Azure security
David J. Rosenthal
VP & GM, Digital Business
September 15, 2020
The security landscape
• Increasing complexity
• Evolving threats
• Rising costs
• Talent gap
(spanning on-premises and cloud)
95% of Fortune 500 businesses trust Microsoft Cloud
“Azure complies with multiple international and industry security compliance standards and certifications that our customers demand. This allows us to offer our solutions in Azure with confidence.”
— Brandon Pulsipher, Vice President of Technical Operation and Managed Services

“From a security point of view, I think Azure is a demonstrably more secure environment than most banks’ datacenters.”
— John Schlesinger, Chief Enterprise Architect

“Microsoft has a great commitment to the problems of the enterprise. The security built into Azure is huge for us and ensures the safety of our data wherever it is.”
— Julia Anderson, Global Chief Information Officer

“Building with the additional layer of Azure security, we feel we have a far better security posture than we could provide ourselves.”
— Thomas Fredell, Chief Product Officer

“Today, our operations team saves at least 30 percent of its time by using Security Center.”
— Monish Darda, Co-founder and CTO
Security operations that work for you
Partnerships for a heterogeneous world
Enterprise-class technology
Enterprise-class intelligent security
A secure foundation at global scale
Each physical datacenter is protected with world-class, multi-layered protection and secured with cutting-edge operational security:
• Restricted access
• 24x7 monitoring
• Global security experts
Global cloud infrastructure with custom hardware and network protection: over 100 datacenters across the planet.
Azure infrastructure security
Secure foundation
• Protect customer data: data and network segregation; DDoS protection at the edge
• Secure hardware: custom-built hardware with integrated security and attestation
• Continuous testing: red team exercises by Microsoft teams, vulnerability scanning & continuous monitoring
(Diagram labels: Customer 1, Customer 2)
Security operations that work for you
Microsoft Intelligent Security Graph
Unique insights, informed by trillions of signals:
• 450B monthly authentications
• 18B+ Bing web pages scanned
• 1B+ Azure user accounts
• Enterprise security for 90% of Fortune 500
• 5B threats detected on devices every month
• Shared threat data from partners, researchers, and law enforcement worldwide
• Botnet data from Microsoft Digital Crimes Unit
• 6.5B threat signals analyzed daily
• 400B emails analyzed
• 200+ global cloud consumer and commercial services (OneDrive, Microsoft accounts, Bing, Azure, Outlook, Windows)
Stopping cyber attacks
Intelligent Cloud: big data analytics; detonation-based ML models; sample analysis-based ML models; metadata-based ML models
Intelligent Edge: local ML models, behavior-based detection algorithms, generics, heuristics
Real-world intelligence at work (2017–2018):
• October 2017 – Cloud-based detonation ML models identified Bad Rabbit, protecting users 14 minutes after the first encounter.
• February 3 – Client machine learning algorithms automatically stopped the malware attack Emotet in real time.
• March 6 – Behavior-based detection algorithms blocked more than 400,000 instances of the Dofoil trojan.
• August 2018 – Cloud machine learning algorithms blocked a highly targeted campaign to deliver Ursnif malware to under 200 targets.
Cloud Services Security is a Shared Responsibility
The security of your Microsoft cloud service is a partnership between you and Microsoft.
Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications.
You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control (varies by service).
The responsibility stack (Administration, Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking) is shown for each service model (On Prem, IaaS, PaaS, SaaS), with each layer marked as managed by the customer or managed by the service provider.
Azure Built-in Controls: Defense in Depth Technology
• Identity & access
• Apps & data security
• Network security
• Threat protection
• Security management
Identity and access management
Secure identities to reach zero trust
• Identity protection
• Secure authentication
• Role based access control, Conditional access
Operational Security
• Customer Lockbox to control Microsoft support access
• No standing access to production servers and services
• Multi-factor authentication required for admin actions
• “Secure Workstations” required to access production
• Access requests are audited, logged, and monitored
• Customers approve Just in Time Microsoft support engineer access for issue resolution
Apps and data security
Control data through its lifecycle: Standard Data Protection
• At rest: encrypt data when stored in blob storage, database, etc. Examples: Azure Storage Service Encryption; SQL Server Transparent Database Encryption (TDE)
• In use: protect/encrypt data that is in use during computation. Examples: Trusted Execution Environments such as Intel SGX and VBS; homomorphic encryption
• In transit: encrypt data that is flowing between untrusted public or private networks. Examples: HTTPS, TLS
Key, Secrets & Certificate Management: Azure Key Vault
• Safeguard cryptographic keys and other secrets used by cloud apps and services
• Encrypt keys and small secrets using keys in Hardware Security Modules (HSMs)
• Simplify and automate tasks for SSL/TLS certificates; enroll and automatically renew certificates
• Rapidly scale to meet the cryptographic needs of your cloud applications and match peak demand
Used by: Virtual Machines, Applications, Storage & Databases
Network security
Network protection services enabling zero trust
• Network Security Groups (micro segmentation): distributed inbound & outbound network (L3-L4) traffic filtering on VM, container or subnet
• Web Application Firewall (application protection): centralized inbound web application protection from common exploits and vulnerabilities
• Azure Firewall: centralized outbound and inbound (non-HTTP/S) network and application (L3-L7) filtering
• Service Endpoints: restrict access to Azure service resources (PaaS) to only your Virtual Network
• DDoS protection: DDoS protection tuned to your application traffic patterns
Threat protection
Azure Security Center: protecting hybrid cloud workloads
Server protection, threat detection and brute force protection for Azure VMs, Apps & Data (IaaS & PaaS services) and for server workloads on-premises & other clouds:
• Windows Server EDR with Windows Defender ATP
• Linux server threat protection
• Machine learning based Application Whitelisting
• Actionable alerts for incidents
• Investigation for entire kill chain
• Automated response with Logic Apps workflow
• Just in time access to management ports
Threat detections and prescriptive recommendations can be exported to Excel and Power BI.
Security management
Speed + Control
Stakeholders: Cloud Custodian Team, Developers, Operations
Tools: Cost Management, Management Groups, Templates, RBAC, Blueprints, Policy
Cloud-native governance -> removing barriers to compliance and enabling velocity
Governance for the cloud
The broadest governance portfolio of any cloud
• Management Group (Hierarchy): define organizational hierarchy
• Policy (Control): real-time enforcement, compliance assessment and remediation
• Cost Management (Consumption) NEW: monitor cloud spend and optimize resources
• Blueprints (Environment) NEW: deploy and update cloud environments in a repeatable manner using composable artifacts
• Resource Graph (Visibility) NEW: query, explore & analyze cloud resources at scale
Gain visibility and guidance to improve security state (CSPM)
• Continuous assessment of security state with a dynamic secure score
• Best practice recommendations
• Central policy for security and compliance
• Across all your workloads
Simplify security management with Azure services
• App and Data protection: Encryption (Disks, Storage, SQL); Azure Key Vault; Confidential Computing
• Network security: VNET, VPN, NSG; Application Gateway (WAF), Azure Firewall; DDoS Protection Standard; ExpressRoute
• Threat protection and Security management: Microsoft Antimalware for Azure; Azure Log Analytics; Azure Security Center
• Identity & access management: Azure Active Directory; Multi-Factor Authentication; Role Based Access Control; Azure Active Directory (Identity Protection)
• + Partner Solutions
Partnerships for a heterogeneous world
• Work with industry alliances
• Work with government
• Partner with peers
Microsoft Intelligent Security Association
Teaming up with our security partners to build an ecosystem of intelligent security solutions that better defend against a world of increased threats. Collaboration strengthens protection.
And hundreds more with new partners integrating every month.
Extend your existing security solution to Azure with Marketplace
Partner solutions (Palo Alto Networks, Qualys Inc, HPE ArcSight, Splunk, IBM QRadar, and others) cover data protection, network security, threat protection, identity & access management, and security management.
Azure security: Defense in Depth, Microsoft + Partners
• Identity & access: Role based access; Multi-Factor Authentication; Central Identity Management; Identity Protection; Privileged Identity Management
• Apps & data security: Encryption; Confidential Computing; Key Management; Certificate Management; Information Protection
• Network security: DDoS Protection; NG Firewall; Web App Firewall; Private Connections; Network Segmentation
• Threat protection: Antimalware; AI Based Detection and Response; Cloud Workload Protection; SQL Threat Protection; IoT Security
• Security management: Log Management; Security Posture Assessment; Policy and governance; Regulatory Compliance; SIEM
© 2020 Razor Technology, LLC www.razor-tech.com
Let's keep in touch
David Rosenthal, VP & General Manager, Digital Business
@DavidJRosenthal
Slideshare
Blog: www.razor-tech.com
5 Tower Bridge, 300 Barr Harbor Dr., Suite 705, West Conshohocken, PA 19428
www.razor-tech.com
David.Rosenthal@razor-tech.com
Office: 866.RZR.DATA
© Copyright Microsoft Corporation. All rights reserved.

Azure Security Overview

  • 1.
    Azure security David J.Rosenthal VP & GM, Digital Business September 15, 2020
  • 2.
  • 5.
    95% of Fortune500 businesses trust Microsoft Cloud “Azure complies with multiple international and industry security compliance standards and certifications that our customers demand. This allows us to offer our solutions in Azure with confidence.” — Brandon Pulsipher, Vice President of Technical Operation and Managed Services “From a security point of view, I think Azure is a demonstrably more secure environment than most banks’ datacenters.” — John Schlesinger, Chief Enterprise Architect “Microsoft has a great commitment to the problems of the enterprise. The security built into Azure is huge for us and ensures the safety of our data wherever it is.” — Julia Anderson, Global Chief Information Officer “Building with the additional layer of Azure security, we feel we have a far better security posture than we could provide ourselves.” — Thomas Fredell, Chief Product Officer “Today, our operations team saves at least 30 percent of its time by using Security Center.” — Monish Darda, Co-founder and CTO
  • 6.
    Security operations thatwork for you Partnerships for a heterogeneous worldEnterprise-class technology
  • 7.
    Security operations thatwork for you Partnerships for a heterogeneous worldEnterprise-class intelligent security
  • 8.
    A secure foundation atglobal scale Each physical datacenter protected with world-class, multi-layered protection Secured with cutting- edge operational security • Restricted access • 24x7 monitoring • Global security experts Global cloud infrastructure with custom hardware and network protection Over 100 datacenters across the planet
  • 9.
    Protect customer data Data,network segregation. DDoS protection at the edge Secure hardware Custom-built hardware with integrated security and attestation Continuous testing Red team exercises by Microsoft teams, vulnerability scanning & continuous monitoring Azure infrastructure security Secure foundation Customer 2Customer 1
  • 10.
  • 11.
    Microsoft Intelligent SecurityGraph 450B monthly authentications 18B+ Bing web pages scanned 1B+ Azure user accounts Enterprise security for 90% of Fortune 500 5B threats detected on devices every month Shared threat data from partners, researchers, and law enforcement worldwide Botnet data from Microsoft Digital Crimes Unit 6.5B threat signals analyzed daily 400B emails analyzed 200+ global cloud consumer and commercial services OneDrive Microsoft accounts Bing Azure Outlook Windows Unique insights, informed by trillions of signals
  • 12.
    Stopping cyber attacks IntelligentEdge Intelligent Cloud Big data analytics Detonation-based ML models Sample analysis-based ML models Metadata-based ML models Local ML models, behavior-based detection algorithms, generics, heuristics March 6 – Behavior-based detection algorithms blocked more than 400,000 instances of the Dofoil trojan. February 3 – Client machine learning algorithms automatically stopped the malware attack Emotet in real time. October 2017 – Cloud-based detonation ML models identified Bad Rabbit, protecting users 14 minutes after the first encounter. 2017 2018 August 2018 – Cloud machine learning algorithms blocked a highly targeted campaign to deliver Ursnif malware to under 200 targets Real-world intelligence at work
  • 13.
    Security operations thatwork for you Partnerships for a heterogeneous worldEnterprise-class intelligent security
  • 14.
    Cloud Services Securityis a Shared Responsibility The security of your Microsoft cloud service is a partnership between You and Microsoft. Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications You own your data and identities and the responsibility for protecting them, the security of your on- premises resources, and the security of cloud components you control (varies by service Administration Applications Data Runtime Middleware O/S Virtualization Servers Storage Networking Managed by Customer Managed by Service Provider IaaSOn Prem PaaS SaaS
  • 15.
    Identity & access Apps &data security Network security Threat protection Security management Azure Built-in Controls Defense in Depth Technology
  • 16.
  • 17.
    Identity and accessmanagement Secure identities to reach zero trust Identity protection Secure authentication Role based access control, Conditional access
  • 18.
    Customer Lockbox tocontrol Microsoft support access No standing access to production servers and services Multi-factor authentication required for admin actions “Secure Workstations” required to access production Access requests are audited, logged, and monitored Customers approve Just in Time Microsoft support engineer access for issue resolution Operational Security
  • 19.
  • 20.
    Control data throughits lifecycle Standard Data Protection At rest Encrypt data when stored in blob storage, database, etc. Examples: Azure Storage Service Encryption SQL Server Transparent Database Encryption (TDE) In use Protect/Encrypt data that is in use during computation Examples: Trusted Execution Environments such as Intel SGX and VBS Homomorphic encryption In transit Encrypt data that is flowing between untrusted public or private networks Examples: HTTPS TLS
  • 21.
    Safeguard cryptographic keys andother secrets used by cloud apps and services Encrypt keys and small secrets using keys in Hardware Security Modules (HSMs) Simplify and automate tasks for SSL/TLS certificates, enroll and automatically renew certificates Rapidly scale to meet the cryptographic needs of your cloud applications and match peak demand Key, Secrets & Certificate Management- Azure Key Vault Virtual Machines Applications Storage & Databases
  • 22.
  • 23.
    Network protection servicesenabling zero trust Distributed inbound & outbound network (L3-L4) traffic filtering on VM, Container or subnet Network Security Groups Centralized inbound web application protection from common exploits and vulnerabilities Web Application Firewall Micro segmentationApplication protection Centralized outbound and inbound (non-HTTP/S) network and application (L3-L7) filtering Azure Firewall Restrict access to Azure service resources (PaaS) to only your Virtual Network Service Endpoints DDoS protection DDOS protection tuned to your application traffic patterns
  • 24.
  • 25.
    Server Protection Threat Detection Brute force protection Azure VMs,Apps & Data (IaaS & PaaS services) Server workloads on- premises & Other clouds Windows Server EDR with Windows Defender ATP Linux server threat protection Machine learning based Application Whitelisting Actionable alerts for incidents Investigation for entire kill chain Automated response with Logic Apps workflow Just in time access to management ports Azure Security Center Protecting hybrid cloud workloads Export to Excel and Power BI Threat Detections, Prescriptive Recommendations
  • 26.
  • 27.
    Speed + Control CloudCustodian Team Developers Operations Cost Management Management Groups Templates RBAC Blueprints Policies Policy Cloud-native governance -> removing barriers to compliance and enabling velocity
  • 28.
    Governance for thecloud The broadest governance portfolio of any cloud Management Group Define organizational hierarchy Hierarchy Policy Real-time enforcement, compliance assessment and remediation Control Cost Management Monitor cloud spend and optimize resources Consumption NEWNEW Blueprints Deploy and update cloud environments in a repeatable manner using composable artifacts Environment NEW Resource Graph Query, explore & analyze cloud resources at scale Visibility
  • 29.
    Gain visibility andguidance to improve security state CSPM Continuous assessment of security state with a dynamic secure score Best practice recommendations Central policy for security and compliance Across all your workloads
  • 30.
    Microsoft Antimalware for Azure AzureLog Analytics Azure Security CenterVNET, VPN, NSG Application Gateway (WAF), Azure Firewall DDoS Protection Standard ExpressRoute Encryption (Disks, Storage, SQL) Azure Key Vault Confidential Computing Azure Active Directory Multi-Factor Authentication Role Based Access Control Azure Active Directory (Identity Protection) + Partner Solutions Simplify security management with Azure services App and Data protection Network security Threat protection Identity & access management Security management
  • 31.
    Security operations thatwork for you Enterprise-class intelligent security Partnerships for a heterogeneous world
  • 32.
    Partnerships for aheterogeneous world Work with industry alliances Work with government Partner with peers
  • 33.
    Teaming up withour security partners to build an ecosystem of intelligent security solutions that better defend against a world of increased threats Microsoft Intelligent Security Association Collaboration strengthens protection
  • 34.
    And hundreds morewith new partners integrating every month Extend your existing security solution to Azure with Marketplace Palo Alto Networks Qualys Inc HPE ArcSight Splunk IBM QRadar Partner solutions Data protection Network security Threat protection Identity & access management Security management
  • 35.
    Azure security Identity & access Apps& data security Network security Threat protection Security management Role based access Encryption DDoS Protection Antimalware Log Management Multi-Factor Authentication Confidential Computing NG Firewall AI Based Detection and Response Security Posture Assessment Central Identity Management Key Management Web App Firewall Cloud Workload Protection Policy and governance Identity Protection Certificate Management Private Connections SQL Threat Protection Regulatory Compliance Privileged Identity Management Information Protection Network Segmentation IoT Security SIEM Defense in Depth Microsoft + Partners
  • 36.
    Security operations thatwork for you Partnerships for a heterogeneous worldEnterprise-class technology
  • 37.
    © 2020 RazorTechnology, LLC www.razor-tech.com David Rosenthal VP & General Manager Digital Business @DavidJRosenthal Slideshare Blog: www.razor-tech.com 5 Tower Bridge 300 Barr Harbor Dr., Suite 705 West Conshohocken, PA 19428 www.razor-tech.com [email protected] Office: 866.RZR.DATA LETS KEEP IN TOUCH
  • 38.
    © Copyright MicrosoftCorporation. All rights reserved.