Datacenter threat, vulnerability, and risk assessment

Microsoft delivers more than 200 cloud services to customers 24x7x365. Some examples are enterprise services such as Microsoft Azure, Microsoft 365, Microsoft Dynamics, and consumer services such as Bing, MSN,, Skype, and Xbox Live. These services are hosted in Microsoft's cloud infrastructure: globally distributed datacenters, edge computing nodes, and service operations centers, and one of the world's largest global networks; with an extensive fiber footprint connecting them all. Since opening the first datacenter in 1989, Microsoft has invested billions of dollars in our infrastructure and remains focused on delivering reliable, scalable, and security-enhanced online services, while efficiently managing operations and costs as services grow.

Microsoft cloud services are built on a foundation of trust and security, with a priority focus on protecting customer data and applications in the cloud with state-of-the-art technology, processes, and encryption. Customer data is stored in Microsoft datacenters that are geographically distributed and protected by layers of in-depth logical and physical security measures. Microsoft datacenters are designed and operated to protect services and data from harm by natural disasters, environmental threats, or unauthorized access.

Threat, vulnerability, and risk assessment methodology

The Threat, Vulnerability, and Risk Assessment (TVRA) program helps you understand how Microsoft identifies and mitigates the impact of physical and environmental threats to Microsoft datacenters. Microsoft is committed to continually updating its risk assessments and methodologies for improvements and as conditions change. As a result, TVRA analyses and conclusions are subject to change and the reports are considered point-in-time.

Microsoft facilitates the TVRA process following these steps:

TVRA process flow.

Risk identification

TVRAs consider a wide range of threat scenarios arising from natural and human-created (including accidental) hazards. The results will vary depending on datacenter location, design, scope of services, and other factors. The TVRA selects the threat scenarios to highlight in the TVRA document based on customer requirements, an independent country, city, and site-level assessment of the risk environment provided by 3rd-party and 1st-party risk information. For regions that have multiple datacenters, TVRA ratings are aggregated to ensure a holistic view of the physical and environmental threats, vulnerabilities, and risks for the locations being assessed.

Types of threat scenarios assessed for datacenter TVRAs include:

  • External threats: incidents resulting from external intentional or accidental human activities. For example, civil disorder, terrorism, criminal activity, external theft, improvised explosive devices, armed attacks, arson, unauthorized entry, and airplane crashes.
  • Internal threats: incidents resulting from internal intentional or accidental human activities. For example, internal theft and sabotage.
  • Natural hazards: a natural process or phenomenon that could negatively impact datacenters. For example, tropical storms, cyclones, floods, landslides, drought, wildfire, earthquakes, volcanic activity, and severe storms with lightning, hail, strong winds, or heavy rain.
  • Environmental threats: environmental conditions that could negatively impact datacenters. For example, water stress, heat stress, and pandemics.

Risk analysis

Threats are evaluated based on an assessment of their inherent risk; inherent risk is calculated as a function of inherent impact of a threat and inherent likelihood of the threat occurrence in the absence of management action and controls. These assessments are informed by both internal subject-matter expert (SME) feedback and using external risk indices.

Residual risk

Residual risk is determined as a measure of remaining risk levels after consideration of control effectiveness. Control effectiveness is evaluated as a measure of current management actions and controls designed to prevent or detect threats while assessing the likelihood that the controls will have their desired effect as designed and implemented. These assessments are informed by an aggregation of internal SME feedback on control effectiveness for the datacenter locations addressed in the TVRA.


Once the assessment is completed, a TVRA report is generated for management approval and to support our overall efforts related to risk management.