Windows Azure Security Essentials – Part 2/N – Cloud Threats and how Windows Azure handles them

   One of the most important parts of security is knowing your threats. In the cloud it is important to know which threats differ from those of on-premise environments, and those are:

  • Traditional threats remain, such as:
    • Cross-site scripting (XSS), SQL injection
    • DoS attacks, network spoofing, DDoS
  • Old threats are mitigated by the platform and are the responsibility of the cloud vendor:
    • Patching is automated and instances are moved to secure systems
    • Cloud resiliency improves failover across a service
  • Some existing threats are expanded, such as:
    • Data privacy, such as data location and segregation
    • Abuse of privileged access by administrators
  • New threats also appear, such as:
    • Privilege escalation from the virtual machines to the hosting server
    • Breaking the isolation boundaries between VMs
    • “Hyperjacking”

   Windows Azure implements the following security measures, listed by level together with the defenses in place:

  • Data
    • Strong storage keys for access control
    • SSL support for data transfers between all parties involved
  • Application
    • Partial Trust mode for running public-facing applications
    • Windows accounts with least privilege, so that compromising the application does not give access to anything important
  • Host
    • Special version of the Windows Server 2008 R2 operating system
    • Host boundaries enforced by an external hypervisor
  • Network
    • Host firewall limiting traffic to the VMs
    • VLANs and packet filters in routers
  • Physical
    • World-class physical security
    • ISO 27001 and SAS 70 Type II certifications for datacenter processes

   Defenses inherited by Windows Azure Platform applications, listed by type of threat (the categories follow STRIDE):

  • Spoofing
    • VLANs
    • Top-of-rack switches
    • Custom packet filtering
  • Tampering / Disclosure
    • VM switch hardening
    • Certificate Services
    • Shared-access signatures
    • HTTPS
    • Side-channel protections
  • Repudiation
    • Monitoring
    • Diagnostics Service
  • Denial of Service
    • Configurable scale-out
  • Elevation of Privilege
    • Partial Trust runtime
    • Hypervisor custom sandboxing
    • Virtual Service Accounts
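The "strong storage keys" and "shared-access signatures" entries above rest on one mechanism: the account key stays with the issuing service and is only used to sign a time-bounded, permission-scoped token that clients present instead. The Python below is an added example written for this post, not Azure's SDK or its exact string-to-sign format; the key, the resource path and the field layout are constructed for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Constructed demo key in the base64 form storage keys are presented in. It is
# not a real Azure key and, in practice, must never leave the issuing service.
STORAGE_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-azure-key").decode()
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(permissions, start, expiry, resource):
    # Simplified canonical form (not Azure's exact layout): a fixed field order
    # so the MAC binds one resource to one permission set and one time window.
    return "\n".join([permissions, start, expiry, resource])


def _sign(key_b64, message):
    mac = hmac.new(base64.b64decode(key_b64), message.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def issue_sas(key_b64, resource, permissions, start, expiry):
    """Issuer side: mint the query-string token a client appends to the URL."""
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    sig = _sign(key_b64, _string_to_sign(permissions, st, se, resource))
    return urlencode({"sp": permissions, "st": st, "se": se, "sig": sig})


def check_sas(key_b64, resource, token, wanted, now):
    """Verifier side: recompute the MAC, then enforce the window and permission."""
    fields = {k: v[0] for k, v in parse_qs(token).items()}
    if any(k not in fields for k in ("sp", "st", "se", "sig")):
        return "malformed token"
    expected = _sign(key_b64, _string_to_sign(fields["sp"], fields["st"], fields["se"], resource))
    if not hmac.compare_digest(expected, fields["sig"]):
        return "bad signature"  # any edited field, or a different resource
    start = datetime.strptime(fields["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(fields["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not start <= now < expiry:
        return "outside validity window"
    if wanted not in fields["sp"]:
        return "permission not granted"
    return "ok"


if __name__ == "__main__":
    t0 = datetime(2011, 6, 1, 12, 0, tzinfo=timezone.utc)
    blob = "/demoaccount/photos/cat.jpg"  # constructed resource path
    token = issue_sas(STORAGE_KEY, blob, "r", t0, t0.replace(hour=13))
    print(check_sas(STORAGE_KEY, blob, token, "r", t0.replace(minute=30)))
    print(check_sas(STORAGE_KEY, blob, token.replace("sp=r", "sp=rw"), "w", t0.replace(minute=30)))
```

Widening the permissions or pointing the token at another blob changes the string to sign, so the recomputed MAC no longer matches and the request is refused without the key ever being exposed.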

   Windows Azure Data Center Security

    • World-class physical security
      • 24x7 secured access
      • Electronically controlled access systems
      • Video camera surveillance
      • Motion detectors
      • Security breach alarms
    • Industry Certifications
      • ISO 27001:2005
      • SAS 70 Type II


    This information is based on the following video.
