Azure Security Deep Dive

John P. Mello Jr.- Contributed Writer

February 18, 2020

Operating your infrastructure in the public cloud requires a lot of consideration. Today’s organizations may have data stored in traditional places, like data centers and on-premise networks, and data elsewhere, like in endpoints, with third-party vendors, and in the cloud. In those environments, identifying who or what is accessing data and ensuring access is limited is critically important. Just as perimeter defenses were once the prime way to protect data, now identity has assumed that role.

With identity as the new perimeter, organizations need to fashion their data protection strategy as if the network controls they’ve implemented don’t exist. In that least privilege or Zero Trust world, anyone or anything that accesses data needs to be authenticated, not just once, but continually. What’s more, they shouldn’t be given more access than they need to fulfill their job.

Cloud Security Guide

Maintaining a Zero Trust environment can be a complex task. It can require the creation of thousands of rules to achieve the granular permissions needed to make the process work. That’s why it’s important for organizations to understand public cloud provider’s security approach.

Let’s take a deeper look into Microsoft Azure.

Microsoft is an immigrant to the cloud, migrating there from the enterprise world. The company realized early on that the cloud was an existential threat to its business, and that it had to make a strong cloud offering, or there would be no more Microsoft. That’s why it has shown a tremendous commitment to Azure.

Azure was created for building, testing, deploying, and managing applications and services through its global network of data centers. It is built with customized hardware and has security controls integrated into its hardware and firmware components.

Microsoft has more than 3,500 cybersecurity experts working to keep Azure secure and an extensive threat intelligence operation that includes analysis of 18 billion Bing web pages, 400 billion emails, a billion Windows device updates, and 450 billion monthly authentications.

Azure is based on Microsoft’s Active Directory product, with some modifications for cloud operation. Because Active Directory is popular — it has a 95 percent market share in Fortune 500 companies — Azure will appear familiar to many IT professionals, which makes it comfortable for them to work with. On the other hand, because Active Directory has on-premise networking roots, some of its mechanisms aren’t as well-suited to the cloud as some of Azure’s competitors.

For example, multi-tenancy wasn’t a Microsoft strong suit. Hence, some features that worked in on-premise deployments didn’t work when they were cut and pasted into the cloud. In addition, some functions don’t work the way they do in an on-prem world.

Nevertheless, because of the strong connection to Active Directory, it’s easy to sync an enterprise Active Directory to Azure so all the identities, groups,  and memberships from the enterprise just float into the cloud where all the controls on those things are preserved.

Microsoft’s enterprise experience is evident in Azure in other ways, too. When designing Azure, Microsoft imposed tighter controls on setting up accounts to prevent scenarios where anyone with a credit card can spin up an account for an organization. Once an email domain is registered with an account, it’s difficult to set up another Azure account with it. That helps avoid a problem that pops up in AWS where organizations don’t know where all their accounts are. It also helps put a damper on the use of “Shadow IT” in the cloud.

Another strong suit of Azure is its use of encryption by default. It supports several encryption models. They include server-side encryption that uses service-managed keys, customer-managed keys in Key Vault, or customer-managed keys on customer-controlled hardware. With client-side encryption, keys can be managed and stored on-premises or in another secure location.

Microsoft Azure provides a foundation for your organization to host your infrastructure and applications while also providing some built-in security services and unique intelligence to protect workloads. Microsoft’s included a breadth of security tools that span across identity, networking, data, and IoT and to help organizations manage their security posture.

Sonrai Security can help.

If your organization has implemented Microsoft Azure and your organization is not sure where risks maybe, Sonrai Security can help. Our platform delivers a complete risk model of all these identity and data relationships, including activity and movement across cloud accounts, cloud providers, and 3rd party data stores.

The Sonrai Security platform has been developed to help organizations improve security, ensure compliance and increase operational efficiencies for Microsoft Azure and other cloud platforms. Core to the service is the ability to gain a centralized and consistent view into cloud identity and data relationships, activity, and data movement across cloud accounts, cloud providers, and 3rd party data stores. Request a demo of the Sonrai Security platform to see if this solution is right for your cloud environment.