Category Archives: Security



Azure and Intel commit to delivering next generation confidential computing

In Azure, your data is your data. Not only is it protected at rest and in transit, but Microsoft Azure extends that protection to data in use with confidential computing.

Azure was the first major public cloud to deliver confidential computing, which opened up new levels of privacy and innovation for our customers. Today customers in finance, government, healthcare, and telecom use Azure to detect fraud, improve communications privacy, secure blockchain, deliver multi-party machine learning, and enable secure key management.

Azure now has the broadest portfolio of confidential computing options including confidential virtual machines, confidential containers, confidential machine learning, confidential IoT edge devices, and soon confidential capabilities within Azure SQL.

Today, we are announcing that Azure will be an early adopter of the 3rd generation Intel® Xeon® Platform, code-named Ice Lake, which includes full memory encryption and accelerated cryptographic performance for confidential computing with Intel Software Guard Extensions (SGX). Available next year, this technology will unlock even more confidential computing scenarios for our customers.

Beyond the hardware security protections, Microsoft Azure Attestation (MAA) further improves security by enabling customers to remotely attest to the authenticity of the SGX enclave at the hardware level, ensures the latest security patches




Protect multi-cloud workloads with new Azure security innovations

In the last six months, COVID-19 has changed almost everything about the way we approach work and security. Now, you have to meet the needs of a remote workforce, support rapidly evolving business requirements, and steer your organization to the next normal – even without actually knowing what that normal will entail. At the same time, cybersecurity is more crucial than ever, as bad actors exploit the opportunity to prey on fears and weaknesses.

On the surface, all of this may seem intimidating. But with this kind of dramatic change also comes the opportunity to evolve. We know that the “new normal” now requires you to address a higher volume of security work than ever, all while remaining agile and reducing costs. How do you do that? By having a razor-sharp focus on what’s important. That’s why Microsoft Azure is here to empower you with cloud-native tools that give you the breadth of coverage you need to defend against bad actors, alongside built-in AI to help you focus your attention on the biggest threats and most critical priorities.

Today, we’re pleased to announce a broad set of innovations to help you protect multi-cloud and Azure workloads, including:





Build a scalable security practice with Azure Lighthouse and Azure Sentinel

The Microsoft Azure Lighthouse product group is excited to launch a blog series covering areas in Azure Lighthouse where we are investing to make our service provider partners and enterprise customers successful with Azure. Our first blog in this series covers a top area of consideration for companies worldwide, security, with a focus on how Azure Lighthouse can be used alongside Microsoft’s Azure Sentinel service to build an efficient and scalable security practice.

Today, organizations of all sizes are looking to reduce costs and complexity and to gain efficiencies in their security operations. Because cloud security solutions help meet these requirements by providing flexibility, simplicity, pay-per-use pricing, automatic scalability, and protection across heterogeneous environments, more and more companies are embracing them.

While achieving efficiencies is the need of the hour, organizations also face a shortage of security experts in the market. This is where there is tremendous potential for service providers to fill the gap by building and offering security services on top of cloud security solutions. Before diving deeper, let me start with a brief introduction to Azure Lighthouse and Azure Sentinel.

Azure Lighthouse helps service providers and large enterprises manage environments of multiple customers or individual subsidiaries,




Protecting Windows Virtual Desktop environments with Azure Security Center

With massive workforces now remote, IT admins and security professionals are under increased pressure to keep everyone productive and connected while combatting evolving threats.

Windows Virtual Desktop is a comprehensive desktop and application virtualization service running in Azure, delivering simplified management for virtual desktop infrastructure (VDI).

While organizations go through this transformation to keep their employees productive, IT and security professionals are required to ensure that the Windows Virtual Desktop deployment follows security best practices so that it doesn’t add unnecessary risk to the business. In this blog, we will explore how Azure Security Center can help maintain your Windows Virtual Desktop environment’s configuration hygiene and compliance, and protect it against threats.

Overview of Windows Virtual Desktop Host Pool architecture

When setting up your Windows Virtual Desktop environment, you first need to create a Host Pool, which is a collection of one or more identical virtual machines (VMs). To support the remote workforce use case, these VMs will usually run a Windows 10 multi-session OS. Below is an overview of the architecture:

You can find the VMs running in your host pool by opening the Host Pool details and clicking the Resource Group name.






Azure Files support and new updates in advanced threat protection for Azure Storage

A year ago we announced the general availability of advanced threat protection for Azure Storage, to help our customers better protect their data in blob containers from the growing risk of cyberattacks. Since then, advanced threat protection for Azure Storage has been protecting millions of storage accounts and helping customers to detect common threats such as malware, access from suspicious sources (including Tor exit nodes), data exfiltration activities, and more.

Today we’re excited to announce the preview of extending advanced threat protection for Azure Storage to support Azure Files and Azure Data Lake Storage Gen2 API, helping our customers to protect their data stored in file shares and data stores designed for enterprise big data analytics.

Growing demand to secure file shares and data lakes

More and more organizations are moving their data to the cloud, seeking better security and data protection, data modernization, and optimized cost and performance of IT operations. It’s expected that over 80 percent of enterprise workloads will be in the cloud by the end of 2020.

This growing demand has also increased the popularity of Azure Files Storage, which delivers secure, Server Message Block (SMB) based, fully managed cloud file shares that can also be




New Azure Firewall features in Q2 CY2020

We are pleased to announce several new Azure Firewall features that allow your organization to improve security, have more customization, and manage rules more easily. These new capabilities were added based on your top feedback:

Custom DNS support now in preview.
DNS Proxy support now in preview.
FQDN filtering in network rules now in preview.
IP Groups now generally available.
AKS FQDN tag now generally available.
Azure Firewall is now HIPAA compliant.

In addition, in early June 2020, we announced Azure Firewall forced tunneling and SQL FQDN filtering are now generally available.

Azure Firewall is a cloud-native firewall as a service (FWaaS) offering that allows you to centrally govern and log all your traffic flows using a DevOps approach. The service supports both application and network-level filtering rules and is integrated with the Microsoft Threat Intelligence feed for filtering known malicious IP addresses and domains. Azure Firewall is highly available with built-in auto scaling.

Custom DNS support now in preview

Since its launch in September 2018, Azure Firewall has been hardcoded to use Azure DNS to ensure the service can reliably resolve its outbound dependencies. Custom DNS provides separation between customer and service name resolution. This allows you to configure Azure
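The following script is an added example, not code from the Azure blog post, showing how the features listed above (custom DNS, DNS proxy, FQDN filtering in network rules, and IP Groups) fit together from the Azure CLI. Resource group, firewall, VNet and IP Group names, the DNS server and firewall addresses, and the FQDN are placeholders; the flag names are those of the azure-firewall and ip-group CLI extensions. One caveat a practitioner should keep in mind: FQDN filtering in network rules depends on DNS proxy being enabled, because the firewall and the clients must resolve the name to the same address for the rule to match the traffic.

```shell
#!/usr/bin/env bash
# Added example, not code from the Azure blog post: wire up custom DNS, DNS
# proxy, an IP Group and an FQDN network rule on an Azure Firewall with the
# Azure CLI. All resource names, addresses and the FQDN are placeholders.
# Requires the CLI extensions:
#   az extension add --name azure-firewall && az extension add --name ip-group
set -eu

# Run an az command, or only print it when DRY_RUN is set, so the change set
# can be reviewed before it touches a subscription.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Custom DNS plus DNS proxy: the firewall forwards to the organisation's own
# resolvers and answers DNS queries from the VNet itself.
set_firewall_dns() {
  local rg=$1 fw=$2; shift 2          # remaining arguments: DNS server IPs
  run az network firewall update -g "$rg" -n "$fw" \
    --dns-servers "$@" --enable-dns-proxy true
}

# Make the VNet's clients resolve through the firewall's private IP. With DNS
# proxy on, firewall and clients then see the same answers, which is what
# FQDN filtering in network rules relies on.
point_vnet_at_firewall() {
  local rg=$1 vnet=$2 fw_private_ip=$3
  run az network vnet update -g "$rg" -n "$vnet" --dns-servers "$fw_private_ip"
}

# IP Group: one named set of source prefixes reused across rule collections
# instead of repeating address lists in every rule.
create_ip_group() {
  local rg=$1 name=$2; shift 2        # remaining arguments: CIDR prefixes
  run az network ip-group create -g "$rg" -n "$name" --ip-addresses "$@"
}

# Network rule keyed on a destination FQDN rather than an IP, scoped to the
# IP Group. FQDN network rules only work while DNS proxy is enabled.
add_fqdn_network_rule() {
  local rg=$1 fw=$2 ipgroup_id=$3 fqdn=$4 port=$5
  run az network firewall network-rule create -g "$rg" -f "$fw" \
    --collection-name allow-by-fqdn --priority 200 --action Allow \
    --name "allow-$fqdn" --protocols TCP \
    --source-ip-groups "$ipgroup_id" \
    --destination-fqdns "$fqdn" --destination-ports "$port"
}

# Example sequence (placeholder values). Run with DRY_RUN=1 to print the
# commands instead of executing them:  DRY_RUN=1 ./fw-dns.sh apply
if [ "${1:-}" = "apply" ]; then
  set_firewall_dns prod-rg prod-fw 10.0.0.4 10.0.0.5
  point_vnet_at_firewall prod-rg prod-vnet 10.0.1.4   # firewall private IP
  create_ip_group prod-rg workstations 10.1.0.0/24 10.1.1.0/24
  add_fqdn_network_rule prod-rg prod-fw \
    "/subscriptions/<sub>/resourceGroups/prod-rg/providers/Microsoft.Network/ipGroups/workstations" \
    sql.contoso.com 1433
fi
```

The dry-run wrapper is deliberate: firewall DNS and rule changes affect every flow through the hub, so printing and reviewing the exact commands before applying them is a cheap check. The firewall's private IP used for the VNet DNS setting can be read with `az network firewall show` once the firewall exists.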




Stay ahead of attacks with Azure Security Center

With massive workforces now remote, the stress of IT admins and security professionals is compounded by the increased pressure to keep everyone productive and connected while combatting evolving threats. Now more than ever, organizations need to reduce costs, keep up with compliance requirements, all while managing risks in this constantly evolving landscape.

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud, whether they’re in Azure or not, as well as on-premises.

Last week Ann Johnson, Corporate Vice President, Cybersecurity Solutions Group, shared news of an upcoming Azure Security Center virtual event—Stay Ahead of Attacks with Azure Security Center on June 30, 2020, from 10:00 AM to 11:00 AM Pacific Time. It’s a great opportunity to learn threat protection strategies from the Microsoft security community and to hear how your peers are tackling tough and evolving security challenges.

At the event, you’ll learn how to strengthen your cloud security posture and achieve deep and broad threat protection across cloud workloads—in Azure, on-premises, and in hybrid cloud. We will also talk about how to combine Security Center with Azure Sentinel




Azure Container Registry: Securing container workflows

Securing any environment requires multiple lines of defense. Azure Container Registry recently announced the general availability of features like Azure Private Link, customer-managed keys, dedicated data-endpoints, and Azure Policy definitions. These features provide tools to secure Azure Container Registry as part of the container end-to-end workflow.

Customer-managed keys

By default, when you store images and other artifacts in an Azure Container Registry, content is automatically encrypted at rest with Microsoft-managed keys.

Choosing Microsoft-managed keys means that Microsoft manages the key’s lifecycle. Many organizations have stricter compliance needs that require them to own and manage the key’s lifecycle and access policies. In such cases, customers can choose customer-managed keys that are created and maintained in their own Azure Key Vault instance. Since the keys are stored in Key Vault, customers can also closely monitor access to these keys using the built-in diagnostics and audit logging capabilities in Key Vault. Customer-managed keys supplement the default encryption with an additional encryption layer using keys the customer controls. See details on how you can create a registry enabled for customer-managed keys.
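As an added example (not code from the post or from the Azure Container Registry team), the script below creates a registry encrypted with a customer-managed key and turns on the Key Vault audit logging the paragraph refers to. Resource group, vault, identity, key, registry and workspace names are placeholders. Two checks worth knowing before running it: customer-managed keys are a Premium-tier registry feature, and the vault must have purge protection enabled, because a purged key would leave every stored image unreadable.

```shell
#!/usr/bin/env bash
# Added example, not code from the Azure blog post: create an Azure Container
# Registry encrypted with a customer-managed key held in Key Vault and send the
# vault's audit log to Log Analytics. All names and IDs are placeholders.
set -eu

# Run an az command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Vault holding the CMK. Purge protection matters: if the key were purged,
# every layer in the registry would become unreadable.
create_key_vault() {
  local rg=$1 kv=$2 location=$3
  run az keyvault create -g "$rg" -n "$kv" -l "$location" \
    --enable-purge-protection true
}

# Identity the registry uses to reach the vault, and the RSA key itself.
# ('az identity create' returns 'id' and 'principalId'; 'az keyvault key create'
#  returns the key's 'kid' URL. Capture them with --query ... -o tsv.)
create_identity_and_key() {
  local rg=$1 identity=$2 kv=$3 key=$4
  run az identity create -g "$rg" -n "$identity"
  run az keyvault key create --vault-name "$kv" -n "$key" --protection software
}

# Least-privilege access policy: the registry identity needs only
# get/wrapKey/unwrapKey on keys, nothing on secrets or certificates.
grant_identity_key_access() {
  local kv=$1 principal_id=$2
  run az keyvault set-policy -n "$kv" --object-id "$principal_id" \
    --key-permissions get unwrapKey wrapKey
}

# CMK encryption is a Premium-tier feature. identity_id is the identity's ARM
# resource id; key_id is the key's 'kid' URL (omitting the version lets the
# registry follow key rotation).
create_registry_with_cmk() {
  local rg=$1 acr=$2 identity_id=$3 key_id=$4
  run az acr create -g "$rg" -n "$acr" --sku Premium \
    --identity "$identity_id" --key-encryption-key "$key_id"
}

# Route Key Vault AuditEvent logs to a Log Analytics workspace so every
# wrap/unwrap by the registry (or anyone else) can be reviewed and alerted on.
enable_vault_audit_logging() {
  local kv_resource_id=$1 workspace_id=$2
  run az monitor diagnostic-settings create -n kv-audit \
    --resource "$kv_resource_id" --workspace "$workspace_id" \
    --logs '[{"category":"AuditEvent","enabled":true}]'
}

# Example sequence (placeholder values):  DRY_RUN=1 ./acr-cmk.sh apply
if [ "${1:-}" = "apply" ]; then
  create_key_vault prod-rg prod-acr-kv westeurope
  create_identity_and_key prod-rg prod-acr-identity prod-acr-kv acr-key
  grant_identity_key_access prod-acr-kv "<principalId of prod-acr-identity>"
  create_registry_with_cmk prod-rg prodacr \
    "<resource id of prod-acr-identity>" "https://prod-acr-kv.vault.azure.net/keys/acr-key"
  enable_vault_audit_logging "<resource id of prod-acr-kv>" "<resource id of workspace>"
fi
```

The access policy is the part to watch in review: granting the registry identity broad key or secret permissions defeats the point of owning the key. The AuditEvent stream then shows which identity wrapped or unwrapped the key and when, which is the evidence an auditor asks for.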

Private links

Container Registry previously had the ability to restrict access using firewall rules. With the introduction of Private Link, the registry




New Azure maps make identifying local compliance options easy

Countries around the world are placing more compliance requirements on organizations of all types, and customers want to more easily understand which compliance offerings are available in their locale before they deploy cloud resources. Today we’re releasing a new infographic, along with a 37-page e-book showing compliance details in over 30 key geographies.

Organizations around the world are taking advantage of digital transformation by moving data and services to the cloud. Yet for organizations to feel secure in taking advantage of the cloud, they must first trust in the security and privacy protections offered by cloud providers. Compliance plays a critical role in building that trust.

Azure is a cloud platform that is built for global compliance, being certified by independent auditors for a set of rigorous and widely-recognized compliance standards, including ISO/IEC 27001 and ISO/IEC 27018, FedRAMP, and SOC 1, 2, and 3 Reports. Azure compliance offerings are global, with over 90 compliance offerings, including offerings specific to separate geographies, regions, and industries.

Azure global compliance infographic

The Azure global compliance infographic provides a full-page, single view of all of Azure’s over 90 compliance offerings in a global context. The infographic displays global offerings, which apply to all Azure




Monitor your Azure workload compliance with Azure Security Benchmark

The Azure Security Benchmark v1 was released in January 2020 and is being used by organizations to manage their security and compliance policies for their Azure workloads. We are pleased to share that you can now track and monitor your compliance with the benchmark across your Azure environment in Azure Security Center.

The Azure Security Benchmark is a collection of over 90 security best practice recommendations you can employ to increase the overall security and compliance of all your workloads in Azure. The Azure Security Benchmark is based on common compliance frameworks and standards but is tailored to cloud deployments and specifically to Azure workloads. The benchmark provides specific guidance on how these common controls apply to Azure, and what you specifically need to implement in Azure to meet those requirements.

Now, not only can you understand the fundamental compliance framework requirements in Azure terms, but you can also measure and track how your own deployed Azure workloads are meeting those requirements at any given time.

Azure Security Center provides built-in automation for monitoring your compliance with the benchmark controls across different Azure resource types and workloads. Azure Security Center not only measures your compliance with the controls but also provides actionable