| Industry | Cloud computing, Web services |
| Headquarters | Redmond, Washington, United States |
| Key people | Satya Nadella (CEO) |
| Products | IaaS, PaaS, DBaaS, DaaS |
| Revenue | $38.0 billion (2020, Q4) |
Microsoft Azure is a collection of public, private, hybrid, and multicloud cloud computing services offered by Microsoft, an American multinational information technology company. Microsoft Azure deploys to over 160 data centers in various locations around the world. More than 200 different products and services are associated with Microsoft Azure, representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, data analysis, container management, developer support, blockchain management, media management, internet of things, and artificial intelligence.
This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.
1. What experience do you have working with laboratory customers in our specific industry?
Known laboratories and related organizations leaning on Azure include the Association of Public Health Laboratories, Bio-Rad Laboratories, Northwest Nuclear Laboratories, and PathWest Laboratory Medicine WA. Additionally, laboratory informatics software developers like BtB Software, LLC, EarthSoft, Eusoft Srl, and TRIBVN Healthcare also turn to Microsoft Azure to host their software solutions. A Microsoft Azure representative is likely to be able to supply more examples of laboratories and laboratory informatics developers that use or have used Microsoft Azure.
2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?
It will ultimately be up to your organization to get an answer from Microsoft tailored to your systems and business processes. However, this much can be said about Microsoft Azure integrations: Microsoft provides a list of six tools for integrating applications, data, and processes (Azure Logic Apps, Service Bus, API Management, Event Grid, Azure Functions, and Azure Data Factory). These tools assist with workflow management, hybrid cloud connections, API management, service management, and event-driven process management. Consult the documentation for each to learn more.
3. What is the average total historical downtime for the service(s) we're interested in?
Some public information is made available about historic outages and downtime. Microsoft Azure has a systems status page with status history (you have to click on the "Azure status history" link at the top right). You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. A follow-up on this question with a Microsoft Azure representative may reveal more of the downtime history for the services you are interested in.
4. Do we receive comprehensive downtime support in the case of downtime?
Microsoft Azure does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with Microsoft Azure what downtime support they provide based on the services your organization is interested in.
5. Where are your servers located, and how is data securely transferred to and from those servers?
Microsoft Azure organizes its data centers into "geographies," which contain one or more regions. Some regions have availability zones, some don't. Those regions that don't have availability zones may use "availability sets," a logical grouping of virtual machines, to provide redundancy and availability. Azure uses its Content Delivery Network "for rapidly delivering high-bandwidth content to users by caching their content at strategically placed physical nodes across the world." When moving data to and from on-premises and Microsoft Azure systems, multiple transfer options exist, including physical transport (via Azure Import/Export or Azure Data Box), programmatic data transfer (via Azure CLI, AzCopy, PowerShell, etc.), or managed service transfer (via Azure Data Factory). As for the security of data in transit, Microsoft addresses this with various encryption mechanisms, including data-link layer encryption, TLS encryption, HTTPS, SMB encryption, SSH, etc. Consult the documentation or a representative for more information.
6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?
Microsoft Azure says this about physical security in relation to its personnel:
A need-to-access basis helps keep the number of individuals needed to complete a task in the datacenters to the bare minimum. After Microsoft grants permission, an individual only has access to the discrete area of the datacenter required, based on the approved business justification. Permissions are limited to a certain period of time, and then expire.
However, Microsoft doesn't publicly mention anything about the certifications and compliance training any of those personnel have. This is a conversation to have with a Microsoft Azure representative.
7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?
Not all Microsoft Azure machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data.
8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)
Microsoft Azure has moved past a paradigm of physical separation of data pools. In a Microsoft Policy Paper, the company argues that "multitenant environments meet the same standards as physically separated ones," while providing context to seven common security concerns raised by those wary of logical separation in the cloud. They add that "[s]uch concerns should, however, be considered in a larger context of balancing benefits and risks, e.g., comparing the competitiveness impact of not moving to the cloud with the risk of downtime should a cloud provider suffer an outage."
The concept of tenant isolation is addressed by Microsoft Azure in multiple documents. The primary documentation addresses the concepts and architecture behind Microsoft Azure's tenant isolation practices, while another lengthy document addresses the security aspects of tenancy isolation behind Microsoft Azure. Further technical details on how your data is segregated, if required, may be garnered in discussion with Microsoft Azure.
9. Do you have documented data security policies?
Microsoft Azure documents its security practices in several places:
- Azure security center
- Azure security documentation
- Azure security overview
- Introduction to Azure security
Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with a Microsoft Azure representative to obtain them.
10. How do you test your platform's security?
Customers can perform penetration testing of their own Azure-hosted applications without pre-approval, though they must still comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement. As for internal security testing, a 2014 blog post (along with a detailed whitepaper) indicates that Microsoft Azure security gets tested by its Red Team. That practice is presumably still active today, but confirm this with a Microsoft Azure representative.
11. What are your policies for security audits, intrusion detection, and intrusion reporting?
Audits: For customer security auditing, Microsoft states that "Azure provides a wide array of configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms." Internally, Microsoft Azure conducts auditing tasks of its own systems, for example with access control. "All access to customer data is strictly logged, and both Microsoft and third parties perform regular audits (as well as sample audits) to attest that any access is appropriate." It also references its SOC audits "twice a year to verify the effectiveness of its security controls in audit scope."
Intrusion detection and reporting: Microsoft Azure provides documentation to customers on its various threat protection services, including Azure Active Directory, Azure Monitor, and Azure Security Center. These options provide "a wide array of options to configure and customize security to meet the requirements of your app deployments." As for its own intrusion detection, Microsoft Azure leans on its Detection and Response Team (DART) to support its own intrusion detection and reporting needs. For more details on internal threat detection and reporting, discuss this with a representative.
12. What data logging information is kept and acted upon in relation to our data?
Microsoft Azure details its data definitions and gives examples of those categories of data, including a little information about what happens to that data. It appears to classify logs as part of service-generated data:
Microsoft aggregates this data from our online services and uses it to make sure performance, security, scaling, and other services that impact the customer experience are operating at the levels our customers require. For example, to understand how to ramp up data center capacity as a customer's use of Microsoft Teams increases, we process log data of their Teams usage. We then review the logs for peak times and decide which data centers to add to meet this capacity.
Be sure a Microsoft Azure representative provides additional details about what logging information they collect and use as it relates to your data.
13. How thorough are those logs and can we audit them on-demand?
Microsoft Azure users can view their own logs. However, it's unclear if you are able to audit internal Azure operation logs on-demand. This is a conversation to have with a representative.
14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?
15. What happens to our data should the contract expire or be terminated?
Per the Online Services Data Protection Addendum:
Except for free trials and LinkedIn services, Microsoft will retain Customer Data that remains stored in Online Services in a limited function account for 90 days after expiration or termination of Customer’s subscription so that Customer may extract the data. After the 90-day retention period ends, Microsoft will disable Customer’s account and delete the Customer Data and Personal Data within an additional 90 days, unless Microsoft is permitted or required by applicable law, or authorized under this DPA, to retain such data.
16. What happens to our data should you go out of business or suffer a catastrophic event?
It's not publicly clear how Microsoft Azure would handle your data should they go out of business; consult with a representative about this topic. As for catastrophic events, Microsoft Azure uses either availability zones or availability sets for ensuring data availability and redundancy. Those regions with availability zones typically have three. Regions that instead use availability sets have an undetermined number of them. In regions with availability zones, "[i]f one zone should fail, the [virtual machines] in the other zones will continue to run and Azure will load balance without impacting the customer’s applications." As for availability sets, "[i]f a hardware or software failure occurs, only a subset of your [virtual machines] are impacted and your overall solution stays operational." It's highly unlikely that all availability zones or sets would be affected in a catastrophic event. However, if this is a concern, discuss further data redundancy with a Microsoft Azure representative.
17. Can we use your interface to extract our data when we want, and in what format will it be?
Per the Online Services Data Protection Addendum, "[a]t all times during the term of Customer’s subscription, Customer will have the ability to access, extract, and delete Customer Data stored in each Online Service." However, the format of that data is not addressed. Discuss this topic with a Microsoft Azure representative.
18. Are your support services native or outsourced/offshored?
Managed security services
Microsoft Azure does not provide managed security services. However, Azure customers can utilize partnered "Azure Expert Managed Service Providers."
Documentation and other media
- Audit reports (requires log in)
- Azure compliance offerings whitepaper
- Azure data residency and protection whitepaper
- Azure integration services whitepaper
- Azure security documentation
- Disaster recovery documentation
- HIPAA compliance
- Microsoft Azure architecture framework or description
- Microsoft Azure Expert Managed Service Providers
- Microsoft Azure shared responsibility model
- Microsoft Azure trust center