Category Archives : Security

31

Jul

Azure management groups now in general availability

I am very excited to announce today the general availability of Azure management groups to all our customers. Management groups allow you to organize your subscriptions and apply governance controls, such as Azure Policy and Role-Based Access Controls (RBAC), to the management groups. All subscriptions within a management group automatically inherit the controls applied to the management group. No matter if you have an Enterprise Agreement, Certified Solution Partner, Pay-As-You-Go, or any other type of subscription, this service gives all Azure customers enterprise-grade management at a large scale for no additional cost.

With the GA launch of this service, we introduce new functionality to Azure that allows customers to group subscriptions together so that you can apply a policy or RBAC role to multiple subscriptions, and their resources, with one assignment. Management groups not only allow you to group subscriptions but also allow you to group other management groups to form a hierarchy. The following diagram shows an example of creating a hierarchy for governance using management groups.

By creating a hierarchy like this you can apply a policy, for example, VM locations limited to US West Region on the group “Infrastructure Team management group” to enable internal compliance and

30

Jul

Experts tips on hardening security with Azure security

Note: This blog was authored by the Microsoft Threat Intelligence Center.

Microsoft Azure provides a secure foundation for customers to host their infrastructure and applications. Microsoft’s secure foundation spans across physical, infrastructure, and operational security. Part of our operational security includes over 3,500 cybersecurity experts across different teams that are dedicated to security research and development. The Microsoft Threat Intelligence Center is just one of the security teams at Microsoft that encounters and mitigates against threats across the security landscape.

On today’s episode of Microsoft Mechanics, you’ll see how the work of the Microsoft Threat Intelligence Center is helping to secure Azure and the global security landscape. This team works to identify issues such as peer-to-peer networking software, standard botnet and ransomware attacks, and adversary-based threats from hackers or nation-state-sponsored groups.

The team also has a broad view across many geographies and a view of the services that run in Azure. With this insight, the team can see common attack patterns. These patterns can be at the network level, service level, app level, or OS level. As soon as an exploit is detected, the Microsoft Threat Intelligence Center works with other teams at Microsoft to build

26

Jul

How to enhance HDInsight security with service endpoints

HDInsight enterprise customers work with some of the most sensitive data in the world. They want to be able to lock down access to this data at the networking layer as well. However, while service endpoints have been available in Azure data sources, HDInsight customers couldn’t leverage this additional layer of security for their big data pipelines due to the lack of interoperability between HDInsight and other data stores. As we have recently announced, HDInsight now supports service endpoints for Azure Blob Storage, Azure SQL databases, and Azure Cosmos DB.

With this enhanced level of security at the networking layer, customers can now lock down their big data storage accounts to their specified Virtual Networks (VNETs) and still use HDInsight clusters seamlessly to access and process that data.

In the rest of this post we will explore how to enable service endpoints and point out important HDInsight configurations for Azure Blob Storage, Azure SQL DB, and Azure Cosmos DB.

Azure Blob Storage:

When using Azure Blob Storage with HDInsight, you can configure selected VNETs in the blob storage account's firewall settings. This will ensure that only traffic from those subnets can access this storage account.

It is important to

25

Jul

Security Center’s adaptive application controls are generally available

Azure Security Center provides several threat prevention mechanisms to help you reduce surface areas susceptible to attack. One of those mechanisms is adaptive application controls. Today we are excited to announce the general availability of this capability, which helps you audit and block unwanted applications.

Adaptive application controls help you define the set of applications that are allowed to run on configured groups of virtual machines (VMs). Enabling adaptive application controls for your VMs in Azure Security Center allows you to do a few things. First, it recommends applications (EXEs, MSIs, and scripts) for whitelisting, automatically clustering similar VMs to ease manageability and reduce exposure to unnecessary applications. It also applies the appropriate rules in an automated fashion, monitors any violations of those rules, and enables you to manage and edit previously applied application whitelisting policies.

By default, Security Center enables application control in Audit mode. After validating that the whitelist has not had any adverse effects on your workload, you can change the protection mode to Enforce mode through the Security Center management UI.

You can also change the application control policy for each configured group of VMs through the same Security Center management UI, edit and

17

Jul

Intelligent Healthcare with Azure Bring Your Own Key (BYOK) technology

Sensitive health data processed by hospitals and insurers is under constant attack from malicious actors who try to gain access to health care systems with the goal of stealing or extorting personal health information. Change Healthcare has implemented a Bring Your Own Key (BYOK) solution based on Microsoft Azure Cloud services and introduces Intelligent Healthcare today.

Change Healthcare is enabling payers and providers to have immediate and granular control over their data by transferring the ownership of encryption keys used to encrypt data at rest. This allows Change Healthcare customers to make security changes without involvement by Change Healthcare personnel and have their cloud-based systems re-encrypted and operational without service interruptions. The BYOK management capabilities include revoking access to encryption keys and rotating or deleting encryption keys on demand and at the time of a potential compromise. 
 
For the Intelligent Healthcare solution, Change Healthcare implemented Azure SQL Database Transparent Data Encryption (TDE) with BYOK support. TDE with BYOK encrypts databases, log files and backups when written to disk, which protects data at rest from unauthorized access. TDE with BYOK support integrates with Azure Key Vault, which provides highly available and scalable secure storage for RSA cryptographic keys backed by

17

Jul

Blockchain as a tool for anti-fraud

Healthcare costs are skyrocketing. In 2016, healthcare costs in the US are estimated at nearly 18 percent of the GDP! Healthcare is becoming less affordable worldwide, and a serious chasm is widening between those that can afford healthcare and those that cannot. There are many factors driving the high cost of healthcare; one of them is fraud. In healthcare, there are several types of fraud, including prescription fraud, medical identity fraud, financial fraud, and occupational fraud. The National Health Care Anti-Fraud Association estimates conservatively that health care fraud costs the US about $68 billion annually, which is about three percent of the US total $2.26 trillion in overall healthcare spending. There are two root vulnerabilities in healthcare organizations: insufficient protection of data integrity, and a lack of transparency.

Insufficient protection of data integrity enables fraudulent modification of records

Cybersecurity involves safeguarding the confidentiality, availability, and integrity of data. Often cybersecurity is mistakenly equated with protecting just the confidentiality of data to prevent unauthorized access. However, equally important is protecting the availability of data. That is, you must secure timely and reliable access to data, as well as the integrity of the data. You must ensure records are accurate, complete,

16

Jul

Azure Security Center is now integrated into the subscription experience

Securing your resources is important, which is why we’ve made it even simpler for you to do. Azure Security Center is available in public preview in the subscription experience. In just a few clicks, you can enable Security Center and quickly assess the security state of your resources, get actionable recommendations, and mitigate risks.

Azure Security Center gives you visibility into your security state across hybrid cloud workloads, adaptive protections to reduce your exposure to attacks, and intelligent threat detection that helps you keep pace with rapidly evolving attacks.

The newly added Security tab provides a quick view into the security posture of your subscription, enabling you to discover and assess the security of your resources in that subscription and take action. The built-in dashboard provides instant insights into security alerts and vulnerabilities that require attention.

To make sure you can address the most important issues first, we provide a list of prioritized security recommendations and prioritized alerts. These recommendations and alerts are ranked from high severity to low severity to help you quickly respond and reduce the surface area in your environment susceptible to attack.

For further investigation or to respond to a detected issue, you
