Mastering Azure Security
eBook - ePub

Mastering Azure Security

Safeguard your Azure workload with innovative cloud security measures

262 pages, English, ePUB

About this book

Leverage Azure security services to architect robust cloud solutions in Microsoft Azure

Key Features

  • Secure your Azure cloud workloads across applications and networks
  • Protect your Azure infrastructure from cyber attacks
  • Discover tips and techniques for implementing, deploying, and maintaining secure cloud services using best practices

Book Description

Security is always integrated into cloud platforms, causing users to let their guard down as they take cloud security for granted. Cloud computing brings new security challenges, but you can overcome these with Microsoft Azure's shared responsibility model. Mastering Azure Security covers the latest security features provided by Microsoft to identify different threats and protect your Azure cloud using innovative techniques. The book takes you through the built-in security controls and the multi-layered security features offered by Azure to protect cloud workloads across apps and networks. You'll get to grips with using Azure Security Center for unified security management, building secure application gateways on Azure, protecting the cloud from DDoS attacks, safeguarding with Azure Key Vault, and much more. Additionally, the book covers Azure Sentinel, monitoring and auditing, Azure security and governance best practices, and securing PaaS deployments. By the end of this book, you'll have developed a solid understanding of cybersecurity in the cloud and be able to design secure solutions in Microsoft Azure.

What you will learn

  • Understand cloud security concepts
  • Get to grips with managing cloud identities
  • Adopt the Azure security cloud infrastructure
  • Grasp Azure network security concepts
  • Discover how to keep cloud resources secure
  • Implement cloud governance with security policies and rules

Who this book is for

This book is for Azure cloud professionals, Azure architects, and security professionals looking to implement secure cloud services using Azure Security Center and other Azure security features. A fundamental understanding of security concepts and prior exposure to the Azure cloud will help you understand the key concepts covered in the book more effectively.


Information

Year: 2020
Print ISBN: 9781839218996
Edition: 1
eBook ISBN: 9781839216053

Section 1: Identity and Governance

In this section, you will learn how to create and enforce policies in Azure, how to manage and secure identity in Azure, and what cybersecurity in the cloud is.
This section comprises the following chapters:
  • Chapter 1, Azure Security Introduction
  • Chapter 2, Governance and Security
  • Chapter 3, Managing Cloud Identities

Chapter 1: Introduction to Azure security

When cloud computing comes up as the subject of a conversation, security is, very often, the main topic. When data leaves local datacenters, many wonder what happens to it. We are used to having complete control over everything, from physical servers, networks, and hypervisors, to applications and data. Then, all of a sudden, we are supposed to transfer much of that to someone else. It's natural to feel a little tension and distrust at the beginning, but, if we dig deep, we'll see that cloud computing can offer us more security than we could ever achieve on our own.
Microsoft Azure is a cloud computing service provided through Microsoft-managed datacenters dispersed around the world. Azure datacenters are built to top industry standards and comply with the relevant standards and certifications, such as ISO/IEC 27001:2013 and NIST SP 800-53, to name a couple. These standards guarantee that Microsoft Azure is built to provide security and reliability.
In this chapter, we'll learn about Azure security concepts and how security is structured in Microsoft Azure datacenters, using the following topics:
  • Exploring the shared responsibility model
  • Physical security
  • Azure network
  • Azure infrastructure availability
  • Azure infrastructure integrity
  • Azure infrastructure monitoring
  • Understanding Azure security foundations

Exploring the shared responsibility model

While Microsoft Azure is very secure, responsibility for building a secure environment doesn't rest with Microsoft alone. Its shared responsibility model divides responsibility between Microsoft and its customers.
Before we can discuss which party looks after which aspect of security, we need to first discuss cloud service models. There are three basic models:
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)
These models differ in terms of what is controlled by Microsoft and what is controlled by the customer. A general breakdown can be seen in the following diagram:
Figure 1.1 – Basic cloud service models
Let's look at these services in a little more detail:

On-premises

In an on-premises environment, we, as users, take care of everything: the network, physical servers, storage, and so on. We need to set up virtualization stacks (if used), configure and maintain servers, install and maintain software, manage databases, and so on. Most importantly, all aspects of security are our responsibility: physical security, network security, host and OS security, and application security for all application software running on our servers.

Infrastructure as a Service

With IaaS, Microsoft takes over some of the responsibilities. We only take care of data, runtime, applications, and some aspects of security, which we'll discuss a little later on. An example of an IaaS product in Microsoft Azure is Azure Virtual Machines (VM).

Platform as a Service

PaaS gives Microsoft even more responsibility. We only take care of our applications. However, this still means looking after a part of the security. Some examples of PaaS in Microsoft Azure are Azure SQL Database and web apps.

Software as a Service

With SaaS, we give away most of the control and manage very little, though this still includes some aspects of security. In Microsoft's ecosystem, a popular example of SaaS is Office 365; however, we will not discuss this in this book.
Now that we have a basic understanding of shared responsibility, let's understand how responsibility for security is allocated.

Division of security in the shared responsibility model

The shared responsibility model divides security into three zones:
  • Always controlled by the customer
  • Always controlled by Microsoft
  • Varies by service type
Irrespective of the cloud service model, customers will always retain the following security responsibilities:
  • Data governance and rights management
  • Endpoints
  • Account and access management
Similarly, Microsoft always handles the following, in terms of security, for any of its cloud service models:
  • Physical datacenter
  • Physical network
  • Physical hosts
Finally, there are a few security responsibilities that are allocated based on the cloud service model:
  • Identity and directory infrastructure
  • Applications
  • Network
  • Operating system
Responsibility distribution, based on different cloud service models, is shown in the following diagram:
Figure 1.2 – Responsibility distribution between the customer and service provider for different cloud service models (image courtesy of Microsoft, License: MIT)
Now that we know how security is divided, let's move on to one specific aspect of it: the physical security that Microsoft manages. This section is important as we won't discuss it in much detail in the chapters to come.

Physical security

It all starts with physical security. No matter what we do to protect our data from attacks coming from outside of our network, it would all be in vain if someone were to walk into a datacenter or server room and take away disks from our servers. Microsoft takes physical security very seriously in order to reduce the risk of unauthorized access to data and datacenter resources.
Azure datacenters can be accessed only through strictly defined access points. A facility's perimeter is safeguarded by tall fences made of steel and concrete. In order to enter Azure datacenters, a person needs to go through at least two checkpoints: first to enter the facility perimeter, and second to enter the building. Both checkpoints are staffed by professional and trained security personnel. In addition to the access points, security personnel patrol the facility's perimeter. The facility and its buildings are covered by video surveillance, which is monitored by the security personnel.
After entering the building, two-factor authentication with biometrics is required to gain access to the inside of the datacenter. If their identity is validated, a person can access only approved parts of the datacenter. Approval, besides defining areas that can be accessed, also defines periods that can be spent inside these areas. It also strictly defines whether a person can access these areas alone or needs to be accompanied by someone.
Before accessing each area inside the datacenter, a mandatory metal detector check is performed. In order to prevent unauthorized data leaving or entering the datacenter, only approved devices are allowed. Additionally, all server racks are monitored from the front and back using video surveillance. When leaving a datacenter area, an additional metal detector screening is required. This helps Microsoft make sure that nothing that can compromise its data's security is brought in or removed from the datacenter without authorization.
A review of physical security is conducted periodically for all facilities. This aims to satisfy all security requirements at all times.
After equipment reaches the end of its life, it is disposed of in a secure way, with rigorous data and hardware disposal policies. During the disposal process, Microsoft personnel ensure that data is not available to untrusted parties. All data devices are either wiped (if possible) or physically destroyed in order to render the recovery of any information impossible.
All Microsoft Azure datacenters are designed, built, and operated in a way that satisfies top industry standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2, to name a few. In many cases, specific region or country standards are followed as well, such as Australia IRAP, UK GCloud, and Singapore MTCS.
As an added precaution, all data inside any Microsoft Azure datacenter is encrypted at rest. Even if someone managed to get their hands on disks with customers' data, which is virtually impossible with all the security measures, it would take an enormous effort (both from a financial and time perspective) to decrypt any of the data.
But in the cloud era, network security is at least as important as physical security, if not more so. Most services are accessed over the internet, and even isolated services depend on the network layer. So next, we need to take a look at Azure network architecture.

Azure network

Networking in Azure can be separated into two parts: managed by Microsoft and managed by us. In this section, we will discuss the part of networking managed by Microsoft. It's important to understand the architecture, reliability, and security setup of this part to provide more context once we move to parts of network security that we need to manage.
As with Azure datacenters generally, the Azure network follows industry standards, with three distinct layers:
  • Core
  • Distribution
  • Access
All three layers use distinct hardware in order to completely separate them from one another. The core layer uses datacenter routers, the distribution layer uses access routers and L2 aggregation (this layer separates L3 routing from L2 switching), and the access layer uses L2 switches.
Azure network architecture includes two levels of L2 switches:
  • First level: Aggregates traffic
  • Second level: Loops to incorporate redundancy
This approach allows for more flexibility and better port scaling. Another benefit of this approach is that L2 and L3 are totally separated, which allows for the use of distinct hardware for each layer in the netw...

Table of contents

  1. Mastering Azure Security
  2. Why subscribe?
  3. Preface
  4. Section 1: Identity and Governance
  5. Chapter 1: Introduction to Azure security
  6. Chapter 2: Governance and Security
  7. Chapter 3: Managing Cloud Identities
  8. Section 2: Cloud Infrastructure Security
  9. Chapter 4: Azure Network Security
  10. Chapter 5: Azure Key Vault
  11. Chapter 6: Data Security
  12. Section 3: Security Management
  13. Chapter 7: Azure Security Center
  14. Chapter 8: Azure Sentinel
  15. Chapter 9: Security Best Practices
  16. Assessments
  17. Other Books You May Enjoy

Mastering Azure Security by Mustafa Toroman and Tom Janetscheck is available in PDF and ePUB format (Computer Science & Computer Networking).