1

For a potential project, we are tasked with developing a website (API/SPA principle) which has a paramount requirement of keeping personally identifiable information (PII) about its visitors anonymous, and the data they provide encrypted at rest. The latter requirement is quite easily addressed using available libraries and best practices.

What I'm concerned with, is that I can't find any clear information about which data Microsoft is storing about the hypothetical visitors to my website. This probably depends on the specific service we would use, which will likely be Azure Kubernetes Service (AKS).
Specifically the visitors IP addresses are considered sensitive and thus should not be stored anywhere.
As the owner/operator of the application I know that I have to actively enable additional services (e.g. log analytics) in order to see this information, but does Microsoft see about my visitors? I can't imagine they are keeping no logs whatsoever of who visits their infrastructure, if only for the purpose of e.g. blacklisting abusive IP addresses (DDoS attacks, ...).
Any documentation about this would be much appreciated.

Assuming Microsoft does keep track of visitor IP addresses, what would be alternatives that don't? I'm open to alternative cloud providers, or even a 3rd party service that acts as a gateway to the Azure infrastructure, making only its IP visible to Azure, and meanwhile not logging its visitors IP addresses.

Alex
  • 261
  • 1
  • 3
  • 8
  • What rules are you trying to comply with? GDPR, HIPAA, SSAE 16, etc? Did you look up Azure's own compliance with such rules? – Michael Hampton Sep 19 '20 at 16:23
  • Although the project needs to comply with GDPR, we want to enforce rules on top of that. GDPR dictates you can basically keep whichever user data you want, as long as you're transparent about it, can justify why you're keeping it, and provide a timeframe after which the data will be deleted. – Alex Sep 19 '20 at 20:10
  • They definitely track this information. All providers comply with laws where they operate. Legal and regulatory requirements also supersede GDPR, and even in democratic countries like the US the government can compel providers to surrender this information. Azure definitely cannot fulfill this requirement, and neither can any of the other large cloud providers. – Greg Askew Sep 20 '20 at 14:06

1 Answers1

2

There isn't really any published information on this, but Microsoft, and any other large cloud provider, will be tracking IP addresses of users entering their network. There is no option to disable this. You are going to struggle to find any cloud provider who will meet your needs in this area.

Sam Cogan
  • 38,158
  • 6
  • 77
  • 113