March | Version 1
Disclaimer

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. For the latest version of this document visit: http://www.microsoft.com/download/en/details.aspx?id=26647

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft and Microsoft Azure are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Introduction

The paper also assumes that readers are familiar with Windows Azure basic concepts, as they will not be covered in this paper. Links to reading materials that cover these core concepts can be found here: http://www.windowsazure.com/en-us/develop/net/other-resources/white-papers/ as well as through the Windows Azure Trust Center: www.windowsazure.com/trustcenter
... important to consider the whole services stack of the cloud service provider. Many different organizations may be involved in providing infrastructure and application services, increasing the risk of misalignment. A disruption of any one layer in the stack could compromise the delivery of the cloud service and have disastrous impacts. As a result, customers should evaluate how their service provider operates, and understand the underlying infrastructure and platforms of the service as well as the actual applications.

In the Windows Azure environment, the service is managed by the Microsoft Server and Tools Business (STB) group, which provides the platform layer. Customers provide and manage the application and data layer that sits on the platform. The Microsoft Global Foundation Services (GFS) group provides the physical infrastructure in which the platform runs and data is stored.

... on topics such as Service Agreement, Privacy Statement, Security Overview, Service Level Agreements, and Customer Portal Terms of Use. To learn more, visit the Windows Azure Legal Page (http://www.microsoft.com/windowsazure/legal/) and the Windows Azure Trust Center (www.windowsazure.com/trustcenter).
... services (Compute, Storage, and Virtual Network) are ISO/IEC 27001:2005 (aka ISO 27001) certified, and this work is planned for the remaining features of the platform. Additionally, GFS's physical infrastructure, in which all of Windows Azure runs except for CDN, is ISO 27001 certified.

Our security framework based on ISO 27001 enables customers to evaluate how Microsoft meets or exceeds the security standards and implementation guidelines. ISO 27001 defines how to implement, monitor, maintain, and continually improve the Information Security Management System (ISMS). In addition, the GFS infrastructure undergoes an annual American Institute of Certified Public Accountants (AICPA) Statement of Auditing Standards (SAS) No. 70 audit, which will be replaced with an AICPA Statement on Standards for Attestation Engagements (SSAE) No. 16 audit and an International Standards for Assurance Engagements (ISAE) No. 3402 audit. Planning for an SSAE 16 audit of Windows Azure is underway.

The Information Security Policy, applicable to Windows Azure, also aligns with ISO 27002, augmented with requirements specific to Windows Azure. ISO 27002 is not a certification but provides a suggested set of suitable controls for the Information Security Management System.

... access to this policy for any reason, the supervising Microsoft agent is responsible for distributing the policy to them.

A customer-facing version of the Information Security Policy can be made available upon request. Customers and prospective customers must have a signed NDA or equivalent in order to receive a copy of the Information Security Policy.

Management Commitment to Information Security and Management Responsibility is covered under the ISO 27001 standards, specifically addressed in Clause 5 and Annex A, domain 6.1.1. For more information, a review of the publicly available ISO standards we are certified against is suggested.

When reviewing the standard, one can take the ISO 27001 control or clause and review the specifics, e.g. Management Commitment to Information Security (clause 5) from the ISO 27001 standard, or the ISO 27002 advisory control 6.1.1 details: Management responsibility.

Microsoft's ISO 27001 certifications enable customers to evaluate how Microsoft meets or exceeds the standards and implementation guidance.

... exceeds such standards.

The public copy of the Windows Azure ISO Certification is available here: ISO Certification http://www.bsigroup.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search-Results/?pg=1&licencenumber=IS+577753&searchkey=companyXeqXmicrosoft
Resources

Visit our Windows Azure Trust Center and/or Legal page and get:

The public copy of the Windows Azure ISO Certification is available here: ISO Certification http://www.bsigroup.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search/
Control ID | Description in CCM (CCM Version R1.1 Final) [1] | Microsoft Response

[1] CCM content in columns 1 and 2 is © 2011 Cloud Security Alliance, used with permission.
CO-03 Compliance - Third Party Audits

Description: Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.

Microsoft Response: Windows Azure contractually requires that its subcontractors meet important privacy and security requirements. Addressing security in third party agreements and third party service delivery management is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 6.2 and 10.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.
FS-04 Facility Security - Secure Area Authorization

Description: Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.

Microsoft Response: Public access, delivery, loading area and physical/environmental security is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9. For more information, a review of the publicly available ISO standards we are certified against is suggested. For additional information also see FS-03.

FS-05 Facility Security - Unauthorized Persons Entry

Description: Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise and loss.

Microsoft Response: Public access, delivery, loading area and physical/environmental security is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9. For more information, a review of the publicly available ISO standards we are certified against is suggested. For additional information also see FS-03.
FS-06 Facility Security - Off-Site Authorization

Description: Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises.

Microsoft Response: Microsoft asset and data protection procedures provide prescriptive guidance around the protection of logical and physical data and include instructions addressing relocation. Customers control where their data is stored. For additional details, see our Privacy Statement available at: http://www.microsoft.com/windowsazure/legal/.
HR-01 Human Resources Security - Background Screening

Description: Pursuant to local laws, regulations, ethics and contractual constraints, all employment candidates, contractors and third parties will be subject to background verification proportional to the data classification to be accessed, the business requirements and acceptable risk.

Microsoft Response: All Microsoft US-based full-time employees (FTE) are required to successfully complete a standard background check as part of the hiring process. Background checks may include but are not limited to review of information relating to a candidate's education, employment, and criminal history.

HR-02 Human Resources Security - Employment Agreements

Description: Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and customers shall contractually agree and sign the terms and conditions of their employment or service contract, which must explicitly include the parties' responsibility for information security.

Microsoft Response: All appropriate Microsoft employees take part in a Windows Azure sponsored security-training program, and are recipients of periodic security awareness updates when applicable. Security education is an on-going process and is conducted regularly in order to minimize risks. Microsoft also has non-disclosure provisions in our employee contracts.

All Windows Azure contractor staff and GFS staff are required to take any training determined to be appropriate to the services being provided and the role they perform.

Roles and responsibilities as well as information security awareness, education and training are covered under the ISO 27001 standards, specifically addressed in Annex A, domain 8. For more information, a review of the publicly available ISO standards we are certified against is suggested.

HR-03 HR - Employee Termination

Description: Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented and communicated.

Microsoft Response: Microsoft Corporate Human Resources Policy drives employee termination processes. Termination or change of employment is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 8.3. For more information, a review of the publicly available ISO standards we are certified against is suggested.
IS-06 Information Security - Policy Enforcement

Description: A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation and stated as such in the policies and procedures.

Microsoft Response: Windows Azure services staff suspected of committing breaches of security and/or violating the Information Security Policy equivalent to a Microsoft Code of Conduct violation are subject to an investigation process and appropriate disciplinary action up to and including termination. Contracting staff suspected of committing breaches of security and/or violations of the Information Security Policy are subject to formal investigation and action appropriate to the associated contract, which may include termination of such contracts. Human Resources is responsible for coordinating disciplinary response.
IS-08 Information Security - User Access Restriction / Authorization

Description: Normal and privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access being granted.

Microsoft Response: Windows Azure has adopted applicable corporate and organizational security policies, including an Information Security Policy. The policies have been approved, published and communicated to Windows Azure personnel. The Information Security Policy requires that access to Windows Azure assets be granted based on business justification, with the asset owner's authorization, and limited based on "need-to-know" and "least-privilege" principles. In addition, the policy also addresses requirements for the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews.
IS-10 Information Security - User Access Reviews

Description: All levels of user access shall be reviewed by management at planned intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.

Microsoft Response: The Information Security Policy requires that access to Windows Azure assets be granted based on business justification, with the asset owner's authorization, and limited based on "need-to-know" and "least-privilege" principles. In addition, the policy also addresses requirements for the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews. Managers and owners of applications and data are responsible for reviewing who has access on a periodic basis.

Customers control access by their own users and are responsible for ensuring appropriate review of such access.

Windows Azure customers register for the service by creating a subscription through the Windows Azure Portal web site. Customers manage applications and storage through their subscription using the Windows Azure management portal.
IS-21 Information Security - Anti-Virus / Malicious Software

Description: Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software with antivirus signature updates at least every 12 hours.

Microsoft Response: The Windows Azure Security group responds to malicious events, including escalating and engaging specialized support groups. A number of key security parameters are monitored to identify potentially malicious activity on the systems. Protection against malicious code is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.4. For more information, a review of the publicly available ISO standards we are certified against is suggested.

IS-22 Information Security - Incident Management

Description: Policy, process and procedures shall be established to triage security related events and ensure timely and thorough incident management.

Microsoft Response: Incident handling, management roles and responsibilities have been defined for the Incident Engineer, Incident Manager, Communication Manager and the Feature teams. Windows Azure Operations Managers are responsible for overseeing investigation and resolution of security and privacy incidents with support from other functions. Processes for escalating and engaging other functions for investigating and analyzing incidents are established.
RS-03 Resiliency - Business Continuity Planning

Description: A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements. Requirements for business continuity plans include the following:
- Defined purpose and scope, aligned with relevant dependencies
- Accessible to and understood by those who will use them
- Owned by a named person(s) who is responsible for their review, update and approval
- Defined lines of communication, roles and responsibilities
- Detailed recovery procedures, manual work-around and reference information
- Method for plan invocation

Microsoft Response: The Business Continuity Program Office maintains a plan framework that is consistent with industry and Microsoft best practices and that drives the continuity program at all levels. The framework includes:
- Assignment of key resource responsibilities
- Notification, escalation and declaration processes
- Recovery Time Objectives and Recovery Point Objectives
- Continuity plans with documented procedures
- Training program for preparing all appropriate parties to execute the Continuity Plan
- A testing, maintenance, and revision process

Customers are responsible for deploying applications in multiple data centers for geo redundancy.

Information security aspects of business continuity management are covered under the ISO 27001 standards, specifically addressed in Annex A, domain 14.1. For more information, a review of the publicly available ISO standards we are certified against is suggested.

Recovery plans are validated on a regular basis per industry best practices to ensure that solutions are viable at time of event.

RS-04 Resiliency - Business Continuity Testing

Description: Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.

Microsoft Response: Testing, maintaining and re-assessing business continuity plans is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 14.1.5. For more information, a review of the publicly available ISO standards we are certified against is suggested.

RS-05 Resiliency - Environmental Risks

Description: Physical protection against damage from natural causes and disasters as well as deliberate attacks including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear mishap, volcanic activity, biological hazard, civil unrest, mudslide, tectonic ...

Microsoft Response: Environmental controls have been implemented to protect the data center, including:
- Temperature control
- Heating, Ventilation and Air Conditioning (HVAC)
- Fire detection and suppression systems
- Power Management systems

Protecting against external and environmental ...