AI + Machine Learning, Azure Blueprints, Azure Security Center, Best practices, Microsoft Sentinel, Security
Customers get unmatched security with Windows Server and SQL Server workloads in Azure
By Arpan Shah General Manager, Microsoft Azure
4 min read
Customers such as Allscripts, Chevron, J.B. Hunt, and thousands of others are migrating their important workloads to Azure where they find unmatched security. While understanding cloud security is initially a concern to many, after digging in, customers often tell us the security posture they can set up within Azure is easier to implement and far more comprehensive than what they can provide for in other environments.
Azure delivers multiple layers of security, from the secure foundation in our physical datacenters, to our operational practices, to engineering processes that follow industry standard Mitre guidelines. On top of that, customers can choose from a variety of self-service security services that work for both Azure and on-premises workloads. We employ more than 3,500 cybersecurity professionals and spend $1 billion annually on security to help protect, detect, and respond to threats – delivering security operations that work 24x7x365 for our customers.
Let's look at some examples of how Azure delivers unmatched security for your Windows Server and SQL Server workloads.
The broadest built-in protections across hybrid environments with Azure Security Center
Customers can get the broadest built-in protection available across both cloud and on-premises through Azure Security Center. This includes security recommendations for virtual machines, storage, networking, databases, identity, application services, and IOT – all from a single integrated dashboard.
Azure Security Center leverages the Microsoft Intelligent Security Graph, which collects more than 6.5 trillion signals daily from Microsoft services such as Xbox, Dynamics 365, Office 365, Azure, and our broad partner ecosystem. With Azure Security Center, customers can easily install an agent on Windows Server and get detailed recommendations on which best practices to implement such as installing end-point protection and the latest patches. It also comes with all the capabilities of Microsoft Defender ATP built-in. As a result, you get to tap into our industry-leading threat protection to protect your Windows Server and SQL Server workloads.
Further, Azure Security Center integration will soon be available through Windows Admin Center, a modern Windows Server management solution being used to manage millions of instances today. With a few clicks, you will soon be able secure your Windows Server instances on-premises directly from Windows Admin Center.
Unique platform-level security and governance
Azure’s consistent policy platform makes it easier for you to apply security policies faster across your Windows Server and SQL Server workloads. For every workload you run in Azure, you can easily define a set of security policies and apply them uniformly across your subscriptions or management groups at scale. Using Azure Blueprints, you can literally create a new subscription with all the security settings you need in a few clicks. All of this is possible because Azure has a unique underlying resource management foundation, giving you the confidence that your Windows Server and SQL Server workloads are compliant by design. Best of all, Azure Governance capabilities are available at no additional charge.
Built-in, AI driven Security Information and Event Management (SIEM)
Customers often use SIEM to bring together threat protection information from across the enterprise to enable advanced hunting and threat mitigation. Azure Sentinel is a cloud-native SIEM with built-in AI that enables you to focus on the important threats rather than low fidelity signals. It helps reduce noise drastically—we have seen a reduction of up to 90 percent in alert fatigue from early adopters. It also lets you combine signals from your Windows Server and SQL Server workloads on Azure with all of your other assets including Office 365, on-premises applications, and firewalls to get ahead of bad actors and mitigate threats.
Industry leading confidential computing capabilities
Azure confidential computing offers encryption of data while in use, a protection that has been missing from both on-premises datacenters and public clouds. For certain workloads, it is important to ensure the data is not transparent while it is processed in the CPU. Azure brings this capability through hardware-based enclaves built on top of Intel SGX extensions in the Azure DC series of virtual machines. Microsoft, as the cloud operator, cannot access the data or compute resources inside a secure enclave. Confidential computing also opens up new scenarios like secure block-chain or multi-party machine learning where the data is shared between two parties, but neither has access to the other party’s data due to the secure enclaves. In addition, we have enhanced the Always Encrypted feature in SQL Server 2019 to support secure enclaves and you can build your own applications using this technology with our open SDK.
Unique database security monitoring for your cloud SQL
We use our experience from monitoring more than one million databases over the past few years to offer Advanced Data Security for SQL Database and SQL Server VMs. It includes two key components – vulnerability assessment and Advanced Threat Detection. Vulnerability assessment scans your databases so you can discover, track, and remediate potential database vulnerabilities. Advanced Threat Detection continuously monitors your database for suspicious activities like SQL injection and provides alerts on anomalous database access patterns. Threat alerts and reports from vulnerability assessments also appear in the Azure Security Center threats dashboard.
Free security updates for Windows Server and SQL Server 2008
We understand that customers are still running workloads on SQL Server and Windows Server 2008 and 2008 R2. These versions are approaching end of support in July 2019 and January 2020 respectively. You can automatically get three additional years of free Extended Security Updates if you simply migrate your 2008 and 2008 R2 instances to Azure to ensure they are protected. You can plan your upgrades to newer versions once they are in Azure. Additionally, for SQL Server, you can migrate legacy SQL Server workloads to Azure SQL Database Managed Instances. With this fully managed, version-less service your organization will not face end of support deadlines again.
Get started with Azure for unmatched security in the cloud
Microsoft offers you the training and best practice guidance you need to set up the most powerful protection for your Windows Server and SQL Server workloads in the cloud.
To learn even more best practices on how to take advantage of the built-in tools in Azure to protect your workloads, save the date for the upcoming Azure Security Expert Series webinar coming next Wednesday, June 19, 2019.