Securing Applications on Microsoft Azure

In this article, we'll delve into the mechanics of security in the cloud. Not to be confused with Security-as-a-Service (fee-based subscriptions such as security event management), our interests lie in demonstrating how to properly secure applications, services, and data – wherever they reside in the cloud services stack (IaaS or PaaS).

Specifically, we will focus on workloads running in Microsoft Azure. By integrating the capabilities of Barracuda Network's best-in-class virtualized NG Firewall and Web Application Firewall (WAF) with Microsoft Azure's native security features, you'll be in a superior position to deploy reliable and resilient cloud services for your enterprise, partners, and customers.


Cloud computing has faced many challenges when it comes to reliability, privacy, and security. With early incarnations, such as those from commercial service providers, sensitive corporate information was kept at a distance from public platforms. Instead, hosting was used for lightweight applications with limited needs for access to such data, including websites, collaboration tools, and real-time communications. As cloud services matured, businesses became more willing to place proprietary data in the hands of trusted SaaS partners, such as for CRM. And when the depth and breadth of available services evolved into more standardized infrastructure – the "as-a-Service" model – organizations started large-scale moves into the cloud with their most critical data.

Today, cloud computing has become a "must-have" to a majority of the enterprise IT community, for reasons ranging from economic gains to technology benefits. But one of the major concerns carrying over from traditional IT – data and application security – has not changed, and requires the same diligence in the cloud as with on-premises solutions.

Solution Profile

When you migrate data, applications, and processes to the cloud, you take with you the requirements to safely manage both corporate and customer information. And in most cases, you are still subject to the privacy and compliance directives of your industry, whether HIPAA, SOX, PCI, or others.

So while the cloud computing model promises great flexibility, cost savings, scalability, and other benefits, it's essential to understand the differences between implementing effective on-premises information security and deploying the same protections in the cloud. These considerations include (but are not limited to) data governance, auditing, leak prevention, threat detection/ remediation, privacy and confidentiality, information integrity, and reliability/availability.

Historically, many of these needs could be met and enforced at the edge of your corporate network. A selection of physically-wired routers, firewalls, gateways, IPS devices, and VPNs worked together to keep the bad traffic out and the good in.

But in the cloud, you can only rely on what the platform vendor offers, either natively or as value-added services on top of your subscriptions. You do not have a say in how the infrastructure behaves or what mechanisms are used to secure it, other than in how your applications interact. You cannot deploy your own firewall in the server rack, and you can't configure the ACLs on the fabric routers.

In this sense, your previous approach to security is no longer suitable. You must trade physical control for virtual stewardship using the combination of the cloud platform's capabilities, your application design, deployment methodology, and layered virtualized security. Indeed, you may not own the hardware, but you can certainly own what runs on it – and implement a security solution that fits your needs.

A fully-functional virtualized security appliance deployed within the framework of your environment can deliver all of the benefits of a physical device, with the flexibility only possible in a fluid software form-factor. The Barracuda NG Firewall and Barracuda Web Application Firewall are optimized to run on Microsoft Azure, make it easy to protect mission-critical enterprise applications and data in the cloud.

Application Security Overview

The origins of application security revolve around the protocols, commands, data types, credentials, and policies associated with providing external access to internal corporate resources – whether by employees or otherwise. As traditional client/server architecture transitions to web-based solutions using XML and HTTP, forms-and-claims-based authentication becomes more common. Likewise, application firewalls are transforming into web-based systems that deal with a broad threat landscape.

Now, web application security is known for preventing advanced attacks that may hide in scripts, code, downloads, data streams, images, protocols, tunneled/encrypted traffic, program execution/ applets, forms, and more. Thus the idea of an application firewall has become too narrow, as only a comparatively small number of exploits are targeted at protocol or IP stack vulnerabilities (most of which are known and easily deterred at this point). The rich functionality, power, and depth of data in web applications represents a treasure trove for malevolent individuals and organizations to exploit.

There's no difference between securing a workload or application that runs in the cloud, or an on-premises service in your data center. The basic concepts of encryption, filtering, and access control apply equally well in a hosted scenario. The primary change is in the breadth of considerations, as well as how you deploy and configure these security attributes.

A proven tenet of application, one of the proven tenets of application protection is that the closer the security capability is to the resource, the better it will function. In the data center, this means installing access and security gateways on the same network, in the same DMZ, as the target servers. Such a deployment topology prevents traffic from reaching the application without first being inspected and filtered – in some cases, at multiple points along the way.

However, in the public cloud, no such topology exists because a customer cannot walk into a global data center, find the rack their applications are running on, and install a firewall. The very nature of cloud computing stands in stark contrast to hardware-level protection, since the fabric can autonomously move your workload to another rack, or to another data center altogether.

As a result, application security requirements take on a transitory nature that must be as mobile as the workload itself. Apart from security capabilities built into the cloud platform, there are only two options: Security-as-a-Service, or virtualized security (i.e., virtual appliances).

How Does Microsoft Azure Security Work?

Microsoft Azure provides most of the same controls and security features that you would expect from Windows Server within an on-premises data center – with the one notable exception that it must operate and scale across thousands of tenant environments simultaneously.

Core security and access components include:

  • Microsoft Azure Active Directory: identity and access management capabilities in the cloud
  • Access Control Services: cloud-based service that provides simplified authentication and authorization
  • Microsoft Azure Virtual Network: logically isolated section in Microsoft Azure that connects over IPsec to your on- premises data center
  • Microsoft Azure Multi-Factor Authentication: additional layer of authentication via mobile services

With these capabilities, augmented by Windows Server's native security functionality within a virtual machine, customers can either host their IT resources in Microsoft Azure, or easily extended their on-premises infrastructure to the cloud, without adversely affecting their security posture.

Some examples of architecture-level security features in Microsoft Azure include:

  • Storage, network, process isolation: prevents different customers' virtual machines (VMs) or cloud services from interfering with one another's operation
  • VM-VM/host-VM packet filtering: host-level and VM-level firewalls block unwanted traffic from crossing VM boundaries, as well as blocking tenant-to-host connections that could impact the Microsoft Azure fabric
  • Port restrictions: by default, all new VMs are deployed with deny-all policies on the native Windows Firewall, and all ports are closed to external traffic

But are these capabilities, taken by themselves, enough to protect your IT environment from all attacks and exploits? As we'll see below, the answer is "no."

Bringing Together Application Security and Microsoft Azure

The future data center is one which spans both on-premises physical infrastructure and cloud-based virtualized services. Whether you use platform, infrastructure, Software-as-a-Service, or a mix of all or a mix of all, your security strategy needs to encompass your applications and data wherever they reside.

Applying a "Defense-in-Depth" (DiD) approach means using more than one type of security measure in the data path. As a simple example, consider how your corporate email system has anti-malware, anti-spam, a front-end gateway, router ACLs, and a firewall in front of it. Putting that same resource into the cloud requires the same effort, but security capabilities also have to bridge between your local systems/users and your virtualized data center. The latter is true for both a fully-hosted IT environment in the cloud, and extended IT from existing on-premises infrastructure.

So while Microsoft Azure's core infrastructure security stands well on its own with comprehensive authentication/ authorization/access control technologies, encryption, data and storage protection, etc., it makes sense to augment it with advanced security functionality to safeguard your critical assets.

Web World

Microsoft Azure websites are built on top of the same secure infrastructure as Bing, Microsoft. com, and Office 365. In terms of reliability, it is the same platform that drives some of the world's biggest websites and collaboration services.

However, challenges emerge as you move from service-level offerings (SaaS) from the provider to custom-developed solutions (or packaged applications) running within customers' virtual environments (IaaS/PaaS). The cloud infrastructure should not, by it's very nature, obstruct the operations of a tenant's workload.

Thus, Microsoft Azure cannot block a poorly-designed web application from running on a VM, regardless of the security risks it might pose. However, any VM found to be the source of a DDoS or malware attack will be removed from the network by Microsoft Azure data center administrators.]

In an ideal world, every web-facing application would be designed and thoroughly reviewed according to strict security-development practices, penetration-tested, and deployed using the latest embedded filtering technologies. This is a rare occurence, as was the trend with rollouts of data-driven web systems in the past, many corporate cloud applications will get released with little security testing and limited system hardening. of data-driven web systems in the past, many corporate cloud applications will get released with little security testing and limited system hardening.

When web application firewalls came along, they solved this problem by making up for inadequate design by locking down every transport, protocol, method, command, and data structure used in modern web services. Developers could now rely on the web gateway to protect the app, and CIOs could accelerate the push towards getting more of their in-house resources onto the Internet for increased employee productivity.

The present situation is nearly identical... CIOs want to move applications and services out of the expensive data center and into the commodity cloud; however, the cloud does not natively have the same protections in place as on-premises corporate resources.

As before, will developers begin rewriting their applications specifically to run effectively and securely in the cloud, or will economics win out once again, rapidly driving corporate assets onto the Internet without sufficient security considerations?

The answer is that economics always win. Hackers know this, and will continue to exploit every new IT medium that is introduced. It means that IT customers must once again take an active role in protecting their investments at multiple levels, without relying on just the cloud provider, or just developer resources to address Internet threats.


The Barracuda Web Application Firewall is an integrated, proven and highly scalable security solution on Microsoft Azure, offering comprehensive protection for web applications and for confidential data hosted in the cloud. This solution ensures that web applications have the same high levels of protection afforded by in-house data centers.

The Barracuda Web Application Firewall for Microsoft Azure is secure, affordable, and easy to use. It combines web application security, access control, and optimization in a single package that is easy and intuitive to set up and administer.

About the Barracuda Web Application Firewall

The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target applications hosted on web servers and in the cloud. The Barracuda Web Application Firewall scans all inbound web traffic to block attacks and scans all outbound traffic to provide highly effective Data Loss Prevention (DLP). Available as a physical or virtual appliance, it is deployed in front of the web application servers, on-premises, or in private cloud or public cloud, like Microsoft Azure.

To learn more about the Barracuda Web Application Firewall, please visit: