3. Physical datacenter security

Perimeter
• Front entrance gate
• 1 defined access point
• Perimeter fencing
• No building signage
• 24x7x365 security operations
• Video coverage
• Ongoing roaming patrols

Building
• Two-factor authentication with biometrics
• Verified single person entry
• Video coverage
• Ongoing roaming patrols

Server environment
• Two-factor authentication with biometrics
• Employee & contractor vetting
• Metal detectors
• Video coverage, rack front & back
• Inability to identify location of specific customer data
• Secure destruction bins
• Ongoing roaming patrols

Access process: access approval, background check, system check
4. Protect customer data

Secure foundation
Data and network segregation. DDoS protection at the edge. Platform segregation. Confidential computing.

Secure hardware
Custom-built hardware with integrated security and attestation.

Continuous testing
War game exercises by Microsoft teams, vulnerability scanning and continuous monitoring.

Diagram labels: Customer 1, Customer 2 (separate customer workloads on the shared secure foundation)
5. Infrastructure security

Protection at the edge
• OneDDoS protects the edge with cloud-scale filtering and DDoS mitigation
• Edge layer protections screen unwanted traffic
• Encryption for data in transit
• Global load balancing improves resilience

IP and isolation controls
• Traffic between regions encrypted by default
• IP and protocol controls for endpoints
• Traffic isolation via site-to-site VPN or Azure ExpressRoute

Diagram labels: Azure Virtual Network Isolation, Endpoint Restrictions, OneDDoS
6. Operational security
• No standing access to production servers and services; Just-In-Time elevation required
• Multi-factor authentication required for admin actions
• "Secure Workstations" required to access production
• Access requests are audited, logged and monitored
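The four controls on this slide are only meaningful if someone checks the audit trail against them. The following is an added example, not code from the deck or from Microsoft: a small Python audit that replays constructed admin-action records against constructed JIT elevation approvals and flags any action that ran outside an approved elevation window, without MFA, or from a workstation that is not on the secure-workstation list. The record fields, user names and workstation names are all assumptions made for the example.

```python
"""Audit admin actions against JIT elevation, MFA and secure-workstation rules.

Constructed sample data; the field layout is an assumption for this example and does not
mirror any particular Azure log format.
"""
from datetime import datetime, timedelta

# Constructed JIT elevation requests: who asked for which role, for what window, and the decision.
ELEVATIONS = [
    {"user": "alice", "role": "prod-admin", "start": datetime(2024, 5, 1, 9, 0),
     "duration": timedelta(hours=2), "approved": True},
    {"user": "bob", "role": "prod-admin", "start": datetime(2024, 5, 1, 13, 0),
     "duration": timedelta(hours=1), "approved": False},   # requested but denied
]

# Constructed secure-workstation inventory and admin-action log.
SECURE_WORKSTATIONS = {"saw-01", "saw-02"}
ACTIONS = [
    {"id": 1, "user": "alice", "role": "prod-admin", "time": datetime(2024, 5, 1, 9, 30),
     "mfa": True, "workstation": "saw-01"},      # compliant
    {"id": 2, "user": "alice", "role": "prod-admin", "time": datetime(2024, 5, 1, 12, 0),
     "mfa": True, "workstation": "saw-01"},      # elevation expired: standing access in effect
    {"id": 3, "user": "bob", "role": "prod-admin", "time": datetime(2024, 5, 1, 13, 15),
     "mfa": True, "workstation": "saw-02"},      # elevation was denied
    {"id": 4, "user": "alice", "role": "prod-admin", "time": datetime(2024, 5, 1, 10, 0),
     "mfa": False, "workstation": "laptop-7"},   # no MFA and an unmanaged workstation
]


def has_active_elevation(action, elevations):
    """True if an approved elevation for the same user and role covers the action time."""
    for e in elevations:
        if e["user"] == action["user"] and e["role"] == action["role"] and e["approved"]:
            if e["start"] <= action["time"] < e["start"] + e["duration"]:
                return True
    return False


def audit(actions=ACTIONS, elevations=ELEVATIONS, secure=SECURE_WORKSTATIONS):
    """Return {action_id: [reasons]} for every action that violates at least one control."""
    findings = {}
    for a in actions:
        reasons = []
        if not has_active_elevation(a, elevations):
            reasons.append("no approved JIT elevation covering this action")
        if not a["mfa"]:
            reasons.append("admin action without MFA")
        if a["workstation"] not in secure:
            reasons.append("not from a secure workstation")
        if reasons:
            findings[a["id"]] = reasons
    return findings


if __name__ == "__main__":
    for action_id, reasons in audit().items():
        print(f"action {action_id}: " + "; ".join(reasons))
```

Run as a script it prints one line per non-compliant action; in a SIEM the same three checks become alert rules, with the expired-elevation case (action 2) being the one that catches standing access creeping back in.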
8. Built-in controls | Data protection (virtual machines, applications, storage & databases)

Enable built-in encryption across resources
• Azure Storage Service Encryption
• Azure Disk Encryption
• SQL TDE / Always Encrypted

Encrypt data while in use
• Azure confidential computing

Use delegated access to storage objects
• Shared Access Signature enables more granular access control

Use a key management system
• Keep keys in a hardware HSM; don't store keys in apps or GitHub
• Use one Key Vault per security boundary, per app and per region
• Monitor and audit key usage; pipe the information into a SIEM for analysis and threat detection
• Use Key Vault to enroll and automatically renew certificates
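What makes a Shared Access Signature "more granular" than handing out the account key is that the grant itself (resource, permission set, expiry) is signed by a key the caller never sees. The block below is an added example, not Azure's SAS format and not the Azure SDK: a simplified token scheme with the same ingredients, so the reader can see why a read-only, short-lived token cannot be upgraded or reused elsewhere. The field names, the string-to-sign layout and the in-memory key are assumptions for the example; in a deployment the signing key would sit in the key-management system (Key Vault, per the slide), not in application code.

```python
"""Delegated, scoped, time-limited access tokens in the style of a shared access signature.

Simplified illustration (not the Azure SAS wire format): the issuing service signs
resource + permissions + expiry with HMAC-SHA256 under a key only it holds, and every
request is checked against that signature before the permission is honoured.
"""
import hashlib
import hmac
import os
import time

# Stand-in for a key held by the key-management system; generated per process here.
ISSUER_KEY = os.urandom(32)


def _string_to_sign(resource, permissions, expiry):
    """Canonical newline-separated fields so the signature binds the whole grant."""
    return f"{resource}\n{''.join(sorted(permissions))}\n{int(expiry)}"


def _sign(key, resource, permissions, expiry):
    msg = _string_to_sign(resource, permissions, expiry).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(resource, permissions, ttl_seconds, key=ISSUER_KEY, now=None):
    """Grant `permissions` (any of 'r', 'w', 'd') on one resource until now + ttl_seconds."""
    now = time.time() if now is None else now
    expiry = int(now + ttl_seconds)
    perms = "".join(sorted(permissions))
    return {"resource": resource, "permissions": perms, "expiry": expiry,
            "sig": _sign(key, resource, perms, expiry)}


def authorize(token, resource, action, key=ISSUER_KEY, now=None):
    """True only if the token is genuine, unexpired, for this resource, and grants `action`."""
    now = time.time() if now is None else now
    expected = _sign(key, token["resource"], token["permissions"], token["expiry"])
    if not hmac.compare_digest(expected, token["sig"]):
        return False            # any edited field (or a different key) breaks the signature
    if now >= token["expiry"]:
        return False            # expired grants are refused even if otherwise valid
    if token["resource"] != resource:
        return False            # a token for one object does not open another
    return action in token["permissions"]


if __name__ == "__main__":
    tok = issue_token("reports/q1.csv", "r", ttl_seconds=600)
    print("read allowed:", authorize(tok, "reports/q1.csv", "r"))   # True
    print("write allowed:", authorize(tok, "reports/q1.csv", "w"))  # False
```

The checks run in a fixed order (signature, expiry, resource, permission) so that a tampered token is rejected before any of its claimed fields are trusted; `hmac.compare_digest` avoids leaking signature bytes through timing.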
9. Built-in controls | Threat protection: Azure Security Center with advanced analytics for threat detection (virtual machines, applications, storage & databases, network)

Mitigate potential vulnerabilities proactively
• Ensure VMs are up to date with relevant security patches
• Enable host anti-malware

Reduce the attack surface
• Enable just-in-time access to management ports
• Configure application whitelisting to prevent malware execution

Detect threats early and respond faster
• Use actionable alerts and incidents
• Interactive investigation tool and playbooks to orchestrate responses
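The "IP and protocol controls for endpoints" point on slide 5 and the "just-in-time access to management ports" point on this slide describe the same gap from two sides: a permanent allow rule for SSH or RDP from any Internet source is what JIT access exists to remove. The block below is an added example, not Security Center's own logic and not the Azure SDK: a simplified evaluator over a constructed set of NSG-style inbound rules (lower priority number wins, first match decides) that reports which management ports are permanently open to everyone and which rule opens them. The rule records, names and address ranges are constructed for the example.

```python
"""Find management ports that NSG-style inbound rules leave permanently open to the Internet.

Simplified model (assumption for this example): rules are evaluated in ascending priority,
the first rule matching the port decides, and only rules whose source means "anyone"
count as Internet exposure. Rules scoped to a specific CIDR are skipped for that reason.
"""
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}   # source values that mean "anyone"

# Constructed rules; field names mirror NSG rules but the data is made up for this example.
RULES = [
    {"name": "allow-ssh-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "*", "dest_ports": "22"},
    {"name": "allow-rdp-office", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "203.0.113.0/24", "dest_ports": "3389"},
    {"name": "allow-web", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "Internet", "dest_ports": "80,443"},
    {"name": "DenyAllInBound", "priority": 65000, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "source": "*", "dest_ports": "*"},
]


def _port_matches(spec, port):
    """spec is '*', a single port, a range 'lo-hi', or a comma-separated list of those."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def effective_rule(rules, port):
    """First inbound rule (by priority) that applies to TCP traffic on `port` from any Internet source."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"), key=lambda r: r["priority"])
    for r in inbound:
        if r["protocol"] not in ("*", "Tcp"):
            continue
        if r["source"] not in INTERNET_SOURCES:
            continue    # scoped to a specific source; does not expose the port to everyone
        if _port_matches(r["dest_ports"], port):
            return r
    return None         # nothing matched; real NSGs then fall through to their default rules


def exposed_management_ports(rules=RULES):
    """Map each management port permanently open to the Internet to the rule that opens it."""
    exposed = {}
    for port in MANAGEMENT_PORTS:
        rule = effective_rule(rules, port)
        if rule is not None and rule["access"] == "Allow":
            exposed[port] = rule["name"]
    return exposed


if __name__ == "__main__":
    for port, name in exposed_management_ports().items():
        print(f"{MANAGEMENT_PORTS[port]} (port {port}) is open to the Internet by rule '{name}'")
```

In the constructed set only SSH is flagged: the RDP rule is limited to one office range and the catch-all deny covers everything else. The remediation the slide points at is to drop `allow-ssh-any` and let JIT open the port for an approved requester and a bounded window.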