Microsoft's Approach to Keeping Your Data Safe in Azure Active Directory

Richard Hay, Senior Content Producer

September 6, 2017


In a blog post that got a lot of attention on social media yesterday, Microsoft's Alex Simons explained on the Enterprise Mobility and Security blog how the company approaches security for your data in its Azure Active Directory (Azure AD) service.

In that post Simons describes the approach from both a physical and a software perspective; the two layers work together to protect your company's data that resides in Azure AD.

The first layer is controlling physical access to the datacenters that house these services and to the actual machines that store the data:

"Microsoft’s datacenter personnel must pass a background check. All access to our datacenters is strictly regulated and every entry and exit is monitored. Within these datacenters, the critical Azure AD services that store customer data are located in special locked racks—their physical access is highly restricted and camera-monitored 24 hours a day. Furthermore, if one of these servers is decommissioned, all disks are logically and physically destroyed to avoid data leakage."

The next layer is the process for granting administrators just-in-time access to manage the Azure AD service, which they do from a managed admin workstation:

"We limit the number of people who can access the Azure AD services, and even those who do have access permissions operate without these privileges day-to-day when they sign in. When they do need privileges to access the service, they need to pass a multi-factor authentication challenge using a smartcard to confirm their identity and submit a request. Once the request is approved, the user's privileges are provisioned “just-in-time”. These privileges are also automatically removed after a fixed period of time and anyone needing more time must go through the request and approval process again."

The systems hosting Azure AD are monitored in near real time for threats to customer data, using three mechanisms:

-- Breach detection: We check for patterns that indicate breach. We keep adding to this set of detections regularly. We also use automated tests that trigger these patterns, so we are also checking if our breach detection logic is working correctly!

-- Penetration tests: These tests run all the time. These tests try to do all sorts of things to compromise our service, and we expect these tests to fail all the time. If they succeed, we know there is something wrong and can correct it immediately.

-- Audit: All administrative activity is logged. Any activity that is not anticipated (such as an admin creating accounts with privileges) causes alerts to be triggered that cause us to do deep inspection on that action to make sure it is not abnormal.
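The just-in-time privilege model and the audit alerting described above fit together naturally: a privileged action is only "anticipated" if the actor holds an approved, unexpired grant, and even then some actions (an admin minting a privileged account) deserve a second look. The Python below is an added example written for this page, not Microsoft's code. It models time-boxed grants that require a smartcard MFA step and a separate approver, evaluates a constructed audit log against those grants, raises the "admin creating accounts with privileges" alert, and includes a synthetic canary event that exercises the detection so the detection logic itself is tested, as the post describes. The field names, the four-hour window, and every sample event are assumptions.

```python
# Added example (not Microsoft's code): JIT privilege grants plus audit
# detection over constructed admin events. Field names, the 4-hour window
# and every sample event below are assumptions made for this illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GRANT_TTL = timedelta(hours=4)          # assumed fixed activation window
PRIVILEGED_ACTIONS = {"create_account", "assign_role"}
NOW = datetime(2017, 9, 5, 12, 0, tzinfo=timezone.utc)   # constructed clock


@dataclass
class Grant:
    user: str
    approved_at: datetime

    def active(self, at: datetime) -> bool:
        # Privileges exist only inside the window; nothing has to be revoked by hand.
        return self.approved_at <= at < self.approved_at + GRANT_TTL


class JitStore:
    def __init__(self):
        self.grants = []

    def request(self, user, mfa_method, approver, now):
        """Approve a time-boxed grant after a smartcard MFA challenge and a
        second person's approval. Returns the Grant."""
        if mfa_method != "smartcard":
            raise PermissionError("smartcard MFA required to request privileges")
        if approver == user:
            raise PermissionError("requester cannot approve their own request")
        grant = Grant(user, now)
        self.grants.append(grant)
        return grant

    def has_active_grant(self, user, at):
        return any(g.user == user and g.active(at) for g in self.grants)


def detect(events, store):
    """Return (reason, event) pairs for audit events that need deep inspection."""
    alerts = []
    for e in events:
        if e["action"] not in PRIVILEGED_ACTIONS:
            continue                                   # routine: logged, not alerted
        ts = datetime.fromisoformat(e["ts"])
        if not store.has_active_grant(e["actor"], ts):
            alerts.append(("privileged action without an active JIT grant", e))
        elif e["action"] == "create_account" and e.get("roles"):
            # Anticipated admin work does not mint privileged accounts; flag it
            # even when the actor holds a valid grant.
            alerts.append(("new account created with privileges", e))
    return alerts


def selftest(store, at):
    """Fire a synthetic event that must trigger the detection, mirroring the
    'automated tests that trigger these patterns' in the post."""
    canary = {"ts": at.isoformat(), "actor": "canary-user", "action": "create_account",
              "target": "canary", "roles": ["Global Administrator"], "synthetic": True}
    return len(detect([canary], store)) == 1


def build_sample():
    """Constructed grant store and audit log for the demonstration."""
    store = JitStore()
    store.request("alice", "smartcard", "bob", NOW)      # approved at 12:00, lapses 16:00
    events = [
        # inside alice's window, role assignment: logged, no alert
        {"ts": "2017-09-05T13:00:00+00:00", "actor": "alice", "action": "assign_role",
         "target": "svc-reporting", "roles": ["Directory Readers"]},
        # inside the window but creates a privileged account: alert
        {"ts": "2017-09-05T14:00:00+00:00", "actor": "alice", "action": "create_account",
         "target": "newadmin", "roles": ["Privileged Role Administrator"]},
        # 17:30 is past 16:00, the grant has lapsed: alert
        {"ts": "2017-09-05T17:30:00+00:00", "actor": "alice", "action": "assign_role",
         "target": "svc-reporting", "roles": ["Global Administrator"]},
        # no grant at all for this actor: alert
        {"ts": "2017-09-05T13:05:00+00:00", "actor": "mallory", "action": "create_account",
         "target": "backdoor", "roles": ["Global Administrator"]},
        # not a privileged action: ignored by the detector
        {"ts": "2017-09-05T13:10:00+00:00", "actor": "alice", "action": "read_config",
         "target": "tenant-settings"},
    ]
    return store, events


if __name__ == "__main__":
    store, events = build_sample()
    for reason, e in detect(events, store):
        print(f"ALERT {e['ts']} {e['actor']} {e['action']} -> {reason}")
    print("detection self-test passed:", selftest(store, NOW))
```

Run as a script it prints three alerts (alice's privileged account creation, alice's action after her grant lapsed, and mallory's account creation with no grant at all) and reports the self-test result. The point of the canary is the one the post makes: a detection rule that never fires is indistinguishable from one that is broken, so the test injects an event that must fire and checks that it does.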

In addition, all data at rest on these systems is encrypted with BitLocker, and the API connections into the services are web-based and encrypted in transit with SSL/TLS over HTTPS. API access to that data is token-based, and a token grants access only to that customer's own data.
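The last sentence is the part an application developer can get wrong: authenticating a token is not the same as authorizing it for the tenant whose data is being requested. The Python below is an added example written for this page, not Microsoft's code or token format. It mints a bearer token bound to one tenant, verifies the signature in constant time, rejects expired tokens, and then performs the separate tenant-match check that stops one customer reading another's records; a helper shows that rewriting the tenant claim without the key is caught by the signature check. The claim names (`tid`, `sub`, `exp`), the HMAC-SHA256 format, the key, and the sample tenants are all assumptions.

```python
# Added example (not Microsoft's code): token-based API access scoped to one
# customer's data. The token format (base64url JSON payload + HMAC-SHA256),
# the claim names, the signing key and the sample tenants are all assumptions.
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-key-rotate-me"   # assumed; a real service keeps this in an HSM/KMS

# Constructed per-tenant records the API fronts.
TENANT_DATA = {
    "tenant-a": {"users": ["alice@a.example"]},
    "tenant-b": {"users": ["bob@b.example"]},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> bytes:
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()


def issue_token(subject: str, tenant_id: str, ttl: int = 3600, now=None) -> str:
    """Mint a bearer token bound to one tenant ('tid') with an expiry ('exp')."""
    now = int(time.time()) if now is None else now
    payload = _encode_claims({"sub": subject, "tid": tenant_id, "exp": now + ttl})
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_token(token: str, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        p, s = token.split(".")
        payload, sig = _unb64url(p), _unb64url(s)
    except ValueError:            # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def read_tenant_data(token: str, requested_tenant: str, now=None) -> dict:
    """The API handler: authenticate the token, then authorize it for the tenant."""
    claims = verify_token(token, now)
    if claims is None:
        raise PermissionError("invalid or expired token")
    # The authorization step that keeps one customer out of another's data:
    # the tenant in the signed token must equal the tenant being requested.
    if claims["tid"] != requested_tenant:
        raise PermissionError("token is not scoped to this tenant")
    return TENANT_DATA[requested_tenant]


def forge_tenant(token: str, new_tenant: str) -> str:
    """Attacker move: rewrite 'tid' while keeping the original signature.
    Included only to show that the signature check rejects it."""
    p, s = token.split(".")
    claims = json.loads(_unb64url(p))
    claims["tid"] = new_tenant
    return f"{_b64url(_encode_claims(claims))}.{s}"


if __name__ == "__main__":
    tok = issue_token("alice", "tenant-a")
    print(read_tenant_data(tok, "tenant-a"))
    for tenant, candidate in (("tenant-b", tok), ("tenant-b", forge_tenant(tok, "tenant-b"))):
        try:
            read_tenant_data(candidate, tenant)
        except PermissionError as err:
            print("rejected:", err)
```

The two rejections printed at the end are different failures: the first is a valid token presented against the wrong tenant (an authorization failure), the second is a tampered token (an authentication failure). A handler that only does the second check is the classic cross-tenant data exposure.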

Learn more at the Enterprise Mobility and Security blog.


About the Author

Richard Hay

Senior Content Producer, IT Pro Today (Informa Tech)

I served for 29-plus years in the U.S. Navy and retired as a Master Chief Petty Officer in November 2011. My work background in the Navy was telecommunications-related, so my hobby of computers fit well with what I did for the Navy. I consider myself a tech geek and enjoy most things in that arena.

My first website – AnotherWin95.com – came online in 1995. Back then I used GeoCities Web Hosting for it and WindowsObserver.com is the result of the work I have done on that site since 1995.

In January 2010 my community contributions were recognized by Microsoft when I received my first Most Valuable Professional (MVP) Award for the Windows Operating System. Since then I have been renewed as a Microsoft MVP each subsequent year since that initial award. I am also a member of the inaugural group of Windows Insider MVPs which began in 2016.

I previously hosted the Observed Tech PODCAST for 10 years and 317 episodes and now host a new podcast called Faith, Tech, and Space. 

I began contributing to Penton Technology websites in January 2015 and in April 2017 I was hired as the Senior Content Producer for Penton Technology which is now Informa Tech. In that role, I contribute to ITPro Today and cover operating systems, enterprise technology, and productivity.

https://twitter.com/winobs
