Azure Cloud Security – Part 2
Security operations that work for you
Last week we released the first in a series of postings aimed at addressing any security concerns you may have regarding Microsoft’s Azure Cloud.
Today, we’re going to take a deeper look at Microsoft’s security operations and the people and intelligence behind the scenes that are helping secure organizations like yours every day.
The Microsoft cloud is managed by people who spend all day thinking about data security and privacy. Azure customers get to take advantage of 3,500 dedicated cybersecurity professionals working together across the Cyber Defense Operations Center, digital crimes unit and other teams to help protect, detect and respond to threats in real time.
The industry-leading security experts in Microsoft’s Cyber Defense Operations Center (CDOC) defend Microsoft’s own services, including Azure and Office 365, on behalf of their customers. Staffed with dedicated teams 24×7, the CDOC has direct access to thousands of security professionals, data scientists, and product engineers throughout Microsoft to ensure rapid response to and resolution of security threats.
The Digital Crimes Unit (DCU), which operates out of the Cybercrime Center, is an international legal and technical team working with partners to help eliminate a full range of cyber threats, including malicious software crimes, IP crimes, and technology-facilitated child exploitation. Microsoft’s Digital Crimes Unit has worked with global law enforcement agencies to bring criminals to justice: to date, it has taken down 18 criminal botnets and rescued nearly 500 million devices from covert botnet control. In partnership with security teams across the company, the DCU has also combatted nation-state hackers, using innovative legal approaches 12 times in two years to shut down 84 fake websites, often used in phishing attacks, set up by a group known as Strontium that is widely associated with the Russian government.
The Microsoft Threat Intelligence Center (MSTIC) does state-of-the-art detection work that is well documented and helps protect Microsoft’s customers every day. When threats are detected, MSTIC works directly with participating organizations to notify them and help them secure their systems; Microsoft AccountGuard draws on MSTIC’s expertise for exactly this.
Microsoft cloud services extend your security team by thousands of industry-leading security experts.
Microsoft Intelligent Security Graph
The centerpiece of their investment in intelligence is the Microsoft Intelligent Security Graph. This is how they describe the way that they synthesize a vast amount of data from a huge variety of sources. 400 billion emails get analyzed by Outlook.com and Office 365 email services every month and 1.2 billion devices get scanned every month by Windows Defender!
That gives them a great deal of signal into what is happening on endpoints: where the attacks are and what they look like these days.
Microsoft operates 200-plus global cloud, consumer, and commercial services. Everything from outlook.com to Xbox Live to Office 365 to Azure, and so on. And with all of those services, they have a tremendous amount of surface area that they defend. Enterprise Security from Microsoft is employed by 90% of the Fortune 500.
Because Microsoft is so often the target of these attacks, it gathers a great deal of information from defending against them.
More than 1 billion Azure user accounts give Microsoft tremendous insight into how people authenticate to Azure. Combined with the 450 billion monthly authentications handled by Azure Active Directory and Microsoft Account, this gives them a clear picture of what normal behavior looks like for sign-ins and authentications, what abnormal behavior looks like, and how often someone presents the right password but is not the person they claim to be. By looking across that data set, Microsoft learns a great deal about defending that critical control point, the identity.
Bing scans about 18 billion web pages every month, giving Microsoft great insight into how web scripting technologies are being used in attacks and phishing campaigns. They have a process for ingesting this data and for deciding how to help customers defend themselves based on that information.
On top of all of that they layer shared threat data from their partners, from the Microsoft researchers who are among their 3,500-plus full-time security staff, and from the law enforcement agencies they partner with worldwide through the Digital Crimes Unit, as well as botnet data that the Digital Crimes Unit collects. All of that intelligence makes up the Intelligent Security Graph.
And why is it a graph? It’s a graph because it’s really important in connecting these pieces of intelligence, so that these signals are not just individual points of information. The graph brings them together as something that Microsoft can draw patterns across. They can learn from one point of data to influence how they interpret another point of data.
So, the Intelligent Security Graph is something that Microsoft is very heavily invested in, and something they feel is unique to them in the industry.
The first side of this is the secure foundation of Microsoft’s cloud services: how they operate their own cloud services, Azure, Office 365 and so forth. Microsoft has some of the world’s best physical security, with fences and barbed wire to provide secured building environments and, within those buildings, secure server environments.
To enter a server environment, for example, a person would have to pass through multiple physical layers and provide multiple forms of identification. They would also be scanned for metal in their pockets to make sure they are not bringing in devices to steal information. So there is a great deal of physical security that Microsoft maintains on behalf of all the customers of its cloud services, and that investment is one that Microsoft customers get to leverage directly.
One of the ways this comes to life is in Microsoft’s continual testing of their services, making sure that they find vulnerabilities faster than the bad guys can. Microsoft has a big focus on red team, blue team exercises. If you are not familiar with those, the idea is that dedicated professionals whose job it is to be on the good side act like the bad guys: they are constantly trying to find ways to penetrate the services and ways that hackers might attack them, so that the defenses can be shored up.
Another example of their operational excellence is restricted access. When Microsoft employees need elevated access so that they can perform maintenance on a service, or investigate a customer support issue, they get access only to exactly the resources they need and for only exactly the amount of time they need it. So they have just-in-time and just-enough access to do their work, and then they get out. They hold no standing elevated access that would allow them to view customer data.
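The just-in-time, just-enough access model described above, as an added example that is not Microsoft’s code or a description of any Azure API: a toy broker in which nobody holds standing rights, every elevation is scoped to one resource and one set of actions, expires at a hard deadline, and is recorded. The principal, resource and action names, the four-hour ceiling and the timestamps are constructed for the demonstration.

```python
"""Toy just-in-time (JIT), just-enough access (JEA) broker: no standing access."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str          # the one resource the grant covers (just enough)
    actions: frozenset     # the exact actions permitted on it
    expires_at: datetime   # hard end of the window (just in time)


@dataclass
class JitBroker:
    max_duration: timedelta = timedelta(hours=4)   # assumed policy ceiling
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)       # every grant is recorded

    def request(self, principal, resource, actions, justification, duration, now):
        if not justification.strip():
            raise ValueError("elevation requires a justification")
        ttl = min(duration, self.max_duration)       # requests cannot exceed policy
        grant = Grant(principal, resource, frozenset(actions), now + ttl)
        self.grants.append(grant)
        self.audit.append((now, principal, resource, sorted(actions), justification))
        return grant

    def is_allowed(self, principal, resource, action, now):
        # Default deny: only an unexpired grant matching principal, resource
        # and action opens access. Nobody holds standing elevated rights.
        return any(g.principal == principal and g.resource == resource
                   and action in g.actions and now < g.expires_at
                   for g in self.grants)


def demo():
    """Constructed scenario: one operator elevates for one hour on one VM."""
    t0 = datetime(2019, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.request("ops-alice", "vm/web-01", {"restart"},
                   "ticket 123: hung service", timedelta(hours=1), t0)
    mid, late = t0 + timedelta(minutes=30), t0 + timedelta(hours=2)
    return {
        "in_scope_in_window": broker.is_allowed("ops-alice", "vm/web-01", "restart", mid),
        "other_action": broker.is_allowed("ops-alice", "vm/web-01", "read-data", mid),
        "other_resource": broker.is_allowed("ops-alice", "vm/web-02", "restart", mid),
        "after_expiry": broker.is_allowed("ops-alice", "vm/web-01", "restart", late),
        "no_grant": broker.is_allowed("ops-bob", "vm/web-01", "restart", mid),
    }
```

Only the first check succeeds; a different action, a different resource, an expired window, or an operator with no grant at all are each denied.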
Global Cloud Infrastructure
Lastly, customer controls are an important part of keeping Azure secure. This is something Microsoft gets asked about a lot when they talk to customers about their cloud services: what do I have under my control so that I can decide how I want to manage my data and access to it? Access controls, of course, are the very foundation of it. Multi-factor authentication for the admins at customer sites who operate Azure or Office 365 for that customer is a basic that Microsoft considers fundamental.
Finally, network and distributed denial of service protection is in place for all of these services. Microsoft provides basic protection to ensure their services work reliably, and Azure customers can take advantage of additional protection at the network layer to suit their individual needs.