- Physical security
- Physical security reviews
- Data bearing devices
- Equipment disposal
ER Express' data center is managed by Microsoft
- Microsoft designs, builds, and operates datacenters in a way that strictly controls physical access to the areas where your data is stored.
- Microsoft understands the importance of protecting your data, and is committed to helping secure the datacenters that contain your data.
- We have an entire division at Microsoft devoted to designing, building, and operating the physical facilities supporting Azure. This team is invested in maintaining state-of-the-art physical security.
- Microsoft takes a layered approach to physical security, to reduce the risk of unauthorized users gaining physical access to data and the datacenter resources.
- Datacenters managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. Layers of physical security are:
Access request and approval.
- You must request access prior to arriving at the datacenter. You're required to provide a valid business justification for your visit, such as compliance or auditing purposes. All requests are approved on a need-to-access basis by Microsoft employees.
- A need-to-access basis helps keep the number of individuals needed to complete a task in the datacenters to the bare minimum. After Microsoft grants permission, an individual only has access to the discrete area of the datacenter required, based on the approved business justification.
- Permissions are limited to a certain period of time, and then expire.
- When you arrive at a datacenter, you're required to go through a well-defined access point. Typically, tall fences made of steel and concrete encompass every inch of the perimeter.
- There are cameras around the datacenters, with a security team monitoring their videos at all times.
- The datacenter entrance is staffed with professional security officers who have undergone rigorous training and background checks.
- These security officers also routinely patrol the datacenter, and monitor the videos of cameras inside the datacenter at all times.
Inside the building.
- After you enter the building, you must pass two-factor authentication with biometrics to continue moving through the datacenter.
- If your identity is validated, you can enter only the portion of the datacenter that you have approved access to. You can stay there only for the duration of the time approved.
- You are only allowed onto the floor that you're approved to enter. You are required to pass a full body metal detection screening.
- To reduce the risk of unauthorized data entering or leaving the datacenter without our knowledge, only approved devices can make their way into the datacenter floor. Additionally, video cameras monitor the front and back of every server rack.
- When you exit the datacenter floor, you again must pass through full body metal detection screening. To leave the datacenter, you're required to pass through an additional security scan.
- Microsoft requires visitors to surrender badges upon departure from any Microsoft facility.
Physical security reviews
- Periodically, we conduct physical security reviews of the facilities, to ensure the datacenters properly address Azure security requirements.
- The datacenter hosting provider personnel do not provide Azure service management.
- Personnel can't sign in to Azure systems and don't have physical access to the Azure collocation room and cages.
Data bearing devices
- Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant.
- For hard drives that can’t be wiped, we use a destruction process that destroys it and renders the recovery of information impossible.
- This destruction process can be to disintegrate, shred, pulverize, or incinerate.
- We determine the means of disposal according to the asset type. We retain records of the destruction.
- Upon a system's end-of-life, Microsoft operational personnel follow rigorous data handling and hardware disposal procedures to assure that hardware containing your data is not made available to untrusted parties.
- We use a secure erase approach for hard drives that support it.
- For hard drives that can’t be wiped, we use a destruction process that destroys the drive and renders the recovery of information impossible.
- This destruction process can be to disintegrate, shred, pulverize, or incinerate. We determine the means of disposal according to the asset type.
- We retain records of the destruction. All Azure services use approved media storage and disposal management services.