Category Archives: Security

16 Jan

Microsoft Azure obtains Korea-Information Security Management System (K-ISMS) certification

Microsoft helps organizations all over the world comply with national, regional, and industry-specific regulatory requirements. These requirements are aimed at securing and protecting the data of individuals, establishments, and critical technology infrastructures. Azure meets the broadest set of international and industry-specific compliance standards, and we’ve added another country-specific compliance offering to our extensive portfolio with the K-ISMS.

The K-ISMS certification was introduced by the Korea Internet and Security Agency (KISA) and is designed to ensure the security and privacy of data in the region through a stringent set of control requirements. Achieving this certification means Azure customers in South Korea can more easily demonstrate adherence to local legal requirements for the protection of key digital information assets and meet KISA compliance standards.

KISA established the K-ISMS to safeguard the information technology infrastructure within Korea. This helps organizations implement and operate information security management systems that facilitate effective risk management and enable them to apply best practice security measures.

This framework is built on successful information security strategies and policies, as well as security countermeasures and threat response procedures to minimize the impact of any security breaches. These requirements have a significant overlap with ISO27001/2 control objectives but are


14 Jan

Our 2019 Resolution: Help you transform your 2008 server applications with Azure!

This blog post was co-authored by Erin Chapple, CVP, Microsoft Windows Server, and Rohan Kumar, CVP, Microsoft Data.

The beginning of a new year is always a time to reflect on our plans. At Microsoft, with the end of support for 2008 servers looming, we’ve been thinking about how we can help you with your server refresh journey. How can we enable you to take advantage of all the cutting-edge innovations available in Azure?

As we take stock, we believe the 3 reasons why Azure is the best place to transform your 2008 server applications are:

Security: With security threats becoming more and more sophisticated, strengthening your organization’s security policies should be top of mind. The good news is that Azure is the most trusted cloud in the market with more certifications than any other public cloud.

Innovation: We have an optimized, low-risk path to help you embrace Azure. And once you are there, you can continue to innovate with fully-managed services such as Azure SQL Database, Azure Cosmos DB and Azure AI.

Cost savings: By taking advantage of Azure Hybrid Benefit and Extended Security Updates, you can save significantly. For example, moving a hundred 2008 servers to


14 Jan

Azure Backup for virtual machines behind an Azure Firewall

This blog post describes how Azure Firewall and Azure Backup can be used together to provide comprehensive protection for your data: the former protects your network, while the latter backs up your data to the cloud. Azure Firewall, now generally available, is a cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. With Azure Firewall you can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. It uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network.

Backup of Azure Virtual Machines

In a typical scenario, you may have Azure Virtual Machines (VMs) running business-critical workloads behind an Azure Firewall. While this is an effective means of shielding your VMs against network threats, you would also want to protect the data in the VMs using Azure VM Backup, which further reduces the risks your data is exposed to. Azure Backup protects the data in your VMs by safely storing it in your Recovery Services Vault. This involves moving data from your


10 Jan

Questions on data residency and compliance in Microsoft Azure? We got answers!

Questions about the security of and control over customer data, and where it resides, are on the minds of cloud customers today. We’re hearing you, and in response, we published a whitepaper that gives clear answers and guidance into the security, data residency, data flows, and compliance aspects of Microsoft Azure. The paper is designed to help our customers ensure that their customer data on Azure is handled in a way that meets their data protection, regulatory, and sovereignty requirements.

Transparency and control are essential to establishing and maintaining trust in cloud technology, and restricted and regulated industries have additional requirements for risk management and for ensuring ongoing compliance. To address this, Microsoft provides an industry-leading security and compliance portfolio.

Security is built into the Azure platform beginning with the development process, which is conducted in accordance with the Security Development Lifecycle (SDL). Azure also includes technologies, controls, and tools that address data management and governance, such as Active Directory identity and access controls, network and infrastructure security technologies and tools, threat protection, and encryption to protect data in transit and at rest.

Microsoft gives customers options so they can control the types of data and locations where customer data


20 Dec

Anatomy of a secured MCU

Secure silicon

Azure Sphere is an end-to-end solution containing three complementary components that provide a secured IoT platform: an Azure Sphere microcontroller unit (MCU), an operating system optimized for IoT scenarios that is managed by Microsoft, and a suite of secured, scalable online services. Microsoft provides over a decade of support for the operating system as well as use of the security service for a single per-device fee, to simplify business planning.

Microsoft built its name in software, but our expertise in silicon runs deep. Over the last 15 years, Microsoft has deeply invested in hardware-based security by designing custom silicon for various Microsoft products. Azure Sphere’s silicon architecture is a culmination of all those years of experience, and our Pluton Security Subsystem is the heart of our security story. In this blog post, I’ll drill down a layer to discuss what puts the “secured” in a secured Azure Sphere MCU. Specifically, I’ll dive into Pluton’s design details, as well as some other general silicon security improvements.

Broadly, any MCU-based device belongs in one of two categories – devices that may connect to the Internet and devices designed to never connect to the Internet. Until recently, virtually


17 Dec

Transparent Data Encryption (TDE) with customer managed keys for Managed Instance

We are excited to announce the public preview of Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK) support for Microsoft Azure SQL Database Managed Instance. Azure SQL Database Managed Instance is a new deployment option in SQL Database that combines the best of on-premises SQL Server with the operational and financial benefits of an intelligent, fully-managed relational database service. 

TDE with BYOK support has been generally available for single databases and elastic pools since April 2018. It is one of the most frequently requested capabilities by enterprise customers who are looking to protect data at rest, or who must meet regulatory and compliance obligations that require implementation of specific key management controls. TDE with BYOK support is offered in addition to TDE with service-managed keys, which is enabled by default on all new Azure SQL Databases: single databases, pools, and managed instances.

TDE with BYOK support uses Azure Key Vault, which provides highly available and scalable secure storage for RSA cryptographic keys backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). Azure Key Vault streamlines the key management process and enables customers to maintain full control of encryption keys, including managing and auditing key access.

Customers can


05 Dec

Azure obtains automotive industry’s TISAX compliance

Microsoft data centers and operations centers handling Microsoft Azure, Office 365, and Dynamics 365 have been evaluated by independent auditors as meeting the strong security requirements of the Trusted Information Security Assessment Exchange (TISAX). TISAX is used by European automotive companies to provide a common information security assessment for internal assessments, the evaluation of suppliers, and as an information exchange mechanism.

As the automotive industry rapidly evolves to incorporate new technologies like the Internet of Things (IoT), connections to the cloud, and autonomous vehicles, information security and privacy are more important than ever, making specialized compliance offerings such as TISAX critical to winning customer trust. Azure’s TISAX compliance allows many companies in the European automotive sector to more easily leverage Azure services, as well as exchange data with suppliers who are also TISAX compliant.

Microsoft’s Northern Europe (Dublin region, Ireland) and Western Europe (Amsterdam region, Netherlands) data centers were assessed at TISAX assessment level 3, the highest level, used for the most sensitive data such as the artificial intelligence (AI) systems required for the development of autonomous vehicles. Selected data centers in France, the United Kingdom, the United States, Canada, Korea, Japan, Australia, and selected regions in Asia have been assessed


28 Nov

Announcing Azure Dedicated HSM availability

The Microsoft Azure Dedicated Hardware Security Module (HSM) service provides cryptographic key storage in Azure and meets the most stringent customer security and compliance requirements. This service is the ideal solution for customers requiring FIPS 140-2 Level 3 validated devices with complete and exclusive control of the HSM appliance. The Azure Dedicated HSM service uses SafeNet Luna Network HSM 7 devices from Gemalto. This device offers the highest levels of performance and cryptographic integration options and makes it simple for you to migrate HSM-protected applications to Azure. The Azure Dedicated HSM is leased on a single-tenant basis.

Key benefits

Migrate HSM-protected applications: The Gemalto HSM model is used by hundreds of applications such as Oracle DB TDE, Active Directory Certificate Services, Apache/NGINX TLS offload, and your own applications that have integrated with SafeNet HSMs over the last 15 years. This makes it easy for you to migrate applications to Azure Virtual Machines or run hybrid topologies spanning Azure and on-premises. It can also be used to back up keys on-premises. Once your applications have migrated to Azure, you will achieve low latency (single-digit millisecond) and high throughput for cryptographic operations (10,000 RSA-2048 tps). Azure Dedicated HSM supports up to ten partitions


28 Nov

Simplifying security for serverless and web apps with Azure Functions and App Service

Serverless and PaaS are all about unleashing developer productivity by reducing the management burden and allowing you to focus on what matters most: your application logic. That can’t come at the cost of security, though, and it needs to be easy to follow best practices. Fortunately, the App Service and Azure Functions platform has a whole host of capabilities that dramatically reduce the burden of securing your apps.

Today, we’re announcing new security features which reduce the amount of code you need in order to work with identities and secrets under management. These include:

Key Vault references for Application Settings (public preview)
User-assigned managed identities (public preview)
Managed identities for App Service on Linux/Web App for Containers (public preview)
ClaimsPrincipal binding data for Azure Functions
Support for Access-Control-Allow-Credentials in CORS config

We’re also continuing to invest in Azure Security Center as a primary hub for security across your Azure resources, as it offers a fantastic way to catch and resolve configuration vulnerabilities, limit your exposure to threats, or detect attacks so you can respond to them. For example, you may think you’ve restricted all your apps to HTTPS-only, but Security Center will help you make absolutely sure. If


26 Nov

The Green Team solves high-risk, systemic security issues for Microsoft Azure

In the past, I’ve spoken at length on the criticality of assuming that breaches can and will occur rather than focusing solely on preventing them. Dating back to 2009, this security strategy, called Assume Breach, has historically been executed by two core groups in Microsoft: the Red Team (attackers) and the Blue Team (defenders). We now introduce the Green Team (fixers).

In 2016, we continued to evolve Assume Breach and established both the concept and the function of Green Teaming in Microsoft Azure. An industry first, the Green Team consists of dedicated resources focused on remediating and solving classes of high-risk and systemic security vulnerabilities for the Azure platform. The Green Team works closely with the Red and Blue Teams to understand what high-risk, systemic security issues exist – specifically those that enable or lead to breaches – and, by performing root cause analysis, identifies and addresses these issues at scale. The team continuously implements the latest best practices to help secure the Azure platform and help protect customer data and workloads. To see some of their best practices in action, let’s look at an example of how this team helps protect
