The concept of the cloud and Azure security questions are things that we deal with daily. We still see fear and concerns across all levels of the business. Security’s the biggest blocker not just for Azure adoption but for cloud adoption. Things are changing. More companies are making the move to the security of Azure.
A recent report from Capgemini reveals several friction points slowing the adoption of Microsoft Azure. Forty percent said “fear of security breaches,” another 52% said “data sovereignty” and compliance issues combined to make them apprehensive.
In the case of Microsoft Azure, these concerns are largely unfounded. Microsoft Azure offers an enormous range of compliance options and highly secure and responsible data practices. That is not to say you should go to the cloud without doing your due diligence first. As is often the case, industry-specific standards vary, and you should always evaluate the law and how it applies to you.
Often, Azure only offers partial compliance, or only on a specific set of services. This means it will be up to you to fill the gaps. Microsoft believes that security, privacy, and compliance for its enterprise cloud services are a shared responsibility. Microsoft helps reduce the security and compliance burden for customers by providing trustworthy enterprise cloud services, while also offering the security capabilities and flexibility customers need to use the services in accordance with their own standards.
Visit the Azure Trust Center for insight to Microsoft’s Azure security model. Below you’ll also find answers to the top 10 questions that I’ve encountered in the field as a consultant, performing Microsoft Azure assessments.
Azure Security Questions
Who controls policies? Do we set those or do we conform to Microsoft?
PaaS: Refers to the platform that Azure and SQL Azure services run on (storage, network, compute infrastructures, etc.). Policy controls are handled by Microsoft
IaaS: Policy controls are managed by the customer’s IT teams for VMs and the applications hosted on VMs. Underlying PaaS is managed by Microsoft.
SaaS: Policy controls are handled by Microsoft.
IT only delivered about 80 of 200+ patches last month. How do we manage that type of change in the cloud when Microsoft manages patching and environment concerns?
PaaS: All patch management is handled by Microsoft in a way that should not affect services being hosted and in most cases are bound by an SLA.
IaaS: Patch management is still managed by IT for VMs. Underlying PaaS is managed by Microsoft.
SaaS: In this case, patch management is handled by Microsoft.
Are passwords exposed with Password Sync?
At no point is the actual password synchronized between your on-premises environment and the cloud. It’s a secure key derived from a hash of a hash of the password being synced. All communications are also encrypted because the communication happens over SSL.
What are security trade-offs of ADFS vs Directory Synchronization with Password Sync?
With AD FS, you can increase compliance capabilities and control who’s allowed to authenticate using Client Access Policies. ; this isn’t possible with Password Sync.
ADFS handles authentication with local AD services whereas Azure AD handles authentication requests when password sync in enabled.
Where is the data? Is it shared? Cross-pollinated? Where are those three copies? Which Datacenters?
Microsoft seeks to give Azure customers control over where their customer data is stored.
Microsoft will not store customer data outside the customer-specified geography except for the following regional services:
•Cloud Services, which backup web and worker role software deployment packages to the United States regardless of the deployment geography.
•Azure RemoteApp, which may store end usernames and device IP addresses globally, depending on where the end user accesses the service.
How is data protected?
You control who has access to your customer data. Strong authentication, including the use of multi-factor authentication, helps limit access to authorized personnel only. Microsoft and third parties perform sample audits to attest that access is only for appropriate business purposes. You can also encrypt your data to ensure that no unauthorized access occurs.
Microsoft customer support and operations personnel may access customer data remotely to provide customer support, troubleshoot the service, or comply with legal requirements. They adhere to stringent privacy practices to safeguard customer data. Also, they impose strict requirements around legal demands for customer data.
How is security and auditing handled?
•It is ultimately your obligation to comply with your regulatory requirements. Microsoft will provide you with information to help you do so.
•Microsoft does commit to compliance with data protection and privacy laws generally applicable to IT service providers.
•If you are subject to industry or jurisdictional requirements and you will need to make your own assessment of your ability to comply.
•Microsoft’s will share independent audits and certifications, and as a result, keep you comfortable.
How are subpoenas & legal demands for customer data handled?
•Microsoft believes that customers should control their own data, whether stored on-premises or in a cloud service.
•Microsoft will never disclose Azure customer data to a government except as you direct or where required by law.
•Should a third party contact Microsoft with a demand for Customer Data, they will attempt to redirect the request directly to you.
•If compelled to disclose Customer Data to a third party, you will be promptly notified and provided a copy of the demand, because, we want to determine if you are legally prohibited from doing so
•Microsoft does not provide any government with direct or unfettered access to customer data.
•Microsoft releases only specific data mandated by the relevant legal demand.
•You can encrypt your data, therefore, you will ensure that no unauthorized access occurs
Who do we call for support if something goes wrong?
•Microsoft has support options available within the portals of Windows Azure and Office 365. So, they are available in the form of a support request system where incidents can be opened online
•There are also options to contact Microsoft Support via telephone and under your EA support agreement
•Especially relevant is that Oakwood also has Managed Services offerings available for support
In terms of SLAs, what do we get if the active directory goes down?
Because service is deemed unavailable if the service fails to respond due to circumstances within Microsoft’s control.
Each service has its own SLA. First of all, an SLA talks about the percentage of uptime for a particular service, say 99.9%. Therefore, that equates up to 45 minutes of downtime in a month per service. As a result, it may happen all at once. It may happen at your peak time.
Review our case studies and engagements where we helped companies just like yours solve a variety of business needs.
Since 1981, Oakwood has been helping companies of all sizes, across all industries, solve their business problems. We bring world-class consultants to architect, design and deploy technology solutions to move your company forward. Our proven approach guarantees better business outcomes. With flexible engagement options, your project is delivered on-time and on budget. 11,000 satisfied clients can’t be wrong.