
Strengthen security with key Azure innovations

Posted on September 24, 2018

Director of Program Management, Azure Security

Cybersecurity can be challenging for many organizations, but it does not have to be. Migrating your workloads to the cloud can help you achieve better security. Microsoft Azure provides a highly secure foundation for moving workloads to the cloud safely while reducing infrastructure security costs. Azure also includes built-in security controls that enable defense in depth, and threat intelligence drawn from trillions of diverse signals across Microsoft services helps identify and protect against rapidly evolving threats. Global companies such as Merrill Corporation and Temenos are accelerating their cloud adoption because of the security benefits Azure provides.

You can simplify security with the built-in controls available in Azure and integrate your existing security tools through our partner solutions to gain defense in depth. These controls and services span identity, networking, and data, and include services that help you protect against threats, manage your security posture, and secure your IoT devices. We have continued to invest in new capabilities in this area; these innovations, both built-in and through partner integrations, provide more flexibility and stronger security that extends from the cloud to the edge. I am excited to share a few of the capabilities and services we will announce at the Microsoft Ignite conference this week:

Managing your identity without a password: Microsoft protects hundreds of thousands of line-of-business and SaaS apps as they connect to Azure AD. At Ignite, we are delivering new support for password-less sign-in to Azure AD connected apps via Microsoft Authenticator. The Authenticator app replaces your password with a stronger multi-factor sign-in that combines something you have (your phone) with something you are or know (your fingerprint, face, or PIN). Eliminating the password from the sign-in removes a credential that can be phished or reused, which reduces risk while making the user experience simpler.

Adding new layers to network protection: You can already use many built-in Azure services, such as network security groups, Web Application Firewall (WAF), Virtual Private Network (VPN), and DDoS Protection, to help safeguard applications and data from network attacks. This week at Ignite we are adding more options for reaching and protecting your networked resources in Azure. We are announcing the general availability of Azure ExpressRoute Global Reach, which lets you securely connect your on-premises networks to each other through their ExpressRoute circuits over Microsoft's global network. Azure Virtual WAN will also be generally available, allowing you to automate and deploy large-scale branch connectivity and access to resources in Azure. Further, we are launching ExpressRoute support for Virtual WAN in preview, giving you seamless transit across VPN, SD-WAN, and ExpressRoute circuits connected to Virtual WAN, using the Microsoft global network backbone.

Also generally available this week is Azure Firewall, a stateful firewall-as-a-service that lets you centrally create, enforce, and log application (FQDN-based) and network (IP, port, protocol) connectivity policies across subscriptions and virtual networks, for inbound, outbound, and hybrid connections to Azure. Azure Firewall helps you enforce your network security policies while taking advantage of the scale and simplicity of the cloud. Azure Virtual Network TAP (vTAP), available in preview, is the first native network Terminal Access Point in a public cloud. vTAP lets you continuously mirror traffic from a virtual network to a packet collector. The mirrored traffic is a deep copy of the inbound and outbound VM network traffic and can be streamed to a destination IP endpoint, a third-party security appliance, or an internal load balancer in the same or a peered virtual network, which is exactly the feed that network intrusion detection and packet-capture forensics tooling need.
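The following is an added example, not code from the original post or from Microsoft: it deploys an Azure Firewall in a hub virtual network with a deny-by-default egress policy, one network rule and one application rule, a user-defined route that forces the workload subnet's default route through the firewall, and diagnostic logging of both rule categories to a Log Analytics workspace. It assumes the Az PowerShell module is installed and `Connect-AzAccount` has already been run; the resource group, names, address ranges, and FQDN are illustrative assumptions.

```powershell
# Added example (not from the original post). Assumes the Az PowerShell module and an
# authenticated session (Connect-AzAccount). All names, prefixes and FQDNs are assumptions.
$rg  = "rg-fw-demo"
$loc = "eastus"

New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# Azure Firewall must live in a subnet literally named AzureFirewallSubnet (/26 or larger).
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.1.0/26"
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name "workload" -AddressPrefix "10.0.2.0/24"
$vnet = New-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg -Location $loc `
    -AddressPrefix "10.0.0.0/16" -Subnet $fwSubnet, $wlSubnet

# Standard-SKU static public IP: used for outbound SNAT and any inbound DNAT rules.
$pip = New-AzPublicIpAddress -Name "pip-fw" -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard

$fw = New-AzFirewall -Name "fw-hub" -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkName $vnet.Name -PublicIpName $pip.Name

# Network rule (L3/L4): workload subnet may reach one external service range on TCP 443.
# 203.0.113.0/24 is a documentation range standing in for a real partner endpoint.
$netRule = New-AzFirewallNetworkRule -Name "allow-partner-api" -Protocol TCP `
    -SourceAddress "10.0.2.0/24" -DestinationAddress "203.0.113.0/24" -DestinationPort 443
$netColl = New-AzFirewallNetworkRuleCollection -Name "net-allow" -Priority 100 `
    -Rule $netRule -ActionType Allow

# Application rule (L7): workload subnet may fetch OS packages by FQDN only.
# Anything not matched by an Allow collection is dropped: the firewall denies by default.
$appRule = New-AzFirewallApplicationRule -Name "allow-ubuntu-updates" `
    -SourceAddress "10.0.2.0/24" -TargetFqdn "*.ubuntu.com" -Protocol "http:80", "https:443"
$appColl = New-AzFirewallApplicationRuleCollection -Name "app-allow" -Priority 200 `
    -Rule $appRule -ActionType Allow

$fw.NetworkRuleCollections.Add($netColl)
$fw.ApplicationRuleCollections.Add($appColl)
$fw = Set-AzFirewall -AzureFirewall $fw

# Rules only matter if traffic actually reaches the firewall: send the workload
# subnet's default route to the firewall's private IP as a virtual appliance.
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name "default-via-fw" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name "rt-workload" -ResourceGroupName $rg -Location $loc -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "workload" `
    -AddressPrefix "10.0.2.0/24" -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# Centralized logging: ship both rule categories to Log Analytics so denied flows are visible.
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name "law-fw-demo" `
    -Location $loc -Sku PerGB2018
Set-AzDiagnosticSetting -ResourceId $fw.Id -WorkspaceId $ws.ResourceId -Enabled $true `
    -Category AzureFirewallApplicationRule, AzureFirewallNetworkRule | Out-Null
```

Two points worth checking after a deployment like this: that the workload subnet's effective routes show 0.0.0.0/0 with next hop equal to the firewall's private IP (otherwise the rules are never consulted), and that the AzureFirewallNetworkRule and AzureFirewallApplicationRule logs in the workspace show both allowed and denied flows, since a firewall whose denies are not logged gives you enforcement without detection.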

Protecting data wherever it is: You have long been able to protect the data you store and process in Azure at rest and in transit with built-in encryption capabilities. We are excited to take data security further by protecting data while it is in use, which is especially important for highly sensitive and mission-critical data and intellectual property. Microsoft is the first cloud provider to offer confidential computing, which protects the confidentiality and integrity of customer data and code while it is processed in the public cloud by running it inside trusted execution environments (TEEs). A TEE is a hardware- or software-enforced isolated environment that protects data from outside access while it is being processed: code and data inside the enclave cannot be read or modified by software outside it, including privileged software on the host. The trusted computing base shrinks to the isolation mechanism and the code you place inside the enclave, so that enclave code still needs to be reviewed and kept small.

During our private preview program, we worked with customers such as Royal Bank of Canada and T-Mobile to ensure that Azure confidential computing meets their scenarios, and we are now ready to release several new offerings publicly in early October.

We are launching a new family of virtual machines in Azure (the DC-series), available to all Azure customers. This VM family is backed by the latest generation of Intel Xeon processors with Intel Software Guard Extensions (SGX). You can build, run, and test SGX-based applications on these VMs to protect your data while it is in use.

We will open-source a new Open Enclave (OE) SDK that provides a consistent API surface and enclaving abstraction, supporting portability across enclave technologies and architectural flexibility across platforms from cloud to edge. The OE SDK supports Intel SGX at launch, with Arm TrustZone support to follow soon afterward. We are strongly committed to building a collaborative community and to helping standardize secure enclave-based application development.

Protecting sensitive information in Azure SQL: Discovering and classifying your most sensitive data plays a pivotal role in your organization's information protection posture. The Data Discovery & Classification capability built into Azure SQL Database lets you discover, classify, label, and protect sensitive columns. Now you can also customize your SQL Information Protection policy directly from Azure Security Center, helping ensure the confidentiality of highly sensitive data while managing security policies from one central location.

Improving cloud security posture: As you migrate virtual machines, data, and networks to the cloud, you need a tool that can provide you with instant insight into the security state of your resources. Azure Security Center can help you strengthen your security posture and protect against threats. Our agent-based approach allows Security Center to continuously assess the security state of your workloads across Azure, other clouds and on-premises. Security Center identifies vulnerabilities and provides you with actionable recommendations, so you can quickly remediate risks.

Many new Security Center capabilities become available this week. Secure Score gives you a dynamic report card for your security posture: it continuously assesses the security of Azure resources and of server workloads running on-premises and in other clouds, and you raise the score by acting on the recommendations Security Center makes about available controls and secure configurations.

Protecting against threats across different services: The cybersecurity threat landscape is continuously evolving. Security Center uses machine learning and advanced analytics to detect threats and alert you. We are expanding threat protection to cover Linux, Azure Storage, and Azure Database for PostgreSQL, and adding endpoint detection and response for Windows Server through integration with Windows Defender ATP. To learn more about these capabilities and other Security Center announcements, visit our blog.

Two key innovations coming up shortly

Managing your own hardware security module (HSM): We will soon release a new key management offering, Azure Dedicated HSM, that lets customers keep full administrative and cryptographic control over the hardware security modules that process their encryption keys. The service helps meet compliance requirements for several industry standards and regulations (such as FIPS 140-2 Level 3, GDPR, HIPAA, PCI DSS, and eIDAS) while also meeting demanding latency and throughput requirements for your applications. It is targeted at scenarios that require direct HSM access, such as migrating an existing HSM-based application or using HSM-specific features.

Azure Key Vault, which is also backed by HSMs, remains the solution of choice for most key management needs, where near-instant deployment, high availability, integration with other Microsoft cloud services, and pay-as-you-go pricing are the benefits customers seek.
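For the common case the paragraph above describes, where Key Vault rather than a dedicated HSM is the right fit, the following added example (not code from the original post or from Microsoft) creates a Premium-SKU vault, generates an HSM-protected RSA key in it, verifies that the service really reports the key as HSM-backed, and grants one principal only the wrap and unwrap operations it needs. It assumes the Az PowerShell module and an authenticated session; the resource group, vault name (which must be globally unique), key name, and the principal's object ID are illustrative assumptions.

```powershell
# Added example (not from the original post). Assumes the Az PowerShell module and an
# authenticated session (Connect-AzAccount). Names and the object ID below are assumptions.
$rg    = "rg-kv-demo"
$loc   = "eastus"
$vault = "kv-demo-hsm-01"          # Key Vault names are globally unique; change this
$appObjectId = "00000000-0000-0000-0000-000000000000"   # object ID of the app/identity to grant

New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# HSM-protected keys require the Premium SKU; the Standard SKU offers only
# software-protected keys. Soft delete keeps a deleted key recoverable and purge
# protection blocks permanent deletion during the retention window.
New-AzKeyVault -VaultName $vault -ResourceGroupName $rg -Location $loc -Sku Premium `
    -EnableSoftDelete -EnablePurgeProtection | Out-Null

# -Destination HSM makes the service generate the key inside its HSMs so the private
# half never exists outside the HSM boundary. -KeyOps restricts what the key may do:
# a key used only to wrap data-encryption keys should not also be able to sign.
$key = Add-AzKeyVaultKey -VaultName $vault -Name "dek-wrapping-key" -Destination HSM `
    -KeyType RSA -Size 2048 -KeyOps wrapKey, unwrapKey -Expires (Get-Date).AddYears(1)

# Verify the protection level rather than trusting the request: an HSM-backed RSA key
# is reported with key type "RSA-HSM"; a software key would report "RSA".
if ($key.Key.Kty -ne "RSA-HSM") {
    throw "Key $($key.Name) is not HSM-protected (kty = $($key.Key.Kty))"
}

# Least privilege on the vault: the consuming principal gets wrap/unwrap only,
# not get/create/delete, so a compromised app cannot export or destroy keys.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $appObjectId `
    -PermissionsToKeys wrapKey, unwrapKey

# Show the resulting policy for review.
(Get-AzKeyVault -VaultName $vault).AccessPolicies |
    Select-Object ObjectId, PermissionsToKeys
```

The two checks that matter here are the SKU (Premium, or the HSM destination request is rejected) and the reported `Kty` suffix, which is the service's own statement that the key was generated and is held in an HSM. Key Vault's HSMs are FIPS 140-2 Level 2 validated, whereas the Dedicated HSM service described above targets Level 3, which is one of the concrete differences driving the choice between them.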

Auditing and automated approval for service access to Azure compute: We are improving existing processes for the very rare instances when a customer asks Microsoft to access their compute resources to resolve an issue. Microsoft engineers do not have standing access to any service operation; they are granted just-in-time access with limited, time-bound authorization to resolve a specific customer request. A new automated approval process gives you more granularity and auditing capabilities over such access.

Whether you use a service from Microsoft or one from our broad partner ecosystem, these built-in controls help protect your workloads quickly.

From state-of-the-art facilities to integrated first-party and third-party security services to unique intelligent insights, Azure is the cloud that can help you strengthen your security posture. For more information, read our Azure security best practices and visit our webpage.

For those of you attending Ignite this week in Orlando, make sure to join us for our Azure Security Fundamentals session on Wednesday, September 26 from 9-10:15am EST in OCCC WF 3-4 for more information. Don't forget to visit us at our booth to learn more about Azure security. We cannot wait to connect with you!