Security Features in Microsoft Online Services Technical Overview

Thursday 29 July 2010

Security for Hosted Services

This security document contains a description of the technical and organizational measures designed to provide and enable security for Microsoft Online Services.

Security for the Hosting Environment

The Microsoft Online Services environment is composed of computers, operating systems, applications and services, networks, operations and monitoring equipment, and specialized hardware, along with the administrative and operations staff required to run and maintain the services. The environment also includes the physical operations centers that house the services and which themselves must be secured against malicious and accidental damage.

Key Architecture Design Points

Defense in Depth

Microsoft Online Services are designed to provide Defense in Depth, preventing the failure of any one level of security from compromising the security of the entire environment. The Defense in Depth layers include:

Filtering Routers

Filtering routers reject attempts to communicate to non-routable internet protocol (IP) addresses. This helps to prevent common attacks that use “drones” or “spiders” searching for vulnerable servers. Although relatively easy to block, these types of attacks remain a favorite method of hackers in search of weaker defenses.

Firewalls

Firewalls restrict data communication to known and authorized ports, protocols, and destination IP addresses. Firewalls also perform packet inspection, which helps to ensure that the actual contents of the packets contain data in the expected format and conform to the expected communication scheme.

Intrusion Detection Systems

The service uses network-based intrusion detection systems to perform real-time monitoring of incoming and outgoing traffic, looking for anomalies in the usual patterns for delivering services. The hosted environment is monitored 24x7 and generates immediate notification of detected inappropriate activity, which is then analyzed, and corrective action is taken if necessary. The intrusion detection systems perform protocol analysis and can be used to detect a variety of attacks and probes, such as port scans and attempts to communicate using inappropriate IP address ranges.
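As an added illustration of the two controls just described (the filtering-router rejection of non-routable addresses and the IDS port-scan detection), not code from Microsoft or this document: the flow records, the non-routable address list and the scan threshold are constructed for the example, and the documentation addresses 198.51.100.x / 203.0.113.x stand in for public hosts.

```python
import ipaddress
from collections import defaultdict

# Ranges that should never appear as source or destination on the public
# interface: "this network", RFC 1918 private space, CGNAT, loopback,
# link-local, multicast and reserved space (constructed list for the example).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

PORT_SCAN_THRESHOLD = 10  # distinct destination ports from one source to one host


def is_non_routable(addr: str) -> bool:
    """Filtering-router check: True if addr falls in a non-routable range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record of the form '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def evaluate_flows(lines):
    """Return (dropped, scanners): flows rejected because either address is
    non-routable, and sources that probed many distinct ports on one host."""
    dropped = []
    ports_seen = defaultdict(set)  # (src, dst) -> set of destination ports
    for line in lines:
        flow = parse_flow(line)
        if is_non_routable(flow["src"]) or is_non_routable(flow["dst"]):
            dropped.append(flow)
            continue  # the filtering router would never forward this packet
        ports_seen[(flow["src"], flow["dst"])].add(flow["dport"])
    scanners = sorted({src for (src, _), ports in ports_seen.items()
                       if len(ports) >= PORT_SCAN_THRESHOLD})
    return dropped, scanners


# Constructed sample traffic: one packet with a spoofed private source, one
# ordinary HTTPS flow, and one source touching twelve ports on the same host.
SAMPLE_FLOWS = ["192.168.1.5 198.51.100.10 tcp 443",
                "203.0.113.7 198.51.100.10 tcp 443"] + [
    f"203.0.113.9 198.51.100.10 tcp {p}" for p in range(20, 32)]

if __name__ == "__main__":
    dropped, scanners = evaluate_flows(SAMPLE_FLOWS)
    print(f"dropped {len(dropped)} flow(s); scanning sources: {scanners}")
```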

Windows Security Patch Management

Windows Security Patch management is an integral part of operations and is necessary to ensure systems are immune to known vulnerabilities. Microsoft Online Services utilizes Windows Server Update Services to manage the distribution and installation of Windows security patches.

Monitoring

Security is monitored with the aid of centralized monitoring, correlation, and analysis systems that proactively manage the large amount of information generated by devices within the environment, providing pertinent and timely monitoring and alerts.

Network Segmentation

At the interface with the public network, Microsoft uses special-purpose security devices for firewall, Network Address Translation and IP filtering functions. Functions at this layer include Denial of Service blocking, IDS, Secure Sockets Layer and initial access validation.

The back-end network is made up of partitioned Local Area Networks for Web and applications servers, data storage, and centralized administration. These servers are grouped into private address segments behind the load balancers.

Service Administration Access

Since all Microsoft Online Services data center deployments are “lights-out” managed, administrative access to the networks is conducted over 128-bit encrypted communication channels and requires dual-factor authentication.

Physical Security

Physical security goes hand-in-hand with virtual or software-based security measures, and similar risk assessment and risk mitigation procedures apply to both.

Microsoft Online Services are delivered to customers through a network of global data centers, each designed to run 24 x 7, and each employing various measures to help protect operations from power failure, physical intrusion, and network outages. These data centers comply with industry standards for physical security and reliability; are managed, monitored, and administered by Microsoft operations staff; and are geographically dispersed.

Microsoft uses highly secured access mechanisms, limited to a very small number of operations personnel, who must regularly change their administrator access passwords. Data center access, and authority to open data center access tickets, is controlled by the network operations director in conjunction with local data center security practices.

Operations and Personnel Security

Design of the Services

Microsoft Online Services are designed to be run without routine access to customer data by Microsoft personnel. A limited number of Microsoft personnel may access customer information as described in the privacy statement, including to operate the service, as well as to respond to support requests and as part of incident response.

Incident Response

Limited Microsoft personnel may access personal information in response to an incident. Microsoft Online Services have personnel staffing a Network Operation Center 24 x 7. The procedures to follow in the event of a security incident are documented and made available to the Operations personnel, and a full communication plan has also been put in place for such incidents.

Application-level Security

In addition to data center, network, and personnel security practices, Microsoft Online Services incorporates various security practices at the application layer to help ensure a more secure experience for all customers. This includes both how the application is developed and features within the application that are available to the administrators of the service.

Secure Application Design

Prior to their respective release, new applications and existing applications under change are reviewed for compliance with the then-current Security Development Lifecycle (SDL) practices and the Trustworthy Computing efforts exercised at Microsoft.

The reviews include threat models, code reviews and remediation plans. Testing of remediation is conducted prior to Release to Operations for deployment.

Security Features

Microsoft Online Services includes many security options beyond the core operational technologies provided by the service. Collectively, they provide administrators with additional options to further help ensure data and privacy.

Rights and Roles (Authorization)

The service defines a set of access rights that are required for users and other entities to perform certain operations (e.g., Review or Share a message). Built in user roles are defined, with each role granted a certain set of access rights (e.g., the Systems Administrator role can review content from subordinate roles). Administrators can assign one or more user roles to a given user.

Every operation in the service has two steps of authorization enforcement:

  • Action Authorization: Checks if the user/component is permitted to perform the specified action
  • Resource Authorization: Checks if the user/component is permitted to access the specified resource
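The two-step enforcement above, worked through as an added example (not the service's own implementation): roles map to sets of rights, every user holds one or more roles, and each operation passes an action check before a resource check. The "Reader" and "Editor" roles, the right names, the role ranks and the users are constructed assumptions; only "Systems Administrator", "Review" and "Share" come from the text.

```python
# Built-in roles, each granting a set of rights. The rank orders roles from
# least to most privileged so "subordinate" can be decided (constructed).
ROLES = {
    "Reader": {"rank": 1, "rights": {"ReadMessage"}},
    "Editor": {"rank": 2, "rights": {"ReadMessage", "ShareMessage"}},
    "Systems Administrator": {"rank": 3,
                              "rights": {"ReadMessage", "ShareMessage", "ReviewMessage"}},
}

# Right required by each operation (used by the action authorization step).
ACTION_RIGHTS = {"read": "ReadMessage", "share": "ShareMessage", "review": "ReviewMessage"}


def rights_of(user):
    """Union of the rights granted by every role assigned to the user."""
    return set().union(*(ROLES[r]["rights"] for r in user["roles"]))


def rank_of(user):
    """Highest rank among the user's roles."""
    return max(ROLES[r]["rank"] for r in user["roles"])


def action_authorized(user, action):
    """Step 1, action authorization: may this user perform the action at all?"""
    return ACTION_RIGHTS[action] in rights_of(user)


def resource_authorized(user, action, message):
    """Step 2, resource authorization: may this user touch this message?
    Owners may act on their own messages; 'review' additionally reaches
    messages owned by users whose roles are subordinate (lower-ranked)."""
    owner = message["owner"]
    if owner["name"] == user["name"]:
        return True
    if action == "review":
        return rank_of(owner) < rank_of(user)
    return False


def authorize(user, action, message):
    """Both steps must pass, in order; returns (allowed, reason)."""
    if not action_authorized(user, action):
        return False, "action denied: missing right " + ACTION_RIGHTS[action]
    if not resource_authorized(user, action, message):
        return False, "resource denied: not owner and not a subordinate's message"
    return True, "allowed"


# Constructed users and messages for the worked example.
ALICE = {"name": "alice", "roles": ["Systems Administrator"]}
BOB = {"name": "bob", "roles": ["Editor"]}
CAROL = {"name": "carol", "roles": ["Reader"]}
BOBS_MSG = {"id": 1, "owner": BOB}
ALICES_MSG = {"id": 2, "owner": ALICE}
```

Note that an Editor is refused "review" even on their own message: the action check runs first and fails, so the resource check is never consulted.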

Auditing and Impersonation

All Microsoft administrative operations are audited. The audit trail can be viewed to determine the history of any particular change.

User-to-user Impersonation is supported in most cases so that — if a user’s credentials are known — an administrator can log on as that user and, as needed, be able to access the same data as the user being impersonated.

Fault-Tolerance & Redundancy

Microsoft Online Services are designed to be fault-tolerant and redundant. From geographically diverse data center deployments to clustered server farms, all aspects of the service provide for fault-tolerance and redundant service.

Service Redundancy

Each layer of the infrastructure is designed to continue operations in the event of failure, including redundant network devices at each layer and dual internet service providers at each data center. The network is monitored by the Network Operations Center 24x7x365 to detect any anomalies or potential network issues.

Data Center Redundancy

Microsoft data centers feature automated failover that can transfer operations to alternative, geographically separate data centers if this becomes necessary. Failover is transparent, requiring no intervention from customers while service is resumed.

Privacy

Microsoft regards personal information as private and will take reasonable and customary measures to appropriately handle personally identifiable information.

Personal information on the Microsoft Online Services will only be collected, processed, and transferred with the consent of the customer, in compliance with our contractual obligations and/or as required under applicable law.

Microsoft (including, for this purpose, all of our U.S. subsidiaries) is Safe Harbor certified with the U.S. Department of Commerce. This allows for legal transfer of data to Microsoft for processing from within the European Union and countries with aligned data protection laws. For enterprise customers, Microsoft acts as the data processor and, to the extent of the Service’s capabilities, decisions regarding data usage are made by the data controller.