Azure Security Solutions
*** Please note: An updated version of this course is available here. ***
Security is a critical concern for anyone who uses the cloud. Microsoft takes this seriously and built and operates the Azure platform with security as a key principle. Microsoft secures its data centers and management applications, and provides pay-as-you-go security services. Learn how to take advantage of these security features and services to enable strong security practices in your organization and to protect and secure your own cloud applications.
This course is for security engineers, chief security officers, solution architects, information technologists or anyone wanting to understand security options within the Azure platform.
Viewers should have a basic understanding of cyber security, authentication and authorization best practices, and encryption. Some familiarity with the Azure platform will also be helpful but is not required.
- Understand the shared responsibility model
- Learn how to secure Azure resources such as virtual machines and storage accounts
- Learn how to secure your Azure-based applications
- Learn how to monitor your Azure resources with Azure Security Center
Welcome and Introduction: A brief introduction to the course and an overview of what Bill and Maura will be covering.
Shared Responsibility: In this lesson we'll cover cyber security using the CIA principle: Confidentiality, Integrity, Availability; what security professionals do to ensure each part of CIA: Prevent, Detect, Respond; Microsoft's responsibilities and their own security/compliance processes; what a customer is responsible for; and finally the tools that Azure provides, including AAD, encryption, and secure networking.
Protecting Accounts: In this lesson we'll cover Azure Active Directory and Multi-Factor Authentication.
Securing the Azure Portal: In this lesson we'll cover role-based access control.
Identity Management for Apps: In this lesson we'll cover AAD protection and integration for business apps.
Network Security: In this lesson we'll cover Virtual Private Networks and firewalls.
Data Security: In this lesson we'll cover Encryption and Masking.
Secrets Management: In this lesson we'll cover Key Vault and Shared Access Signatures.
Monitoring and Auditing: In this lesson we'll discuss the Azure Security Center.
Course Conclusion: Course Wrap-Up
In this lecture, we discuss the shared responsibility model for security in cloud computing. Let's start with a brief introduction to some information security concepts: confidentiality, integrity, and availability. These three components make up the CIA triad of information security, and this is a well-known model in the information security space. Confidentiality of data means that only authorized users should be able to view the information.
Integrity of data means that only authorized users can modify information, and that the information is not tampered with at rest or in transit. And availability means data and applications are accessible to authorized users when they need them. As information security professionals, we need to be concerned with CIA. Of course, this is not unique to cloud applications. It's what we need to do every day in our organizations.
This course emphasizes the features and services of Azure that facilitate preventing confidentiality and integrity violations, the C and I of the CIA triad. The A in the CIA triad is availability, and Azure has a great story with backups, geo-replication, and other capabilities for disaster recovery and business continuity, but these are beyond the scope of this course. Let's go back to the responsibility aspect of all this. Have a look at the chart and the column headings. IaaS represents infrastructure as a service.
These are services, such as virtual machines, that are fully managed by cloud customers. PaaS represents platform as a service. These are services, such as Azure websites, where the cloud customer deploys an application to the cloud provider's platform, but maintains responsibility for the application itself. These could also be serverless options, like Azure Functions. And SaaS represents software as a service, where the cloud provider provides a fully functional application, which is shared across organizations.
Think of applications such as Office 365 or Salesforce.com. If you scan from the bottom row and go up, you can see that Microsoft's responsibility is quite high when it comes to physical security, virtual machine infrastructure, and network controls, and then it diminishes as you move further up the chart. You can also see that some cells are orange, which means it's entirely the responsibility of the customer. Some are blue, which is entirely the responsibility of Microsoft, and some are both orange and blue, representing a shared responsibility.
When we put our information on Azure or utilize Azure services, we're entering into a trust relationship with Microsoft. We're trusting them in our CIA model. For example, we need to be sure that not just anyone can enter a Microsoft Azure data center, that Microsoft employees who have access to data centers, either physically or virtually, can't view or change our information, and that Microsoft has controls in place to make our data highly available. This includes uptime and failover capabilities. It's beyond the scope of this course to go into what actions Microsoft takes to ensure their part in shared responsibility, but it does include a wide variety of compliance certification, employee background checks, failover and geo replication of data, and data center physical security. You can learn more about these details from the Microsoft Trust Center.
There's a link provided on the slide. As you'll hopefully conclude from this chart, as a cloud customer, you are responsible for the security of your applications. You're responsible for how you set up and authorize users within identity and access management, and you're responsible for safely storing and protecting your data.
Thankfully, Azure provides a lot of help with features and services, which we'll cover in future lectures in this course. Some examples include Azure Active Directory for identity management, role-based access control in the Azure Portal, encryption of data, and secured networking via network security groups and system firewalls. And before we end this lecture, here's the most important point about the shared responsibility model: even though Microsoft Azure provides a great set of tools, you need to put these tools to use in order to get the benefits. That's your share of the shared responsibility model of cloud security. Let's go take a look at some of those tools.
Bill Wilder is a hands-on architect currently focused on building cloud-native solutions on the Microsoft Azure cloud platform. Bill is CTO at Finomial which provides SaaS solutions to the global hedge fund industry from the cloud, co-founded Development Partners Software in 1999, and has broad industry experience with companies of all sizes – from modest startups to giant enterprises. Bill has been leading the Boston Azure group since founding it in 2009, has been recognized as a Microsoft MVP for Azure since 2010, and is author of Cloud Architecture Patterns (O’Reilly Media, 2012). He speaks frequently at community events, and occasionally at conferences, usually on topics relating to cloud, cybersecurity, and software architecture.