While cloud security continues to be a top concern, we recently shared insights from a survey that show overall concern has dropped significantly since 2015. We’re now at a stage where half of organizations contend the cloud is more secure than their on-premises infrastructure. In conversations I have with our customers and partners, I hear increasingly about how using the cloud improves an organizations’ security posture. As many organizations push forward on their digital transformation through increased use of cloud services, understanding the current state of cloud security is essential.
Maintaining a strong security posture for your cloud-based innovation is a shared responsibility between you and your cloud provider. With Microsoft Azure, securing cloud resources is a partnership between Microsoft and our customers, so it’s essential that you understand the comprehensive set of security controls and capabilities available to you on Azure.
Microsoft Azure is built on a foundation of trust and security. With significant investments in security, compliance, privacy, and transparency, Azure provides a secure foundation to host your infrastructure, applications, and data in the cloud. Microsoft also provides built-in security controls and capabilities to further help you protect your data and applications on Azure. These can be classified broadly into four categories:
Manage and control user identity and access: Comprehensive identity management is the linchpin of any secure system. You must ensure that only authorized users can access your environments, data, and applications. Azure Active Directory serves as a central system for managing access across all your cloud services, including Azure, Office 365, and hundreds of popular SaaS and PaaS cloud services. Its federation capability means that you can use your on-premises identities and credentials to access those services, and Azure Multi-Factor Authentication provides for the most secure sign-on experience.
Increase network and infrastructure security: Azure provides you the security-hardened infrastructure to interconnect Azure VMs as well as make connections to on-premises datacenters. Additionally, you can extend your on-premises network to the cloud using secure site-to-site VPN or a dedicated Azure ExpressRoute connection. You can strengthen network security by configuring Network Security Groups, user-defined routing, IP forwarding, forced tunneling, endpoint ACLs, and Web Application Firewall as appropriate.
Encrypt communications and operation processes: Azure uses industry-standard protocols to encrypt data in transit as it travels between devices and Microsoft datacenters, and when it is stored in Azure Storage. You can also encrypt your virtual machine disks using Azure Disk Encryption. Azure Key Vault enables you to safeguard and control cryptographic keys and other secrets used by cloud apps and services. Azure Information Protection will help you classify, label, and protect your sensitive data.
Defend against threats: Microsoft enables actionable intelligence against increasingly sophisticated attacks using our network of global threat monitoring and insights. This threat intelligence is developed by analyzing a wide variety of signal sources and a massive scale of signals. (For example, customers authenticate with our services over 450 billion times every month, and we scan 200 billion emails for malware and phishing each month.) Our approach to protect the Azure platform includes intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, and machine learning. You can leverage additional services to develop a strong threat prevention, detection, and mitigation strategy.
Azure Active Directory Identity Protection helps you protect and mitigate against the risks from compromised identities. It offers a cloud powered, adaptive machine learning based identity protection system that can detect cyber-attacks, mitigate them in real time, and automatically suggest updates to your Azure AD configuration and conditional access policies. Services like Antimalware for Azure and Azure Security Center use advanced analytics to not only help in detecting threats but also prevent them. Azure Security Center helps you get a central view of the security state of all your Azure resources in real time, including recommendations for improving your security posture. You can use Operations Management Suite to extend the threat prevention, detection and quick response across Azure and other environments (on-premises, AWS). Log Analytics service will give you real-time insights to readily analyze millions of records across all of your workloads regardless of their physical location.
These are just a few examples of the broad set of security controls and services available to you with Azure. Over the past year, we have expanded the portfolio with many new security services and ongoing enhancements.
Microsoft is committed to continued innovation in helping you protect your data, applications, and identities in the cloud. Innovations we have delivered most recently include:
- New capabilities and enhancements in Azure Security Center available for preview this month include Just In Time network access to VMs, automatic discovery and recommendations for application whitelisting, and expanded Security Baselines with more than 100 recommended configurations defined by Microsoft and industry partners. Our research team continues to monitor the threat landscape and innovate on detection algorithms. Some new threat detections available to customers include Brute Force detections, outbound DDoS and Botnet detections, as well as new behavioral analytics for Windows and Linux VMs.
- Preview of Storage Service Encryption for File Storage. IT organizations can lift and shift their on-premises file shares to the cloud using Azure Files by simply pointing the applications to the Azure file share path. Azure Files now offer enhanced protection with the ability to encrypt data at rest.
- Azure SQL Database Threat Detection is already available in preview. Last week the team announced that it will be generally available in April 2017. Azure SQL Database Threat Detection provides an additional layer of security intelligence built into the Azure SQL Database service that uses machine learning to continuously monitor, profile, and detect suspicious database activity to help customers detect and respond to potential threats.
With these tools, organizations are able to securely transition to the cloud while also complying with regulatory requirements. Read how Ricoh USA Inc. discovered that Azure exceeds the level of security it could previously offer its customers.
Azure has a vibrant partner ecosystem, so it’s also easy to bring your trusted cloud security vendor with you, enabling you to leverage your existing security solutions. Find partner security solutions in Azure Marketplace.
Microsoft Azure at RSA 2017
For those of you attending RSA Conference this week in San Francisco, we hope to connect with you at the show. You can:
- See the keynote by Brad Smith, President and Chief Legal Officer at 8:35AM PST. You can stream it live if you’re not at RSA.
- Attend our sessions:
- A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts: SP03-T09
- How to Go from Responding to Hunting with Sysinternals Sysmon: HTA-T09
- Critical Hygiene for Preventing Major Breaches: CXO-F02
- Advances in Cloud-Scale Machine Learning for Cyber-Defense: EXP-T11
- Learnings from the Cloud: What to Watch When Watching for Breach: STR-W11
- Visit Booth 3501 in the North Expo Hall and learn how Microsoft solutions work together to improve your organization’s security posture. See the complete Microsoft schedule for RSA 2017. Hope to see you in San Francisco!