Protect: Establish security controls to protect your data

By Microsoft

07/06/2017

Protecting your data

Data security is a complex area. There are many types of risk to identify and consider—ranging from physical intrusion or rogue employees to accidental loss or hackers. Building risk management plans and taking risk mitigation steps, such as password protection, audit logs and encryption, can help you ensure compliance.

The Microsoft cloud is specifically built to help you understand risks and to defend against them, and is more secure than on-premises computing environments in many ways. For example, our datacenters are certified to internationally recognised security standards; protected by 24-hour physical surveillance; and have strict access controls.

How we secure our cloud infrastructure is only part of a comprehensive security solution and each of our products, either in the cloud or on-premises, have security features to help you secure your data.

Azure

The following Azure services and tools will help you protect personal data in your cloud environment:

Azure Security Center provides you with visibility and control over the security of your Azure resources. It continuously monitors your resources and provides helpful security recommendations. It enables you to define policies for your Azure subscriptions and resource groups based on your company’s security requirements, the types of applications that you use and the sensitivity of your data. It also uses policy-driven security recommendations to guide service owners through the process of implementing needed controls—for example, enabling antimalware or disk encryption for your resources. Security Center also helps you rapidly deploy security services and appliances from Microsoft and partners to strengthen the protection of your cloud environment.
Data encryption in Azure secures your data at rest and in transit. You can, for example, automatically encrypt your data when it is written to Azure Storage using Storage Service Encryption. Additionally, you can use Azure Disk Encryption to encrypt operating systems and data disks used by Windows and Linux virtual machines. Data is protected in transit between an application and Azure so that it always remains highly secure.
Azure Key Vault enables you to safeguard your cryptographic keys, certificates, and passwords that help protect your data. Key Vault uses hardware security modules (HSMs) and is designed so that you maintain control of your keys and therefore your data, including ensuring that Microsoft cannot see or extract your keys. You can monitor and audit use of your stored keys with Azure logging, and import your logs into Azure HDInsight or your security information and event management (SIEM) system for additional analysis and threat detection.
Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a free real-time protection capability that helps you identify and remove viruses, spyware, and other malicious software that target data theft, with configurable alerts that let you know when known malicious or unwanted software attempts to install itself or run on your Azure systems.

Dynamics 365

You can use the security concepts for Dynamics 365 to protect the data integrity and privacy in a Dynamics 365 organisation. You can combine business units, role-based security, record-based security and field-based security to define the overall access to information that users have in your Dynamics 365 organisation.

Role-based security in Dynamics 365 allows you to group together a set of privileges that limit the tasks that can be performed by a given user. This is an important capability, especially when people change roles within an organisation.
Record-based security in Dynamics 365 allows you to restrict access to specific records.
Field-level security in Dynamics 365 allows you to restrict access to specific high-impact fields, such as personally identifiable information.

Enterprise Mobility + Security (EMS)

In the majority of data breaches, attackers gain corporate network access through weak, default or stolen user credentials. Our security approach starts with identity protection at the front door with risk-based conditional access.

Azure Active Directory (Azure AD) in Enterprise Mobility + Security helps you protect your organisation at the access level by managing and protecting your identities— including your privileged and non-privileged identities. Azure AD provides one protected common identity for accessing thousands of apps. Azure AD Premium features MultiFactor Authentication (MFA), which is access control based on device health, user location, identity and sign-in risk, and holistic security reports, audits and alerts. Azure AD Privileged Identity Management (PIM) helps discover, restrict and monitor privileged identities and their access to resources through a security wizard, reviews and alerts. This enables scenarios such as time-limited “just in time” and “just enough administration” access.

Enterprise Mobility + Security provides deep visibility into user, device and data activity on-premises and in the cloud and helps you protect your data with strong controls and enforcement.

Azure Information Protection helps extend control over your data throughout the complete data lifecycle—from creation to storage on-premises and in cloud services, to sharing internally or externally, to monitoring the distribution of files and finally to responding to unexpected activities.
Cloud App Security provides deep visibility and strong data controls for the software as a service (SaaS) and cloud apps your employees are using, so you can gain complete context and start controlling data with granular-level policies.
Microsoft Intune provides mobile device management, mobile application management and PC management capabilities from the cloud. Using Intune, you can provide your employees with access to corporate applications, data and resources from virtually anywhere on almost any device, while helping to keep corporate information highly secure.

Office and Office 365

The Office 365 platform incorporates security at every level, from application development to physical datacenters to end-user access. Office 365 applications include both built-in security features that simplify the process of protecting data and the flexibility for you to configure, manage and integrate security in ways that make sense for your unique business needs. The Office 365 compliance framework has over 1,000 controls that enable us to keep Office 365 up to date with evolving industry standards, including over 50 certifications or attestations.

Many security controls are available by default. SharePoint and OneDrive for Business, for instance, both use encryption for data in transit and at rest. In addition, you may configure and deploy digital certificates to obfuscate personal data and you can use Office Access controls to grant and restrict access to personal data.

Office 365 offers other features that help you safeguard data and identify when a data breach occurs:

Secure Score gives you insights into your security position and what features are available to reduce risk while balancing productivity and security.
Advanced Threat Protection (ATP) for Exchange Online helps protect your email against new, sophisticated malware attacks in real time. It also allows you to create policies that help prevent your users from accessing malicious attachments or malicious websites linked through email. ATP for Exchange Online includes protection against unknown malware and viruses, time-of-click protection against malicious URLs and rich reporting and URL trace capabilities.
Information Rights Management (IRM) helps you and your users prevent sensitive information from being printed, forwarded, saved, edited or copied by unauthorised individuals. With IRM in SharePoint Online, you can limit the actions that users can take on files that have been downloaded from lists or libraries, such as printing copies of the files or copying text from them. With IRM in Exchange Online, you can help prevent sensitive information in email messages and attachments from leaking via email, online and offline.
Mobile Device Management (MDM) for Office 365 lets you set up policies and rules to help secure and manage your users’ enrolled iPhones, iPads, Android devices and Windows phones. For example, you can remotely wipe a device and view detailed device reports. Office 365 also uses multi-factor authentication to help provide extra security.

SQL Server and Azure SQL Database

SQL Server and Azure SQL Database provide controls for managing database access and authorisation at several levels:

Azure SQL Database firewall limits access to individual databases within your Azure SQL Database server by restricting access exclusively to authorised connections. You can create firewall rules at the server and database levels, specifying IP ranges that are approved to connect.
SQL Server authentication helps you ensure that only authorised users with valid credentials can access your database server. SQL Server supports both Windows authentication and SQL Server logins. Windows authentication offers integrated security and is recommended as the more secure option, where the authentication process is entirely encrypted. Azure SQL Database supports Azure Active Directory authentication, which offers a single sign-on capability and is supported for managed and integrated domains.
SQL Server authorisation enables you to manage permissions according to the principle of least privilege. SQL Server and SQL Database use role-based security, which supports granular control of data permissions via the management of role memberships and object-level permissions.
Dynamic data masking (DDM) is a built-in capability that can be used to limit sensitive data exposure by masking the data when accessed by non-privileged users or applications. Designated data fields are masked in query results on the fly, while the data in the database remains unchanged. DDM is simple to configure and requires no changes to the application. For users of Azure SQL Database, dynamic data masking can automatically discover potentially sensitive data and suggest the appropriate masks to be applied.
Row-level security (RLS) is an additional built-in capability that enables SQL Server and SQL Database customers to implement restrictions on data row access. RLS can be used to enable fine-grained access over rows in a database table, for greater control over which users can access which data. Since the access restriction logic is located in the database tier, this capability greatly simplifies the design and implementation of application security.

SQL Server and SQL Database provide a powerful set of built-in capabilities that safeguard data and identify when a data breach occurs:

Transparent data encryption protects data at rest by encrypting the database, associated backups and transaction log files at the physical storage layer. This encryption is transparent to the application, and uses hardware acceleration to improve performance.
Transport Layer Security (TLS) provides protection of data in transit on SQL Database connections.
Always Encrypted is an industry-first feature that is designed to protect highly sensitive data in SQL Server and SQL Database. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the database engine. The mechanism is transparent to applications, as encryption and decryption of data is done transparently in an Always Encrypted–enabled client driver.
Auditing for SQL Database and SQL Server audit track database events and write them to an audit log. Auditing enables you to understand ongoing database activities, as well as analyse and investigate historical activity to identify potential threats or suspected abuse and security violations.
SQL Database Threat Detection detects anomalous database activities indicating potential security threats to the database. Threat Detection uses an advanced set of algorithms to continuously learn and profile application behaviour, and notifies immediately upon detection of an unusual or suspicious activity. Threat Detection can help you meet the data breach notification requirement of the GDPR.

Windows and Windows Server

Windows 10 and Windows Server 2016 include industry-leading encryption, antimalware technologies and identity and access solutions that enable you to move from passwords to more secure forms of authentication:

Windows Hello is a convenient, enterprise-grade alternative to passwords that uses a natural (biometrics) or familiar (PIN) method to validate identity, providing the security benefits of smartcards without the need for additional peripherals.
Windows Defender Antivirus is a robust antimalware solution that works right out of the box to help you stay protected. Windows Defender Antivirus is quick to detect and protect against emerging malware, and it can immediately help protect your devices when a threat is first observed in any part of your environment.
Device Guard allows you to lock down your devices and servers to protect against new and unknown malware variants and advanced persistent threats. Unlike detection-based solutions such as antivirus programs that need constant updating to detect the latest threats, Device Guard locks down devices so they can only run the authorised applications you choose, which is an effective way to combat malware.
Credential Guard is a feature that isolates your secrets on a device, like your single sign on tokens, from access even in the event of a full Windows operating system compromise. This solution fundamentally prevents the use of hard-to-defend attacks such as “pass the hash”.
BitLocker Drive Encryption in Windows 10 and Windows Server 2016 provides enterprise-grade encryption to help protect your data when a device is lost or stolen. BitLocker fully encrypts your computer’s disk and flash drives to prevent unauthorised users from accessing your data.
Windows Information Protection picks up where BitLocker leaves off. While BitLocker protects the entire disk of a device, Windows Information Protection protects your data from unauthorised users and applications running on a machine. It also helps you prevent data from leaking from business to non-business documents or to locations on the web.
Shielded Virtual Machines allow you to use BitLocker to encrypt disks and virtual machines (VMs) running on Hyper-V, to prevent compromised or malicious administrators from attacking the contents of protected VMs.
Just Enough Administration and Just in Time Administration allows administrators to perform their regular jobs and actions, while enabling you to limit the scope of capabilities and time that administrators can run. If a privileged credential is compromised, the scope of damage is severely limited. This technique provides administrators with only the level of access they require during the time they are working on the project.