Data protection and data security

Data protection

Please adhere to the Data Protection Guideline of the University of Vienna (login required).

Within the Azure environment of the University of Vienna, you have only access to Azure data centres located in the European Union which meet the high standard of data protection required by the GDPR. These are located in the regions of Northern Ireland (Ireland), Western Europe (Netherlands) and Sweden Central. Microsoft has announced the establishment of a cloud data centre region in Austria by 2024, which will then also be available. Microsoft is obliged to never process data outside the EU when an EU data centre is selected.

In addition to these measures, the following recommendations by the Data Protection Officer apply:

• When processing personal data as part of projects and research projects, please consult with the Data Protection Officer before using Microsoft Azure.
• Please process as few personal data as possible via Microsoft Azure.
• Data stored on Azure should be encrypted if technically possible.

If you have questions about data protection, you can contact the Data Protection Officer of the University of Vienna via a Servicedesk form.

In addition, the University of Vienna offers free webinars on data protection and cloud systems (in German) for employees at regular intervals.

Data security

The IT Security team emphasises that you are responsible for the security of the data you manage in Microsoft Azure. You must configure Azure resources in a way that guarantees the greatest possible data safety. For all services provided on the Azure platform, you have to take appropriate measures to sufficiently protect the data stored and processed in Azure.

The objective of your IT security measures is to guarantee the

• integrity;
• availability and
• confidentiality of data 

in the best possible way.

The IT Security team of the University of Vienna is available to answer questions about data security via security.zid@univie.ac.at.

Fundamentals and principles

You have to adhere to the following key fundamentals and principles of data security when using Microsoft Azure:

• Least privilege principle: Permissions are granted in accordance with the least privilege principle. This means that administrators and users are granted only those permissions that are necessary for their activities. Make sure to immediately revoke permissions that are no longer needed, for example, when employees leave the University or when their tasks change.
• Password security: You have to comply with the password policy of the ZID. Passwords used for administrative tasks should be as long as possible and randomly generated. In this context, a randomly generated password based on at least 62 characters (a-z, A-Z, 0-9) and with a minimum length of 16 characters is considered sufficiently secure. The ZID recommends using a password manager such as KeePass, which stores passwords and randomly generates secure passwords. You must create and use a separate password for each service you use.
• Network security: Make sure that all your resources (such as servers, databases) that you need are protected by firewalls which filter the network traffic (especially incoming traffic and, if possible, also outgoing traffic). Azure Network Security Groups must be configured in accordance with the least privilege principle. Please note that the firewall of the University of Vienna (including the intrusive prevention system) does not filter the network traffic of your Azure resources.
• Patch management: You are responsible for the patch management of the resources you use. Make sure that security updates are completed in due time. Furthermore, the ZID recommends subscribing to the mailing lists of CERT.at. They provide immediate information about important security gaps that could also affect your cloud resources (servers, databases, etc.).
• Encryption: Store and transfer data (connection data and data at rest) in an encrypted way, whenever technically possible. The data should be encrypted on the client side (client-side administration of the keys). Alternatively, you can also use the encryption mechanisms available in Azure (administration of the keys by Microsoft). However, due to the functional principles of many Azure services, especially of software-as-a-service services, encrypting the data is often not possible. In these cases, please take particular care which data you upload to the cloud.
• Know-how: Obtain information about best practices regarding the configuration of your cloud resources, such as from the recommendations of the ZID on the use of cloud storage services or the security recommendations of Microsoft.