Security in Microsoft Cloud for Healthcare

Microsoft Azure, Microsoft Dynamics 365, Microsoft 365, and Microsoft Power Platform are subscription-based online services hosted by Microsoft Corporation within Microsoft-managed datacenters. These online services are designed to provide the performance, scalability, security, management capabilities, and service levels required for the mission-critical applications and systems used by business organizations.

At Microsoft, trust is a focal point for service delivery, contractual commitments, and industry accreditation, which is why we embraced the Trusted Cloud initiative. The Trusted Cloud Initiative is a program of the Cloud Security Alliance (CSA) industry group created to help cloud service providers develop industry-recommended, secure, and interoperable identity, access, and compliance management configurations and practices. This set of requirements, guidelines, and controlled processes ensures we deliver our cloud services with the highest standards of engineering, legal, and compliance support. Our focus is on maintaining data integrity in the cloud, which is governed by the following three key principles:

Security, Privacy, and Compliance.

Visit the Trust Center to learn more.

Microsoft's approach to securing our customers' information involves a security control framework of technologies, operational procedures, and policies that meet the latest global standards and can quickly adapt to security trends and industry-specific needs. Additionally, we provide a set of customer-managed tools that adapt to the organization and its security needs. The Security & Compliance Center can track user and administrator activities, malware threats, data loss incidents, and more. The Reports dashboard provides up-to-date reports on the security and compliance features in use in the organization. Microsoft Azure Active Directory (Azure AD) reports can be used to stay informed about unusual or suspicious sign-in activity.

Our security policy defines the information security rules and requirements for the service environment. Microsoft performs periodic information security management system (ISMS) reviews and results are reviewed with management. This process involves monitoring ongoing effectiveness and improvement of the ISMS control environment by reviewing security issues, audit results, and monitoring status, and by planning and tracking necessary corrective actions.

These controls include:

  • Physical and logical network boundaries with strictly enforced change control policies
  • Segregation of duties requiring a business need to access an environment
  • Highly restricted physical and logical access to the cloud environment
  • Strict controls based on Security Development Lifecycle (SDL) and Operational Security Assurance (OSA) that define coding practices, quality testing, and code promotion
  • Ongoing security, privacy, and secure coding practices awareness and training
  • Continuous logging and audit of system access
  • Regular compliance audits to ensure control effectiveness

To help combat emerging and evolving threats, Microsoft employs an innovative "assume breach" strategy and uses highly specialized groups of security experts, known as the Red Team, to strengthen threat detection, response, and defense for its enterprise cloud services. Microsoft uses Red Teaming and live site testing against Microsoft-managed cloud infrastructure to simulate real-world breaches, conduct continuous security monitoring, and practice security incident response to validate and improve the security of online services.

The security team carries out frequent internal and external scans to identify vulnerabilities and assess the effectiveness of the patch management process. Services are scanned for known vulnerabilities; new services are added to the next timed quarterly scan, based on their date of inclusion, and follow a quarterly scanning schedule thereafter. These scans are used to ensure compliance with baseline configuration templates, validate that relevant patches are installed, and identify vulnerabilities. The scanning reports are reviewed by appropriate personnel and remediation efforts are promptly conducted.

All unused IO ports on edge production servers are disabled by operating system-level configurations that are defined in the baseline security configuration. Continuous configuration verification checks are enabled to detect drift in the operating system-level configurations. In addition, intrusion detection switches are enabled to detect physical access to a server.

Microsoft has established procedures to investigate and respond in a timely manner to malicious events detected by its monitoring system.

Microsoft employs the principles of separation of duties and least privilege throughout Microsoft operations. Access to customer data by Microsoft support personnel requires the customer’s explicit permission and is granted on a “just-in-time” basis that is logged and audited, then revoked after completion of the engagement. Within Microsoft, operations engineers and support personnel who access its production systems use hardened workstation PCs with virtual machines (VMs) provisioned on them for internal corporate network access and applications (such as email, intranet, and so on). All management workstation computers have Trusted Platform Modules (TPMs), the host boot drives are encrypted with BitLocker, and they are joined to a special organizational unit (OU) in the primary Microsoft corporate domain.

System hardening is enforced through Group Policy, with centralized software updating. For auditing and analysis, event logs (such as Security and AppLocker logs) are collected from management workstations and saved to a central location. In addition, dedicated jump boxes on the Microsoft network that require two-factor authentication are used to connect to the production network.

Microsoft focuses on:

  1. Platform security
     1. Infrastructure and processes of our datacenters.
     2. Strong encryption technologies (at rest and in transit).
  2. Secure access and sharing
     1. Restrict access to information based on approved people, devices, apps, locations, and data classification.
     2. Enforce who can share information and with whom.
  3. Awareness and insights
     1. Complete understanding of how individuals are using SharePoint and OneDrive.
     2. Analyze usage to measure return on investment.
     3. Identify potentially suspicious activity.
  4. Information governance
     1. Classify what constitutes sensitive data and enforce how it can be used.
     2. Protection in the event of litigation.
     3. Retain business-critical files when people leave your organization.
  5. Compliance and trust
     1. Ensure that service operations are secure, compliant, trustworthy, and transparent.