Datacenter security overview

How does Microsoft host its online services?

Microsoft delivers more than 200 cloud services, including enterprise services such as Microsoft Azure, Microsoft 365, and Microsoft Dynamics 365, to customers 24x7x365. These services are hosted in Microsoft's cloud infrastructure composed of globally distributed datacenters, edge computing nodes, and service operations centers. They are supported and connected by one of the world's largest global networks, with an extensive fiber footprint.

The datacenters that power our cloud offerings focus on high reliability, operational excellence, cost-effectiveness, environmental sustainability, and a trustworthy online experience for customers and partners worldwide. Microsoft regularly tests our datacenter security through both internal and third-party audits. As a result, the most highly regulated organizations in the world trust the Microsoft cloud, which is compliant with more certifications than any other cloud service provider.

How does Microsoft protect its datacenters from unauthorized access?

Access to physical datacenter facilities is tightly controlled by outer and inner perimeters with increasing security at each level, including perimeter fencing, security officers, locked server racks, integrated alarm systems, around-the-clock video surveillance by the operations center, and multi-factor access control. Only required personnel are authorized to access Microsoft datacenters. Logical access to Microsoft 365 infrastructure, including customer data, is prohibited from within Microsoft datacenters.

Our Security Operations Centers use video surveillance along with integrated electronic access control systems to monitor datacenter sites and facilities. Cameras are strategically positioned for effective coverage of the facility perimeter, entrances, shipping bays, server cages, interior aisles, and other sensitive security points of interest. As part of our multi-layered security posture, any unauthorized entry attempts detected by the integrated security systems generate alerts to security personnel for immediate response and remediation.

How does Microsoft protect its datacenters from environmental hazards?

Microsoft employs a variety of safeguards to protect against environmental threats to datacenter availability. Datacenter sites are strategically selected to minimize risk from a variety of factors, including floods, earthquakes, hurricanes, and other natural disasters. Our datacenters use climate control to monitor and maintain optimized conditioned spaces for staff, equipment, and hardware. Fire detection and suppression systems and water sensors help to detect and prevent fire and water damage to equipment.

Disasters are unpredictable, but Microsoft datacenters and operations personnel prepare for disasters to provide continuity of operations should unexpected events occur. Resilient architecture and up-to-date tested continuity plans mitigate potential damage and promote swift recovery of datacenter operations. Crisis management plans provide clarity on roles, responsibilities, and mitigation activities before, during, and after a crisis. The roles and contacts defined in these plans facilitate effective escalation up the chain of command during crisis situations.

How does Microsoft verify the effectiveness of datacenter security?

We understand that for our customers to fully realize the benefits of the cloud, they must be able to trust their cloud service provider. Our infrastructure and suite of cloud services are built from the ground up to address the rigorous security and privacy requirements of our customers. We help our customers comply with national, regional, and industry-specific requirements governing the collection and use of individuals' data by providing the most comprehensive set of compliance offerings of any cloud service provider.

Our cloud infrastructure and offerings meet a broad set of international and industry-specific compliance standards, such as ISO, HIPAA, FedRAMP, and SOC, as well as country-specific standards, like Australia's IRAP, UK's G-Cloud, and Singapore's MTCS. Rigorous, third-party audits verify our adherence to the strict security controls these standards mandate. Audit reports for our datacenter infrastructure and cloud offerings are available at the Microsoft Service Trust Portal.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to datacenter security.

| External audits | Section | Latest report date |
|---|---|---|
| ISO 27001/27002 (Azure): Statement of Applicability, Certificate | A.11: Physical and environmental security | June 21, 2022 |
| SOC 1 (Azure) | PE-1: Datacenter physical access provisioning | May 6, 2022 |
| | PE-2: Datacenter security verification | |
| | PE-3: Datacenter user access review | |
| | PE-4: Datacenter physical access mechanisms | |
| | PE-5: Datacenter physical surveillance monitoring | |
| | PE-6: Datacenter critical environment maintenance | |
| | PE-7: Datacenter environmental controls | |
| | PE-8: Datacenter incident response | |
| SOC 2 (Azure) | PE-1: Datacenter physical access provisioning | May 6, 2022 |
| | PE-2: Datacenter security verification | |
| | PE-3: Datacenter user access review | |
| | PE-4: Datacenter physical access mechanisms | |
| | PE-5: Datacenter physical surveillance monitoring | |
| | PE-6: Datacenter critical environment maintenance | |
| | PE-7: Datacenter environmental controls | |
| | PE-8: Datacenter incident response | |

Resources