Microsoft Azure – Security
Cloud security cannot be developed by chance or without understanding the market needs. There is no room for a mistake which could cause mistrust in all cloud solutions and providers. Security should be provided on every layer – physical (Datacenters) and logical (design, operations, isolation, etc.). Microsoft's mantra is:
“Microsoft makes security a priority at every step,
from code development to incident response.”
When developing its cloud services, Microsoft enforces security on every level, from the very first line of source code written, with the following approaches in mind:
- Security Development Lifecycle. It is a mandatory, company-wide process that has to be followed so that software is always verified in terms of
- Assume breach. Microsoft's (and not only theirs) security strategy and approach are to assume its services have already been breached. With that assumption, Microsoft has two different teams – the Red Team, which tries to get inside and compromise Microsoft services, and the Blue Team, which works to counteract the Red Team. The Red Team uses real-world attacks and both known and unknown bugs (0-days) to get inside at any cost. On the other hand, the Blue Team detects, protects against and recovers from breaches. You may be wondering: on what data do such war games happen? Those may be free or trial subscriptions. Microsoft never accesses or tries to “hack” its paying clients' subscriptions. For more insight into the penetration test teams, please visit this site ref. https://azure.microsoft.com/pl-pl/resources/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/ .
- 24/7 security incident response. This is a global service working 365 days a year to mitigate the effects of attacks and provides an incident
Now, when it comes to physical security, Microsoft invests heavily in its Datacenters, so they are secured to the highest standards. A few things you should know:
- Every Datacenter complies with ISO 27001, wherever in the world it is located.
- Datacenters do not have flashing banners or signs showing where they are located. Of course, Microsoft doesn't put a bag on your head when you visit a Datacenter, but still, they try not to reveal those places.
- Datacenters are monitored 24/7 and physically secured. Of course, centralized monitoring and alerting are implemented, but bear in mind that Datacenter administrators do not have access to your data and do not know what your data is, unless you ask Microsoft to help you troubleshoot your issues and give your blessing to the Microsoft team.
- Microsoft manages updates: hardware and software, including the OS, web apps and databases. I've learned that the #1 sin of any administrator is not having an update policy or not applying it correctly. Here, in such a shared responsibility approach, it's Microsoft that has to worry about updates. What's important is the “as a service” model: in the IaaS model, no matter how secure the physical infrastructure is, it does not help if WE do not provide security (including OS updates) for our VMs. Moreover, Microsoft can implement the latest patches very quickly and directly in its managed infrastructure, so the time between a fix and applying the update is really minimal.
- All source code is scanned with antivirus and antimalware software before deployment. Microsoft has a massive database of potential threats, viruses, etc. It is built from information from their servers, workstations and mobile devices, so Microsoft can use this data to protect your data better. For some time now, Microsoft has been adding machine learning capabilities to keep you safe; please have a read about that solution implemented in Windows Defender in Windows 10, ref. https://blogs.technet.microsoft.com/mmpc/2015/11/16/windows-defender-rise-of-the-machine-learning/ .
- I told you about red teams and blue teams playing a hacking game with each other, but if you do not trust the Microsoft Cloud, you can perform your own penetration tests. You have to submit a penetration test form and agree to the terms and conditions. “Yeaaah, right! So if I told them, they would prepare, right?! What's the point in informing Microsoft?” The point is that when you do your pentests, no black-suited men will knock on your door and handcuff you for attacking the Microsoft Cloud :) It's better to warn them.
- Firewalls, DDoS protection, security infrastructure, etc. It's not only the network outside (the public Internet) that is protected, but also the internal network!
One of the last things to mention is VM protection. VMs are protected by isolation of network, storage and user identities, but also by encryption.
- For digital identities, you can use Azure Active Directory (also read about Azure Active Directory Domain Services), which offers an enterprise identity directory and access management in the cloud. It is integrated with thousands of applications and provides Single Sign-On.
- For better network performance and security you can always set up a Site-to-Site or Point-to-Site VPN. You can also have a dedicated, private connection directly to a Microsoft Azure Datacenter, which is called ExpressRoute https://azure.microsoft.com/en-us/services/expressroute/ .
Alex Simons (Director of PM, Microsoft Identity Division, Redmond, WA) wrote in his blog in 2016 (ref. https://blogs.technet.microsoft.com/enterprisemobility/2016/02/24/identity-and-security-innovations-for-your-enterprise/):
“Every day we automatically deflect 1.5 million attacks by challenging or blocking fraudulent login attempts across Microsoft consumer online services like Microsoft Account and XBOX Live. We identify over 30k compromised user accounts per day”.
Wow, that's a lot! Don't you think? And how do they do that? I mean, how do they know your account has been compromised? The answer may be that Microsoft uses sites such as https://haveibeenpwned.com/ by Troy Hunt to detect whether your credentials have been leaked in the biggest breaches.
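As an added illustration (not code from the original post, from Microsoft or from Have I Been Pwned), here is how a credential check against leaked-breach data can be done without handing the password itself to the lookup service, using the k-anonymity scheme of the Pwned Passwords range API: only the first five hex characters of the SHA-1 hash are sent, and the whole bucket of matching suffixes comes back. The API response below is a constructed stand-in so the example runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint: GET https://api.pwnedpasswords.com/range/<5-hex-prefix>
# Response: one "SUFFIX:COUNT" line per leaked hash in that bucket.
# The client never sends the full hash, so the service cannot learn
# which password was checked (k-anonymity).

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into 5 + 35 chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: breach_count}, skipping junk."""
    bucket: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if count.strip().isdigit():
            bucket[suffix.strip().upper()] = int(count)
    return bucket

def is_pwned(password: str, fetch_range: Callable[[str], str]) -> Tuple[bool, int]:
    """Return (seen_in_breach, count); fetch_range maps a prefix to the API body."""
    prefix, suffix = sha1_prefix_suffix(password)
    count = parse_range_response(fetch_range(prefix)).get(suffix, 0)
    return count > 0, count

# Constructed offline stand-in for the API: the bucket for a weak sample
# password, padded with two unrelated (made-up) 35-char suffixes.
_LEAKED_PASSWORD = "password123"
_PFX, _SFX = sha1_prefix_suffix(_LEAKED_PASSWORD)
_FAKE_BUCKETS = {
    _PFX: "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
          f"{_SFX}:42\n"
          "011053FD0102E94D6AE2F8B83D76FAAF4C3:7\n",
}

def fake_fetch_range(prefix: str) -> str:
    # Unknown buckets return an empty body, i.e. nothing leaked there.
    return _FAKE_BUCKETS.get(prefix, "")

if __name__ == "__main__":
    for pw in (_LEAKED_PASSWORD, "correct horse battery staple"):
        flagged, n = is_pwned(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen in breaches' if flagged else 'not in sample'} ({n})")
```

To run it against the live service, replace fake_fetch_range with a function that performs the HTTPS GET for the prefix and returns the response body unchanged.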
Microsoft is so convinced of the security of Microsoft Azure and Office 365 that they use them for their day-to-day operations. Actually, they use each service before it goes to others (Insiders or paid customers). It's called dogfooding. Why? If you are interested, have a read here ref. https://blogs.technet.microsoft.com/mscom/2006/07/18/why-dogfood/ and here ref. https://en.wikipedia.org/wiki/Eating_your_own_dog_food
If you want to learn even more about how Microsoft security technologies and processes keep your data safe, please visit https://www.microsoft.com/en-us/TrustCenter/Security/default.aspx# .