Category Archives : Security



The Azure Cloud Collaboration Center: A First-of-Its Kind Facility

As businesses around the world continue to adopt Azure, it’s our mission to ensure our customers can trust our cloud. Today in Redmond, we invited the world to see how our teams are innovating in the Azure Cloud Collaboration Center, a first-of-its-kind facility that combines innovation and scale to address operational issues and unexpected events in order to drive new levels of customer responsiveness, security and efficiency.


Microsoft unveils Azure Cloud Collaboration Center

We’re using the Cloud Collaboration Center to take a proactive approach to delivering responsiveness for our customers, who count on our cloud services in 140 countries and on all inhabited continents. To meet the mission-critical requirements businesses trust, we need to be always looking ahead. Delivering innovation in Azure services means identifying new efficiencies and finding new ways to streamline connections with the intelligence we have at every level of the cloud.

The Cloud Collaboration Center space gives customers a snapshot of what is happening with their data 24/7 and enables real-time troubleshooting of any issue by multiple teams simultaneously from across the organization. It is a space that’s purpose-built for collaborative work, with a 1,600 square foot video wall that enables a comprehensive view



Azure #CosmosDB: Secure, private, compliant
Azure #CosmosDB: Secure, private, compliant

Azure Cosmos DB is Microsoft’s globally distributed, multi-model database. Azure Cosmos DB enables you to elastically and independently scale throughput and storage across any number of Azure’s geographic regions with a single click. It offers throughput, latency, availability, and consistency guarantees with comprehensive service level agreements (SLAs), a feature that no other database service can offer.

A database that holds sensitive data across international borders must meet high standards for security, privacy, and compliance. Additionally, the cloud service provider must anticipate and be ready for new standards, such as the General Data Protection Regulation (GDPR), which will soon govern the collection and use of EU resident’s data. Microsoft has pledged that Azure services will be GDPR compliant by the May 25 implementation date.


Microsoft’s cloud privacy policies state that we will use your customer data only to provide the services we have agreed upon, and for purposes that are compatible with providing those services. We do not share your data with our advertiser-supported services, nor do we mine it for marketing or advertising. 


Azure Cosmos DB also implements stringent security practices. All the documents, attachments and backups stored in Azure Cosmos DB are encrypted at rest and



How Azure Security Center helps detect attacks against your Linux machines

Azure Security Center (ASC) is now extending its Linux threat detection preview program, both on cloud and on-premise. New capabilities include detection of suspicious processes, suspect login attempts, and anomalous kernel module loads. Security Center is using auditd for collecting machines’ events, which is one of the most common frameworks for auditing on Linux. Auditd has the advantage of having been around for a long time and living in the mainline kernel. Any Linux machine that runs auditd by default and is covered by Security Center will benefit from this public preview. For a little more detail on how the collection works, check out our private preview announcement from October.

In addition to building up Linux-specific detections, we have also reviewed applicability of our current detections originally developed for Windows. Attackers also like to be OS-agnostic, especially for large-scale attacks, and will reuse tools and techniques where they can. In such circumstances the same detection is also applicable across operating systems. Happily, several of our analytics worked with minimal tuning. Today, I’ll walk you through an analytic example in the form of malicious crypto coin mining and then give some tips on using Azure Log Analytics with Linux machines.




Azure DDoS Protection for virtual networks generally available

This blog post was co-authored by JR Mayberry, Principal PM Manager, Azure Networking.

Today we are excited to announce the general availability of the Azure DDoS Protection Standard service in all public cloud regions. This service is integrated with Azure Virtual Networks (VNet) and provides protection and defense for Azure resources against the impacts of DDoS attacks.

Distributed Denial of Service (DDoS) attacks are intended to disrupt a service by exhausting its resources (e.g., bandwidth, memory). DDoS attacks are one of the top availability and security concerns voiced by customers moving their applications to the cloud. With extortion and hacktivism being the common motivations behind DDoS attacks, they have been consistently increasing in type, scale, and frequency of occurrence as they are relatively easy and cheap to launch.

These concerns are justified as the number of documented DDoS amplification attacks increased by more than 357 percent in the fourth quarter of 2017, compared to 2016 according to data from Nexusguard. Further, more than 56 percent of all attacks exploit multiple vector combinations. In February 2018, Github was attacked via a reflection exploit in Memcached generating 1.35 terabits of attack traffic, the largest DDoS attack ever recorded.

As the types and



Transparent Data Encryption with customer managed keys in Azure SQL Database generally available

Today, we are excited to announce the general availability of Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK) support for Azure SQL Database and Azure SQL Data Warehouse. This is one of the most frequently requested features by enterprise customers looking to protect sensitive data and meet regulatory or compliance obligations that require implementation of specific key management controls. TDE with BYOK support is offered in addition to TDE with service managed keys, which is enabled by default on all new Azure SQL Databases.

TDE with BYOK support uses Azure Key Vault, which provides highly available and scalable secure storage for RSA cryptographic keys backed by FIPS 140-2 Level 2 validated Hardware Security Modules (HSMs). Key Vault streamlines the key management process and enables customers to maintain full control of encryption keys and allows them to manage and audit key access.

Customers can generate and import their RSA key to Azure Key Vault and use it with Azure SQL Database and Azure SQL Data Warehouse TDE with BYOK support. Azure SQL Database handles the encryption and decryption of data stored in databases, log files, and backups in a fully transparent fashion by using a symmetric Database Encryption Key



The 3 ways Azure improves your security
The 3 ways Azure improves your security

Today we’re at RSA, and we are delighted to sponsor and participate in this industry event centered in security. I thought I’d take the opportunity to share our perspective on cloud security with Azure.

As we all know, companies worldwide are challenged by the ongoing volume of evolving security threats and with retaining qualified security talent to respond to these threats. In fact, the average large organization gets 17,000 security alerts each week, which results in an of average 99 days to discover security breaches. That contrasts with the less than 48 hours it takes for security breaches to grow from one system compromised into significantly broader issues.

As you look for solutions to address these challenges, Azure can help strengthen your security posture, while reducing cost and complexity. Thousands of companies and governments from all over the world including TD Bank, First Tech Credit Union, Geico, 3M, Rolls-Royce, state of Hawaii, city of Musson, and Heineken have chosen Azure as their trusted cloud. Azure provides value in three key areas – a secure foundation that is provided by Microsoft, built-in security controls to help you quickly configure security across the full-stack, and unique intelligence at cloud scale to help



Announcing new Azure Security Center capabilities at RSA 2018

Migrating your workloads to the cloud can enable some inherent security benefits. With cloud scale machine learning and security analytics, you can mitigate threats quickly, making your environment more secure and your organization more productive.

Azure Security Center provides centralized visibility of the security state of your resources and uses the collective intelligence from machine learning and advanced analytics to not only detect threats quickly but to help you prevent them. It’s agent-based approach helps gain deeper security insights from the workloads and extends these protections to workloads running on-premises as well as other clouds, providing a unified security management for you.

Today we are excited to announce several capabilities in Azure Security Center that will provide enhanced protection to help you keep pace with the evolving cybersecurity landscape:

Visibility and governance at the organizational level

Take advantage of a new overview dashboard to gain visibility into your security state from an organizational level instead of a subscription level. To help organizations identify and address the challenges of managing an organization-wide security posture, you can now set security policies for management groups in your organization. You can also monitor it with an organization-wide compliance score as well as a breakdown



Streamlining GDPR requests with the Azure Portal

Today we’re letting our customers know about our upcoming Data Subject Request (DSR) processing capability in the Azure portal, which will provide tenant admins a simple, powerful tool to quickly fulfill the Data Subject Requests that are central to compliance with the European Union General Data Protection Regulation (GDPR). We will fully support these DSR capabilities before May 25, 2018, the date when enforcement of the GDPR begins and when Microsoft has committed to be GDPR compliant across our cloud services. 

The GDPR is the most significant change to EU privacy law in two decades and sets a new global standard for privacy rights, governing the handling and use of personal data. A fundamental tenet of the GDPR is the set of rights it grants individuals, or data subjects, in connection with their personal data collected by an organization (known as the data controller).

If your organization collects, hosts, or analyzes the personal data of EU residents, GDPR provisions require you to use data processors that guarantee their ability to implement the technical and organizational requirements of the GDPR. The GDPR also requires you to respond to requests from individuals, or data subjects, to receive a copy of their personal



Application Security Groups now generally available in all Azure regions

We are pleased to announce the general availability of Application Security Groups (ASG) in all Azure regions. This feature provides security micro-segmentation for your virtual networks in Azure.

Network security micro segmentation

ASGs enable you to define fine-grained network security policies based on workloads, centralized on applications, instead of explicit IP addresses. Provides the capability to group VMs with monikers and secure applications by filtering traffic from trusted segments of your network.

Implementing granular security traffic controls improves isolation of workloads and protects them individually. If a breach occurs, this technique limits the potential impact of lateral exploration of your networks from hackers.

Security definition simplified

With ASGs, filtering traffic based on applications patterns is simplified, using the following steps:

Define your application groups, provide a moniker descriptive name that fits your architecture. You can use it for applications, workload types, systems, tiers, environments or any role. Define a single collection of rules using ASGs and Network Security Groups (NSG), you can apply a single NSG to your entire virtual network on all subnets. A single NSG gives you full visibility on your traffic policies, and a single place for management. Scale at your own pace. When you deploy



SQL Database: Long-term backup retention preview includes major updates

The preview for long-term backup retention in Azure SQL Database was announced in October 2016, providing you with a way to easily manage long-term retention for your databases – up to 10 years – with backups stored in your own Azure Backup Service Vault.

Based upon feedback gathered during the preview, we are happy to announce a set of major enhancements to the long-term backup retention solution. With this update we have eliminated the need for you to deploy and manage a separate Backup Service Vault. Instead, SQL Database will utilize Azure Blob Storage under the covers to store and manage your long-term backups. This new design will enable flexibility for your backup strategy, and overall more control over costs.

This update brings you the following additional benefits:

More regional support – Long-term retention will be supported in all Azure regions and national clouds. More flexible backup policies – You can customize the frequency of long-term backups for each database with policies covering weekly, monthly, yearly, and specific week-within-a-year backups. Management of individual backups – You can delete backups that are not critical for compliance. Streamlined configuration No need to provision a separate backup service vault. What happens with