Azure Case Study
The Azure Trend
During the day 2 keynote of Microsoft Build 2016, Scott Guthrie, Executive VP of the Cloud & Enterprise division, revealed some outstanding metrics on the roll-out of Microsoft Azure across the current IT landscape. Microsoft is growing at a rate of 120k new customers per month. There are 1.4 million SQL databases in Azure, 2 trillion messages per week processed by Azure IoT and 5 million organizations using Azure Active Directory. Moreover, 4 million developers are now registered with Visual Studio Team Services, and 40 percent of their revenue is from start-ups and ISVs, while 85 percent of Fortune 500 companies are currently utilizing Azure services.
All cloud adopters opt for seamless scalability, efficiency and ready-to-wear architecture decisions, both for their datacenter operations and for their application fabric. Although architecture migrations seem a daunting task, especially for IT professionals, Forrester reports a 500% return on investment, an 80% reduction of IT workload, a 25h reduction in dev/testing per app and a 50% increase on time to market. These numbers come from a US eCommerce services firm with 2000+ employees and >100 deployed applications.
Security and control, on the other hand, are not the driving principle. Although Microsoft provides a rich toolkit of security interfaces that apply to different operations on top of the Azure stack, the interfaces themselves, as well as the documentation, are very difficult to follow, especially for organizations that do not have the expertise to make informed security decisions.
Above all, unrestricted access to the customer's new datacenter - the Azure subscription - is only a matter of a Web Application login on the Azure Portal.
How Azure is layered
Azure is a growing collection of integrated cloud services that allows companies to build infrastructure and application environments by interchangeably selecting from a range of Infrastructure-as-a-Service (IaaS) to Platform-as-a-Service (PaaS) tools.
IaaS components are practically full-featured virtual machines (customer-managed) on top of the Azure virtualization stack (unmanaged). They provide a high degree of flexibility to be equipped with custom security controls, but depending on the OS vendor, they may or may not integrate optimally with the Azure Stack in terms of centralized security monitoring and operation control. FreeBSD is an example of loose integration, while Microsoft Windows is, of course, integrated optimally. On a networking level, customers can opt for third-party firewall/NGFW vendors (providing Azure appliances) to achieve a datacenter-like operational environment and complete the IaaS picture. Microsoft is only involved in operating the virtualization stack and the Azure supporting applications.
PaaS components, on the other hand, form a highly integrated environment that gives the idea of a "headless" service providing its functionality through the Azure Portal, without even a need to open a Remote Desktop session to fine-tune it. Services such as Azure SQL, Azure Cloud Services, Azure Active Directory, Business Analytics Solutions and Azure Web Apps allow developers and DevOps teams to deploy and provision application instances directly from their Visual Studio consoles. On the networking level, we observe a very low degree of security control here, with the Azure "PaaS" firewall (NSG) forming an elementary method to limit the interactions.
Behind the scenes, these components form collections called Azure Resource Groups that exist within an Azure Subscription. Azure Subscriptions can communicate with each other, as well as with physical datacenters. Everything can be controlled through the Azure Portal, PowerShell or other APIs provided for popular languages (C#/Python/Java).
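The resource group layering described above can be mapped from an exported resource inventory. The following is an added example, not code from the original page or from Obrela: it groups resources by resource group, splits them into the IaaS and PaaS layers, and lists groups that hold customer-managed VMs but no NSG. The inventory is constructed, and its name/type/resourceGroup fields and the type-to-layer table are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample inventory (not data from the page). The field names
# name/type/resourceGroup are an assumed export shape.
SAMPLE_INVENTORY = json.loads("""[
  {"name": "web-vm-01", "type": "Microsoft.Compute/virtualMachines", "resourceGroup": "rg-shop"},
  {"name": "shop-nsg", "type": "Microsoft.Network/networkSecurityGroups", "resourceGroup": "RG-Shop"},
  {"name": "shop-sql", "type": "Microsoft.Sql/servers", "resourceGroup": "rg-shop"},
  {"name": "shop-web", "type": "Microsoft.Web/sites", "resourceGroup": "rg-shop"},
  {"name": "bsd-gw", "type": "Microsoft.Compute/virtualMachines", "resourceGroup": "rg-legacy"},
  {"name": "legacy-store", "type": "Microsoft.Storage/storageAccounts", "resourceGroup": "rg-legacy"}
]""")

# Assumed mapping of resource types to the IaaS/PaaS split used in the text.
LAYER_BY_TYPE = {
    "microsoft.compute/virtualmachines": "IaaS",  # customer-managed VMs
    "microsoft.sql/servers": "PaaS",              # Azure SQL
    "microsoft.web/sites": "PaaS",                # Azure Web Apps
}
NSG_TYPE = "microsoft.network/networksecuritygroups"


def map_environment(resources):
    """Return {resource_group: {"IaaS": [...], "PaaS": [...], "other": [...], "nsgs": [...]}}."""
    groups = defaultdict(lambda: {"IaaS": [], "PaaS": [], "other": [], "nsgs": []})
    for res in resources:
        # Resource group names and resource types are case-insensitive in
        # Azure, so normalise both before grouping.
        rtype = res["type"].lower()
        bucket = "nsgs" if rtype == NSG_TYPE else LAYER_BY_TYPE.get(rtype, "other")
        groups[res["resourceGroup"].lower()][bucket].append(res["name"])
    return dict(groups)


def groups_needing_review(env):
    """Resource groups that contain VMs but no NSG of their own.

    An NSG may live in another resource group, so this is a list of places
    to check by hand, not a list of confirmed gaps.
    """
    return sorted(rg for rg, g in env.items() if g["IaaS"] and not g["nsgs"])


if __name__ == "__main__":
    env = map_environment(SAMPLE_INVENTORY)
    for rg, layers in sorted(env.items()):
        print(rg, layers)
    print("review:", groups_needing_review(env))
```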
Protecting an Azure infrastructure, apart from an established security program and change management, requires the following technical steps:
- Understand its underlying security capabilities
- Realize and map the currently implemented environment
- Implement identity and access management
- Provision adequate non-intrusive security controls (network and host level)
- Analyze and monitor the operational and security logs provided by all the levels of the implemented stack, in real-time
- Perform penetration tests and implement a security regression testing plan
Implementing the above tasks requires the experience of security professionals who specialize in the Azure mechanics.
Here at Obrela Security Industries we have invested heavily in dissecting the Azure platform, to provide our customers with a full range of security services related to Exposure, Risk and Threat Management.
Our Threat Management perspective involves the real-time monitoring of operational and security interactions, within the Azure environment and in relation to the Internet.
Enhanced by proprietary threat intelligence data collections, our real-time analytics and 24x7 security operations can pinpoint the security issue or threat and help our customers close or mitigate it, respectively.
Since everything boils down to the quality and completeness of the data collected, we present below specific Azure features in relation to our approach to integrating and collecting data.