Microsoft's hat in the cloud security ring is Azure, a services platform by which organizations can create, deploy, manage and distribute web-based applications on the local network (private cloud) or over the Internet. But will those applications and services offer a secure computing environment? In this article, we look at what Microsoft is doing to address the biggest cloud security "hot spots".
Security: the biggest obstacle to adoption of cloud services
Cloud computing offers a number of attractive aspects. It can be far more cost effective than running local servers, as it eliminates or reduces the need to buy hardware. It is easy to scale up or down as the company's workload changes. However, along with reliability, security is one of the biggest concerns among companies that are considering whether to move to cloud computing.
The idea of having sensitive business data "floating around out there" makes people nervous. By nature, IT administrators tend to be control freaks, and thus are not at all comfortable with not knowing exactly where their data is physically located, if and how it is encrypted, exactly how much it's intermingled with the data of the cloud vendor's other clients and who has access to it.
Azure: What it is and how it works
A number of providers are competing in the cloud market. Microsoft's cloud services platform is called Azure, and it is destined to be a major player in this market. The Azure platform includes:
- Windows Azure (operating system as a service)
- SQL Azure (cloud-based database)
- .NET services
The platform can be used by applications running in the cloud (software as a service) or on the local computer (software plus services). The service is currently in the Community Technology Preview stage and is planned to go live in November 2009. Microsoft has invested a great deal in its cloud effort and is building datacenters in different parts of the world to support the service. Windows Azure runs on these machines and can be accessed over the Internet. Developers can build applications in VB, C++, C# etc. to run on the Azure platform. Data is stored on the Azure storage service or, if the data needs to be stored in a relational database, in SQL Azure Database, which is based on SQL Server.
Windows Azure takes advantage of the benefits of virtualization. Typically, each instance of an application runs in a separate virtual machine on Windows Server 2008. The VMs run on a hypervisor that Microsoft designed specifically for the cloud computing environment. Applications can be developed using either a web role instance or a worker role instance. Those implemented as worker role instances do not have IIS running in their VMs and cannot have incoming network connections. They can have outgoing connections by which they can send information outside. The web role instances accept incoming HTTP or HTTPS requests.
What about security?
One area of concern is the security challenge that's posed by a cloud service that allows third party developers to create applications and host them in the Azure cloud. Microsoft has designed the Azure platform with security in mind, building in a number of different security features. An important aspect of securing data is verifying the identities of those who request to access it. Microsoft provides the .NET Access Control Service, which works with web services and web applications to provide a way to integrate common identities. The service will support popular identity providers.
Applications determine whether a user is allowed access based on Security Assertion Markup Language (SAML) tokens that are created by the Security Token Service (STS) and contain information about the user. The STS provides a digital signature for each token. Each application has a list of digital certificates for the STSs it trusts. Trust relationships can be created between a trusted STS and an STS that issues a token to provide for identity federation. The Access Control Service is an STS that runs in the cloud. This STS validates the signature on the SAML token that is sent by the client application (such as a web browser) and creates and signs a new token for the client application to present to the cloud application.
To find out more about the Azure components and how they work, along with a detailed description of the Access Control Service, see the white paper "Introducing the Windows Azure Platform".
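The token exchange described above can be modeled in a few lines. This is an added example, not code from the article or from Microsoft: the issuer names, keys and function names are hypothetical, tokens are JSON rather than SAML, and HMAC-SHA256 stands in for the certificate-based signatures a real STS uses.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 is a stand-in for X.509 signatures; with
# real certificates the relying party would hold only the STS public key.
IDP_KEY = b"constructed-idp-sts-key"
ACS_KEY = b"constructed-acs-key"


def sign_token(issuer, claims, key):
    """Issue a token: canonical JSON body plus a signature over that body."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_token(token, trusted):
    """Return the claims if the token was signed by an STS in `trusted`.

    `trusted` maps issuer name -> verification key; it plays the role of the
    application's list of certificates for the STSs it trusts.
    """
    try:
        parsed = json.loads(token["body"])
        issuer, claims = parsed["issuer"], parsed["claims"]
    except (KeyError, TypeError, ValueError):
        raise ValueError("malformed token")
    key = trusted.get(issuer)
    if key is None:
        raise ValueError(f"issuer {issuer!r} is not a trusted STS")
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        raise ValueError("signature check failed")
    return claims


def acs_exchange(idp_token, acs_trusted):
    """Access Control Service step: validate the incoming token, re-sign as ACS."""
    claims = verify_token(idp_token, acs_trusted)
    return sign_token("acs", claims, ACS_KEY)


def app_authorize(token):
    """Cloud application: its trust list contains the ACS only."""
    return verify_token(token, {"acs": ACS_KEY})
```

The application never needs the identity provider's key: federation works because the ACS trusts the provider and the application trusts the ACS.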
Security and regulatory compliance
As a service provider, Microsoft must comply with regulatory requirements of the governmental entities within whose jurisdictions Azure operates, along with industry regulations that cover many companies in specific fields. Microsoft's compliance framework is designed to address this challenge. The security for Microsoft's cloud infrastructure is managed by the Online Services Security and Compliance team, which maintains the security control framework and develops policies and programs for ensuring compliance and managing security risks.
The Microsoft cloud undergoes annual audits for PCI DSS, SOX and HIPAA compliance, as well as internal assessments throughout the year. The Microsoft cloud has obtained ISO/IEC 27001:2005 certification and SAS 70 Type I and II attestations.
ISO/IEC 27001:2005 is a standard that specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System. You can find out more about it here.
Statement on Auditing Standards (SAS) 70 is an auditing standard developed by the American Institute of Certified Public Accountants, which provides guidance for independent auditors to issue an opinion on a service or organization's disclosure of its control of activities and processes. Find out more about it here.
Security in the Microsoft Cloud
Microsoft's approach to security in its cloud environment is laid out in the white paper Securing Microsoft's Cloud Infrastructure.
To read about Microsoft's approach to cloud security in more detail, click here.
To summarize, the company applies security mechanisms at different layers of the cloud infrastructure to implement a defense-in-depth approach. These layered mechanisms include:
- Physical security of the data centers (locks, cameras, biometric devices, card readers, alarms)
- Firewalls, application gateways and IDS to protect the network
- Access Control Lists (ACLs) applied to virtual local area networks (VLANs) and applications
- Authentication and authorization of persons or processes that request access to data
- Hardening of the servers and operating system instances
- Redundant internal and external DNS infrastructure with restricted write access
- Securing of virtual machine objects
- Securing of static and dynamic storage containers
Assets are categorized as to the level of security required, based on the potential for damage. Highly sensitive assets are protected by more stringent mechanisms, such as multi-factor authentication (smart cards, biometrics, hardware tokens). The principle of least privilege is followed, whereby persons and processes are given the lowest level of access that is required for them to do their jobs and no more.
Microsoft's online services teams apply the Security Development Lifecycle (SDL) principles (security by design, security by default, and security in deployment + communications) to the online services. To read more about the SDL and SD3+C principles, follow this link.
Windows Azure is deployed within Global Foundation Services datacenters, and thus enjoys the network security benefits provided by GFS. It is the responsibility of application developers to ensure that application data is secured at the application layer. Thus it is up to the application developer to determine whether/which data should be encrypted.
Security in SQL Azure is much like security for an on-site SQL Server, so SQL administrators will find security management at the database level to be a familiar task. Server-level administration is a bit different because the databases may span more than one physical system.
To find out more about managing security in SQL Azure, check out the MSDN web site.
Building secure applications on the Azure platform
Developers can find proven practices for creating secure applications to run on the Azure platform in the Azure Security Knowledge Base here.
A training seminar for developers on the SQL Azure Security Model will be available on demand, beginning November 30th, here!