Azure - Operational Security (2017)
Operational Security
(c) 2017 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in
this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using
it. Some examples are for illustration only and are fictitious. No real association is intended or inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may
copy and use this document for your internal, reference purposes.
Introduction
Overview
We know that security is job one in the cloud and how important it is that you find
accurate and timely information about Azure security. One of the best reasons to
use Azure for your applications and services is to take advantage of the wide array
of security tools and capabilities available. These tools and capabilities help make it
possible to create secure solutions on the secure Azure platform. Windows Azure
must provide confidentiality, integrity, and availability of customer data, while also
enabling transparent accountability.
To help customers better understand the array of security controls implemented
within Microsoft Azure from both the customer's and Microsoft operational
perspectives, this white paper, "Azure Operational Security", provides
a comprehensive look at the operational security available with Windows Azure.
Azure Platform
Azure is a public cloud service platform that supports a broad selection of operating
systems, programming languages, frameworks, tools, databases, and devices. It can
run Linux containers with Docker integration; build apps with JavaScript, Python,
.NET, PHP, Java, and Node.js; build back-ends for iOS, Android, and Windows devices.
Azure Cloud service supports the same technologies millions of developers and IT
professionals already rely on and trust.
When you build on, or migrate IT assets to, a public cloud service provider you are
relying on that organization’s abilities to protect your applications and data with
the services and the controls they provide to manage the security of your cloud-
based assets.
Azure’s infrastructure is designed from the facility to applications for hosting
millions of customers simultaneously, and it provides a trustworthy foundation
upon which businesses can meet their security requirements. In addition, Azure
provides you with a wide array of configurable security options and the ability to
control them so that you can customize security to meet the unique requirements
of your organization’s deployments. This document will help you understand how
Azure security capabilities can help you fulfill these requirements.
Abstract
Azure Operational Security refers to the services, controls, and features available to
users for protecting their data, applications, and other assets in Microsoft Azure.
Azure Operational Security is built on a framework that incorporates the knowledge
gained through various capabilities that are unique to Microsoft, including the
Microsoft Security Development Lifecycle (SDL), the Microsoft Security Response
Center program, and deep awareness of the cybersecurity threat landscape.
This white paper outlines Microsoft’s approach to Azure Operational Security within
the Microsoft Azure cloud platform and covers the following services:
1. Azure Operations Management Suite
2. Azure Security Center
3. Azure Monitor
4. Azure Network Watcher
5. Azure Storage Analytics
6. Azure Active Directory
With Operations Management Suite (OMS), you can manage any instance in any cloud, including on-premises,
Azure, AWS, Windows Server, Linux, VMware, and OpenStack, at a lower cost than
competitive solutions. Built for the cloud-first world, OMS offers a new approach to
managing your enterprise that is the fastest, most cost-effective way to meet new
business challenges and accommodate new workloads, applications and cloud
environments.
OMS services
The core functionality of OMS is provided by a set of services that run in Azure. Each
service provides a specific management function, and you can combine services to
achieve different management scenarios.
Azure Monitor
The OMS Security and Audit solution enables IT to actively monitor all resources,
which can help minimize the impact of security incidents. OMS Security and Audit
has security domains that can be used for monitoring resources. The security
domains provide quick access to options; for security monitoring, the following
domains are covered in more detail:
Malware assessment
Update assessment
Identity and Access
Azure Monitor provides pointers to information on specific types of resources. It
offers visualization, query, routing, alerting, auto scale, and automation on data both
from the Azure infrastructure (Activity Log) and each individual Azure resource
(Diagnostic Logs).
Cloud applications are complex with many moving parts. Monitoring provides data
to ensure that your application stays up and running in a healthy state. It also helps
you to stave off potential problems or troubleshoot past ones.
In addition, you can use monitoring data to gain deep insights about your
application. That knowledge can help you to improve application performance or
maintainability, or automate actions that would otherwise require manual
intervention.
Azure Activity Log
The Activity Log provides insight into the operations that were performed on
resources in your subscription. The Activity Log was previously known as “Audit
Logs” or “Operational Logs,” since it reports control-plane events for your
subscriptions.
Using the Activity Log, you can determine the ‘what, who, and when’ for any write
operations (PUT, POST, DELETE) taken on the resources in your subscription. You can
also understand the status of the operation and other relevant properties. The
Activity Log does not include read (GET) operations or operations for resources that
use the Classic model.
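An added example (not from the white paper) of how a defender would pull the 'what, who, and when' out of Activity Log records. The records are constructed, and their field names are assumed to follow the Activity Log JSON event schema.

```python
"""Pull the 'what, who, and when' of write operations out of Azure Activity Log records.
Added example, not from the white paper. The records are constructed; their field names
(operationName, caller, eventTimestamp, resourceId, status.value, httpRequest.method)
are assumed to follow the Activity Log JSON event schema."""
from datetime import datetime, timezone

WRITE_METHODS = {"PUT", "POST", "DELETE"}  # control-plane writes the Activity Log records

def _record(op, caller, when, method, status, resource):
    """Build one constructed Activity Log record (helper for the sample data)."""
    return {"operationName": op, "caller": caller, "eventTimestamp": when,
            "resourceId": resource, "status": {"value": status},
            "httpRequest": {"method": method}}

VM = "/subscriptions/sub-0000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm1"
NSG_RULE = "/subscriptions/sub-0000/resourceGroups/rg-demo/providers/Microsoft.Network/networkSecurityGroups/nsg1/securityRules/allow-rdp"
SAMPLE_RECORDS = [  # constructed sample data
    _record("Microsoft.Compute/virtualMachines/write", "alice@example.com", "2017-06-01T10:15:00Z", "PUT", "Succeeded", VM),
    _record("Microsoft.Network/networkSecurityGroups/securityRules/delete", "bob@example.com", "2017-06-01T10:20:00Z", "DELETE", "Succeeded", NSG_RULE),
    _record("Microsoft.Compute/virtualMachines/restart/action", "alice@example.com", "2017-06-01T10:25:00Z", "POST", "Succeeded", VM),
    _record("Microsoft.Compute/virtualMachines/write", "carol@example.com", "2017-06-01T10:30:00Z", "PUT", "Failed", VM),
    # A read is not something the Activity Log emits; it is here only to exercise the filter.
    _record("Microsoft.Compute/virtualMachines/read", "dave@example.com", "2017-06-01T10:35:00Z", "GET", "Succeeded", VM),
]

def summarize_writes(records):
    """Return when/who/what/verb/status for each write operation (PUT, POST, DELETE); reads are dropped."""
    rows = []
    for r in records:
        method = r.get("httpRequest", {}).get("method", "").upper()
        if method not in WRITE_METHODS:
            continue
        when = datetime.strptime(r["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        verb = r["operationName"].rsplit("/", 1)[-1]  # write, delete or action
        rows.append({"when": when, "who": r["caller"], "what": r["resourceId"],
                     "verb": verb, "status": r["status"]["value"]})
    return rows

def needs_review(rows):
    """Writes a defender usually looks at first: deletes and operations that did not succeed."""
    return [x for x in rows if x["verb"] == "delete" or x["status"] != "Succeeded"]
```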
Azure Diagnostic Logs
These logs are emitted by a resource and provide rich, frequent data about the
operation of that resource. The content of these logs varies by resource type.
For example, Windows event system logs are one category of Diagnostic Log for
VMs, and blob, table, and queue logs are categories of Diagnostic Logs for storage
accounts.
Diagnostic Logs differ from the Activity Log (formerly known as Audit Log or
Operational Log). The Activity Log provides insight into the operations that were
performed on resources in your subscription. Diagnostic Logs provide insight into
operations that your resource performed itself.
Metrics
Azure Monitor enables you to consume telemetry to gain visibility into the
performance and health of your workloads on Azure. The most important type of
Azure telemetry data is the metrics (also called performance counters) emitted by
most Azure resources. Azure Monitor provides several ways to configure and
consume these metrics for monitoring and troubleshooting. Metrics are a valuable
source of telemetry and enable you to do the following tasks:
Track the performance of your resource (such as a VM, website, or logic app) by
plotting its metrics on a portal chart and pinning that chart to a dashboard.
Get notified of an issue that impacts the performance of your resource when a
metric crosses a certain threshold.
Configure automated actions, such as auto scaling a resource or firing a runbook
when a metric crosses a certain threshold.
Perform advanced analytics or reporting on performance or usage trends of
your resource.
Archive the performance or health history of your resource for compliance or
auditing purposes.
Azure Diagnostics
Azure Diagnostics is the capability within Azure that enables the collection of diagnostic data on a
deployed application. You can use the diagnostics extension with various
sources. Currently supported are Azure Cloud Service Web and Worker Roles,
Azure Virtual Machines running Microsoft Windows, and Service Fabric. Other Azure
services have their own separate diagnostics.
NOTE
For more information on billing and data retention policies, see Storage Analytics and
Billing. For optimal performance, you want to limit the number of highly utilized disks
attached to the virtual machine to avoid possible throttling. If not all disks are
highly utilized at the same time, the storage account can support a larger number of disks.
NOTE
For more information on storage account limits, see Azure Storage Scalability and
Performance Targets.
The data in these Azure AD reports can be useful to your applications, such as SIEM systems,
audit, and business intelligence tools. The Azure AD reporting APIs provide
programmatic access to the data through a set of REST-based APIs. You can call
these APIs from various programming languages and tools.
Events in the Azure AD Audit report are retained for 180 days.
NOTE
For more information about retention on reports, see Azure Active Directory Report
Retention Policies.
For customers interested in storing their audit events for longer retention periods,
the Reporting API can be used to regularly pull audit events into a separate data
store.
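An added example (not from the white paper) of the regular pull described above: page through a reporting API, archive only events not yet stored, and work out by when the next pull must run given the 180-day retention. The API is simulated offline with constructed pages; the paged response shape and the event field names are assumptions.

```python
"""Regularly pull Azure AD audit events into a separate store before the 180-day retention ends.
Added example, not from the white paper. The Reporting API is simulated offline with constructed
pages shaped like a paged REST response ({"value": [...], "@odata.nextLink": url}); that shape
and the event fields (id, activityDateTime, activityDisplayName) are assumptions."""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180  # retention of the Azure AD Audit report, as stated in the white paper

FAKE_PAGES = {  # constructed sample: two pages joined by a next link, one event repeated across pages
    "page1": {"value": [
        {"id": "e1", "activityDateTime": "2017-05-01T08:00:00Z", "activityDisplayName": "Add member to role"},
        {"id": "e2", "activityDateTime": "2017-05-02T09:30:00Z", "activityDisplayName": "Update user"}],
        "@odata.nextLink": "page2"},
    "page2": {"value": [
        {"id": "e2", "activityDateTime": "2017-05-02T09:30:00Z", "activityDisplayName": "Update user"},
        {"id": "e3", "activityDateTime": "2017-05-03T11:45:00Z", "activityDisplayName": "Reset password"}]},
}

def fake_fetch(url):
    """Stand-in for an authenticated HTTP GET against the Reporting API (hypothetical)."""
    return FAKE_PAGES[url]

def fetch_all(fetch_page, first_url):
    """Follow the next link until the last page; fetch_page(url) returns one decoded page."""
    events, url = [], first_url
    while url:
        page = fetch_page(url)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page, which ends the loop
    return events

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def archive_new(events, store, watermark):
    """Append events newer than the watermark to store, skipping ids already stored; return the new watermark."""
    seen = {e["id"] for e in store}
    newest = watermark
    for e in sorted(events, key=lambda ev: ev["activityDateTime"]):
        when = parse_time(e["activityDateTime"])
        # Events at exactly the watermark time are kept, so id dedup (not the timestamp) decides for them.
        if e["id"] in seen or (watermark is not None and when < watermark):
            continue
        store.append(e)
        seen.add(e["id"])
        newest = when if newest is None or when > newest else newest
    return newest

def next_pull_deadline(watermark):
    """Latest time the next pull may run: any event after the watermark expires no earlier than this."""
    return watermark + timedelta(days=RETENTION_DAYS)
```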
Summary
This article summarizes how Microsoft protects your privacy and secures your data, while
delivering software and services that help you manage the IT infrastructure of your
organization. Microsoft recognizes that when customers entrust their data to others, that
trust requires rigorous security. Microsoft adheres to strict compliance and security
guidelines, from coding to operating a service. Securing and protecting data is a
top priority at Microsoft.
This article explains
How data is collected, processed, and secured in the Operations Management
Suite (OMS).
Quickly analyze events across multiple data sources. Identify security risks and
understand the scope and impact of threats and attacks to mitigate the damage
of a security breach.
Identify attack patterns by visualizing outbound malicious IP traffic and malicious
threat types. Understand the security posture of your entire environment
regardless of platform.
Capture all the log and event data required for a security or compliance audit. Slash
the time and resources needed to supply a security audit with a complete,
searchable, and exportable log and event data set.
Collect security-related events, audit, and breach analysis to keep a close eye on your
assets:
Security posture
Notable issues
Summaries
Threats
Next Steps
Design and operational security
Microsoft designs its services and software with security in mind to help ensure that
its cloud infrastructure is resilient and defended from attacks.
Operations Management Suite | Security & Compliance
Use Microsoft security data and analysis to perform more intelligent and effective
threat detection.
Azure Security Center planning and operations
A set of steps and tasks that you can follow to optimize your use of Security Center
based on your organization’s security requirements and cloud management model.