
This book provides general information, design considerations, deployment scenarios, best practices, technology survey questions, and instructions to help you make a comprehensive presentation of the Azure security features.
An expert level of Azure or PowerShell is not required. It is also assumed that the reader has experience with enterprise-class information technology and a sufficient level of skill to work in the data center.
Today we publish part of the first chapter of this book. You can download the full version for free at the link.
Table of contents
- Cloud Security (page 1)
- Identity Protection in Azure (page 19)
- Azure Network Security (page 53)
- Data and Storage Security (page 85)
- Protection of Virtual Machines from Malware (page 103)
- Key Management in Azure Using Key Vault (page 119)
- Internet of Things Security (page 155)
- Hybrid Environment Monitoring (page 175)
- Operations and Management in the Cloud (page 191)
Cloud Security
Before you begin to consider the main subject of this book, namely the security infrastructure of Microsoft Azure, it is important to understand what level of security can be provided in the cloud. To find out why the Azure cloud platform is truly reliable, you need to consider a number of important factors that affect the security of solutions in the cloud. Cloud security is the result of the joint efforts of your company and the cloud service provider. This chapter discusses the most important factors that will help you understand the limitations, areas of responsibility, and the capabilities of cloud technologies for later use as a reliable business platform.
Important factors affecting cloud security
Before embarking on the full-scale implementation of cloud systems, it is important for the responsible employees of the organization to understand how security is organized within the cloud model. This understanding needs to be developed before planning. If participants are not adequately familiar with the security features in the cloud, then the success of the entire project for the implementation of cloud systems may be at risk.
When planning the introduction of cloud technologies, it is important to evaluate the following aspects of their security:
- Compliance
- Risk management
- Identity and access management
- Security operations
- Endpoint protection
- Data protection
Each of these aspects needs attention. The required depth of study of individual issues depends on the specifics of your company: for example, the priorities of a medical institution and a manufacturing enterprise can vary greatly. In the following sections, we will look at each of these aspects in more detail.
Compliance
Each organization has certain requirements, and it is important not to violate them when moving to the cloud. The source of these requirements may be internal or external rules, for example industry standards with which compliance is mandatory. Cloud service providers must be prepared to help customers meet the necessary requirements when implementing a cloud system. In many cases, customers must rely on the cloud service provider for compliance.
To help customers comply with current requirements, Microsoft uses the following three approaches.
- Building compliance in from the start
  - Trustworthy technology
  - Investment in compliance processes
  - Third-party certification
- Helping customers ensure compliance
  - Transparency
  - Choice
  - Flexibility
- Working with leading companies in various industries
  - Standards development
  - Collaboration with legislative and regulatory bodies
It is recommended to work closely with the cloud service provider to analyze which requirements your organization must meet and to what extent the provider's offerings match them. It is also very important to make sure that the cloud service provider already has experience in delivering highly secure and reliable cloud services that ensure the strongest confidentiality and protection of customer data.
Learn more: For more information on how Microsoft helps customers ensure compliance, see the article.
Risk management
For cloud systems to be implemented successfully, it is very important that the customer can trust the security of the provider's infrastructure. The cloud service provider must implement and strictly adhere to Internet security risk management policies and programs. When managing risk in a cloud environment, it is important to take into account how dynamic that environment is.
Microsoft has been providing online services to customers for many years. During this time, highly effective processes have been developed for controlling these new risks. As part of risk management, the cloud service provider should perform the following tasks:
- Identify vulnerabilities and threats in the environment.
- Quantify the risks.
- Publish information about the risks that threaten the cloud environment.
- Counter the risks based on an analysis of their possible consequences and business impact.
- Verify the effectiveness of the chosen countermeasures and analyze the residual risk.
- Manage risk continuously.
It is very important that customers actively cooperate with cloud service providers and require them to ensure maximum transparency of processes. In this case, customers will be able to analyze the measures taken to counter risks and assess how they correspond to the level of data privacy and the degree of protection that is required for their organization.
Identity and Access Management
In today's world, users can often work from anywhere in the world using a wide range of devices, while accessing a great variety of cloud services. In these circumstances, the security of user identities becomes especially important. When cloud systems are used, it is identity that becomes the boundary between "us" and "them". Identity is the control plane of your entire infrastructure, whether on-premises or in the cloud. Identities are used to control access to any service from any device, and they make it possible to track and analyze data usage patterns.
In order to embed cloud technologies in your organization, you need to familiarize yourself with the available identity and access management capabilities, as well as understand how these methods allow you to interact with the existing local infrastructure. When planning identity and access management, it is important to consider the following factors:
- Identity provisioning
  - Identity provisioning requirements depend on the cloud computing model used: software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS).
  - Evaluate the options for securely automating identity provisioning from the existing on-premises infrastructure.
- Federation
  - Analyze the available federation methods and how they can be integrated with your on-premises infrastructure.
- Single sign-on (SSO)
  - Analyze your organization's SSO requirements and the ability to integrate single sign-on with your applications.
- Profile management
  - Analyze the solutions the cloud service provider offers and how well they meet your organization's requirements.
- Access control
  - Evaluate the data access control capabilities the cloud service provider offers.
  - Implement role-based access control (RBAC).
Security operations
For organizations that are switching to cloud technologies, it is important to adapt internal processes accordingly, including security monitoring, auditing, incident response, and forensic examinations. The cloud platform should enable IT administrators to monitor the status of services in real time in order to monitor their performance and quickly restore functioning after a failure.
You must ensure that all deployed services are monitored and maintained in accordance with the service level agreement (SLA) between the cloud service provider and the client organization. The following are other factors that affect the security of operations in the cloud.
- Training the organization's staff on the new processes.
- Implementing industry standards and practices for operations, for example NIST SP 800-53.
- Managing security information in accordance with industry standards such as NIST SP 800-61.
- Using the threat intelligence provided by the cloud service provider.
- Continuously updating controls and risk mitigations to improve the security of operations.
Endpoint protection
The security of the cloud service provider's infrastructure is not the only factor that determines cloud security. Later in this chapter we will look at the concept of shared responsibility. One of its aspects is that, when deploying cloud technologies, the organization itself must ensure endpoint security. When implementing cloud systems in a company, it is recommended to strengthen endpoint security, because after such a transition endpoints will open external connections more often and access more applications, which may be deployed in the environments of other cloud service providers.
Users are the main target of attacks, and it is through endpoints that users usually receive information. A user's work computer, their smartphone, and any other device that can be used to access cloud resources are all endpoints. Attackers know that users are the weakest link in the security chain, and they constantly refine social engineering methods (for example, phishing e-mails) whose purpose is to make the user perform an action that compromises the endpoint. When designing endpoint protection as part of an overall cloud security strategy, it is recommended to follow these principles.
- Update endpoint software in a timely manner.
- Enable automatic update of signatures on endpoints.
- Monitor access to software update sources.
- Ensure that end users do not have local administrator rights.
- Grant users only the minimum privileges they need to work, and use role-based administration.
- Respond promptly to notifications from endpoints.
Note. Protecting privileged access is a critical step in ensuring business security. We recommend that you read the article on privileged access workstations (PAW) at aka.ms/cyberpaw and learn more about the Microsoft methodology for protecting your most valuable assets.
Data protection
From a security point of view, the ultimate goal when moving data to the cloud is to protect the data wherever it is located. The movement of data consists of several stages, and a stage is determined by where the data is located at a given point in time. See the diagram:
The diagram shows the following steps:
- Data is stored on the user's device. The data is at the endpoint, which can be any device. Data stored on personal devices used for business purposes (BYOD scenarios), as well as on company-owned devices, must be encrypted.
- Data is transferred from the user's device to the cloud. The data must be protected once it leaves the user's device. There are many technologies for protecting data regardless of its location, for example Azure Rights Management. The data channel must also be encrypted, and an appropriate technology such as TLS must be enforced.
- Data is stored in the cloud service provider's data center. When data reaches the cloud service provider's servers, the storage infrastructure must provide redundancy and protection. Be sure to find out exactly how your cloud service provider encrypts data at rest, who is responsible for key management, and how data redundancy is ensured.
- Data is transferred from the cloud to the on-premises environment. Here the recommendations for stage 2 apply: both the file itself and the transport layer must be encrypted.
- Data is stored in the on-premises environment. Securing data in the on-premises environment is the customer's task. A critical part of it is encrypting the data stored in the company's data center. Your infrastructure must provide the necessary level of encryption, data redundancy, and key management.
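The questions in stages 2 and 3 (is the channel encrypted, how is data encrypted at rest, who holds the keys, how is redundancy provided) can be checked against Azure Storage directly. The following script is an added example, not code from the book; it assumes the Az.Storage module, that Connect-AzAccount has already been run, and that the caller can read the storage accounts in the current subscription. The property names used (EnableHttpsTrafficOnly, MinimumTlsVersion, Encryption.KeySource, Sku.Name) are those returned by Get-AzStorageAccount.

```powershell
# Added example (not from the book): audit Azure Storage accounts for the
# in-transit and at-rest controls discussed above, using the Az.Storage module.
# Assumes Connect-AzAccount has already been run with read access to the accounts.

function Get-StorageDataProtectionFindings {
    [CmdletBinding()]
    param(
        # Optional: limit the audit to one resource group
        [string]$ResourceGroupName
    )

    $accounts = if ($ResourceGroupName) {
        Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzStorageAccount
    }

    foreach ($sa in $accounts) {
        $issues = @()

        # Stages 2 and 4: the channel between client and data center must be TLS.
        if (-not $sa.EnableHttpsTrafficOnly) {
            $issues += 'Plain HTTP is accepted (EnableHttpsTrafficOnly is false)'
        }
        # Accounts created before the setting existed report no value, which means TLS 1.0.
        if ($sa.MinimumTlsVersion -ne 'TLS1_2') {
            $issues += "Minimum TLS version is '$($sa.MinimumTlsVersion)' rather than TLS1_2"
        }

        # Stage 3: who holds the keys for encryption at rest. 'Microsoft.Storage' means
        # platform-managed keys; 'Microsoft.Keyvault' means customer-managed keys.
        if ($sa.Encryption.KeySource -ne 'Microsoft.Keyvault') {
            $issues += "Encryption keys are managed by the platform (KeySource $($sa.Encryption.KeySource))"
        }

        [pscustomobject]@{
            Account       = $sa.StorageAccountName
            ResourceGroup = $sa.ResourceGroupName
            Redundancy    = $sa.Sku.Name      # e.g. Standard_LRS, Standard_GRS
            Issues        = $issues
        }
    }
}

function Set-StorageTransportHardening {
    # Remediate the transport findings for one account. The key-management
    # choice is a design decision and is deliberately left alone here.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $Name `
        -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2
}

# Example usage: report every account that has at least one finding.
Get-StorageDataProtectionFindings |
    Where-Object { $_.Issues.Count -gt 0 } |
    Format-Table Account, ResourceGroup, Redundancy, Issues -AutoSize
```

The platform-managed-keys finding is informational rather than a defect: it records the answer to the "who is responsible for key management" question so that it can be compared with the organization's requirements.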
Important factors affecting cloud security
Once you move to cloud technologies, different principles come into play. Cloud services differ from on-premises virtual machines and time-sharing mainframes in many respects, including scalability, speed, and architecture, so they have to be approached differently. When working with a cloud service provider (for example, when using Azure), it is recommended to consider the following points.
A well-designed cloud service lets you bring machines into operation, or retire them, within minutes or hours. Many services of this kind can handle peak loads more than 10 times higher than normal within a single day. Software development is now very fast, and weekly (or even daily) code changes have become the norm, so testing should be carried out against production services, but without using confidential production data. For any organization moving to cloud technologies, it is important to establish trust with the cloud service provider and to use all available tools to define mutually agreed requirements and to follow them on both sides.
I sometimes give my friends the following example. If in the 90s I needed a dozen servers for a new project, then planning, ordering, delivering, placing, connecting, setting up and deploying could take 4-6 months, and only after that could the team start testing the working version of the service. Today, thanks to Azure, I can do it in 30 minutes using only one phone.
Jim Molini
Senior Program Manager, C + E Security
Shared responsibility
In a traditional data center, responsibility for every aspect of the infrastructure lies with the company's own IT department. This is how on-premises computing environments have worked since the advent of modern client-server architectures (and even earlier, in the mainframe era). If the network, storage, or compute systems did not work as they should, it was the IT department that had to determine the cause and fix the problem.
With security teams the situation was similar. The security team worked with the IT department, and together they secured the components of the IT infrastructure. The company's security team set the requirements, discussed them with the IT department, and defined the controls that IT infrastructure staff and operators could implement. In addition, the security team defined standards and regularly audited the infrastructure for compliance with those standards.
For data centers hosted outside the on-premises environment, all of this still applies. However, with the advent of computing environments based on public clouds, the IT and security departments have a new partner: the cloud service provider. This provider has its own IT infrastructure and is obliged to ensure that it meets security and manageability requirements.
This means that you will not only need to prepare and take into account your own security requirements, but also to have sufficient capabilities to monitor the security infrastructure of the cloud service provider and monitor its operations. The required capabilities for such monitoring depend on the cloud security model that your company uses in the infrastructure of the service provider.
Cloud computing
In this section we briefly look at cloud computing so that we can start from a shared understanding of what is and is not part of it. This section will help you understand how security works in the cloud, which approaches familiar from traditional data centers remain in place, and which have changed.
Cloud computing definition published by NIST
For a while, the term "cloud computing" had no formal definition. Of course, people with industry experience understood "the cloud" to mean the Internet, and for some the essence of cloud computing was precisely the delivery of services over the Internet.
Some analysts used the term utility computing, thereby focusing on the service delivery model. Within the utility model there is a fixed set of capabilities available to everyone, and payment is charged according to the amount of resources consumed, much like the consumption of electricity or gas by private individuals.
Today, governments and companies in many countries use the definition of cloud computing published by NIST, the US National Institute of Standards and Technology, which they find the most reliable and useful.
NIST has published "five essential characteristics" of cloud computing, along with definitions of the cloud service models and cloud deployment models. These formulations have significantly advanced the understanding of the nature of cloud computing.
The figure shows the five basic characteristics, cloud service models, and cloud deployment models.
Cloud Computing Characteristics
NIST identifies the following five essential characteristics of cloud computing:
- On-demand self-service. The ability of the cloud platform to provide consumers with the resources they need without human interaction with the provider. An example of this capability: the consumer fills out a web form stating the resource requirements, and the cloud service provider allocates the necessary resources.
- Broad network access. The ability to access cloud resources from virtually anywhere in the world and from any device. It is important to note that broad network access is part of the definition of cloud computing, and providing such access is an important condition for a successful deployment. But this item does not mean that access must always be open to everyone. As you read this book, you will learn that access controls are a critical part of any cloud system.
- Rapid elasticity. Consumers of cloud services can quickly obtain cloud resources as needed, and then return them to the pool of shared cloud resources when they are no longer required. Cloud services are designed so that consumers can obtain and return resources quickly. From the customer's point of view, the amount of resources that can be obtained from the cloud is practically unlimited. If a consumer expects to need more resources soon, they can request them from the provider to cope with the upcoming load. The basis of this dynamic elasticity is precisely that resources appear unlimited from the consumer's point of view.
- Resource pooling. All users of the cloud service draw resources from a common set (pool). Servers, network components, and storage are shared by all users of the cloud environment. This resource pool is dynamically partitioned so that each customer has access only to its own data, applications, and virtual machines. Because of this requirement, any cloud infrastructure must implement isolation at every level in order to succeed. (We will look at isolation in more detail later in this chapter.)
- Measured service. Consumers of cloud services pay only for the resources they actually use, just as with utilities such as electricity, water, or gas (although in that case a base rate for access to the service is sometimes charged as well). This characteristic also means that the cloud service provider must make consumption transparent, giving customers information about how much they consume so that they can plan their future needs and costs.
Cloud Service Models
The definition of cloud computing published by NIST includes three service models and four deployment models. The service model determines which layers of the overall solution stack the cloud service provider delivers to its customers. The deployment model determines how and to whom these services are provided.
Cloud service models:
- Infrastructure as a service (IaaS). The provider supplies the basic physical infrastructure, compute systems, and storage. The cloud service provider owns this infrastructure and is responsible for maintaining it: it must keep it operational and ensure the performance and security of its components. Unlike in an on-premises computing environment, with IaaS you are not responsible for these basic layers of the environment for any solution you host in the cloud service provider's infrastructure.
- Platform as a service (PaaS). Here the customer receives everything provided by infrastructure as a service, plus the components of a development platform. In this model the cloud service provider controls not only the infrastructure but also the operating system (or components that provide equivalent functionality) and the runtime environment (for example, the web server platform) needed to run applications developed by customers. Securing these operating systems (or their equivalents) and the runtime is also the responsibility of the cloud service provider, not the customer.
- Software as a service (SaaS). This option is also called "off-the-shelf service". Here the maintenance of the entire infrastructure, platform, and application environment is the responsibility of the service provider. The software-as-a-service approach gives customers a complete application with the capabilities usually found in on-premises solutions. Examples include Microsoft Exchange Server (for e-mail) and Microsoft SharePoint (for collaboration). Secure deployment and management of the application are also the responsibility of the cloud service provider.
Cloud deployment models
NIST outlines four deployment models:
- Public cloud. This model is designed so that many customers can access a shared infrastructure from anywhere in the world. All public cloud customers share common components: servers, network devices, and storage devices. Of course, the deployment and management methods for these physical infrastructure components meet the requirements for the cloud. As we will see later, the key condition for the success of a public cloud is reliable isolation: the ability to isolate the resources of different customers at every level. Meeting this condition is the main responsibility of every public cloud service provider.
- Private cloud. In this deployment model, the cloud is managed by the company's own IT department. A private cloud and a traditional data center are not the same thing (although the two are often confused). Unlike a traditional on-premises data center, a private cloud exhibits all five essential characteristics of cloud computing proposed by NIST (reviewed above). The isolation requirement applies to private clouds as well, although it may be less critical than for public clouds; this depends on the usage scenario, on the existing level of trust and separation into security zones in the company's infrastructure, and on the company's requirements for cloud protection. How does a private cloud differ from a public one? In that the company can manage all the components of its private cloud without depending on other organizations.
- Hybrid cloud. This deployment model usually combines a public cloud with a private cloud. Other kinds of hybrid clouds exist, for example a combination of two public clouds. In a typical hybrid cloud deployment scenario, the different components of the solution are located in two environments: a public cloud and a private cloud.
  Consider as an example a three-tier application with a front-end web tier, a middle application-logic tier, and a back-end database tier. In a hybrid cloud deployment, the front-end web servers and the application-logic servers are located in the public cloud, while the back-end databases are located in the on-premises infrastructure. Typically, the on-premises network communicates with the public cloud over a cross-premises connection, for example a VPN connection or a dedicated WAN link.
- Community cloud. This kind of cloud resembles a public cloud, but it is not open to all potential users. Community cloud infrastructures are intended for use by a specific group, for example the government of a region, state, or country.
Azure Security Architecture
As we said in this chapter, responsibility for cloud security is shared among several participants. Azure is no exception. However, the design of the Azure platform initially used the principles that are called the Security Development Lifecycle (SDL), or "the life cycle of developing secure applications." The Azure platform implements many features that enhance the protection of client resources located in it.
Security is built into the Azure infrastructure at various levels: physical security, data security, identity and access management, application security. Figure 1-4 shows some of the core components of the Azure architecture.
The first line of defense is verifying the user's identity at the subscription level. The subscription owner, or account administrator, is the person who signed up for your Azure subscription. This person has access to the account management center and can perform every available management operation. In new subscriptions, the account administrator is also assigned the service administrator role, and therefore the right to manage the Azure portal. The customer must exercise the utmost caution in giving anyone access to this account.
Note. Azure administrators must use role-based access control (RBAC) to grant users the necessary permissions. Learn more about RBAC here: azure.microsoft.com/documentation/articles/role-based-access-control-configure.
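As an added illustration of the RBAC recommendation above (this is example code, not the book's own), the following Azure PowerShell script does two things: it lists who holds Owner at subscription scope, which is the broadest possible grant, and it assigns operators a built-in role scoped to a single resource group instead. It assumes the Az.Resources module and a signed-in user who can read and write role assignments; the group name and resource group name are placeholders.

```powershell
# Added example (not from the book): apply the RBAC note above with the
# Az.Resources module. Assumes Connect-AzAccount has been run by a user who can
# read and write role assignments. Group and resource group names are placeholders.

$subscriptionId = (Get-AzContext).Subscription.Id
$resourceGroup  = 'rg-web-prod'       # placeholder
$operatorsGroup = 'web-operators'     # placeholder Azure AD group

function Get-SubscriptionOwnerAssignments {
    # Anyone granted Owner at subscription scope has the same reach as the
    # account administrator over every resource; this list should be short and reviewed.
    $scope = "/subscriptions/$subscriptionId"
    Get-AzRoleAssignment -Scope $scope |
        Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.Scope -eq $scope } |
        Select-Object DisplayName, SignInName, ObjectType, Scope
}

function Grant-ScopedOperatorRole {
    # Least privilege: VM operators get 'Virtual Machine Contributor' on one
    # resource group only, never Owner or Contributor on the whole subscription.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$ResourceGroupName
    )
    $group = Get-AzADGroup -DisplayName $GroupName
    if (-not $group) { throw "Group '$GroupName' not found" }
    New-AzRoleAssignment -ObjectId $group.Id `
        -RoleDefinitionName 'Virtual Machine Contributor' `
        -ResourceGroupName $ResourceGroupName
}

Write-Host "Owners at subscription scope ($subscriptionId):"
Get-SubscriptionOwnerAssignments | Format-Table -AutoSize

Grant-ScopedOperatorRole -GroupName $operatorsGroup -ResourceGroupName $resourceGroup
```

Assigning the role to a group rather than to individual users keeps the assignment list stable as staff change, and scoping it to the resource group means a compromised operator account cannot touch resources elsewhere in the subscription.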
Once a user has been authenticated and authorized, they can manage the resources available to them through the Azure portal. The Azure portal is a central place with convenient capabilities for provisioning, deploying, and managing cloud resources. In addition, the portal reports current costs and the estimated cost of the resources expected to be consumed during the month.
A subscription may include several cloud services and several storage accounts (however, both are optional components). On the Azure portal, you can prepare for work a new cloud service — for example, a virtual machine. These virtual machines run on the basis of resources that come from the compute and storage components of Azure.
Virtual machines can be configured to be accessible over the Internet, or so that they can only interact with components of the Azure infrastructure. You can protect the resources available in virtual machines (for example, on a web server) and restrict access to these resources using access control lists (ACLs). To isolate virtual machines in the cloud, you can create multiple virtual networks and control the transfer of traffic between them using network security groups (NSGs).
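The restriction described above, an NSG that admits only TLS from a known range and keeps management ports off the Internet, looks like this in Azure PowerShell. This is an added example, not the book's code; it assumes the Az.Network module, a signed-in session, and an existing virtual network and subnet whose names and address prefix are placeholders, as is the corporate source range (taken from the TEST-NET-3 documentation block).

```powershell
# Added example (not from the book): build and attach a network security group
# with the Az.Network module. All names, ranges and the existing VNet/subnet are
# placeholders; Connect-AzAccount is assumed to have been run already.

$resourceGroup = 'rg-web-prod'        # placeholder
$location      = 'westeurope'         # placeholder
$vnetName      = 'vnet-prod'          # placeholder existing virtual network
$subnetName    = 'snet-web'           # placeholder existing subnet
$subnetPrefix  = '10.0.1.0/24'        # placeholder, must match the subnet's prefix
$corpRange     = '203.0.113.0/24'     # placeholder corporate egress range (TEST-NET-3)

function New-WebTierNsg {
    param([Parameter(Mandatory)][string]$Name)

    # 1. Only the corporate range may reach the web servers, and only on 443.
    $allowHttpsFromCorp = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-Corp' `
        -Description 'TLS from corporate network' -Access Allow -Protocol Tcp `
        -Direction Inbound -Priority 100 `
        -SourceAddressPrefix $corpRange -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 443

    # 2. SSH/RDP are explicitly denied from the Internet service tag, so that a
    #    later, broader allow rule with a lower priority cannot expose them.
    $denyMgmtFromInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Mgmt-Internet' `
        -Description 'No SSH/RDP from the Internet' -Access Deny -Protocol Tcp `
        -Direction Inbound -Priority 200 `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange @('22', '3389')

    # Azure's built-in default rules still apply after these (AllowVnetInBound,
    # AllowAzureLoadBalancerInBound, then DenyAllInBound), so everything else from
    # the Internet is dropped without a custom deny-all rule, which would also
    # block Azure load balancer health probes.
    New-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $location `
        -Name $Name -SecurityRules $allowHttpsFromCorp, $denyMgmtFromInternet
}

function Set-SubnetNsg {
    # Associate the NSG with the subnet so it applies to every NIC placed there.
    param([Parameter(Mandatory)]$Nsg)
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
        -AddressPrefix $subnetPrefix -NetworkSecurityGroup $Nsg | Out-Null
    $vnet | Set-AzVirtualNetwork
}

$nsg = New-WebTierNsg -Name 'nsg-web'
Set-SubnetNsg -Nsg $nsg | Out-Null

# Verify what was applied:
(Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name 'nsg-web').SecurityRules |
    Format-Table Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
```

Attaching the NSG at the subnet level rather than per NIC means a newly created virtual machine in that subnet is covered before anyone remembers to configure it; per-NIC NSGs can still be layered on top for tighter host-specific rules.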
More details. For more information about Azure Active Directory, see Chapter 2, “Identity Protection in Azure.” For more information about network security groups, see Chapter 3, "Azure Network Security."
The next, deeper level of Azure is called the Azure Fabric. Microsoft manages the fabric and protects its resources. Its purpose is to manage compute and storage resources, allocate them, and ensure recovery in the event of a hardware failure. The most important task of this level is to provide enough redundancy and fault tolerance to meet the terms of the service level agreement (SLA).
Download the full version of the book for free and study it at the link below.