socilogica utilizes both cloud and physical servers in our infrastructure. Our cloud is provisioned by Microsoft Azure. The infrastructure comprises a large global portfolio of more than 100 datacenters, 1 million servers, content distribution networks, edge computing nodes, and fiber optic networks. This portfolio is built and managed by a team of experts working 24x7x365 to support services for more than 1 billion customers.
We value your data, and we work hard to protect it. We store it on multiple hosts in multiple locations and back it up regularly. Client data is stored on our Azure cloud servers. Azure adheres to a rigorous set of security controls that govern operations and support. Microsoft deploys combinations of preventive, defensive, and reactive controls including the following mechanisms to help protect against unauthorized developer and/or administrative activity:
• Tight access controls on sensitive data, including a requirement for two-factor smartcard-based authentication to perform sensitive operations.
• Combinations of controls that enhance independent detection of malicious activity.
• Multiple levels of monitoring, logging, and reporting.
• Additionally, Microsoft conducts background verification checks of certain operations personnel and limits access to applications, systems, and network infrastructure in proportion to the level of background verification.
Assume breach. One key operational best practice that Microsoft uses to harden its cloud services is known as the “assume breach” strategy. A dedicated “red team” of software security experts simulates real-world attacks at the network, platform, and application layers, testing Azure’s ability to detect, protect against, and recover from breaches. By constantly challenging the security capabilities of the service, Microsoft can stay ahead of emerging threats.
Incident management and response
Microsoft has a global, 24x7 incident response service that works to mitigate the effects of attacks and malicious activity. The incident response team follows established procedures for incident management, communication, and recovery, and uses discoverable and predictable interfaces with internal and external partners alike. In the event of a security incident, the security team follows these five phases:
• Identification: If an event indicates a security issue, the incident is assigned a severity classification and appropriately escalated within Microsoft.
• Containment: The immediate priority of the escalation team is to ensure the incident is contained and data is safe.
• Eradication: After the situation is contained, the escalation team moves toward eradicating any damage caused by the security incident and identifies the root cause of the security issue.
• Recovery: Software or configuration updates are applied to the system and services are returned to full working capacity.
• Lessons Learned: Each security incident is analyzed to ensure the appropriate mitigations are applied to protect against future recurrence.
Azure infrastructure includes hardware, software, networks, administrative and operations staff, and the physical data centers that house it all. Azure addresses security risks across its infrastructure.
Physical security. Azure runs in geographically distributed Microsoft facilities, sharing space and utilities with other Microsoft Online Services. Each facility is designed to run 24x7x365 and employs various measures to help protect operations from power failure, physical intrusion, and network outages. These datacenters comply with industry standards (such as ISO 27001) for physical security and availability. They are managed, monitored, and administered by Microsoft operations personnel.
Monitoring and logging. Centralized monitoring, correlation, and analysis systems manage the large amount of information generated by devices within the Azure environment, providing continuous visibility and timely alerts to the teams that manage the service. Additional monitoring, logging, and reporting capabilities provide visibility to customers.
Security update management helps protect systems from known vulnerabilities. Azure uses integrated deployment systems to manage the distribution and installation of security updates for Microsoft software. Azure uses a combination of Microsoft and third-party scanning tools to run OS, web application, and database scans of the Azure environment.
Antivirus and antimalware
Azure software components must go through a virus scan prior to deployment. Code is not moved to production without a clean and successful virus scan. In addition, Microsoft provides native antimalware on all Azure VMs. Microsoft recommends that customers run some form of antimalware or antivirus on all virtual machines (VMs). Customers can install Microsoft Antimalware for Cloud Services and Virtual Machines or another antivirus solution on VMs, and VMs can be routinely reimaged to clean out intrusions that may have gone undetected.
Microsoft conducts regular penetration testing to improve Azure security controls and processes. Microsoft understands that security assessment is also an important part of socilogica’s application development and deployment. Therefore, Microsoft has established a policy under which customers such as socilogica may carry out authorized penetration testing on their own, and only their own, applications hosted in Azure.
Azure has a defense system against Distributed Denial-of-Service (DDoS) attacks on Azure platform services. It uses standard detection and mitigation techniques. Azure’s DDoS defense system is designed to withstand attacks generated from outside and inside the platform.
Azure networking provides the infrastructure necessary to securely connect VMs to one another and to connect on-premises data centers with Azure VMs. Because Azure’s shared infrastructure hosts hundreds of millions of active VMs, protecting the security and confidentiality of network traffic is critical.
In the traditional datacenter model, a company’s IT organization controls networked systems, including physical access to networking equipment. In the cloud service model, the responsibilities for network protection and management are shared between the cloud provider and the customer. Customers do not have physical access, but they implement the logical equivalent within their cloud environment through tools such as Guest operating system (OS) firewalls, Virtual Network Gateway configuration, and Virtual Private Networks.
Azure is a multitenant service, meaning that multiple customers’ deployments and VMs are stored on the same physical hardware. Azure uses logical isolation to segregate each customer’s data from that of others. This provides the scale and economic benefits of multitenant services while rigorously preventing customers from accessing one another’s data.
socilogica can assign multiple deployments to a virtual network and allow those deployments to communicate with each other through private IP addresses. Each virtual network is isolated from other virtual networks.
Built-in cryptographic technology enables socilogica to encrypt communications within and between deployments, between Azure regions, and from Azure to on-premises data centers.
Azure allows socilogica to encrypt data and manage keys, and safeguards customer data for applications, platform, system and storage using three specific methods: encryption, segregation, and destruction.
Protecting data in transit
Azure protects data in transit, such as between two virtual networks. Azure uses industry standard transport protocols such as TLS between devices and Microsoft datacenters, and within datacenters themselves.
Certain sensitive data is encrypted in transit to align with best practices for protecting confidentiality and data integrity.
socilogica, or its clients at their request, may opt for in-country storage for compliance or latency reasons, or for out-of-country storage for security or disaster-recovery purposes. Data may be replicated within a selected geographic area for redundancy.
When socilogica deletes customer data or leaves Azure, Microsoft follows strict standards for overwriting storage resources before reuse. As part of our agreements for cloud services such as Azure Storage, Azure VMs, and Azure Active Directory, Microsoft contractually commits to specific processes for the deletion of data.
socilogica uses third-party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run socilogica products. Although socilogica owns the code, databases, and all rights to the socilogica application, you retain all rights to your data.
How to Contact socilogica about Security Questions