Microsoft Azure Cloud Security Guide
Approaches to Security
Anyone who has ever worked in a secure facility has a basic understanding of what it takes to create and maintain such an environment. There are many ways to control access to the facility, such as automated gates and guards. Visitors can be questioned and access approved or denied based on a valid need. Once an individual has been admitted to the facility, entering the building itself can be further regulated and observed through additional measures involving doors, badges and escorts.
Behind all of these measures are carefully developed and fine-tuned policies that guide the operation of the facility. These policies are applied consistently in order to maintain security, right down to data access and protection. The same is true when securing data in Microsoft Azure. Options for securing customer information have been developed so that Azure clients can rely on security facilities within their spheres of operation to keep data protected and to mitigate unwanted access.
Microsoft now offers a wide range of security features within its Azure cloud products, giving organizations a high level of confidence that breaches will be minimized and that any security incidents will be addressed quickly. Clients can use Azure’s tools to develop their own policies to mitigate intrusions and minimize the effects of those that do occur.
Foundations of Azure Security
Azure achieves high-end security for cloud clients by providing the following:
- Management and control of identity and user access – Azure provides an Active Directory environment with greater control over user access to information. Multifactor authentication sign-in is available, and Azure also provides greater control over authentication, authorization and access control. Developers will also find tools to better integrate identity management across platforms, including mobile and web apps. Authentication through Azure Active Directory can even be integrated with, and synchronized to, an existing on-premises Active Directory.
- Encryption of communications and operational procedures – Azure includes data encryption at all levels, whether information is in transit or at rest. Encryption keys can be stored in vaults both on premises and in the cloud. Data can even be encrypted before it is placed into the cloud.
- Solid networking infrastructure security – Azure hardens the network even when communication between on-site and cloud networks is necessary. Through high-speed connections, Azure extends existing networks to the cloud using secure VPN connections while providing more design and infrastructure controls through the Azure Fabric Controller. Network Security Groups (NSGs) control traffic to VMs, help secure communication between Azure Virtual Networks and implement packet-filtering firewalls by default on all hosts and VMs. All datacenter locations in all regions provide a wide range of physical security and access controls to prevent breaches through physical means.
- Tools for defense against intrusion and threats – Microsoft has instituted continual monitoring, testing and prevention processes throughout all Azure regions. Everything from intrusion and anomaly detection to DDoS prevention and penetration testing, as well as machine learning and behavioral analytics, is employed for the highest security possible. Microsoft deploys its own antimalware to prevent intrusions into VMs and cloud services, but also supports third-party malware security solutions within subscriptions. Azure Security Center serves as the main control point for all client security concerns.
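The networking bullet above says that Network Security Groups filter traffic to VMs and deny by default. The following added example (not code from the article or from Microsoft) models how an NSG reaches an allow/deny decision for inbound traffic, with rules evaluated in ascending priority order, first match winning and the built-in default rules sitting behind every custom rule, and adds an audit check that flags rules exposing SSH or RDP to any source. The rule set, the 10.0.0.0/8 stand-in for the VirtualNetwork tag and the treatment of the Internet tag as "any source" are constructed simplifications.

```python
# Added example, not code from the article or from Microsoft: a small model of how an
# Azure Network Security Group (NSG) decides inbound traffic, plus an audit check.
# Modelled semantics: ascending priority, first match wins, built-in defaults (65000+) last.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
ANY = "*"  # NSG wildcard for protocol, source and port
VNET_RANGE = "10.0.0.0/8"  # constructed stand-in for the "VirtualNetwork" service tag
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # custom rules use 100-4096; a lower number is evaluated first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, "*", or the tags "Internet" / "VirtualNetwork"
    dest_port: str   # "22", "80-443" or "*"

def _source_matches(spec, src_ip):
    if spec in (ANY, "Internet"):
        return True  # simplification: "Internet" matched as any source address
    return ip_address(src_ip) in ip_network(VNET_RANGE if spec == "VirtualNetwork" else spec)

def _port_matches(spec, port):
    if spec == ANY:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

DEFAULT_INBOUND = [  # the "packet filtering by default" the article refers to
    Rule("AllowVnetInBound", 65000, "Allow", ANY, "VirtualNetwork", ANY),
    Rule("DenyAllInBound", 65500, "Deny", ANY, ANY, ANY),
]

def evaluate_inbound(rules, src_ip, protocol, port):
    """Return (access, rule_name) for one inbound packet: first matching rule by priority."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in (ANY, protocol) and _source_matches(r.source, src_ip)
                and _port_matches(r.dest_port, port)):
            return r.access, r.name

def find_exposed_mgmt_rules(rules, mgmt_ports=(22, 3389)):
    """Audit: Allow rules open to any source that reach SSH (22) or RDP (3389)."""
    return [r.name for r in rules if r.access == "Allow" and r.source in (ANY, "Internet")
            and any(_port_matches(r.dest_port, p) for p in mgmt_ports)]

SAMPLE_RULES = [  # constructed: an over-broad RDP rule beside a bastion-scoped SSH rule
    Rule("allow-rdp-anywhere", 100, "Allow", "Tcp", "Internet", "3389"),
    Rule("allow-https", 200, "Allow", "Tcp", ANY, "443"),
    Rule("allow-ssh-from-bastion", 300, "Allow", "Tcp", "10.1.0.0/24", "22"),
]
```

Running `find_exposed_mgmt_rules(SAMPLE_RULES)` returns only the RDP rule, while `evaluate_inbound` shows that SSH from a non-bastion address falls through every custom rule to the default DenyAllInBound.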
Key Security Features within Azure:
From Azure Security Center you can manage all of your security needs within Azure as well as hybrid implementations between on-premises and cloud instances. This console provides a unified view of your cloud resources, with discoverability across networks to on-site infrastructure, allowing security to be managed and policies applied from a central location. Central management of resources, including collection, analysis and search, is available in the Security Center, where vulnerabilities can be found and remediated.
The Application Gateway provides application routing and load-balancing services within Azure. The Gateway is highly available and scales with client needs. Applications, including SQL, can be protected from the most common web-based threats, vulnerabilities and exploits with its web application firewall. The Application Gateway is well integrated with other Azure services, including Azure Traffic Manager.
Using Internet Protocol Security (IPsec) and Internet Key Exchange (IKE), Azure’s VPN Gateway provides secure connectivity between on-premises infrastructure and cloud-based resources. Point-to-site VPN provides connectivity to VMs across Azure Virtual Networks, keeping them available even to users on the road.
Azure DDoS Protection:
Monitoring is always on for Azure DDoS Protection, which provides adaptive tuning, application-layer protection, full integration with the rest of Azure’s security features, and analytics. Protection is simplified through immediate monitoring of all cloud resources to mitigate detected attacks. Azure’s DDoS protection also works across layers three through seven to counteract common threats such as SQL injection. The feature also includes alerts and telemetry reports for a better understanding of any attempted attack and how to mitigate vulnerabilities in web applications. Microsoft even offers service credits to cover resource costs incurred from documented attacks.
With cloud services, encryption keys are critically important, and Key Vault provides effective and secure storage of keys that remain highly available and can be linked to applications for simple, high-performance protection. Key Vault also covers passwords, secrets and policies that can be applied to cloud resources, and new vaults can be created or migrated in a matter of minutes without provisioning delays. Certificate provisioning for SSL/TLS offers fast enrollment and automatic renewal from public CAs.
Azure Information Protection:
All data can be protected with Azure’s cloud services, including tracking and monitoring of behavior to block intrusion activity. Information can be classified through policies in management categories such as automatic, recommended or user-controlled. Protection follows the information no matter how it is shared or stored. Sharing controls can even be extended to customers and enforced in Microsoft Office, with data-handling recommendations presented to users.
Azure Active Directory:
Complete identity management is available in Azure Active Directory, where resources can be safeguarded by intelligence-driven security policies. Azure AD is tightly integrated with Office 365 and enables higher productivity with security and management centralized. With a single identity, users can access their applications through a web-based portal, with web applications available for on-premises and mobile access.
Azure Advanced Threat Protection:
Threats continue to mount, so Microsoft Azure’s security also includes advanced threat protection. Azure Advanced Threat Protection adds the power of cloud resources to effectively detect and investigate intrusions and threats. Device, user and resource usage is monitored for security anomalies, giving fast insight and response. These measures improve responses to attacks and leverage Microsoft’s Windows Defender Advanced Threat Protection for attack remediation.
Delving a bit deeper into these security categories, it becomes clear that Microsoft has built its cloud environment with security as a top goal. However, it is important to remember that security is an ongoing responsibility in which cloud customers have, and must retain, a role. Merely having a cloud presence does not remove the organization’s responsibility to follow best practices and to define policies that are applied and followed using the tools available in Azure Cloud Services.
To learn more about Azure Cloud Security, contact the Certified Microsoft professionals at DirectKey – your online resource for all things Cloud.