Microsoft's raft of Azure and System Center announcements at TechEd 2014 address a wide selection of IT concerns. Among the most important are improvements to how it can help secure both existing and cloud infrastructures. With the shift to cloud well on the way, delivering a platform that's secure and easy to use is becoming increasingly important -- especially in countries outside the U.S. where businesses are held to a higher set of data protection and privacy standards.
Securing Azure is about more than ticking boxes in a regulatory report. What's essential about modern security is the ability to keep working while responding to the many threats businesses face. That might be a black-hat hacker, it might be malware, or the loss of business premises or a data center. There's a lot that the cloud can deliver here, from using big data to identify compromised machines, to delivering secure services and VMs, to encrypting and managing your data.
Disaster recovery in the cloud
Infrastructure-as-a-service (IaaS) has always been seen as an option for disaster recovery, but it's never been easy to implement. Even Azure's recovery tools have been focused on using the cloud as an intermediary between two different sites. But if your cloud can support VMs, then why shouldn't your cloud become a disaster recovery target in its own right?
That's what the latest version of Azure Recovery Manager offers, with the new Azure Site Recovery feature. It builds on the existing Hyper-V Recovery Manager tooling to target Azure, rather than a second site, making disaster recovery a possibility for smaller sites and smaller budgets. (The new features and new target mean that Hyper-V Recovery Manager is being renamed to Azure Site Recovery.) Once set up you'll be able to protect both workloads and VMs, with the only requirement being that they're encapsulated as System Center clouds.
Microsoft's System Center management tools use the concept of a cloud as a unit of management, made up of storage, network topology, and virtual servers. Once you've built a cloud, it's possible to replicate and deploy it anywhere, making it an ideal foundation for a disaster recovery system. Your clouds are at the heart of your recovery plan, and using the Azure dashboard you can tune which clouds can be recovered, what range of recovery points you use, or whether you use application-consistent snapshots instead. Azure Site Recovery will also encrypt your data when it's stored in the cloud, and gives you the tools you need to test your Azure-hosted disaster recovery system to ensure it'll do just that.
The most complex part of the process is handling networks, and the tools in Azure Site Recovery portal handle this for you. Using them you can take the networking information from your on-premises networks and map them to an Azure virtual network, configuring them as secure VLANs, with a VPN connection to your network.
Securing VMs and cloud data
Azure's built-in virtual machine monitoring agent does a lot more than just keep an eye on your virtual servers; it also lets you inject functionality into a VM before it runs. Initially this was to support the Puppet and Chef systems management tools, but it's being extended to add support for security tools. That means when you create an Azure virtual machine, you'll be able to choose what security tools to install -- and have running as soon as your VM is up and running. Initially three security tools will be supported: Microsoft's Endpoint Protection, Symantec's Endpoint Protection, and Trend Micro's Deep Security Agent.
The Snowden revelations haven't made it easy to sell U.S.-owned cloud services outside the U.S. The risk of data being taken outside a data protection regime, even with geo-locking, is seen as too great.
So it's interesting to see that Microsoft's cloud announcements today also include support for Trend Micro's encryption services. Like the anti-malware options, Trend's SecureCloud tools can be injected into an Azure virtual machine at first launch, allowing quick encryption of its virtual hard disks.
Microsoft never sees the key used to encrypt the disks, which are stored either in Trend's German data center (where they are subject to EU data protection laws) or in your own servers on your own premises. As Trend Micro is a Japanese company, it's clear that Microsoft is making an end-run around the complexities of selling cloud in a post-Snowden world, by working with two of the most privacy-oriented data protection regimes currently operating.
Alternatively there's the option of using Bitlocker to encrypt Azure-hosted data disks.
Similarly, its Azure Rights Management data protection tools for handling information at rest and in motion (and often outside your organisation) uses keys held in a Thales Hardware Security Modules. While these are in Azure data centers, the HSMs manage your keys separately, and are designed to be tamper resistant -- and will physically destroy the data they hold if someone attempts to break them open.
TechEd 2014 also highlighted Azure Active Directory Premium, which was released in April. In addition to the tools used to manage mobile devices, Azure Active Directory offers some useful contextual security features, helping you identify potentially compromised accounts and machines.
Contextual security is an important piece of securing networks that allow users to bring their own devices and services. It allows you to use geographic information to detect whether user accounts might have been stolen, warning you of successive connections that are in different places, and in potentially risky locations. A log in from the office followed by one from halfway around the world can trigger an alert, and you can then decide whether to reset that user's credentials to ensure that your on-premises and cloud data remains protected.
With Azure Active Directory at the heart of the Enterprise Mobility Suite, it's going to be used to manage users' own devices -- whether PCs or mobile devices. One report brings together that information with data from Microsoft's security team to indicate whether user devices are likely to be part of a botnet. You can then use that information to block access from potentially compromised machines, and encourage users to clean off the infection before allowing them back into your network and services.
The road ahead
Microsoft needs to deliver a secure cloud, one that's easy to configure and that offers a system administrators tools to manage a bring-your-own-application world. This latest Azure release, hot on the tails of a major release at BUILD, focuses on the IT pro side of the equation, with tools to help protect not just your cloud data, but your on-premises information, and your BYOD users' devices. It's a powerful combination, and one that tilts the security balance in favor of the cloud -- and in favor of the user. In this post-Snowden world of cloud insecurity, that's a big advantage to have.