How Secure is Microsoft Azure?
BY: ALBERTO LUGO
One of the foremost concerns on the mind of every managed cloud platform provider is creating solutions that are not only effective but secure. As we all know, security is essential to the functionality of effective managed cloud solutions. Decades of experience have set Microsoft apart and allowed them to create some of the most reliable and secure solutions existing today. Microsoft Azure has capitalized on all this experience and industry-leading cyber security values.
Secure Development Lifecycle
Microsoft Azure was developed using an approach called the Secure Development Lifecycle, or SDL. The security theme that guided its development was one of “assume breach”: design so that any breach is contained and rendered ineffective as quickly as possible. Using the SDL, cyber security and privacy threats are addressed before a single line of code is written. The SDL starts with training. All technical team members working on the platform attend mandatory training on topics such as threat modeling, secure design, secure development and security testing. Before the design phase, the security requirements of the application are written to ensure they’re a top priority in the application design. This is where security and privacy risks are first identified.
In the design phase, threat modeling is used to uncover unnecessary risks in the application design, such as an over-privileged user. In such a case, the user’s roles would be reduced in the application design to mitigate the risk. Microsoft publishes a list of security checks for developers to apply to their code so that code is uniform across all applications. This list also prevents developers from using code that’s no longer maintained and/or is insecure. After the code is written, it’s statically analyzed for vulnerabilities, and then dynamically analyzed through rigorous testing. During testing, the application is purposely given incorrect data, incorrectly formatted data, and randomly generated data to reveal possible vulnerabilities and to exercise the inevitable edge cases that arise in a real-world production environment.
At this point in the development lifecycle, changes to the design may have occurred. A new threat model is created for the new threats those changes introduce, and they are mitigated. Before the code is released, an incident response plan is put in place to quickly deal with any new threats that may arise in the production environment. This includes contact information for in-house developers and for third-party integrations. Before the code goes to production, there’s another security review to reanalyze the threat models, the output of the testing tools, and application integrity. This final report is then compared with the initial requirements to ensure the application securely accomplishes its goals. In the production environment, the pre-release application state, along with all necessary data, is backed up in case a rollback is required. Finally, the new application is released. Any problems can be quickly addressed by referring to the incident response plan created before the release.
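The dynamic-testing step described above (incorrect data, incorrectly formatted data, random data) can be shown in miniature. This added example is not Microsoft's code: it fuzzes a constructed toy `key=number` record parser in a naive form and a hardened form, treating `ValueError` as the documented rejection path and any other exception as an unhandled edge case worth a bug report.

```python
import random

def parse_naive(line):
    """Toy 'before' parser (constructed for this example): turns
    'a=1;b=2' into {'a': 1, 'b': 2} and trusts the input's shape."""
    out = {}
    for pair in line.split(";"):
        parts = pair.split("=")
        out[parts[0]] = int(parts[1])  # IndexError if a pair has no '='
    return out

def parse_hardened(line):
    """Same format, but every malformed shape is rejected with ValueError,
    the one exception callers are documented to handle."""
    if not isinstance(line, str):
        raise ValueError("input must be a str")
    out = {}
    for pair in line.split(";"):
        if pair.count("=") != 1:
            raise ValueError(f"malformed pair: {pair!r}")
        key, value = pair.split("=")
        if not key or not value.isdecimal():
            raise ValueError(f"malformed pair: {pair!r}")
        out[key] = int(value)
    return out

# Constructed corpus: wrong types, wrongly formatted strings; random strings follow.
WRONG_TYPE = [None, 42, b"a=1"]
MALFORMED = ["", "a", "a=", "=1", "a==1", ";;", "a=1;", "a=1;b"]

def fuzz(parser, rounds=500, seed=1):
    """Feed the corpus plus `rounds` random strings to `parser`.
    Returns {exception_name: first_input_that_raised_it} for every
    exception that is NOT the documented ValueError, i.e. a crash."""
    rng = random.Random(seed)
    alphabet = "ab=;19 \x00"
    cases = WRONG_TYPE + MALFORMED + [
        "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 12)))
        for _ in range(rounds)
    ]
    crashes = {}
    for case in cases:
        try:
            parser(case)
        except ValueError:
            continue  # expected rejection of bad input
        except Exception as exc:  # anything else is an unhandled edge case
            crashes.setdefault(type(exc).__name__, repr(case))
    return crashes
```

Running `fuzz(parse_naive)` reports IndexError, AttributeError and TypeError crashes; `fuzz(parse_hardened)` returns an empty dict because every bad input is rejected through the documented path.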
Microsoft Azure is the only cloud service that offers continuous security-health monitoring. The Azure Security Center makes it easy to tailor security solutions to your business needs. With the Azure Security Center and continuous integration, you can quickly detect threats and turn on a dime to mitigate them.
Certifications and Compliance
Microsoft Azure adheres to rigorous guidelines to maintain compliance and receive certifications such as ISO (International Organization for Standardization) 27001. This standard contains hundreds of specifications for how an organization should manage its information infrastructure to keep it secure. At least once per year, the ISO hires a third party to audit Microsoft Azure to ensure that it’s compliant with the specifications and that those controls are working effectively. Adherence to this standard has granted them tremendous acceptance in the global marketplace. Microsoft Azure was the first cloud provider to adhere to ISO 27018, which protects PII (Personally Identifiable Information) and requires the following:
- Customers of Microsoft cloud services know where their data is stored.
- Customer data won’t be used for marketing or advertising without explicit consent.
- Microsoft customers know what’s happening with their PII.
- Microsoft will comply only with legally binding requests for disclosure of customer data (microsoft.com).
The United States federal government has trusted its data to Microsoft Azure because it is also FedRAMP compliant. The FedRAMP standard was created as a response to the Federal Information Security Management Act. This law provides rules about the correct approach to storing, monitoring and safeguarding data. The FedRAMP standard outlines a means to accomplish these objectives while also speeding up the adoption of secure data storage solutions nationwide.
Around the globe, Microsoft Azure has exceeded cyber security expectations. It’s compliant with or exceeds European Union laws for the transfer and storage of personal data, the Argentina PDPA (Personal Data Protection Act), and Canadian privacy laws just to name a few. You can see a full list of their compliance offerings and certifications here. Microsoft Azure really outshines competitors like AWS in the global data center marketplace. With 42 covered regions around the world, Microsoft Azure allows you to put your products and data right where your customers are – creating a faster, simpler, and more secure customer experience.
Secure Identity Management Made Easy
Microsoft Azure has been integrated with Microsoft Active Directory to allow users to be authenticated once and gain access to their Azure applications as well as Office 365 and other Software as a Service (SaaS) applications. This integration is called Azure AD Connect, and it’s built on three components:
- Synchronization – This component keeps track of all users and groups on-site and ensures that they match what’s in the cloud.
- AD FS (Active Directory Federation Services) – This is an optional component used to address more complex authentication requirements.
- Azure AD Connect Health – This component allows you to monitor all your on-site identities as well as the Synchronization and AD FS components.
We’ve seen how Microsoft Azure, a leader in the global data center marketplace, has developed its products to be the best and most secure in the industry. It’s a powerful tool that’s already being used by major organizations like Geico, Uber, Whole Foods, and the United States Government, and it’s also available to you.