How secure is Azure?
Security in the world of IT is a key agenda item for any business. We constantly hear the myth of security in the cloud being poor and this can be a key reason why some businesses don’t want to go near it.
Let’s take a look at why this in more detail and investigate what Microsoft are doing to make Azure secure for your business.
Where does the myth come from?
There are many different reasons I hear through customer interactions as to why a company doesn’t want to adopt Azure, check out some of these below:
- Cloud uses Shared Infrastructure, other customers could access my data!
- It’s not in my data centre so how do I know who has access to my data?
- The business doesn’t believe that Cloud is secure!
The question here is why do people or businesses believe that cloud isn’t secure?
Security is on everyone’s mind and people can be reluctant to take full responsibility for their IT systems safety. But security in the cloud doesn’t sit with one person, one company, one entity, its everyone’s responsibility. Let’s look at Microsoft Shares Responsibility matrix that explains this approach in detail.
What is the Shared Responsibility Matrix?
Below you will find the shared responsibilities matrix for cloud computing. This is a great starting point in understanding what Microsoft are responsible for, what you are responsible for and where Microsoft and you share responsibility for securing the Azure infrastructure. — Full document available for download here.
In simple terms anything not in Azure, i.e. an in house Server is your responsibility to secure.
The shared responsibility matrix shows that you do not just put your application in Azure and forget about it — instead you need to understand what your responsible for and put a plan together to cover it.
Planning for security can be anything from architecting Azure securely, or using particular services available in the Azure Market Place to address your areas of responsibility or potentially even accepting known risks.
Is it going to cost my business more money to secure Azure?
Security for your business and your customers should not come down to cost, instead it should be about understanding what you are trying to protect and how you can mitigate against the potential threats.
Let’s look at the example below to understand if securing Azure should be solely dependent on the cost.
123 Learn
123 Learn are an online E-Learning platform using IaaS on Azure for one of the largest IT companies globally (ABC Firewalls). They work with ABC Firewalls all year round to put together strategic online training for the ABC Sales teams. Examples of these include, Product overviews, competitor analysis and pricing strategies.
What happens if an attack occurs and those materials are leaked on the internet for all to see?
Answer: A number of things can happen but three of the most alarming are below:
- Reputational Damage — For both 123 Learn and ABC Firewalls. This could affect 123 Learn’s ability to attract new customers and also create concern within their existing customer base that their materials are also at risk — For ABC they are now in jeopardy as their strategic plans are available within their competitor landscape. Reputational damage may not be instant but can be long term pain for all involved.
- Financial Impact — Customers potentially leaving 123 Learn due to the risk which would impact revenue numbers. ABC Firewalls could also be impacted if competitors use the leaked information to win business.
- Legal Implications — Are 123 Learn legally liable to protect against this type of attack? If so does that leave them vulnerable? Is this a breach of contract? This is closely linked to the above points and ultimately could result in the end of 123 Learn!
Yes, you may have to spend more money securing Azure but remember don’t spend money on security for the sake of it — spend money on security products or services that can help protect you and your customers from known threats.
I’m budgeting for security but what is Microsoft doing?
Well, if spending at least $7Billon a year on security measures is not enough for you, I have highlighted below some of the key actions Microsoft are taking to keep up with their end of the matrix:
- Deploy “Red Team” — as part of Microsoft’s Assume Breach strategy they employ a dedicated team of software security experts who simulate real life attacks at the network, platform, and application layers. They do this to test Azure’s ability to detect, protect against, and recover from breaches. This allows Microsoft to stay ahead of the curve.
- Lockbox — an internal access control technology that Microsoft uses to give their employees access to Azure infrastructure for administering customer support. There are multiple levels of approval within Microsoft that need to be given before an employee is provided with time sensitive and unique log in details to carry out his investigation. This preventing unauthorised access to your data!
- Logical Separation — With Azure being a multi tenanted environment your services could be running in parallel with other customers. So how do Microsoft keep data separate from a security standpoint? — Microsoft don’t reveal how it is achieved as it’s classed as Intellectual Property but they do state: “Microsoft uses logical isolation to segregate storage and processing for different customers through specialized technology engineered to help ensure that your customer data is not combined with anyone else’s.”
The above shows you some of actions that Microsoft take to ensure Azure is a platform you can trust. What really stands out for me is the amount of money Microsoft invest into security research and security resources.
The latest testament to this is ClearBank (The UK’s first clearing bank to open in 250 years) choosing Azure as their platform of choice for their new venture.
As noted by Computing.co.uk when interviewing Nick Ogden (Founder) “Microsoft are investing $1.5bn every 12 weeks in their Azure network for cybersecurity, and all the rest of it. As far as I know — and I’m not a Microsoft salesman — that’s the most investment that’s going on in a secure network, a cybersecurity platform, on this planet. It’s why the Ministry of Defence sit next to us in the Microsoft datacentre in the UK. And so it was that security [that persuaded us to go with Microsoft].” — Link to the article
Review with a view
Security is an ever present topic when talking with any online business these days and it’s up to the organisations themselves to do their own due diligence and protect their customers and themselves.
Azure is a great example of a secure platform but the key is understanding your responsibilities vs Microsoft’s responsibilities.
Cloud should not be a scary thought, look at the Ministry of Defense. I don’t know any organisation who has more priority around systems and data security but yet they are large users of Azure.
In my view if it’s good enough for the MoD, it’s good enough for you!
MyMateTech’s Conclusion
Attacks are on the rise and IT security budgets are growing year in year out (but not in line with threats says IISP). Governments around the world are bringing in new laws to protect citizens/customers online and it’s now time for your business to take action.
Is Azure secure? Is cloud secure? This is a question that comes from a either a lack of understanding of Azure/Cloud or it could be resistance to change inside your organisation.
Azure holds hundreds of certifications from PCI to ISO27001 and more. Having a global dedicated Cyber Security Operations Centre (CSOC) and with the Azure platform being designed with security in mind -the question for you is how secure is your current platform vs Azure?
Using a platform backed by Microsoft should give you confidence, even if you can’t see it or touch it. Security is a shared responsibility and if you don’t know what your responsibilities are or you don’t want to manage them, look to your Microsoft Cloud Solution Provider (CSP) for guidance.
