The Rimrock team is often asked, “Would Microsoft tell me if my data in Azure suffers a security breach?” The short answer? Yes. Microsoft defines a security incident in the Online Services as illegal or unauthorized access that results in the loss, disclosure or alteration of Customer Data. The goal of security incident management is to identify and remediate threats quickly, investigate thoroughly, and notify affected parties.
The Shared Responsibility Model
Microsoft Azure services use a shared responsibility model. This means that both Microsoft (as the cloud services provider) and the customer are accountable for portions of cloud security. While Microsoft Azure does not monitor for or respond to security incidents within the customer’s area of responsibility, it does provide many tools, such as Azure Security Center, to help with issues that may arise. There is also an effort to make every service as secure as possible by default. That is, each service comes with a baseline that is already designed to provide security for most common use cases.
The Security Incident Response Process
If a security incident does occur, all Microsoft employees are trained to identify and escalate it appropriately. A dedicated team of security specialists within the Microsoft Security Response Center (MSRC) performs security incident response for Azure. The team follows a 5-step Security Incident Lifecycle and a structured Standard Operating Procedure (SOP) to Detect, Assess, Diagnose, Stabilize, and Close security incidents.
| Step | Stage | Description |
|---|---|---|
| 1 | Detect | First indication of an event investigation |
| 2 | Assess | An on-call incident response team member assesses the impact and severity of the event. Based on evidence, the assessment may or may not result in further escalation to the security response team. |
| 3 | Diagnose | Security response experts conduct the technical or forensic investigation and identify containment, mitigation, and workaround strategies. If the security team believes that customer data may have become exposed to an unlawful or unauthorized individual, execution of the Customer Incident Notification process begins in parallel. |
| 4 | Stabilize, Recover | The incident response team creates a recovery plan to mitigate the issue. Crisis containment steps such as quarantining impacted systems may occur immediately and in parallel with diagnosis. Longer term mitigations may be planned which occur after the immediate risk has passed. |
| 5 | Close/Post Mortem | The incident response team creates a post-mortem that outlines the details of the incident, with the intention to revise policies, procedures, and processes to prevent a re-occurrence of the event. |
Customer Security Incident Notification
If, during the investigation of a security event, Microsoft becomes aware that customer data has been accessed by an unlawful or unauthorized party, the security incident manager will immediately begin execution of the Customer Security Incident Notification Process. The security incident manager only needs reasonable suspicion that a reportable event has occurred to begin execution of this process. The goal of the customer security incident notification process is to provide impacted customers with accurate, actionable, and timely notice when their customer data has been breached.
Microsoft is subject to several obligations and commitments when it comes to protecting customer data. The Azure Security Response Team’s work can be distilled down to these 4 core operating principles:
1. Microsoft will let its customers know if their data has been lost, altered or disclosed because of unlawful or unauthorized activities.
2. Microsoft will inform you of a security incident with actionable, timely data.
3. Microsoft values transparency regarding lessons learned or other repair items learned from a breach.
4. Microsoft is committed to customer privacy and operates security incident response accordingly.
Customers using Microsoft Online Services can count on the security incident management program that Microsoft has put in place. The five-stage process, the MSRC Azure Security Response team, and the team training exercises all demonstrate Microsoft’s dedication to protecting their customers and their data.