Microsoft Azure’s defense in depth approach to cloud vulnerabilities
By Salim Chawro Corporate Vice President, Azure Security
Our digital world is changing, with more persistent, sophisticated, and driven cybercriminals. As risks increase and threats compound, trust is more important than ever. Customers need to be able to trust in the technology platforms they invest in to build and run their organizations. As one of the largest cloud service providers, we build trust by helping our customers be secure from the start and do more with the security of our cloud platforms that’s built in, embedded, and out of the box.
At Microsoft Azure, our security approach focuses on defense in depth, with layers of protection built throughout all phases of design, development, and deployment of our platforms and technologies. We also focus on transparency, making sure customers are aware of how we’re constantly working to learn and improve our offerings to help mitigate the cyberthreats of today and prepare for the cyberthreats of tomorrow.
In this blog, we highlight the extensive security commitments from our past, present, and into the future, as well as where we see opportunities for continued learning and growth. This piece kicks off a 4-part Azure Built-In Security series intended to share lessons we’ve learned from recent cloud vulnerabilities and how we’re applying these learnings to ensure our technologies and processes are secure for customers. Transparently sharing our learnings and changes is part of our commitment to building trust with our customers, and we hope it encourages other cloud providers to do the same.
Past, present, and future of our security commitments
For decades Microsoft has been, and continues to be, deeply focused on customer security and on improving the security of our platforms. This commitment is evident in our long history of leading security best practices, from our on-premises and software days to today’s cloud-first environments. A shining example is the Security Development Lifecycle (SDL), which we pioneered in 2004: a framework for building security into applications and services from the ground up, whose influence has been far reaching. SDL is currently used as the basis for built-in security in key initiatives including international application security standards (ISO/IEC 27034-1) and the White House’s Executive Order on Cyber Security [1].
As security leaders and practitioners know, though, security’s job is never done. Constant vigilance is vital. This is why Microsoft currently invests heavily in internal security research as well as a comprehensive bug bounty program. Internally, Microsoft has more than 8,500 security experts constantly focused on vulnerability discovery, understanding attack trends, and addressing patterns of security issues. Our world-class security research and threat intelligence help protect customers, Microsoft, open-source software, and our industry partners alike.
We also invest in one of the industry’s most proactive Bug Bounty Programs. In 2021 alone, Microsoft awarded $13.7 million in bug bounties across a broad range of technologies. An emerging trend over the last year has been an uptick in externally reported vulnerabilities impacting several cloud providers, including Azure. While vulnerabilities are not uncommon across the industry, as a leading cloud provider and the number one security vendor, Microsoft is of greater interest to researchers and security competitors alike. This is why our public bounty program was the first to include cloud services, beginning in 2014, and in 2021 we further expanded the program to include higher rewards for cross-tenant bug reports. As anticipated, this clearly drew even more external security researcher interest in Azure, culminating in multiple cross-tenant bug bounties being awarded. Regardless of the reasons, these findings helped further secure specific Azure services and our customers.
Finally, we firmly believe that security is a team sport, and our focus on collaboration is evidenced by our contributions to the security ecosystem, such as our involvement in the NIST Secure Software Development Framework (SSDF) [2] and our work to improve the security posture of Open Source Software (OSS) through our $5 million investment in the OpenSSF Alpha-Omega project [3].
Our commitment to security is unwavering, as seen in our decades-long leadership of SDL, our present-day vulnerability discovery, bug bounty programs, and collaboration contributions, and our commitment to invest more than $20 billion over five years [4] in cybersecurity going forward. While building in security from the start is not new at Microsoft, we understand that the security landscape is continually changing and evolving, and with it so should our learnings.
Our latest learnings and improvements for a more secure cloud
At Microsoft, a core part of our culture is a growth mindset. Findings from internal and external security researchers are critical to our ability to further secure all our platforms and products. For each report of a vulnerability in Azure, we perform in-depth root cause analysis and post-incident reviews whether discovered internally or externally. These reviews help us reflect and apply lessons learned, at all levels of the organization, and are paramount to ensuring that we constantly evolve and build in security at Microsoft.
Based on the insights we’ve gained from recent Azure vulnerability reports, we are improving in three key dimensions. These developments enhance our response process, extend our internal security research, and continually improve how we secure multitenant services.
1. Integrated response
Several lessons from the past year focused our attention on areas where we recognize the need to improve, such as accelerating response timelines. We are addressing this throughout our Integrated Response processes by unifying internal and external response mechanisms. We started by increasing both the frequency and scope of our Security LiveSite Reviews at the executive level and below. We are also improving the integration of our external security case management system with our internal incident communication and management systems. These changes reduce mean time to engagement and remediation of reported vulnerabilities, further refining our rapid response.
2. Cloud Variant Hunting
In response to cloud security trends, we have expanded our variant hunting program to include a global and dedicated Cloud Variant Hunting function. Variant hunting identifies additional, similar vulnerabilities in the impacted service, as well as similar vulnerabilities across other services, so that discovery and remediation are more thorough. This also leads to a deeper understanding of vulnerability patterns and in turn drives holistic mitigations and fixes. Below are a few highlights from our Cloud Variant Hunting efforts:
- In Azure Automation we identified variants and fixed more than two dozen unique issues.
- In Azure Data Factory/Synapse we identified significant design improvements that further harden the service and address variants. We also worked with our supplier, and other cloud providers, to ensure that risks were addressed more broadly.
- In Azure Open Management Infrastructure we identified multiple variants, our researchers published CVE-2022-29149, and we drove the creation of Automatic Extension Upgrade capabilities to reduce time to remediate for customers. Our Automatic Extension Upgrade feature is already benefiting Azure Log Analytics, Azure Diagnostics, and Azure Desired State Configuration customers.
Additionally, Cloud Variant Hunting proactively identifies and fixes potential issues across all our services. This includes many known as well as novel classes of vulnerabilities, and in the coming months we will share more details of our research to benefit our customers and the community at large.
3. Secure multitenancy
Based on learnings from all our security intelligence sources, we continue to evolve our Secure Multitenancy requirements, as well as the automation we use at Microsoft to provide early detection and remediation of potential security risks. As we analyzed Azure and other cloud security cases over the last couple of years, both our internal and external security researchers found unique ways to break through some isolation barriers. Microsoft already invests heavily in proactive security measures to prevent this; these new findings helped us determine the most common causes and commit to addressing them within Azure through a small number of highly leveraged changes.
We are also doubling down on our defense in depth approach by requiring and applying even more stringent standards for Compute, Network, and Credential isolation across all Azure services, especially when consuming third-party or OSS components. We are continuing to collaborate with the OSS community, such as PostgreSQL, as well as other cloud providers, on features which are highly desirable in multitenant cloud environments.
This work has already resulted in dozens of distinct findings and fixes with the majority (86 percent) attributed to our specific improvements in Compute, Network, or Credential isolation. Among our automation improvements, we are extending internal Dynamic Application Security Tests (DAST) to include more checks for validating Compute and Network isolation as well as adding net new runtime Credential isolation check capabilities. In parallel, our security experts continue to scrutinize our cloud services, validate they meet our standards, and innovate new automated controls for the benefit of our customers and Microsoft.
Under the cloud security shared responsibility model, we recommend that our customers use the Microsoft cloud security benchmark to improve their cloud security posture. We are developing a set of new recommendations focused on multi-tenancy security best practices and will publish them in our next release.
In short, while Microsoft has a long and continued commitment to security, we are continually growing and evolving our learnings as the security landscape also evolves and shifts. In this spirit of constant learning, Microsoft is addressing recent Azure cloud security issues by enhancing secure multitenancy standards, expanding our cloud variant hunting capacity, and developing integrated response mechanisms. Our enhancements, and the scale of our security efforts, further demonstrate our leadership and decades-long commitment to continual improvement of our security programs and raising the bar for security industry-wide. We continue to be committed to integrating security into every phase of design, development, and operations so that our customers, and the world, can build on our cloud with confidence.
- Read additional blogs in this series to learn how Azure leverages cloud variant hunting, secure multitenancy, Confidential Compute and Rust to layer protection throughout every phase of design, development, and deployment.
- Learn more about the out-of-the-box capabilities embedded in our platforms.
- Learn more about how Microsoft Azure can help strengthen your security posture.
[1] WhiteHouse.gov, Executive Order on Improving the Nation’s Cybersecurity, May 12, 2021.
[2] National Institute of Standards and Technology, Secure Software Development Framework (SSDF) Project Overview, updated February 3, 2022.
[3] Open Source Security Foundation, OpenSSF Announces The Alpha-Omega Project to Improve Software Supply Chain Security for 10,000 OSS Projects, OpenSSF.org, February 1, 2022.
[4] GeekWire.com, Microsoft to quadruple cybersecurity investments, spending $20B over five years, Todd Bishop, August 25, 2021.