Azure Security

As enterprises adopt public and hybrid cloud solutions, they do extensive due diligence on their providers’ security policies, operations, and systems. Confidential data is the lifeblood of any company, and many companies are also bound by extensive industry regulations regarding the use, transmission, and storage of Customer Data.

Microsoft Azure operated by 21Vianet provides businesses with the data security and privacy, control, and transparency they require. Security and privacy are embedded in the Azure platform through the Security Development Lifecycle (SDL), from initial planning through solution launch and the upgrades we continue to make. The Security Management Process provides security guidelines for our operational processes, and the Microsoft Azure Operated by 21Vianet Privacy Statement governs how we build and operate the services.

Get an overview of Azure

Azure uses multiple safeguards to protect customer and enterprise data. These security practices and technologies include:

Identity and access management

  • Helps ensure that only authorized users can access your environments, data, and applications.
  • Offers multi-factor authentication for highly secure sign-in, including specialized administrative access through Azure Active Directory Privileged Identity Management.
  • Performs authentication, authorization, and access control through industry-standard protocols to help developers integrate identity management into their apps across different platforms, and to build mobile and web apps that integrate with Microsoft and third-party APIs with OAuth 2.0.
  • Works as a standalone cloud directory for your organization or can be integrated with your on-premises Active Directory with directory sync and single sign-on (SSO).
  • Allows federated applications to support user provisioning and password vaulting.

Azure Multi-Factor Authentication

  • Requires users to verify their sign-ins via mobile app, phone call, or text message.
  • Azure Active Directory Premium edition adds Multi-Factor Authentication custom greetings, fraud alert, security reports, one-time bypass, blocking/unblocking of users, customizable caller ID for authentication phone calls, and more.

Learn more about Azure Multi-Factor Authentication

Encryption – Azure uses industry-standard protocols to encrypt Customer Data as it travels between devices and Azure datacenters, and as it crosses between datacenters.

  • Protection for data in transit and at rest, including encryption for data, files, applications, services, communications, and drives.
  • Support for and use of numerous encryption mechanisms, including SSL/TLS, IPsec, and AES.
  • Configuration support on VHDs that contain sensitive information.
  • Access to data by Azure support personnel requires your explicit permission and is granted on a “just in time” basis that is logged and audited, then revoked after completion of the engagement.

Azure Key Vault service

Secure key management is essential to protecting data in the cloud. Azure Key Vault enables Azure subscribers to safeguard and control cryptographic keys and other secrets used by cloud apps and services.

  • Encrypt keys and small secrets like passwords using keys in Hardware Security Modules (HSMs).
  • Import or generate your keys in HSMs certified to FIPS 140-2 level 2 standards for added assurance, so that your keys stay within the HSM boundary.
  • Simplify and automate tasks for SSL/TLS certificates: enroll and automatically renew certificates from supported public certificate authorities (CAs).
  • Provision and deploy new vaults and keys in minutes without waiting for procurement, hardware, or IT, and centrally manage keys, secrets, and policies.
  • Maintain control over encrypted data—grant and revoke key use by your own and third-party applications as needed.
  • Segregate key management duties to enable developers to easily manage keys used for dev/test and migrate seamlessly to production keys managed by security operations.
  • Rapidly scale to meet the cryptographic needs of your cloud applications and match peak demand.

Learn more about Azure Key Vault

Data and storage security features

  • You can encrypt your data before putting it into Azure, and you can store keys in your on-premises datacenter.
  • Client-side encryption for Azure Blob storage gives you complete control of the keys: the storage service never sees them and cannot decrypt the data. Independently, Azure Storage Service Encryption automatically encrypts your data before persisting it to storage and decrypts it before retrieval.
    Learn more about Azure Storage Service Encryption
  • Storage Account Keys, Shared Access Signatures, management certificates, and other keys are unique to each Azure tenant.
    Learn more about Azure storage security and encryption best practices
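The client-side encryption and Key Vault model described above, as an added example (not Azure's own SDK code): a per-blob data key encrypts the blob, a customer-held key encryption key (KEK) wraps that data key, and only ciphertext plus the wrapped key are handed to the storage service, which therefore cannot read the blob. The KEK is a plain byte string here, standing in for a key that would stay on-premises or in Key Vault; AES-256-GCM is an assumption of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) cipher.AEAD { // AES-GCM; a bad key length is a programming error, so panic
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

func seal(key, plaintext []byte) []byte { // returns nonce||ciphertext, fresh random nonce per call
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail on Go 1.24+; it aborts the process instead
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, data []byte) ([]byte, error) { // reverses seal; errors on wrong key or tampering
	gcm := aead(key)
	if ns := gcm.NonceSize(); len(data) >= ns {
		return gcm.Open(nil, data[:ns], data[ns:], nil)
	}
	return nil, errors.New("truncated data")
}

// EncryptForUpload runs on the client: a random per-blob data key (DEK) encrypts the body and the
// customer-held KEK (on-premises or in Key Vault, never uploaded) wraps the DEK. Only the two
// returned byte strings go to the storage service.
func EncryptForUpload(kek, plaintext []byte) (ciphertext, wrappedDEK []byte) {
	dek := make([]byte, 32) // AES-256 key, unique to this blob
	rand.Read(dek)
	return seal(dek, plaintext), seal(kek, dek)
}

// DecryptDownloaded fails without the right KEK, so the storage service cannot read the blob.
func DecryptDownloaded(kek, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```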

Secure networks – Azure infrastructure relies on security practices and technologies to connect virtual machines to each other and to on-premises datacenters, while blocking unauthorized traffic. Azure Virtual Networks extend your on-premises network to the cloud via a site-to-site virtual private network (VPN). You can also use ExpressRoute to create a cross-premises connection when you need a private network connection.

Learn more about Azure network security

Physical infrastructure security – Microsoft Azure operated by 21Vianet is physically and logically entirely isolated from Microsoft Cloud services in other regions of the world, and is protected by layers of defense-in-depth security that include perimeter fencing, video cameras, security personnel, secure entrances, and real-time communications networks. This defense-in-depth security is in use throughout every area of the facility, including each physical server unit.

Threat management – Microsoft Antimalware protects Azure services and virtual machines (see note ①). Azure also supports deployment of third-party security solutions within your subscriptions, such as web application firewalls, network firewalls, antimalware, intrusion detection and prevention systems (IDS/IPS), and more. 21Vianet also uses intrusion detection, denial-of-service (DDoS) attack prevention, penetration testing, data analytics, and machine learning to constantly strengthen its defense and reduce risks.

Security Controls and Capabilities – Azure delivers a trusted foundation on which customers can design, build, and manage their own secure cloud applications and infrastructure.

  • Patching. Integrated deployment systems manage the distribution and installation of security patches. Customers can apply similar patch management processes for Virtual Machines deployed in Azure.
  • Zero standing privileges. Access to Customer Data by our operations and support personnel is denied by default. When granted, access is carefully managed and logged. Datacenter access to the systems that store Customer Data is strictly controlled via lock box processes.

Azure prevents unauthorized and unintentional transfer of information between deployments in a multitenant architecture, using virtual local area network (VLAN) isolation, access control lists (ACLs), load balancers, and IP filters, along with traffic flow policies; network address translation (NAT) separates internal network traffic from external traffic.

Azure Fabric Controller

  • Allocates infrastructure resources to tenant workloads and manages unidirectional communications from the host to VMs.
  • Uses the Azure hypervisor to enforce memory and process separation between VMs and securely route network traffic to guest OS tenants. Azure also implements isolation for tenants, storage, and virtual networks.

Network Security Groups (NSG)

Compliance – We comply with both international and industry-specific compliance standards and participate in rigorous third-party audits, which verify our security controls.

Security Incident and Abuse Reporting – To report suspected security issues or abuse of Azure, please contact Azure Customer Support.

Penetration testing – We conduct regular penetration testing to improve Azure security controls and processes.

Customers maintain full ownership and control over their own Customer Data. We are a leader in providing transparency about our privacy practices—one reason that Microsoft Azure operated by 21Vianet has implemented the rigorous set of physical, logical, process and management controls.

Notes: ① The Microsoft Antimalware Client and Service is installed by default in a disabled state in all Cloud Services. The Microsoft Antimalware Client and Service is not installed by default in the Virtual Machines platform; it is available as an optional security extension.