Category Archives : Security



I’m announcing that Azure has achieved adherence to the EU Cloud Code of Conduct (EU Cloud CoC), developed for cloud providers to align with the EU’s General Data Protection Regulation (GDPR). The EU Cloud CoC is the first GDPR code of conduct that has received the European Data Protection Board (EDPB) positive opinion, which was followed by final approval led by the Belgian Data Protection Authority. The EU Cloud CoC also marks the 100th compliance offering for Azure, more than any other cloud provider, providing customers a high level of assurance through controls, evidence, and verification.

The EU Cloud CoC serves as a basis for implementing the requirements of Article 28 of the GDPR for cloud providers acting as business-to-business processors under the GDPR. Because the EU Cloud CoC is approved by the EDPB, Azure customers can use Azure’s adherence to help demonstrate their own GDPR compliance, as well as cite it as a risk mitigator in a GDPR Data Protection Impact Assessment (DPIA). Article 40 of the GDPR specifically encourages the creation of codes of conduct, so as “to contribute to the proper application of the regulation.” SCOPE Europe acts as the independent monitoring body of the EU Cloud CoC.





The Regulatory Compliance dashboard in Azure Security Center is an excellent tool for helping organizations understand their compliance posture relative to industry standards. Reporting on compliance with specific standards is obviously critical for regulated customers, though tracking compliance status is also relevant to many other organizations who want to align with industry-defined best practices. Many of our customers use compliance frameworks as the basis of their organizational security model.

Azure Security Center improves your organization’s overall compliance readiness. By performing ongoing assessments, Azure Security Center provides rich, actionable insights and reports to simplify your regulatory compliance journey.

Several significant upgrades have recently been released to the compliance management experience in Azure Security Center, including Azure Security Benchmark integration with Secure Score, a new section for downloading audit certification reports, integration of shared responsibility model details into the product, and Workflow Automation functionality.

Azure Security Benchmark

Azure Security Benchmark is now fully integrated into the regulatory compliance dashboard as the default standard, available to all Azure Security Center customers for free. Azure Security Benchmark comprises the canonical set of controls that Microsoft defines and recommends as a security baseline, aligned with industry frameworks and customized to Azure and cloud environments.




This blog post was co-authored with Roy Levin, Senior Data Scientist

With the reality of working from home, more people and devices are now accessing corporate data across home networks. This raises the risks of cyber-attacks and elevates the importance of proper data protection. One of the resources most targeted by attackers is data storage, which can hold critical business data and sensitive information.

To help Azure customers better protect their storage environment, Azure Security Center provides Azure Defender for Storage, which alerts customers upon unusual and potentially harmful attempts to access or exploit their storage accounts.

What’s new in Azure Defender for Storage

As with all Microsoft security products, customers of Azure Defender for Storage benefit from Microsoft threat intelligence to detect and hunt for attacks. Microsoft amasses billions of signals for a holistic view of the security ecosystem. These shared signals and threat intelligence enrich Microsoft products and allow them to offer context, relevance, and priority management to help security teams act more efficiently.

Based on these capabilities, Azure Defender for Storage now also alerts customers when it detects malicious activities such as:

Upload of potential malware (using hash reputation analysis)
Phishing campaigns




More customers than ever are shopping from home in the current health environment, and companies are responding by rapidly deploying cloud-based e-commerce solutions. Azure is helping these companies meet their customers’ needs with robust, customizable, and scalable e-commerce solutions that process transactions quickly and securely. 

Security is paramount for both e-commerce providers and customers, and we are always working to make Azure as secure as possible. 

Today we’re announcing that Azure is one of the first hyperscale cloud service providers to achieve Payment Card Industry Three-Domain Secure (PCI 3DS) certification. 

Azure retained a qualified 3DS Assessor Company to conduct an assessment of Azure’s PCI 3-D Secure Environment (3DE) in accordance with the PCI 3DS Core Security Standard. The PCI 3DS Core Security provides a framework for implementing security controls that support the integrity and confidentiality of card-not-present transactions using the EMV 3-D Secure (3DS) messaging protocol. EMV 3DS provides an additional layer of security for card-not-present transactions by enabling cardholders to authenticate to their card issuers before making online transactions. 

The Azure cloud platform offers various product offerings that may be used by customers to support their own PCI 3DS payment solutions. Although the Azure cloud platform does not manage




As the Azure engineering team continues to deliver a rapid pace of innovation for defense customers, we’re also continuing to support Department of Defense (DoD) customers and partners in delivering new capabilities to serve mission needs.

In many cases, accelerating mission workloads means forging a faster and more secure way for teams to build, ship, and authorize new applications. For the broad range of suppliers providing goods and services to the DoD, including the Defense Industrial Base (DIB), this also means navigating evolving compliance requirements.

Navigating the new Cybersecurity Maturity Model Certification (CMMC) from the DoD is one imminent challenge for customers and partners in the defense ecosystem. Our CMMC Acceleration Program is designed to help DIB customers both achieve a higher level of sustained cybersecurity and prepare for assessments. In addition, we’re delivering a host of new services at DoD Impact Level 5 and a range of partner programs to address the varied needs of our customers and partners from every angle.

Extensive IaaS and PaaS capabilities at DoD IL5

Mission owners choosing Azure Government can now access an even broader range of IaaS and PaaS capabilities to drive initiatives forward using the 120 Azure Government services now




Resources hosted on Azure App Service are a prime target, as attackers are constantly on the lookout for vulnerabilities in web applications. Dormant domains are a permanent entry on the checklist of both opportunistic and targeted attackers. To reduce the potential attack surface, Azure App Service enforces domain verification when binding a custom domain to an App Service resource.

In this blog, we discuss how Azure Defender for App Service identifies any Domain Name System (DNS) entries remaining in your DNS registrar when an App Service website is decommissioned—these are known as dangling DNS entries. When you remove a website but do not remove its custom domain from your DNS registrar, the DNS entry points at a non-existent resource and your subdomain is vulnerable to a takeover. We recommend that you implement processes to prevent dangling DNS entries and subdomain takeovers.

General introduction: Dangling DNS

Dangling DNS starts when a custom DNS record in your domain’s DNS zone is mapped, via a CNAME record, to an Azure resource that is no longer provisioned, leaving the associated domain “dangling”. This dangling DNS entry, also known as a dangling domain, leaves the domain vulnerable to a malicious action known as a subdomain takeover.




This blog post was co-authored by Anupam Vij, Principal PM Manager & Syed Pasha, Principal Network Engineer, Azure Networking.

2020 was a year unlike any other. It brought major disruptions to both the physical and digital worlds, and these changes are also evident in the cyberthreat landscape. The prevalence of Distributed Denial-of-Service (DDoS) attacks in 2020 has grown more than 50 percent with increasing complexity and a significant increase in the volume of DDoS traffic.

With the COVID-19 pandemic, billions of people across the world have been confined to their home environments, working, learning, and even socializing remotely, and internet traffic has exploded. Now, DDoS attacks are one of the largest security concerns: the surges in internet traffic make it easier for attackers to launch DDoS attacks since they don’t have to generate as much traffic to bring down services. Cybercriminals can exploit huge traffic streams to launch DDoS attacks, which makes it harder to distinguish between legitimate and malicious traffic.

At Microsoft, the Azure DDoS Protection team protects every property in Microsoft and the entire Azure infrastructure. This past year, we continued to defend against DDoS attacks in the face of an ever-evolving cyber landscape and unprecedented challenges.




Healthcare solutions offered in the cloud are drawing unprecedented attention today with the ongoing global pandemic and the accompanying need for social distancing. Microsoft has been at the forefront of empowering health organizations to leverage the power of the cloud.

Protecting health information and complying with health regulations are critical components of any healthcare solution in the cloud, and Azure has long had a rich set of healthcare compliance offerings, including HDS, HIPAA, MARS-E, NEN 7510, and the increasingly important HITRUST CSF—a certifiable framework that provides organizations with a comprehensive and efficient approach to regulatory compliance and risk management.

Today we’re announcing with the Healthcare Information Trust Alliance (HITRUST) the availability to our customers of the HITRUST Shared Responsibility Matrix, which provides clarity on roles and responsibilities for implementing solutions in Azure that meet the rigorous HITRUST standard for protecting sensitive health data.

In collaboration with privacy, information security, and risk management leaders from the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management frameworks, related assessment, and assurance methodologies.

The HITRUST CSF provides the structure, transparency, guidance, and cross-references to authoritative sources organizations globally need to be




In Azure, your data is your data. Not only is it protected at rest and in transit, but Microsoft Azure extends that protection while in use with confidential computing.

Azure was the first major public cloud to deliver confidential computing which opened up new levels of privacy and innovation for our customers. Today customers in finance, government, healthcare, and telecom use Azure to detect fraud, improve communications privacy, secure blockchain, deliver multi-party machine learning, and enable secure key management.

Azure now has the broadest portfolio of confidential computing options including confidential virtual machines, confidential containers, confidential machine learning, confidential IoT edge devices, and soon confidential capabilities within Azure SQL.

Today, we are announcing that Azure will be an early adopter of the 3rd generation Intel® Xeon® Platform, codenamed Ice Lake, which includes full memory encryption and accelerated cryptographic performance for confidential computing with Intel Software Guard Extensions (SGX). Available next year, this technology will unlock even more confidential computing scenarios for our customers.

Beyond the hardware security protections, Microsoft Azure Attestation (MAA) further improves security by enabling customers to remotely attest to the authenticity of the SGX enclave at the hardware level, ensures the latest security patches




In the last six months, COVID-19 has changed almost everything about the way we approach work and security. Now, you have to meet the needs of a remote workforce, support rapidly evolving business requirements, and steer your organization to the next normal – even without actually knowing what that normal will entail. At the same time, cybersecurity is more crucial than ever, as bad actors exploit the opportunity to prey on fears and weaknesses.

On the surface, all of this may seem intimidating. But with this kind of dramatic change also comes the opportunity to evolve. We know that the “new normal” now requires you to address a higher volume of security work than ever, all while remaining agile and reducing costs. How do you do that? By having a razor-sharp focus on what’s important. That’s why Microsoft Azure is here to empower you with cloud-native tools that give you the breadth of coverage you need to defend against bad actors, alongside built-in AI to help you focus your attentions on the biggest threats and most critical priorities.

Today, we’re pleased to announce a broad set of innovations to help you protect multicloud and Azure workloads including: