Cloud computing and cloud security are top-of-mind across all enterprises. Chief information security officers and teams responsible for cloud deployments need to plan for and provide the required level of security that's relevant to their cloud resource needs.
How can you help protect your cloud assets and be compliant with security policies? How do you get targeted information about threats and incidents in real time, without investing in new infrastructure and IT capabilities?
At Microsoft IT, we use Azure Security Center as part of our mission to assess and help protect our cloud resources in Microsoft Azure across hundreds of subscriptions and apps. Azure Security Center gives us analytics-based threat detection and provides alerts that help us prevent and respond to threats and attacks in real time.
We use security intelligence from Azure Security Center to get visibility into our security state, prevent and tackle threats in our cloud ecosystem, and provide configuration and operational cloud-security knowledge to DevOps teams that manage cloud deployments at Microsoft.
Helping protect cloud resources isn't without its challenges. Let's first look at a few of these potential challenges, and then at how we use Azure Security Center to address these barriers and help protect the security of cloud resources, from an IT perspective.
It can be hard to assess the security level of cloud resources. In part, this is because the cloud is a vast ecosystem with the potential to change very rapidly. More specifically, getting visibility can be difficult because:
Having security professionals with deep knowledge of cloud security is crucial, and here you can face a few challenges because:
We use Azure Security Center to help us proactively assess our security ecosystem, enhance the security expertise of teams, learn about new threats, and get Azure alerts. With the information we get from Azure Security Center, both IT and DevOps teams can proactively help protect the security of virtual machines, applications, databases, networks, and other cloud assets. Azure Security Center gives us:
Having standard and enforceable policies, robust threat intelligence, and near real-time reporting can inform and direct decision making, and help our DevOps teams operate successfully by giving them expert-level security guidance. Azure Security Center helps prioritize, monitor, and actively manage the security of Azure subscriptions.
We can see if someone has tried to use frequently guessed passwords and common credential names to try to attack our resources. We also get alerts about brute force attacks on services such as remote desktop protocol (RDP), secure shell (SSH), and file transfer protocol (FTP), and alerts about computers that are infected with malware.
From a prevention standpoint, Azure Security Center might recommend that we should apply system updates, run Azure Disk Encryption, or reconfigure how often users are required to change their domain passwords.
From a response standpoint, if a suspicious process is found, Azure Security Center might recommend steps such as running Process Explorer, running an anti-malware scan, and then running the Microsoft Windows Malicious Software Removal Tool.
The following image shows an example of a dashboard with recommendations to help protect our Azure resources.
Figure 1. Examples of recommendations to help prevent security incidents related to Azure resources
Past: With on-premises solutions, if we were monitoring a full application stack, we had to piece together logs and security events from Microsoft Internet Information Services, the middle tier, back end, and from the operating systems themselves. It was harder to tell what the real (and most critical) issues were.
Present: A user interface lets us quickly see security health, with prioritized alerts, recommendations, rule-based analytics, and reduced false positives. We no longer have to pore over logs, or assemble all the information ourselves, which can take a lot of time.
IT and DevOps teams at Microsoft are familiar with using Azure Security Center. They need to know how to set security policies for Azure subscriptions, and how to work with the operational data it provides. Through dashboards, IT and DevOps can get an idea of overall usage and compliance state. (To get this information, the service principal that we own must have read-only permission to the Azure subscriptions.)
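The read-only service principal just mentioned has to be granted the same least-privilege role on each of the hundreds of subscriptions, and it is worth auditing afterwards that it holds nothing broader. The script below is an added example and is not part of the original article or of Microsoft IT's own tooling; it assumes the Azure CLI (`az`) is installed and logged in, and the app ID and subscription IDs used in the comments and tests are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): assign the built-in Reader
# role to the Security Center monitoring service principal on every
# subscription, then audit that the principal holds only Reader.
# Assumes the Azure CLI ("az") is installed and logged in.
set -eu

GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# Reject anything that is not a well-formed subscription ID before it is
# interpolated into an Azure resource scope.
is_guid() {
  printf '%s\n' "$1" | grep -Eq "$GUID_RE"
}

# Usage: assign_reader_at_scale <appId> <subscriptionId>...
# Grants Reader (read-only) and nothing more, scoped to each subscription.
# DRY_RUN=1 prints the commands instead of executing them.
assign_reader_at_scale() {
  app_id="$1"
  shift
  for sub in "$@"; do
    if ! is_guid "$sub"; then
      echo "skipping malformed subscription id: $sub" >&2
      continue
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "az role assignment create --assignee $app_id --role Reader --scope /subscriptions/$sub"
    else
      az role assignment create --assignee "$app_id" --role Reader \
        --scope "/subscriptions/$sub" >/dev/null
    fi
  done
}

# Least-privilege audit: reads role names, one per line, from stdin (as
# produced by: az role assignment list --assignee <appId> --all \
#   --query "[].roleDefinitionName" -o tsv) and fails on anything but Reader.
check_reader_only() {
  bad=0
  while IFS= read -r role; do
    case "$role" in
      ''|Reader) ;;
      *) echo "unexpected role on monitoring principal: $role" >&2; bad=1 ;;
    esac
  done
  return $bad
}
```

In a real run, feed `assign_reader_at_scale` the app ID plus the output of `az account list --query '[].id' -o tsv`, then pipe the role assignment listing into `check_reader_only` as part of a scheduled drift check.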
Azure Security Center is available with an Azure subscription. There's a simple walkthrough to set up Azure Security Center, enable a storage account and data collection, and do other tasks. But from an enterprise standpoint, what's challenging is setting it up consistently and at scale in a complex environment, and making operational decisions like:
We set up and monitor things at a high level from a security, management, and network standpoint. (DevOps, in turn, can then take charge of their own part of the overall landscape of whichever applications and services they use.)
We provide configuration and operational guidance to DevOps teams that implement the actual apps and services. For instance, we advise on configuring the Power BI Content Pack. We show DevOps teams which types of issues to pay attention to and prioritize; for example, items that appear in red in the Azure Security Center dashboard.
Azure Security Center makes it much easier and more efficient for us to detect, protect against, and respond to malicious and suspicious threats to our Azure resources. It also helps us support DevOps teams with critical, analytics-based guidance as they manage cloud deployments. We're confident that it can benefit your organization in similar ways.