Windows Azure Security Essentials – Part 2/N – Cloud Threats and how Windows Azure handles them
Knowing your threats is one of the most important parts of security, and in the cloud it is important to understand which threats differ from an on-premises environment. They fall into three groups:
- Traditional threats, such as:
  - Cross-site scripting (XSS) and SQL injection
  - DoS and DDoS attacks, network spoofing
  - Known infrastructure-level threats are mitigated by the platform and are the cloud vendor's responsibility; application-layer flaws such as XSS and SQL injection still have to be fixed in your own code
  - Patching is automated and instances are moved to patched hosts
  - Cloud resiliency improves failover across a service
- Existing threats that are amplified in the cloud, such as:
  - Data privacy, for example where data is located and how it is segregated between tenants
  - Abuse of privileged access by administrators
- New threats that only appear in the cloud, such as:
  - Privilege escalation from a virtual machine to the hosting server
  - Breaking the isolation boundary between VMs
  - "Hyperjacking" (subverting or replacing the hypervisor itself)
Windows Azure implements the following security measures:
- Strong storage keys for access control
- SSL support for data transfers between all parties involved
- Partial Trust mode for running public-facing applications
- Windows accounts with least privilege, so that compromising the application does not give access to anything important on the host
- A special version of the Windows Server 2008 R2 operating system on the hosts
- Host boundaries enforced by an external hypervisor
- A host firewall limiting traffic to the VMs
- VLANs and packet filters in routers
- World-class physical security
- ISO 27001 and SAS 70 Type II certifications for datacenter processes
The same measures arranged as defense in depth, from the data outward:

| Level | Defenses in place |
|---|---|
| Data | Strong storage keys for access control, SSL for data in transit |
| Application | Partial Trust mode, least-privilege Windows accounts |
| Host | Special version of Windows Server 2008 R2, boundaries enforced by the hypervisor, host firewall |
| Network | VLANs and packet filters in routers |
| Physical | World-class physical security, ISO 27001 and SAS 70 Type II certified datacenter processes |
Defenses inherited by Windows Azure Platform applications

The threat types below are the STRIDE categories (Information Disclosure is folded into the Tampering row):

| Type of threat | Defense |
|---|---|
| Spoofing | VLANs, top-of-rack switches, custom packet filtering |
| Tampering / Disclosure | VM switch hardening, Certificate Services, shared-access signatures, HTTPS, side-channel protections |
| Repudiation | Monitoring, Diagnostics Service |
| Denial of Service | Configurable scale-out |
| Elevation of Privilege | Partial Trust runtime, hypervisor custom sandboxing, virtual service accounts |
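Two of the measures above, strong storage keys and shared-access signatures, work together: the account key never leaves your own service, and clients are handed a signed token scoped to one resource, one permission set and one time window instead. The following Python is an added example, not code from the original post or from the Windows Azure SDK. It mints a service SAS for a single blob and then re-runs the checks the storage service performs when the token is presented. It assumes the string-to-sign layout of REST API version 2012-02-12 (permissions, start, expiry, canonicalized resource, signed identifier, version, newline-separated), uses a constructed account key derived from a fixed string, and the account, container and blob names (`examplestorage`, `photos`, `report.pdf`) are hypothetical.

```python
"""Service SAS demo: mint a scoped, time-limited token for one blob with HMAC-SHA256 over the
storage account key, then perform the checks the storage service does on every request.
Added example; string-to-sign layout assumed to follow REST API version 2012-02-12."""
import base64
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

SAS_VERSION = "2012-02-12"            # assumption: layout of this API version
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"       # ISO 8601 UTC, as used in the st/se parameters

# Constructed sample values: the key is derived from a fixed string and is NOT a real account key.
ACCOUNT = "examplestorage"
ACCOUNT_KEY_B64 = base64.b64encode(hashlib.sha512(b"constructed sample key").digest()).decode()


def canonicalized_resource(account: str, container: str, blob: str) -> str:
    # The resource path is part of the signed string, so a token for one blob is useless on another.
    return f"/{account}/{container}/{blob}"


def string_to_sign(account, container, blob, permissions, start, expiry, identifier=""):
    return "\n".join([permissions, start, expiry,
                      canonicalized_resource(account, container, blob), identifier, SAS_VERSION])


def sign(account_key_b64: str, sts: str) -> str:
    key = base64.b64decode(account_key_b64)            # the secret stays on the server side
    digest = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def make_blob_sas_url(account, key_b64, container, blob, permissions, start, expiry):
    """Client-facing side: build the URL a browser or partner receives instead of the account key."""
    sig = sign(key_b64, string_to_sign(account, container, blob, permissions, start, expiry))
    query = urllib.parse.urlencode({"sv": SAS_VERSION, "sr": "b", "sp": permissions,
                                    "st": start, "se": expiry, "sig": sig})
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{query}"


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def verify_blob_sas_url(url, key_b64, requested_permission, now):
    """Service side: recompute the signature from the *claimed* fields, then enforce scope.
    Returns (allowed, reason)."""
    parts = urllib.parse.urlparse(url)
    account = parts.hostname.split(".")[0]
    container, blob = parts.path.lstrip("/").split("/", 1)
    q = {k: v[0] for k, v in urllib.parse.parse_qs(parts.query).items()}
    try:
        permissions, start, expiry, sig = q["sp"], q["st"], q["se"], q["sig"]
    except KeyError:
        return False, "missing SAS parameter"
    if q.get("sv") != SAS_VERSION or q.get("sr") != "b":
        return False, "unsupported version or resource type"
    # 1. Integrity: any edit to sp, st, se or the blob path changes the expected HMAC.
    expected = sign(key_b64, string_to_sign(account, container, blob, permissions, start, expiry))
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    # 2. Validity window, checked against the server's clock, never the client's.
    if not (parse_time(start) <= now < parse_time(expiry)):
        return False, "outside validity window"
    # 3. Least privilege: only the permission letters that were signed are granted.
    if requested_permission not in permissions:
        return False, "permission not granted"
    return True, "ok"


def demo():
    """Mint one read-only token and exercise the failure modes; returns the decisions by name."""
    url = make_blob_sas_url(ACCOUNT, ACCOUNT_KEY_B64, "photos", "report.pdf", "r",
                            "2011-05-01T00:00:00Z", "2011-05-01T01:00:00Z")
    during = parse_time("2011-05-01T00:30:00Z")
    after = parse_time("2011-05-01T02:00:00Z")
    return {
        "url": url,
        "read_ok": verify_blob_sas_url(url, ACCOUNT_KEY_B64, "r", during),
        "write_denied": verify_blob_sas_url(url, ACCOUNT_KEY_B64, "w", during),
        "expired": verify_blob_sas_url(url, ACCOUNT_KEY_B64, "r", after),
        # Client upgrades its own permissions in the query string: HMAC no longer matches.
        "tampered": verify_blob_sas_url(url.replace("sp=r&", "sp=rw&"), ACCOUNT_KEY_B64, "w", during),
        # Same token replayed against a different blob: resource is part of the signed string.
        "other_blob": verify_blob_sas_url(url.replace("report.pdf", "salaries.xlsx"),
                                          ACCOUNT_KEY_B64, "r", during),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take from the run is that every field the bearer could edit (`sp`, `st`, `se`, the blob path) is covered by the HMAC, so the token confines its holder to exactly what was signed, whereas a leaked account key would grant everything in the account. The flip side is revocation: a plain SAS cannot be cancelled before `se` without rotating the account key, so keep expiry windows short.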
Windows Azure Data Center Security
- World-class physical security
  - 24x7 secured access
  - Electronically controlled access systems
  - Video camera surveillance
  - Motion detectors
  - Security breach alarms
- Industry certifications
  - ISO/IEC 27001:2005
  - SAS 70 Type II
This information is based on the following video.