Information Security at Microsoft Azure
| Joost Krapels |
Microsoft Azure forms, together with Amazon Web Services and Google Cloud, The Big Three; the three largest cloud providers. Their clients store tons of data, making the web services vital to many operational processes. Securing that data is critical, which Microsoft more than agrees with. They have made a lot of information and documentation available, which is spread out all over the website. In this article we provide an overview of the most important Azure security guidelines, tools, and best practices, and where to find them.
This article is about Azure only. We have a similar article on Amazon AWS security.
Information provision at Azure
Azure is massive. Their security staff alone consists of 3500 people, and 95% of the Fortune 500 companies run Azure. With such a large organization, it is vital that all users can access the information they need, and do not lack in security due to not being able to find implementation advice. Microsoft sadly does not have all of its information on security condensed in one page, making finding the right information challenging to say the least. Amazon Web Services, for example, has their central Security Center, but Azure has three: Azure Security Documentation, Azure Security, and Security products. For developers and other users, the most useful of these three is the the first one, Security Documentation.
Azure Security Documentation:
This part of the website serves as a sort of hub for all documents on information security. The main page starts with some frequently asked questions, followed by the highlights of all security sections, and has a menu on the left which provides full access to said sections. These sections are Architecture and Design, Data security and encryption, Platform and infrastructure, Application, Monitoring, auditing and operations, Governance and compliance, and Resources.
The Azure Security page gives a fairly general overview of the measures Azure themselves take to safeguard their users’data, as well as links to products, services, and information. The most interesting content of this page is the two promotion videos, providing an insight in Azure’s security measures and capabilities. We would describe the Azure Security page as a promotional, less well-linking, but great-looking version of the Security Documentation we discussed above.
Information security is a broad subject that requires attention to Infrastructure-, Platform-, and Software level. Azure has several products to assist with that, which can be found on their Security Products page. The page starts with a useful choice table with solutions for key management, DDOS protection and the web application gateway. If you can get the firewall to work correctly with your application, it is a good solution to protection from many vulnerabilities
Azure’s main security product/tool is called Azure Security Center. Documentation on it can be found by clicking Documentation at the bottom of the information banner.
Other products that Azure offers are Azure Active Directory, VPN Gateway and Azure Dedicated HSM (hardware security modules). They can be found by navigation to Products at the top of the page and selecting Security.
Security best practices
Azure’s Security Best Practices can be reached directly from the menu on the Security Documentation page. It contains a no-nonsense list of links to best practices such as database security and network security. In August 2018 they published the white paper Security best practices for Azure solutions, a fairly large document that is a collection of all the best practices and, therefore, a good place to start.
Other interesting white papers to consider are:
- Introduction to Azure Security (11/2017)
- Advanced threat detection (11/2017)
- Azure logging and auditing (01/2019)
- Data classification for cloud readiness (11/2017)
- Azure network security (08/2018)
From the whitepapers and documentation, we have collected five easy steps to take to immediately improve your Azure security:
- Read the white paper Security best practices for Azure solutions.
- Controlling access to resources is one of the basic steps of information security. Where Amazon has IAM, Microsoft has Azure Active Directory.
- Implement the Data Security and Encryption best practice and use Azure Key vault to manage the keys.
- Protect and distribute the execution of your application using Azure Application Gateway.
- Set up and configure the Azure Web Application Firewall. It takes quite some steps, but the WAF is one of the best tools to help protect your cloud against the OWASP top 10 web application vulnerabilities.
In the open special interest LinkedIn group Information Security NL we like to discuss the latest news on privacy and security. This article has been posted there as well, and we are curious about your take on the situation. Information Security NL is a free initiative for sharing knowledge on information security. Did you find it useful? Please let us know.
Image credit: @chuttersnap via Unsplash
Joost Krapels has completed his BSc. Lifestyle Informatics (Artificial Intelligence) and MSc. Information Sciences at the VU Amsterdam. During his Master study he evaluated several compliance tools for GDPR compliance and interviewed business owners about the impact of the GDPR. Within ICT Institute, Joost provides IT advice to clients, advises clients on Privacy, improves our GDPR tools and templates, and helps develop the Security Verified standard.