Connect with us

Hi, what are you looking for?


Cloud Security

Microsoft Details Security Responsibilities for Azure Cloud Customers

Microsoft Publishes White Papers on Incident Response and Shared Responsibility for Azure Cloud Customers

Microsoft Publishes White Papers on Incident Response and Shared Responsibility for Azure Cloud Customers

Incident response is a hot topic. The cloud is a hot topic. But how do you respond to incidents in the cloud for which you may have no knowledge? It’s a difficult issue that could cause problematic relations between enterprises and the big clouds like Microsoft Azure, Amazon Web Services (AWS) and Google.

Now Microsoft is setting the ground rules with two new documents: Shared Responsibilities for Cloud Computing, and Microsoft Azure Security Response in the Cloud.

The first specifies Microsoft’s view of its own responsibilities (and therefore, by omission, the enterprise CISO’s responsibilities); while the second gives an outline of how Microsoft will actually respond.

Microsoft believes that there is a fairly fundamental split in responsibility. The cloud provider is responsible for the physical aspects of the cloud IT infrastructure and the software that it provides. The customer is responsible for its own data.

Responsibility of Security for Azure: ChartMicrosoft summarizes this with, “The importance to of [sic] understanding this shared responsibility model is essential to customers moving to the cloud. Cloud providers provide considerable advantage for security and compliance efforts, but does not absolve the customer from protecting their users, applications, and service offerings.”

It sounds simple, but there will inevitably be problems. Forensic proof will become important. If a customer’s data is modified via a flaw in Microsoft software that Microsoft doesn’t recognize, there could be issues.

This is where the CISO needs to understand both documents – because there are some incidents that Microsoft will not report to the customer. For Azure, Microsoft defines a security incident as “illegal or unauthorized access that results in the loss, disclosure or alteration of Customer Data.” But it adds, “Microsoft Azure does not monitor for or respond to security incidents within the customer’s area of responsibility.”

Advertisement. Scroll to continue reading.

So, put very simply, if Microsoft does not recognize the incident as being within its own area of responsibility, it cannot be expected to tell you about it. This, in turn, means that every IaaS customer will still need its own incident response plan covering the entire sequence from detecting incidents, through containment, evaluation, disclosure and crisis management. And as every CISO knows, visibility into the cloud is not always 20/20.

Having suggested that Microsoft’s definition of its and its customers’ responsibilities could cause operational difficulties, the remainder of the Incident management document is informative and valuable. It first outlines the roles that should be involved in a response, and then describes the plan itself.

Seven separate roles are described. There should be more in an enterprise plan. The Microsoft roles stop with an Executive Incident Manager – but an enterprise role should continue with a Crisis Management Team (possibly brought in from outside) to handle relations with public and press.

The plan itself involves five stages: Detect, Assess, Diagnose, Stabilize, and Close. Again, a sixth stage for enterprises should include something we could describe as ‘Manage Fallout;’ that is, crisis management.

Microsoft operates a separate function called Customer Security Incident Notification. “The goal of the customer security incident notification process,” says Microsoft, “is to provide impacted customers with accurate, actionable, and timely notice when their customer data has been breached. Such notices may also be required to meet specific legal requirements.”

This appears to be a ‘breach disclosure’ to the enterprise customer, not a breach disclosure to regulatory authorities. Interestingly, this follows the data protection responsibility outlined in the new European laws. Microsoft is the data processor. The enterprise customer is the data controller. Primary responsibility will always fall on the data controller; that is, legally a cloud customer cannot pass responsibility to its cloud provider. That should be a basic understanding for all enterprises moving their infrastructures into the cloud.

Related: Security Challenges of SDN and Cloud: The Critical Role of Visibility

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...