SOLVED

Azure Penetration Testing


Our firm has PaaS and IaaS resources deployed on Azure. We're undergoing a security audit by a prospective client who has asked how often Microsoft's security team conducts penetration tests of Azure systems and when the last test was performed. I have found various postings and white papers by Microsoft mentioning the internal penetration testing (https://technet.microsoft.com/en-us/security/mt346049.aspx, https://gallery.technet.microsoft.com/Cl...), but none that give specifics that would allow us to answer the audit team's questions. Where could we find answers to these questions?

Thanks.

2 Replies
best response confirmed by Michael Holste (Microsoft)
Solution

I would take a look at Microsoft Trust Center:

Here is a link to multiple Azure compliance audit reports, including latest pen test:

https://www.microsoft.com/en-us/trustcenter/guidance/risk-assessment?downloadDocument=nli&documentId...

Most recent penetration testing report is from early 2016 - I would like to see these produced more often (even in our on-premise solutions, we produce these quarterly).