
Standard Response to Request for Information

Security and Privacy

March | Version 1
Disclaimer

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of
publication. For the latest version of this document visit: http://www.microsoft.com/download/en/details.aspx?id=26647

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO
THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter
in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2011 Microsoft Corporation. All rights reserved.

Microsoft and Microsoft Azure are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Standard Response to RFI- Security and Privacy | Page 2


Table of Contents (page)

Introduction 4
How Windows Azure is Delivered: The Services Stack 5
ISO Certifications that Align with Windows Azure Controls 6 - 8
Microsoft Response by Cloud Control Matrix ID 9 - 50
Compliance CO-01 through CO-06 9 - 11
Data Governance DG-01 through DG-08 12 - 15
Facility FS-01 through FS-08 16 - 18
Human Resources HR-01 through HR-03 19
Information Security IS-01 through IS-34 20 - 34
Legal LG-01 through LG-02 34 - 35
Operations OP-01 through OP-04 35 - 36
Risk Management RI-01 through RI-05 37 - 38
Release Management RM-01 through RM-05 39 - 40
Resiliency RS-01 through RS-08 41 - 43
Security Architecture SA-01 through SA-15 44 - 50

Standard Response to RFI- Security and Privacy | Page 3


Introduction

Computing in the cloud raises questions about security, data protection, privacy and data ownership. Windows Azure is hosted in Microsoft data centers around the world, and is designed to offer the performance, scalability, security, and service levels business customers expect. We have applied state-of-the-art technology and processes to maintain consistent and reliable access, security and privacy for every user. Windows Azure has built-in capabilities for compliance with a wide range of regulations and privacy mandates.

In this document we provide our customers with a detailed overview of how the Windows Azure core services (see Scope section below) fulfill the security, privacy, compliance, and risk management requirements as defined in the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM). Note that this document is intended to provide information on how Windows Azure operates: customers have a responsibility to control and maintain their environment once the service has been provisioned (i.e., user access management and appropriate policies and procedures in accordance with their regulatory requirements).

Scope

The focal point of this whitepaper is the Windows Azure operating system as an online service platform component. The whitepaper is scoped to the Windows Azure core services: Compute (web, worker, and virtual machine roles), Storage, and Virtual Network. It does not provide detailed coverage of other Windows Azure features such as SQL Azure, Service Bus, Marketplace, Content Delivery Network, etc.

Security requirements for the cloud: the Cloud Control Matrix

The Cloud Control Matrix (CCM) is published by a not-for-profit, member-driven organization of leading industry practitioners focused on helping customers make the right decisions when moving to the cloud. The matrix provides a detailed understanding of security and privacy concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.

Microsoft has published a detailed overview of our capabilities for the CCM requirements in this document. With this standard Request for Information (RFI) response we would like to illustrate and empower customers with in-depth information to evaluate different offerings in the marketplace today.

Sidebar: The Cloud Security Alliance (CSA) is a not-for-profit organization promoting the use of best practices for security assurance within Cloud Computing. The Cloud Security Alliance published the Cloud Control Matrix to support consumers in the evaluation of cloud services and to identify questions prudent to have answered before moving to cloud services. In response to this publication, Windows Azure has created this document to outline how we meet the suggested principles and mapped them to the ISO certification. Learn more: https://cloudsecurityalliance.org

Introducing Windows Azure

Windows Azure is a cloud services operating system that serves as the development, service hosting, and service management environment for the Windows Azure platform. Windows Azure provides developers with on-demand compute, storage, networking, and content delivery capabilities to host, scale, and manage Web applications on the Internet through Microsoft datacenters. With Windows Azure, Microsoft hosts data and programs belonging to customers. Windows Azure must therefore address information security challenges above and beyond traditional on- or off-premises IT scenarios. This document describes the array of controls Windows Azure has implemented in relation to the CSA CCM and also mapped to our ISO 27001 Certification. More details behind the ISO Certification can be found in the Windows Azure blog post here: http://blogs.msdn.com/b/windowsazure/archive/2011/12/19/windows-azure-achieves-is0-27001-certification-from-the-british-standards-institute.aspx

The paper also assumes that readers are familiar with Windows Azure basic concepts, as they will not be covered in this paper. Links to reading materials that cover these core concepts can be found here: http://www.windowsazure.com/en-us/develop/net/other-resources/white-papers/ as well as through the Windows Azure Trust Center: www.windowsazure.com/trustcenter

How Windows Azure is Delivered: The Services Stack

When evaluating the control environment in a cloud computing offering, it is important to consider the whole services stack of the cloud service provider. Many different organizations may be involved in providing infrastructure and application services, increasing the risk of misalignment. A disruption of any one layer in the stack could compromise the delivery of the cloud service and have disastrous impacts. As a result, customers should evaluate how their service provider operates, and understand the underlying infrastructure and platforms of the service as well as the actual applications.

In the Windows Azure environment, the service is managed by the Microsoft Server and Tools Business (STB) group, which provides the platform layer. Customers provide and manage the application and data layer that sits on the platform. The Microsoft Global Foundation Services (GFS) group provides the physical infrastructure in which the platform runs and data is stored.

Sidebar: The Windows Azure legal page offers additional information on topics such as Service Agreement, Privacy Statement, Security Overview, Service Level Agreements, and Customer Portal Terms of Use. To learn more visit the Windows Azure Legal Page and the Windows Azure Trust Center:
www.windowsazure.com/trustcenter
http://www.microsoft.com/windowsazure/legal/



ISO Based Controls for the Windows Azure Services Stack

Both Windows Azure and the underlying Global Foundation Services infrastructure employ security frameworks based on the International Standards Organization 27000 family of standards. The Windows Azure core services (Compute, Storage, and Virtual Network) are ISO/IEC 27001:2005 (aka ISO 27001) certified, and this work is planned for the remaining features of the platform. Additionally, GFS's physical infrastructure, in which all of Windows Azure except for CDN runs, is ISO 27001 certified.

Our security framework based on ISO 27001 enables customers to evaluate how Microsoft meets or exceeds the security standards and implementation guidelines. ISO 27001 defines how to implement, monitor, maintain, and continually improve the Information Security Management System (ISMS). In addition, the GFS infrastructure undergoes an annual American Institute of Certified Public Accountants (AICPA) Statement of Auditing Standards (SAS) No. 70 audit, which will be replaced with an AICPA Statement on Standards for Attestation Engagements (SSAE) No. 16 audit and an International Standards for Assurance Engagements (ISAE) No. 3402 audit. Planning for an SSAE 16 audit of Windows Azure is underway.

The Information Security Policy, applicable to Windows Azure, also aligns with ISO 27002, augmented with requirements specific to Windows Azure. ISO 27002 is not a certification but provides a suggested set of suitable controls for the Information Security Management System.

Sidebar: Microsoft's ISO 27001 certifications enable customers to evaluate how Microsoft meets or exceeds the standards and implementation guidance.

How to read CSA requirements and Microsoft's response

On the following pages, we have mapped our security practices to the guidance provided by the CCM. The first two columns, headed "Control ID in CCM" and "Description", consist of content directly from the CCM identifying relevant controls (1). The third column, headed "Microsoft Response", consists of:

1) A short explanation of how Windows Azure controls satisfy the Cloud Security Alliance recommendation.
2) A reference to the ISO 27001 controls attested to by the Microsoft Global Foundation Services (GFS) and/or Windows Azure ISO 27001 certifications, where relevant.

Example:

The Cloud Security Alliance Cloud Control Matrix, ID IS-02 states: "Executive and line management shall take formal action to support information security through clear documented direction, commitment, explicit assignment and verification of assignment execution."

Microsoft's Response:

Each management-endorsed version of the Information Security Policy and all subsequent updates are distributed to all relevant stakeholders. The Information Security Policy is made available to all new and existing Windows Azure employees for review. All Windows Azure employees represent that they have reviewed, and agree to adhere to, all policies within the Information Security Policy documents.

Microsoft's Response (continued):

All Windows Azure Contractor Staff agree to adhere to the relevant policies within the Information Security Policy. Should one of these parties not have access to this policy for any reason, the supervising Microsoft agent is responsible for distributing the policy to them.

A customer-facing version of the Information Security Policy can be made available upon request. Customers and prospective customers must have a signed NDA or equivalent in order to receive a copy of the Information Security Policy.

Management Commitment to Information Security and Management Responsibility is covered under the ISO 27001 standards, specifically addressed in Clause 5 and Annex A, domain 6.1.1. For more information, a review of the publicly available ISO standards we are certified against is suggested.

Sidebar: The fact that Windows Azure core services are certified to ISO 27001 means that we have been able to meet the external auditors' expectations that our environment meets or exceeds such standards. The public copy of the Windows Azure ISO Certification is available here: http://www.bsigroup.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search-Results/?pg=1&licencenumber=IS+577753&searchkey=companyXeqXmicrosoft

(1) CCM content in columns 1 and 2 is © 2011 Cloud Security Alliance, used with permission.

Instructions for more information and guidance:

A review of the ISO 27001 and ISO 27002 publicly available standards is highly recommended. ISO Standards are available for purchase at the International Organization for Standardization website: http://www.iso.org/iso/iso_catalogue. These ISO standards provide deep detail and guidance.



Example:

When reviewing the standard, one can take the ISO 27001 control or clause and review its specifics, e.g. "Management Commitment to Information Security", clause 5 of the ISO 27001 standard, or the ISO 27002 advisory control 6.1.1, "Management responsibility".

Resources

Visit our Windows Azure Trust Center and/or Legal page and get:
Service Agreement and Use Rights
Privacy Statement
Security Overview
Service Level Agreements

Trust Center link: www.windowsazure.com/trustcenter

Legal page link: http://www.microsoft.com/windowsazure/legal/

The public copy of the Windows Azure ISO Certification is available here: http://www.bsigroup.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search/



Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls CO-01 through CO-02

Control ID in CCM (CCM Version R1.1 Final): CO-01 Compliance - Audit Planning

Description: Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders.

Microsoft Response: Our goals are to operate our services with security as a key principle, and to give you accurate assurances about our security. We have implemented and will maintain reasonable and appropriate technical and organizational measures, internal controls, and information security routines intended to help protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. Each year, we undergo third-party audits by internationally recognized auditors to validate that we have independent attestation of compliance with our policies and procedures for security, privacy, continuity and compliance.

ISO 27001 certifications for Windows Azure and Global Foundation Services (which runs the physical infrastructure) can be found on the website of our external ISO auditor, the BSI Group. Additional audit information is available under NDA upon request by prospective customers.

Windows Azure independent audit reports and certifications are shared with customers in lieu of allowing individual customer audits. These certifications and attestations accurately represent how we obtain and meet our security and compliance objectives and serve as a practical mechanism to validate our promises for all customers.

For security and operational reasons, Windows Azure does not allow our customers to perform their own audits on Microsoft's Windows Azure platform service, although customers are allowed to perform non-invasive penetration testing of their own application with prior approval.

Monitor and review the Information Security Management System (ISMS) is covered under the ISO 27001 standards, specifically addressed in Clause 4.2.3. For more information, a review of the publicly available ISO standards we are certified against is suggested.

Control ID in CCM (CCM Version R1.1 Final): CO-02 Compliance - Independent Audits

Description: Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing).

Microsoft Response: For more information see CO-01.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls CO-03 through CO-05

Control ID in CCM (CCM Version R1.1 Final): CO-03 Compliance - Third Party Audits

Description: Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.

Microsoft Response: Windows Azure contractually requires that its subcontractors meet important privacy and security requirements.

Addressing security in third party agreements and third party service delivery management is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 6.2 and 10.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.

Control ID in CCM (CCM Version R1.1 Final): CO-04 Compliance - Contact / Authority Maintenance

Description: Liaisons and points of contact with local authorities shall be maintained in accordance with business and customer requirements and compliance with legislative, regulatory, and contractual requirements. Data, objects, applications, infrastructure and hardware may be assigned legislative domain and jurisdiction to facilitate proper compliance points of contact.

Microsoft Response: Microsoft maintains contacts with external parties such as regulatory bodies, service providers, Risk Management organizations, and industry forums to ensure appropriate action can be quickly taken and advice obtained when necessary. Microsoft has a dedicated team for most contacts with law enforcement. Roles and responsibilities for managing and maintaining these relationships are defined.

Contact with authorities and contact with special interest groups is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 6.1.6 and 6.1.7. For more information, a review of the publicly available ISO standards we are certified against is suggested.

Control ID in CCM (CCM Version R1.1 Final): CO-05 Compliance - Information System Regulatory Mapping

Description: Statutory, regulatory, and contractual requirements shall be defined for all elements of the information system. The organization's approach to meet known requirements, and adapt to new mandates shall be explicitly defined, documented, and kept up to date for each information system element in the organization. Information system elements may include data, objects, applications, infrastructure and hardware. Each element may be assigned a legislative domain and jurisdiction to facilitate proper compliance mapping.

Microsoft Response: Windows Azure complies with all data protection and privacy laws generally applicable to Microsoft's provision of the Windows Azure service. Additional information can be found in our service agreements.

Windows Azure has an established process for identifying and implementing changes to services in response to changes in applicable statutes and regulations, which are reviewed annually during our ISO 27001 audit. In addition, the Windows Azure purchasing portal limits the ability to create new accounts in jurisdictions that are outside of the Windows Azure scope of support.

Customers are responsible for compliance with laws and regulations specific to their industry or particular use of Windows Azure.

Establish the ISMS, management review of the ISMS and compliance with legal requirements is covered under the ISO 27001 standards, specifically addressed in Clauses 4.2.1 and 7.3 as well as in Annex A, domain 15.1. For more information, a review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Control CO-06

Control ID in CCM (CCM Version R1.1 Final): CO-06 Compliance - Intellectual Property

Description: Policy, process and procedure shall be established and implemented to safeguard intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.

Microsoft Response: All employees and contingent staff are required to follow applicable intellectual property laws, and Microsoft maintains responsibility for use of proprietary software within the legislative jurisdictions and contractual constraints governing the organization.

In addition, Windows Azure has procedures to ensure adherence to the Digital Millennium Copyright Act takedown requirements as well as similar legislation on the service.

Microsoft will acquire no rights in Customer Data and will not use or disclose Customer Data for any purpose other than stated below.

Customer Data will be used only to provide Customer the Windows Azure services. This may include troubleshooting aimed at preventing, detecting and repairing problems affecting the operation of the services and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam).

Microsoft will not disclose Customer Data to a third party (including law enforcement, other government entity, or civil litigant; excluding our subcontractors) except as Customer directs or unless required by law. Should a third party contact Microsoft with a demand for Customer Data, Microsoft will attempt to redirect the third party to request it directly from Customer. As part of that, Microsoft may provide Customer's basic contact information to the third party. If compelled to disclose Customer Data to a third party, Microsoft will use commercially reasonable efforts to notify Customer in advance of a disclosure unless legally prohibited.

Establish the ISMS is covered under the ISO 27001 standards, specifically addressed in Clause 4.2.1. For more information, a review of the publicly available ISO standards we are certified against is suggested.



Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls DG-01 through DG-02

Control ID in CCM (CCM Version R1.1 Final): DG-01 Data Governance - Ownership / Stewardship

Description: All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated.

Microsoft Response: Windows Azure has implemented a formal policy that requires assets (the definition of asset includes data and hardware) used to provide Windows Azure services to be accounted for and have a designated asset owner. Asset owners are responsible for maintaining up-to-date information regarding their assets. Customers are responsible for being the steward of their own data.

Allocation of information security responsibilities and ownership of assets is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 6.1.3 and 7.1.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.

Control ID in CCM (CCM Version R1.1 Final): DG-02 Data Governance - Classification

Description: Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.

Microsoft Response: Windows Azure classifies data according to the Windows Azure data classification scheme and then implements a standard set of Security and Privacy attributes. Microsoft does not classify data uploaded and stored by customers in Windows Azure but treats all Customer Data in accordance with the commitment outlined in CO-06.

Information classification is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 7.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.



Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls DG-03 through DG-04

Control ID in CCM (CCM Version R1.1 Final): DG-03 Data Governance - Handling / Labeling / Security Policy

Description: Policies and procedures shall be established for labeling, handling and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

Microsoft Response: Windows Azure classifies data according to the Windows Azure data classification scheme and then implements a standard set of Security and Privacy attributes.

Information classification, labeling and handling is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 7.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.

Control ID in CCM (CCM Version R1.1 Final): DG-04 Data Governance - Retention Policy

Description: Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of disk or tape backups must be implemented at planned intervals.

Microsoft Response: Data retention policies and procedures are defined and maintained in accordance with regulatory, statutory, contractual or business requirements. The Windows Azure backup and redundancy program undergoes an annual review and validation.

Windows Azure backs up infrastructure data regularly and validates restoration of data periodically for disaster recovery purposes.

Windows Azure includes replication features detailed below to help prevent loss of customer data in the event of failures within a Microsoft data center. Customers are responsible for taking additional steps to provide added fault tolerance, such as creating historical backups of customer data, storing backups of customer data off the platform, deploying redundant compute instances within and across data centers, or backing up state and data within a virtual machine.

Information back-up is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.5.1. For more information, a review of the publicly available ISO standards we are certified against is suggested.



Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls DG-05 through DG-06

Control ID in CCM (CCM Version R1.1 Final): DG-05 Data Governance - Secure Disposal

Description: Policies and procedures shall be established and mechanisms implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

Microsoft Response: Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can't be wiped we use a destruction process that destroys them (i.e. shredding) and renders the recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.

All Windows Azure services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle.

Secure disposal or re-use of equipment and disposal of media is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.2.6 and 10.7.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.

Control ID in CCM (CCM Version R1.1 Final): DG-06 Data Governance - Non-Production Data

Description: Production data shall not be replicated or used in non-production environments.

Microsoft Response: Microsoft applies the segregation of duty principle to ensure that access to test and production environments is restricted according to policy.

Movement or copying of Customer Data out of the production environment into a non-production environment is expressly prohibited except where customer consent is obtained, where necessary for troubleshooting the service, or at the directive of Microsoft's legal or investigative department.

Separation of development, test and operation facilities and protection of system test data is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 10.1.4 and 12.4.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.



Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls DG-07 through DG-08

Control ID in CCM (CCM Version R1.1 Final): DG-07 Data Governance - Information Leakage

Description: Security mechanisms shall be implemented to prevent data leakage.

Microsoft Response: Logical and physical controls are implemented in Windows Azure environments. This is explored in great depth in the Windows Azure Security Overview whitepaper located here: http://go.microsoft.com/?linkid=9740388

Information leakage is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 10.4.1, 10.10.2, 10.10.3, 10.10.4 and A.12.6. For more information, a review of the publicly available ISO standards we are certified against is suggested.

Control ID in CCM (CCM Version R1.1 Final): DG-08 Data Governance - Risk Assessments

Description: Risk assessments associated with data governance requirements shall be conducted at planned intervals considering the following:
- Awareness of where sensitive data is stored and transmitted across applications, databases, servers and network infrastructure.
- Compliance with defined retention periods and end-of-life disposal requirements.
- Data classification and protection from unauthorized use, access, loss, destruction, and falsification.

Microsoft Response: Windows Azure performs an annual risk assessment. The assessment includes:
- Evaluation of the Confidentiality, Integrity and Availability impact on assets. Assets include but are not limited to data, software, and hardware.

Establish the ISMS and Information classification and asset management is covered under the ISO 27001 standards, specifically addressed in Clause 4.2.1 and Annex A, domain 7.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.



Windows Azure Response in the Context of CSA Cloud Control
Matrix
Controls FS-01 through FS-02

Control ID Description
Microsoft Response
In CCM (CCM Version R1.1. Final)

FS-01 | Facility Security - Policy
Description: Policies and procedures shall be established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas.
Microsoft Response: Access to all Microsoft buildings is controlled, and access is restricted to those with card reader (swiping the card reader with an authorized ID badge) or biometrics for entry into Data Centers. Front desk personnel are required to positively identify Full-Time Employees (FTEs) or authorized Contractors without ID cards. Staff must wear identity badges at all times, and are required to challenge or report individuals without badges. All guests are required to wear guest badges and be escorted by authorized Microsoft personnel.

Securing offices, rooms, and facilities is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9.1.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

FS-02 | Facility Security - User Access
Description: Physical access to information assets and functions by users and support personnel shall be restricted.
Microsoft Response: Access is restricted by job function so that only essential personnel receive authorization to manage Windows Azure services. Physical access authorization utilizes multiple authentication and security processes: badge and smartcard, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication for physical access to the data center environment.

In addition to the physical entry controls that are installed on various doors within the data center, the Microsoft Data Center Management organization has implemented operational procedures to restrict physical access to authorized employees, contractors and visitors:
- Authorization to grant temporary or permanent access to Microsoft data centers is limited to authorized staff. The requests and corresponding authorization decisions are tracked using a ticketing/access system.
- Badges are issued to personnel requiring access after verification of identification.
- The Microsoft Data Center Management organization performs a regular access list review. As a result of this audit, the appropriate actions are taken after the review.

Physical and environmental security is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls FS-03 through FS-05

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

FS-03 | Facility Security - Controlled Access Points
Description: Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.
Microsoft Response: Data center buildings are nondescript and do not advertise that Microsoft Data Center hosting services are provided at the location. Access to the data center facilities is restricted. The main interior or reception areas have electronic card access control devices on the perimeter door(s), which restrict access to the interior facilities. Rooms within the Microsoft Data Center that contain critical systems (servers, generators, electrical panels, network equipment, etc.) are restricted through various security mechanisms such as electronic card access control, keyed lock, anti-tailgating and/or biometric devices.

Physical security perimeter and environmental security is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9. For more information, review of the publicly available ISO standards we are certified against is suggested.

FS-04 | Facility Security - Secure Area Authorization
Description: Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
Microsoft Response: Public access, delivery, loading area and physical/environmental security is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9. For more information, review of the publicly available ISO standards we are certified against is suggested.

For additional information also see FS-03.

FS-05 | Facility Security - Unauthorized Persons Entry
Description: Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise and loss.
Microsoft Response: Public access, delivery, loading area and physical/environmental security is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9. For more information, review of the publicly available ISO standards we are certified against is suggested.

For additional information also see FS-03.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls FS-06 through FS-08

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

FS-06 | Facility Security - Off-Site Authorization
Description: Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises.
Microsoft Response: Microsoft asset and data protection procedures provide prescriptive guidance around the protection of logical and physical data and include instructions addressing relocation. Customers control where their data is stored. For additional details, see our Privacy Statement available at: http://www.microsoft.com/windowsazure/legal/.

Removal of property and change management is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.2.7 and 10.1.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

FS-07 | Facility Security - Off-Site Equipment
Description: Policies and procedures shall be established for securing and asset management for the use and secure disposal of equipment maintained and used outside the organization's premise.
Microsoft Response: Microsoft's asset management policy and acceptable use standards were developed and implemented for Windows Azure technology assets, infrastructure components and services technologies.

A customer facing version of the Information Security Policy can be made available upon request. Customers and prospective customers must have a signed NDA or equivalent in order to receive a copy of the Information Security Policy.

Security of equipment off-premises is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9.2.5. For more information, review of the publicly available ISO standards we are certified against is suggested.

FS-08 | Facility Security - Asset Management
Description: A complete inventory of critical assets shall be maintained with ownership defined and documented.
Microsoft Response: Windows Azure has implemented a formal policy that requires assets used to provide Windows Azure services to be accounted for and have a designated asset owner. An inventory of major hardware assets in the Windows Azure environment is maintained. Asset owners are responsible for maintaining up-to-date information regarding their assets within the asset inventory, including owner or any associated agent, location, and security classification. Asset owners are also responsible for classifying and maintaining the protection of their assets in accordance with the standards. Regular audits occur to verify inventory.

Asset management is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 7. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls HR-01 through HR-03

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

HR-01 | Human Resources Security - Background Screening
Description: Pursuant to local laws, regulations, ethics and contractual constraints all employment candidates, contractors and third parties will be subject to background verification proportional to the data classification to be accessed, the business requirements and acceptable risk.
Microsoft Response: All Microsoft US-based full-time employees (FTE) are required to successfully complete a standard background check as part of the hiring process. Background checks may include but are not limited to review of information relating to a candidate's education, employment, and criminal history.

HR-02 | Human Resources Security - Employment Agreements
Description: Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and customers shall contractually agree and sign the terms and conditions of their employment or service contract, which must explicitly include the parties' responsibility for information security.
Microsoft Response: All appropriate Microsoft employees take part in a Windows Azure sponsored security-training program, and are recipients of periodic security awareness updates when applicable. Security education is an on-going process and is conducted regularly in order to minimize risks. Microsoft also has non-disclosure provisions in our employee contracts.

All Windows Azure contractor staff and GFS staff are required to take any training determined to be appropriate to the services being provided and the role they perform.

Roles and responsibilities as well as information security awareness, education and training is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 8. For more information, review of the publicly available ISO standards we are certified against is suggested.

HR-03 | Human Resources - Employee Termination
Description: Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented and communicated.
Microsoft Response: Microsoft Corporate Human Resources Policy drives employee termination processes.

Termination or change of employment is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 8.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-01 through IS-02

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

IS-01 | Information Security - Management Program
Description: An Information Security Management Program (ISMP) has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas insofar as they relate to the characteristics of the business:
- Risk management
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
Microsoft Response: An overall ISMS for Windows Azure has been designed and implemented to address industry best practices around security and privacy.

A customer facing version of the Information Security Policy can be made available upon request. Customers and prospective customers must have a signed NDA or equivalent in order to receive a copy of the Information Security Policy.

Establishing and managing the ISMS and organization of information security is covered under the ISO 27001 standards, specifically addressed in Clause 4.2 and Annex A, domain 6. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-02 | Information Security - Management Support / Involvement
Description: Executive and line management shall take formal action to support information security through clear documented direction, commitment, explicit assignment and verification of assignment execution.
Microsoft Response: Each management-endorsed version of the Information Security Policy and all subsequent updates are distributed to all relevant stakeholders. The Information Security Policy is made available to all new and existing Windows Azure employees for review. All Windows Azure employees represent that they have reviewed, and agree to adhere to, all policies within the Information Security Policy documents. All Windows Azure Contractor Staff agree to adhere to the relevant policies within the Information Security Policy.

A customer facing version of the Information Security Policy can be made available upon request. Customers and prospective customers must have a signed NDA or equivalent in order to receive a copy of the Information Security Policy.

Management commitment to information security and management responsibility is covered under the ISO 27001 standards, specifically addressed in Clause 5 and Annex A, domain 6.1.1. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-03 through IS-05

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

IS-03 | Information Security - Policy
Description: Management shall approve a formal information security policy document which shall be communicated and published to employees, contractors and other relevant external parties. The Information Security Policy shall establish the direction of the organization and align to best practices, regulatory, federal/state and international laws where applicable. The Information Security policy shall be supported by a strategic plan and a security program with well-defined roles and responsibilities for leadership and officer roles.
Microsoft Response: For more information see IS-02.

Information security policy document is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 5.1.1. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-04 | Information Security - Baseline Requirements
Description: Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.
Microsoft Response: As part of the overall ISMS framework, baseline security requirements are constantly being reviewed, improved and implemented.

Information systems acquisition, development, maintenance and security requirements of information systems is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 12. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-05 | Information Security - Policy Reviews
Description: Management shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing effectiveness and accuracy.
Microsoft Response: The Windows Azure Information Security Policy undergoes a formal review and update process at a regularly scheduled interval not to exceed 1 year. In the event a significant change is required in the security requirements, it may be reviewed and updated outside of the regular schedule.

Review of the information security policy is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 5.1.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-06 through IS-07

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

IS-06 | Information Security - Policy Enforcement
Description: A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation and stated as such in the policies and procedures.
Microsoft Response: Windows Azure services staff suspected of committing breaches of security and/or violating the Information Security Policy equivalent to a Microsoft Code of Conduct violation are subject to an investigation process and appropriate disciplinary action up to and including termination. Contracting staff suspected of committing breaches of security and/or violations of the Information Security Policy are subject to formal investigation and action appropriate to the associated contract, which may include termination of such contracts.

Human Resources is responsible for coordinating disciplinary response.

Information security awareness, education, training and disciplinary process is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 8.2.2 and 8.2.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-07 | Information Security - User Access Policy
Description: User access policies and procedures shall be documented, approved and implemented for granting and revoking normal and privileged access to applications, databases, and server and network infrastructure in accordance with business, security, compliance and service level agreement (SLA) requirements.
Microsoft Response: Windows Azure has adopted applicable corporate and organizational security policies, including an Information Security Policy. The policies have been approved, published and communicated to Windows Azure. The Information Security Policy requires that access to Windows Azure assets be granted based on business justification, with the asset owner's authorization and limited based on "need-to-know" and "least-privilege" principles. In addition, the policy also addresses requirements for the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews.

Access control is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 11. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-08 through IS-09

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

IS-08 | Information Security - User Access Restriction / Authorization
Description: Normal and privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access being granted.
Microsoft Response: Windows Azure has adopted applicable corporate and organizational security policies, including an Information Security Policy. The policies have been approved, published and communicated to Windows Azure personnel. The Information Security Policy requires that access to Windows Azure assets be granted based on business justification, with the asset owner's authorization and limited based on "need-to-know" and "least-privilege" principles. In addition, the policy also addresses requirements for the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews.

User access management and privilege management is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 11.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-09 | Information Security - User Access Revocation
Description: Timely de-provisioning, revocation or modification of user access to the organization's systems, information assets and data shall be implemented upon any change in status of employees, contractors, customers, business partners or third parties. Any change in status is intended to include termination of employment, contract or agreement, change of employment or transfer within the organization.
Microsoft Response: Managers and owners of applications and data are responsible for reviewing who has access on a periodic basis. Regular access review audits occur to validate that appropriate access provisioning has occurred.

In the Windows Azure environment, customers are responsible for managing access to the applications they host on Windows Azure.

Removal of access rights is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 8.3.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-10 through IS-11

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

IS-10 | Information Security - User Access Reviews
Description: All levels of user access shall be reviewed by management at planned intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.
Microsoft Response: The Information Security Policy requires that access to Windows Azure assets be granted based on business justification, with the asset owner's authorization and limited based on "need-to-know" and "least-privilege" principles. In addition, the policy also addresses requirements for the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews. Managers and owners of applications and data are responsible for reviewing who has access on a periodic basis.

Customers control access by their own users and are responsible for ensuring appropriate review of such access.

Windows Azure customers register for the service by creating a subscription through the Windows Azure Portal web site. Customers manage applications and storage through their subscription using the Windows Azure management portal.

User access management and privilege management is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 11.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-11 | Information Security - Training / Awareness
Description: A security awareness training program shall be established for all contractors, third party users and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, process and policies, relating to their function relative to the organization.
Microsoft Response: All appropriate Microsoft staff take part in a Windows Azure and/or GFS sponsored security-training program, and are recipients of periodic security awareness updates when applicable. Security education is an on-going process and is conducted regularly in order to minimize risks. An example of an internal training is Microsoft Security 101. Microsoft also has non-disclosure provisions in our employee contracts.

All Windows Azure and/or GFS staff are required to take training determined to be appropriate to the services being provided and the role they perform.

Information security awareness, education and training is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 8.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-12 through IS-14

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

IS-12 | Information Security - Industry Knowledge / Benchmarking
Description: Industry security knowledge and benchmarking through networking, specialist security forums, and professional associations shall be maintained.
Microsoft Response: Microsoft is a member of several industry organizations and both attends and provides speakers to such events and organizations. Microsoft additionally holds several internal trainings.

Contact with special interest groups is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 6.1.7. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-13 | Information Security - Roles / Responsibilities
Description: Roles and responsibilities of contractors, employees and third party users shall be documented as they relate to information assets and security.
Microsoft Response: The Information Security Policy exists in order to provide Windows Azure Staff and Contractor Staff with a current set of clear and concise Information Security Policies, including their roles and responsibilities related to information assets and security. These policies provide direction for the appropriate protection of Windows Azure. The Information Security Policy has been created as a component of an overall Information Security Management System (ISMS) for Windows Azure. The Policy has been reviewed, approved, and is endorsed by Windows Azure management.

Roles and responsibilities of contractors, employees and third party users is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 8.1. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-14 | Information Security - Management Oversight
Description: Managers are responsible for maintaining awareness of and complying with security policies, procedures and standards that are relevant to their area of responsibility.
Microsoft Response: Each management-endorsed version of the Information Security Policy and all subsequent updates are distributed to all relevant stakeholders. The Information Security Policy is made available to all new and existing Staff for review. All Windows Azure Staff represent that they have reviewed, and agree to adhere to, all policies within the Policy documents. All Windows Azure Contractor Staff agree to adhere to the relevant policies within the Policy. Should one of these parties not have access to this policy for any reason, the supervising Microsoft agent is responsible for distributing the policy to them.

Management responsibility and management commitment to information security and responsibilities is covered under the ISO 27001 standards, specifically addressed in Clause 5 and Annex A, domain 6.1. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-15 through IS-17

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

IS-15 | Information Security - Segregation of Duties
Description: Policies, process and procedures shall be implemented to enforce and assure proper segregation of duties. In those events where user-role conflict of interest constraint exists, technical controls shall be in place to mitigate any risks arising from unauthorized or unintentional modification or misuse of the organization's information assets.
Microsoft Response: Segregation of duties is established on critical functions within the Windows Azure environment to minimize the risk of unintentional or unauthorized access or change to production systems. Duties and responsibilities are segregated and defined between Windows Azure operation teams. Asset owners/custodians approve different accesses and privileges in the production environment.

Segregation of duties is implemented in Windows Azure environments in order to minimize the potential of fraud, misuse, or error.

Segregation of duties is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.1.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-16 | Information Security - User Responsibility
Description: Users shall be made aware of their responsibilities for:
- Maintaining awareness and compliance with published security policies, procedures, standards and applicable regulatory requirements
- Maintaining a safe and secure working environment
- Leaving unattended equipment in a secure manner
Microsoft Response: All appropriate Microsoft employees take part in a Windows Azure and/or GFS security-training program, and are recipients of periodic security awareness updates when applicable. Security education is an on-going process and is conducted at minimum annually in order to minimize risks.

All appropriate Windows Azure and GFS contractor staff are required to take any training determined to be appropriate to the services being provided and the role they perform.

User responsibilities is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 11.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-17 | Information Security - Workspace
Description: Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity.
Microsoft Response: Technical and procedural controls are part of Microsoft's policies, including areas such as defined session time-out requirements.

User responsibilities is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 11.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-18 through IS-19

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

IS-18 | Information Security - Encryption
Description: Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).
Microsoft Response: Microsoft restricts access to customer data. Customers may implement encryption of customer data within the customer's application. Customers may encrypt data stored in XStore.

Microsoft provides customers the option of encrypting customer data transmitted to and from Microsoft data centers over public networks. Microsoft uses private networks with encryption for replication of non-public customer data between Microsoft data centers.

Exchange of information is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.8. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-19 | Information Security - Encryption Key Management
Description: Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission.
Microsoft Response: Microsoft has policies, procedures, and mechanisms established for effective key management to support encryption of data in storage and in transmission for the key components of the Windows Azure service.

Media handling is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 12.3.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Control IS-20

Control ID in CCM (CCM Version R1.1. Final) | Description | Microsoft Response

Windows Azure component teams get notifications of potential


vulnerabilities and the latest software updates from the Microsoft
Security Response Center (MSRC) and GFS. The component teams
analyze software updates relevance to Windows Azure production
environment and review the associated vulnerabilities based on
their criticality. Software updates are released through the monthly
OS release cycle using change and release management
procedures. Emergency out-of-band security software updates (0-
day & Software Security Incident Response Process - SSIRP
Policies and procedures shall be
updates) are deployed as quickly as possible. If customers use the
established and mechanism
IS-20 default "Auto Upgrade" option, software updates will be applied
implemented for vulnerability and
their VMs automatically. Otherwise, customers have the option to
patch management, ensuring that
Information upgrade to the latest OS image through the portal. In case of a VM
application, system, and network
Security - role, customers are responsible for evaluating and updating their
device vulnerabilities are evaluated
Vulnerability VMs.
and Contractor-supplied security
/ Patch
patches applied in a timely manner
Management Microsofts Security Response Center (MSRC) regularly monitors
taking a risk-based approach for
external security vulnerability awareness sites. As part of the
prioritizing critical patches.
routine vulnerability management process, Windows Azure
evaluates our exposure to these vulnerabilities and leads action
across Microsoft Server and Tools Business (STB) to mitigate risks
when necessary.

Control of technical vulnerabilities is covered under the ISO


27001 standards, specifically addressed in Annex A, domain 12.6.
For more information review of the publicly available ISO standards
we are certified against is suggested.
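
The "Auto Upgrade" choice above is a customer-side setting. The two alternative configurations below are an added illustration, not part of the original document: in a Windows Azure cloud service the choice is expressed in the ServiceConfiguration.cscfg, where osVersion="*" lets the platform move the role instances forward on each monthly guest OS release, while a pinned version string keeps the role on that image until the customer changes it. The service name, role name and the pinned version string are placeholders, not real values.

```xml
<!-- Alternative 1: automatic guest OS upgrades (the default the response refers to) -->
<ServiceConfiguration serviceName="ExampleService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"
    osFamily="2" osVersion="*">
  <Role name="ExampleWebRole">
    <Instances count="2" />
  </Role>
</ServiceConfiguration>

<!-- Alternative 2: pinned guest OS. No platform update is applied until osVersion
     is changed, so the customer owns the patch schedule. The version string is a
     placeholder; the real value is the release string shown in the portal. -->
<ServiceConfiguration serviceName="ExampleService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"
    osFamily="2" osVersion="WA-GUEST-OS-2.x_YYYYMM-NN">
  <Role name="ExampleWebRole">
    <Instances count="2" />
  </Role>
</ServiceConfiguration>
```

A pinned osVersion is the thing to look for in a configuration review: it is what turns the monthly platform release into a manual step, and, as the response states, VM roles sit outside this mechanism altogether and are patched by the customer.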

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-21 through IS-22

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

IS-21 Information Security - Anti-Virus / Malicious Software
Description: Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software, with antivirus signature updates at least every 12 hours.
Microsoft Response: The Windows Azure Security group responds to malicious events, including escalating and engaging specialized support groups. A number of key security parameters are monitored to identify potentially malicious activity on the systems.
Protection against malicious code is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.4. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-22 Information Security - Incident Management
Description: Policy, process and procedures shall be established to triage security related events and ensure timely and thorough incident management.
Microsoft Response: Incident handling and management roles and responsibilities have been defined for the Incident Engineer, Incident Manager, Communication Manager and the Feature teams.
Windows Azure Operations Managers are responsible for overseeing investigation and resolution of security and privacy incidents with support from other functions. Processes for escalating and engaging other functions for investigating and analyzing incidents are established.
An escalation and communication plan to notify Privacy, Legal or Executive Management in the event of a security incident has been established.
Our process consists of the following steps: identification, containment, eradication, recovery, and lessons learned.
Security incident response plans are covered under the ISO 27001 standards, specifically addressed in Annex A, domain 13.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Control IS-23

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

IS-23 Information Security - Incident Reporting
Description: Contractors, employees and third party users shall be made aware of their responsibility to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.
Microsoft Response: Windows Azure has developed robust processes to facilitate a coordinated response to incidents if one were to occur. A security event may include, among other things, unauthorized access resulting in loss, disclosure or alteration of data.
The Windows Azure Incident Response process follows these phases:
- Identification: System and security alerts may be harvested, correlated, and analyzed. Events are investigated by Microsoft operational and security organizations. If an event indicates a security issue, the incident is assigned a severity classification and appropriately escalated within Microsoft. This escalation will include product, security, and engineering specialists.
- Containment: The escalation team evaluates the scope and impact of an incident. The immediate priority of the escalation team is to ensure the incident is contained and data is safe. The escalation team forms the response, performs appropriate testing, and implements changes. In the case where in-depth investigation is required, content is collected from the subject systems using best-of-breed forensic software and industry best practices.
- Eradication: After the situation is contained, the escalation team moves toward eradicating any damage caused by the security breach, and identifies the root cause of the security issue. If a vulnerability is determined, the escalation team reports the issue to product engineering.
- Recovery: During recovery, software or configuration updates are applied to the system and services are returned to full working capacity.
- Lessons Learned: Each security incident is analyzed to ensure the appropriate mitigations are applied to protect against future recurrence.
If Windows Azure personnel determine that a customer's data was breached or otherwise subject to unauthorized access, the customer will be notified.
Reporting security weaknesses and responsibilities and procedures are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 13.1.2 and 13.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-24 through IS-26

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

IS-24 Information Security - Incident Response Legal Preparation
Description: In the event a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures including chain of custody shall be required for collection, retention, and presentation of evidence to support potential legal action subject to the relevant jurisdiction.
Microsoft Response: As part of the 'containment' step in our Security Incident Response Process, the immediate priority of the escalation team is to ensure the incident is contained and data is safe. The escalation team forms the response, performs appropriate testing, and implements changes.
Security incident response plans and collection of evidence are covered under the ISO 27001 standards, specifically addressed in Annex A, domain 13.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-25 Information Security - Incident Response Metrics
Description: Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.
Microsoft Response: Information security incidents are classified into severity levels and processed according to the severity level. Regular reporting of incidents is carried out for management reporting.
Management of information security incidents and learning from information security incidents are covered under the ISO 27001 standards, specifically addressed in Annex A, domain 13.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-26 Information Security - Acceptable Use
Description: Policies and procedures shall be established for the acceptable use of information assets.
Microsoft Response: Customer Data will be used only to provide the customer the Windows Azure service. This may include troubleshooting aimed at preventing, detecting and repairing problems affecting the operation of the services, and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam).
More information on Microsoft's commitment around use of customer data can be found in the Privacy Statement and Online Services Use Rights available at: http://www.microsoft.com/windowsazure/legal/.
Acceptable use is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 7.1.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-27 through IS-29

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

IS-27 Information Security - Asset Returns
Description: Employees, contractors and third party users must return all assets owned by the organization within a defined and documented time frame once the employment, contract or agreement has been terminated.
Microsoft Response: Employees, contractors and third party users are formally notified to destroy or return, as applicable, any physical materials that Microsoft has provided to them during the term of employment or the period of the Contractor agreement, and any electronic media must be removed from Contractor or third party infrastructure. Microsoft may also conduct an audit to make sure data is removed in an appropriate manner.
Return of assets is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 8.3.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-28 Information Security - eCommerce Transactions
Description: Electronic commerce (e-commerce) related data traversing public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner as to prevent contract dispute and compromise of data.
Microsoft Response: Windows Azure does not provide e-commerce solutions.

IS-29 Information Security - Audit Tools Access
Description: Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.
Microsoft Response: Access to information systems audit tools is restricted to authorized personnel within Windows Azure.
A delegated management model enables administrators to have only the access they need to perform specific tasks, reducing the potential for error and allowing access to systems and functions strictly on an as-needed basis. Windows Azure has formal monitoring processes, including the frequency of review for Standard Operating Procedures and review oversight processes and procedures.
Protection of information systems audit tools and protection of log information are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 15.3.2 and 10.10.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-30 through IS-31

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

IS-30 Information Security - Diagnostic / Configuration Ports Access
Description: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
Microsoft Response: Access control policy is a component of overall policies and undergoes a formal review and update process. Access to Windows Azure's assets is granted based upon business requirements and with the asset owner's authorization. Additionally:
- Access to assets is granted based upon need-to-know and least-privilege principles.
- Where feasible, role-based access controls are used to allocate logical access to a specific job function or area of responsibility, rather than to an individual.
- Physical and logical access control policies are consistent with standards.
Windows Azure controls physical access to diagnostic and configuration ports through physical data center controls. Diagnostic and configuration ports are only accessible by arrangement between the service/asset owner and the hardware/software support personnel requiring access. Ports, services, and similar facilities installed on a computer or network facility which are not specifically required for business functionality are disabled or removed.
Network controls and access controls are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 10.6.1, 11.1.1, and 11.4.4. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-31 Information Security - Network / Infrastructure Services
Description: Network and infrastructure service level agreements (in-house or outsourced) shall clearly document security controls, capacity and service levels, and business or customer requirements.
Microsoft Response: Capacity management: Proactive monitoring continuously measures the performance of key subsystems of the Windows Azure services platform against the established boundaries for acceptable service performance and availability. When a threshold is reached or an irregular event occurs, the monitoring system generates warnings so that operations staff can address the threshold or event. System performance and capacity utilization are proactively planned to optimize the environment.
The main underlying network infrastructure is currently managed by GFS. SLAs with service providers or equipment manufacturers are qualified by GFS's ISO 27001 certification.
Addressing security in third party agreements and security of network services are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 6.2.3 and 10.6.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls IS-32 through LG-01

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

IS-32 Information Security - Portable / Mobile Devices
Description: Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization's facilities).
Microsoft Response: Windows Azure teams and personnel are required to adhere to applicable policies, which do not permit mobile computing devices in the production environment unless those devices have been approved for use by Windows Azure Management. Mobile computing access points are required to adhere to the wireless device security requirements.
Access control to mobile computing and communications is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 11.7.1. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-33 Information Security - Source Code Access Restriction
Description: Access to application, program or object source code shall be restricted to authorized personnel on a need to know basis. Records shall be maintained regarding the individual granted access, reason for access and version of source code exposed.
Microsoft Response: Windows Azure source code libraries are limited to authorized personnel. Where feasible, source code libraries maintain separate project work spaces for independent projects. Windows Azure personnel and Windows Azure Contractors are granted access only to those work spaces which they need to perform their duties. Source code libraries enforce control over changes to source code by requiring a review from designated reviewers prior to submission. An audit log detailing modifications to the source code library is maintained.
Access control and access control to program source code are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 11 and 12.4.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-34 Information Security - Utility Programs Access
Description: Utility programs capable of potentially overriding system, object, network, virtual machine and application controls shall be restricted.
Microsoft Response: Utility programs go through the change and release management process and are restricted to authorized personnel only.
User authentication for external connections is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 11.4.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

LG-01 Legal - Non-Disclosure Agreements
Description: Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented and reviewed at planned intervals.
Microsoft Response: Microsoft Legal and Human Resources maintain policies and procedures defining the implementation and execution of non-disclosure and confidentiality agreements.
Confidentiality agreements and non-disclosure agreements are covered under the ISO 27001 standards, specifically addressed in Annex A, domain 6.1.5. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls LG-02 through OP-01

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

LG-02 Legal - Third Party Agreements
Description: Third party agreements that directly, or indirectly, impact the organization's information assets or data are required to include explicit coverage of all relevant security requirements. This includes agreements involving processing, accessing, communicating, hosting or managing the organization's information assets, or adding or terminating services or products to existing information assets. Agreement provisions shall include security (e.g., encryption, access controls, and leakage prevention) and integrity controls for data exchanged to prevent improper disclosure, alteration or destruction.
Microsoft Response: Windows Azure services standards specify that the Windows Azure Risk Management organization approves certain exchanges with parties outside of Windows Azure services. As part of this process, the Windows Azure Risk Management organization ensures that exchanges of sensitive assets with non-Microsoft parties are made only in connection with a formal procedure. Third party agreements include proper security requirements in the contracts.
Addressing security in third party agreements is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 6.2.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

OP-01 Operations Management - Policy
Description: Policies and procedures shall be established and made available for all personnel to adequately support the services operations role.
Microsoft Response: Consistent with Microsoft policy, hiring managers define job requirements prior to recruiting, interviewing, and hiring. Job requirements include the primary responsibilities and tasks involved in the job, background characteristics needed to perform the job, and personal characteristics required. Once the requirements are determined, managers create a job description, which is a profile of the job and is used to identify potential candidates. When viable candidates are identified, the interview process begins to evaluate candidates and to make an appropriate hiring decision.
Information security policy is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 5.1. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls OP-02 through OP-04

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

OP-02 Operations Management - Documentation
Description: Information system documentation (e.g., administrator and user guides, architecture diagrams, etc.) shall be made available to authorized personnel to ensure the following:
- Configuring, installing, and operating the information system
- Effectively using the system's security features
Microsoft Response: Standard Operating Procedures are formally documented and approved by Windows Azure management. The standard operating procedures are reviewed at least once per year. Microsoft Windows Azure makes available comprehensive guidance, help, training and troubleshooting materials as part of the Windows Azure service. The Windows Azure documentation is stored in centrally located sites.
Access to system documentation is restricted to the respective Windows Azure teams based on their job roles.
Documented operating procedures and security of system documentation are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 10.1.1 and 10.7.4. For more information, review of the publicly available ISO standards we are certified against is suggested.

OP-03 Operations Management - Capacity / Resource Planning
Description: The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with regulatory, contractual and business requirements. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
Microsoft Response: Windows Azure has the following operational processes in place: proactive capacity management based on defined thresholds or events; hardware and software subsystem monitoring for acceptable service performance and availability, service utilization, storage utilization and network latency. Customers are responsible for monitoring and planning the capacity needs of their applications.
Capacity management is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.3.1. For more information, review of the publicly available ISO standards we are certified against is suggested.

OP-04 Operations Management - Equipment Maintenance
Description: Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations.
Microsoft Response: A process for the development and maintenance of Services Continuity Management (SCM) is in place for the Windows Azure environment. The process contains a strategy for the recovery of Windows Azure assets and the resumption of key Windows Azure business processes. The continuity solution reflects the security, compliance and privacy requirements of the service production environment at the alternate site. Customers are responsible for deploying their applications in multiple locations for geo-redundancy.
Equipment maintenance is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9.2.4. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls RI-01 through RI-03

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

RI-01 Risk Management - Program
Description: Organizations shall develop and maintain an enterprise risk management framework to manage risk to an acceptable level.
Microsoft Response: The ISO Plan, Do, Check, Act process is used by Windows Azure services to continually maintain and improve the risk management framework.
Establishing the ISMS and risk management framework is covered under the ISO 27001 standards, specifically addressed in Clause 4.2.1. For more information, review of the publicly available ISO standards we are certified against is suggested.

RI-02 Risk Management - Assessments
Description: Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
Microsoft Response: The Windows Azure Risk Management organization bases the risk assessment framework on the ISO 27001 standards. An integrated part of the methodology is the Risk Assessment process. The Risk Assessment "Assess" phase begins with identifying risks, establishing a risk level by determining the likelihood of occurrence and impact, and finally, identifying controls and safeguards that reduce the impact of the risk to an acceptable level. Accordingly, measures, recommendations and controls are put in place to mitigate the risks to the extent possible.
Establishing and managing the ISMS is covered under the ISO 27001 standards, specifically addressed in Clause 4.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

RI-03 Risk Management - Mitigation / Acceptance
Description: Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and executive approval.
Microsoft Response: The Windows Azure Risk Management organization bases the risk assessment framework on the ISO 27001 standards. An integrated part of the methodology is the Risk Assessment process.
The Risk Assessment "Assess" phase begins with identifying risks, establishing a risk level by determining the likelihood of occurrence and impact, and finally, identifying controls and safeguards that reduce the impact of the risk to an acceptable level. Accordingly, measures, recommendations and controls are put in place to mitigate the risks to the extent possible.
Establishing and managing the ISMS is covered under the ISO 27001 standards, specifically addressed in Clause 4.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls RI-04 through RI-05

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

RI-04 Risk Management - Business / Policy Change Impacts
Description: Risk assessment results shall include updates to security policies, procedures, standards and controls to ensure they remain relevant and effective.
Microsoft Response: Decisions to update policies and procedures are based on the risk assessment reports. Risk Assessments are regularly reviewed based on periodicity and changes emerging in the risk landscape.
Establishing the ISMS and risk management framework is covered under the ISO 27001 standards, specifically addressed in Clause 4.2.1. For more information, review of the publicly available ISO standards we are certified against is suggested.

RI-05 Risk Management - Third Party Access
Description: The identification, assessment, and prioritization of risks posed by business processes requiring third party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure the likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
Microsoft Response: Access control policy is a component of overall policies and undergoes a formal review and update process. Access to Windows Azure services assets is granted based upon business requirements and with the asset owner's authorization. Additionally:
- Access to assets is granted based upon need-to-know and least-privilege principles.
- Where feasible, role-based access controls are used to allocate logical access to a specific job function or area of responsibility, rather than to an individual.
- Physical and logical access control policies are consistent with standards.
Identification of risks related to external parties and access control are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 6.2.1 and 11. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix
Controls RM-01 through RM-02

Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

RM-01 Release Management - New Development / Acquisition
Description: Policies and procedures shall be established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities.
Microsoft Response: Windows Azure has established software development and release management processes to control implementation of major changes, including:
- The identification and documentation of the planned change
- Identification of business goals, priorities and scenarios during product planning
- Specification of feature/component design
- Operational readiness review based on pre-defined criteria/check-list to assess overall risk/impact
- Testing, authorization and change management based on entry/exit criteria for the DEV (development), INT (integration testing), STAGE (pre-production) and PROD (production) environments as appropriate
Customers are responsible for the applications they host in Windows Azure.
Change management is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.1.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

RM-02 Release Management - Production Changes
Description: Changes to the production environment shall be documented, tested and approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications.
Microsoft Response: For more information see RM-01.

Windows Azure Response in the Context of CSA Cloud Control
Matrix Controls RM-03 through RM-05

Control ID Description
Microsoft Response
In CCM (CCM Version R1.1. Final)

RM-03 Release Management - Quality Testing

Description: A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all software developed by the organization. Quality evaluation and acceptance criteria for information systems, upgrades, and new versions shall be established, documented and tests of the system(s) shall be carried out both during development and prior to acceptance to maintain security. Management shall have a clear oversight capacity in the quality testing process with the final product being certified as "fit for purpose" (the product should be suitable for the intended purpose) and "right first time" (mistakes should be eliminated) prior to release.

Microsoft Response: Changes to the underlying operating systems (OS) within the Windows Azure platform are reviewed and tested, at a minimum, for their quality, performance, impact on other systems, recovery objectives and security features before they are moved into production.

Changes are tested in various test environments and signed off prior to deployment into production.

Security in development and support processes is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 12.5. For more information, review of the publicly available ISO standards we are certified against is suggested.

RM-04 Release Management - Outsourced Development

Description: A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all outsourced software development. The development of all outsourced software shall be supervised and monitored by the organization and must include security requirements, independent security review of the outsourced environment by a certified individual, certified security training for outsourced software developers, and code reviews. Certification for the purposes of this control shall be defined as either an ISO/IEC 17024 accredited certification or a legally recognized license or certification in the legislative jurisdiction the organization outsourcing the development has chosen as its domicile.

Microsoft Response: Microsoft applies Security Development Lifecycle, a software security assurance process, to design, develop, and implement Windows Azure services. Security Development Lifecycle helps to ensure that communication and collaboration services are highly secured even at the foundation level. Through controls like Establish Design Requirements, Analyze Attack Surface, and Threat Modeling, Security Development Lifecycle helps Microsoft identify: potential threats while running a service, and exposed aspects of the service that are open to attack. If potential threats are identified at the Design, Development, or Implementation phases, Microsoft can minimize the probability of attacks by restricting services or eliminating unnecessary functions. After eliminating the unnecessary functions, Microsoft reduces these potential threats in the Verification phase by fully testing the controls in the Design phase. More information can be found in: http://www.microsoft.com/security/sdl/

Security in development and support processes is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 12.5. For more information, review of the publicly available ISO standards we are certified against is suggested.
RM-05 Release Management - Unauthorized Software Installations

Description: Policies and procedures shall be established and mechanisms implemented to restrict the installation of unauthorized software.

Microsoft Response: All changes into production go through the Change Management process described in RM-01.

Windows Azure Response in the Context of CSA Cloud Control Matrix Controls RS-01 through RS-02

Control ID in CCM (CCM Version R1.1. Final) / Description / Microsoft Response

RS-01 Resiliency - Management Program

Description: Policy, process and procedures defining business continuity and disaster recovery shall be put in place to minimize the impact of a realized risk event on the organization to an acceptable level and facilitate recovery of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) through a combination of preventive and recovery controls, in accordance with regulatory, statutory, contractual, and business requirements and consistent with industry standards. This management program shall be communicated to all organizational participants with a need to know basis prior to adoption and shall also be published, hosted, stored, recorded and disseminated to multiple facilities which must be accessible in the event of an incident.

Microsoft Response: An Enterprise Business Continuity Management (EBCM) framework has been established for Microsoft and applied to individual business units including the Server and Tools Business (STB) under which Windows Azure falls. The designated STB Business Continuity Program Office (BCPO) works with Windows Azure management to identify critical processes and assess risks. The STB BCPO provides guidance to the Windows Azure teams on the EBCM framework and BCM roadmap, which includes the following components:
- Governance;
- Impact Tolerance;
- Business Impact Analysis;
- Dependencies Analysis (Non-Technical and Technical);
- Resiliency Strategies;
- Planning;
- Testing; and
- Training and Awareness.

Information security aspects of business continuity management are covered under the ISO 27001 standards, specifically addressed in Annex A, domain 14.1. For more information, review of the publicly available ISO standards we are certified against is suggested.
RS-02 Resiliency - Impact Analysis

Description: There shall be a defined and documented method for determining the impact of any disruption to the organization which must incorporate the following:
- Identify critical products and services
- Identify all dependencies, including processes, applications, business partners and third party service providers
- Understand threats to critical products and services
- Determine impacts resulting from planned or unplanned disruptions and how these vary over time
- Establish the maximum tolerable period for disruption
- Establish priorities for recovery
- Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
- Estimate the resources required for resumption

Microsoft Response: A Business Impact Analysis is performed and reviewed at appropriate intervals. The analysis includes:
- The identification of threats relevant to the Windows Azure business environment and process.
- An assessment of the identified threats including potential impact and expected damage.
- A management endorsed strategy for the mitigation of significant threats identified, and for the recovery of critical business processes.

Business Impact Assessment, Dependency Analysis and Risk Assessments are performed/updated at least on an annual basis. Customers are responsible for performing impact analysis for their applications and design to meet their Recovery Time Objective (RTO)/Recovery Point Objective requirements.

Information security aspects of business continuity management are covered under the ISO 27001 standards, specifically addressed in Annex A, domain 14.1. For more information, review of the publicly available ISO standards we are certified against is suggested.



Windows Azure Response in the Context of CSA Cloud Control Matrix Controls RS-03 through RS-05

Control ID in CCM (CCM Version R1.1. Final) / Description / Microsoft Response

RS-03 Resiliency - Business Continuity Planning

Description: A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements. Requirements for business continuity plans include the following:
- Defined purpose and scope, aligned with relevant dependencies
- Accessible to and understood by those who will use them
- Owned by a named person(s) who is responsible for their review, update and approval
- Defined lines of communication, roles and responsibilities
- Detailed recovery procedures, manual work-around and reference information
- Method for plan invocation

Microsoft Response: The Business Continuity Program Office maintains a plan framework that is consistent with industry and Microsoft best practices and that drives the continuity program at all levels. The framework includes:
- Assignment of key resource responsibilities
- Notification, escalation and declaration processes
- Recovery Time Objectives and Recovery Point Objectives
- Continuity plans with documented procedures
- Training program for preparing all appropriate parties to execute the Continuity Plan
- A testing, maintenance, and revision process

Customers are responsible for deploying applications in multiple data centers for geo redundancy.

Information security aspects of business continuity management are covered under the ISO 27001 standards, specifically addressed in Annex A, domain 14.1. For more information, review of the publicly available ISO standards we are certified against is suggested.

RS-04 Resiliency - Business Continuity Testing

Description: Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.

Microsoft Response: Recovery plans are validated on a regular basis per industry best practices to ensure that solutions are viable at time of event.

Testing, maintaining and re-assessing business continuity plans is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 14.1.5. For more information, review of the publicly available ISO standards we are certified against is suggested.
RS-05 Resiliency - Environmental Risks

Description: Physical protection against damage from natural causes and disasters as well as deliberate attacks including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear mishap, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed and countermeasures applied.

Microsoft Response: Environmental controls have been implemented to protect the data center including:
- Temperature control
- Heating, Ventilation and Air Conditioning (HVAC)
- Fire detection and suppression systems
- Power Management systems

Protecting against external and environmental threats is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9.1.4. For more information, review of the publicly available ISO standards we are certified against is suggested.



Windows Azure Response in the Context of CSA Cloud Control Matrix Controls RS-06 through RS-08

Control ID in CCM (CCM Version R1.1. Final) / Description / Microsoft Response

RS-06 Resiliency - Equipment Location

Description: To reduce the risks from environmental threats, hazards and opportunities for unauthorized access, equipment shall be located away from locations subject to high probability environmental risks and supplemented by redundant equipment located a reasonable distance away.

Microsoft Response: Windows Azure services equipment is placed in environments which have been engineered to be protective from theft and environmental risks such as fire, smoke, water, dust, vibration, earthquake, and electrical interference.

Protecting against external and environmental threats and equipment siting protection are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.1.4 and 9.2.1. For more information, review of the publicly available ISO standards we are certified against is suggested.
RS-07 Resiliency - Equipment Power Failures

Description: Security mechanisms and redundancies shall be implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.).

Microsoft Response: The data centers have dedicated 24x7 uninterruptible power supply (UPS) and emergency power support, which may include generators. Regular maintenance and testing are conducted for both the UPS and generators. Data centers have made arrangements for emergency fuel delivery.

The data center has a dedicated Facility Operations Center to monitor the following:
- Power systems, including all critical electrical components: generators, transfer switch, main switchgear, power management module and uninterruptible power supply equipment.
- The Heating, Ventilation and Air Conditioning (HVAC) system, which controls and monitors space temperature and humidity within the data centers, space pressurization and outside air intake.
- Fire Detection and Suppression systems, which exist at all data centers.

Additionally, portable fire extinguishers are available at various locations in the data center. Routine maintenance is performed on facility and environmental protection equipment.

Protecting against external and environmental threats and supporting utilities are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.1.4 and 9.2.2. For more information, review of the publicly available ISO standards we are certified against is suggested.



RS-08 Resiliency - Power / Telecommunications

Description: Telecommunications equipment, cabling and relays transecting data or supporting services shall be protected from interception or damage and designed with redundancies, alternative power source and alternative routing.

Microsoft Response: Cabling security and supporting utilities are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.2.3 and 9.2.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

For more information see RS-07.

Windows Azure Response in the Context of CSA Cloud Control Matrix Controls SA-01 through SA-02

Control ID in CCM (CCM Version R1.1. Final) / Description / Microsoft Response

SA-01 Security Architecture - Customer Access Requirements

Description: Prior to granting customers access to data, assets and information systems, all identified security, contractual and regulatory requirements for customer access shall be addressed and remediated.

Microsoft Response: Prior to engaging in Windows Azure Services, customers are required to review and agree to a service agreement, which includes online service use rights (including an acceptable policy), the Windows Azure Platform Privacy Statement and Technical Overview of the Security Features in Windows Azure Platform.

Identification of risks related to external parties and access control policy are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 6.2.2 and 11.1.1. For more information, review of the publicly available ISO standards we are certified against is suggested.
SA-02 Security Architecture - User ID Credentials

Description: Implement and enforce (through automation) user credential and password controls for applications, databases and server and network infrastructure, requiring the following minimum standards:
- User identity verification prior to password resets.
- If password reset initiated by personnel other than user (i.e., administrator), password must be immediately changed by user upon first use.
- Timely access revocation for terminated users.
- Remove/disable inactive user accounts at least every 90 days.
- Unique user IDs and disallow group, shared, or generic accounts and passwords.
- Password expiration at least every 90 days.
- Minimum password length of at least seven (7) characters.
- Strong passwords containing both numeric and alphabetic characters.
- Allow password re-use after the last four (4) passwords used.
- User ID lockout after not more than six (6) attempts.
- User ID lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
- Re-enter password to reactivate terminal after session idle time for more than 15 minutes.
- Maintain user activity logs for privileged access.

Microsoft Response: Password policies for corporate domain accounts are managed through Microsoft corporate Active Directory policy that specifies minimum requirements for password length, complexity and expiry. The temporary passwords are communicated to the users using MSIT established processes.

All services and infrastructure must at a minimum meet MSIT requirements, but an internal organization can increase the strength past this standard, on their own discretion and to meet their security needs.

Customers are responsible for keeping passwords from being disclosed to unauthorized parties and for choosing passwords with sufficient entropy as to be effectively non-guessable.

User password management and user registration are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 11.2.1 and 11.2.3. For more information, review of the publicly available ISO standards we are certified against is suggested.
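The Python script below is an added illustration of the SA-02 minimum standards listed above; it is not part of Microsoft's response and does not describe the Microsoft corporate Active Directory policy. It audits a constructed account inventory for the 90-day inactivity and expiry rules and for non-unique and shared/generic IDs, checks candidate passwords against the length, character-mix and last-four-passwords rules, and tracks the six-attempt / 30-minute lockout. The inventory, the account names and the naming hints used to recognise shared accounts are assumptions made for this example.

```python
"""Added example, not part of the Microsoft RFI response: an account-hygiene
audit and lockout tracker modelling the SA-02 minimum standards quoted above.
Thresholds are the values in the control text; the inventory and the naming
hints for shared accounts are constructed assumptions, not Microsoft data."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 90            # remove/disable inactive accounts at least every 90 days
PASSWORD_MAX_AGE_DAYS = 90    # password expiration at least every 90 days
MIN_LENGTH = 7                # minimum password length of seven characters
HISTORY_DEPTH = 4             # no re-use of the last four passwords
LOCKOUT_THRESHOLD = 6         # lockout after not more than six attempts
LOCKOUT_DURATION = timedelta(minutes=30)  # lockout duration of at least 30 minutes
# Assumption: shared/generic accounts are recognisable by name; a real
# inventory would carry an explicit account-type attribute instead.
SHARED_NAME_HINTS = ("shared", "admin", "service", "generic", "team")


@dataclass
class Account:
    user_id: str
    last_logon: datetime
    password_set: datetime
    password_history: list = field(default_factory=list)  # most recent last


def password_meets_policy(candidate, history):
    """Return the SA-02 password rules the candidate violates (empty list = OK)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("length")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("alpha+numeric")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append("reuse-of-last-%d" % HISTORY_DEPTH)
    return problems


def audit_accounts(accounts, now):
    """Map user_id -> findings: inactive, password expired, non-unique ID, shared/generic."""
    findings = {}
    id_counts = Counter(a.user_id.lower() for a in accounts)
    for a in accounts:
        issues = []
        if (now - a.last_logon).days > INACTIVE_DAYS:
            issues.append("inactive>90d")
        if (now - a.password_set).days > PASSWORD_MAX_AGE_DAYS:
            issues.append("password-expired")
        if id_counts[a.user_id.lower()] > 1:
            issues.append("non-unique-id")
        if any(h in a.user_id.lower() for h in SHARED_NAME_HINTS):
            issues.append("shared-or-generic")
        if issues:
            findings[a.user_id] = issues
    return findings


class LockoutTracker:
    """Lock a user ID after LOCKOUT_THRESHOLD failures for LOCKOUT_DURATION."""

    def __init__(self):
        self.failures = {}      # user_id -> consecutive failed attempts
        self.locked_until = {}  # user_id -> time the lockout expires

    def is_locked(self, user_id, now):
        until = self.locked_until.get(user_id)
        if until is not None and now < until:
            return True
        if until is not None:  # lockout elapsed: clear state so the user may retry
            del self.locked_until[user_id]
            self.failures[user_id] = 0
        return False

    def record_failure(self, user_id, now):
        """Register a failed attempt; return True if the ID is now locked."""
        if self.is_locked(user_id, now):
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= LOCKOUT_THRESHOLD:
            self.locked_until[user_id] = now + LOCKOUT_DURATION
            return True
        return False


def sample_inventory(now):
    """Constructed inventory: one clean, one inactive, one shared/expired, one duplicate ID."""
    return [
        Account("alice", now - timedelta(days=3), now - timedelta(days=10),
                ["w1nter2010", "spr1ng2011"]),
        Account("bob", now - timedelta(days=120), now - timedelta(days=20)),
        Account("ops-shared", now - timedelta(days=1), now - timedelta(days=100)),
        Account("Alice", now - timedelta(days=2), now - timedelta(days=5)),
    ]


def demo():
    """Run the audit and a six-failure lockout sequence over the constructed data."""
    now = datetime(2011, 3, 15, tzinfo=timezone.utc)
    findings = audit_accounts(sample_inventory(now), now)
    tracker = LockoutTracker()
    progression = [tracker.record_failure("bob", now + timedelta(seconds=i))
                   for i in range(LOCKOUT_THRESHOLD)]
    still_locked = tracker.is_locked("bob", now + timedelta(minutes=29))
    released = tracker.is_locked("bob", now + timedelta(minutes=31))
    return findings, progression, still_locked, released
```

In a directory-backed environment the same checks would read the inventory from the directory rather than from an in-memory list. The split between audit_accounts (a periodic review) and LockoutTracker (enforcement at logon time) reflects the control text: the 90-day rules are review controls, while lockout has to be an automated control to satisfy the "through automation" wording of SA-02.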



Windows Azure Response in the Context of CSA Cloud Control Matrix Controls SA-03 through SA-04

Control ID in CCM (CCM Version R1.1. Final) / Description / Microsoft Response

SA-03 Security Architecture - Data Security / Integrity

Description: Policies and procedures shall be established and mechanisms implemented to ensure security (e.g., encryption, access controls, and leakage prevention) and integrity of data exchanged between one or more system interfaces, jurisdictions, or with a third party shared services provider to prevent improper disclosure, alteration or destruction complying with legislative, regulatory, and contractual requirements.

Microsoft Response: To minimize the risks associated with the exchange of assets between organizations, exchanges between internal or external organizations are completed in a predefined manner, and access to the Windows Azure production environments by staff and contractor staff is tightly controlled.

Information exchange policies and procedures and information leakage are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 10.8.1 and 12.5.4. For more information, review of the publicly available ISO standards we are certified against is suggested.

SA-04 Security Architecture - Application Security

Description: Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and comply with applicable regulatory and business requirements.

Microsoft Response: Security Development Lifecycle: Microsoft applies Security Development Lifecycle, a software security assurance process, to design, develop, and implement Windows Azure services. Security Development Lifecycle helps to ensure that communication and collaboration services are highly secured even at the foundation level. Through controls like Establish Design Requirements, Analyze Attack Surface, and Threat Modeling, Security Development Lifecycle helps Microsoft identify: potential threats while running a service, and exposed aspects of the service that are open to attack.

If potential threats are identified at the Design, Development, or Implementation phases, Microsoft can minimize the probability of attacks by restricting services or eliminating unnecessary functions. After eliminating the unnecessary functions, Microsoft reduces these potential threats in the Verification phase by fully testing the controls in the Design phase. More information can be found in: http://www.microsoft.com/security/sdl/

Control of technical vulnerabilities is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 12.6.1. For more information, review of the publicly available ISO standards we are certified against is suggested.



Windows Azure Response in the Context of CSA Cloud Control Matrix Controls SA-05 through SA-06

Control ID in CCM (CCM Version R1.1. Final) / Description / Microsoft Response

SA-05 Security Architecture - Data Integrity

Description: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data.

Microsoft Response: Windows Azure defines acceptable standards to ensure that data inputs to application systems are accurate and within the expected range of values. Where appropriate, data inputs should be sanitized or otherwise rendered safe before being input to an application system.

Internal processing controls are implemented within the Windows Azure environment in order to limit the risks of processing errors. Internal processing controls exist in applications, as well as in the processing environment. Examples of internal processing controls include, but are not limited to, the use of hash totals and checksums.

Microsoft applies Security Development Lifecycle, a software security assurance process, to design, develop, and implement Windows Azure services. Security Development Lifecycle helps to ensure that communication and collaboration services are highly secured even at the foundation level. Through controls like Establish Design Requirements, Analyze Attack Surface, and Threat Modeling, Security Development Lifecycle helps Microsoft identify: potential threats while running a service, and exposed aspects of the service that are open to attack.

Correct processing in applications is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 12.2. For more information, review of the publicly available ISO standards we are certified against is suggested.
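As an added illustration (not Microsoft's code and not a description of the Windows Azure implementation), the Python example below shows the two kinds of control the SA-05 response names: edit checks on input records (format, domain and range validation) and internal processing controls in the form of a hash total and a checksum captured at input and reconciled at output. The record layout, field rules and sample batch are constructed for this example; the last function corrupts two copies of the output to show what each control does and does not detect.

```python
"""Added example, not part of the Microsoft RFI response: edit checks on input
records plus hash totals and a checksum reconciled at output, the kind of
internal processing control SA-05 describes. Record layout, field rules and
sample data are constructed for this example."""
import hashlib
import json
from decimal import Decimal

# Constructed sample input: daily usage records as an upstream interface might deliver them.
SAMPLE_BATCH = [
    {"account": "A-1001", "region": "us-east", "compute_hours": "24.0"},
    {"account": "A-1002", "region": "eu-west", "compute_hours": "7.5"},
    {"account": "A-1003", "region": "us-east", "compute_hours": "0.0"},
]
ALLOWED_REGIONS = {"us-east", "eu-west"}   # assumed domain of valid values
MAX_HOURS_PER_DAY = Decimal("24")          # assumed expected range


def edit_check(record):
    """Return the edit-check failures for one record (format, domain, range)."""
    errors = []
    acct = record.get("account", "")
    if not (len(acct) == 6 and acct.startswith("A-") and acct[2:].isdigit()):
        errors.append("account-format")
    if record.get("region") not in ALLOWED_REGIONS:
        errors.append("region-domain")
    try:
        hours = Decimal(record.get("compute_hours", ""))
        if hours < 0 or hours > MAX_HOURS_PER_DAY:
            errors.append("hours-range")
    except (ArithmeticError, TypeError, ValueError):  # Decimal() rejects "n/a"
        errors.append("hours-format")
    return errors


def control_totals(records):
    """Record count, hash total of compute_hours, and SHA-256 over the canonical batch."""
    total = sum((Decimal(r["compute_hours"]) for r in records), Decimal("0"))
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return {"count": len(records), "hash_total": str(total),
            "checksum": hashlib.sha256(canonical).hexdigest()}


def reconcile(expected, records):
    """Recompute the totals on the output side; return the names of totals that disagree."""
    actual = control_totals(records)
    return [k for k in ("count", "hash_total", "checksum") if expected[k] != actual[k]]


def process_batch(records):
    """Validate input, snapshot control totals, pass the batch through, reconcile."""
    rejected, accepted = {}, []
    for r in records:
        errors = edit_check(r)
        if errors:
            rejected[r.get("account", "?")] = errors
        else:
            accepted.append(r)
    totals_in = control_totals(accepted)
    # The copy stands in for the processing step, where a transport or
    # transform fault could silently alter a record.
    output = [dict(r) for r in accepted]
    return rejected, totals_in, reconcile(totals_in, output), output


def demo():
    """Run a batch with two bad records, then reconcile two kinds of corruption."""
    batch = SAMPLE_BATCH + [
        {"account": "A-9", "region": "ap-south", "compute_hours": "30"},
        {"account": "A-1004", "region": "us-east", "compute_hours": "n/a"},
    ]
    rejected, totals_in, clean, output = process_batch(batch)
    numeric = [dict(r) for r in output]
    numeric[1]["compute_hours"] = "75.0"   # numeric corruption: both totals catch it
    field = [dict(r) for r in output]
    field[0]["region"] = "eu-west"         # non-numeric corruption: only the checksum does
    return {"rejected": rejected, "hash_total": totals_in["hash_total"], "clean": clean,
            "numeric": reconcile(totals_in, numeric), "field": reconcile(totals_in, field)}
```

A hash total over a numeric field is cheap and says which quantity drifted, but it is blind to changes in non-numeric fields and to compensating errors; a checksum over the canonical serialization catches any change but only says that something changed. Reconciling both, together with the record count, is why the two controls are used side by side.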
SA-06 Security Architecture - Production / Non-Production Environments

Description: Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets.

Microsoft Response: Windows Azure maintains logical and physical separation between the DEV (development), INT (Integration Testing), STAGE (Pre-production) and PROD (production) environments.

While each environment may have its own standards for operating, a formalized procedure exists for the exchange of assets between environments. These procedures adhere to all relevant privacy requirements and Services Standards.

Separation of development, test and operational facilities is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.1.4. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix Controls SA-07 through SA-08

Control ID in CCM (CCM Version R1.1. Final) / Description / Microsoft Response

SA-07 Security Architecture - Remote User Multi-Factor Authentication

Description: Multi-factor authentication is required for all remote user access. What forms of authentication are used for operations requiring high assurance? This may include login to management interfaces, key creation, access to multiple-user accounts, firewall configuration, remote access, etc. Is two-factor authentication used to manage critical components within the infrastructure, such as firewalls, etc.?

Microsoft Response: Access to the Windows Azure production environments by staff and contractors is tightly controlled.

Terminal Services servers are configured to use the high encryption setting.

Windows Azure requires 2 Factor Authentication to access networking level components (RSA, SecurID), and users connecting to the Microsoft Corporate Network remotely (and then to Azure) use Direct Access, which relies on 2 Factor Authentication to set up.

Microsoft user authentication for external connections is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 11.4.2. For more information, review of the publicly available ISO standards we are certified against is suggested.
SA-08 Security Architecture - Network Security

Description: Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.

Microsoft Response: The networks within the Windows Azure data centers are designed to have multiple separate network segments. This segmentation helps to provide separation of critical, back-end servers and storage devices from the public-facing interfaces.

Segregation in networks is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 11.4.5. For more information, review of the publicly available ISO standards we are certified against is suggested.

Windows Azure Response in the Context of CSA Cloud Control Matrix Control SA-09

Control ID in CCM (CCM Version R1.1. Final) / Description / Microsoft Response

SA-09 Security Architecture - Segmentation

Description: System and network environments are separated by firewalls to ensure the following requirements are adhered to:
- Business and customer requirements
- Security requirements
- Compliance with legislative, regulatory, and contractual requirements
- Separation of production and non-production environments
- Preserve protection and isolation of sensitive data

Microsoft Response: The networks within the Windows Azure data centers are designed to have multiple separate network segments. This segmentation helps to provide separation of critical, back-end servers and storage devices from the public-facing interfaces. Customer access to services provided over the Internet originates from users' Internet-enabled locations and ends at a Microsoft data center. Networks are logically separated wherever necessary depending on the trust boundaries. Network ACLs and filters are incorporated to segregate the traffic among the network segments.

Security of network services is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.6.2. For more information, review of the publicly available ISO standards we are certified against is suggested.



Windows Azure Response in the Context of CSA Cloud Control Matrix Controls SA-10 through SA-11

Control ID in CCM (CCM Version R1.1. Final) / Description / Microsoft Response

SA-10 Security Architecture - Wireless Security

Description: Policies and procedures shall be established and mechanisms implemented to protect wireless network environments, including the following:
- Perimeter firewalls implemented and configured to restrict unauthorized traffic
- Security settings enabled with strong encryption for authentication and transmission, replacing Contractor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.)
- Logical and physical user access to wireless network devices restricted to authorized personnel
- The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network

Microsoft Response: Protection of wireless devices is part of regular network management security practices, which include monitoring. Wireless devices are encrypted.

Access from a wireless network on customer premises to the Windows Azure environment must be secured by the customer.

Network security management is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.6. For more information, review of the publicly available ISO standards we are certified against is suggested.
SA-11 Security Architecture - Shared Networks

Description: Access to systems with shared network infrastructure shall be restricted to authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.

Microsoft Response: Several technical controls are in place for controlling networks:
- Networks within Windows Azure are segregated via VLANs.
- The corporate network is segregated from the Windows Azure environment.
- Logging and monitoring are performed on critical network devices.
- Critical communications such as calls to the API or intra-Windows Azure communication are encrypted, authenticated, and integrity controlled via protocols such as SSL.

In addition, these controls are internally assessed for compliance with Windows Azure policies and standards.

Network security management and user access management are covered under the ISO 27001 standards, specifically addressed in Annex A, domains 10.6 and 11.2. For more information, review of the publicly available ISO standards we are certified against is suggested.



Windows Azure Response in the Context of CSA Cloud Control Matrix Controls SA-12 through SA-15

Control ID in CCM (CCM Version R1.1. Final) / Description / Microsoft Response

SA-12 Security Architecture - Clock Synchronization

Description: An external, accurate, externally agreed upon time source shall be used to synchronize the system clocks of all relevant information processing systems within the organization or explicitly defined security domain to facilitate tracing and reconstitution of activity timelines. Note: specific legal jurisdictions and orbital storage and relay platforms (US GPS & EU Galileo Satellite Network) may mandate a reference clock that differs in synchronization with the organization's domicile time reference; in this event the jurisdiction or platform is treated as an explicitly defined security domain.

Microsoft Response: In order to both increase the security of Windows Azure and to provide accurate reporting detail in event logging and monitoring processes and records, all services use consistent clock setting standards (e.g. PST, GMT, UTC etc.). When possible, Windows Azure server clocks are synchronized through the Network Time Protocol, which hosts a central time source for standardization and reference, in order to maintain accurate time throughout the Windows Azure environments.

Clock synchronization is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.10.6. For more information, review of the publicly available ISO standards we are certified against is suggested.

SA-13 Security Architecture - Equipment Identification

Description: Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.

Microsoft Response: Equipment identification in networks is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 11.4.3. For more information, review of the publicly available ISO standards we are certified against is suggested.
SA-14 Security Architecture - Audit Logging / Intrusion Detection

Description: Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.

Microsoft Response: Access to logs is restricted and defined by policy, and logs are reviewed on a regular basis.

Audit logging is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.10.1. For more information, review of the publicly available ISO standards we are certified against is suggested.
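The Python example below is an added illustration that is not part of Microsoft's response. It ties SA-12 to SA-14: audit lines from two constructed hosts, one logging in UTC and one in Pacific time, are normalized to UTC before being ordered, and the resulting timeline is then reviewed for a privileged logon that succeeds after repeated failures. The log format, host and user names, and the three-failure threshold are assumptions made for the example; the same events sorted on local wall-clock text alone are included to show that the review misses the sequence when the clocks are not reconciled to one reference.

```python
"""Added example, not part of the Microsoft RFI response: reconstituting an
activity timeline from audit logs kept by hosts in different time zones
(the reason SA-12 asks for a common time reference) and then running the
kind of daily privileged-access review SA-14 calls for. Log format, host
names, users and the three-failure threshold are constructed assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed audit lines: fw-edge01 logs in UTC, mgmt01 in Pacific time (-0800).
SAMPLE_LOG = """\
2011-03-15 07:59:40 +0000 host=fw-edge01 user=opsadmin event=privileged-logon result=FAIL
2011-03-14 23:59:52 -0800 host=mgmt01 user=opsadmin event=privileged-logon result=FAIL
2011-03-15 08:00:05 +0000 host=fw-edge01 user=opsadmin event=privileged-logon result=FAIL
2011-03-15 00:00:30 -0800 host=mgmt01 user=opsadmin event=privileged-logon result=SUCCESS
2011-03-15 08:10:00 +0000 host=fw-edge01 user=jdoe event=privileged-logon result=SUCCESS
2011-03-15 00:15:00 -0800 host=mgmt01 user=jdoe event=config-change result=SUCCESS
"""


def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS +HHMM key=value ...'; 'ts' becomes a UTC-aware datetime."""
    date, clock, offset, *pairs = line.split()
    local = datetime.strptime(f"{date} {clock} {offset}", "%Y-%m-%d %H:%M:%S %z")
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = local.astimezone(timezone.utc)
    event["wall_clock"] = f"{date} {clock}"   # what the host printed, zone dropped
    return event


def events(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def utc_timeline(text):
    """Events ordered by the normalized UTC timestamp."""
    return sorted(events(text), key=lambda e: e["ts"])


def wall_clock_timeline(text):
    """Events ordered by local wall-clock text only, as a zone-unaware review would see them."""
    return sorted(events(text), key=lambda e: e["wall_clock"])


def failures_then_success(timeline, threshold=3, window=timedelta(minutes=30)):
    """Flag a privileged logon that succeeds after >= threshold failures within the window."""
    alerts, recent = [], {}
    for e in timeline:
        if e.get("event") != "privileged-logon":
            continue
        fails = [t for t in recent.get(e["user"], []) if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        else:
            if len(fails) >= threshold:
                alerts.append({"user": e["user"], "host": e["host"], "failures": len(fails),
                               "success_at": e["ts"].isoformat()})
            fails = []   # a success closes the sequence either way
        recent[e["user"]] = fails
    return alerts


def demo():
    """Compare the two orderings and what the review finds under each."""
    utc, wall = utc_timeline(SAMPLE_LOG), wall_clock_timeline(SAMPLE_LOG)
    return ([e["host"] for e in utc], [e["host"] for e in wall],
            failures_then_success(utc), failures_then_success(wall))
```

With the zone offsets applied, the three failures on both hosts precede the success on mgmt01 by under a minute and the review flags the sequence; sorted on wall-clock text, the Pacific-time events appear eight hours earlier than they happened, the success precedes the failures, and nothing is flagged. Keeping every host on one reference (or, as here, carrying the offset in every record) is what makes cross-host review possible.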



SA-15 Security Architecture - Mobile Code

Description: Mobile code shall be authorized before its installation and use, and the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy. All unauthorized mobile code shall be prevented from executing.

Microsoft Response: For releases requiring SDL review, SDL releases are tracked in SDLtrack and signed off.

Controls against mobile code are covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.4.2. For more information, review of the publicly available ISO standards we are certified against is suggested.
