Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft’s approach to securing data relies on the understanding of the shared responsibility in the cloud model.
| Microsoft |
|---|
| Microsoft cloud services are built on a foundation of trust and security. Microsoft enables the best in breed security controls, monitoring, and protections to ensure that when you come to the cloud it's trustworthy. |
The security of your Microsoft cloud service is an operational partnership between Microsoft and you.
| You |
|---|
| You own your data and all user identities. You're responsible for protecting them, the security of your on-premises resources, and the security of cloud components you control (varies by service). |
| Responsibility | On-premises | IaaS | PaaS | SaaS |
|---|---|---|---|---|
| Customer data | ■ | ■ | ■ | ■ |
| Configurations and settings | ■ | ■ | ■ | ■ |
| Identities and users | ■ | ■ | ■ | ■ |
| Client devices | ■ | ■ | ■ | ◩ |
| Applications | ■ | ■ | ◩ | ◩ |
| Network controls | ■ | ■ | ◩ | ☐ |
| Operating system | ■ | ■ | ☐ | ☐ |
| Physical hosts | ■ | ☐ | ☐ | ☐ |
| Physical network | ■ | ☐ | ☐ | ☐ |
| Physical data center | ■ | ☐ | ☐ | ☐ |
■ Customer ◩ Shared ☐ Microsoft
Microsoft commitment to secure solutions
Microsoft cloud services are built on a foundation of trust and security. Microsoft enables the best-in-breed security controls, monitoring, and protections to ensure that when you come to the cloud, it’s trustworthy. Microsoft uses the best development and operation practices outlined in the Microsoft Security Development Lifecycle (SDL) and Microsoft Operational Security Assurance (OSA). Microsoft developers must validate that source code, documentation, configurations, and dependencies don't cause unintended side effects. For more information, see Security development and operations overview.
The data security section in the Microsoft Products and Services Data Protection Addendum (DPA) describes the security practices and policies adopted by Microsoft online services.
Shared responsibility and customer responsibilities
To ensure your data is secure and your privacy controls are addressed, follow these best practices when deploying into Azure:
Protecting your data also requires that all aspects of your security and compliance program include your cloud infrastructure and data. The following guidance can help you secure your deployment.
Microsoft Purview for data governance and inventory discovery
Ensure that your data stored in the cloud, hybrid, and on-premises is classified and cataloged. This action reflects one of the most essential elements of a security model. Microsoft Purview can help you assess and inventory your network.
Microsoft Purview can connect to and classify the following services used in Microsoft for Sustainability:
Microsoft Defender for Cloud protects your deployment
You can use Defender for Cloud to protect Microsoft for Sustainability. Defender for Cloud provides Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources. Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:
- Defender for Cloud secure score: Continually assesses your security posture so you can track new security opportunities and precisely report on the progress of your security efforts.
- Defender for Cloud recommendations: Secures your workloads with step-by-step actions that protect your workloads from known security risks.
- Defender for Cloud alerts: Defends your workloads in real-time so you can react immediately and prevent security events from developing.
Defender for Cloud can protect the following elements of Microsoft for Sustainability:
- Teams and Office 365
- Microsoft Power BI
- Dynamics 365
- Identity and Microsoft Entra ID integration
- Microsoft Sentinel
Microsoft Sentinel cloud-based security operations
Microsoft Sentinel brings together signals from Microsoft Purview, Defender for Cloud, and data logs across your environment.
You can integrate the following Microsoft for Sustainability services into Microsoft Sentinel. This integration provides a full view of your security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution.
- Microsoft Purview
- Power Apps logging
- Dynamics 365 continuous threat monitoring
- Microsoft Entra ID
- Other data sources
For guidance on deploying, managing, and using Microsoft Sentinel, see Best practices for Microsoft Sentinel.
Configuring your auditable logs in Office 365 gives you a richer view of your data. Microsoft provides an extensive set of logging and audit capabilities that are included in the Microsoft Purview compliance portal. You can enable logging and monitoring for each service capability:
- Power Apps activity logging
- Power Automate activity logging
- Data loss prevention activity logging
- Dynamics 365 auditing
- Microsoft Dataverse and model-driven apps activity logging
- Microsoft Teams logging