Did you attend a Global Azure Bootcamp this year?
On April 22nd, thousands of participants attended one of over 250 locations to learn more about cloud computing and Microsoft Azure. This was the fifth year of this event, and the number of locations was up from 160 locations in 2016.
While most attendees were there for an introduction to Azure, or to learn more about the latest services, our teams fielded several questions about security at the 10 events we participated in. Security is often an afterthought, both because the cloud is easy to consume and because the platform is constantly evolving with new services and capabilities that take time to learn. Here are some things to keep in mind as you deploy your applications and services to the cloud:
- You share responsibility with the cloud platform provider in securing your applications, services, and data, and your scope changes depending on whether you are using IaaS services, like Azure VMs, or PaaS services, such as Azure App Services or Azure SQL. You should make sure your teams understand this model and work together to address your areas of responsibility. You can learn more about this model by reading Microsoft’s Shared Responsibility whitepaper.
On a side note, the author of this paper, Frank Simorjay, co-presented a PCI and HIPAA environment that was deployed and configured entirely through ARM templates and automation that was jointly developed with Avyan Consulting. This template can be refactored to better match your application requirements, and they are working on additional templates for IaaS environments.
- You should review the security best practices for each of the services you are using in your environment. In some cases, the default settings or configuration may not have security tools enabled, such as disk encryption, and in other cases the default settings may be too permissive (the default NSG configuration allows traffic to all resources in a VNET, which makes connectivity easier but can be detrimental if the environment is breached). In addition, Networking and InfoSec policies should be built into automation so that developers can stay within the guardrails without losing agility from having to coordinate with these teams on a per-project basis.
- Finally, you don’t have to figure all of this out on your own. Several companies have been architecting, managing, and helping secure cloud environments. They can help ensure best practices are followed, help you implement new services beyond the IaaS stack, and save you time. Many security vendors can help keep you up to date on the latest threats and attack patterns (ours is here). The Azure blog is also one of the best resources to stay on top of announcements.
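
One way to turn the NSG point above into an automated guardrail, as an added example that is not from the original post: a Python check that walks an ARM template and flags NSGs where the platform's default `AllowVnetInBound` rule is left in effect, or where a management port is open to any source. The sample template, the rule names and the policy itself (ports 22 and 3389) are assumptions constructed for illustration.

```python
NSG_TYPE = "Microsoft.Network/networkSecurityGroups"
ADMIN_PORTS = {"22", "3389"}                 # assumed policy: never open to any source
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}

def rule(name, priority, access, source, port, protocol="Tcp"):
    """Build one inbound securityRules entry in ARM template shape."""
    return {"name": name, "properties": {
        "priority": priority, "direction": "Inbound", "access": access,
        "protocol": protocol, "sourceAddressPrefix": source,
        "destinationAddressPrefix": "*", "destinationPortRange": port}}

def nsg(name, rules):
    return {"type": NSG_TYPE, "name": name, "properties": {"securityRules": rules}}

# Constructed template fragment, not taken from any real deployment.
SAMPLE_TEMPLATE = {"resources": [
    nsg("web-nsg", [rule("allow-https", 100, "Allow", "Internet", "443"),
                    rule("allow-rdp-any", 110, "Allow", "*", "3389")]),
    nsg("db-nsg", [rule("allow-sql-from-web", 100, "Allow", "10.0.1.0/24", "1433"),
                   rule("deny-vnet-inbound", 4000, "Deny", "VirtualNetwork", "*", "*")]),
]}

def audit_nsgs(template):
    """Return (nsg_name, finding) tuples for NSGs that break the assumed policy."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != NSG_TYPE:
            continue
        rules = res.get("properties", {}).get("securityRules", [])
        inbound = [r["properties"] for r in rules
                   if r["properties"].get("direction") == "Inbound"]
        # The default AllowVnetInBound rule (priority 65000) applies unless a
        # custom catch-all inbound Deny for the VNet outranks it.
        overridden = any(
            p.get("access") == "Deny" and p.get("priority", 65000) < 65000
            and p.get("sourceAddressPrefix") in ("VirtualNetwork", "*")
            and p.get("destinationPortRange") == "*" and p.get("protocol") == "*"
            for p in inbound)
        if not overridden:
            findings.append((res["name"], "default AllowVnetInBound still in effect"))
        for p in inbound:
            if (p.get("access") == "Allow" and p.get("sourceAddressPrefix") in ANY_SOURCE
                    and str(p.get("destinationPortRange")) in ADMIN_PORTS):
                findings.append((res["name"], "management port open to any source"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_nsgs(SAMPLE_TEMPLATE):
        print(f"{name}: {finding}")
```

Run as a step in the deployment pipeline, a non-empty result can fail the build before the template reaches a subscription.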
It was really exciting to participate in these events and see the engagement and interest firsthand. If you missed the Global Azure Bootcamp this year, don’t worry because Microsoft is committed to engaging with the user community, and will likely be participating in an event near you. You can find out more about Azure Meetups here and find more about Alert Logic Azure Cloud Security here. Finally, check out our solutions for Azure.