|
| 1 | +--- |
| 2 | +title: Concepts - How AVS Addresses Vulnerabilities in the Infrastructure |
| 3 | +description: The process that AVS follows to address security vulnerabilities. |
| 4 | +ms.topic: conceptual |
| 5 | +ms.service: azure-vmware |
| 6 | +ms.date: 01/18/2024 |
| 7 | +ms.custom: engagement-fy24 |
| 8 | +--- |
| 9 | + |
| 10 | + |
| 11 | +# How AVS Addresses Vulnerabilities in the Infrastructure |
| 12 | + |
| 13 | +At a high level, Azure VMware Solution (AVS) is a Microsoft Azure service and therefore must follow all the same policies and requirements that Azure follows. Azure policies and procedures dictate that AVS must follow the [SDL](https://www.microsoft.com/securityengineering/sdl) and must meet several regulatory requirements as promised by Microsoft Azure. |
| 14 | + |
| 15 | +## Our approach to vulnerabilities |
| 16 | + |
| 17 | +AVS takes a defense in depth approach to vulnerability and risk management. We follow the [SDL](https://www.microsoft.com/securityengineering/sdl) to ensure we're building securely from the start, including any third party solutions, and our services are continually assessed through both automation and manual reviews on a regular basis. Additionally, we also partner with third party partners on security hardening and early notifications of vulnerabilities within their solutions. |
| 18 | + |
| 19 | +### Vulnerability management |
| 20 | + |
| 21 | +- Engineering and Security Teams triage any signal of vulnerabilities. |
| 22 | +- Details within the signal are adjudicated and assigned a CVSS score and risk rating according to compensating controls within the service. |
| 23 | +- The risk rating is used against internal bug bars, internal policies and regulations to establish a timeline for implementing a fix. |
| 24 | +- Internal engineering teams partner with appropriate parties to qualify and roll out any fixes, patches and other configuration updates necessary. |
| 25 | +- Communications are drafted and published according to the risk rating assigned. |
| 26 | + |
| 27 | +### Subset of regulations governing vulnerability and risk management |
| 28 | + |
| 29 | +AVS is in scope for the following certifications and regulatory requirements. The regulations listed aren't a complete list of certifications AVS holds, rather it's a list with specific requirements around vulnerability management. These regulations don't rely on other regulations for the same purpose. IE, certain regional certifications may point to ISO requirements for vulnerability management. |
| 30 | + |
| 31 | +>[!NOTE] |
| 32 | +>To access the following audit reports hosted in the Service Trust Portal, you must be an active Microsoft customer. |
| 33 | +
|
| 34 | +- [ISO](https://servicetrust.microsoft.com/DocumentPage/38a05a38-6181-432e-a5ec-aa86008c56c9) |
| 35 | +- [PCI](https://servicetrust.microsoft.com/viewpage/PCI) \- See the packages for DSS and 3DS for Audit Information. |
| 36 | +- [SOC](https://servicetrust.microsoft.com/DocumentPage/f9858c69-b9c4-4097-9d09-1b95d3f994eb) |
| 37 | +- [NIST Cybersecurity Framework](https://servicetrust.microsoft.com/DocumentPage/bc0f7af3-5be8-427b-ac37-b84b86b6cc6b) |
| 38 | +- [Cyber Essentials Plus](https://servicetrust.microsoft.com/DocumentPage/d2758787-1e65-4894-891d-c11194721102) |
| 39 | + |
| 40 | +## More information |
| 41 | +[Azure VMware Solution Security Recommendations](/azure/azure-vmware/concepts-security-recommendations) |
| 42 | + |
| 43 | +[Azure VMware Solution Security Baseline](/security/benchmark/azure/baselines/azure-vmware-solution-security-baseline?toc=%2Fazure%2Fazure-vmware%2Ftoc.json) |
| 44 | + |
| 45 | +[Microsoft Azure’s defense in depth approach to cloud vulnerabilities](https://azure.microsoft.com/blog/microsoft-azures-defense-in-depth-approach-to-cloud-vulnerabilities/) |
| 46 | + |
| 47 | +[Microsoft Azure Compliance Offerings](/azure/compliance/) |
| 48 | + |
| 49 | +[Azure Service Health Portal](/azure/service-health/service-health-portal-update) |
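Review bot: The last two sentences of line 29 contradict each other as written: "These regulations don't rely on other regulations for the same purpose" is immediately followed by an example of a regional certification pointing to ISO requirements, and "IE" should be "i.e.,". Consider rewording to something like "Regulations that defer to another standard for vulnerability management (for example, regional certifications that point to the ISO requirements) are not listed separately." Two smaller points in the same file: line 25 says communications are published according to the risk rating but never says where customers should look for them, while line 49 links the Azure Service Health Portal without connecting it to that step; stating the channel in the bullet would close that gap. Style nits: "third party" (lines 17) and "defense in depth" (line 17) are used attributively and should be hyphenated ("third-party", "defense-in-depth"), "Additionally, we also" is redundant, the `\-` on line 35 can be a plain hyphen, and the links under "## More information" (lines 41-49) would read more consistently as a bullet list with a blank line after the heading, matching the list style used earlier in the file.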