Public cloud providers like Microsoft Azure introduce a unique set of security challenges for solution providers to grapple with as customers increasingly shift workloads to the more cost-effective platform.
Microsoft’s deep roots in the enterprise space have created a somewhat different customer profile and threat landscape for Azure as compared with the cloud platforms at more historically consumer-oriented companies like Amazon and Google.
On one hand, adversaries have spent decades creating malware and exploits that can now be used to target Azure’s identification tools and blob storage. But on the other, Microsoft’s business focus meant that it was early to the cloud firewall game and has tools in place to lock down ports and secure virtual machines.
From focusing more heavily on applications than infrastructure to having more customers with data that’s private and inaccessible over the internet, here are eight of the biggest Microsoft Azure security issues solution providers are grappling with.
Greater focus on applications than infrastructure
Microsoft is definitely more focused on Azure applications, and has changed the conversation to be more around SaaS and APIs rather than how to build or migrate architecture, according to John Maddison, Fortinet’s EVP of products and solutions.
AWS is the largest public cloud provider, and has remained very focused on infrastructure-as-a-service, Maddison said. In contrast, Maddison said Microsoft’s role in Azure has resulted in conversations being more around Office 365, the Windows suite, and wrapping applications into a secure package.
Azure implementations have some security built in, and customers can turn to third parties for further security enhancements, Maddison said. Similarly, Maddison said Microsoft offers its own security for Office 365 migrations, which can be complemented by sandboxing or additional email scans via a third-party SaaS or API service.
Azure blob storage is a common target of hackers
Azure has been abused a bit more than AWS in actual attacker stagecraft since it is a trusted environment that can be set up for free, and that’s expected to continue going forward, according to Ryan Kalember, Proofpoint’s EVP of cybersecurity strategy.
Attackers are very familiar with the Microsoft ecosystem, Kalember said, and have found SharePoint to be a wonderful tool for staging malware-based attacks via malicious links, along with using compromised Office 365 accounts to launch attacks on third-party targets. Kalember said a PDF-based phishing campaign associated with Hurricane Michael actually pointed to pages hosted on Azure blob storage.
Campaigns oriented around Azure blob storage are incredibly cheap and very effective because it is by default trusted, and they occur pretty often since attackers are more familiar with the Microsoft ecosystem, Kalember said. Kalember said that Azure blob storage isn’t the type of IP that should be whitelisted, and recommended that anything done in a user’s own environment not blindly trust Azure.
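The advice above, that a user's own environment should not implicitly trust Azure blob storage, is easy to turn into a gateway check. The following is an added example, not code from the article or from any vendor quoted in it: it extracts links from a message, classifies their hosts, and flags those on shared-tenant services (Azure blob storage, and SharePoint, which the text also mentions) for inspection unless the specific storage account or tenant has been explicitly allow-listed. The sample message and the host-suffix table are constructed for the example.

```python
"""Flag links hosted on shared-tenant Microsoft services so a mail or proxy
policy inspects them instead of trusting the whole domain.
Added example; the sample message is constructed."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Domains under which any tenant, including a free attacker-controlled one,
# can publish content. Allow-listing the suffix wholesale is the mistake the
# article warns about; allow-listing a named account is a narrower decision.
SHARED_TENANT_SUFFIXES = {
    ".blob.core.windows.net": "azure-blob-storage",
    ".sharepoint.com": "sharepoint",
}

# Constructed sample message: two blob-storage links, one SharePoint link
# and one ordinary vendor site.
SAMPLE_MESSAGE = (
    "Storm update attached: https://reliefdocs.blob.core.windows.net/docs/update.pdf\n"
    "Quarterly report: https://corpstorage.blob.core.windows.net/reports/q3.pdf;\n"
    "Vendor portal: https://www.example.com/portal\n"
    "HR site: https://contoso.sharepoint.com/sites/hr"
)


def classify_host(host: str) -> str:
    """Map a hostname to a shared-tenant label, or 'other'."""
    host = host.lower().rstrip(".")
    for suffix, label in SHARED_TENANT_SUFFIXES.items():
        if host.endswith(suffix):
            return label
    return "other"


def extract_links(text: str):
    """Return (url, hostname, label) for every http(s) URL in the text."""
    found = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;")  # drop trailing punctuation
        host = urlparse(url).hostname or ""
        found.append((url, host, classify_host(host)))
    return found


def links_needing_review(text: str, allowed_accounts=frozenset()):
    """Links on shared-tenant hosts whose leading label (storage account or
    tenant name) is not explicitly allow-listed. Returns [(url, label), ...]."""
    flagged = []
    for url, host, label in extract_links(text):
        if label == "other":
            continue
        account = host.split(".")[0]
        if account in allowed_accounts:
            continue
        flagged.append((url, label))
    return flagged


if __name__ == "__main__":
    for url, label in links_needing_review(SAMPLE_MESSAGE, {"corpstorage"}):
        print(f"review: {label:20s} {url}")
```

The allow-list is keyed on the storage account or tenant name rather than on the domain suffix, which is the distinction the article draws: the organisation's own account can be trusted, the service as a whole cannot.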
Azure firewall is less mature, but easier to deploy
Azure’s firewall isn’t as mature as those offered by traditional firewall vendors, but doesn’t require customers to work as hard at deploying it, according to Reuven Harrison, Tufin’s co-founder and CTO. Specifically, Harrison said the Azure firewall has the advantage of being immediately available without requiring lots of configuration work.
Azure was the first provider to offer a cloud service with a firewall since Microsoft knows the pain points of enterprises and understood that enterprise security teams want to be able to use a firewall, Harrison said. The Azure tool is easy for firewall teams to get their hands around and use to gain control over a security environment, according to Harrison.
But all the traditional firewall vendors also have options that work in the cloud and provide rich functionality, Harrison said.
Subject to lots of identity-based attacks
Microsoft has moved its on-premises identity tools to the cloud, which it pushes heavily to be used around Azure, said Bitglass CTO Anurag Kahol. Organisations typically use Active Directory from a CASB (cloud access security broker) tool to provide identity protection around AWS, but in Azure, Kahol said businesses typically end up using Microsoft’s identity tools for their entire company.
People from different countries attempt to provision attacks against Azure by trying to use an organisation’s tenant ID and passwords across all sites, Kahol said. As a result, Kahol said he’s seen more identity-based attacks against Azure than AWS.
Kahol recommends that businesses pursue an architecture that not only relies on the Microsoft identity features, but also gets separate authentication capabilities from a CASB tool like Bitglass. If the identity of a user is known, Kahol said CASBs are in a much better position to correlate the different types of access happening across a server.
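The attack pattern Kahol describes, one source trying an organisation's accounts and passwords across sites, shows up in sign-in telemetry as a single IP failing against many distinct users in a short window. The detection below is an added example, not code from the article or from Bitglass: it reads constructed sign-in records (the comma-separated layout is an assumption for the example, not the real Azure AD sign-in log schema) and reports source IPs whose failures span at least a threshold number of accounts inside a sliding time window, which separates a spray from one user mistyping a password.

```python
"""Sliding-window detection of password-spray-style sign-in failures.
Added example; the log lines and their layout are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,userPrincipalName,sourceIp,result
# 203.0.113.7 fails against six different accounts in ninety seconds (spray).
# 198.51.100.9 fails six times against one account (not a spray).
# 192.0.2.10 is a normal successful sign-in.
SAMPLE_SIGNINS = """\
2019-03-01T08:00:01Z,alice@contoso.example,203.0.113.7,failure
2019-03-01T08:00:03Z,bob@contoso.example,203.0.113.7,failure
2019-03-01T08:00:20Z,carol@contoso.example,203.0.113.7,failure
2019-03-01T08:00:41Z,dave@contoso.example,203.0.113.7,failure
2019-03-01T08:01:05Z,erin@contoso.example,203.0.113.7,failure
2019-03-01T08:01:30Z,frank@contoso.example,203.0.113.7,failure
2019-03-01T08:02:00Z,alice@contoso.example,198.51.100.9,failure
2019-03-01T08:02:05Z,alice@contoso.example,198.51.100.9,failure
2019-03-01T08:02:10Z,alice@contoso.example,198.51.100.9,failure
2019-03-01T08:02:15Z,alice@contoso.example,198.51.100.9,failure
2019-03-01T08:02:20Z,alice@contoso.example,198.51.100.9,failure
2019-03-01T08:02:25Z,alice@contoso.example,198.51.100.9,failure
2019-03-01T08:03:00Z,alice@contoso.example,192.0.2.10,success
"""


def parse_signins(text: str):
    """Parse the constructed CSV layout into (timestamp, upn, ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, upn, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), upn, ip, result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: set_of_targeted_users} for every source IP whose
    failed sign-ins cover at least `min_users` distinct accounts within any
    `window`-long interval. A single account failing repeatedly is ignored."""
    failures_by_ip = defaultdict(list)
    for ts, upn, ip, result in events:
        if result == "failure":
            failures_by_ip[ip].append((ts, upn))

    hits = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {upn for _, upn in fails[start:end + 1]}
            if len(users) >= min_users:
                # Report every account the IP touched, not just this window.
                hits[ip] = {upn for _, upn in fails}
                break
    return hits


if __name__ == "__main__":
    for ip, users in detect_spray(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"possible password spray from {ip}: {len(users)} accounts")
```

The thresholds are deliberately parameters: a tenant with a shared office egress IP will need a higher `min_users` or a shorter window than a tenant whose users sign in from many addresses, and correlating the flagged IP with any later success from the same source is the natural next step.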
Azure deployments tend to be IT-centric, not cloud-centric
A lot of the Infrastructure-as-a-Service deployment in Azure tends to be IT-centric rather than cloud-centric due to Microsoft’s relationships with traditional enterprises, said Kaushik Narayan, CTO of McAfee’s cloud business unit. Narayan said data on Azure therefore tends to be private, and less accessible over the internet than AWS environments.
As a result, Narayan said attacks over the network are slightly less likely with Azure than with AWS. Instead, Narayan said components like the Azure Cosmos DB database service tend to be more of a target for hackers since they’re open to the internet.
The sheer isolation of traditional computing systems provides a lot of protection, but that isolation of private data can be lost in Azure even if it’s unintentional, said John Dodds, McAfee’s director of product management. Businesses are more likely to be susceptible to risks they haven’t thought much about, such as having sensitive data sitting in Cosmos, Dodds said.
More frequently targeted with malware
Malware has been a big problem for Windows since it’s an obvious way to gain control over a machine, which has resulted in Microsoft being a frequent target, according to Aditya Joshi, Threat Stack’s EVP of products and technology.
Microsoft has an anti-malware offering that integrates with the Azure Security Center, Joshi said, and third-party anti-malware tools can address the issue as well. Joshi said Microsoft has excelled at being a development-centric company and bringing different security offerings together.
Windows and Linux are fundamentally different operating systems with security domains that function and need to be supported in very different ways, Joshi said. And when it comes to supporting Windows, Joshi said that Microsoft Azure has clear advantages over the other cloud providers.
Ports that haven’t been properly secured
Customers have taken advantage of a feature in the Azure Security Center called Just-in-Time that shuts down ports while concurrently enabling virtual machines, according to Scott Woodgate, senior director of Microsoft Azure Management and Security Marketing.
The feature dramatically decreases Azure’s susceptibility to super-common threat vectors like RDP (Remote Desktop Protocol)-based attacks by making it so that a legitimate user has access only from a specific IP address for just one to three hours, Woodgate said. Just-in-Time was introduced 18 months ago, Woodgate said, and can be turned on with the click of a button.
The fundamental benefit of Just-in-Time is the additional layer of protection it provides on virtual machines, Woodgate said. In addition, Woodgate said the feature should reduce the responsibilities of the SOC (security operations center) around patching or upgrading tools, which in turn would provide them with more time to focus on hunting threats.
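The behaviour Woodgate describes, management ports closed by default and opened only for one source address for a bounded window, can be modelled in a few dozen lines, which makes it easier to see why the exposure shrinks. The code below is an added example written for this article; it is not Azure's implementation or API, and the port list, the three-hour cap and the rule that a request must name a single address or small prefix are assumptions chosen to mirror the text.

```python
"""Model of just-in-time VM access: management ports are denied by default,
and an approved request adds an allow entry for one source that expires.
Added example; not Azure's own implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM (assumption)
MAX_WINDOW = timedelta(hours=3)             # cap described in the article
MAX_PREFIX_ADDRESSES = 256                  # reject "any"-style sources (assumption)


@dataclass
class JitGrant:
    source: object      # IPv4Network or IPv6Network
    port: int
    expires: datetime


@dataclass
class JitPolicy:
    grants: list = field(default_factory=list)

    def request_access(self, source_cidr, port, now, duration=timedelta(hours=1)):
        """Approve a time-boxed opening of `port` for `source_cidr`."""
        if port not in MANAGEMENT_PORTS:
            raise ValueError("JIT only governs management ports")
        if not timedelta(0) < duration <= MAX_WINDOW:
            raise ValueError("requested window must be between 0 and 3 hours")
        net = ip_network(source_cidr, strict=False)
        if net.num_addresses > MAX_PREFIX_ADDRESSES:
            raise ValueError("source must be a specific address or small prefix")
        self.grants.append(JitGrant(net, port, now + duration))

    def _expire(self, now):
        self.grants = [g for g in self.grants if g.expires > now]

    def evaluate(self, source_ip, port, now):
        """'allow' or 'deny' for management ports; 'not-jit' for other ports,
        which fall through to the ordinary network security group rules."""
        if port not in MANAGEMENT_PORTS:
            return "not-jit"
        self._expire(now)
        ip = ip_address(source_ip)
        for g in self.grants:
            if g.port == port and ip in g.source:
                return "allow"
        return "deny"


def _rejected(fn, *args):
    """True if the call raises ValueError (used by the demo scenario)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def demo():
    """Walk through a request lifecycle and return the observed decisions."""
    policy = JitPolicy()
    t0 = datetime(2019, 3, 1, 9, 0)
    results = {"before_request": policy.evaluate("203.0.113.7", 3389, t0)}
    policy.request_access("203.0.113.7/32", 3389, t0, timedelta(hours=2))
    one_hour = t0 + timedelta(hours=1)
    results["same_ip_in_window"] = policy.evaluate("203.0.113.7", 3389, one_hour)
    results["other_ip_in_window"] = policy.evaluate("203.0.113.8", 3389, one_hour)
    results["same_ip_other_port"] = policy.evaluate("203.0.113.7", 22, one_hour)
    results["after_expiry"] = policy.evaluate("203.0.113.7", 3389, t0 + timedelta(hours=2, minutes=1))
    results["https_untouched"] = policy.evaluate("203.0.113.7", 443, t0)
    results["rejects_4h"] = _rejected(policy.request_access, "203.0.113.7/32", 3389, t0, timedelta(hours=4))
    results["rejects_any_source"] = _rejected(policy.request_access, "0.0.0.0/0", 3389, t0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

The two `ValueError` paths are the part worth copying into any real approval workflow: a request for an unbounded window or for a source of "anywhere" recreates the always-open port the feature exists to remove.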
Has reputation of being more proprietary in nature
Microsoft has the strong reputation of being more proprietary in nature, which creates an additional hurdle for companies looking to both use open-source tools and work in the Microsoft realm, according to Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center.
One way to bridge that gap, though, is through the adoption of Kubernetes and other containerisation technology, which Mackey said Microsoft has done fantastic work in. Organisations that have gone down the Microsoft path are in a good position to leverage their competency around containers to capitalise on things like Azure DevOps, Mackey said.
Changing cloud providers under conventional circumstances can be difficult and costly, Mackey said. But Kubernetes’ ability to abstract away the management plane that cloud providers put in place around workloads makes it easier for organisations to spread their eggs across multiple cloud provider baskets, according to Mackey.