Microsoft spells out Azure security liability

Microsoft has released an advisory detailing whether it or its customers are responsible for dealing with security breaches in its Azure cloud platform.

The list is detailed in a PDF entitled 'Shared Responsibilities for Cloud Computing'. When using the company's SaaS offering, Microsoft handles everything bar end-point security, user management and data classification.

PaaS customers also have to take care of clients, data, applications, identity and operating system security, while IaaS customers take responsibility for network controls, too. All on-premises IT remains the client's responsibility in all cases.

Microsoft will handle everything else, including servers, network hardware, and hypervisor issues. This means that Microsoft can clearly absolve itself of culpability for major security breaches if they occurred outside of its purview.

If an intrusion does happen on Microsoft's watch, however, the company has revealed that it may go so far as to take Azure offline in order to fix it.

The 'Microsoft Azure Security Response in the Cloud' whitepaper details how the company responds to potential breaches. The company follows a five-step process; detection of a potential threat, assessment of the threat's legitimacy and scope, diagnosis of the breach, stabilization and recovery to deal with the intrusion, and a final post-mortem, to identify and fix the initial flaw.

The whitepaper mentioned that during the course of the penultimate stage, "an emergency mitigation or containment step" may become necessary. Microsoft warned that "these actions may result in a temporary outage", but stated that "such decisions are not taken lightly."

It also assured customers that "when such an aggressive mitigation occurs, the standard processes for notifying customers of outages and recovery timelines would apply."