Security Solutions in Cloud offered by the platform Microsoft Cloud Security for Microsoft Azure and Microsoft 365

In the previous article we discussed the security principles applied to cloud platforms, which are based on the Zero Trust security model, a model completely different from the idea of concentrating security technologies to build a strong secure perimeter with the aim of keeping attackers out of it. Enterprise security measures were traditionally based on treating the services and resources positioned inside this secured perimeter as trusted and protected, with everything outside viewed as potentially hostile.

The new security principles on which current cloud security technologies are developed

In the age of cloud technologies and hybrid infrastructures, these principles are replaced by a new attitude towards security, based on the ideas of assuming breach and of Zero Trust. These ideas reflect today's reality, which forces organizations to stop regarding the defense of the security perimeter as the exclusive prerogative of security specialists. Modern organizations, in the midst of the digital transformation of their business and infrastructure, must provide access to their own data and services to users and employees located both behind firewall solutions and outside them.

The Zero Trust Model (ZTM) was introduced by the analyst firm Forrester Research and, as mentioned in the first part of this article, it introduced the concept of continuously validating security instead of assuming it from the position of resources and of their consumers. It also starts from the idea that, once users and their devices have been granted access to the organization's resources, their security level is no longer implicitly assumed just because the consumers are positioned inside the organization's perimeter; it is validated continuously.

The traditional implementation of security technologies is closely tied to the type of resources to be protected and is carried out at the level of the organization. Scenarios in which resources of several organizations are used in partnership from multiple locations considerably complicate the implementation and control of security, and raise the issue of the partners' responsibility for possible breaches and attacks on those resources. The history of events taking place in each organization has to be correlated so that the behavior of users from the partner organizations is captured, and this requires monitoring and analysis platforms positioned outside the audited infrastructures.

Positioning organizational resources in the cloud makes a large number of globally distributed infrastructure components available to users and simplifies how organizations collaborate and share data with each other. It also divides the responsibility for implementing security measures between the vendor (which provides the infrastructure for a fee) and the organization that owns and pays for the cloud subscription; this model is called the Shared Responsibility Model.

The division of responsibility is closely tied to the type of cloud resource: Infrastructure as a Service (IaaS) places more responsibility on the organization, while Software as a Service (SaaS) places more on the vendor, as image 1 shows.

Image 1 – Shared Responsibility Model, source Microsoft Docs

To understand how shared responsibility applies, take as an example a virtual machine (VM) in Azure (an IaaS cloud resource) on which the organization runs a proprietary application. While the vendor, Microsoft, is responsible for the security of the physical network, the physical storage and the virtualization platform, including updates to the physical servers, the organization using the virtual machine is responsible for securing the VM's public and internal access points, for periodically updating its operating system and for securing the applications installed on it.

If the organization decides to use Platform as a Service (PaaS) services instead of a virtual machine, the vendor provides and manages the instances that deliver the required services, guaranteeing their security, the periodic updates of the operating systems and of the software platform, as well as monitoring, scalability and resilience. There remains, however, a shared area of responsibility covering the authentication and authorization service (identity), the application platform being accessed (for example Web services or SQL databases) and network security controls (exposing endpoints, enabling firewall, DDoS or VPN services, opening the necessary ports, assigning public IP addresses).

For a Software as a Service solution such as Microsoft 365, Microsoft's responsibility as vendor also covers the application platform and the control of the network environment (the endpoints are predefined), the shared responsibility remaining only in the area of the identity platform. Regardless of the model, however, the organization is always responsible for defining access accounts and passwords, protecting personal data, implementing governance mechanisms, managing access and activating the licenses assigned to users.

The reference architecture defined by Cloud Security Alliance

According to the design principles applied to cloud infrastructures and to the reference architecture defined by the Cloud Security Alliance, any environment is composed of the following components:

Image – Cloud Security Alliance reference architecture, source Cloud Security Alliance

Therefore, the implementation of security mechanisms must take this organization into account, with the technologies involved being associated with, and specialized for, each subcomponent as follows:

  • Business Operation Support Services – BOSS (defined by the SABSA Institute Enterprise Security Architecture): compliance, data governance, operational risk management, human resources security, security monitoring, legal services and internal investigations
  • Information Technology Operation & Support – ITOS (defined by ITIL – Information Technology Infrastructure Library): IT Operation, Service Delivery and Service Support
  • Architecture services (defined by the Open Group Architecture Framework – TOGAF Standard):
    • Presentation Services (consumer service platform, enterprise service platform, endpoints, speech recognition and handwriting)
    • Application Services (programming interfaces, security knowledge lifecycle, development process, integration, connectivity and delivery)
    • Information Services (service delivery and support, reporting services, data governance and risk management, security monitoring, user directory services)
    • Infrastructure Services (Internal Infrastructure – servers, storage, network, equipment, endpoints, patch management; Virtual Infrastructure – desktop, server, application virtualization, network, virtual workspaces, file-based virtualization)
  • Security and Risk Management (defined by the Jericho Forum Commandments):
    • Governance, Risk & Compliance (compliance, policy, vendor audit, IT risk management, technical awareness and training)
    • Privilege Management Infrastructure (identity management, authentication services, authorization services, privilege usage management)
    • Threat and Vulnerability Management (compliance testing, penetration testing, vulnerability management, threat management)
    • Infrastructure Protection Services (server, endpoint, network, application)
    • Data Protection (data lifecycle management, data loss prevention, intellectual property protection, cryptographic services)
    • Policies and Standards (operational security baselines, role-based awareness, Information Security policies, Technical Security Standards, data/asset classification, best practices, regulatory correlation).

For a complete picture of these components I invite you to study the official Cloud Security Alliance page and the CSA portal, where the fundamental security principles that guide cloud service vendors are also available, to assist the customers of those services in managing and analyzing security risks through tools such as the Cloud Security Alliance Cloud Controls Matrix (CCM).

Microsoft Cybersecurity Reference Architecture

Starting from the model described by CSA, Microsoft defined, and integrated into its cloud service offering, the security principles of hybrid enterprise environments under the title Cybersecurity Reference Architecture:

Image – Cybersecurity Reference Architecture, source: official Microsoft site

The annual investment officially announced by Microsoft CEO Satya Nadella, over $1 billion dedicated to research and development of security solutions integrated into cloud infrastructures and services, made possible the development of the innovative solutions represented in the image above, which we describe next. Microsoft also invests in start-ups that develop advanced security solutions and products, such as the Israeli company Team8, and constantly expands the capabilities of the Windows and Office platforms, which integrate Windows Defender and Windows Defender Security Center.

The main arguments Microsoft puts forward for being chosen as customers' main cybersecurity partner are:

  • strong commitment to cybersecurity (investment of more than $1 billion annually, use of its own cloud-hosted security solutions, expansion of its own teams of specialists with globally recognized engineers, including former CISOs)
  • a three-pronged approach to security: a comprehensive platform, artificial intelligence that analyzes the large volumes of information gathered through telemetry mechanisms, and partnerships with the best security specialists worldwide
  • Microsoft's commitment to security: Microsoft Trust Center
  • promoter of sharing cybersecurity best practices (NIST, CSF, RFI, Microsoft Security Development Lifecycle)
  • interacting with customers and educating them about Microsoft's approach and services in cybersecurity: Microsoft collaborated with the Digital Crimes Unit, the Cyber Defense Operations Center, the Digital Risk and Security Engineering team, Cloud & Enterprise Security and Windows Security to launch the Cyber Security Executive Intelligence Center (EBC), delivering major customer benefits

Microsoft's relationship as vendor with the customers of its cloud solutions and services

Customers of Microsoft cloud solutions are offered a comprehensive overview of cybersecurity products and services developed and aligned to the principles protect, detect and respond; they meet face-to-face with security experts and leaders to learn about threats, cybersecurity services and risk management, and learn how to improve their cybersecurity posture with Microsoft as a trusted advisor and partner.

Microsoft contributes permanently to protecting users against computer threats by using automation and artificial intelligence built into the technologies dedicated to them, both for enterprise users and for home and educational environments.

For the latter, the main recommendations are: keeping the Windows operating system up to date; using Microsoft Family Safety for Windows PC, Android and Xbox users; keeping files safe and always available via OneDrive; browsing the Internet safely using Microsoft Edge and Microsoft Defender SmartScreen; creating and managing secure passwords of at least 12 characters and avoiding their reuse; and, last but not least, using the Microsoft Teams platform for education.

Security solutions dedicated to enterprise environments are based on the integration of the native security capabilities of the platforms used, on simplicity and on visibility, principles summed up by the following statement:

"If you make security difficult, people will bypass it. With Microsoft, we get native capabilities, visibility into our operational environment, and simplicity for all employees."

– Simon Hodgkinson, Group Head of Information Security, BP

An overview of the main groups of security technologies and platforms available in the Microsoft cloud platforms, dedicated to public and hybrid enterprise infrastructures and to their customers, highlights the following product families:

Dedicated SOC (Security Operations Center) solutions and resources

Azure Sentinel – cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platform, dedicated both to the Microsoft Threat Experts specialists and to Security Incident Response Teams

Microsoft Cloud App Security – acts as a Cloud Access Security Broker (CASB) for various application deployment models: log collection, API connectors and reverse proxies. MCAS is responsible for Shadow IT discovery and control (a library of over 16,000 applications and over 80 identifiable risks), for protecting sensitive information anywhere in the cloud, for protection against anomalies and cyber threats, and for compliance testing of cloud applications

Azure Security Center – dedicated to assessing the existing level of security of the cloud infrastructure through Secure Score and to improving the protection of Linux and Windows virtual machines, cloud-native applications, data and IoT solutions through the Security Center Standard tier consumption plan, a paid extension of the free Basic tier

Microsoft Defender, which offers advanced threat protection (Microsoft Defender ATP), provides proactive protection, post-breach detection, automated investigation and response

Telemetry, auditing, logging and data protection mechanisms included in the Office 365 and Azure platforms, together with the integration of third-party solutions through the Microsoft Graph Security API, round out the list of SOC solutions

Dedicated client management solutions and resources

Mobile, unmanaged and unenrolled devices are managed through the Intune MDM/MAM platform and the newer Microsoft Endpoint Manager (both components of Microsoft 365, included in Enterprise Mobility & Security), while centrally managed clients in enterprise environments are handled by the System Center Configuration Manager platform.

Client management also relies on onboarding the clients to Microsoft Defender ATP and on monitoring their security level through Secure Score, which provides security specialists with recommendations for remediating the aspects that can be improved.

Microsoft Advanced Threat Analytics – ATA, dedicated to the analysis of historical data provided by SIEM, WEF (Windows Event Forwarding) and Windows Event Collector monitoring solutions in order to recognize attack phases, identify lateral movement cycles and domain dominance. The list of attacks that ATA can detect includes: Pass-the-Ticket (PtT), Pass-the-Hash (PtH), Overpass-the-Hash, Forged PAC (MS14-068), Golden Ticket, malicious replication, reconnaissance, brute force and remote execution

Image – Microsoft Advanced Threat Analytics, source Microsoft Docs

Windows 10 Enterprise Security is a component of the Microsoft 365 platform, an extension of the Microsoft Windows 10 operating system that includes advanced identity and access management mechanisms, threat protection and information protection.

We should also not forget Windows 10 S, a limited version of the operating system dedicated to low-end devices used in the education market (School PC) and to specialized devices (Microsoft Surface Hub and Surface Studio).

Solutions and products dedicated to hybrid enterprise environments

Azure Security Center provides these types of infrastructures with cross-platform visibility, threat protection and detection, Just-in-Time VM Access, Adaptive Application Controls and configuration hygiene.

Azure Firewall is a cloud-based, managed (vendor-administered) network security service, a complete stateful firewall-as-a-service that offers high availability and scalability; it is complemented by Network Security Appliances (templates from the Azure Marketplace that allow provisioning virtual machines containing dedicated security solutions, integrated into the organization's cloud infrastructure).

Azure DDoS Protection and attack mitigation implicitly ensure protection against attempts to flood and monopolize infrastructure resources, with a paid extension that allows anticipating critical situations based on historical records.

ExpressRoute extends on-premises networks to Microsoft cloud resources in Azure and Office 365 through redundant private connections provided regionally by Microsoft partners, and complements Azure VPN Gateway, the traditional connectivity solution dedicated to hybrid environments.

Azure Policy and Azure Blueprints manage templates, organizational standards, resource provisioning conditions and Azure subscription management, while Azure Key Vault enables centralized management of cryptographic keys, passwords and digital certificates in the cloud.
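An Azure Policy guardrail is a definition whose if/then rule Azure evaluates against every resource when it is created or updated and again on its periodic compliance scan. The following Python script is an illustration added to this article, not Microsoft's policy engine and not code from the original post: it implements a small evaluator for that rule grammar (allOf / anyOf / not, equals / notEquals / in / notIn / exists) and runs a constructed definition, "deny storage accounts that still accept plain HTTP", over constructed resource JSON. The field alias `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` is a real Azure Policy alias; the simplified alias resolution (last path segment read from `properties`) and the sample resources are assumptions of the example.

```python
"""Minimal evaluator for the if/then rule of an Azure Policy definition.

Added example for this article, not Microsoft's policy engine. Field aliases
such as "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly" are
resolved by reading the last path segment from the resource's "properties"
object; this is an assumption that holds for simple properties only (nested
and array aliases are out of scope here).
"""
from __future__ import annotations

from typing import Any

# Constructed policy definition in the shape of a real Azure Policy definition:
# deny storage accounts whose secure-transfer flag is anything but true.
REQUIRE_HTTPS_STORAGE_POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "notEquals": "true"},
            ]
        },
        "then": {"effect": "deny"},
    },
}

TOP_LEVEL_FIELDS = {"type", "name", "location", "kind"}


def resolve_field(resource: dict, field: str) -> Any:
    """Look up a policy field on a resource; a missing value resolves to None."""
    if field in TOP_LEVEL_FIELDS:
        return resource.get(field)
    if field.startswith("tags["):               # tags['env'] syntax
        return (resource.get("tags") or {}).get(field[5:-1].strip("'"))
    prop = field.rsplit("/", 1)[-1]             # simplified alias resolution
    return (resource.get("properties") or {}).get(prop)


def norm(value: Any) -> str | None:
    """Azure Policy compares field values as case-insensitive strings."""
    return None if value is None else str(value).lower()


def evaluate(condition: dict, resource: dict) -> bool:
    """Return True when the resource matches the condition (the 'if' block)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    actual = norm(resolve_field(resource, condition["field"]))
    if "equals" in condition:
        return actual == norm(condition["equals"])
    if "notEquals" in condition:
        return actual != norm(condition["notEquals"])
    if "in" in condition:
        return actual in {norm(v) for v in condition["in"]}
    if "notIn" in condition:
        return actual not in {norm(v) for v in condition["notIn"]}
    if "exists" in condition:
        return (actual is not None) == (norm(condition["exists"]) == "true")
    raise ValueError(f"unsupported condition: {condition}")


def apply_policy(policy: dict, resource: dict) -> str:
    """Return the effect the policy applies to the resource, or 'none'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "none"


# Constructed resources: one compliant storage account, one legacy account
# still allowing HTTP, and a VM the policy does not apply to.
SAMPLE_RESOURCES = [
    {"name": "stlogsprod", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "vm-app-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "westeurope", "properties": {}},
]


def evaluate_all(policy: dict, resources: list[dict]) -> dict[str, str]:
    """Map each resource name to the effect the policy would apply."""
    return {r["name"]: apply_policy(policy, r) for r in resources}


if __name__ == "__main__":
    for name, effect in evaluate_all(REQUIRE_HTTPS_STORAGE_POLICY, SAMPLE_RESOURCES).items():
        print(f"{name:12s} -> {effect}")
```

Because `notEquals` treats a missing property as "not equal to true", an account whose `supportsHttpsTrafficOnly` was never set is denied as well, which is the conservative outcome for a deny guardrail.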

Azure Web Application Firewall is the component dedicated to protecting applications against vulnerabilities and exploits, integrated with Azure Application Gateway.

Application and Network Security Groups allow filtering of traffic from outside and between cloud resources, and organizing application tiers according to architectural needs.
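The organization-side responsibility in the shared-responsibility VM example earlier in the article (securing the VM's public access points) and the traffic filtering that Network Security Groups provide both come down to the inbound rules of the NSG attached to the VM. The following Python script is an illustration added to this article, not code from Microsoft, Azure Security Center or the original post: it walks a list of NSG rules in the order Azure evaluates them (ascending priority, first match wins, implicit deny otherwise) and reports which remote-administration ports are reachable from the Internet. The rule field names follow the JSON that `az network nsg rule list` outputs; the NSG itself and the management-port list are constructed for the example.

```python
"""Report remote-administration ports that an Azure NSG exposes to the Internet.

Added example for this article; not Microsoft or Azure Security Center code.
Rule objects use the field names of `az network nsg rule list` output
(name, priority, direction, access, protocol, sourceAddressPrefix(es),
destinationPortRange(s)); the sample NSG below is constructed.
"""
from __future__ import annotations

# Ports that the article's VM example leaves to the organization to protect.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# Source prefixes that mean "anyone on the Internet".
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}


def expand_ports(rule: dict) -> set[int] | None:
    """Return the destination ports a rule covers, or None for 'all ports'."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports: set[int] = set()
    for r in ranges:
        if r == "*":
            return None
        if "-" in r:
            lo, hi = (int(x) for x in r.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(r))
    return ports


def covers_internet(rule: dict) -> bool:
    """True when the rule's source matches any Internet address."""
    prefixes = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.add(rule["sourceAddressPrefix"])
    return bool(prefixes & INTERNET_SOURCES)


def exposed_management_ports(rules: list[dict]) -> dict[int, str]:
    """Return {port: rule name} for management ports allowed from the Internet.

    Azure evaluates inbound rules by ascending priority and stops at the first
    rule that matches the packet, so a Deny with a lower priority number
    shadows a later Allow; with no match the default DenyAllInBound applies.
    Rules restricted to a specific (non-Internet) source do not decide the
    outcome for Internet traffic and are skipped; only TCP matters here.
    """
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    exposed: dict[int, str] = {}
    for port in MANAGEMENT_PORTS:
        for rule in inbound:
            ports = expand_ports(rule)
            if ports is not None and port not in ports:
                continue
            if rule.get("protocol", "*") not in ("*", "Tcp"):
                continue
            if not covers_internet(rule):
                continue
            if rule.get("access") == "Allow":
                exposed[port] = rule["name"]
            break  # first matching rule decides, Allow or Deny
    return exposed


# Constructed sample: RDP opened "temporarily" from anywhere, SSH correctly
# limited to the corporate range, WinRM protected by a Deny, and a catch-all
# Allow at a lower priority that still exposes SSH.
SAMPLE_NSG_RULES = [
    {"name": "AllowRdpFromAnywhere", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
    {"name": "AllowSshFromCorp", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8",
     "destinationPortRange": "22"},
    {"name": "DenyWinRm", "priority": 120, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["5985-5986"]},
    {"name": "AllowAllInternet", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "*"},
    {"name": "AllowHttpsOut", "priority": 100, "direction": "Outbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "443"},
]


def report(rules: list[dict]) -> list[str]:
    """Human-readable findings, one line per exposed port."""
    return [f"{MANAGEMENT_PORTS[p]} ({p}) reachable from the Internet via rule '{n}'"
            for p, n in sorted(exposed_management_ports(rules).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_NSG_RULES):
        print(line)
```

Running it on an export of a real NSG replaces the constructed list with the parsed CLI output; the findings map directly onto the remediation the article attributes to the organization (restricting the source range, or removing the rule in favour of Just-in-Time VM Access or Azure Bastion).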

Azure Backup and Site Recovery ensure the protection of data, virtual machines and virtual disks in the cloud or on-premises, for both Azure and non-cloud resources.

Disk and Storage Encryption enable encryption of virtual machine disks and of data stored in the cloud.

Confidential computing is dedicated to protecting data and application code in the cloud.

The Azure Monitor, Azure Alerts, Azure Log Analytics (originally called Operations Management Suite) and Azure Application Insights platforms are dedicated to logging data collected from resources, triggering events and performing deep analysis by correlating data sources, and can be integrated with other security solutions.

The Windows Server 2019 operating system offers a wide range of built-in security technologies, including Just Enough Administration, Hyper-V Containers, Nano Server and Server Core.

Administrative operations on critical resources can be performed from a Privileged Access Workstation (PAW) or through Azure Bastion, thus ensuring a strongly secured connection point into the cloud infrastructure.

Windows IoT, Azure IoT Security and Azure Sphere provide comprehensive security solutions for Internet of Things devices, while IoT Hub provides organizations with a data gateway to which the data from these devices is sent.

Solutions and products dedicated to information and data protection

Together with Microsoft Cloud App Security, Azure Information Protection (AIP), Windows Information Protection (WIP, previously called Enterprise Data Protection) and Sensitivity labels are cloud solutions for the classification and protection of documents.

Office 365 Data Loss Prevention, Data Governance and eDiscovery directly support the process of checking that the legislation and regulations applicable to the organization regarding data access and handling are respected.

For PaaS database services, Azure SQL Threat Detection and SQL Encryption & Data Masking are built-in security features of Azure SQL Information Protection that can be extended with the information collected by Microsoft Defender ATP.

The Microsoft 365 toolset makes Office 365 Compliance Manager available to users; based on running predefined test templates, it reports the level of compliance with the best-known security standards, with reporting and archiving mechanisms added.

Image – Compliance Manager components, source Microsoft Docs

Microsoft gives special attention to current legislation by integrating Office 365 Information Protection for GDPR into the security platform.

Image – Office 365 Information Protection for GDPR

Identity & Access solutions and products

The Microsoft Azure and Microsoft 365 cloud platforms are based on Azure Active Directory, a universal platform for managing and securing identity, complemented by the following services:

  • Azure AD Identity Protection – automates risk detection and remediation, the investigation of risks based on data and their export to third-party solutions specialized in analysis
  • Azure AD Privileged Identity Management – PIM, the Azure AD service dedicated to the administration, control and monitoring of access to the most important cloud resources
  • Multi-factor Authentication – security extension of the authentication process involving two or more authentication methods
  • Azure AD B2B – business-to-business collaboration
  • Azure AD B2C – business-to-consumer application access management

Windows Hello for Business services allow replacing passwords with two-factor authentication mechanisms, while Microsoft Identity Manager (MIM) and Privileged Access Management complement the identity services with additional integration and control mechanisms.

Surely this list will be continuously supplemented and improved by Microsoft, while keeping the architectural reference model and the CSA design principles mentioned above.

For an in-depth understanding of each of the technologies and products mentioned above, two cloud specializations are available, one for the Microsoft Azure platform and the other for the Microsoft 365 platform. Both specializations are accompanied by dedicated courses described in these official pages:

Learning Path for Azure Security Engineer Associate – source Microsoft Docs

Learning Path for Security Administrator Associate – source Microsoft Docs

For a complete picture of the structure of courses and certifications dedicated to the security of the Microsoft Azure and Microsoft 365 cloud platforms, we invite you to study the structure of the official Microsoft courses on the official Microsoft Training and Certification portal and on the Bittnet Training portal.

Author MARIAN PANDILICĂ

LinkedIn

Senior Microsoft Certified trainer
Microsoft Learning Consultant 2010-2024
Customer Learning Architect
Cloud Solution and Cybersecurity Architect