5 min read
This is the second blog in a 4-part blog post series on how Microsoft Azure provides a secure foundation.
Today we’re at RSA, and we are delighted to sponsor and participate in this industry event centered in security. I thought I’d take the opportunity to share our perspective on cloud security with Azure.
As we all know, companies worldwide are challenged by the ongoing volume of evolving security threats and with retaining qualified security talent to respond to these threats. In fact, the average large organization gets 17,000 security alerts each week, which results in an of average 99 days to discover security breaches. That contrasts with the less than 48 hours it takes for security breaches to grow from one system compromised into significantly broader issues.
As you look for solutions to address these challenges, Azure can help strengthen your security posture, while reducing cost and complexity. Thousands of companies and governments from all over the world including TD Bank, First Tech Credit Union, Geico, 3M, Rolls-Royce, state of Hawaii, city of Musson, and Heineken have chosen Azure as their trusted cloud. Azure provides value in three key areas – a secure foundation that is provided by Microsoft, built-in security controls to help you quickly configure security across the full-stack, and unique intelligence at cloud scale to help you safeguard data and respond to threats in real-time.
1. Azure’s secure foundation
Microsoft invests over a billion dollars annually into cybersecurity, including the Azure platform, so you can allocate your IT budget and resources towards other business-critical initiatives.
You get to take advantage of 3,500 dedicated cybersecurity professionals working together across the Cyber Defense Operations Center, digital crimes unit and other teams to help protect, detect and respond to threats in real time.
For physical security, Azure has hundreds of datacenters in 50 regions, and these have extensive multi-layered protections to ensure unauthorized users cannot gain physical access to your customer data.
Cloud security includes much more than cybersecurity experts and physical controls. The computing infrastructure for Azure is built on customized hardware with security controls integrated into the hardware and firmware components including secret management and increasingly hardware-based enclave technology.
The extensive network infrastructure has built-in protections against DDoS to safeguard your resources against volumetric or protocol layer attacks. Azure DDoS Protection has the operational capacity to scale protection to the largest of workloads and experience protecting Microsoft services such as Xbox and O365.
We know security is an ever-evolving state, so to save you time, we manage the basics such as ensuring the servers that run Azure are patched. We actively work to identify vulnerabilities through continuous testing and monitoring and run exercises such as red team versus blue team cyber penetration testing.
We regularly hear from customers that one of the reasons they chose Azure is the secure foundation is provides which enables them to put more of their resources towards delivering core value.
2. Azure’s built-in security controls
Even with the secure foundation that Azure provides, security is ultimately a joint responsibility between Microsoft and our customers. When you put your workloads and data on Azure, we recommend you follow security best practices. Azure has built-in security controls to help you get protected faster across identity, network, data and tools to help you with security management and threat protection.
Manage identity and access: Azure Active Directory is the central system for managing access across all your cloud services, including Azure, Office 365, and hundreds of popular SaaS and PaaS cloud services as well as on-premises. Active Directory is the most used directory service in the world. Microsoft recommends that you secure access with Azure Multi-Factor Authentication. We also recommend that you follow the same approach we do on Azure internally and limit access to only those who need it on a task-by-task basis using Role-Based Access.
Secure your network: Building and maintaining a secure network through Azure virtual networks (VNet) would typically start with segmenting subnets and configuring access rules using Network and Application Security Groups. Extend your on-premises network to the cloud using secure site-to-site VPN or a dedicated Azure ExpressRoute connection. Protect your web applications with the built-in Web Application Firewall. Announcing at RSA this week, Azure DDoS Protection Standard gives you more control over DDoS protection for your virtual networks with turnkey protection, telemetry and alerting.
Safeguard data and manage secrets: Azure can help protect your data while it’s in transit, at rest or even while it’s being used. Azure uses industry-standard protocols to encrypt data in transit as it travels between devices and Microsoft datacenters. When the data is kept in Azure Storage, you can use built-in data encryption to protect it. Azure Key Vault enables you to safeguard and control cryptographic keys and other secrets used by cloud apps and services. Data encryption controls are built-in to services from virtual machines to SQL to CosmosDB and Azure Data Lake. You can even protect data while it’s in use with the recently announced Azure confidential computing.
Unified security management to help prevent and detect threats: Azure Security Center provides you with insight into security issues with your Azure workloads and provides clear suggestions on what to fix. Azure Security Center goes beyond the capabilities of agentless alternatives found in other clouds to detect important security issues within virtual machines and cloud resources using an agent. You can even extend Azure Security Center to manage your on-premises workloads.
You can protect your virtual machine management ports from brute-force attacks using Azure Security Center Just-in-Time VM access. This week at RSA, we are announcing many new capabilities for Azure Security Center including enhanced protection for servers with Windows Defender ATP integration, improved management dashboard experience to help assess compliance across multiple subscriptions and configuring security easily within the context of virtual machine experience.
Azure’s breadth of built-in security services across identity, networking, data, threat prevention and security management make it simple for you to improve your security posture. You can also extend your existing investments to Azure with the many partner security solutions available in the Azure Marketplace from companies like Barracuda, Palo Alto, and Check Point.
3. Azure’s unique intelligence
In a world of evolving threats, the size of the threat dataset is both large and constantly changing. Since we are all working together to combat against cyberattacks, we need to leverage collective intelligence to help us keep pace with threats. The Microsoft Intelligence Security Graph brings together signals from many Microsoft products used at massive scale, including data from 450 billion authentications per month, 4 billion emails and 1 billion devices—to provide the intelligence you need to protect from evolving threats. At RSA, we are announcing the preview of the API for the Microsoft Intelligence Security Graph to further increase the richness of information in the graph and make it more accessible.
Azure Security Center’s threat protection helps you detect and mitigate threats with security alert dashboards by combining the Microsoft Intelligence Security Graph with machine learning and visualizations to help you understand the most critical issues, and even quickly visualize a complete attack chain. We recommend every enterprise customer turns on this capability.
I recommend that you consider the security capabilities Azure provides from its secure foundation, to built-in controls and unique intelligence to strengthen your security posture. To dive deeper, watch our new Azure Essentials video and visit our web page.
Azure Security at RSA 2018
For those of you attending RSA Conference this week in San Francisco, please visit us at booth 3501 to learn more about Azure Security. We cannot wait to connect with you!
1”7 steps to a holistic security strategy,” 2017, Microsoft.
2”M-Trends 2016,” 2016, Mandiant Consulting.
3”Anatomy of a Breach,” 2016, Microsoft.