Microsoft spells out Azure security liability


Microsoft has released an advisory detailing whether it or its customers are responsible for dealing with security breaches in its Azure cloud platform.

The list is detailed in a PDF entitled 'Shared Responsibilities for Cloud Computing'. When using the company's SaaS offering, Microsoft handles everything bar end-point security, user management and data classification.

PaaS customers also have to take care of clients, data, applications, identity and operating system security, while IaaS customers take responsibility for network controls, too. All on-premises IT remains the client's responsibility in all cases.

Microsoft will handle everything else, including servers, network hardware, and hypervisor issues. This means that Microsoft can clearly absolve itself of culpability for major security breaches if they occur outside its purview.

If an intrusion does happen on Microsoft's watch, however, the company has revealed that it may go so far as to take Azure offline in order to fix it.

The 'Microsoft Azure Security Response in the Cloud' whitepaper details how the company responds to potential breaches. The company follows a five-step process: detection of a potential threat, assessment of the threat's legitimacy and scope, diagnosis of the breach, stabilization and recovery to deal with the intrusion, and a final post-mortem to identify and fix the initial flaw.

The whitepaper mentioned that during the penultimate stage, stabilization and recovery, "an emergency mitigation or containment step" may become necessary. Microsoft warned that "these actions may result in a temporary outage", but stated that "such decisions are not taken lightly."

It also assured customers that "when such an aggressive mitigation occurs, the standard processes for notifying customers of outages and recovery timelines would apply."

Adam Shepherd
