15 September 2022
A few words about the reliability of Azure
After discussing how data centers work, I would like to add a few words about ensuring reliability and security within teams working at cloud vendors. I have some experience working for a cloud provider, and below I will list a few points that are mandatory for any cloud vendor's employees to follow.

In general, requirements for reliability and security can be divided into two parts:

  1. Requirements for the teams working on the cloud services themselves
  2. Requirements set by security departments and government agencies

If we are talking about employees, the main goal here is to minimize the "human factor" that leads to incidents in both information security and technical areas.

Requirements for data center employees are more stringent: to reduce the possibility of human error, ideally every step and action should be regulated. Requirements for ordinary developers and managers working on a particular cloud service are much softer, since their main task is to write code and manage products, and are mainly aimed at eliminating human carelessness that can cause problems.

Here is a list of what was required from the cloud vendor's developers when I worked there:

  1. All access unrelated to immediate work is closed (least privilege).
  2. Take with you or destroy all paper records, and erase everything written on boards in meeting rooms.
  3. Lock the computer when it is not in use.
  4. Mandatory regular information security courses and subsequent certification.
  5. Regular audits of code and processes by "external" people.

To this you can add a motto that any cloud employee should be able to recite by heart even if woken up in the middle of the night:

The security of user data comes first!

Only the last two points are debatable; everything else must be unconditionally implemented in any self-respecting company. Information security courses and audits are more typical for large companies.

The second part is what is usually called compliance, which is more or less the responsibility of the information security department in any company.

  1. Certification of the company's processes for compliance
  2. Analysis and monitoring of threats and response to them (in all intents)
  3. Tracking updates of the software used by company employees
  4. Training and examination of employees

These lists, of course, are far from complete, because there is no limit to perfection and there are no limits in data security.

Finally, I would like to say a few words about certifications and audits.
Modern cloud technologies are "covered" by a large number of requirements that they must meet. Examples are the well-known ISO 27001 and GDPR.

Every single vendor strives to be certified against a multitude of global and regional standards. Microsoft Azure is no exception and has over 100 compliance certifications. If you do not believe it, you can count them yourself at this link:

https://learn.microsoft.com/en-us/azure/compliance/

In conclusion, I would like to say that ensuring the safety and reliability of processes comes at a huge cost, but there is no way around it. After all, all these standards are aimed at only one thing: ensuring the security and privacy of user data. And we have already found out that

User data security is at the forefront!