Something that is generally forgotten during times of migration and transition is cloud security and who is responsible for what.
The first step on any journey to any cloud is security and compliance. Microsoft meets a vast array of industry- and country-specific certifications, including ISO 27001 and, specifically for Australians, the Australian IRAP certification. A first port of call for discovery when considering designs on Azure is the Microsoft Azure Trust Center. It holds a vast amount of information on specific items such as compliance, security, privacy, and transparency, the last of which is a very important item.
Microsoft has a disclosure site where it publishes information on what it discloses to the authorities.
In Australia in the last year there have been 2,226 requests for information from the authorities. Do you know how many requests resulted in disclosing content? Zero. On most occasions Microsoft simply gives subscriber data and tells the authorities to go and talk to the customer. This is how most requests are handled.
As a consumer of cloud services it is important to know where Microsoft’s responsibility stops and where it becomes the customer’s or the partner’s responsibility. Microsoft is responsible for the foundation layer: physical and virtual security and segregation of your services. The layers above that fall to the customer or partner:
- Application security
- Operating system security
- Data security
At Melbourne IT (my employer) we have partners such as Trend Micro who can help fill this gap. Trend Micro has a purpose-built Deep Security product which can manage multiple clouds and has multiple security features. There are multiple ways to purchase your license, with the easiest being per server per month/minute.
Aaron Whittaker @aaronw2003