Microsoft Azure – Security Summary
After reading all my previous articles, you should be able to form your own opinion on how Microsoft Azure, Microsoft's public cloud, is protected and secured.
- “How secure is Microsoft Azure? Should I trust it?”. Introduction.
- “Have you been hacked? No? Are you willing to bet on this?”. An overview of the numbers and the current cyber threat landscape, and the cybersecurity means required to fight it.
- “Microsoft Azure – Security”. A description of how Microsoft secures your data in terms of physical and logical access.
- “Microsoft Azure – Privacy and Control”. I often hear questions about trust and about uncertainty over where data stored in a public cloud is located. I explain how Microsoft deals with this topic.
- “Microsoft Azure – Transparency”. A few words on Microsoft's approach to transparency regarding regulations, audits, processes and everything else that concerns Microsoft Azure, so that customers have an excellent view of how their data and services are managed.
- “Microsoft Azure – Compliance”. Have you ever wondered how many global, local and non-standard certifications, ISO standards and regulations are out there? Many… This article describes which of them Microsoft Azure meets.
- “Microsoft Azure – Security Summary”. This summary.
Here are a few of my thoughts and a conclusion:
- Security is a matter of trust, so the question is: what level of trust do you have? If you do not trust the public cloud because you are not sure how your data is protected (you can neither see nor touch it), then why do you choose to trust, let’s say, your hardware: keyboards, routers or even hard drives? Those were delivered by various vendors and most probably assembled in China, correct? How about your CPU or motherboards? Are you 100% confident that they were not compromised or infected before the assembly process? Are you willing to bet on that? (Examples to think over: ref. http://www.pcworld.com/article/2965872/components-processors/design-flaw-in-intel-processors-opens-door-to-rootkits-researcher-says.html and ref. http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/ ).
- It is not a revolution. It’s EVOLUTION. Do not try to stop it. Try to understand it, adjust, align and find your place in this reality, especially regarding IT.
- You may be confident that your users are not using any SaaS applications at work. That means you only have a superficial feeling of control. I have discussed this many times and, in a very simple way, proven CSOs or administrators wrong about such an assumption. Microsoft Cloud App Discovery can be used for this (ref. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-cloudappdiscovery-whatis ). In many of my cases, it turned out that users were using many different SaaS apps. Should they be banned in the organization? Some perhaps, yes. I always strongly advise not banning them, as people are very clever and will find a bypass or a workaround, but rather allowing them while making sure each SaaS app is used in a reasonable way.
- The same concept applies to the Bring Your Own Device (BYOD) model: yes, you are allowed to use your latest tech device and have a single device for both private and work purposes. The deal is that the company's part of the data stored on your device must be secured. Why? For so many years we have protected workstations with all those heavy technologies (firewalls, IDS, IPS, antivirus, antimalware, encryption, etc.), and nowadays we receive exactly the same data (emails, attachments) on our mobile devices, which in most cases are not (yet) protected at all. So if you lose your device at a party, it is not rocket science to get inside it and dump all your data.
- You might say “I do not care, it will not happen to me”. What if I told you that if it is YOU who leaked critical data of your company by losing your unprotected and unmanaged phone, YOU may get sued for all of the company’s losses? Depending on the data, other businesses may sue your company, which in turn will sue you and charge you for all damages (both those that happened and potential ones). It may get horrid. So. Think. About. This. If someone asks me “how do I protect both the company and the employees?”, I always answer: use Mobile Device Management and Mobile Application Management solutions. Microsoft’s implementation of MDM and MAM is Microsoft Intune (ref. https://www.microsoft.com/pl-pl/cloud-platform/microsoft-intune ), a service that makes sure devices and applications are managed. However, MDM and MAM should be adopted in the right way: neither too restrictively nor used to control private data.
- If technology changes so fast, is it possible to keep up to date with the latest cloud trends, news, updates, complexity, architecture, etc.? Well, yes, but only if you choose a narrow specialization (deeper rather than broader). Or you can transfer the risk to third parties that specialize in deploying such technologies and have up-to-date knowledge, such as system integrators or Microsoft Partners. Predica is one of them (ref. http://predica.pl/ ), making sure that you get the most experienced IT Architects and Consultants on the market. The added value is that those people can directly ask Microsoft for more in-depth knowledge or help, for example from people called Black Belts, who have a profound understanding of the product, and sometimes even from Product Group members, who are responsible for writing the product's code. As Microsoft MVPs, we also get early access to and knowledge about the latest technologies before they are announced (under NDA, of course, so we do not disclose that information; however, based on what is known, we can advise on IT strategies).
- Every “as a service” model is a shared responsibility, especially IaaS, where you are the owner of the entire infrastructure. If you do not update your servers, you are vulnerable to many threats. If you deploy mission-critical company applications that were not designed with security in mind and have not been penetration-tested, well, you are again vulnerable, and attacks that exploit bugs in your software or misconfiguration are your responsibility. Even the best technology will not protect you from that.
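To make the SaaS discovery point above concrete, here is an added example (not Microsoft Cloud App Discovery's code, and not from the original article) of the kind of log-based discovery such tools perform: it reads constructed web proxy log lines, maps hostnames to a constructed SaaS catalogue, and reports per-user upload volume to apps outside an assumed sanctioned list, so IT can decide which apps to manage rather than ban.

```python
# Added illustration: find SaaS usage per user from web proxy logs, the kind
# of log-based discovery that shadow-IT tools perform. Not Microsoft Cloud App
# Discovery's code; log format, catalogue and sanctioned list are constructed.
from collections import defaultdict

# Constructed sample proxy lines: "<timestamp> <user> <host> <bytes_out>"
SAMPLE_PROXY_LOG = """\
2017-01-10T08:01:12 alice mail.corp.example 2048
2017-01-10T08:03:44 alice files.dropbox.com 5242880
2017-01-10T08:05:01 bob docs.google.com 10240
2017-01-10T09:12:09 bob app.slack.com 4096
2017-01-10T09:15:33 carol outlook.office365.com 8192
2017-01-10T10:22:18 alice www.wetransfer.com 104857600
"""

# Hostname suffix -> SaaS app name (constructed catalogue).
SAAS_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "docs.google.com": "Google Docs",
    "slack.com": "Slack",
    "office365.com": "Office 365",
    "wetransfer.com": "WeTransfer",
}
SANCTIONED = {"Office 365", "Slack"}  # constructed: apps IT already manages

def classify_host(host):
    """Map a hostname to a SaaS app name, or None for internal/unknown hosts."""
    for suffix, app in SAAS_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def discover_saas(log_text):
    """Return {user: {app: bytes_uploaded}} counting SaaS traffic only."""
    usage = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        _ts, user, host, size = line.split()
        app = classify_host(host)
        if app:
            usage[user][app] += int(size)
    return {u: dict(apps) for u, apps in usage.items()}

def unsanctioned_report(usage):
    """(user, app, bytes) rows for apps outside the sanctioned set, largest first."""
    rows = [(u, a, b) for u, apps in usage.items() for a, b in apps.items()
            if a not in SANCTIONED]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for user, app, size in unsanctioned_report(discover_saas(SAMPLE_PROXY_LOG)):
        print(f"{user:8} {app:12} {size:>10} bytes uploaded")
```

The upload volume per unsanctioned app is what tells you whether a file-sharing service is being used as a casual convenience or as a bulk exfiltration channel for company data.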
The last thing to think over is a question that follows from reading all the previous posts on how Microsoft’s public cloud, Azure, provides security. Bear in mind all the numbers representing the amount of money Microsoft has invested. The question is: “Are you sure that today, in your own datacenter, you are doing it better and spending enough time and money on security?”