When using cloud services like Microsoft Azure, Microsoft ensures the fundamental security of cloud infrastructure, including physical security, basic network security, and security of the underlying hardware and software.
DTU Azure Tenant manages subscriptions to Azure cloud services for all DTU units (departments, centers and central administration). A "Subscription Owner" is a DTU user who has been granted an Azure subscription.
Subscription owners are responsible for the protection and management of their own data stored in the cloud. This includes classifying their data, managing access and identity, ensuring data encryption both at rest and in transit, and applying additional network security measures. Subscription owners must also maintain compliance with legal and regulatory requirements related to their data. The following table outlines the respective responsibilities in DTU Azure Tenant among AIT, the Subscription Owner, and Microsoft.
Responsibilities for Azure Subscriptions Overview:


AIT follows security best practices for Azure. Under the policies activated in Entra ID or Azure policies, all users are required to use Multi-Factor Authentication (MFA). Additionally, all subscriptions must be restricted to EU regions unless an exemption is granted. Data in Azure is encrypted both at rest and in transit. You can access the DTU Azure Policies here. However, as a subscription owner, you are responsible for managing your data and using your rights correctly when utilizing the Azure services.
Compliance with Security Policies of DTU: The subscription owner is responsible for complying with the security policies of DTU: DTU politikker (DTU policies), DTU Sikkerhedskrav (DTU security requirements) and Information security policies.
Classify data based on its sensitivity and importance. If you are processing personal data, additional documentation duties may apply according to DTU's rules (read more here: GDPR).
Ensure you are familiar with the research data management requirements when handling research data: forskningsdata (research data).
Implement and maintain control measures to safeguard data from unauthorized access and breaches, in addition to measures already put in place by AIT. As a subscription owner, you have the authority to delegate access to data. Here is a guide on how to manage access rights: Data Encryption Best Practices
Ensure data backup procedures are established and maintained regularly if required, as the subscription does not include a backup service.
Ensure correct assignment of data access permissions for apps you develop within the platform. Here’s a guide on granting permissions: Authorize access to blob data in the Azure portal - Azure Storage | Microsoft Learn
Establish and maintain a data retention policy that aligns with the purpose and type of data you are using. If you have questions regarding information security rules at DTU, please contact the DTU Information Security Team.
Ensure data processing agreements are in place with external partners when third parties have access to the Azure subscription or when data is sent to an external party. These agreements define how data is handled, processed, and protected, ensuring compliance with legal and security requirements such as GDPR.