Beruflich Dokumente
Kultur Dokumente
http://www.microsoft.com/trust
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
NOTE: Certain recommendations contained herein may result in increased data, network, or compute resource
usage, and increase your license or subscription costs.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR
STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
(c) 2016 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in
this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using
it. Some examples are for illustration only and are fictitious. No real association is intended or inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may
copy and use this document for your internal, reference purposes.
P A G E | 02
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Table of Contents
1 INTRODUCTION ......................................................................................................................................... 4
P A G E | 03
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
1 Introduction
Content security and protection is critical for feature film development, as there are multiple
points in the workflow where digital assets can be compromised or stolen. Dailies, rough cuts,
and visual effects are just some of the materials exposed during normal production, and the
box-office impacts of a security breach on a blockbuster project can reach tens of millions of
dollars.
At the same time, production IT systems (in-house / on-premises or rented) remain a significant
overhead expense for studios—one they would like to minimize while still protecting highly
valuable content. By moving workflows into the Microsoft Azure public cloud, producers and
content creators can enhance the security of their productions and:
To help major studios, partners, and vendors design infrastructure and solutions that ensure the
security of digital film assets, the Motion Picture Association of America (MPAA) provides best-
practices guidance and security control frameworks. The MPAA also performs content security
assessments on behalf of its member companies (Walt Disney Studios Motion Pictures,
Paramount Pictures Corporation, Sony Pictures Entertainment Inc., Twentieth Century Fox Film
Corporation, Universal City Studios LLC, and Warner Bros. Entertainment Inc.).
Microsoft Azure is the first hyper-scale, multi-tenant public cloud to successfully complete a
security and compliance assessment by the MPAA’s independent auditors. This means that
companies who do business with major studio film productions can use Azure to help reduce
the IT costs normally associated with secure content creation, management, and distribution.
Azure complies with the MPAA’s best-practices guidelines for application and cloud security,
covering the following services: Azure AD, ACS, Batch, Cache, CDN, ExpressRoute, Event Hubs
(Service Bus), Import/Export Services, Media Services, Portal, Premium Storage, Scheduler, SQL
DB, Storage, Storage Files, Virtual Machines, Virtual Networks, and WorkFlow.
P A G E | 04
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
This “Common Guidelines” document, and its companion “Azure Responses to MPAA
Application and Cloud Security Guidelines”, provide the framework for evaluating Azure’s
capabilities to support secure content workflows in the cloud. The details presented below
enable deep insight into core Azure operations and architecture, such as physical security,
infrastructure management, privacy policies, business continuity, and more.
You will note that some responses are shaded blue. This indicates a question or control
objective that is either the customer’s responsibility, or one that is distributed between the
customer and Azure. For example, user data classification is up to the customer and how it
defines security boundaries on content, but Azure also has system data that is classified
according to Microsoft’s information security management policy. Azure provides features that
customers can use to classify data, but does not itself classify a customer’s data within an Azure
Storage account.
For more information about the MPAA frameworks and best-practices guidelines, please visit
http://www.mpaa.org/content-security-program/.
P A G E | 05
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 100A: Do you have X Management has established defined roles and responsibilities
MS-1.0 information and to oversee implementation of the information security policy
MS-3.0
content security job across Azure.
positions with well-
defined responsibilities?
Q. 101: Do you have policies X Microsoft Azure has designed and implemented an information
MS-4.0 and procedures for security management system (ISMS) framework that addresses
content security and industry best-practices for information security and privacy.
asset protection? The ISMS has been documented and communicated in a
customer-facing Information Security Policy, which is available
through the Service Trust Portal
(https://www.microsoft.com/en-
us/TrustCenter/STP/default.aspx).
Q. 102: Do you have a business X Business Continuity Plans (BCPs) have been documented and
MS-6.0 to continuity and disaster published for critical Azure services, which provide roles and
MS.6.1 recovery plan, which responsibilities with detailed procedures for recovery and
includes a defined reconstitution of systems to a known state per defined
business continuity Recovery Time Objectives (RPO) and Recovery Point Objectives
team? (RPO). Plans are reviewed on an annual basis, at a minimum.
P A G E | 06
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 103: Do you have change X Operational Security Assurance (OSA) is a framework that
MS-7.0 control policies and incorporates the knowledge gained through a variety of
procedures? capabilities that are unique to Microsoft, including the
Microsoft Security Development Lifecycle (SDL), the Microsoft
Security Response Center program, and deep awareness of the
cybersecurity threat landscape. OSA combines this knowledge
with the experience of running hundreds of thousands of
servers in data centers around the world. Microsoft uses OSA
to minimize risk by ensuring that ongoing operational activities
follow rigorous security guidelines and by validating that
guidelines are actually being followed effectively. When issues
arise, a feedback loop helps ensure that future revisions of OSA
contain mitigations to address them.
The OSA process also uses feedback from online service teams
within Microsoft to continuously evaluate and improve the OSA
process. This feedback is also considered confidential, and it is
protected in accordance with Microsoft internal policies.
Q. 104: Do you have an X Microsoft Azure has developed robust processes to facilitate a
MS-5.0 to 5.3 incident response plan coordinated response to incidents if one was to occur. A
DS-9.3
that establishes an security event may include, among other things, unauthorized
incident response team, access resulting in loss, disclosure or alteration of data.
reporting procedures,
response processes, and The Microsoft Azure Incident Response process follows the
following phases:
P A G E | 07
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 105: Do you review X Azure performs and annual review and audit of its ISMS and
MS-1.1 information and results are provided to management. Metrics regarding
MS-1.3
content security information security events are reviewed by management
policies on an annual teams on an ongoing basis and at least monthly.
MS-4.1
basis?
This involves monitoring ongoing effectiveness and
improvement of the ISMS control environment by reviewing
security issues, audit results, and monitoring status, and by
planning and tracking necessary corrective actions.
Q. 106: What types of All Microsoft employees and vendors who have information
MS-10.0 background checks system access undergo screening prior to being authorized.
(employment, criminal Microsoft requires full time employees (FTEs) and vendors to
history, credit, drug undergo a background check as part of the Microsoft HR hiring
screening, etc.) do you practices. Background checks are required for new hires or
conduct for persons personnel transferring to positions that involve access to
(new employees, customers’ work sites and/or sensitive areas, including access
contractors, interns, to customer PII. Background checks are also required due to
third-parties, etc.) that contractual requirements with certain customers and are
work at your facility? reviewed on a regular basis.
(Please provide details
in the comments box)
P A G E | 08
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 107: Do all employees, X The Microsoft Master Vendor Agreement (MMVA) requires that
MS-11.0 to contractors, and third- the third party comply with all applicable Microsoft security
MS-12.2 party workers sign a policies and, implement security procedures to prevent
confidentiality disclosure of Microsoft confidential information, and
agreement upon hire implement their own information security program. In addition
and annually to the standard security clauses included in the MMVA, third
thereafter? parties are expected to adhere to the following security
requirements:
All third party service providers must comply with
Microsoft security and privacy policies and standards;
All third party service providers should follow the
requirements stated in the Microsoft Vendor Code of
Conduct document; and
All third party service providers (including Off-Facility (OF)
third party personnel) are be required to take security and
privacy training annually.
Q. 107A: Does the agreement X Based on the services to be provided, the Microsoft Azure
MS-11.0 to include requirements manager is responsible for ensuring that the contract with the
MS-12.2 for handling and third party service provider has signed the appropriate
protecting content, and Information Exchange Agreements (IEAs), which include
returning content upon confidentiality, privacy, and security requirements. The IEAs
termination of the include a Non-Disclosure Agreement (NDA), Input Agreement
relationship? (IA), and Technical Documentation Agreement (TDA).
Q. 108: Do employees, X All personnel must complete annual security training to learn
MS-4.2 contractors, and about Azure security and compliance requirements including
vendors have to sign- security policies and standards. Training also supports
off that they have read important security initiatives and the awareness and mitigation
content security and of top risks.
asset protection policies
and procedures? All Azure employees must complete the mandatory training
along with role-based training.
Q. 109: Do management, X All appropriate Microsoft staff take part in Azure and/or
MS-1.2 employees, and Microsoft Cloud Infrastructure Operations (MCIO)-sponsored
MS-4.3
contractors receive security training programs, and are recipients of periodic
training on security security awareness updates when applicable. Security
(content security, education is an on-going process and is conducted regularly in
security awareness, order to minimize risks. An example of an internal training is
cybersecurity, Internet Microsoft Security 101. Microsoft also has non-disclosure
usage, etc.) on an provisions in our employee contracts.
annual basis?
All Azure and/or MCIO staff are required to take training
determined to be appropriate to the services being provided
and the role they perform.
P A G E | 09
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 109A: Do you have social X All appropriate Microsoft staff take part in Azure and/or MCIO-
MS-4.0 media policies or sponsored security training programs, and are recipients of
MS-1.2
guidelines that address periodic security awareness updates when applicable. Security
the following: how education is an on-going process and is conducted regularly in
employees are allowed order to minimize risks. An example of an internal training is
to associate themselves Microsoft Security 101. Microsoft also has non-disclosure
with the facility; provisions in our employee contracts.
prohibit the sharing of
sensitive information or All Azure and/or MCIO staff are required to take training
content to the outside determined to be appropriate to the services being provided
online community; and and the role they perform.
standards of behavior?
Q. 110: Do you have X The customer is responsible for secure workflow processes
MS-8.0 to 8.1 documented workflows surrounding data uploaded and processed within their Azure
tracking content and subscription environment. Customers can take advantage of
authorization native dynamic encryption within Azure Media Services (up to
checkpoints for the AES 256) or pre-encrypt data prior to upload into Azure
following: delivery, storage.
ingest, movement,
storage, removal and However, for content assets handled by Microsoft through
destruction? services such as Azure Import / Export, processes are in place
for the secure receipt, processing, and return of physical hard
drives submitted to an Azure datacenter. This includes
segregated, caged storage with restricted access, secure server
media connections, and monitored facilities at all points.
Q. 110A: Do you review and X Information security management plans are reviewed annually
MS-8.0 to 8.1 update documented and updated as needed.
workflows for changes
in process on an
annual basis?
Q. 111: Do you perform a risk X Azure has adopted information classification schemes
MS-2.0 to assessment for content consistent with the Microsoft Operating Systems division.
MS-2.1 workflows and sensitive Information is classified into three categories in consideration
assets on an annual of criticality and sensitivity, including supplemental categories
basis? for customer content (e.g., customer secrets, email bodies,
storage data) or personally identifiable information (e.g.,
customer contact information, usernames, IP address).
P A G E | 010
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Physical Security
Q. 203: Do you notify the client X Data stored in Azure is owned, controlled, and accessed by the
studio and obtain customer. Customers select and control data regions, data
MS-12.6
approval, before redundancy / replication, and offload--Microsoft does not use
content is offloaded to third-party content storage.
a subcontractor or
Azure employees only access customer data upon
another company?
management approval through logged and audited processes
for designated customer support purposes.
Q. 204: Do you secure all X Electronic access control devices are installed on doors
entry/exit points to the separating the reception area from the facilities’ interior to
PS-1.0
facility, including restrict access to approved personnel only. Datacenter lobbies
PS-1.2 windows, doors, and have man-trap portal devices that require access card and
loading docks with biometric hand geometry to pass beyond the lobby.
access controlled
doors? Pre-approved deliveries are received in a secure loading bay
and are monitored by authorized personnel. Loading bays are
physically isolated from information processing facilities.
P A G E | 011
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 205: Does your facility X Applies to: Fencing, Walls, Lighting, Window Grates, Security
utilize physical Patrols, Other (including Cameras, SOC, motion detectors,
PS-4.0 to
perimeter protection? electrified fencing, door sensors).
PS-4.3
If yes, please provide
details such as fencing,
walls, gates, security
patrols, etc.
Q. 206A: Do you require rooms X Azure does not access customer data.
used for screening
PS-1.1
purposes to be access-
controlled?
Q. 206B: Do you control access X Procedures have been established to restrict physical access to
to areas where content the datacenter to authorized employees, vendors, contractors,
PS-1.1
is handled by and visitors. Security verification and check-in are required for
segregating the content personnel requiring temporary access to the interior data
area from other facility center facility including tour groups or visitors.
areas (e.g.,
administrative offices, Access authorizations for data centers are managed using an
waiting rooms, loading authorized access list of personnel, which has been approved
docks, courier pickup by the Datacenter Management team. Physical keys and access
and drop-off areas, badges are stored within the Security Operations Center and
replication and inventoried multiple times per day.
mastering)?
Q. 207: Does your facility have X All facility entry and exit points are monitored throughout the
intruder alarms? day and alarms are present and activated during non-business
PS-5.0 to PS
hours. Emergency exits are alarmed and under video
5.2
If yes, please describe surveillance.
the types of intruder
alarms being utilized
(e.g., door sensors,
motion detectors, glass
break sensors, etc.) and
note areas covered
(entries, exits, storage,
vaults, windows, etc.).
Q. 208: Have you configured X Escalation procedures, including requirements for contacting
your alarm systems to law enforcement, are clearly defined and provided to all
PS-5.3
notify security directly security personnel as part of the Microsoft Incident Response
and/or the police and Plan.
other relevant
personnel (i.e. incident
response team)?
P A G E | 012
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 209: Do you restrict the X Alarms and alarm codes are managed through a combination
alarm system to of controls including separation of duties, automation,
PS-5.4 to
authorized personnel redundant verification, and the principle of least privilege.
PS.5.5
with unique arm and
disarm codes for each Physical security responsibilities are clearly assigned to specific
individual? job roles, including alarm arming and disarming.
Q. 210: Do you review or X All access to the datacenter is immediately revoked when a
update this access user has transferred or is no longer with Microsoft.
PS-5.4 to
quarterly or when there
PS.5.5
is a change in Microsoft also performs a Quarterly Access Review (QAR) using
personnel? DCAT as the source of record. Users must be reviewed by data
center management and all changes must be reviewed and
approved before closing the QAR.
Q. 211: Do you test the alarm X The data center alarm system is 24/7/365. Alarms are
system on a quarterly monitored in real-time by our Lenel system, along with our
PS-5.6
basis? DCAT tool. Any maintenance done on the alarm system is
performed under dual-control, and alarms are tested once they
are brought back online. All testing and maintenance is
documented and retained in accordance with Microsoft legal
information retention policies.
Q. 212: During a power outage, X Datacenters have mitigated the risk of power outages by
do fire doors fail shut in having dedicated 24x7 uninterruptible power supply (UPS) and
PS-5.7
restricted areas and fail emergency power support, which may include generators.
open in other areas? Regular maintenance and testing is conducted for both the
UPS and generators. Data centers have made arrangements for
emergency fuel delivery.
Q. 212A: Do you have a process X Procedures have been established to restrict physical access to
to manage facility the datacenters to authorized employees, vendors, contractors,
PS-6.0 to
access? and visitors. Security verification and check-in are required for
PS-6.2
personnel requiring temporary access to the interior datacenter
facility, including tour groups or visitors.
Q. 212B: Is access for restricted X Procedures have been established to restrict physical access to
areas restricted to the datacenter to authorized employees, vendors, contractors,
PS-6.0 to
authorized personnel? and visitors. Security verification and check-in are required for
PS-6.2
personnel requiring temporary access to the interior datacenter
facility including tour groups or visitors.
P A G E | 013
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 213: How do you control X Applies to: Keys, electronic cards / fobs, pin locks, biometrics.
access into the facility Other
PS-7.0 to
(keys, electronic card,
PS-8.5 Access to the data center facilities is restricted. The main
pin locks, biometrics,
interior and reception areas have electronic card access control
etc.)?
devices on the perimeter door(s), which restrict access to the
interior facilities. Rooms within the Microsoft datacenter that
contain critical systems (servers, generators, electrical panels,
network equipment, etc.) are restricted through various security
mechanisms such as electronic card access control, keyed lock,
anti-tailgating and/or biometric devices.
Q. 214: Do you have a process X All Physical Keys are tracked using a combination of DCAT,
for tracking issued physical security control systems, and the SOC key box.
PS-7.0 to
keys, retrieving keys Approval to check-out keys is submitted, reviewed, and
PS-8.5
back from terminated approved through the DCAT system. Key inventory is reviewed
employees or persons every shift change.
who no longer need
access, and re-keying Processes are in place to retrieve keys that have not been
locks / disabling access checked back in. If not successful, a procedure is in place to re-
for lost keys? key a rack or in the event of a facility key, rekeying the entire
facility.
Q. 215: Do you log and review X Access to all facility rooms is logged in real-time. If access to
daily electronic access those areas is not granted, an alarm will sound in the Security
PS-10.0 to
for the following Operations Center, and an immediate security dispatch will
PS-10.3
restricted areas: occur.
masters/stampers
vault, pre-mastering,
server/machine room,
scrap room, high-
security cages; and
weekly for all other
areas?
Q. 216: Does your facility X The total number of cameras varies from datacenter to
utilize security cameras datacenter, but all entry/egress points, as well as the
PS-9.0 to
(CCTV)? surrounding perimeter, loading bays, and select areas within
PS-9.1
If yes, how many the facility (such as at fire doors and storage areas) are
cameras are installed covered.
throughout the facility?
P A G E | 014
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 216A: Do the cameras cover X CCTV is used to monitor physical access to datacenters and the
restricted areas and information systems. Cameras are positioned to monitor
PS-9.0 to
entry/exit points (e.g. perimeter doors, facility entrances and exits, interior aisles,
PS-9.1
server room, vault, caged areas, high-security areas, shipping and receiving, facility
areas where content is external areas such as parking lots and other areas of the
stored or handled)? facilities.
Q. 216B: Are the areas of X All areas of camera coverage have proper lighting, along with
camera coverage well emergency lighting in the case of a power outage. These lights
PS-9.0 to
lighted, utilize motion are run off of a separate emergency panel, so that lighting is on
PS-9.1
activated lights, or during the change over from UPS to on-premises generators.
infrared or low-light
capable? In some facilities, lighting is dimmed if no movement has been
detected in a certain time period. Those lights have been
reviewed and verified that the level of lighting is still sufficient
for CCTV coverage.
Q. 217: What is the image X Image specifications vary across facilities depending on
resolution and frame location security requirements and vendor installations (for
PS-9.1
rate of the CCTV leased datacenters).
system?
(Please specify in the
comments box to the
right)
Q. 218: Do you place the DVR X All access and attempted access to electronic badge-protected
for the CCTV system in doors is centrally logged and audited on an exception basis.
PS-9.2
a secure access- Automated tools alert the appropriate personnel if a security
controlled location event is detected.
(e.g., computer room,
locked closet, and
cage)?
Q. 219: Do you retain CCTV X All CCTV footage is retained for a minimum of 90 days.
data for a period of at
PS-9.3
least 90 days?
Q. 219A: How often is CCTV X All CCTV data is verified during investigations, along with
data retention and upgrades of the system.
PS-9.3
CCTV image capture
quality verified?
(Please specify in the
comments box to the
right)
Q. 220: Do you have policy and X All individuals who enter the facility must agree to the
procedures for Microsoft Datacenter work site rules. These rules dictate what
PS-11.0 to
searching all personnel can be brought into and out of the building.
PS-11.4
and visitors that exit
PS-11.7 the building and also
when entering and
PS-11.8
exiting restricted areas,
for client content?
P A G E | 015
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 221: Do you periodically X Microsoft does not employ a search process within our fully
audit and find ways to managed sites.
PS-11.6
improve the search
process?
Q. 222: If your facility performs X Azure does not provide media replication services.
Replication, do you
PS-11.9
review the exit search
process for security
guards upon exit?
Q. 222A: If your facility performs X Azure does not provide media replication services.
Replication, do you
PS-11.9
segregate security
guard responsibilities
(search process) for
overseeing
plant/production areas
from exit points?
Q. 224: Do you have a content X Asset Management is owned by the Datacenter Logistics
asset management teams. They use a combination of internal tools to track all
PS-12.1
system that tracks assets from acquisition, installation, deployment, management,
content assets using and retirement of infrastructure assets. Asset IDs are affixed to
barcodes or unique all assets and are scanned into the system and throughout the
tracking identifiers? lifecycle of an asset.
If yes, please describe
the details of the
information that the
asset management
system records.
(Please specify in the
comments box to the
right)
Q. 225: Does the content asset X Azure does not provide asset management, processing, or tracking
management system for customer content, and as such does not use a check-in/check-
PS-12.2, PS-
perform the following: out mechanism.
12.4, PS-12.5
track asset movements,
use alias in place of Customers may use the Azure Import/Export Service for bulk-
studio names, create a upload and download of digital content into/from their
daily aging report for subscription, and all handling of physical media (hard drives) is
assets checked out and monitored and logged. Media is stored securely in locked cages
not returned? and may not be accessed by anyone but authorized Azure support
personnel. Customer media is only keep on-site during the transfer
process, and is immediately returned to the customer upon
completion.
Q. 226: Do you review content X Customers are responsible for managing content and digital assets
asset management logs within their subscription environment. Azure provides mechanisms
PS-12.3
at least weekly? for logging access to files, applications and data (such as Azure
Diagnostics Services).
P A G E | 016
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 226A: Does the review include X Please see response to Question 226 above.
an investigation of
PS-12.3
anomalies?
Q. 227: How frequently are X Asset Inventory counts are performed quarterly by the logistics
inventory counts team on site. Assets on-site (scanned and records) are compared to
PS-13.0-PS-
performed and physical observations (Tile, Row, Colo, etc.). These results are
13.1
reconciled with records reviewed by data center management and any issues are resolved
in the content asset and a new test is performed.
management system?
Q. 228: Do you lock up assets if X Azure does not handle customers' physical assets.
shipments are delayed
PS-12.6
or returned? Infrastructure devices such as servers, hard disks, or network
systems are kept in secure loading bays prior to deployment, as
well as upon decommissioning / destruction.
Q. 229: Do you store blank X Azure does not produce physical media, and does not keep such
media and raw stock in resources on-site.
PS-14.0, PS-
a secured location (e.g.,
14.2
locked cabinet, safe However, customers using the Azure Import/Export service have
etc.)? their physical drives kept in locked and monitored cages until they
are processed and returned.
Q. 230: Do you track (reconcile X Azure does not produce physical media.
existing raw stock with
PS-14.1
work orders) the
consumption of raw
materials on a monthly
basis?
Q. 232: Do you store client X Azure does not produce physical media, and does not keep such
assets in a secure resources on-site.
PS-15.1
physical location (e.g.,
locked cabinet, safe However, customers using the Azure Import/Export service have
etc.)? their physical drives kept in locked and monitored cages until they
are processed and returned.
Q. 233: Do you have the X Customers are responsible for ensuring appropriate access controls
capability to segregate and encryption are used for the assets they store in their Azure
PS-15.1
high security assets subscription. Azure provides the mechanisms for securing digital
from other assets in content, and ensures data isolation through mechanisms such as
storage upon client Storage Access Keys, BitLocker volume encryption, Azure Rights
request? Management, PlayReady, and others.
Q. 237: Do you have a X Customers are responsible for enforcing their own data retention
documented asset policies. Microsoft Azure provides tools to securely delete data
PS-16.1
disposal policy? including immediately removing the index from the primary
location, and removal of any geo-replicated copies of the data
(index) asynchronously. Media wiping is NIST 800-88 compliant,
defective disks are destroyed, and customers can only read from
disk space to which they have previously written.
[see
http://blogs.msdn.com/b/walterm/archive/2012/02/01/windows-
azure-data-cleansing-and-leakage.aspx]
P A G E | 017
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 238: Do you store rejected, X Microsoft does not provide media production services.
damaged, and obsolete
PS-16.0 to
stock containing client Microsoft uses best practice procedures and a media wiping
PS-16.1
assets in a secure solution that is NIST 800-88 compliant. For hard drives that can’t
location before they are be wiped we use a destruction process that destroys it (i.e.
erased, degaussed, shredding) and renders the recovery of information impossible
shredded, or physically (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate
destroyed before means of disposal is determined by the asset type. Records of the
disposal? destruction are retained. Microsoft Azure services utilize approved
media storage and disposal management services. Paper
documents are destroyed by approved means at the pre-
determined end-of-life cycle.
Q. 239: "Do you dispose of Applies to: Degaussing, Shredding, Physical Destruction, other
rejected, damaged, and
PS-16.1
obsolete stock? Data destruction techniques vary depending on the type of data
If yes, what methods object being destroyed, whether it is subscriptions, storage, virtual
are used for disposal machines, or databases. In Azure's multi-tenant environment,
(e.g. degaussing, careful attention is taken to ensure that one customer’s data is not
shredding or physically allowed to either “leak” into another customer’s data, or when a
destruction)?" customer deletes data, no other customer (including, in most cases,
the customer who once owned the data) can gain access to that
deleted data.
P A G E | 018
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 241B: Does the third party X The third-party provides Microsoft Datacenter Operations with a
destruction company certificate of destruction, which is verified and stored in Redmond,
PS-16.3
provide a certificate of Washington.
destruction for each
completed job?
Q. 243: Do you require valid X MCIO contracts with specific carriers (FedEx, UPS, DHL) for shipping
shipping or work order and receiving physical hardware to datacenters.
PS-17.0, PS-
to be created to
17.3
authorize shipment of Shipping and processing orders are managed by the customer
client assets out of the through the Azure Import/Export service in the Azure Management
facility? Portal. Work orders are created and managed via a ticketing
If yes, what information system. For more information, please see
does the authorization https://azure.microsoft.com/en-
form capture? us/documentation/articles/storage-import-export-service/
(Please specify in the
comments box to the
right)
Q. 244: Do you track and log X If an asset is shipped, the shipping company selected by the
client asset shipping customer assumes the responsibility after handoff of the asset from
PS-17.1
details? the datacenter.
If yes, please provide
the details of
information logged.
(Please specify in the
comments box to the
right)
Q. 246: Do you utilize a courier X Entrance and exit to secure areas (including areas where
to transport client information processing and information systems are housed) are
PS-17.3
assets? protected by the design and implementation of electronic access
If yes, are the following control systems and mechanisms (such as card key access and/or
performed or obtained: biometrics technology) to prevent unauthorized access.
Additionally, access to secure areas (including those containing
information processing and information system facilities) is
controlled and isolated from public access areas (such as building
lobbies, delivery and loading areas) by electronic access control
systems and mechanisms (such as card key and/or biometrics
technology) and building design to prevent unauthorized access.
Q. 249: Do authorized X Pre-approved deliveries are received in a secure loading bay and
personnel (e.g., are monitored by authorized personnel. Loading bays are
PS-17.6
security) observe and physically isolated from information processing facilities.
monitor the on-site
packing and sealing of
trailers prior to
shipping?
If yes, please provide
name and title in the
comments section.
P A G E | 019
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 252: Upon receipt of client X Azure Import / Export Services provides a ticketing system to
assets, do you inspect submit physical media for processing at a designated Azure
PS-18.0
and compare to datacenter.
shipping documents
(e.g., packing slip,
manifest log) to ensure
that all items were
delivered and not
damaged?
Q. 253: Do you perform the X Azure Media Services provides a OData style REST API for
following processes interacting with the service. One of the primary entities in the
PS-18.1
immediately after system is the Asset entity which is used to hold the media files
assets are received: making up a single media asset. Each media file in the Asset entity
has an associated AssetFile entity representing that media file. Both
the Asset Entity and the AssetFile Entity have unique ID properties
that are generated by Media Services when they are created.
Q. 256: Do you ship client X Packaging to return client assets such as hard drives via Azure
assets using plain, non- Import / Export is provided by the customer.
PS-19.0
descript labeling?
Q. 257: Do you ship all client X Azure is not a content replication facility.
assets in closed/sealed
PS-20.0
containers, in locked
containers, shrink
wrapped, and also with
tamper-evident seals,
tapes, packaging, or
locks?
Q. 258: Do you ensure that X Applies to: segregation from driver cabin, locked and sealed cargo
PS-21.0 to package transportation area
PS-21.1 vehicles are locked at
all times and packages Azure contracts with third party carriers.
are kept out of clear
view? Which of the
following security
features do the vehicles
have in place:
Q. 259: For highly sensitive X Customers ingest media files into Assets using one of the various
content shipments, do methods discussed in the Uploading Media topic of the Azure
PS-21.2 to
you apply unnumbered Media Services documentation. It is recommended that customers
PS-21.3
seals to cargo doors? use the Storage Encryption feature of Azure Media Services to
encrypt their media files before uploading them to Azure Blob
Storage using the Azure Media Services APIs. This is done in such a
way that the key used to encrypt the media files is shared with
P A G E | 020
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Once the Asset is created and the media files securely uploaded to
Azure Media Services, all of the operations on the content occur
under automation from actions initiated by or configured by the
account owner. For example, the asset owner could create a Job to
encode the Asset into a different media format. Or the asset owner
could publish an asset for streaming to end users. Account owners
can also query the current state of their assets in the system by
getting the list of assets in their account, querying the list of jobs in
the account (including the input and output assets), getting the
streaming locator and asset delivery policy associated with a given
asset (telling if the asset is published for streaming and if dynamic
encryption is applied).
Q. 259A: In addition, do you use X If a third-party individual is on a visitor request, they will be issued
security personnel to a paper badge and must be escorted throughout the facility. If a
PS-21.2 to
escort content to high third-party individual is given temporary access, their ID badge will
PS-21.3
risk areas? only give them access into rooms that they have approved access
into.
P A G E | 021
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Digital Security
Q. 300: Are external networks X Microsoft Azure implements network access control and
(Internet, extranets, segregation through VLAN isolation, ACLs, load balancers and
DS-1.0
external partner) IP filters. External traffic to the customer Virtual Machine(s) is
segregated from the restricted to customer-enabled ports and protocols. Network
facility's internal filtering is implemented to prevent spoofed traffic and restrict
network with a incoming and outgoing traffic to trusted platform components.
firewall?
Microsoft Azure uses Network Address Translation (NAT) and
network segregation to separate customer traffic from
management traffic. Outbound network access is restricted and
limited to specific VM instances to support the requested tasks.
Q. 301: Are firewall rules X All firewall rules and ACLs are documented and reviewed on at
reviewed periodically least a quarterly basis. All changes are required to follow the
DS-1.1
and at least every six approved firewall rule change control process.
months?
Traffic flow policies are implemented on boundary protection
devices that deny traffic by default. These policies are reviewed
every month to determine any changes required.
Q. 302: Are firewalls configured X Azure employs boundary protection devices such as SQL DB
to deny all protocols by Gateways (SQL firewall), content gateways, application firewalls,
DS-1.2
default and enable only and denial-of-service safeguards to control communications at
specific permitted external and internal boundaries.
secure protocols to
access the WAN and Traffic flow policies are implemented on boundary protection
firewall? devices that deny traffic by default. These policies are reviewed
every month to determine any changes required.
Q. 302A: Are unencrypted X Unsecure protocols are blocked by default. All guest / VM ports
protocols such as are disabled by default. Host ports controlled by the Azure
DS-1.2
Telnet and FTP turned Fabric are unreachable by non-infrastructure components.
off or blocked at the
firewall?
Q. 303: Do you restrict remote X Remote access to the Microsoft Azure environment is enabled
management of only to authorized personnel from predefined networks and
DS-1.6
firewalls from any boundary devices (e.g., Microsoft Azure load balancers) that
external interfaces? implement multifactor authentication. Remote access sessions
are continuously monitored using automated mechanisms that
provide alerts on specific security events.
Q. 304: Do you place externally As a cloud platform service, Azure does not use a DMZ.
accessible servers (i.e.,
DS-1.3
web server) on the
DMZ?
P A G E | 022
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 304A: Do firewall rules As a cloud platform service, Azure does not use a DMZ.
prevent access to
DS-1.3
internal networks from
the DMZ?
Q. 305: Do you have a patch X Azure component teams receive notifications of potential
management program vulnerabilities and the latest software updates from the
DS-1.4
to ensure that systems Microsoft Security Response Center (MSRC) and MCIO. The
are up-to-date on component teams analyze software update relevance to the
patches and Azure production environment and review the associated
maintenance releases? vulnerabilities based on their criticality. Software updates are
released through the monthly OS release cycle using change
and release management procedures. Emergency out-of-band
security software updates (0-day & Software Security Incident
Response Process - SSIRP updates) are deployed as quickly as
possible. If customers use the default "Auto Upgrade" option,
software updates will be applied their VMs automatically.
Otherwise, customers have the option to upgrade to the latest
OS image through the portal. In case of a VM role, customers
are responsible for evaluating and updating their VMs.
Q. 305A: If you answered, “Yes” X Please see response to Question 305 above.
to question 305, does
DS-1.4
this include network
infrastructure devices
(i.e., routers, switches,
firewalls)?
Q. 306: Do you have a process X Operational Security Assurance (OSA) is a framework that
to implement baseline incorporates the knowledge gained through a variety of
DS-1.5
security requirements capabilities that are unique to Microsoft, including the
DS-6.9 and configurations for Microsoft Security Development Lifecycle (SDL), the Microsoft
networking and Security Response Center program, and deep awareness of the
DS-1.12
computing equipment cybersecurity threat landscape. OSA combines this knowledge
including firewalls, with the experience of running hundreds of thousands of
routers, switches, servers in data centers around the world. Microsoft uses OSA
servers, workstations, to minimize risk by ensuring that ongoing operational activities
and mobile computing follow rigorous security guidelines and by validating that
devices? guidelines are actually being followed effectively. When issues
arise, a feedback loop helps ensure that future revisions of OSA
contain mitigations to address them.
P A G E | 023
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 307: Do you secure backups X Backups of key platform components, internal certificates,
of network secrets, user-level information and system documentation are
DS-1.7
infrastructure / SAN / performed regularly and stored in fault tolerant (isolated)
NAS devices and facilities. Backups are monitored for failures and resolved
servers to a central through documented incident handling procedures.
server on the internal Restoration tests are conducted every 6 months.
network?
Q. 308: Do you have a X Microsoft Azure subscribes to MSRC/OSSC monthly patch
vulnerability notifications and scans for vulnerabilities at least quarterly.
DS-1.8 to
management process Identified vulnerabilities are evaluated and remediated per
DS-1.9
to cyclically identify, established timeline based on the level of risk.
DS-15.9 classify, remediate, and
mitigate security Vulnerability assessment and scanning tools are specifically
vulnerabilities on designed to operate in virtualized environments. Procedures
networking and have been established and implemented to scan for
computing devices, and vulnerabilities on MCIO-managed hosts in the scope boundary.
applications? MCIO implements vulnerability scanning on server operating
systems, databases, and network devices. The vulnerability
scans are performed on a quarterly basis at minimum.
Q. 308A: How often are internal Microsoft Azure subscribes to MSRC/OSSC monthly patch
vulnerabilities scans notifications and scans for vulnerabilities at least quarterly.
DS-1.8 to
conducted? What is the Identified vulnerabilities are evaluated and remediated per
DS-1.9
interval between tests established timeline based on the level of risk.
DS-15.9 or vulnerability
management cycles? Vulnerability assessment and scanning tools are specifically
(Please specify in the designed to operate in virtualized environments. Procedures
comments box to the have been established and implemented to scan for
right) vulnerabilities on MCIO-managed hosts in the scope boundary.
MCIO implements vulnerability scanning on server operating
systems, databases, and network devices. The vulnerability
scans are performed on a quarterly basis at minimum.
Q. 308B: How often are external Azure contracts with independent assessors to perform
vulnerabilities scans penetration testing of the Microsoft Azure boundary. Red Team
DS-1.8 to
conducted? What is the exercises are also routinely performed and results used to
DS-1.9
interval between tests make security improvements.
DS-15.9 or vulnerability
management cycles?
(Please specify in the
comments box to the
right)
P A G E | 024
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 308C: How often are internal The Microsoft Azure trustworthy foundation concept ensures
penetration tests application security through a process of continuous security
DS-1.8 to
performed by improvement with its Security Development Lifecycle (SDL) and
DS-1.9
independent third Operational Security Assurance (OSA) programs using both
DS-15.9 parties? Prevent Breach and Assume Breach security postures.
(Please specify in the
comments box to the Prevent Breach works through the use of ongoing threat
right) modeling, code review and security testing. Assume Breach
employs Red Team exercises, live site penetration testing and
centralized security logging and monitoring to identify and
address potential gaps, test security response plans, reduce
exposure to attack and reduce access from a compromised
system, periodic post-breach assessment and clean state.
Q. 308D: How often are external Azure contracts with independent assessors to perform penetration
penetration tests testing of the Microsoft Azure boundary. Red Team exercises are
DS-1.8 to
performed by also routinely performed and results used to make security
DS-1.9
independent third improvements.
DS-15.9 parties? (Please specify
in the comments box to
the right)
Q. 309: Do WAN, extranet, or X Customers are accountable for configuring secure private network
other site-to-site data connections to their Azure subscription environment, such as using
DS-1.10
circuits utilize private IPsec for VPNs and ExpressRoute.
connections and
employ encryption of All Azure WAN and site-to-site infrastructure networks are isolated
data in transit? and encrypted using either TLS or IPsec.
Q. 310: Do you segment and X For the Azure infrastructure, production and non-production are
isolate networks physically and logically separated. Microsoft Azure employs
DS-3.0
containing content and network-based and host-based boundary protection devices such
DS-14.1 production data from as firewalls, load balancers, IP Filters, and front-end components.
other networks (office These devices use mechanisms such as VLAN isolation, NAT and
data, administrative, packet filtering to separate customer traffic from management
DMZ, Internet, traffic.
extranets, etc.)?
Q. 311: Have you implemented X Applies to: blocks malicious software, identifies phishing e-mails
e-mail content filtering and spam, blocks e-mails from blacklisted domains, restricts file
DS-2.1
to block malicious sizes
software and program
types, identify potential Microsoft corporate email systems are protected by anti-malware /
phishing e-mails and anti-spam solutions, and constantly updates signatures and
spam, block e-mails profiles based on CERT and MSRC information.
from blacklisted
domains, and restrict Customers can use Office 365 for email with their Azure
file sizes? subscription, which also offers anti-malware / anti-spam
capabilities. If customers deploy their own email solution within
P A G E | 025
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
P A G E | 026
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 318: Do you employ layer 3 X Microsoft Azure controls physical access to diagnostic and
switches, strong configuration ports through physical data center controls.
DS-3.4 to
authentication for Diagnostic and configuration ports are only accessible by
3.5
management interfaces arrangement between service/asset owner and hardware/software
to switches, and have support personnel requiring access. Ports, services, and similar
logging turned on the facilities installed on a computer or network facility, which are not
switches? specifically required for business functionality, are disabled or
removed.
Q. 319: Do you employ hubs or X Microsoft Azure controls physical access to diagnostic and
repeaters? configuration ports through physical data center controls.
DS-3.4 to
Diagnostic and configuration ports are only accessible by
3.5
arrangement between service/asset owner and hardware/software
support personnel requiring access. Ports, services, and similar
facilities installed on a computer or network facility, which are not
specifically required for business functionality, are disabled or
removed.
Q. 320: Do you prohibit dual- X For the Azure infrastructure, production and non-production are
homed networking physically and logically separated. Microsoft Azure employs
DS-3.5
(physical networked network-based and host-based boundary protection devices such
bridging) on computer as firewalls, load balancers, IP filters, and front-end components.
systems within the These devices use mechanisms such as VLAN isolation, NAT and
content/production packet filtering to separate customer traffic from management
network? traffic.
Q. 322A: If you are using SMTP, X Please see response to Question #322 above.
are you using SMTP v3
DS-3.7
with secure or difficult
to guess community
strings?
Q. 323: Do you run wireless X Azure does not permit or allow wireless connections in the
networks? production network environment. Internal security teams regularly
DS-4.1 to
(If yes, describe the scan for rogue wireless signals, and on a quarterly basis rogue
DS-4.2
security protocols that signals are investigated and removed.
are used to secure the
wireless networks, in
P A G E | 027
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 324: Do you designate X Datacenter Services Team and Data Center Logistics teams attach
specific systems for the device to the Azure Import/Export servers in the datacenter
DS-5.0
loading and extracting and notify the requestor. These are specifically designated storage
data from systems that access points.
store content data?
Q. 324A: Do you maintain an X This is a customer control, as content verification should be carried
access control list with out after migration using Azure Import/Export services.
DS-5.0
specific source and
destinations systems?
Q. 325: Do you restrict X Applies to: mass storage, external storage, mobile storage devices,
input/output (with the optical media burners
DS-5.1
exception of systems
used for content I/O) of MCIO implements controls on the use of removable media within
mass storage, external the Azure in-scope boundaries. Customer content is not accessible
storage, and mobile via removable media.
storage devices (e.g.,
USB, FireWire,
Thunderbolt, SATA,
SCSI, etc.) and optical
media burners (e.g.,
DVD, Blu-Ray, CD, etc.)
on all systems that
handle or store
content?
Q. 326: Do you use antivirus, X MCIO-managed hosts within the in-scope boundary are scanned to
antispam, or endpoint validate anti-virus clients are installed and current signature-
DS-6.0 to
software? definition files exist.
DS-6.4
(If yes, describe the
antivirus programs or All Azure VMs have Azure Anti-Malware installed by default.
systems in place, in the (https://azure.microsoft.com/en-us/blog/microsoft-antimalware-
comments box to the for-azure-cloud-services-and-virtual-machines/) Customers may
right) install other anti-virus or intrusion prevention solutions as-needed
for their businesses.
Q. 327: Do you restrict users X Customers are responsible for ensuring the security of their
from having local endpoints used to access Azure.
DS-6.5
administrative rights
on their machines, However, all systems used to manage or access the Azure test or
unless industry production environments have been hardened according to
software requires local industry best-practices
administrative rights to (http://download.microsoft.com/download/7/0/E/70E3858E-8764-
run the software? 4233-A00F-
49A3C6C3143C/Security_Management_in_Microsoft_Azure-
11062014.pdf), and have restricted access policies to prevent
unauthorized use.
P A G E | 028
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 329: Do you require devices X Customers are responsible for encrypting their VMs or client
that handle content to devices that access their Azure environment.
DS-6.7
encrypt the data? (If
yes, please provide All Microsoft development and management systems that access
details in the Azure infrastructure are encrypted using BitLocker AES-256.
comments box)
Q. 329A: In addition, do you X Microsoft uses Active Directory Group Policies to manage all
have remote-kill connected developer or support systems, in addition to the secure
DS-6.7
software to perform configurations mentioned in item 327 above. Microsoft System
remote wiping of data Center provides the ability to remotely manage and re-image client
on devices? machines as-needed.
Q. 332A: If there been any X Network diagrams are kept up to date as part of the ongoing
significant changes compliance programs including SOC, ISO, PCI, and FedRAMP.
DS-6.12
made to the network
infrastructure recently,
is the documentation
up to date?
P A G E | 029
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 333: Do you have policies X Azure enforces existing ISMS policies regarding FTE and contractor
and procedures for access to the Azure system components, verification of access
DS-7.0
managing of user, control effectiveness, providing JIT administrative access and
administrator, and revoking access when no longer needed, and ensuring staff
service accounts? accessing the Azure platform environment have a business need.
P A G E | 030
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
P A G E | 031
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
P A G E | 032
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 342A: Are there any systems X Password policies are enforced via Active Directory Group Policies,
that do not meet the and are applied on a worldwide basis.
DS-8.1
above password
requirements?
(Please specify in the
comments box to the
right)
Q. 343: Have you implemented X Physical / infrastructure servers (hosts) are headless and do not
password-protected support local logon. Remote configuration of hardware is managed
DS-8.3
screensavers or screen- by the Azure Fabric Controllers.
lock software for
servers and Workstations used to manage Azure Production infrastructure
workstations? follow industry best-practices for operating system hardening,
application control, and AD group policy enforcement for secure
configuration. [see
http://download.microsoft.com/download/7/0/E/70E3858E-8764-
4233-A00F-
49A3C6C3143C/Security_Management_in_Microsoft_Azure-
11062014.pdf]
Q. 344: Do you have a layered X Azure provides multiple levels of network segregation and
authentication strategy authentication for access control. Customers are responsible for
DS-8.4
(multi-factor configuring access control and security for their Virtual Network
authentication, identity deployments.
and access
management system, Each Azure cluster is logically segregated using several VLANs to
single sign on system, separate customer traffic from the rest of the Azure network.
identity federation
standards) for WAN
and LAN / Internal
Network access?
Q. 345: Have you implemented X Microsoft Azure Diagnostics enables collection of diagnostic data
logging for security from an application running in Microsoft Azure. Diagnostic data
DS-9.0
events? may be used for debugging and troubleshooting, measuring
performance, monitoring resource usage, traffic analysis and
If yes, please describe capacity planning, and auditing. After the diagnostic data is
what systems and what collected it can be transferred to a Microsoft Azure storage
kinds of events are account for persistence. Transfers can either be scheduled or on-
logged? demand. Azure Diagnostics is configured using an XML
(Please specify in the configuration file.
comments box to the
right) The Azure Threat Management Team utilizes a variety of tools to
monitor system events. Azure Access Control Service (ACS) is used
to retrieve Windows security event logs from:
IaaS servers
Domain controllers in the MCIO-Managed domains
supporting the IaaS Security Authorization boundary.
P A G E | 033
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
P A G E | 034
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
P A G E | 035
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
P A G E | 036
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 355: Do you encrypt content X Microsoft Azure does not automatically encrypt tenant data in
data on hard drives? storage. However, there are tools within Azure and third-party
DS-11.1
If yes, how and what tools that allow encryption of data in Azure storage. Customers
kind of encryption? (file may implement encryption at-rest using .NET cryptographic
and folder, partition, services.
full disk, AES128,
AES256, etc.) For customers using Virtual Machines, additional options are
(Please specify in the available, including the Encrypting File System in Windows Server
comments box to the 2008 R2 (and above), Azure Rights Management Services, as well as
right) Transparent Data Encryption (TDE) in SQL Server 2008 R2 (and
above).
P A G E | 037
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
information is logged?
How often are the logs
reviewed? What is the
retention period of the
logs?
(Please specify in the
comments box to the
right)
Q. 363: Do your content X Customers may configure Azure to enable encryption-in-transit by
transfer systems configuring HTTPS endpoints. Customers using Virtual Machines
DS-13.0
employ strong who wish to encrypt traffic between Web clients and Web servers
encryption (e.g., in their VMs can implement TLS. Other enhancements to network
AES128, AES256 or traffic security include using IPsec VPNs or ExpressRoute to encrypt
better)? direct communications between the customer’s datacenter and
Microsoft Azure.
P A G E | 038
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Q. 367A: Do you use ACLs to X Azure customers are entirely responsible for protection and
restrict data traffic to encryption of their e-commerce transactions, however, Azure
DS-14.2, DS-
and from the DMZ? ensures critical communications such as calls to the API or intra-
15.3
Azure communication are encrypted, authenticated, and integrity
controlled via protocols such as SSL. Customers can optionally
configure SSL/TLS for defense-in-depth on their Virtual Networks.
Storage REST APIs over HTTPS can also be used to interact with
Azure Storage and SQL Database. When populating data into SQL
Database, you can encrypt information before it is copied over.
Note that data only remains encrypted until it is used and placed in
memory on the SQL Database compute node, at which point it
exists in an unencrypted state.
Q. 368: Do you have a process X Microsoft uses best practice procedures and a wiping solution that
to remove content from is NIST 800-88 compliant. For hard drives that can’t be wiped we
DS-14.3 to
content transfer use a destruction process that destroys it (i.e. shredding) and
DS-14.4
devices/systems renders the recovery of information impossible (e.g., disintegrate,
immediately after shred, pulverize, or incinerate). The appropriate means of disposal
successful transmission is determined by the asset type. Records of the destruction are
or receipt? retained. All Microsoft Azure services utilize approved media
storage and disposal management services. Paper documents are
destroyed by approved means at the pre-determined end-of-life
cycle.
Q. 368A: Are automatic X This is a customer responsibility. DRM and DLP tools are available
notifications sent to from Microsoft and third parties to implement content tracking,
DS-14.3 to
production but Azure does not provide these by default.
DS-14.4
coordinators upon
outbound content Content access can be logged using Azure monitoring systems.
transmissions?
Q. 369: Do you set access to X This is a customer responsibility. Azure does not control access to
content on internal or customer content stored in a subscription.
DS-15.7
external portals to
expire automatically at Content policies should be managed according to the customer's
predefined intervals? ISMS.
Q. 370: Do you have a process X Microsoft does not maintain any standing access to customer data
to review file and or resources.
DS-15.2
directory permissions
at least quarterly to Azure employs a defense in depth strategy for boundary
ensure that access is protection, including secure segmentation of network
restricted to only those environments through several methods including VLAN
that require it? segmentation, ACL restrictions and encrypted communications for
remote connectivity.
P A G E | 039
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Segregation of duties
Q. 371: Have you implemented X Applies to: client web portal, content transfer systems, key
multi-factor generation, e-mail, remote access, other (please specify below)
DS-15.4
authentication for the
following systems Any service or application within Azure can be enabled with Azure
Multifactor Authentication (MFA), which provides additional
mechanisms for identity verification and monitoring through Active
Directory.
Q. 372: Do web portals employ X Customers may configure Azure to enable encryption-in-transit to
HTTPS? the Azure Management Portal by configuring HTTPS endpoints.
DS-15.5
Microsoft Azure requires TLS encryption by default and does not
store passwords or credentials in plaintext.
Q. 373: Do web portals avoid X The Microsoft Azure trustworthy foundation concept ensures
the use of persistent application security through a process of continuous security
DS-15.6
cookies or cookies that improvement with its Security Development Lifecycle (SDL) and
store credentials in Operational Security Assurance (OSA) programs using both Prevent
plaintext? Breach and Assume Breach security postures. This methodology is
applied across all Azure systems and tools, including customer
interfaces and portals.
P A G E | 040
Microsoft Azure Responses to Motion Picture Association of America Common Guidelines
Microsoft Azure Home – general information and links about Microsoft Azure
o http://azure.microsoft.com
Microsoft Azure Developer Center – developer guidance and information
o http://msdn.microsoft.com/en-us/azure/default.aspx
Security Best Practices For Developing Microsoft Azure Applications (white paper)
o http://download.microsoft.com/download/7/3/E/73E4EE93-559F-4D0F-A6FC-
7FEC5F1542D1/SecurityBestPracticesWindowsAzureApps.docx
Microsoft’s Security Development Lifecycle (SDL)
o http://www.microsoft.com/security/sdl/
Microsoft Cloud Infrastructure and Operations group
o http://www.microsoft.com/en-us/server-cloud/cloud-os/global-datacenters.aspx
Microsoft Security Response Center [where Microsoft security vulnerabilities, including
issues with Microsoft Azure, can be reported]
o http://www.microsoft.com/security/msrc/default.aspx
o Or via email to secure@microsoft.com.
Service Trust Portal
o https://www.microsoft.com/en-us/TrustCenter/STP/default.aspx
P A G E | 041