Perhaps you have noticed it yourself: customers are asking more and more often how secure Microsoft cloud services (Microsoft Azure, Office 365 & Windows Intune) are. These are valid questions, such as “What corporate data is stored, and where? How is my corporate data protected in Microsoft datacenters? What security controls are in place, and what about backup, disaster recovery and data retention policies? Do I have control over what data is synced to the cloud?” And so we could go on…
By informing customers and providing them with guidelines and best practices, it becomes clearer what the impact of using Microsoft cloud services is for their organizations. This eliminates possible reservations (justified or not), increases confidence in the cloud service as a platform and accelerates its adoption.
This post might help you get a better understanding of the terms and conditions under which Microsoft cloud services are provided, and enable you to inform your cloud security officer!
Q: What kind of security measures will be taken to protect the data from hackers and to prevent man-in-the-middle attacks that target SSL?
A: A public certificate from the trusted GlobalSign CA will be used with strong key (2048) protection. Passwords of accounts will be double hashed using SHA256 before being sent over the SSL tunnel. Intune servers at SKG don’t contain untrusted CA certificates, and Windows updates make sure the trusted CA list is up to date.
Q: Will data be stored in their cloud environment? If yes, what are their data retention and destruction procedure, back-up procedure and disaster recovery procedure?
A: Yes, data will be stored, but it is limited to user account information only. The following site lists the user account attributes which are synced by default (can be limited if needed): http://support.microsoft.com/kb/2256198/en-us
Data is suspended after 30 days, and removed after 90 days.
Q: Which encryption algorithm will be used to provide the assurance that data placed on the cloud servers is protected from unauthorized disclosure?
A: Azure AD is fully encrypted. Traffic is encrypted using AES/SHA256.
Q: What cryptography or public key/algorithm will be used to secure data being transmitted across a network and to verify the integrity, confidentiality and security of the data by sender or receiver?
A: AES/SHA256; GlobalSign certificate with 2048 key length.
Q: How is the access control implemented on their cloud environment to decrease the risk of unauthorized access to data and processing?
A: Physical and Personnel security are described in the attached document (page 3).
Intune provides 3 portals which are all secured using SSL. Sessions have an inactivity timeout—that is, after a period of no activity, the user’s session is ended, and the user must sign into the portal again.
Q: Do they have a system hardening statement ISO or ISAE3402?
A: Yes. System hardening is in place by using the following controls:
- ISO/IEC 27001:2005
- SSAE 16/ISAE 3402 (Service Organization Control [SOC] 1, SOC 2, SOC 3)
- FISMA
- PCI data security standard
Q: Will a penetration test be carried out?
A: Microsoft conducts regular penetration testing to improve Windows Intune security controls and processes (http://www.microsoft.com/en-us/windowsintunetrust/security.aspx)
Top 10 Windows Intune Security Compliance & Control facts
- Microsoft Global Foundation Services: Windows Intune is hosted in Microsoft Global Foundation Services (GFS) data centers where the following security standards are applied:
  - ISO/IEC 27001:2005 Audit and Certification
  - SSAE 16/ISAE 3402 (Service Organization Control [SOC] 1, SOC 2, SOC 3)
  - PCI data security standard
  - HIPAA Business Associate Agreement (BAA)
  - EU model clauses. In addition to being certified under EU Safe Harbor, Windows Intune is taking steps to enable all customers to sign the standard contractual clauses the EU creates (“EU model clauses”). EU model clauses address international transfers of data.
- Windows Intune uses Azure Active Directory as its authentication platform/repository.
- All Windows Intune (client) communications are secured by SSL
- Data protection: Windows Intune collects customer data only to provide and troubleshoot the service. Data the Windows Intune service collects includes:
  - Device names and inventory data used to provide the service
  - Administrator data, including the name, address, phone number and email address of the account owner and IT administrators (Microsoft uses this data to provide information about new subscriptions, billing, and important updates about customers’ services, including security and other technical issues regarding the Windows Intune service.)
- Customer Data Location: Microsoft will not transfer Customer Data outside the selected geo(s) except where necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements; or where customer configures an account to enable such transfer of Customer Data, including through the use of:
  - Features that do not enable geo selection, such as Content Delivery Network (CDN) that provides a global caching service;
  - Preview, beta, or other pre-release features that may store or transfer Customer Data to the United States regardless of deployment geo; or
  - Windows Azure Active Directory (except for Access Control), which may transfer Active Directory Customer Data to the United States for European customers, or to the United States or Europe for Asian customers.
- Data locality: Microsoft has a regionalized data center strategy. The customer’s country or region, which the customer’s administrator inputs during initial setup of the services, determines the primary storage location for that customer’s data.
- Data disposition: Windows Intune identifies 3 data states:
  - Warning state: Subscriptions initially go into a warning state, during which customers can continue to use the service and their data is available. They have 30 days to renew their subscriptions, and during this time they will receive notifications.
  - Suspended state: If after 30 days customers do not renew their subscription, they go into the suspended state. They still have rights to their data and can continue accessing the service, but they cannot enroll any new devices into the service.
  - Retention period: At the end of the Suspended state, customers can continue accessing their data for 90 days. If after 90 days customers do not renew their subscription, all data is removed within 30 days of the end of the retention period.