Before we begin to discuss how to develop secure applications using Azure Cosmos DB, we should also highlight some of the different layers of security that Azure Cosmos DB offers. The following image illustrates these various layers of security:
Azure Cosmos DB is a ring zero Azure service, which means it is available in any new Azure data center as soon as that data center goes online and must keep all its compliance certificates current. Azure Cosmos DB has a plethora of certifications that you can read more about in the blog post “Azure #CosmosDB: Secure, private, compliant”.
The first layer of Azure provides physical safety of data centers and continuous protection from DDoS attacks. Azure has dedicated teams that continuously monitor for security issues. All Azure services run a common security agent to collect anomalous activity. Production resources are patched regularly, and all secrets, certificates, and passwords have a defined lifetime. These certificates and secrets should be rotated after they expire. All production ports in Azure Cosmos DB are scanned and penetration tested regularly. Source code is scanned for security issues and requires two approvers before it is integrated into the product. For additional information, read more
This is the fourth blog in a 4-part blog post series on how Microsoft Azure provides a secure foundation.
Microsoft provides you with a secure foundation to host your infrastructure and applications. In the last blog in this series on infrastructure security, I shared top customer concerns about high investment without clear ROI and challenges of retaining security experts. In this blog, I discuss how Microsoft Azure can help you gain security expertise without additional investment through our operational best practices and a global team of over 3,500 cybersecurity experts. Today, we are going to look at the different operational practices our security experts follow to help ensure your data is secure.
1. Secure deployment practices
The Security Development Lifecycle (SDL) is a collection of industry-recognized best practices that address the seven phases of software development. It helps our developers build more secure software and meet security compliance requirements.
Our developers follow the SDL to ensure they are meeting core security principles throughout development, resolving security issues before their code is deployed, and adhering to the security standards used by all software developed for the Azure platform.
The SDL is a repeatable process that all software development teams within Azure use
This blog post is part of our security series for National Cybersecurity Awareness Month, where we discuss how federal CIOs can best prepare for a cloud environment that works securely with their on-premises datacenters.
The need for federal agencies to get their hybrid cloud roadmaps in place has reached a tipping point over the past year, especially as pressures mount to modernize the government’s vast portfolio of aging legacy IT systems and make smarter use of available IT funding.
Agency IT leaders, however, face a deeper challenge: deciding which applications to move to the cloud and which should be rebuilt or replaced to function securely in a hybrid environment. They must do so while planning for a rapidly changing cybersecurity landscape.
That’s why rationalizing and rightsizing your applications deserves careful attention. This is also why aligning with the right partners who can support your applications, whether in the cloud or on-premises, can be the difference between successful IT modernization and merely lifting-and-shifting to the cloud.
That’s one reason a growing number of agencies are choosing the flexibility and built-in security features of cloud platforms such as Microsoft Azure Government. Azure Government gives leaders a flexible way to test out their
Nowadays, more and more enterprises are migrating their monolith applications to run mission-critical, containerized cloud-native applications in production. Containers provide multiple advantages, both for developers and IT professionals. They are easy and fast to deploy, immutable, and provide fast iteration. As the number of containers deployed continues to increase, security solutions need to be in place to provide you with visibility into the security state of your containers and help protect them from threats.
Azure Security Center now provides you with several new capabilities to help you secure your containers.
1. Visibility into the containers hosted on IaaS Linux machines
In Azure Security Center, a new Containers tab is now available that displays all virtual machines running Docker.
When exploring the security issues of a virtual machine, Security Center now provides additional information related to the containers on the machine, such as Docker version and the number of images running on the host.
2. Security recommendations based on the CIS benchmark for Docker
Security Center scans your Docker configurations and gives you visibility into misconfigurations by providing a list of all failed rules that were assessed. Security Center gives you guidelines to help you resolve these issues
Is your business ready for the holiday season?
As we approach the holiday season and bring in thoughts of good cheer, many companies face an elevated risk of cyber-attacks. What makes the holidays such an enticing time for hackers is the combination of reduced staff and an increase in traffic volume, due to an uptick in eCommerce, that helps attackers evade detection. All of this makes the time of year too attractive for cyber-criminals to pass up.
In fact, security firms report a 150 percent increase in DDoS attacks in the months between summer and the end of the year. DDoS is becoming an unfortunate and inevitable addition to the holidays.
DDoS is an ever-growing problem, and the types of attacks are getting increasingly sophisticated. More importantly, DDoS attacks are often used as a “smokescreen,” masking more malicious and harmful infiltration of your resources. The technology used to create DDoS attacks continues to grow in sophistication while the cost and skill needed to launch them keep falling, driving up the frequency and ease with which criminals can wreak havoc on businesses and users.
Readily available DDoS toolkits, botnet-for-hire services and an explosion of inadequately
Recently at the Microsoft Experiences18 conference in Paris, we shared that Microsoft Azure, Microsoft Office 365, and Microsoft Dynamics have been granted a Health Data Hosting (HDS) certification. This makes Microsoft the first major cloud provider to meet the strict standards for storing and processing health data in data centers located in France under the new certification process that began in June 2018.
This validates the very high level of safety and protection that Microsoft can offer to French healthcare entities, who will be able to rely on the Microsoft cloud to deploy the applications and health services of tomorrow. These applications and health services will also be in compliance with the current regulations on data protection and privacy.
With the HDS certification, health providers in France will not only be able to take advantage of the efficiencies of the cloud, but will also be empowered to innovate with new technologies such as artificial intelligence and mixed reality. Both have the potential to transform the delivery of health services.
Trust is essential when health information is held and shared in the public cloud. The privacy of health-related information is critical. Microsoft takes a holistic defense-in-depth approach to security
When an attacker compromises a machine, they typically have a goal in mind. Some attackers are looking for information residing on the victim’s machine or for access to other machines on the victim’s network. Other times, attackers plan to use the processing power of the machine itself, or even to use the machine as a launch point for other attacks. On Linux virtual machines (VMs) in Microsoft Azure, we most commonly see attackers installing and running cryptocurrency mining software, but this blog post will focus on the latter case, where an attacker wants to use the compromised machine as a launch point for other attacks.
Azure Security Center (ASC) utilizes an agent that runs on multiple distributions of Linux. When auditd is enabled, it collects logs including process creation events. These are run through the detection pipeline to look for malicious and suspicious activity. Alerts are surfaced through the ASC portal.
The Microsoft Threat Intelligence Center uses a range of methods to identify new emerging threats, including a sophisticated hybrid Linux honeypot service. A honeypot is a decoy system, set up to be attacked and lure cyber attackers to reveal themselves.
In this post, we discuss some recent instances
The next wave of computing is already taking shape around us as IoT enables businesses to sense all aspects of their operations in real time and take informed action, and to run cloud workloads on those IoT devices so they don’t require “always on” connectivity to the cloud to make real-time, context-aware decisions. This is the intelligent edge, and it will define the next wave of innovation, not just for business, but also for how we address some of the world’s most pressing issues.
Drones or unmanned aircraft systems (UAS) are great examples of intelligent edge devices being used today to address many of these challenges, from search and rescue missions and natural disaster recovery, to increasing the world’s food supply with precision agriculture. With the power of AI at the edge, drones can have a profound impact in transforming businesses and improving society, as well as in assisting humans in navigating high-risk areas safely and efficiently.
With these advanced capabilities also comes great responsibility including respecting the laws that govern responsible drone use in our airspace, as well as the applications of the drones to scan the environment. We believe it is important to protect data wherever it lives, from the cloud
With an increasing number of recommendations and many security vulnerabilities surfaced, it is harder to triage and prioritize your response. In addition to a growing amount of information, you have limited resources and time. Azure Secure score helps you prioritize and triage your response to security recommendations by assigning values to the recommendations that can most help improve your security posture.
Last month at Ignite, we announced that Secure score is a security analytics tool that provides visibility of your organization’s security posture and helps to answer the most important question, “how secure is my workload?” Secure score takes into consideration the severity and the impact of the recommendation. Based on that information, it assigns a numerical value to show how fixing this recommendation can improve your security posture.
When a recommendation is remediated, the recommendation score updates and the overall Secure score is also updated.
The main goals of Secure score are to provide these capabilities to your organization:
Visualization of the security posture
Fast triage and suggestions that provide meaningful action to increase your security posture
Measurement of the workload security over time
Azure Security Center constantly reviews your active recommendations and calculates your secure score
Picking the right security for the job is a challenging issue. Obviously, everyone wants maximum security for IoT solutions. But issues such as hardware limitations, cost consciousness, lack of security expertise, and more all play into which security option is ultimately chosen for how your IoT devices connect to the cloud. There are many dimensions of IoT security and in my experience authentication type tends to be the first one customers encounter, though all are important.
In this blog post, I’m going to discuss the authentication types supported by the Azure IoT Hub Device Provisioning Service and Azure IoT Hub. There are other authentication methods out there, but these are the ones we have found to be the most widely used.
Azure IoT published a whitepaper about evaluating your IoT security, and we also offer the Security Program for Azure IoT. This security program helps you find the right security auditor for your situation, one who can help you figure out how much security you need for your solution. These companies are experts at evaluating IoT security; if you have any in-depth questions around security, I highly recommend you give them a try. You can also learn about how to