Windows Azure in Australia! How does that change your security outlook?
We are bringing our world class Windows Azure data centres here to Australia. Microsoft has a long history of bringing industry leading technologies to the world. Windows Azure is no different. Today we announced that we will be adding more data centres around the globe. Australia will have two georedundant regions, New South Wales, and Victoria. So now, you can have access to all of Windows Azure’s services here in Australia.
Windows Azure runs in data centres managed and operated by Microsoft Global Foundation Services (GFS). These geographically dispersed data centres comply with key industry standards, such as ISO/IEC 27001:2005, for security and reliability. They are managed, monitored, and administered by Microsoft operations staff that have years of experience in delivering the world’s largest online services with 24 x 7 continuity.
With Windows Azure coming to Australia, how does that change the security picture. There is the obvious enhancements around latency, and this will allow data to be stored within Australia’s borders. What other security implications or improvements can you take advantage of?There are a couple areas that come to mind frequently when discussing cloud computing, General Security of cloud systems, Data Sovereignty, and Compliance.
The Cloud Security Alliance published the Cloud Control Matrix (CCM) to support customers in the evaluation of cloud services. In response to this publication, Microsoft has created a white paper to outline how Windows Azure security controls map to the CCM controls framework, providing customers with in-depth information on Windows Azure security policies and procedures. Please see Windows Azure Cloud Security Alliance STAR submission for more information.
Microsoft conducts regular penetration testing to improve Windows Azure security controls and processes. We understand that security assessment is also an important part of our customers' application development and deployment. Therefore, we have established a policy for customers to carry out authorized penetration testing on their applications hosted in Windows Azure. Because such testing can be indistinguishable from a real attack, it is critical that customers conduct penetration testing only after obtaining approval in advance from Windows Azure Customer Support. Penetration testing must be conducted in accordance with our terms and conditions. Requests for penetration testing should be submitted with a minimum of 7-day advanced notice.
To learn more or to initiate penetration testing, please download the Penetration Testing Approval Form and then contact Windows Azure Customer Support.
Security You Manage
There are certain security mechanisms built into the Windows Azure infrastructure that you get to take advantage of for free. For example, the DDoS protection, network isolation, VM isolation, etc. However, application and guest VM security are still your responsibility. Since we do not, and wouldn’t if we could, control your code, or the things inside your guest VMs, you will still have to apply proper best practice to build and manage the.
Application development best practices are still as important to cloud based applications as they are to on premises applications. You must still do proper input validation, error handling, authentication and authorisation checks, and secure data storage. You still need to apply a Secure Development Lifecycle to your cloud applications just as you should for your on premises applications.
As with any server you expose to the internet, your VMs in Windows Azure Infrastructure Services need to be hardened, managed, patched and protected just like anything else you’d put in your DMZ. You can configure entirely private networks between on premises and Windows Azure, and host some of your LOB applications in Azure without exposing them to the public internet. In which case, you should be guided by your internal policies on what level of security scrutiny these VMs need to adhere to. But I would suggest that anything exposed to the public internet be protected just as you would if you exposed it from your DMZ of a hoster.
In fact, one of the major advantages Platform As A Service has over Infrastructure As A Service is that you only have to worry about the application code. With PaaS there is no VM operating system to worry about. All of the problems of VM management, image management, patching, etc go away with PaaS.
A recommended strategy is to migrating existing workloads to IaaS on Windows Azure hosted VMs, while you migrate those workloads from being VM hosted, to PaaS workloads. The more workloads you can transition to PaaS, the more money you save and the more management headaches you get rid of.
Cloud as a Security Enhancement
One of the things people don’t often think about is how using public cloud services can greatly decrease your attack surface and increase your security posture. At the moment, to expose any of your LOB or public facing services externally, you have to host things in a DMZ, and expose your infrastructure to the public internet where it can be relentlessly beat on by potential attackers.
Traditionally we’ve had this configuration where the anonymous traffic from the internet could access exposed machines and hammer on them. A vulnerability means they can create a beach head attack host on your infrastructure and work their way through the rest of your systems and potentially into your internal networks.
However, by taking advantage of cloud computing you can put an extra barrier of specialised highly managed infrastructure between your on premises systems, and the unwashed masses of the internet.
Ideally you want all of your infrastructure in Windows Azure which eliminates all of the lower level management problems, and reduces the systems you expose from your internal networks to near zero.
But if this is not always feasible due to sensitive data issues, or legacy systems such as main frames, you can use a hybrid approach where cloud based front end systems talk to back-end systems through an encrypted VPN tunnel.
This puts the bulk of the security and DDoS load on the infrastructure that is designed to handle it. Microsoft has a large amount resources that go into protecting the infrastructure. You get that protection as part of using Windows Azure. This increased security benefit alone is an attractive use of Windows Azure. You only have to allow an encrypted tunnel through your firewall. This greatly reduces your attack surface, and increases your security.
Windows Azure Active Directory
Windows Azure Active Directory can provide you with:
- Authentication to your external facing cloud based services
- Federated authentication to your LOB apps
- OAuth integration with other identity providers such as Microsoft ID, Google, Facebook, Yahoo! and others
- Single Sign-On to your on-premises and cloud based LOB apps
Windows Azure Active Directory is a service that provides identity and access management capabilities in the cloud. In much the same way that Active Directory is a service made available to customers through the Windows Server operating system for on-premises identity management, Windows Azure Active Directory (Windows Azure AD) is a service that is made available through Windows Azure for cloud-based identity management. Learn more
Because it is your organization’s cloud directory, you decide who your users are, what information to keep in the cloud, who can use the information or manage it, and what applications or services are allowed to access that information.
When you use Windows Azure AD, it is Microsoft’s responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your organization’s information.
Integration with your on-premises Active Directory
Windows Azure AD can be used as a standalone cloud directory for your organization, but you can also integrate existing on-premise Active Directory with Windows Azure AD. Some of the features of integration include directory sync and single sign-on, which further extend the reach of your existing on-premises identities into the cloud for an improved admin and end user experience. Learn more
Integration with your applications
Application developers can integrate their applications with Windows Azure AD to provide single sign-on functionality for their users. This enables enterprise applications to be hosted in the cloud and to easily authenticate users with corporate credentials. It also enables software as a service (SaaS) providers to make authentication easier for users in Windows Azure AD organizations when authenticating to their services. Developers can also use the Graph API to query directory data for managing entities such as users or groups. Learn more
Previously Data Sovereignty was one of the first topics that came up when I discussed using Windows Azure with ISVs and customers. They were usually concerned with a perceived regulatory barrier around data privacy, or a more technical issue around data availability considering the data was held over seas. I’ve covered this before in a previous post. Essentially, they were worried about the Australian Privacy act, which actually states that hosting data and systems over seas is permissible, or the Patriot Act which in actuality has little or no bearing on cloud computing that wasn’t already covered by various Mutual Legal Assistance Treaties. The other concern around availability was around being able to get to the data when they needed it. This concern was more tangible. If all communications outside of Australia were lost, you would have a problem getting to your data. To mitigate this, we suggest keeping a master copy of the data locally, and using data synchronisation to push non-sensitive data to your cloud deployments. This is often mitigated by using a Hybrid Application approach that I mentioned in this post.
Now, with Windows Azure coming to Australia, most of these fears are alleviated. Organisations will be able to store data in country, all of your application deployments for your Line of Business (LOB) apps can be hosted in-country. This will greatly reduce a lot of the regulatory compliance questions and hurdles to let you take advantage of cloud computing and realise the huge cost, efficiency and agility improvements.
Microsoft has been one of the role models for customer and data privacy for many years. We have a very strong standard for privacy protection.
Privacy is one of the foundations of Microsoft’s Trustworthy Computing. Microsoft has a longstanding commitment to privacy, which is an integral part of our product and service lifecycle. We work to be transparent in our privacy practices, offer customers meaningful privacy choices, and manage responsibly the data we store.
The Microsoft Privacy Principles, our specific privacy statements, and our internal privacy standards guide how we collect, use, and protect Customer Data. General information about cloud privacy is available from the Microsoft Privacy Web site. We also published a white paper Privacy in the Cloud to explain how Microsoft is addressing privacy in the realm of cloud computing.
Location of Customer Data
Customers may specify the geographic region(s) of the Microsoft datacentres in which Customer Data will be stored.
- Microsoft may transfer Customer Data within a major geographic region (e.g., within Europe) for data redundancy or other purposes. For example, Windows Azure replicates Blob and Table data between two sub-regions within the same major region for enhanced data durability in case of a major data centre disaster. In the case of the Australia Region, this will be New South Wales and Victoria.
- Microsoft will not transfer Customer Data outside the major geographic region(s) customer specifies (for example, from Europe to U.S. or from U.S. to Asia) except where necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements; or where customer configures the account to enable such transfer of Customer Data, including through the use of:
- Features that do not enable regional selection such as Content Delivery Network (CDN) that provides a global caching service;
- Web and Worker Roles, which backup software deployment packages to the United States regardless of deployment region;
- Preview, beta, or other pre-release features that may store or transfer Customer Data to the United States regardless of deployment region;
- Windows Azure Active Directory (except for Access Control), which may transfer Active Directory Customer Data to the United States for European customers, or to the United States or Europe for Asian customers;
Microsoft does not control or limit the regions from which customers or their end users may access Customer Data. So you can deploy to Australia and service customers from New Zealand, Asia, Europe or anywhere else. However, for best customer performance you’ll want to deploy your applications to each region that you want to service.
See the E.U. Data Protection Directive section below for information on the regulatory framework under which Microsoft transfers data.
E.U. Data Protection Directive
The E.U. Data Protection Directive (95/46/EC) sets a baseline for handling personal data in the European Union. The E.U. has stricter privacy rules than the U.S. and most other countries. To allow for the continuous flow of information required by international business (including cross border transfer of personal data), the European Commission reached an agreement with the U.S. Department of Commerce whereby U.S. organizations can self-certify as complying with the Safe Harbor Framework. Microsoft (including, for this purpose, all of our U.S. subsidiaries) is Safe Harbor certified under the U.S. Department of Commerce. For more information see the Windows Azure Trust Center Privacy page.
Microsoft also offers additional contractual commitments to its volume licensing customers:
- A Data Processing Agreement that details our compliance with the E.U. Data Protection Directive and related security requirements for Windows Azure core features within ISO/IEC 27001:2005 scope.
- E.U. Model Contractual Clauses that provide additional contractual guarantees around transfers of personal data for Windows Azure core features within ISO/IEC 27001:2005 scope.
This information and more can be found at our Cloud Privacy information can be found at this link: http://www.windowsazure.com/en-us/support/trust-center/privacy/
Traditionally auditing cloud provider’s has been difficult due to the way that cloud systems are built. They don’t conform to the usual auditing checklists. so wherever possible, we have achieved compliance and are continually working with standards bodies to enhance and build comprehensive cloud provider auditing and compliance systems. To date, Windows Azure has achieved the following compliance levels:
ISO/IEC 27001:2005 Audit and Certification / IS 577753
Windows Azure is committed to annual ISO/IEC 27001:2005 certification. The certificate issued by the British Standards Institution (BSI) is publically available. The Windows Azure ISO/IEC 27001:2005 Statement of Applicability is available upon escalation to customers under a non-disclosure agreement. It includes over 130 security controls, and it maps Windows Azure controls to control objectives contained in Annex A of ISO/IEC 27001:2005. Please contact your local Microsoft representative to obtain a copy of the document.
Scope: Only the following Windows Azure features are in scope for the current ISO/IEC 27001:2005 certification: Virtual Machines, Cloud Services, Storage (Tables, Blobs, Queues, Drives), and Networking.
SSAE 16/ISAE 3402 Attestation
A detailed Service Organization Control 1 (SOC 1) Type 2 report is available to customers under a non-disclosure agreement. Please contact your local Microsoft representative to get a copy of the report. Windows Azure is committed to annual SSAE 16 / ISAE 3402 attestation.
Scope: Only the following Windows Azure features are in scope for the current SOC 1 Type 2 attestation: Cloud Services, Storage (Tables, Blobs, Queues), and Networking (Traffic Manager and Windows Azure Connect only). The following additional features were launched after the examination review period but are subject to the same controls and processes that were tested in the audit: Virtual Network and Virtual Machines.
HIPAA Business Associate Agreement (BAA)
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Windows Azure, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a BAA to customers as a contract addendum.
For further information see The Microsoft Approach to Cloud Transparency whitepaper. This paper provides an overview of various risk, governance, and information security frameworks and standards. It also introduces the cloud-specific framework of the Cloud Security Alliance (CSA), known as the Security, Trust & Assurance Registry (STAR).
Start now, be ready
Overall, the addition of the Windows Azure Australia Region is a huge benefit. It will alleviate most of the concerns around Data Sovereignty as well as providing a lower latency point for your cloud based deployments. You should start planning your deployments and migrations now. Get your account managers, and procedures sorted out. Start with smaller projects or Dev and Test environments and deploy them to existing data centres. When when the Australian Region opens up, deploy your production workloads to the local New South Wales, or Victoria DC. The sooner you start and get the process bedded down, the easier it will be and the more money you’ll save.
Security Resources for Windows Azure
Technical Overview of the Security Features in the Windows Azure Platform
This document provides a summary of some of the technical and organizational security measures for Windows Azure.
Windows Azure Security Overview
This in-depth paper provides a detailed discussion of some of the security features and controls implemented in Windows Azure.
Security Best Practices for Developing Windows Azure Applications
This paper focuses on the recommended approaches for designing and developing secure applications for Windows Azure.
Windows Azure Data Security (Cleansing and Leakage)
This blog posting details procedures implemented in Windows Azure to prevent data leakage or exposure of customer data upon data deletion.
Windows Azure Security Notes
This document from the Patterns and Practices team provides solutions for securing common application scenarios on Windows Azure.
Crypto Services and Data Security in Windows Azure
This MSDN article provides an overview of cryptography concepts and related security in Windows Azure.
Windows Azure: Understanding Security Account Management in Windows Azure
Cloud computing relieves some of the security burden, but you still have an active role in managing access, securing communications and ensuring data protection. This TechNet article covers best practices for creating and managing administrative accounts, using certificates for authentication, and handling transitions when employees begin or terminate employment.
Securing and Authenticating a Service Bus Connection
This MSDN Library article discusses how to develop applications that use the Windows Azure Service Bus to perform secure connections.
Scenarios and Solutions Using Windows Azure Active Directory Access Control
This section of the MSDN Library contains articles that discuss how to use the Windows Azure Active Directory Access Control for securing web applications, single sign-on, user authorization, and more.
Security Guidelines for SQL Database
This paper provides an overview of security guidelines for customers who connect to SQL Database (formerly SQL Azure), and who build secure applications on SQL Database.
Business Continuity for Windows Azure
This MSDN article provides guidance on how to use Windows Azure to achieve business continuity and disaster recovery goals.
Business Continuity in SQL Database
This MSDN article describes the business continuity capabilities provided by SQL Database (formerly SQL Azure). The purpose of creating database backups is to enable you to recover from data loss caused by the failure of individual servers and devices, unwanted data modifications and deletions, and widespread loss of data center facilities.
This web site is the landing point for security related information regarding Windows Azure.