL database dynamic data masking

D. Set organizational minimum standards
Establish minimum standards for trusted devices and accounts that access any data assets belonging to the organization. This can include device configuration compliance, device wipe, enterprise data protection capabilities, user authentication strength, and user identity.
Identity and Device Protection for Office 365
Recommended security policies and configurations for Microsoft 365

E. Establish user policy and education
Users play a critical role in information security and should be educated on your policies and norms for the security aspects of data creation, classification, compliance, sharing, protection, and monitoring.

4. User identity and device security: Strengthen protection of accounts and devices

A. Use Strong Authentication
Use credentials secured by hardware or Multi-Factor Authentication (MFA) for all identities to mitigate the risk that stolen credentials can be used to abuse accounts.
• User identities hosted in Azure Active Directory (Azure AD).
• On-premises accounts whose authentication is federated from on-premises Active Directory.
Azure Multi-Factor Authentication
Microsoft Passport and Windows Hello

B. Manage trusted and compliant devices
Establish, measure, and enforce modern security standards on devices that are used to access corporate data and assets. Apply configuration standards and rapidly install security updates to lower the risk of compromised devices being used to access or tamper with data.
Identity and Device Protection for Office 365 and other SaaS services
Recommended security policies and configurations for Microsoft 365

C. Educate, empower, and enlist users
Users control their own accounts and are on the front line of protecting many of your critical assets. Empower your users to be good stewards of organizational and personal data. At the same time, acknowledge that user activities and errors carry security risk that can be mitigated but never completely eliminated. Focus on measuring and reducing risk from users.
• Educate users on likely threats and their role in protecting business data.
• Increase adversary cost to compromise user
• Explore gamification and other means of increasing user engagement.
Protect your account and devices from hackers and malware

D. Monitor for account and credential abuse
One of the most reliable ways to detect abuse of privileges, accounts, or data is to detect anomalous activity of an account.
• Identify activity that is normal and physically possible. Alert on unusual activity to enable rapid investigation and response.
• Use Cloud App Security to detect and alert on anomalous activity.
• For accounts in Azure AD, use the integrated analytics to detect unusual activity.
Cloud App Security
White paper: Microsoft Azure Security and Audit Log Management
Auditing in Office 365
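
The advice in 4D to identify activity that is "physically possible" can be checked mechanically. The following is an added example, not Microsoft code or part of the original poster: it flags consecutive sign-ins by one account whose implied travel speed is impossible. The record layout, the thresholds, and the sample events are assumptions constructed for illustration.

```python
"""Flag consecutive sign-ins by one account that no traveller could have made."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0     # assumption: about the cruising speed of an airliner
MIN_DISTANCE_KM = 100.0   # assumption: ignore geo-IP jitter within one metro area


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    place: str            # analyst-facing label, e.g. the city from a geo-IP lookup


def haversine_km(a: SignIn, b: SignIn) -> float:
    """Great-circle distance between two sign-in locations."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(min(1.0, sqrt(h)))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, min_distance_km=MIN_DISTANCE_KM):
    """Return one alert per pair of consecutive sign-ins that implies an impossible speed."""
    alerts = []
    last_seen = {}                                   # user -> most recent SignIn
    for ev in sorted(events, key=lambda e: e.when):  # logs often arrive out of order
        prev = last_seen.get(ev.user)
        last_seen[ev.user] = ev
        if prev is None:
            continue
        distance = haversine_km(prev, ev)
        if distance < min_distance_km:
            continue
        hours = (ev.when - prev.when).total_seconds() / 3600.0
        # Simultaneous sign-ins from distant places: treat the speed as infinite.
        speed = float("inf") if hours == 0 else distance / hours
        if speed > max_speed_kmh:
            alerts.append({
                "user": ev.user,
                "from": prev.place,
                "to": ev.place,
                "distance_km": round(distance),
                "minutes_apart": round(hours * 60),
            })
    return alerts


def at_utc(hour, minute=0):
    """Timestamp on a fixed sample day, in UTC."""
    return datetime(2017, 8, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample sign-in records (not real log data).
SAMPLE_EVENTS = [
    SignIn("alice", at_utc(8, 0), 47.61, -122.33, "Seattle"),
    SignIn("alice", at_utc(8, 20), 47.67, -122.12, "Redmond"),
    SignIn("alice", at_utc(9, 0), 1.35, 103.82, "Singapore"),
    SignIn("bob", at_utc(8, 0), 51.51, -0.13, "London"),
    SignIn("bob", at_utc(11, 0), 48.86, 2.35, "Paris"),
    SignIn("carol", at_utc(8, 0), 40.71, -74.01, "New York"),
    SignIn("carol", at_utc(17, 0), 50.11, 8.68, "Frankfurt"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Sign-ins through VPN or proxy egress points report the egress location, so known corporate egress addresses need to be excluded or handled separately before alerting on this signal.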


Applies to: PaaS (Platform as a Service), IaaS (Infrastructure as a Service), Private cloud

5. Application security: Ensure application code is resilient to attacks

A. Secure applications that you acquire
• Review the security development processes and operational practices of vendors before acquiring applications. Build this into your acquisition process.
• Follow security configuration guidance and recommendations provided by the vendor for the application.
• Apply all vendor security updates as rapidly as your testing requirements allow. Be sure to update middleware and dependencies installed with the applications.
• Discontinue your use of software before it reaches end of support status.

B. Follow the Security Development Lifecycle (SDL)
Software applications with source code you develop or control are a potential attack surface. These include PaaS apps, PaaS apps built from sample code in Azure (such as WordPress sites), and apps that interface with Office 365.
Follow code security best practices in the Microsoft Security Development Lifecycle (SDL) to minimize vulnerabilities and their security impact.

6. Network: Ensure connectivity, isolation, and visibility into anomalous behavior

A. Update your network security strategy and architecture for cloud computing
Ensure your network architecture is ready for the cloud by updating your current approach or taking the opportunity to start fresh with a modern strategy for cloud services and platforms. Align your network strategy with your:
• Overall security strategy and governance
• Containment model and identity strategy
• Cloud services capabilities and constraints
Your design should address securing communications:
• Inbound from the Internet
• Between VMs in a subscription
• Across subscriptions
• To and from on-premises networks
• From remote administration hosts

B. Optimize with cloud capabilities
Cloud computing offers uniquely flexible network capabilities as topologies are defined in software. Evaluate the use of these modern cloud capabilities to enhance your network security auditability, discoverability, and operational flexibility.

C. Manage and monitor network security
Ensure your processes and technology capabilities are able to distinguish anomalies and variances in configurations and network traffic flow patterns. Cloud computing utilizes public networks, allowing rapid exploitation of misconfigurations that should be avoided or rapidly detected and corrected.
• Closely monitor and alert on exceptions.
• Apply automated means to ensure your network configuration remains correct and unusual traffic patterns are detected.

Microsoft Cloud Networking for Enterprise Architects
Azure security best practices and patterns
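
One way to apply "automated means to ensure your network configuration remains correct" (6C) is to compare the deployed inbound rules with an approved baseline on a schedule. This is an added example, not Microsoft code or part of the original poster; the rule schema, the rule names, and both rule sets are hypothetical and constructed for illustration, not an Azure export format.

```python
"""Compare deployed inbound network rules with an approved baseline."""
import ipaddress

MGMT_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM over HTTP and HTTPS

# Constructed baseline: the rule set approved by the security policy.
BASELINE = [
    {"name": "allow-https", "source": "0.0.0.0/0", "port": 443, "action": "allow"},
    {"name": "allow-rdp-admin", "source": "10.10.0.0/24", "port": 3389, "action": "allow"},
    {"name": "deny-all", "source": "0.0.0.0/0", "port": "*", "action": "deny"},
]

# Constructed snapshot of what is deployed now (hypothetical data).
DEPLOYED = [
    {"name": "allow-https", "source": "0.0.0.0/0", "port": 443, "action": "allow"},
    {"name": "allow-rdp-admin", "source": "0.0.0.0/0", "port": 3389, "action": "allow"},
    {"name": "allow-ssh-temp", "source": "203.0.113.0/24", "port": 22, "action": "allow"},
]


def internet_exposed_admin(rule):
    """True when an allow rule opens a management port to any source address."""
    if rule["action"] != "allow":
        return False
    any_source = ipaddress.ip_network(rule["source"]).prefixlen == 0
    admin_port = rule["port"] == "*" or rule["port"] in MGMT_PORTS
    return any_source and admin_port


def find_drift(baseline, deployed):
    """Return one finding per rule that was added, removed, or changed."""
    approved = {r["name"]: r for r in baseline}
    current = {r["name"]: r for r in deployed}
    findings = []
    for name in sorted(approved.keys() | current.keys()):
        want, have = approved.get(name), current.get(name)
        if want == have:
            continue                      # rule matches the baseline exactly
        if have is None:
            kind = "removed"
        elif want is None:
            kind = "added"
        else:
            kind = "changed"
        severity = "high" if have is not None and internet_exposed_admin(have) else "review"
        # Losing an approved deny rule silently widens access.
        if kind == "removed" and want["action"] == "deny":
            severity = "high"
        findings.append({
            "rule": name,
            "kind": kind,
            "severity": severity,
            "approved": want,
            "deployed": have,
        })
    return findings


if __name__ == "__main__":
    for f in find_drift(BASELINE, DEPLOYED):
        print(f["severity"].upper(), f["kind"], f["rule"])
```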

Applies to: IaaS (Infrastructure as a Service), Private cloud

7. Operating system and middleware: Protect integrity of hosts

A. Virtual operating system

Secure the virtual host operating system (OS) and middleware running
on virtual machines. Ensure that all aspects of the OS and middleware
security meet or exceed the level required for the host, including:
• Administrative privileges and practices
• Software updates for OS and middleware
• Security Configuration Baseline
• Use of Group Policy Objects (GPOs)
• Installation methods and media
• Use of scheduled tasks
• Anti-malware and intrusion detection/prevention
• Host firewall and IPsec configurations
• Event log configuration and monitoring

B. Virtual OS management tools

System management tools have full technical control of the host operating
systems (including the applications, data, and identities), making these a
security dependency of the cloud service. Secure these tools at or above
the level of the systems they manage. These tools typically include:
• Configuration Management
• Operations Management and Monitoring
• Backup
• Security Update and Patch Management

Microsoft Cloud Services and Network Security

Microsoft Azure Security blog
Azure security best practices and patterns


Applies to: Private cloud

8. Private cloud or on-premises environments: Secure the foundation

A. Physical network

Secure the networks you install and operate in your datacenters. Follow the
guidelines and principles outlined in the Operating system and middleware
section (above).

B. Fabric and datacenter identities

The accounts used to manage the fabric have technical control of the fabric,
making them a security dependency of the fabric and all the services hosted
on it. These include local and domain accounts with administrative privileges
over systems including:
• Active Directory domains where fabric resources are joined
• Virtualization host operating systems
• Fabric management tools

Follow the security guidelines in the Administrative privileges and identities
section (above) for these resources.

C. Server and device firmware

Firmware, the software embedded into the fabric hardware, is a security
dependency of cloud services and a potential attack vector. Validate and
harden this software, including the following:
• Baseboard Management Controllers (BMCs) for hardware lights out or remote access
• Server motherboard firmware
• Interface card firmware
• Dedicated appliance firmware/software

D. Storage

The security assurances of on-premises services depend on the security of the
storage systems. These include:
• Storage management tools
• Storage administrator accounts and groups
• Workstations used by storage administrators
• Storage device operating systems and firmware

Secure these systems at or above the level required for all applications,
identities, operating systems, and data hosted on them.

E. Physical operating systems and middleware

Operating systems and middleware installed on physical server hardware are a
security dependency of the services that run on them. Secure these resources
at or above the level required for the services and data hosted on the fabric
using the guidelines in the Operating system and middleware section (above).

F. Physical security

Physical security assurances of the hardware hosting a cloud service must be
at or above the level required for all of the applications, data, and
identities hosted on it. Physical security protects all of the security
dependencies, including:
• Server hardware
• Storage devices
• Network devices
• Administrative workstations
• Installation media
• Smart cards, one-time password tokens, and any passwords written on paper

G. Fabric management

The security assurances of the fabric are dependent on the security integrity
of the software and tools used to manage it. These can include:
• Configuration management
• Operations management
• Virtual machine management
• Backup

Secure these resources at or above the level required for the services and
data hosted on the fabric.

H. Virtualization solution

Virtual machines depend on the virtualization fabric for security assurances.
The fabric includes:
• Virtualization management tools
• Virtualization administrators
• Workstations used by these administrators
• VM host operating systems
• Firmware on the VM host hardware

Secure these systems at or above the level required for all applications,
identities, and data hosted on the virtualization solution.

For information about how Azure datacenters are secured, see:
• Trusted Cloud: Microsoft Azure Security, Privacy, and Compliance
• Operational Security for Online Services
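The rule repeated throughout this section, that anything with technical control of a system must be secured at or above the level of what it controls, can be checked mechanically against an asset inventory. The following is an added example, not Microsoft's code; the asset names, the numeric protection levels, and the control relationships are constructed assumptions for illustration.

```python
# Added illustration: inventory, levels and control edges are constructed, not from the page.
# Level each asset's own hosted data/services require (higher = stricter).
OWN_REQUIREMENT = {
    "payroll-vm": 3, "test-vm": 1, "vm-host-01": 1, "bmc-vm-host-01": 1,
    "vm-mgmt-tool": 1, "fabric-admin-workstation": 1, "backup-server": 1,
}
# Level each asset is actually secured to today.
SECURED_LEVEL = {
    "payroll-vm": 3, "test-vm": 1, "vm-host-01": 3, "bmc-vm-host-01": 1,
    "vm-mgmt-tool": 3, "fabric-admin-workstation": 2, "backup-server": 1,
}
# "Has technical control of" edges: controller -> assets it can fully control.
CONTROLS = {
    "bmc-vm-host-01": ["vm-host-01"],
    "vm-host-01": ["payroll-vm", "test-vm"],
    "vm-mgmt-tool": ["vm-host-01"],
    "fabric-admin-workstation": ["vm-mgmt-tool"],
    "backup-server": ["test-vm"],
}


def required_level(asset, own_requirement, controls):
    """Highest level required by the asset or anything it controls, transitively."""
    seen, stack, level = set(), [asset], 0
    while stack:
        node = stack.pop()
        if node in seen:  # tolerate cycles in the control graph
            continue
        seen.add(node)
        level = max(level, own_requirement.get(node, 0))
        stack.extend(controls.get(node, ()))
    return level


def find_gaps(own_requirement, secured_level, controls):
    """Return {asset: (secured, required)} for assets secured below what they control."""
    gaps = {}
    for asset in sorted(secured_level):
        need = required_level(asset, own_requirement, controls)
        if secured_level[asset] < need:
            gaps[asset] = (secured_level[asset], need)
    return gaps


if __name__ == "__main__":
    for name, (have, need) in find_gaps(OWN_REQUIREMENT, SECURED_LEVEL, CONTROLS).items():
        print(f"{name}: secured at level {have}, must be at least {need}")
```

In this constructed inventory the BMC and the fabric administrator's workstation are flagged: each inherits the highest requirement of the payroll VM through the host or management tool it controls.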

Microsoft Trust Center


August 2017 © 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop
This topic is 5 of 5 in a series

A Cloud Security Journey

Microsoft has extensive experience in cybersecurity and threat detection and
response. We provide professional services to our customers. The Microsoft
Services Cybersecurity team is a team of world-class architects, consultants,
and engineers that empowers organizations to move to the cloud securely,
modernize their IT platforms, and avoid and mitigate breaches. Services
include:
• High value asset protection
• Risk assessments
• Network monitoring and threat detection
• Incident response and recovery

This page lays out a typical cloud security roadmap based on our experience
realizing business value from the cloud and defending cloud-based assets
against cybersecurity threats.

A typical journey to the cloud includes key security transformations that span
your organization's IT culture, governance, policy, processes, technology, and
security controls. The most common changes and challenges are:
• Establishing and validating trust of cloud providers.
• Shifting primary defenses to identity, data, and application layers.
• Keeping up with cloud security capabilities and controls.
• Keeping up with cybersecurity threats.

How can Microsoft Services help you?

Assessing and planning cloud security

Building a complete roadmap for cloud security requires knowing where you
stand. Microsoft can help you build a tailored roadmap for:
• Security strategy and capabilities.
• Identity strategy and alignment.
• Office 365 security.
• Azure subscription and workload security.
• Information protection and rights

Cloud workload migration and hardening

Microsoft can help you harden your current cloud assets, securely migrate
workloads to the cloud, and create new workloads in the cloud that are
hardened from day one. Microsoft has expertise and experience to help you
maximize your security assurances of cloud infrastructure and brand presence
assets, including:
• Office 365 security configuration hardening.
• Azure workload analysis, migration, and security hardening.
• Hardened workstations for social media and brand management.
• Hardened consoles for cloud infrastructure
• Hardening applications and application development processes for PaaS and
hybrid applications using the Microsoft Security Development Lifecycle (SDL)
and international standard ISO 27034-1.
• Designing, implementing, and securing private clouds.

Administration, identity, and host security

Securing administrative privileges is critical for cloud services and the
on-premises identity and security capabilities they depend on. Microsoft has
developed industry leading solutions to protect and monitor administrative
privileges that address challenges with people, process, and technology
elements, including:
• Hardening administration of cloud services.
• Hardening administration of Active Directory and identity systems.
• Hardening infrastructure management tools and systems.
• Just-in-time and just enough administrative privileges.

Threat detection and incident response

Microsoft has world-class incident response teams with extensive experience
handling targeted attacks by determined adversaries. Microsoft can help you
with detecting these threats, hunting for adversaries in your environment,
responding to incidents, and recovering IT service integrity and availability
after an attack. Services include:
• Incident response support (over the phone and onsite).
• Proactive hunt for persistent adversaries in your environment.
• Recovery from cybersecurity attacks.

Support, operations, and service management: sustaining the gains

Security in the cloud is a journey. Sustaining your security assurances
requires ongoing investment into a maintainable operations model that
encompasses people, processes, and technology. Microsoft Services provides a
wide range of cloud and security IT support services, including IT staff
training, health and risk assessments, and assistance with adoption of
recommended practices. Microsoft IT Service Management (ITSM) services empower
you to implement lifecycle management within IT by addressing the readiness of
people and processes required to leverage technology capabilities effectively.

Where to start?

Microsoft recommends starting with a view of your entire organization and
addressing your top risks first:
• Assess your cloud security position to get a broad view of the road ahead.
• Enable advanced threat detection.
• Address top risks — protect business-critical social accounts and cloud
administrative privileges accounts with hardened workstations and security
tailored to those roles.

Engaging Microsoft professional services

Getting started

If you would like assistance with any of the cybersecurity or Trusted Cloud
security capabilities described on this page, contact your Microsoft Services
representative, or visit
services.

Security incident response

Customers with a Premier Support Agreement have ready access to highly
specialized security support engineers and onsite incident response teams. For
customers with an existing Premier agreement, no additional contracting action
is necessary to initiate incident response activities from Microsoft. Contact
your technical account manager (TAM) for more information.
