Data protection and data security
During the configuration of the Azure environment at the University of Vienna, various organisational and technical measures were taken to guarantee a high level of data protection and data security. Nevertheless, users must be aware that Microsoft Azure is a public cloud and that the data therefore leaves the University of Vienna. Therefore, always check which data you process and/or store in Azure and for how long and for which purpose you do so.
Note
The ZID recommends to always use the services provided by the University of Vienna for the long-term storage of research data.
The information on this website was jointly provided by the Data protection officer of the University of Vienna and the IT Security team of the ZID. If you use Microsoft Azure, you acknowledge the following recommendations and commit to complying with these measures. In case of intentional violations, access to the service may be withdrawn with immediate effect.
Data protection
Please adhere to the Data Protection Guideline of the University of Vienna (login required).
Within the Azure environment of the University of Vienna, you have only access to Azure data centres located in the European Union which meet the high standard of data protection required by the GDPR. These are located in the regions of Northern Ireland (Ireland), Western Europe (Netherlands) and Sweden Central. Microsoft has announced the establishment of a cloud data centre region in Austria by 2024, which will then also be available. Microsoft is obliged to never process data outside the EU when an EU data centre is selected.
In addition to these measures, the following recommendations by the Data Protection Officer apply:
- When processing personal data as part of projects and research projects, please consult with the Data Protection Officer before using Microsoft Azure.
- Please process as few personal data as possible via Microsoft Azure.
- Data stored on Azure should be encrypted if technically possible.
If you have questions about data protection, you can contact the Data Protection Officer of the University of Vienna via a Servicedesk form.
In addition, the University of Vienna offers free webinars on data protection and cloud systems (in German) for employees at regular intervals.
Artificial intelligence
When using Microsoft products, it is possible that Microsoft is already using artificial intelligence (AI) to optimise the products. Of course, the University of Vienna also checks the data protection compliance of AI-supported products in this context.
In particular, only those products are made available to employees and/or students of the University of Vienna that the University of Vienna believes can be used in compliance with data protection regulations. In addition, the University of Vienna specifies Terms of Use (in German) for the use of AI-based products, which must be complied with.
You can find more information about Microsoft’s AI products on the Microsoft website:
- Azure OpenAI
- Speech Studio: text to speech, speech to text
Data security
The IT Security team emphasises that you are responsible for the security of the data you manage in Microsoft Azure. You must configure Azure resources in a way that guarantees the greatest possible data safety. For all services provided on the Azure platform, you have to take appropriate measures to sufficiently protect the data stored and processed in Azure.
The objective of your IT security measures is to guarantee the
- integrity;
- availability and
- confidentiality of data
in the best possible way.
The IT Security team of the University of Vienna is available to answer questions about data security via security.zid@univie.ac.at.
Fundamentals and principles
You have to adhere to the following key fundamentals and principles of data security when using Microsoft Azure:
- Least privilege principle: Permissions are granted in accordance with the least privilege principle. This means that administrators and users are granted only those permissions that are necessary for their activities. Make sure to immediately revoke permissions that are no longer needed, for example, when employees leave the University or when their tasks change.
- Password security: You have to comply with the password policy of the ZID. Passwords used for administrative tasks should be as long as possible and randomly generated. In this context, a randomly generated password based on at least 62 characters (a-z, A-Z, 0-9) and with a minimum length of 16 characters is considered sufficiently secure. The ZID recommends using a password manager such as KeePass, which stores passwords and randomly generates secure passwords. You must create and use a separate password for each service you use.
- Network security: Make sure that all your resources (such as servers, databases) that you need are protected by firewalls which filter the network traffic (especially incoming traffic and, if possible, also outgoing traffic). Azure Network Security Groups must be configured in accordance with the least privilege principle. Please note that the firewall of the University of Vienna (including the intrusive prevention system) does not filter the network traffic of your Azure resources.
- Patch management: You are responsible for the patch management of the resources you use. Make sure that security updates are completed in due time. Furthermore, the ZID recommends subscribing to the mailing lists of CERT.at. They provide immediate information about important security gaps that could also affect your cloud resources (servers, databases, etc.).
- Encryption: Store and transfer data (connection data and data at rest) in an encrypted way, whenever technically possible. The data should be encrypted on the client side (client-side administration of the keys). Alternatively, you can also use the encryption mechanisms available in Azure (administration of the keys by Microsoft). However, due to the functional principles of many Azure services, especially of software-as-a-service services, encrypting the data is often not possible. In these cases, please take particular care which data you upload to the cloud.
- Know-how: Obtain information about best practices regarding the configuration of your cloud resources, such as from the recommendations of the ZID on the use of cloud storage services or the security recommendations of Microsoft.
Security incidents
If you use Azure and suspect that a security incident occurred, please contact the IT Security team via security.zid@univie.ac.at.
In case of IT security incidents, the ZID immediately takes measures (such as immediate deactivation) if necessary and may prohibit the use of the resource if it was used or configured in a negligent way. Please note: Security incidents due to the misuse of Azure resources can result in enormous costs incurred to your cost centre.