Azure VMware Solution addresses vulnerabilities in the infrastructure
At a high level, Azure VMware Solution is an Azure service, so it must follow the same policies and requirements as every other Azure service. Those policies and procedures require Azure VMware Solution to follow the Security Development Lifecycle (SDL) and to meet the regulatory requirements that Azure commits to.
Our approach to vulnerabilities
Azure VMware Solution takes an in-depth approach to vulnerability and risk management. We follow the SDL so that security is built in from the start, and that includes any third-party solutions the service depends on. Our services are assessed continuously through automated scanning and periodic manual reviews. We also work with third-party vendors on security hardening and receive early notification of vulnerabilities in their products.
Vulnerability management
- Engineering and security teams triage any signal of vulnerabilities.
- Details in the signal are adjudicated and assigned a Common Vulnerability Scoring System (CVSS) score and a risk rating that accounts for compensating controls within the service.
- The risk rating is measured against internal bug bars, internal policies, and applicable regulations to establish a timeline for implementing a fix.
- Internal engineering teams partner with the appropriate parties to qualify and roll out any fixes, patches, and other configuration updates that are needed.
- Communications are drafted when necessary and published according to the assigned risk rating.
Tip
Communications are surfaced through the Azure Service Health portal, the known issues page, or email.
Subset of regulations governing vulnerability and risk management
Azure VMware Solution is in scope for the following certifications and regulatory requirements. This isn't a complete list of the certifications that Azure VMware Solution holds; it lists only those with specific requirements around vulnerability management. Certifications that defer to another standard for this purpose are omitted. For example, certain regional certifications point to the ISO requirements for vulnerability management.
Note
You must be an active Microsoft customer to access the following audit reports hosted in the Service Trust Portal:
- ISO
- PCI: See the packages for DSS and 3DS for audit information.
- SOC
- NIST Cybersecurity Framework
- Cyber Essentials Plus