Cloud security has come a long way since its early days. Instead of moving to the cloud despite security concerns, organizations now move there because of the security advantages. For many enterprises, it is now safer to store and process their data in the cloud than on their own premises. Yet cloud security must be tight enough to protect properly while still preserving productivity.
The Azure public cloud service platform combines these different requirements. The fundamental trio of confidentiality, integrity, and availability is upheld at all levels – infrastructure, data, and applications. In addition, Azure gives you the ability to tune your security to meet your individual needs with straightforward, user-friendly, robust tools and options.
Azure defines six functional domains for security: identity, operations, applications, compute, storage, and networking. Within or across these domains, Azure offers comprehensive possibilities to apply, enhance, customize and track security measures.
Identity and access management
Authentication is one of the first steps to effective security, ensuring that users are who they claim to be. Microsoft combines the strength of multi-factor authentication (MFA) with user-friendliness in Microsoft Authenticator. Azure Active Directory facilitates secure access to data in applications and management of users and groups. Role-Based Access Control (RBAC) in Azure lets you respect two fundamental security principles: need to know (access is only granted to those who legitimately need it) and least privilege (only the minimum privileges needed to get jobs done).
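The need-to-know and least-privilege principles above are enforced in Azure RBAC by three things working together: role definitions built from Actions and NotActions, role assignments attached to a scope (subscription, resource group or single resource) that children inherit, and deny assignments that override any grant. The following is an added example, not code from the original article or from Microsoft, that models that evaluation in plain Python. The role table, principal names and resource paths are constructed for illustration; the action strings follow Azure's naming convention but the table is a subset, not a copy of the built-in roles.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed role definitions in the Actions/NotActions shape Azure RBAC uses.
# Illustrative subset only, not the real built-in role definitions.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor may manage resources but may not hand out access.
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Network/networkInterfaces/read"],
        "not_actions": [],
    },
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str          # subscription, resource group or resource path


@dataclass(frozen=True)
class DenyAssignment:
    principal: str
    actions: tuple
    scope: str


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment at a parent scope is inherited by every child scope."""
    parent = assignment_scope.lower().rstrip("/")
    child = resource_scope.lower().rstrip("/")
    return child == parent or child.startswith(parent + "/")


def action_matches(action: str, patterns) -> bool:
    """Action strings are matched case-insensitively with '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role: str, action: str) -> bool:
    """Actions grant; NotActions subtract within the same role definition."""
    definition = ROLES[role]
    return (action_matches(action, definition["actions"])
            and not action_matches(action, definition["not_actions"]))


def is_allowed(principal, action, resource_scope, assignments, denies=()):
    # 1. A deny assignment at or above the resource always wins.
    for deny in denies:
        if (deny.principal == principal
                and scope_covers(deny.scope, resource_scope)
                and action_matches(action, deny.actions)):
            return False
    # 2. Otherwise the effective permission is the union of every role
    #    assignment whose scope covers the resource.
    return any(a.principal == principal
               and scope_covers(a.scope, resource_scope)
               and role_permits(a.role, action)
               for a in assignments)


# Constructed sample tenant: an auditor who may only read, an operator who
# may manage VMs in one resource group, and a platform admin with Contributor.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DB = SUB + "/resourceGroups/rg-db"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB = RG_DB + "/providers/Microsoft.Compute/virtualMachines/db01"

ASSIGNMENTS = [
    Assignment("auditor", "Reader", SUB),
    Assignment("vm-operator", "Virtual Machine Contributor", RG_WEB),
    Assignment("platform-admin", "Contributor", SUB),
]
DENIES = [
    # Even a Contributor may not delete VMs in the database group.
    DenyAssignment("platform-admin",
                   ("Microsoft.Compute/virtualMachines/delete",), RG_DB),
]

if __name__ == "__main__":
    checks = [
        ("auditor", "Microsoft.Compute/virtualMachines/read", VM_DB),
        ("auditor", "Microsoft.Compute/virtualMachines/start/action", VM_DB),
        ("vm-operator", "Microsoft.Compute/virtualMachines/start/action", VM_WEB),
        ("vm-operator", "Microsoft.Compute/virtualMachines/start/action", VM_DB),
        ("platform-admin", "Microsoft.Authorization/roleAssignments/write", RG_WEB),
        ("platform-admin", "Microsoft.Compute/virtualMachines/delete", VM_DB),
    ]
    for who, action, scope in checks:
        print(f"{who:15} {action:52} {is_allowed(who, action, scope, ASSIGNMENTS, DENIES)}")
```

Two points the walk-through makes that the paragraph only asserts: the operator's rights stop at the resource-group boundary because scope inheritance only flows downward, and the Contributor cannot write role assignments because NotActions are subtracted from the same role, so "broad role" does not mean "can grant access".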
From inside the organization, Azure Security Center enables end-to-end security monitoring and policy management, working with a wide range of security solutions to optimize protection, threat detection and threat elimination. A security-and-audit dashboard gives at-a-glance information on the organization’s security posture, along with pre-defined search queries for priority issues.
Because vulnerabilities are often created through misconfiguration, Azure Resource Manager offers template-based deployment to help avoid such errors: resources are managed efficiently and securely in one coordinated action. Azure Monitor lets you see status and automate measures to protect individual Azure resources and the overall Azure infrastructure. Application Insights monitors live web applications and automatically detects performance issues.
Taking security to the next level, Azure Advisor suggests ways to improve security, availability, and performance, while also making recommendations on how to trim overall Azure costs.
With so many applications web-enabled or built for the web, Azure has a corresponding range of security features. Azure makes it easy for developers to implement a layered security architecture with separate access to each layer. Azure App Service then lets them handle authentication and authorization in applications without needing to change the application code.
The web application firewall (WAF) in Azure Application Gateway increases protection for web applications against SQL injection, session hijacking, cross-site scripting, and other common attacks. Vulnerability scanning can be done through integration with specialized applications such as Tinfoil Security. Penetration testing is also possible after obtaining approval from Azure.
Diagnostic data is available from both the web server and the web application. Web server diagnostics include real-time information on application pools, processes, sites, domains, and requests, and detailed trace events let you follow a request from the start to the finish of the request-and-response process.
Azure has multiple features to ensure that execution of code in your Azure user space remains secure in terms of confidentiality, integrity, and availability. Confidentiality is maintained through encryption and virtual networking. Azure Disk Encryption lets you encrypt Windows and Linux IaaS virtual machine disks. SQL Server benefits from transparent data encryption (TDE) and column-level encryption (CLE). In each of these cases, you can further improve security by storing your encryption keys in Azure Key Vault, which is backed by hardware security modules.
Integrity and availability are reinforced by simplified patch updates, Azure Backup and Azure Site Recovery. Azure Backup backs up virtual machines to safeguard your application data with no initial investment and minimal ongoing cost. Azure Site Recovery keeps your workloads and apps available from an alternate location if your main location suffers an outage, by assisting with replication, failover, and recovery.
Staying safe with data storage means keeping both the data and the data access secure. In Azure Storage, encryption at rest is automatic when data is being written to Azure storage. Encryption in transit secures data while it is moving, using transport-level encryption like HTTPS and wire encryption like SMB 3.0 encryption for Azure File shares.
To ensure that productivity is not penalized, Azure Storage also provides two ways to share resources. The first is a shared access signature (SAS) to grant another user limited permission to access objects in your Azure Storage space. The second is Cross-Origin Resource Sharing (CORS) to allow two domains to access each other’s assets. In addition, storage analytics give you information and insights into access requests, trends, and issues.
Finally, Azure also has functions to limit connectivity to and from devices and subnets. Fundamental to these capabilities is the Azure virtual network (VNet), a logically isolated part of the Azure network for your enterprise to use. You can segment your Azure virtual network into subnets and connect it to your on-premises network.
Within an Azure virtual network, network-layer controls comprise Network Security Groups (NSGs), route control and forced tunneling. An NSG controls traffic between the subnets of an Azure virtual network, as well as between an Azure virtual network and the Internet. Route control and forced tunneling are user-defined routing functions that ensure the most secure available route for traffic entering and leaving virtual machines. Forced tunneling stops services from calling out to services on the Internet.
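An NSG decides each packet by walking its rules in priority order (lowest number first) and applying the first match; every NSG also carries default rules at priorities 65000 and above, ending in DenyAllInBound, so traffic nobody explicitly allowed is dropped. The added example below, which is not code from the original article or from Microsoft, reproduces that first-match evaluation for inbound traffic and runs a constructed web-tier rule set against sample sources. The address plan, rule names and test addresses are constructed; the default rule names and priorities match the ones Azure documents, and the "Internet" and "VirtualNetwork" service tags are resolved only against this sample VNet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan used to resolve the service tags in this example.
VNET_RANGES = [ip_network("10.0.0.0/16")]
AZURE_LB_PROBE = ip_network("168.63.129.16/32")   # Azure's documented probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; the lowest number is checked first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR or service tag
    dest_ports: str    # "443", "1000-2000", "22,3389" or "*"


# Default inbound rules present in every NSG; they cannot be removed, only
# overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    in_vnet = any(ip in net for net in VNET_RANGES)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return in_vnet
    if rule_source == "AzureLoadBalancer":
        return ip in AZURE_LB_PROBE
    if rule_source == "Internet":
        return not in_vnet and ip not in AZURE_LB_PROBE
    return ip in ip_network(rule_source, strict=False)


def port_matches(rule_ports: str, port: int) -> bool:
    """Accept '*', single ports, ranges 'a-b' and comma-separated lists of either."""
    if rule_ports == "*":
        return True
    for part in rule_ports.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(custom_rules, src_ip: str, protocol: str, dest_port: int) -> Rule:
    """Return the first rule, in priority order, that matches the inbound flow.
    The default rules make the decision total: something always matches."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and source_matches(rule.source, src_ip)
                and port_matches(rule.dest_ports, dest_port)):
            return rule
    raise AssertionError("DenyAllInBound should always match")


# Constructed custom rules for a web tier: public HTTPS, SSH only from the
# admin range, and an explicit deny of RDP from the Internet.
WEB_TIER_RULES = [
    Rule("AllowHttpsInBound", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("AllowSshFromAdmin", 110, "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("DenyRdpFromInternet", 120, "Deny", "Tcp", "Internet", "3389"),
]

# The same set with one careless addition: an allow-anything rule. It sits
# below the explicit rules but above the defaults, so DenyAllInBound never fires.
OVERLY_BROAD_RULES = WEB_TIER_RULES + [Rule("AllowAnyInBound", 4000, "Allow", "*", "*", "*")]

if __name__ == "__main__":
    flows = [("198.51.100.7", "Tcp", 443), ("198.51.100.7", "Tcp", 22),
             ("203.0.113.5", "Tcp", 22), ("198.51.100.7", "Tcp", 3389),
             ("10.0.1.5", "Tcp", 3389), ("168.63.129.16", "Tcp", 80)]
    for rules, label in ((WEB_TIER_RULES, "web tier"), (OVERLY_BROAD_RULES, "overly broad")):
        print(f"--- {label}")
        for src, proto, port in flows:
            hit = evaluate(rules, src, proto, port)
            print(f"{src:>15} {proto} {port:<5} -> {hit.access:5} ({hit.name})")
```

The contrast between the two rule sets is the practical lesson: a single permissive rule with a priority number below 65000 silently defeats the default deny for every port it covers, which is why NSG reviews should look at the sorted rule list as a whole rather than at individual allow rules.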
In addition, the VPN gateway can send encrypted traffic between Azure virtual networks over a public connection. ExpressRoute interconnects Azure and on-premises networks via a dedicated private connection from a service provider. Further security-related features include traffic management (traffic routing, endpoint health monitoring, automatic failover), load balancing, DNS services, and diagnostic log analytics. Azure Security Center (see above) is a further resource for preventing, detecting, and reacting to threats.
Over the six domains described above – identity and access management, operations, applications, compute, storage, and networking – Azure security tools and functionalities bring you the capabilities to run your apps and workloads safely and reliably. Azure Security Center provides an overarching security approach and the rich Azure security features cover the security requirements of virtually any enterprise.