About this book

Microsoft Azure Security helps you ensure that all your applications and services stay secure and safe from any threats. Starting with a quick tour through the fundamentals of security standards, you will quickly gain a comprehensive overview of Azure Services where security has to be managed directly. You will then see some use cases of Azure usage, exploring the various building blocks of the entire platform. This will help you get involved with the services covered in the ensuing chapters.

Next, you will learn to identify, for any given service of Azure, where the possible traps are and how malicious behaviors could lead up to a huge loss in terms of information and consequently, money. Finish with a flourish by implementing authentication solutions within applications with Azure Services and learn the best practices for Azure-related IT resources. With this comprehensive guide, you will learn many of the key security processes along with network, system, and host security and ensure that your applications and services are secure.

Publication date: April 2015
Publisher: Packt
Pages: 152
ISBN: 9781784399979


Chapter 1. The Fundamentals of Security Standards

Before we get down to talking about Azure specifically, we need to gather some basic information about what security means in the context of information technology, where it is often called information security. In this chapter, we are going to talk about the following topics:

  • Information security fundamentals

  • Physical measures versus logical measures

  • Security standards and Azure

In this chapter, we will show how these security principles are often related to common sense (and to a good understanding of a few core concepts) and how they have to be achieved during the whole process. Here, the process is a comprehensive end-to-end series of tasks involved in information management, and not only the usage of Azure technology.


Information security fundamentals


Let's start with a brief recap of high school concepts, such as the difference between data and information. In many cases, both should be treated as important assets, though there is an important difference.

Data is the raw piece of a fact, which describes something; information is the output of a process of elaboration of raw data.

Tip

Think about a sensitive digital document containing strategic company plans. If someone sees the raw bits of this document, no one could probably gain any kind of advantage from it. Instead, if these bits (the data) are properly translated by some software into a human-readable document, information is generated.

I mentioned that both of these are important, since raw data can produce a lot of information. However, it is generally accepted that information has much more value as it represents the output of a high value transformation process.

CIA triangle

It is probably well known that the most widely-accepted principles of IT security are confidentiality, integrity, and availability. Despite many security experts defining even more indicators/principles related to IT security, most security controls are focused on these principles, since the vulnerabilities are often expressed as a breach of one (or many) of these three. These three principles are also known as the CIA triangle:

  • Confidentiality: This is about disclosure.

    A breach of confidentiality means that somewhere, some critical and confidential information has been disclosed unexpectedly.

  • Integrity: This is about state of information.

    A breach of integrity means that information has been corrupted or, alternatively, the meaning of the information has been altered unexpectedly.

  • Availability: This is about interruption.

    A breach of availability means that information access is denied unexpectedly.

Ensuring confidentiality, integrity, and availability means that information flows are always monitored and the necessary controls are enforced.

We say that a breach is an exposure, caused by an event in which a vulnerability located at some point of the involved process was exploited.

Tip

Those events are often called incidents, since they expose a system to loss or damage. Later, you will learn how to identify the threats to a system, which is one of the main purposes of Information Security Management (ISM).

As you can see from the three principles discussed, for each security principle we need to ensure that information flows are always monitored and the necessary controls are enforced. The first part is a basic milestone of information security, since all the information flows have to be known and documented by an officer in order to plan which controls should be enforced. The second part, instead, is related to a specific principle; security measures vary from one principle to another, as follows:

  • The examples of the measures for confidentiality are:

    • Applying classification signs on a company's documents could help people understand which grade of secrecy is applied.

    • Applying a deny-all policy and allowing only a minimal set of permissions to users will reduce the risk of a loss of confidentiality.

  • The examples of the measures for integrity are:

    • A data validation policy for users involved in data entry or data manipulation helps to reduce the probability of errors and, consequently, a loss of integrity.

    • Continuous backups could mitigate the damage of data corruption, by restoring the most recent and consistent version of data.

  • The examples of the measures for availability are:

    • Having at least two power sources for critical IT infrastructure increases the availability of a system in case damage is suffered by one of them. This is an example of redundancy.

    • Again, backups can also be viewed as measures to increase availability since, in the case of a hardware failure, a good backup procedure could reduce the downtime dramatically.

Sometimes we encounter other principles related to security, such as non-repudiation, authenticity, utility, possession, and more. I prefer to reduce all the principles to the CIA triangle, since I think the other ones are specializations of this base model.

Security management

In this book, we will try to teach you that security should not be delegated to fancy tools or to all-in-one salvation software, but is primarily related to the awareness of the people involved in business processes. Companies should (and must) implement internal procedures to assess themselves from a security perspective, documenting the risks they are subject to and the measures to mitigate (if necessary) these risks.

This is, in summary, the purpose of a Security Management System which, when talking about IT, becomes an Information Security Management System (ISMS).

In the previous sections, we talked about risks, vulnerabilities, threats, and incidents; now let us try to give an example.

A company hires sales representatives, giving them a PC with the essential tools of the trade, Customer Relationship Management (CRM) access, and a database of clients with their details (that is, past revenues). The person in charge of security decides to force mobile users to use a Virtual Private Network (VPN) to connect to the company network and to choose a strong password for desktop access. However, if the PC's hard drive is not fully encrypted, the company is vulnerable to a loss of confidentiality in the case of theft or loss; the threat is that someone could attach the hard drive to another PC and read all the plain data. The risk associated with this event is the likelihood of a sales representative losing the PC or a thief stealing it, regardless of whether the information contained in it is then used. The measures in this case could be at least two: avoid saving sensitive data on the PC, making it a stateless device (or thin client), or perform full disk encryption. In both cases, someone taking physical possession of the device cannot take advantage of the information contained in it.

In this example, we used the appropriate terminology to describe a typical real-world scenario. Please note that security controls (or measures) could themselves lead to new risks. Imagine a company policy that forces each PC to be encrypted with a key. In the case of the user losing this key, the PC would become useless even for people who have the right to access it. Again, if the disk key is a number, writing it down on the back cover of the PC completely avoids the benefit introduced by the encryption policy (a thief could steal both the PC and the key, gaining access to the device's sensitive information). These are two cases when measures to ensure confidentiality introduce new risks related to availability and confidentiality.

This is one of the reasons why a planned, documented, and formal ISMS is really needed by most companies who are dealing in information.

Tip

The process of understanding, assessing, and documenting current threats and risks is often known as due diligence, while the actual implementation of these measures to protect the company from threats is known as due care.

Medium or big companies approach ISM by appointing a dedicated staff member as the Information Security Officer (ISO), who is usually in charge of a division (or a small portion of a company), and a Chief Information Security Officer (CISO), who is usually in charge of implementing the security strategy for the entire company.

Tip

Why are dedicated staff needed to implement security?

Although the implementation of an ISMS seems like a one-time task, it is, in fact, a continuous process of iterative improvement, based on the monitoring of the actual procedures that have been put in place as a result of the previous implementation. As in software development, it is hard to say "it's finished" for a particular piece of software; rather, once software has been released, new functionality or fixes must be made according to new business requirements. In ISM, it is the same.

Risk analysis

A threat should not always be countered; in the previous example, if the possible loss resulting from the sales representative's PC (in terms of the information lost) costs less than the measures to fight this threat, the company could accept the risk. Today, it is often very cheap to protect a PC (through encryption, for instance), but there are other cases where it would be convenient to avoid an expensive implementation. This conclusion can be made only after a documented process of analysis.

As per the book Foundations of Information Security (Van Haren) by Jule Hintzbergen, Kees Hintzbergen, Andre Smulders, and Hans Baars, a risk could be accepted or mitigated by five kinds of countermeasures: preventive, reductive, detective, repressive, and corrective measures.

Coming back to the previous example, we may face this situation:

  • A PC with sensitive data is given to an employee

  • A thief could steal it (or the employee could lose it)

A preventive measure would make this an impossible risk; for example, by not giving PCs to employees at all. A reductive measure would reduce the likelihood of the risk, for example, by forcing employees to keep their devices physically attached to them at all times. A detective measure helps to promptly realize that an incident has occurred, for example, by placing a localization device on the PC that is connected to a real-time tracking system. A repressive measure would limit the consequences of an incident, for example, by remotely wiping the stolen (or lost) PC. Finally, a corrective measure would recover the consistent state that existed before the incident, for example, by providing a new PC to the employee. As previously said, a risk could also be accepted. In such cases, no countermeasures are taken, but the risk should be documented as well.


Physical measures and logical measures


Now, we will see which measures could be placed to manage the risks related to information security, dividing them into this classification:

  • Physical measures: These measures involve some kind of physical infrastructure (smaller or bigger), which protects sensitive resources

  • Logical measures: These measures are achieved by logical implementations (new or modified business processes and software implementations)

    Tip

    Some people split logical measures into technical (related to IT stuff) and organizational (related to processes). However, for the purpose of this book, this classification is enough.

Introducing ISO/IEC 27000

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) often work together to build international standards around specific technical fields. They released the ISO/IEC 27000 series to provide a family of standards for ISMS, starting from definitions (ISO/IEC 27000) up to governance (ISO/IEC 27014) and more. Two standards of particular interest are ISO/IEC 27001 and ISO/IEC 27002. The first was released to define the requirements to build an ISMS, while the second was released to provide controls (or measures) to help companies implement an effective ISMS, as described in the 27001 document.

Tip

International standards should be transposed to the actual requirements of a specific environment; they provide a framework supporting the process of building an effective ISMS, while they are not prescriptive at all. However, companies that adhere to the guidelines of these international standards are less exposed to unexpected exceptions, giving the entire company an added sense of trust and robustness.

Physical security and controls

Physical security is the part of information security that is probably the best known to everyone. Since it protects an asset physically, we have all probably dealt with it in our lives in many circumstances, such as how do we protect a building, how do we protect a car, and how do we protect cash? First, we try to physically protect these resources from outside access with simple or sophisticated security measures.

Security boundaries

With information security, we start from the assumption that we have something similar to a server farm to protect against damage or thieves. Therefore, what should we do to enforce security?

We cannot answer this question without knowing the following initial conditions:

  • Where is the server farm building located?

  • Are there some fences/gates to cross to get into the building area or not?

  • How far is the building from the nearest police station (or private security office)?

  • Is the building outside an area monitored for suspicious activities?

Answering these questions is, in fact, a part of the ISMS process itself. Providing a good description of the initial conditions helps to build measures to mitigate risks. Let's proceed into the building with some other questions:

  • Is the building entrance properly supervised?

  • Is there a key (or an identification) to get into the building?

    • Could that key/ID be copied easily?

    • Could someone else use that key/ID?

  • Is there a proper security control for loading/unloading areas?

Please note, we are not yet inside the working space and we already have many security issues to manage. Let's proceed, going up to the top floor where the server farm is:

  • Is the server farm room protected against intrusion?

  • Are there any proper intrusion detection systems (alarms or sensors)?

  • In case of an unexpected breach, is there a process to lock down the company in order to reduce the risk of losing data (and to catch the thief)?

We are just talking about measures to prevent unauthorized access to sensitive assets for people who do not have the right to be there. However, we should also consider other risks:

  • Could the legitimate administrator shut down the power source of the server farm?

    • Or should there be at least two power sources available at the same time?

  • Is the server farm room properly furnished with fire extinguishers?

  • Are incoming post parcels properly scanned to detect prohibited materials, explosives, and dangerous goods?

    Note

    Many security measures seem as though they're evidence of the paranoia of the CISO. However, not every possible measure should be implemented since, as we said before, a company could also accept the risk, or reduce it to another one.

As mentioned previously, each answer (and consequently each countermeasure) could lead to a new risk. The purpose of an ISMS is also to set up a continuous improvement process to find and manage new risks properly.

Note

Exercise for you:

Is the new monitoring system installed in the whole company to protect the assets compliant with local laws and regulations? Have proper actions to legally film employees been done?

Mobile equipment

In the previous example, we talked about ways to protect a hypothetical server farm against unauthorized access or disasters such as fire. Those considerations are still valid for on-premises equipment that is firmly fastened in company offices, such as cabling, desks, and big workstations. These are examples of what a thief could not easily steal (because of the weight and risk involved).

Imagine now how sensitive a CEO's desktop is in terms of confidentiality of information: documents, laptops, and smartphones might contain business secrets and losing them could lead the company into disaster too.

Protecting mobile resources with physical measures means applying new measures to provide security even outside the company premises, in addition to the safety measures that are already implemented inside the company.

Tip

Smartphones are like mini-PCs with saved credentials, sensitive web browser history, financial data, and e-mail accounts, and the risk of losing this data is mainly related to the mobility of the owner.

Let's consider an agent travelling with his or her mobile equipment. These are some of the questions that may arise pertaining to the physical security of this equipment:

  • Is the smartphone always (when not in use) enclosed in a container (pocket, bag, or pack)?

    • Is it protected from falls and shocks by a proper shell or cover?

  • Are sensitive paper-based documents enclosed in plastic sealed envelopes to protect them from water?

  • Does the agent have a second power supply to operate his or her PC in case of low battery?

These three questions give examples of what physical security for mobile devices could be:

  • The first is about confidentiality (protecting the smartphone against loss) and availability (protecting it from breakage)

  • The second is about integrity (a wet document may be compromised)

  • The third is about availability (an agent without his or her operational PC can waste time and money)

Logical security and controls

Logical security covers the measures that enforce security without being physical, such as access control, cryptography, organizational security processes, conventions, and many more. In this section, you will see how an ISMS is a pervasive approach, defining almost everything that is somehow related to the security of information.

Human resources

Enforcing personnel security starts when the HR department evaluates a new candidate to hire in the company. First, the department should perform adequate screening of the candidate by verifying the information he or she presents to the company in the resume. If this research gives evidence of the candidate's insincerity, this is, of course, a negative component in the overall evaluation.

Also, the reliability of a candidate should be taken into consideration, especially if he or she has to work with sensitive information or is in contact with high-profile employees. Verifying the truthfulness of the information declared by the candidate is again a good evaluation index, especially if the entities who recommend him or her are certified or well known.

Another aspect strongly related to information security is the possibility that an employee discloses what he or she learns from the company while working for it. Actually, the problem remains valid even after a person leaves the company, since the company's information must remain secret. By using Non-Disclosure Agreements (NDA) with employees, the company cannot solve the problem entirely, but it can reduce the risk of someone publicly disclosing the information.

During the working lifetime of employees, the company must train them to adhere to internal regulations, for example, the security policies about information technology. Government laws rarely recognize the validity of a company's internal policies and code of conduct; still, they can be used to create awareness and, when an employee fails to comply, to start the appropriate disciplinary process.

Note

A code of conduct is a document (or a set of documents) used to state the responsibilities of an employee regarding the best practices to enforce minimal security measures, that are implemented by a company. A code of conduct may deny the use of social networks during work time, since social engineering can extract sensitive information from people's activities feed.

Access control

When someone talks about IT and software security, the first topic is always access control. Access control is a logical measure to guarantee that only authorized entities can access private resources.

New employees of a company are provided with certain security tokens, such as keys, badges, security cards, and so on, to allow them access to specific physical and logical resources. At the end of the work relationship, the company must revoke these tokens to prevent any further access to company resources.

Tip

Access control is also a physical measure, similar to badges or biometrics, while entering a building or a restricted area.

Almost every access control system uses credentials to identify and authorize users. Credentials are a pair of objects: the first identifies the user (or entity) and the other (which is very private) is like a key shared between the user and the system. In complex IT infrastructures, managing the credentials of a company is not an easy task. To reduce the risks connected to credential management, it is often recommended to use a centralized identity management system (for example, Active Directory), which is useful to issue/delete credentials and to grant/revoke permissions, especially when Role-Based Access Control (RBAC) is in use.

While using a centralized system for identity management reduces some risks, it also introduces new ones, as previously stated in this chapter. The system administrator now has the capability to grant extra powers to unauthorized users, and can access the company's protected data. Therefore, the new measures that arise to reduce these risks in the company are:

  • Independent auditing can be done for every administrative task (this is a detective measure)

  • Multifactor authentication (for example, biometrics) could be enforced to compel the administrator to be physically at the office to operate

  • An approval process (two administrators) could be set to perform a double check on administrative tasks

Access control is the very first measure to protect data, but the ability to recover lost credentials (in a short amount of time) is important too, to avoid unavailability or Denial of Service (DoS).

Mobile devices

With the spread of mobile devices, new risks have arisen in security. First of all, losing the device can compromise company trade secrets, even if the device is found and used by someone who is not going to use the sensitive information. However, from an IT security perspective, the issue still remains.

Many modern mobile operating systems (for example, iOS, Android, and Windows Phone) have a sort of built-in security system to protect themselves from misuse. Unlocking the screen by entering a passcode could be an effective entry-level protection. However, an experienced technician who wants to recover personal data can open the device and connect to its memory to manually recover the private data. Under these conditions, full disk encryption is advised to prevent this circumstance.

Tip

In recent years, many companies have been adopting the Bring Your Own Device (BYOD) philosophy. It is a strategy that, on one hand, can let companies save money on the acquisition and maintenance of devices and, on the other hand, introduces a series of risks associated with the potential loss of governance over personal devices. In these cases, a trade-off between what an employee knows and what he or she can store on devices is required. Under these circumstances, digital services such as the intranet and e-mail are usually blocked by design.

The same applies to desktop computers and laptops. While in most cases a thief would steal them to resell them somewhere, the possibility of a disk inspection is real, and full disk encryption is a good (and often easy) solution to achieve.

Tip

Many modern mobile operating systems also provide the capability to remotely wipe the mobile device. This is a good solution to erase the contents of the device, but it is available only if, after the loss, the device is reconnected to a network.

As usual, a new measure introduces new risks, such as: what if the cryptographic key is lost, and who should be in charge (in a company) of key management? We will discuss this in a later section.

Note

An inventory management process is required as a measure to correctly address the problem of tracking and monitoring the actual mobile devices distributed to employees. Only through an accurate and planned process of inventory management can companies know, at a given point in time, which resources are in/out and who the current owner is.

Cryptography

Most of you probably know what encryption is. If we have a sender and a receiver, and we assume the channel is unsafe (someone is listening), encryption transforms the message into another one with no semantic meaning for anyone listening; once the receiver has received it, the message is brought back to its original form.

Symmetric encryption stands upon these concepts:

  • The sender and receiver know a key

  • Using a well-known algorithm, the sender encrypts the message with the key

  • Using the same reverse algorithm, the receiver decrypts the message

This method, unfortunately, assumes that both parties possess the same key before the communication, and this key exchange must be made in a secure manner. If this assumption does not hold, asymmetric encryption can help. In asymmetric encryption, the receiver owns a key pair: a public key, which it hands to the sender, and a private key, which it keeps secret. The public key is used to encrypt the data, while the private key is used to decrypt the data. Only the receiver can decrypt the data, so:

  • The sender needs to send a message to the receiver; therefore, it asks for the receiver's public key

  • With this key, the sender sends the encrypted message through the channel

  • The receiver uses its private key to decrypt the message

If the public key is lost or intercepted, someone could only encrypt messages, not decrypt them. A man-in-the-middle, however, can impersonate the receiver: by giving the sender its own public key, it can read whatever the sender wants to send.

Public Key Infrastructure (PKI) is required when we want to correctly identify who the speaker at the other side of the cable is. With PKI, a sender can verify the identity of a receiver while, for example, the receiver gives back its public key to start an encrypted conversation. With PKI, the sender asks an authority to confirm the correctness of the information received from the receiver before it starts the communication process. HTTPS is an example of how PKI is used in Internet communication.
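As an added example (not from the book), the following Go program walks through the asymmetric exchange and the PKI check described above: the sender encrypts with the receiver's public key, and before doing so it verifies an authority's signature that binds that key to the receiver's name, so a public key substituted by a man-in-the-middle is rejected. The `Certificate` type, the subject name `receiver.example`, and the function names are this example's own simplifications; a real PKI uses X.509 certificates and certificate chains.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// AsymmetricEncrypt: the sender encrypts with the receiver's public key
// (RSA-OAEP); only the holder of the matching private key can decrypt.
func AsymmetricEncrypt(receiverPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
}

// AsymmetricDecrypt is run by the receiver with its private key.
func AsymmetricDecrypt(receiverPriv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, ct, nil)
}

// Certificate is a minimal, constructed stand-in for a PKI certificate:
// the authority's signature binds a subject name to a public key.
type Certificate struct {
	Subject string
	PubDER  []byte
	Sig     []byte
}

func certDigest(subject string, pubDER []byte) []byte {
	h := sha256.Sum256(append([]byte(subject+"\x00"), pubDER...))
	return h[:]
}

// IssueCertificate is the authority's job: vouch that pub belongs to subject.
func IssueCertificate(ca *rsa.PrivateKey, subject string, pub *rsa.PublicKey) (Certificate, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return Certificate{}, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, ca, crypto.SHA256, certDigest(subject, der))
	if err != nil {
		return Certificate{}, err
	}
	return Certificate{Subject: subject, PubDER: der, Sig: sig}, nil
}

// VerifiedReceiverKey is the sender's check before encrypting anything: the
// certificate must name the intended receiver and carry a valid signature
// from the trusted authority. A key swapped in by a man-in-the-middle, who
// cannot obtain the authority's signature under the receiver's name, fails here.
func VerifiedReceiverKey(caPub *rsa.PublicKey, receiver string, c Certificate) (*rsa.PublicKey, error) {
	if c.Subject != receiver {
		return nil, fmt.Errorf("certificate is for %q, not %q", c.Subject, receiver)
	}
	if err := rsa.VerifyPKCS1v15(caPub, crypto.SHA256, certDigest(c.Subject, c.PubDER), c.Sig); err != nil {
		return nil, errors.New("authority signature does not verify")
	}
	key, err := x509.ParsePKIXPublicKey(c.PubDER)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return pub, nil
}

// NewKey generates a fresh 2048-bit RSA key pair for the example.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	ca, receiver, mitm := NewKey(), NewKey(), NewKey()
	good, _ := IssueCertificate(ca, "receiver.example", &receiver.PublicKey)
	// The interceptor can hand the sender its own public key, but only with a
	// self-signed certificate: the trusted authority never signed that key.
	forged, _ := IssueCertificate(mitm, "receiver.example", &mitm.PublicKey)
	_, err := VerifiedReceiverKey(&ca.PublicKey, "receiver.example", forged)
	fmt.Println("forged certificate rejected:", err != nil)
	pub, _ := VerifiedReceiverKey(&ca.PublicKey, "receiver.example", good)
	ct, _ := AsymmetricEncrypt(pub, []byte("strategic plan"))
	pt, _ := AsymmetricDecrypt(receiver, ct)
	fmt.Println("receiver read:", string(pt))
}
```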

Communication

Communication is probably the key value of any company today. Sending an e-mail to a supplier or a colleague exposes the company to the risk of an information leak, if no security measures are taken.

Tip

A specific internal regulation is needed while working with third parties operating on behalf of the company (that is, outsourcing), and a fortiori when these third parties need access to sensitive information.

The following questions can help you to understand which risks are concrete:

  • Is the Instant Messaging (IM) system implementing a proper cryptography strategy to handle messages between parties?

    • Is the software used trusted?

  • What is permitted to be sent by e-mail? Are there policies to filter incoming and outgoing messages, based on content, attachment, or sender/destination?

  • Are people properly informed about what to disclose? Are they aware of which communication channel they can use to share the company's sensitive data?

Managing communication safely is harder than answering these questions, but it is out of the scope of this book.

Software management

Giving IT equipment to employees exposes the company to a huge number of risks if they are permitted to install and use arbitrary software. This is why modern operating systems have sophisticated mechanisms to configure usage policies in order to permit or deny specific operations to users. However, configuring and maintaining the devices of a medium (or big) company one by one is not a simple task. This is why it is recommended that you implement a centralized management system for devices and operating systems, performing administrative tasks in batches from a remote location.

If you do not have a clear understanding of how important software management is, please note the following:

  • What if a user needs new software? A proper process should be documented, where, for example, the user asks IT to install the software, and IT, after validating the request, performs the remote installation of the requested tool.

  • What if a user opens a virus or, more generally, a malware application received by e-mail? Users should not have rights that allow them to compromise the operating system. In addition, proper restrictions on software execution, Internet browsing, and content filtering could help to reduce the risks.

    Note

    Exercise for you:

    What about updates? Should users be independent while applying them? Why not? Is it a security issue or just a governance one?

Laws and regulations

A company should produce appropriate documentation about its processes to identify risks. As we said earlier, a good code of conduct should be distributed to, and adhered to by, employees to build organizational ethics. Internal regulations must be presented to third parties, contractors, and external entities (who have business relationships with the company) to govern the connection to and treatment of sensitive information.

These principles are valid, but first, a company should address local laws and regulations, such as:

  • Which code of conduct, regulations, and policies are compliant with the law?

  • Is every piece of software used compliant with local laws and regulations?

    • If not, what action could be implemented to replace them?

  • Are the employees informed properly about laws and regulations, on top of the company's rules, to reduce the risk of them making mistakes?

Every country defines its own laws and regulations, for example:

  • In some places, encryption is considered forbidden in some applications

  • In some places, filming employees or visitors is considered illegal, even with a notice

  • In some places, using location tracking on a company's devices given to users, is not permitted

IT security must also take into account the effects of local laws and regulations, for example, on patents or the rights contained within Intellectual Property (IP). Different countries treat software patents differently; for an international company, choosing where to develop software could shape the future of the company itself.

The same applies to IP. There are countries where everything an employee produces (in terms of IP) during his or her work is the property of the company; other countries have different rules. So, as local regulations may differ, proper contracts and agreements should be made to create a common framework that can be used for an international company operating worldwide.

Security in software development

We covered security while using software, but what can we say about building it? The process of creating software hides a series of potential threats that must be addressed correctly before starting the development process. As usual, documented procedures and policies are the main tools a company can use to correctly map each vulnerability with every measure, to control (and reduce, where possible) the risks.

Local development tools

A developer often uses tools that require administrative access to the local machine (think about local web servers); also, during development, a new tool (or set of tools) needs to be installed quickly to perform an immediate action without asking for support. Finally, the operating system itself may be custom configured to test the software infrastructure created.

Note

In some companies, speed is generally preferred over quality. In these environments, inexperienced developers must perform their work on top of every other administrative task (configuring networks, operating systems, and more). It may happen that a wrong configuration may lead the system into an inconsistent state, exposing the local environment (if not the entire network) to malicious software or external attackers.

A well-known, verified, and approved base set of development tools is important for a software development company; starting from this baseline, exceptions can be defined and a proper process to extend or upgrade a developer's permissions must be implemented.

Access to source code

If a company operates as a software house, its most important asset is code: how can we manage it safely? There is no unique answer to this question, nor a procedure that avoids leaks entirely. There are, however, some suggestions:

  • Is the code stored or checked in a code repository? A source code repository helps to granularly grant permission to a particular subset of the codebase on a user-by-user basis.

  • Is the code repository reachable from the Internet? If not, an employee cannot use or dump the codebase from another PC or from outside the company's premises. If it is, an employee can work from outside the company, but can also leak the sensitive data from there.

A safe environment could be a Virtual Machine (VM) (accessible only from inside the company through a remote desktop solution) with the development tools and source code access. By denying Internet access and the copy/paste functionality from/to the VM, a company can reduce the risk of code leaks.

Credentials management

Except when we are working in the perfect company, developers usually gain access to sensitive data or, at least, much more than normal users. It is common to share the database credentials with the main developer, thinking that he or she is reliable. This is probably true but the problem is, by design, this means giving inadequate (or excessive) access to someone.

Tip

A person with administrative access is an administrator and they can, in addition to operating sensitive data, make new administrators or change the existing ones.

In the rest of the book, we will discuss what it means to be an administrator of an Azure-based environment and we will look into different ways you can use to minimize the risk of security incidents.

 

Security standards in Azure


Microsoft manages the Azure infrastructure. At most, users can manage the operating system inside a VM, but they do not need to administer, edit, or influence the under-the-hood infrastructure. They should not be able to do that at all.

Therefore, Azure is a shared environment. This means that a customer's VM can run on the same physical server as another customer's and, for a given Azure service, two customers can even share the same VM (in some Platform as a Service (PaaS) and Software as a Service (SaaS) scenarios).

From the point of view of a customer, a shared environment could sound bad, but it is also good, since there is less to manage and fewer errors might arise. As a consequence of this, Microsoft manages several rings of security and pursues other goals, such as the availability of the shared environment.

Note

Incidents and business continuity:

Incidents may occur, even for super-skilled people who are working in a Microsoft Azure datacenter. Incidents are caused by human faults (pressing the wrong button, inadvertently stumbling upon a power generator with coffee, and so on), by software bugs (a piece of code of a VM management tool crashes on January 1), and by a mix of both (a user forgot to renew an SSL certificate, which leads to the unexpected behavior of the application). When an incident occurs, the consequence could be a downtime in the customers' services. If the incident is not properly addressed, it could lead to a disaster.

Microsoft Azure, like many Cloud computing suites, guarantees a Service Level Agreement (SLA) on its building blocks. The key focus of the SLA is not what happened to the system, but how much time the system was unavailable in a given timeframe (usually a year). This indicator is measurable and it is also a contractual constraint, which is financially backed.

SLA is directly connected to business continuity: an e-commerce operator's interest is to reduce the risk of unexpected periods of unavailability that cause immediate loss of profits.
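The availability indicator described above (unavailable time over a measurement window, compared with a contractual target) as an added example, not code from the book; the incident log and the 99.9% target are constructed values, and overlapping incidents are merged so no minute of downtime is counted twice.

```python
from datetime import datetime, timedelta

# Constructed outage log (not from the book): (start, end) of each incident.
# Two incidents overlap and one starts before the window, both of which a
# naive sum of durations would get wrong.
INCIDENTS = [
    (datetime(2015, 1, 1, 3, 0), datetime(2015, 1, 1, 5, 0)),       # VM management tool crash
    (datetime(2015, 1, 1, 4, 30), datetime(2015, 1, 1, 6, 0)),      # overlaps the crash above
    (datetime(2015, 3, 10, 12, 0), datetime(2015, 3, 10, 13, 0)),   # expired SSL certificate
    (datetime(2014, 12, 31, 22, 0), datetime(2015, 1, 1, 1, 0)),    # partly before the window
]
YEAR_START, YEAR_END = datetime(2015, 1, 1), datetime(2016, 1, 1)   # the usual yearly timeframe


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) pairs into disjoint intervals."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime(incidents, window_start, window_end):
    """Total unavailable time that falls inside the measurement window."""
    total = timedelta()
    for start, end in merge_intervals(incidents):
        start, end = max(start, window_start), min(end, window_end)  # clip to the window
        if end > start:
            total += end - start
    return total


def availability(incidents, window_start, window_end):
    """The SLA indicator: percentage of the window during which the service was up."""
    window = window_end - window_start
    return 100.0 * (1 - downtime(incidents, window_start, window_end) / window)


def meets_sla(incidents, window_start, window_end, target_percent):
    """True when measured availability reaches the contractual target."""
    return availability(incidents, window_start, window_end) >= target_percent


if __name__ == "__main__":
    print("Downtime in 2015:", downtime(INCIDENTS, YEAR_START, YEAR_END))          # 5:00:00
    print(f"Availability: {availability(INCIDENTS, YEAR_START, YEAR_END):.4f}%")  # 99.9429%
    print("Within 99.9% SLA:", meets_sla(INCIDENTS, YEAR_START, YEAR_END, 99.9))  # True
```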

Implementing security, privacy, and compliance

Microsoft Azure implements the most recognized standards about security and privacy and implements effective practices about compliance. The Microsoft Azure Trust Center (http://azure.microsoft.com/en-us/support/trust-center/) highlights the attention given to the Cloud infrastructure in terms of what Microsoft does to enforce security, privacy, and compliance. Let's discuss these in detail.

Security

Part of Microsoft's attention to security is also about processes and management, by implementing a series of measures:

  • Security centers: Microsoft implemented internal units for security, such as the Microsoft Digital Crimes Unit, Microsoft Cybercrime Center, and Microsoft Malware Protection Center

  • Security Development Lifecycle (SDL): Microsoft implemented SDL to provide a software development process that builds security in at every phase

    Note

    More information about SDL can be found here: http://www.microsoft.com/security/sdl/default.aspx, including a training path to implement our own process.

  • Incident task force: Microsoft documentation often states that infrastructures are designed to react, assuming there is a breach, fielding a task force of security experts who are available 24 x 7

The first point of interest is the management of the datacenter, where Microsoft takes care of everything including:

  • Physical security: Microsoft assures that the datacenter buildings are designed to be monitored and controlled in the case of physical attacks (environmental or criminal).

  • Software updates: For each managed service running on Azure (PaaS and SaaS services, at least), Microsoft applies the latest security updates, as well as malware protection, in order to avoid security breaches affecting its customers.

  • Hacking countermeasures: Azure implements techniques to detect software intrusions and Distributed Denial of Service (DDoS) attacks, and performs periodic penetration tests to constantly ensure these requirements are met.

  • Isolation: Since resources are shared, isolation between tenants (customers, but also different subscriptions) is implemented by design. Network activity between VMs is restricted (except in the cases intentionally left open for customers' solutions).

In the rest of the book, we will discuss what we should do to implement security from a user perspective; while Azure manages the datacenter, users must manage the application's security.

Privacy

Microsoft Azure is a public Cloud product so, to ensure adoption, it must adhere to most of the security and privacy standards and/or regulations in order to be usable worldwide. We can choose our own region to store applications and data, and Microsoft ensures that, for the services implementing geo-replication, data won't ever leave the geo-political area.

Note

What does the term geo-political area mean? Let's, for example, choose West Europe as the location for our deployment. In some cases, Microsoft, to ensure availability, creates replicas in another datacenter, preventing the expected downtime in the case of a disaster in the primary one. However, a customer would not want the data replicated outside the political boundaries he or she has chosen. This is why there are often (at least) two datacenters in the same political region (that is, in Europe) where the rules are aligned.

While privacy is also enforced at the personnel level (no one inside Microsoft can access customer resources, except when a customer requests assistance), Microsoft offers strong contractual agreements to enterprise customers and does not use customer data to sell advertisements anywhere.

Compliance

Previously in the chapter, you saw how security is mostly about processes instead of technology. We introduced the importance of standards, while implementing the proper controls and measures to be adequately safe. While avoiding unnecessary details, you must know that Microsoft Azure is certified for ISO/IEC 27001 and is audited yearly.

 

Summary


In this chapter, we introduced IT security issues and also covered how a security officer should think while facing this aspect. We looked at the ISO standards and covered some security controls to help you understand what a Cloud vendor does and to better understand what we have to do.

In the next chapters, we only talk about Azure and we focus on the processes instead of the technology. In the next chapter, we talk about Identity and Access Management from the user's perspective by implementing security controls in the authentication process.

About the Author

  • Roberto Freato

    Roberto Freato has been an independent IT consultant since he started to work. Working for small software factories while he was studying, after his M.Sc. in Computer Science Engineering with his thesis on Consumer Cloud Computing, he got specialization in Cloud and Azure. Today, he works as a freelance consultant for major companies in Italy, helping clients design and kick off their distributed software solutions. He trains the developer community in his free time, speaking at many conferences. He has been a Microsoft MVP since 2010.

