Windows Azure runs in data centers managed and operated by Microsoft Global Foundation Services (GFS). These geographically dispersed data centers comply with key industry standards, such as ISO/IEC 27001:2005, for security and reliability. They are managed, monitored, and administered by Microsoft operations staff that have years of experience in delivering the world’s largest online services with 24 x 7 continuity.
In addition to data center, network, and personnel security practices, Windows Azure incorporates security practices at the application and platform layers to enhance security for application developers and service administrators.
Standard Response to Request for Information: Security and Privacy
The Cloud Security Alliance published the Cloud Control Matrix (CCM) to support customers in the evaluation of cloud services. In response to this publication, Microsoft has created a white paper to outline how Windows Azure security controls map to the CCM controls framework, providing customers with in-depth information on Windows Azure security policies and procedures. Please see Windows Azure Cloud Security Alliance STAR submission for more information.
Microsoft conducts regular penetration testing to improve Windows Azure security controls and processes. We understand that security assessment is also an important part of our customers' application development and deployment. Therefore, we have established a policy for customers to carry out authorized penetration testing on their applications hosted in Windows Azure. Because such testing can be indistinguishable from a real attack, it is critical that customers conduct penetration testing only after obtaining approval in advance from Windows Azure Customer Support. Penetration testing must be conducted in accordance with our terms and conditions. Requests for penetration testing should be submitted with a minimum of 7-day advanced notice.
To learn more or to initiate penetration testing, please download the Penetration Testing Approval Form and then contact Windows Azure Customer Support.
Security Resources for Windows Azure
Technical Overview of the Security Features in the Windows Azure Platform
This document provides a summary of some of the technical and organizational security measures for Windows Azure.
Windows Azure Security Overview
This in-depth paper provides a detailed discussion of some of the security features and controls implemented in Windows Azure.
Security Best Practices for Developing Windows Azure Applications
This paper focuses on the recommended approaches for designing and developing secure applications for Windows Azure.
Windows Azure Data Security (Cleansing and Leakage)
This blog posting details procedures implemented in Windows Azure to prevent data leakage or exposure of customer data upon data deletion.
Windows Azure Security Notes
This document from the Patterns and Practices team provides solutions for securing common application scenarios on Windows Azure.
Crypto Services and Data Security in Windows Azure
This MSDN article provides an overview of cryptography concepts and related security in Windows Azure.
Windows Azure: Understanding Security Account Management in Windows Azure
Cloud computing relieves some of the security burden, but you still have an active role in managing access, securing communications and ensuring data protection. This TechNet article covers best practices for creating and managing administrative accounts, using certificates for authentication, and handling transitions when employees begin or terminate employment.
Securing and Authenticating a Service Bus Connection
This MSDN Library article discusses how to develop applications that use the Windows Azure Service Bus to perform secure connections.
Scenarios and Solutions Using Windows Azure Active Directory Access Control
This section of the MSDN Library contains articles that discuss how to use the Windows Azure Active Directory Access Control for securing web applications, single sign-on, user authorization, and more.
Security Guidelines for SQL Database
This paper provides an overview of security guidelines for customers who connect to SQL Database (formerly SQL Azure), and who build secure applications on SQL Database.
Business Continuity for Windows Azure
This MSDN article provides guidance on how to use Windows Azure to achieve business continuity and disaster recovery goals.
Business Continuity in SQL Database
This MSDN article describes the business continuity capabilities provided by SQL Database (formerly SQL Azure). The purpose of creating database backups is to enable you to recover from data loss caused by the failure of individual servers and devices, unwanted data modifications and deletions, and widespread loss of data center facilities.
Windows Azure Developer Center
This website provides a variety of developer resources for Windows Azure, including a list of additional whitepapers.