
Microsoft Data Center Security


Recently I have heard quite a lot of questions about the security of Microsoft cloud data centers. In this article, we will briefly review the security model of the data centers and dispel the myths and conflicting rumors about the security of Microsoft cloud services.

In a few words, let me remind you what the cloud, or cloud computing, is: a way of providing computing power as a service that can be tailored exactly to your requirements, instantly, on request, from anywhere in the world. Centuries ago, companies stopped generating electricity themselves with complex heat engines and connected to power plants instead. In the global Internet computing environment, the cloud plays the role of a "power station" for computing.

Microsoft has been building and operating online services since the launch of MSN in 1994. Today we support dozens of online services, some of which you probably know: Windows Live Hotmail, Live Search, Microsoft Dynamics CRM Online, Windows Azure and many others.

Regardless of where a client's personal data is located (on a personal computer or online), or where your company stores valuable information (on a private server or on the Internet), Microsoft understands that all of these environments for computing and storing information must provide security.

What does the Microsoft cloud environment consist of?


The Microsoft cloud consists of a physical and a logical infrastructure. The physical infrastructure includes the physical facilities, such as servers, networks and other physical components. The logical infrastructure, regardless of whether it runs on physical or virtual equipment, consists of operating system instances, routed networks and unstructured data stores.

Platform services include computing runtimes (such as IIS, .NET, SQL Server), credential stores (such as Active Directory and Windows Live ID), name servers (DNS), and other functions used by online services.

Applications running in Microsoft cloud data centers can be divided into 3 groups:



Standards as a security model


It's no secret that the main method of ensuring the security of any object, whether it is a safe, a bank or a data center, is standardization. For example, domestic banks use the Russian STO BR IBBS standard, which is in fact a version of ISO/IEC 27001:2005, a standard now used by many international banks, adapted to local specifics.

The Microsoft cloud is tested annually for compliance with the PCI DSS, SOX and HIPAA standards, as well as internally assessed throughout the year. The Microsoft cloud has passed ISO/IEC 27001:2005 certification and SAS 70 Type I and Type II certification.

ISO/IEC 27001:2005 Standard


The international standard "Information Technology - Security Techniques - Information Security Management Systems - Requirements" was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) on the basis of the British standard BS7799. This standard complements the ISO/IEC 17799:2005 standard "Information Technology - Security Techniques - Code of Practice for Information Security Management".

The ISO 27001 standard defines information security as "confidentiality, integrity and availability; in addition, other properties may be included, such as authenticity, non-repudiation and reliability." It defines processes that enable a business to establish, apply, review, monitor and maintain an effective information security management system, and it establishes requirements for the development, implementation, operation, monitoring, review, maintenance and improvement of a documented information security management system in the context of the organization's existing business risks.

The information security management system based on the ISO 27001 standard allows:


SAS 70 Standard


Currently, operational auditing in accordance with the SAS 70 standard is widely used by depository, clearing and processing organizations worldwide to increase customer confidence in their internal systems and processes. For example, among the best-known foreign counterparties of the domestic accounting system, SWIFT, Euroclear, Europay, VeriSign and others already hold a SAS 70 audit opinion.

The SAS 70 operational audit standard (Statement on Auditing Standards (SAS) No. 70, Service Organizations), developed about 15 years ago by the American Institute of Certified Public Accountants (AICPA), is widely recognized by the international investment community. A SAS 70 audit of organizations working in the service sector focuses on internal control issues, mainly the use of information technology and the related operational processes.

In today's globalized economy, service providers must demonstrate that they pay due attention to the reliability and security of processing their customers' data. In addition, internal audit reports under SAS 70 are included in the list of requirements of section 404 of the Sarbanes-Oxley Act, adopted in the United States in 2002, so a SAS 70 audit has become mandatory for companies in the United States and Canada. For service organizations, which include depositories and clearing centers among others, having a "Report on the processing of transactions by service organizations" (Statement on Auditing Standards, SAS 70) has become a kind of calling card in the global financial market and in the services market in general, for shareholders as well as for customers and partners (primarily foreign ones).

Methodology as a security model


Building reliable and secure systems means taking many different requirements into account. Microsoft has a dedicated methodology, SDL (Secure Development Lifecycle), which has been used for many years in developing not only the company's own products but also those of its partners. This methodology makes it possible to address security at every stage of a system's life, from design to support. More details can be found here.

Service Level Agreement (SLA)


Microsoft guarantees that services and applications are available 99.9% of the time. This figure is very high and, in my opinion, the best on the market.

DoS attacks


Many people ask: "What about DoS attacks?" I decided to devote a separate section to this question. To protect applications in the data center, specialized physical and logical devices are used, such as load balancers, firewalls and intrusion prevention devices. These devices make it possible to stop an attack before it reaches the client application.

I hope this article has helped you understand the importance of the issue and given you a sense of the amount of work we do every day to keep the cloud operating safely.

Source: https://habr.com/ru/post/112961/

