Moving to the cloud provides many benefits to organizations, but implementing adequate security controls within cloud provider environments can be challenging. Microsoft Azure is one of the largest cloud platforms in the market today, and Microsoft Azure security features have been added recently to make it more appealing to enterprise customers.
Microsoft is open about some of its operational security practices internally, including its Security Development Lifecycle, Microsoft Security Response Center and Microsoft Malware Protection Center. Information about these teams and security practices is disclosed in relative detail through standard audit and contract requests in SSAE 16 SOC 2 and other reports.
Microsoft Azure security includes allowing customers to establish an encrypted IPSec tunnel from their on-premises data center via the Azure Virtual Network Gateway. In addition, internal networks and virtual machine instances can be segmented individually or within deployments in the same customer subscription using virtual networks, private IP address ranges, and Network Security Groups that act as stateful firewall rule sets to individual systems and IP subnets. Standalone virtual network security appliances from select vendor partners can also be implemented within Azure to act as distinct security gateways, providing more robust intrusion prevention and Web application firewall capabilities.
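How a subnet-level and a system-level Network Security Group combine for one inbound connection, as an added example (not code from the article or from Microsoft). The rule names and addresses are constructed, matching is simplified to source prefix, destination port and protocol, and of Azure's default rules only the final DenyAllInBound is modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first
    access: str          # "Allow" or "Deny"
    source: str          # CIDR prefix or "*"
    ports: tuple         # inclusive (low, high) destination ports
    protocol: str = "*"  # "Tcp", "Udp" or "*"

# Catch-all default rule at the end of every NSG's inbound list.
DENY_ALL_INBOUND = Rule("DenyAllInBound", 65500, "Deny", "*", (0, 65535))

def matches(rule, src_ip, dst_port, protocol):
    if rule.protocol not in ("*", protocol):
        return False
    if not rule.ports[0] <= dst_port <= rule.ports[1]:
        return False
    if rule.source == "*":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)

def decide(nsg, src_ip, dst_port, protocol):
    # First match in ascending priority order wins.
    for rule in sorted(nsg + [DENY_ALL_INBOUND], key=lambda r: r.priority):
        if matches(rule, src_ip, dst_port, protocol):
            return rule

def inbound_allowed(subnet_nsg, system_nsg, src_ip, dst_port, protocol="Tcp"):
    # Inbound traffic has to pass the subnet NSG, then the system's own NSG.
    for layer, nsg in (("subnet", subnet_nsg), ("system", system_nsg)):
        hit = decide(nsg, src_ip, dst_port, protocol)
        if hit.access == "Deny":
            return False, f"{layer}:{hit.name}"
    return True, f"{layer}:{hit.name}"

# Constructed sample rule sets (names and addresses are illustrative).
SUBNET_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "*", (443, 443), "Tcp"),
    Rule("AllowSshFromOnPrem", 200, "Allow", "10.10.0.0/16", (22, 22), "Tcp"),
]
SYSTEM_NSG = [
    Rule("DenySshFromJumpNet", 100, "Deny", "10.10.5.0/24", (22, 22), "Tcp"),
    Rule("AllowSsh", 110, "Allow", "10.10.0.0/16", (22, 22), "Tcp"),
    Rule("AllowHttps", 120, "Allow", "*", (443, 443), "Tcp"),
]
if __name__ == "__main__":
    print(inbound_allowed(SUBNET_NSG, SYSTEM_NSG, "10.10.5.9", 22))
```

Because the rule sets are stateful, only the inbound decision is evaluated here; replies on an allowed connection need no matching outbound rule.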
For protection of data at rest within Azure, Microsoft offers the Azure Key Vault hardware security module to generate or import keys for use within applications or VMs in Azure. The Azure keys are 256-bit AES by default, which meets baseline industry standards for encryption of data. Azure Key Vault logs will soon be available for export to log monitoring and SIEM platforms, and all access to keys -- through direct access or API -- is recorded for a complete audit trail.
All Azure instances and applications can generate audit and logging events to the Windows Azure Diagnostics collectors that leverage Azure storage. These events can then be sent to Azure's HDInsight Hadoop services for aggregation and analysis, or exported for integration to an on-premises SIEM or other log management and monitoring service. Numerous reports are also integrated into the administrative dashboard for monitoring management portal logins and activity.
Microsoft Azure security offers a number of integrated antimalware options. For a simple, wholly integrated approach, customers can enable Microsoft Antimalware for Azure in the Azure management portal. This leverages Microsoft's own antimalware service within the virtual machine environment to monitor and protect VMs. Numerous leading antimalware players such as Symantec, McAfee, Kaspersky, Trend Micro and others have also adapted their products into Azure security. Some are available in virtual appliance formats, which then use Azure APIs to monitor virtual machines. Others are integrated into Active Directory, focused more on email, instant messaging and some Web-based malware.
Identity and access management
Microsoft offers multifactor authentication with its Azure Multi-Factor Authentication service, which is also available in a standalone server model for on-premises integration into Azure. Azure Active Directory is Azure's identity provider and identity management offering, which can integrate with on-premises Active Directory systems using Microsoft federation services. It also acts as a full-featured identity-as-a-service offering to control and manage user access to Microsoft apps and other SaaS providers.
Finally, Microsoft allows customers to perform penetration tests of their Azure environment by filling out a form.
Microsoft Azure security in the future
With competition heating up for IaaS and PaaS cloud services, Microsoft Azure is emerging as one of the providers offering more customer-managed security controls. For organizations moving sensitive data and workloads to the cloud, security is becoming more important than ever, and will likely continue to be a competitive differentiator in the future for companies like Microsoft.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Shackleford currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.