This blog post was co-authored by Rotem Lurie, Program Manager, Azure Security Center.
Azure Security Center provides you with a bird’s eye security posture view across your Azure environment, enabling you to continuously monitor and improve your security posture using secure score in Azure. Security Center helps you identify and perform the hardening tasks recommended as security best practices and implement them across your machines, data services, and apps. This includes managing and enforcing your security policies and making sure your Azure Virtual Machines, non-Azure servers, and Azure PaaS services are compliant.
Today, we are announcing two new capabilities—the preview for remediating recommendations on a bulk of resources in a single click using secure score and the general availability (GA) of just-in-time (JIT) virtual machine (VM) access for Azure Firewall. Now you can secure your Azure Firewall protected environments with JIT, in addition to your network security group (NSG) protected environments.
Single click remediation for bulk resources in preview
With so many services offering security benefits, it’s often hard to know what steps to take first to secure and harden your workload. Secure score in Azure reviews your security recommendations and prioritizes them for you, so you know which recommendations
We are making it easier for customers to “lift and shift” applications to the cloud while maintaining the same security model used on-premises with the general availability of Azure Active Directory Domain Services (Azure AD DS) authentication for Azure Files. By integrating Azure AD DS, you can mount your Azure file share over SMB using Azure Active Directory (Azure AD) credentials from Azure AD DS domain joined Windows virtual machines (VMs) with NTFS access control lists (ACLs) enforced.
Azure AD DS authentication for Azure Files allows users to specify granular permissions on shares, files, and folders. It unblocks common use cases like single-writer and multi-reader scenarios for your line-of-business applications. As the file permission assignment and enforcement experience matches that of NTFS, lifting and shifting your application into Azure is as easy as moving it to a new SMB file server. This also makes Azure Files an ideal shared storage solution for cloud-based services. For example, Windows Virtual Desktop recommends using Azure Files to host different user profiles and leverage Azure AD DS authentication for access control.
Since Azure Files strictly enforces NTFS discretionary access control lists (DACLs), you can use familiar tools like Robocopy to
Choosing Azure for your applications and services allows you to take advantage of a wide array of security tools and capabilities. These tools and capabilities help make it possible to create secure solutions on Azure. Among these capabilities is Azure disk encryption, designed to help protect and safeguard your data to meet your organizational security and compliance commitments. It uses the industry standard BitLocker Drive Encryption for Windows and DM-Crypt for Linux to provide volume encryption for OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage disk encryption keys and secrets, and ensures that all data on virtual machine (VM) disks is encrypted both in transit and at rest while in Azure Storage.
Beyond securing your applications, it is important to have a disaster recovery plan in place to keep your mission critical applications up and running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of applications running on Azure Virtual Machines so that they are available from a secondary region if you have any outages in the primary region.
Azure Site Recovery now supports disaster recovery of Azure disk encryption (V2) enabled virtual machines without
To help our customers manage their compliance obligations when hosting their environments in Microsoft Azure, we are publishing a series of blueprint samples built into Azure. Our most recent release is the NIST SP 800-53 R4 blueprint that maps a core set of Azure Policy definitions to specific NIST SP 800-53 R4 controls. For US governmental entities and others with compliance requirements based on NIST SP 800-53, this blueprint helps customers proactively manage and monitor compliance of their Azure environments.
The free Azure Blueprints service helps enable cloud architects and information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Blueprints may help speed the creation of governed subscriptions, supporting the design of environments that comply with organizational standards and best practices and scale to support production implementations for large-scale migrations.
Azure leads the industry with more than 90 compliance offerings that meet a broad set of international and industry-specific compliance standards. This puts Microsoft in a unique position to help ease our customers’ burden to meet their compliance obligations. In fact, many of our customers, particularly those in regulated industries, have expressed strong interest in being
As organizations pursue digital transformation by connecting vital equipment or creating new connected products, IoT deployments will get bigger and more common. In fact, IDC forecasts that IoT will continue to grow at double digit rates until IoT spending surpasses $1 trillion in 2022. As these IoT deployments come online, newly connected devices will expand the attack surface available to attackers, creating opportunities to target the valuable data generated by IoT.
Organizations understand the risks and are rightly worried about IoT. Bain’s research shows that security concerns are the top reason organizations have slowed or paused IoT rollouts*. Because IoT requires integrating many different technologies (heterogenous devices must be linked to IoT cloud services that connect to analytics services and business applications), organizations face the challenge of securing both the pieces of their IoT solution and the connections between those pieces. Attackers target weak spots; even one weak device configuration, cloud service, or admin account can provide a way into your solution. Your organization must monitor for threats and misconfigurations across all parts of your IoT solution: devices, cloud services, the supporting infrastructure, and the admin accounts who access them.
To give your organization IoT threat protection and security posture
Governments around the world are in the process of a digital transformation, actively investigating solutions and selecting architectures that will help them transition many of their workloads to the cloud. There are many drivers behind the digital transformation, including the need to engage citizens, empower employees, transform government services, and optimize government operations. Governments across the world are also looking to improve their cybersecurity posture to secure their assets and counter the evolving threat landscape.
To help governments worldwide get answers to common cloud security related questions, Microsoft published a white paper, titled Azure for Secure Worldwide Public Sector Cloud Adoption. This paper addresses common security and isolation concerns pertinent to worldwide public sector customers. It also explores technologies available in Azure to help safeguard unclassified, confidential, and sensitive workloads in the public multi-tenant cloud in combination with Azure Stack and Azure Data Box Edge deployed on-premises and at the edge for fully disconnected scenarios involving highly sensitive data. The paper addresses common customer concerns, including:
- Data residency and data sovereignty
- Government access to customer data, including CLOUD Act related questions
- Data encryption, including customer control of encryption keys
- Access to customer data by Microsoft personnel
- Threat detection and prevention
This two-part blog post is a part of a series about how organizations are using Azure Cosmos DB to meet real world needs, and the difference it’s making to them. In part one, we explored the challenges that led the Microsoft Azure Advanced Threat Protection team to adopt Azure Cosmos DB and how they’re using it. In part two, we’ll examine the outcomes resulting from the team’s efforts.
Built-in scalability, performance, availability, and more
The Azure Advanced Threat Protection team’s decision to use Azure Cosmos DB for its cloud-based security service has enabled the team to meet all key requirements, including zero database maintenance, uncompromised real-time performance, elastic scalability, high availability, and strong security and compliance. “Azure Cosmos DB gives us everything we need to deliver an enterprise-grade security service that’s capable of supporting the largest companies in the world, including Microsoft itself,” says Yaron Hagai, Principal Group Engineering Manager for Advanced Threat Analytics at Microsoft.
A managed database service has saved Hagai’s team immense maintenance efforts, allowing Azure Advanced Threat Protection to stay up and running with only a handful of service engineers. “Azure Advanced Threat Protection saves us from having to patch and upgrade servers, worry
This two-part blog post is a part of a series about how organizations are using Azure Cosmos DB to meet real world needs, and the difference it’s making to them. In part one, we explore the challenges that led the Microsoft Azure Advanced Threat Protection team to adopt Azure Cosmos DB and how they’re using it. In part two, we’ll examine the outcomes resulting from the team’s efforts.
Transformation of a real-time security solution to cloud scale
Microsoft Azure Advanced Threat Protection is a cloud-based security service that uses customers’ on-premises Azure Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. Launched in 2018, it represents the evolution of Microsoft Advanced Threat Analytics, an on-premises solution, into Azure. Both offerings are composed of two main components:
- An agent, or sensor, which is installed on each of an organization’s domain controllers. The sensor inspects traffic sent from users to the domain controller along with Event Tracing for Windows (ETW) events generated by the domain controller, sending that information to a centralized back-end.
- A centralized back-end, or center, which aggregates the information from all the sensors, learns the behavior of the organization’s users and computers,
We continue to expand our ecosystem by partnering with independent software vendors (ISVs) around the globe to deliver prepackaged software solutions to Azure Stack customers. As we are getting closer to our two-year anniversary, we are humbled by the trust and confidence bestowed by our partners in the Azure Stack platform. We would like to highlight some of the partnerships that we built during this journey.
Thales now offers their CipherTrust Cloud Key Manager solution through the Azure Stack Marketplace that works with Azure and Azure Stack “Bring Your Own Key” (BYOK) APIs to enable such key control. CipherTrust Cloud Key Manager creates Azure-compatible keys from the Vormetric Data Security Manager that can offer up to FIPS 140-2 Level 3 protection. Customers can upload, manage, and revoke keys, as needed, to and from Azure Key Vaults running in Azure Stack or Azure, all from a single pane of glass.
Every organization has a unique journey to the cloud based on its history, business specifics, culture, and maybe most importantly their starting point. The journey to the cloud provides many options, features, functionalities, as well as opportunities to improve existing governance, operations, implement new ones, and even redesign the
Earlier this month we released our latest Azure Blueprint for a key compliance standard with the availability of the UK OFFICIAL blueprint for the Government-Cloud (G-Cloud) standard and the National Health Service (NHS) Information Governance standard of the United Kingdom. The new blueprints map a set of Azure policies to the appropriate UK OFFICIAL and UK NHS controls for any Azure-deployed architecture. This allows UK government agencies and partners, and UK health organizations, to more easily create Azure environments that might store and process UK OFFICIAL government data and health data.
Azure Blueprints is a service that enables customers to define a repeatable set of Azure resources that implement and adhere to standards, patterns, and requirements. Azure Blueprints help customers to set up governed Azure environments that can scale to support production implementations for large-scale migrations.
The National Health Service is the national health system for England, which holds the population’s health data. NHS Digital published its guidance on the use of public cloud services for storing confidential patient data, which provides a single standard that governs the collection, storage, and processing of patient data. Adherence to the NHS guidance helps protect the integrity and confidentiality of patient data against unauthorized access, loss, damage,