This blog post was co-authored by JR Mayberry, Principal PM Manager, Azure Networking.
Today we are excited to announce the general availability of the Azure DDoS Protection Standard service in all public cloud regions. This service is integrated with Azure Virtual Networks (VNet) and provides protection and defense for Azure resources against the impacts of DDoS attacks.
Distributed Denial of Service (DDoS) attacks are intended to disrupt a service by exhausting its resources (e.g., bandwidth, memory). DDoS is one of the top availability and security concerns voiced by customers moving their applications to the cloud. With extortion and hacktivism the most common motivations, DDoS attacks have been steadily increasing in type, scale, and frequency, because they are relatively easy and cheap to launch.
These concerns are justified: according to data from Nexusguard, the number of documented DDoS amplification attacks in the fourth quarter of 2017 was more than 357 percent higher than a year earlier, and more than 56 percent of all attacks combined multiple vectors. In February 2018, GitHub was hit by a Memcached reflection attack that peaked at 1.35 terabits per second, the largest DDoS attack recorded at the time.
As the types and
Today, we are excited to announce the general availability of Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK) support for Azure SQL Database and Azure SQL Data Warehouse. This is one of the most frequently requested features by enterprise customers looking to protect sensitive data and meet regulatory or compliance obligations that require implementation of specific key management controls. TDE with BYOK support is offered in addition to TDE with service managed keys, which is enabled by default on all new Azure SQL Databases.
TDE with BYOK support uses Azure Key Vault, which provides highly available and scalable secure storage for RSA cryptographic keys backed by FIPS 140-2 Level 2 validated Hardware Security Modules (HSMs). Key Vault streamlines key management and lets customers retain full control of their encryption keys, including the ability to manage and audit key access.
Customers can generate an RSA key in Azure Key Vault, or import their own, and use it with TDE with BYOK support for Azure SQL Database and Azure SQL Data Warehouse. Azure SQL Database handles the encryption and decryption of data stored in databases, log files, and backups in a fully transparent fashion by using a symmetric Database Encryption Key
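The following Azure PowerShell session is an added example, not code from the original announcement, showing how the pieces described above fit together: an HSM-backed RSA key in Key Vault, a SQL server identity that is allowed to use it, and that key set as the TDE protector. It uses the current Az module (the post predates it and used AzureRM cmdlets); the resource group, server, vault, key and region names are placeholders.

```powershell
# Added example: TDE with a customer-managed (BYOK) key in Azure Key Vault.
# All names below are placeholders (assumptions), not values from the post.
$rg      = 'rg-sql-byok'
$server  = 'sqlsrv-byok'          # existing Azure SQL logical server
$vault   = 'kv-tde-byok'
$keyName = 'tde-protector'
$loc     = 'eastus'

# 1. Premium-SKU vault so the key can be HSM-backed. Purge protection keeps the
#    key recoverable: if the TDE protector is lost, every database it protects
#    becomes unreadable, including backups.
New-AzKeyVault -ResourceGroupName $rg -Name $vault -Location $loc `
    -Sku Premium -EnablePurgeProtection | Out-Null

# 2. Generate the RSA key inside the HSM (an existing key can be imported with
#    Add-AzKeyVaultKey -KeyFilePath instead). Do not set an expiry on a TDE
#    protector: an expired key stops decryption.
$key = Add-AzKeyVaultKey -VaultName $vault -Name $keyName -Destination HSM -KeyType RSA -Size 2048

# 3. Give the SQL server a managed identity and grant it only the three key
#    operations TDE needs; no delete, purge or backup rights for the server.
#    (With the RBAC permission model, assign 'Key Vault Crypto Service
#    Encryption User' to the identity with New-AzRoleAssignment instead.)
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -AssignIdentity | Out-Null
$principalId = (Get-AzSqlServer -ResourceGroupName $rg -ServerName $server).Identity.PrincipalId
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $principalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 4. Register the versioned key URI with the server and make it the TDE protector.
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $key.Id | Out-Null
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $key.Id | Out-Null

# 5. Verify: the protector type must now be AzureKeyVault, and per-database TDE
#    state should be Enabled (it is on by default for new databases).
Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server |
    Select-Object Type, KeyId
Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $server |
    Where-Object DatabaseName -ne 'master' |
    ForEach-Object {
        Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server `
            -DatabaseName $_.DatabaseName | Select-Object DatabaseName, State
    }

# 6. Escrow the key material. The backup blob is encrypted and can only be
#    restored into a vault in the same subscription and geography.
Backup-AzKeyVaultKey -VaultName $vault -Name $keyName -OutputFile '.\tde-protector.keybackup'
```

The operational risk with BYOK is the inverse of its benefit: because the service cannot decrypt without the customer's key, deleting the key, letting it expire, or revoking the server's access policy takes the databases offline. Purge protection, no expiry, and an out-of-band key backup are the controls that keep that from becoming a data-loss event.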
Today we’re at RSA, and we are delighted to sponsor and participate in this industry event centered on security. I thought I’d take the opportunity to share our perspective on cloud security with Azure.
As we all know, companies worldwide are challenged by the ongoing volume of evolving security threats and by the difficulty of retaining qualified security talent to respond to them. In fact, the average large organization gets 17,000 security alerts each week, and as a result takes an average of 99 days to discover a security breach. That contrasts with the less than 48 hours it takes for a breach to grow from one compromised system into a significantly broader incident.
As you look for solutions to address these challenges, Azure can help strengthen your security posture, while reducing cost and complexity. Thousands of companies and governments from all over the world including TD Bank, First Tech Credit Union, Geico, 3M, Rolls-Royce, state of Hawaii, city of Musson, and Heineken have chosen Azure as their trusted cloud. Azure provides value in three key areas – a secure foundation that is provided by Microsoft, built-in security controls to help you quickly configure security across the full-stack, and unique intelligence at cloud scale to help
Migrating your workloads to the cloud can enable some inherent security benefits. With cloud scale machine learning and security analytics, you can mitigate threats quickly, making your environment more secure and your organization more productive.
Azure Security Center provides centralized visibility into the security state of your resources and uses collective intelligence from machine learning and advanced analytics not only to detect threats quickly but to help you prevent them. Its agent-based approach gives you deeper security insights into the workloads themselves and extends these protections to workloads running on-premises and in other clouds, providing unified security management.
Today we are excited to announce several capabilities in Azure Security Center that will provide enhanced protection to help you keep pace with the evolving cybersecurity landscape:
Visibility and governance at the organizational level
Take advantage of a new overview dashboard to gain visibility into your security state at the organizational level instead of the subscription level. To help organizations identify and address the challenges of managing an organization-wide security posture, you can now set security policies for the management groups in your organization. You can also monitor compliance with an organization-wide compliance score as well as a breakdown
Today we’re letting our customers know about our upcoming Data Subject Request (DSR) processing capability in the Azure portal, which will provide tenant admins a simple, powerful tool to quickly fulfill the Data Subject Requests that are central to compliance with the European Union General Data Protection Regulation (GDPR). We will fully support these DSR capabilities before May 25, 2018, the date when enforcement of the GDPR begins and when Microsoft has committed to be GDPR compliant across our cloud services.
The GDPR is the most significant change to EU privacy law in two decades and sets a new global standard for privacy rights, governing the handling and use of personal data. A fundamental tenet of the GDPR is the set of rights it grants individuals, or data subjects, in connection with their personal data collected by an organization (known as the data controller).
If your organization collects, hosts, or analyzes the personal data of EU residents, GDPR provisions require you to use data processors that guarantee their ability to implement the technical and organizational requirements of the GDPR. The GDPR also requires you to respond to requests from individuals, or data subjects, to receive a copy of their personal
We are pleased to announce the general availability of Application Security Groups (ASG) in all Azure regions. This feature provides security micro-segmentation for your virtual networks in Azure.
Network security micro-segmentation
ASGs enable you to define fine-grained network security policies based on workloads, centered on applications, instead of explicit IP addresses. They let you group VMs under descriptive monikers and secure applications by filtering traffic from trusted segments of your network.
Implementing granular traffic controls improves isolation of workloads and protects them individually. If a breach occurs, this technique limits the potential impact of an attacker's lateral movement through your networks.
Security definition simplified
With ASGs, filtering traffic based on application patterns is simplified, using the following steps:
Define your application groups, giving each a descriptive moniker that fits your architecture. You can use it for applications, workload types, systems, tiers, environments or any other role.
Define a single collection of rules using ASGs and Network Security Groups (NSGs); you can apply a single NSG to your entire virtual network on all subnets. A single NSG gives you full visibility into your traffic policies and a single place for management.
Scale at your own pace. When you deploy
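The procedure above, carried through in Azure PowerShell (Az module) as an added example that is not part of the original post: two ASGs for a web tier and a database tier, one NSG whose rules refer only to those ASGs, the NSG applied to every subnet, and NICs placed into tiers. Resource names, the VNet name, NIC names and ports are placeholders.

```powershell
# Added example: two-tier micro-segmentation with ASGs and a single NSG.
# Resource names, VNet, NIC names and ports are placeholders (assumptions).
$rg = 'rg-asg-demo'; $loc = 'eastus'

# 1. Monikers for the workloads; membership, not addresses, drives the policy.
$webAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-web' -Location $loc
$dbAsg  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-db'  -Location $loc

# 2. One rule collection. ASG-to-ASG rules carry no IP addresses, so the same
#    NSG stays valid as VMs are added, moved or rebuilt.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'allow-internet-to-web' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationApplicationSecurityGroup $webAsg -DestinationPortRange 443

    New-AzNetworkSecurityRuleConfig -Name 'allow-web-to-db' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceApplicationSecurityGroup $webAsg -SourcePortRange '*' `
        -DestinationApplicationSecurityGroup $dbAsg -DestinationPortRange 1433

    # The default AllowVnetInBound rule (priority 65000) lets every VM in the
    # VNet reach every other one. Without this explicit deny there is no
    # segmentation, only two allows layered on top of allow-all.
    New-AzNetworkSecurityRuleConfig -Name 'deny-intra-vnet' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix VirtualNetwork -DestinationPortRange '*'
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-app' -Location $loc -SecurityRules $rules

# 3. Apply the single NSG to every subnet of the VNet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
foreach ($subnet in $vnet.Subnets) { $subnet.NetworkSecurityGroup = $nsg }
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Place a VM in a tier by adding its NIC to the ASG. A VM in neither ASG
#    receives only the deny rule, which is the safe default for an unknown workload.
function Add-NicToAsg([string]$NicName, $Asg) {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $NicName
    $nic.IpConfigurations[0].ApplicationSecurityGroups = @($Asg)
    $nic | Set-AzNetworkInterface | Out-Null
}
Add-NicToAsg -NicName 'vm-web-01-nic' -Asg $webAsg
Add-NicToAsg -NicName 'vm-db-01-nic'  -Asg $dbAsg

# 5. Check what a NIC actually receives (the VM must be running).
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName 'vm-db-01-nic'
```

The deny rule is the part most often forgotten: the allow rules alone do not restrict anything, because intra-VNet traffic is already permitted by the default rules. Put the deny below your allows (higher priority number) and check the effective rules on a NIC before concluding that a tier is isolated.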
The preview for long-term backup retention in Azure SQL Database was announced in October 2016, providing you with a way to easily manage long-term retention for your databases – up to 10 years – with backups stored in your own Azure Backup Service Vault.
Based upon feedback gathered during the preview, we are happy to announce a set of major enhancements to the long-term backup retention solution. With this update we have eliminated the need for you to deploy and manage a separate Backup Service Vault. Instead, SQL Database will utilize Azure Blob Storage under the covers to store and manage your long-term backups. This new design will enable flexibility for your backup strategy, and overall more control over costs.
This update brings you the following additional benefits:
More regional support – Long-term retention will be supported in all Azure regions and national clouds.
More flexible backup policies – You can customize the frequency of long-term backups for each database with policies covering weekly, monthly, yearly, and specific week-within-a-year backups.
Management of individual backups – You can delete backups that are not critical for compliance.
Streamlined configuration – No need to provision a separate backup service vault.
What happens with
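As an added example (not from the original post), here is what the policy options listed above look like when set with the current Az PowerShell module, together with listing, test-restoring and deleting an individual long-term backup. Resource group, server, database and region names are placeholders, and the retention values are illustrative.

```powershell
# Added example: long-term retention (LTR) policy for one database, then
# listing, restoring and deleting individual LTR backups. Names are placeholders.
$rg = 'rg-sql'; $server = 'sqlsrv-prod'; $db = 'ledger'; $loc = 'eastus'

# Weekly backups kept 52 weeks, monthly 60 months, yearly 10 years, with the
# yearly copy taken from the first week of the year. Values are ISO 8601 durations.
Set-AzSqlDatabaseBackupLongTermRetentionPolicy -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $db -WeeklyRetention 'P52W' -MonthlyRetention 'P60M' `
    -YearlyRetention 'P10Y' -WeekOfYear 1

# Read the policy back rather than trusting the call succeeded as intended.
Get-AzSqlDatabaseBackupLongTermRetentionPolicy -ResourceGroupName $rg -ServerName $server -DatabaseName $db

# Enumerate the LTR backups that exist for this database in the region.
$backups = Get-AzSqlDatabaseLongTermRetentionBackup -Location $loc -ServerName $server -DatabaseName $db
$backups | Select-Object BackupName, BackupTime, BackupExpirationTime

# A retention policy is only worth what a restore proves. Restore the oldest
# backup to a new database name, never over the live one.
$oldest = $backups | Sort-Object BackupTime | Select-Object -First 1
Restore-AzSqlDatabase -FromLongTermRetentionBackup -ResourceId $oldest.ResourceId `
    -ResourceGroupName $rg -ServerName $server -TargetDatabaseName "$db-ltr-restore-test"

# Deleting a single backup that compliance does not need. The deletion is
# permanent, so -WhatIf shows the effect; drop it to execute under change control.
Remove-AzSqlDatabaseLongTermRetentionBackup -ResourceId $oldest.ResourceId -WhatIf
```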
Selecting a secure cloud services provider is one of the most fundamentally important decisions customers make. Customers must build their applications and services upon a secure, trusted foundation. Azure Database for PostgreSQL and Azure Database for MySQL inherit the proven security architecture of Microsoft Azure. Azure has over 50 national, regional and industry-specific compliance offerings that Azure Database for PostgreSQL and Azure Database for MySQL leverage as part of Microsoft’s Trusted Cloud foundation of security, privacy, compliance, and transparency. To learn more and access additional resources, visit the Microsoft Trust Center. Protection for Azure Database for PostgreSQL and Azure Database for MySQL starts with Azure network security. Azure networking provides Distributed Denial of Service (DDoS) protection at the network edge for all Azure services, and all network traffic between Azure datacenters stays on Azure’s global network rather than travelling over the Internet. To learn more, please read Yousef Khalidi’s blog post on Azure network security.
Security for Azure Database for PostgreSQL and Azure Database for MySQL is built into the service as depicted above. Azure Database for PostgreSQL and Azure Database for MySQL share a common layered security model. Neither database service node is exposed
Azure Security Center offers integration with various third-party security solutions, providing a unified view for alerting and monitoring of your Azure and non-Azure workloads. For integrated partner solutions, Security Center scans Azure resources, recommends installing the solution where it is missing, and automates the deployment. In addition to these features, we are excited to announce the general availability of auto discovery of partner solutions that have already been deployed in the subscription.
Security Center will now automatically discover partner solutions for Next-Generation Firewalls (NGFW) and Web Application Firewalls (WAF) and prompt you to connect them so that their logs and alerts are integrated. Discovered partner solutions are displayed in the Security Solutions panel. To allow interoperability with many security vendors, Security Center supports log ingestion using the industry-standard Common Event Format (CEF) carried in syslog messages.
Once integrated, Security Center provides visibility into the health of partner solutions and links to each solution's management console. Partner solution logs are indexed and stored in the customer's workspace, and they are enriched with threat intelligence to help with security investigations. Partner solution logs can be used to set up custom alerts, which are displayed in the Security Center alerts page. Custom alerts allow user defined queries to scope
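To make the CEF-over-syslog format concrete, here is an added example (not code from the original post or from Security Center) of the parsing a connector has to do before a partner firewall or WAF event can be indexed and alerted on: split the pipe-delimited header honouring `\|` escapes, split the extension on `key=` boundaries honouring `\=` escapes, and normalise severity. The two sample lines are constructed for this example, and the vendor and product names in them are invented.

```powershell
# Added example: minimal CEF-over-syslog parser. Sample events are constructed;
# 'Contoso', 'NGFW' and 'WAF' are invented names, not real products.
function ConvertFrom-Cef {
    param([Parameter(Mandatory)][string]$Line)

    $start = $Line.IndexOf('CEF:')
    if ($start -lt 0) { throw "Not a CEF message: $Line" }
    $syslogPrefix = $Line.Substring(0, $start).Trim()   # PRI, timestamp, host
    $body = $Line.Substring($start + 4)                  # text after 'CEF:'

    # Header: 7 pipe-separated fields. '\|' and '\\' are escapes; everything
    # after the 7th unescaped pipe is the extension, which may contain pipes.
    $fields = New-Object System.Collections.Generic.List[string]
    $sb = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $body.Length -and $fields.Count -lt 7) {
        $c = $body[$i]
        if ($c -eq '\' -and $i + 1 -lt $body.Length) { [void]$sb.Append($body[$i + 1]); $i += 2; continue }
        if ($c -eq '|') { $fields.Add($sb.ToString()); [void]$sb.Clear() } else { [void]$sb.Append($c) }
        $i++
    }
    if ($fields.Count -lt 7) { throw "Malformed CEF header: $Line" }
    $extension = $body.Substring($i).Trim()

    # Extension: key=value pairs whose values may contain spaces and '='.
    # A new key is recognised only as '<whitespace>token=', so '\=' inside a
    # value never starts a new pair. Escapes are decoded in one pass so that
    # a literal backslash followed by 'n' is not turned into a newline.
    $ext = [ordered]@{}
    $pairPattern = '(?<k>[A-Za-z0-9_.-]+)=(?<v>(?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.-]+=|$)'
    foreach ($m in [regex]::Matches($extension, $pairPattern)) {
        $ext[$m.Groups['k'].Value] = [regex]::Replace($m.Groups['v'].Value, '\\(.)', {
            param($esc)
            switch ($esc.Groups[1].Value) { 'n' { "`n" } 'r' { "`r" } default { $esc.Groups[1].Value } }
        })
    }

    # Severity is 0-10 numeric, but the spec also allows Low/Medium/High/Very-High.
    $sevMap = @{ Low = 3; Medium = 6; High = 8; 'Very-High' = 10 }
    $sev = if ($fields[6] -match '^\d+$') { [int]$fields[6] }
           elseif ($sevMap.Contains($fields[6])) { $sevMap[$fields[6]] }
           else { -1 }

    [pscustomobject]@{
        Syslog = $syslogPrefix; CefVersion = $fields[0]; Vendor = $fields[1]
        Product = $fields[2];   Version = $fields[3];    SignatureId = $fields[4]
        Name = $fields[5];      Severity = $sev;         Extension = $ext
    }
}

# Constructed sample events: one NGFW block, one WAF detection.
$sample = @(
    '<134>Feb 28 10:15:22 fw01 CEF:0|Contoso|NGFW|4.2|100|Blocked outbound to known C2|8|src=10.1.2.3 spt=51432 dst=203.0.113.9 dpt=443 proto=TCP act=blocked msg=Policy rule\=egress-deny matched',
    '<134>Feb 28 10:16:01 waf01 CEF:0|Contoso|WAF|2.0|942100|SQL Injection Attack Detected|High|src=198.51.100.7 request=/login?user\=a%27%20OR%201\=1 cs1Label=Rule cs1=942100|ModSecurity act=detected'
)
$events = $sample | ForEach-Object { ConvertFrom-Cef $_ }

# Route severity 7 and above to the alert queue; everything is still indexed.
$events | Where-Object Severity -ge 7 |
    Select-Object Product, Name, Severity,
        @{ n = 'src'; e = { $_.Extension['src'] } }, @{ n = 'act'; e = { $_.Extension['act'] } } |
    Format-Table -AutoSize
```

The two escape rules are where home-grown CEF parsers usually break: a naive `-split '\|'` on the header mangles any product whose event name contains a pipe, and a naive `-split ' '` on the extension truncates every `msg=` or `request=` value at its first space. Parsing the header with a character scan and the extension with a look-ahead for the next key avoids both.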
We have heard from many customers about their challenges with detecting highly evasive threats. To help provide guidance, we published Windows DNS server logging for network forensics and introduced the Azure DNS Analytics solution. Today, we are discussing some of our more complex, heuristic techniques for detecting malicious use of this vital protocol and how they detect key components of common real-world attacks.
These analytics focus on behavior that is common to a variety of attacks, ranging from advanced targeted intrusions to the more mundane worms, botnets and ransomware. Such techniques are designed to complement more concrete signature-based detection, giving the opportunity to identify such behavior before analyst-driven rules have been deployed. This is especially important in the case of targeted attacks, where time to detection is typically measured in months. The longer an attacker has access to a network, the more expensive the eventual clean-up and removal process becomes. Similarly, while rule-based detection of ransomware is normally available within a few days of an outbreak, that is often too late to avoid significant brand and financial damage for many organizations.
These analytics, along with many more, are enabled through Azure Security Center
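As an added example of the behavior-based approach described above, the following PowerShell runs two simple DNS heuristics over constructed query logs. These heuristics and their thresholds are illustrative choices made for this example, not Security Center's own analytics, and the 'client,qname' input format is an assumption standing in for whatever your DNS server or DNS Analytics export produces.

```powershell
# Added example: behaviour-based DNS heuristics over constructed query logs.
# The heuristics and thresholds are illustrative assumptions, not Security
# Center's analytics. Input lines are 'client,qname' (assumed format).
function Get-ShannonEntropy([string]$Text) {
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $h = 0.0
    foreach ($n in $counts.Values) { $p = $n / $Text.Length; $h -= $p * [math]::Log($p, 2) }
    return $h
}

# Assumption: the registrable domain is the last two labels. A real deployment
# should consult the Public Suffix List so that 'example.co.uk' is not cut to 'co.uk'.
function Get-BaseDomain([string]$Qname) {
    $labels = $Qname.TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return $Qname.TrimEnd('.') }
    return ($labels[-2..-1] -join '.')
}

function Find-SuspiciousDns {
    param([string[]]$Lines, [int]$TunnelMinDistinct = 20, [double]$DgaEntropy = 3.4, [int]$DgaMinLength = 12)
    $parsed = foreach ($l in $Lines) {
        $client, $qname = $l.Split(',', 2)
        $q = $qname.Trim().ToLower()
        [pscustomobject]@{ Client = $client.Trim(); Qname = $q; Base = Get-BaseDomain $q }
    }
    $findings = New-Object System.Collections.Generic.List[object]

    # Heuristic 1 (tunnelling / exfiltration): one client issuing many distinct
    # subdomains under a single base domain. CDNs and telemetry do this too,
    # which is why the threshold must be tuned against your own baseline.
    $parsed | Group-Object Client, Base | ForEach-Object {
        $distinct = @($_.Group.Qname | Sort-Object -Unique).Count
        if ($distinct -ge $TunnelMinDistinct) {
            $findings.Add([pscustomobject]@{ Client = $_.Group[0].Client; Indicator = 'many-subdomains'; Value = $_.Group[0].Base; Score = $distinct })
        }
    }
    # Heuristic 2 (DGA-like names): a long, high-entropy second-level label is
    # typical of algorithmically generated domains that no signature has seen yet.
    $parsed | Sort-Object Base -Unique | ForEach-Object {
        $sld = $_.Base.Split('.')[0]
        $h = Get-ShannonEntropy $sld
        if ($sld.Length -ge $DgaMinLength -and $h -ge $DgaEntropy) {
            $findings.Add([pscustomobject]@{ Client = $_.Client; Indicator = 'dga-like'; Value = $_.Base; Score = [math]::Round($h, 2) })
        }
    }
    return $findings
}

# Constructed log: ordinary traffic, two DGA-like names, and 25 tunnel-style
# queries (fake hex payload chunks) from one client under one base domain.
$log = @(
    '10.0.0.5,www.microsoft.com', '10.0.0.5,login.microsoftonline.com', '10.0.0.5,outlook.office365.com',
    '10.0.0.9,x7k2m9q4zlw3pv.net', '10.0.0.9,qj8r2vb6nt5yw.com'
)
foreach ($i in 0..24) { $log += "10.0.0.7,$('{0:x4}' -f $i)a9c1e7b2f3d0.tun.example.org" }

Find-SuspiciousDns -Lines $log | Format-Table -AutoSize
```

On this input the tunnel client is flagged once for 25 distinct subdomains under example.org, and the two random-looking labels are flagged as DGA-like, while microsoftonline (entropy about 3.3 over 15 characters) stays just under the threshold, which is exactly how tight the margin is in practice: these heuristics earn their keep as an early signal ahead of signatures, not as a replacement for them, and they need allow-listing of known chatty domains before they are turned into alerts.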