Network security overview
How do Microsoft online services secure the network boundary?
Microsoft online services employ multiple strategies for securing their network boundary, including automated detection and prevention of network-based attacks, specialized firewall devices, and Exchange Online Protection (EOP) for anti-spam and anti-malware protection. In addition, Microsoft online services separate their production environments into logically isolated network segments, with only necessary communication permitted between segments. Network traffic is secured using additional network firewalls at boundary points to help detect, prevent, and mitigate network attacks.
How do Microsoft online services defend against DDoS attacks?
Microsoft's large internet presence insulates it from the negative effects of many distributed denial-of-service (DDoS) attacks. Distributed instances of each Microsoft online service and multiple routes to each service limit the impact of DDoS attacks against the system. This redundancy improves Microsoft online services' ability to absorb DDoS attacks and increases the amount of time available to detect and mitigate DDoS attacks before they impact service availability.
In addition to Microsoft's redundant system architecture, Microsoft uses sophisticated detection and mitigation tools to respond to DDoS attacks. Special-purpose firewalls monitor and drop unwanted traffic before it crosses the boundary into the network, reducing stress on systems located inside the network boundary. To further protect our cloud services, Microsoft utilizes a DDoS defense system deployed as part of Microsoft Azure. The Azure DDoS defense system is designed to withstand attacks from the outside and from other Azure tenants.
Related external regulations & certifications
Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to network security.
Azure and Dynamics 365
External audits | Section | Latest report date |
---|---|---|
SOC 1<br>SOC 2<br>SOC 3 | VM-1: Security event logging<br>VM-3: Intrusion detection and monitoring<br>VM-4: Malicious events investigation<br>VM-6: Vulnerability scanning<br>VM-7: Network device configuration<br>VM-8: Penetration testing<br>VM-9: Network device security event logging<br>VM-13: Network device vulnerability mitigation | May 20, 2024 |
Microsoft 365
External audits | Section | Latest report date |
---|---|---|
FedRAMP | SC-5: Denial of service protection<br>SC-7: Boundary protection<br>SI-2: Flaw remediation<br>SI-3: Malicious code protection<br>SI-8: Spam protection | August 21, 2024 |
SOC 1 | CA-27: Vulnerability Scanning | August 1, 2024 |
SOC 2 | CA-27: Vulnerability Scanning<br>CA-45: Anti-malware | January 23, 2024 |