Microsoft Azure is a diverse offering, reaching customers across almost every industry imaginable. The truth about cloud platforms, though, is that many features are only relevant to certain users or particular industries. If there’s one capability area that comes close to being truly “global” among Azure users, it’s sure to be security.
Security failure is definitely not an option
Over the past six months, major government contracts for the defense sector have become part and parcel of the “cloud wars.” The US Department of Defense’s demanding standards for its new private cloud for classified data have winnowed the field of potential competitors down to just two: AWS and Azure. While the lengthy federal contracting process continues, it remains unclear which of the two will ultimately secure the decade-long, multi-billion dollar win. AWS was a first mover in high-level certifications and ultra-secure data centers staffed by fully vetted US nationals, but Microsoft is doing a good job of playing catch-up through its Azure Government and Azure Stack offerings, as well as by racing to obtain new security certifications.
At the end of May, all US Azure regions achieved FedRAMP High certification, meaning that less sensitive federal workloads can be transitioned out of Azure Government regions and into the regular public cloud.
Both the public and private sector are watching with bated breath to see how the big cloud providers’ security is working. For the Azure team, any security issue, even in the private cloud could cast doubts on its bid for the DoD JEDI contract, especially amongst risk-averse Pentagon bureaucrats. Of concern recently are reports that public cloud instances are being used to host scams. In May alone, at least 200 tech support scam sites were being hosted on Azure.
In many respects, that’s a drop in the bucket compared to the size and scope of Azure as a whole, but even small-scale scams or exploits being so much as hosted on the platform can reflect negatively on Microsoft. The Azure team may need to consider further steps in future updates to spot and prevent cybercrime hosting on the platform.
The Azure Security Center team did cite one win on April 8: it spotted a cryptocurrency mining attack in real time, which exploited an RCE vulnerability, and warned the customer in time to stop the attack.
Whether or not Microsoft ultimately wins the JEDI contract, its efforts may prove useful in other large markets. In collaboration with regional partners, it is likely to open secure government and military data centers for many countries in Europe and East Asia or focus more on the Canadian and Australian federal governments. In 2017, Estonia became the first country to create a data embassy—a secure backup of its entire government IT infrastructure in a data center, granted full diplomatic privileges in Luxembourg, signaling a new direction for government cloud projects.
Hardening databases and the network edge
Data at rest is often the target of exploits, and preventing unauthorized access is increasingly key. Microsoft therefore added role-based access control for Storage Blobs at the end of March, with access events fed into Storage Analytics logs. Just a few days later, on April 3, the team announced Advanced Threat Protection for Azure Storage, which detects anomalous activity. For SQL Database, Microsoft delivered the App Authentication library at the end of April, which lets existing .NET apps authenticate to SQL Database.
Since the rollout of Azure Firewall, the Azure team has made the case that the service is a more scalable and adaptable alternative to network virtual appliances (NVAs), with more features to boot. Although these features are on the Azure Firewall roadmap, NVAs still have a leg up with traffic filtering rules, SSL termination with deep packet inspection, and central management.
Confusingly, Microsoft also released Web Application Firewall for Azure Front Door Service. In spite of the similar nomenclature, WAF is focused on web apps, with pre-configured Managed RuleSet rules or custom rules and a specialty in OWASP Top 10 exploits.
Although internal threats exist, most companies probably face their biggest threats from the public internet. In Q2, Azure Security Center was retooled with new recommendations that send out alerts for traffic originating from IP addresses flagged by a new algorithm. This process of “network hardening” is intended to close the gaps in existing network security group rules.
Centralizing and automating security
Microsoft launched its Azure Sentinel security information and event management system at the end of February, which fit into a broader pattern of centralizing security information and either automating or enhancing it whenever possible. Particularly in the US—but also worldwide—most markets face a serious shortage of cybersecurity professionals, meaning that end customers will benefit from anything that cuts down on manual processes and shifts burdens elsewhere.
As Q2 got underway, Microsoft came out with machine learning tools for Sentinel. The Fusion feature merges related lower-severity (“yellow”) alerts, for as much as a 90 percent reduction in alert fatigue. Developers were granted authoring environments and even template ML algorithms built with Spark, Databricks and other tools. An integration between Sentinel and the Kusto query language also makes it easier to spot suspicious activity.
Microsoft has also emphasized the risks of misconfigured Docker daemons. Security Center can scan for such threats, but the large number of honeypots detected by the Threat Intelligence Center may mean that many organizations should be more vigilant about the configuration of their containers. Users must be careful about running containers with privileges that are too high—potentially allowing attackers to reach the host—and can implement role-based access control to set different permissions for resources within a cluster.
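As an added illustration of that last point (example configuration written for this article, not taken from Microsoft or from any Azure documentation), here is a Kubernetes pod spec with the risky settings beside a hardened version of the same workload, followed by a namespace-scoped Role and RoleBinding that grants one service account read-only access to pods instead of cluster-wide rights. The pod, namespace, image and service account names are assumed placeholders.

```yaml
# Weak: privileged container sharing the node's PID namespace; a breakout owns the host.
apiVersion: v1
kind: Pod
metadata: {name: worker-weak, namespace: jobs}   # assumed names
spec:
  hostPID: true
  containers:
    - name: worker
      image: example.azurecr.io/worker:1.0   # placeholder image
      securityContext:
        privileged: true
---
# Hardened: same workload, no host namespaces, non-root, no escalation, no capabilities.
apiVersion: v1
kind: Pod
metadata: {name: worker-hardened, namespace: jobs}
spec:
  automountServiceAccountToken: false   # worker never talks to the API server
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
  containers:
    - name: worker
      image: example.azurecr.io/worker:1.0
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
---
# RBAC: a namespace-scoped Role that can only read pods, bound to one service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-reader, namespace: jobs}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ci-pod-reader, namespace: jobs}
subjects:
  - kind: ServiceAccount
    name: ci-runner
    namespace: jobs
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

The hardened spec and the Role are the two controls the article points to: keep the container's privileges at the minimum the workload needs, and scope API permissions per namespace and per identity rather than reusing a cluster-admin binding.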
The integrated approach
In Q2, Microsoft remained steady with its security updates, adding emphasis on databases, network security, and the gathering of actionable insights. But perhaps one of the most important changes this quarter is the “SIEM+SOAR” approach (SOAR stands for security orchestration, automation and response) for Sentinel and Security Center. Rather than just automating and consolidating alerts, Microsoft seems to be steering toward systems that take action to stop threats. For now, SOAR is still entering security parlance, and the exact nature of the increasing integration between Sentinel and Security Center remains unclear.