Technical Overview of the Security Features in the Windows Azure Platform
Last updated: April 2013
This document provides an overview of some of the technical and organizational measures designed to help provide and enable security for the Windows Azure platform (including Windows Azure, Windows Azure AppFabric, and SQL Azure).
Security for the Hosting Environment
The Windows Azure platform environment is composed of computers, operating systems, applications and services, networks, operations and monitoring equipment, and specialized hardware, along with the administrative and operations staff required to run and maintain the services. The environment also includes the physical operations centers that house the services and which themselves must be secured against malicious and accidental damage.
Key Architecture Design Points
The Windows Azure platform is designed to provide “Defense in Depth,” reducing the risk that failure of any one security mechanism will compromise the security of the entire environment. The Defense in Depth layers include:
- Filtering Routers: Filtering routers reject attempts to communicate between addresses and ports not configured as allowed. This helps to prevent common attacks that use “drones” or “zombies” searching for vulnerable servers. Although relatively easy to block, these types of attacks remain a favorite method of malicious attackers in search of vulnerabilities. Filtering routers also support configuring back-end services to be accessible only from their corresponding front ends.
- Firewalls: Firewalls restrict data communication to (and from) known and authorized ports, protocols, and destination (and source) IP addresses.
- Cryptographic Protection of Messages: TLS with at least 128-bit cryptographic keys is used to protect control messages sent between Windows Azure datacenters and between clusters within a given datacenter. Customers have the option to enable encryption for traffic between end users and customer VMs.
- Software Security Patch Management: Security patch management is an integral part of operations to help protect systems from known vulnerabilities. The Windows Azure platform utilizes integrated deployment systems to manage the distribution and installation of security patches for Microsoft software.
- Monitoring: Security is monitored with the aid of centralized monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment, providing pertinent and timely monitoring and alerts.
- Network Segmentation: Microsoft uses a variety of technologies to create barriers for unauthorized traffic at key junctions to and within the datacenters, including firewalls, Network Address Translation boxes (load balancers), and filtering routers. The back-end network is made up of partitioned Local Area Networks for Web and applications servers, data storage, and centralized administration. These servers are grouped into private address segments protected by filtering routers.
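As an added illustration (not part of the original document and not Microsoft's configuration), the following Python model encodes the two filtering-router rules described above: a default-deny allow-list of ports and protocols, and back-end segments reachable only from their own front end. The segment names, ports and sample flows are constructed for the example; the last function shows the kind of monitoring view that surfaces sources probing many rejected ports.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_segment: str
    dst_segment: str
    dst_port: int
    proto: str = "tcp"

# Hypothetical segment layout (constructed for this example): each back-end
# segment is reachable only from the single segment listed as its front end.
FRONT_END_OF = {
    "backend-app-a": "frontend-a",
    "backend-app-b": "frontend-b",
    "storage": "backend-app-a",  # storage serves the app tier, never the edge
}

# Allow-list of (dst_segment, proto, port); anything not listed is rejected.
ALLOWED_SERVICES = {
    ("frontend-a", "tcp", 443),
    ("frontend-b", "tcp", 443),
    ("backend-app-a", "tcp", 8080),
    ("backend-app-b", "tcp", 8080),
    ("storage", "tcp", 1433),
}

def filter_decision(flow: Flow) -> str:
    """Return 'allow' or a rejection reason, as a default-deny filtering router would."""
    if (flow.dst_segment, flow.proto, flow.dst_port) not in ALLOWED_SERVICES:
        return "reject: port/protocol not configured as allowed"
    expected_src = FRONT_END_OF.get(flow.dst_segment)
    if expected_src is not None and flow.src_segment != expected_src:
        return "reject: back-end reachable only from its front end"
    return "allow"

def flag_scanning_sources(flows, threshold=3):
    """Monitoring view: sources whose rejected attempts span `threshold` or more distinct ports."""
    rejected_ports = {}
    for f in flows:
        if filter_decision(f) != "allow":
            rejected_ports.setdefault(f.src_segment, set()).add(f.dst_port)
    return sorted(s for s, ports in rejected_ports.items() if len(ports) >= threshold)

SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("internet", "frontend-a", 443),        # allowed: public web port on the edge
    Flow("frontend-a", "backend-app-a", 8080),  # allowed: front end to its own back end
    Flow("internet", "backend-app-a", 8080),    # rejected: back end reached from the edge
    Flow("frontend-b", "backend-app-a", 8080),  # rejected: wrong front end
    Flow("internet", "frontend-a", 22),         # rejected: port not allow-listed
    Flow("internet", "frontend-a", 3389),       # rejected: port not allow-listed
]
```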
Physical Security
Physical security goes hand-in-hand with software-based security measures, and similar risk assessment and risk mitigation procedures apply to both.
Windows Azure platform services are delivered to customers through a network of global datacenters, each designed to run 24 x 7, and each employing various measures to help protect operations from power failure, physical intrusion, and network outages. These datacenters are compliant with applicable industry standards for physical security and reliability; managed, monitored, and administered by Microsoft operations staff; and geographically dispersed.
Microsoft uses highly secured access mechanisms, limited to a small number of operations personnel, who must regularly change their administrator access passwords. Datacenter access, and authority to open datacenter access tickets, is controlled by the network operations director in conjunction with local datacenter security practices.
Operations and Personnel Security
Design of the Services
The Windows Azure platform is designed to be run without routine access to customer data by Microsoft personnel. A limited number of Microsoft personnel may access customer information as described in the Windows Azure Platform Privacy Statement.
Incident Response
Windows Azure platform services have operations personnel staffed 24 x 7. If an incident is a security incident, operations personnel follow the documented procedures for responding to security incidents. A full communication plan is also in place and is likewise carried out in the event of a security incident.
Auditing
Microsoft administrative operations are audited. The audit trail can be viewed to determine the history of changes.
Application-level Security
In addition to datacenter, network, and personnel security practices, the Windows Azure platform incorporates various security practices at the application layer to help ensure a security-enhanced experience for all customers. This includes both how the application is developed and features within the application that are available to the administrators of the service.
Security-based Application Design
Prior to their respective release, new Microsoft applications and existing Microsoft applications under change are reviewed for compliance with the then-current Security Development Lifecycle and the Trustworthy Computing efforts exercised at Microsoft.
The reviews include threat models, code reviews and remediation plans. Testing of remediation is conducted prior to Release to Operations for deployment.
The security of customer-provided applications is the responsibility of the customer. Windows Azure compute nevertheless provides two kinds of sandboxing: optional sandboxing (running customer applications under a non-admin account on the server, and running applications written in managed code in partial trust) to help limit the harm that can come from bugs in customer-written applications, and mandatory sandboxing (running applications on a virtual machine within a hypervisor-enforced sandbox) to limit the harm to the infrastructure and other customers from such bugs.
Security Features
Windows Azure provides virtual machines to customers, giving them access to most of the same security options available in Windows Server. Customers use SSL client certificates to control updates to their software and configuration.
Fault-Tolerance & Redundancy
Many aspects of the Windows Azure platform are designed to be fault-tolerant and redundant. This gives customers the ability to architect and deploy fault-tolerant applications. Despite these steps, the Windows Azure platform is not guaranteed to be completely fault-tolerant, and developers using the Windows Azure platform should utilize additional safeguards where appropriate.
Service Redundancy
Each layer of the Windows Azure platform infrastructure is designed to continue operations in the event of failure, including redundant network devices at each layer and dual Internet service providers at each datacenter. Failover is in most cases automatic (requiring no human intervention), and the network is monitored by the Network Operations Center 24x7 to detect any anomalies or potential network issues.
Datacenter Redundancy
The Windows Azure platform runs in multiple datacenters around the world. Customers can and are encouraged to export their data in Windows Azure SQL Database to multiple datacenters. In the event of a catastrophic failure involving an entire datacenter, a customer could deploy their application at a backup location.
Privacy
Microsoft regards personal information as private and will take reasonable and customary measures to appropriately handle personally identifiable information.
Microsoft (including, for this purpose, all of our U.S. subsidiaries) is Safe Harbor certified with the U.S. Department of Commerce. This allows for legal transfer of data to Microsoft for processing from within European Union and countries with aligned data protection laws. Microsoft acts as the data processor and, to the extent of the Service’s capabilities, decisions regarding data usage are made by the data controller.
For information about specific data handling practices on the Windows Azure platform, please refer to the Windows Azure Platform Privacy Statement.
The Windows Azure platform, like other Microsoft services and products, is built in accordance with Microsoft Trustworthy Computing Initiative’s privacy guidelines.
Updates
Microsoft may modify the security measures described here to address evolving security threats, to implement new security technology and processes, or as warranted by other updates to the Windows Azure platform. Microsoft will provide electronic notice to Windows Azure platform customers at least 90 days before making security changes that would require an update to this document, unless legal requirements or urgent security or performance issues require Microsoft to act sooner (in which case Microsoft will notify customers as soon as practical).