Both technological safeguards, such as encrypted communications, and operational processes help keep Customer Data secure. Customers also have the flexibility to add their own layer of encryption and to manage their own keys.
Data in transit.
Azure uses industry-standard transport protocols such as SSL and TLS between user devices and Microsoft data centers, and within the data centers themselves. Note that SSL and the early TLS versions (1.0 and 1.1) are deprecated; customers should configure their own endpoints to require TLS 1.2 or later. With virtual networks, customers can use the industry-standard IPsec protocol to encrypt traffic between their corporate VPN gateway and Azure. Encryption of traffic between a customer's own VMs and its end users is the customer's responsibility to enable and configure.
Data at rest.
Customers are responsible for ensuring that data stored in Azure is encrypted in accordance with their own standards. Azure offers a wide range of encryption capabilities, up to AES-256, so customers can choose the solution that best meets their needs. Options include .NET cryptographic services, Windows Server public key infrastructure (PKI) components, Microsoft StorSimple cloud-integrated storage, Active Directory Rights Management Services (AD RMS), and BitLocker for data import/export scenarios.
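The simplest way to meet the "encrypt to your own standard, hold your own keys" responsibility described above is client-side encryption: the data is sealed with a customer-held AES-256 key before it is ever handed to storage, so what lands in Azure is only ciphertext. The following Go program is an added example, not code from the original page or from Microsoft; the function names (NewCustomerKey, Seal, Open) and the sample record are constructed for illustration, and the key is generated locally in place of the HSM or key store a real deployment would use. It uses AES-256-GCM so that the blob's name is bound into the authentication tag and any tampering with the stored bytes is detected on read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is 32 bytes: AES-256, the upper bound the page mentions.
const keySize = 32

// Sealed is the only thing that is written to cloud storage: a fresh
// nonce and the authenticated ciphertext. The key never leaves the customer.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewCustomerKey generates a random 256-bit key. Hypothetical helper: in a
// real deployment the key would come from the customer's own HSM/key store.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM rejects anything that is not a 32-byte key so a caller cannot
// silently fall back to AES-128 by passing a shorter key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the customer key. aad (here the blob path)
// is authenticated but not encrypted, so a ciphertext copied to a different
// blob name will fail to open.
func Seal(key, plaintext, aad []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts and verifies; it returns an error on a wrong key, wrong aad,
// or any modification of nonce or ciphertext.
func Open(key []byte, s Sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, aad)
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the blob path doubles as the AAD.
	record := []byte("account=42;balance=100")
	blobPath := []byte("customer-container/records/0001")

	sealed, err := Seal(key, record, blobPath)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bytes sent to storage: %x\n", sealed.Ciphertext)

	// Simulate a bit flip in the stored blob and show it is rejected.
	sealed.Ciphertext[0] ^= 0x01
	if _, err := Open(key, sealed, blobPath); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Seal and Open are deliberately the only two entry points: everything the application writes to or reads from storage goes through them, which is what makes "encrypted in accordance with our standard" a property you can audit in code review rather than a policy statement.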
Azure is a multi-tenant service, meaning that multiple customers' deployments and virtual machines are stored on the same physical hardware. Azure uses logical isolation to segregate each customer's data from that of others. This provides the scale and economic benefits of multi-tenant services while rigorously preventing customers from accessing one another's data.
When customers delete data or leave Azure, Microsoft follows strict standards for overwriting storage resources before reuse, as well as for the physical destruction of decommissioned hardware.