Security shared responsibility in Azure IaaS

Cloud computing is a broad term, covering everything from hosted software services down to hardware infrastructure. The taxonomy most people still use is the one from the U.S. National Institute of Standards and Technology (NIST), which defines three service models:

  • Software as a Service (SaaS): the cloud consumer accesses the cloud service provider's software over the Internet. An example is Microsoft Office 365, which offers a set of business productivity services including instant messaging and video conferencing (Skype for Business Online), email (Exchange Online), and collaboration and file sharing (SharePoint Online and OneDrive). The cloud consumer does not manage the underlying cloud infrastructure: network, servers, operating system or storage. The cloud consumer may have access to a limited set of application configuration settings (e.g. SharePoint Online Central Administration).
  • Platform as a Service (PaaS): more control than the SaaS model. The cloud consumer is given access to a development platform, a web server or a database instance, and may use the provider's extensibility modules, libraries and tools to build more capable applications hosted on the underlying cloud infrastructure. The cloud consumer still has no control over the network, servers, storage or operating system.
  • Infrastructure as a Service (IaaS): the cloud service provider supplies infrastructure resources such as network, storage and other fundamental compute resources so the cloud consumer can deploy whole systems on demand. In this model the cloud consumer controls the operating system, storage and deployed applications (and possibly some networking components such as host firewalls), but still does not manage the underlying physical infrastructure.

Microsoft Azure IaaS is no exception; it follows the NIST definition. The illustration below compares four models from the viewpoint of Microsoft as the cloud service provider and you as the cloud consumer. In the on-premises model, you control everything: infrastructure resources such as networking, storage, servers and the virtualization platform, all the way up to applications and data. Microsoft plays no part in this model unless you ask Microsoft for support on products you are running yourself, e.g. System Center or Hyper-V.

In the IaaS model, Microsoft provides the networking, storage, servers and virtualization technology on which you build your own virtualized infrastructure. The choice of operating system, data and applications is yours. You pick the virtual machine size you need and deploy it on Microsoft Azure; you can specify the operating system (e.g. Windows Server 2012) as well, and configure high availability for your workload (e.g. a SharePoint farm deployment).

The point of the illustration is that you need to understand which responsibilities are shared and which are yours, so you can work with Microsoft to build and harden your system. Below is the illustration of shared responsibility between you and Microsoft.

Data privacy is the regulatory topic that comes up most often when cloud security is discussed. Cloud service providers such as Microsoft state in their contracts and terms of service that they do not access customer data. That means data classification and privacy are your responsibility: you define the level of confidentiality. Microsoft can help by offering encryption options, but it leaves the choice of whether to encrypt your data to you. You are fully accountable for your data even though it resides somewhere in Microsoft's infrastructure.

Next, client and endpoint protection is your responsibility. This usually means protecting your virtual machines, and any clients inside your virtual network, from viruses and malware. Microsoft offers a built-in antimalware agent for your virtual machines, Microsoft Antimalware, but it is up to you to enable and configure it.

Identity and access management is always your responsibility. Microsoft only provides a secure identity platform that helps you manage and protect identities. You are fully responsible for protecting the accounts used to sign in to the Azure Management Portal and manage Azure resources, including the passwords of those accounts.

At the application level in the IaaS model, Microsoft does not know what you are going to deploy on your virtual machine. You have to plan and follow a security checklist to harden your application yourself.

For the network scope, responsibility is shared: Microsoft provides and protects the underlying network infrastructure, while the configuration of your own virtual network (subnets, endpoints and traffic filtering) is yours.
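The two customer-side controls mentioned above, enabling the Microsoft Antimalware agent on a VM and restricting inbound traffic to the virtual network, can be scripted. The following is an added example, not from the original post: it uses the Azure Resource Manager Az PowerShell module (the post itself predates it and refers to the classic Azure Management Portal), and every resource name, region, CIDR range and the NIC name are assumptions. The Antimalware extension's publisher, type and settings schema are the documented ones.

```powershell
# Added example (not part of the original post). Assumes the Az module is installed
# and the signed-in account has Contributor rights on the resource group.
Connect-AzAccount

$rg       = 'rg-sharepoint-prod'   # assumed resource group
$vmName   = 'sp-web-01'            # assumed VM name
$location = 'southeastasia'        # assumed region

# 1. Client/endpoint protection: enable the Microsoft Antimalware extension
#    with real-time protection and a weekly quick scan (Saturday 02:00).
$amSettings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = 'true'
    ScheduledScanSettings     = @{ isEnabled = 'true'; day = '7'; time = '120'; scanType = 'Quick' }
    Exclusions                = @{ Extensions = ''; Paths = ''; Processes = '' }
} | ConvertTo-Json -Depth 4

Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' `
    -ExtensionType 'IaaSAntimalware' -TypeHandlerVersion '1.3' `
    -SettingString $amSettings

# 2. Network: a network security group that allows RDP only from the admin
#    network (assumed 203.0.113.0/24) and explicitly denies all other inbound traffic.
$allowRdp = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-admin' -Direction Inbound `
    -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix '203.0.113.0/24' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$denyAll = New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' -Direction Inbound `
    -Access Deny -Protocol '*' -Priority 4096 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-sp-web' -SecurityRules $allowRdp, $denyAll

# Attach the NSG to the VM's network interface (NIC name is assumed).
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'sp-web-01-nic'
$nic.NetworkSecurityGroup = $nsg
Set-AzNetworkInterface -NetworkInterface $nic

# 3. Data: encryption is offered but not enforced; check whether this VM's disks are encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

The final check is there to make the "it's your choice" point concrete: a freshly deployed VM reports its OS and data disks as not encrypted until you enable Azure Disk Encryption yourself.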

You might think Microsoft can help with Distributed Denial-of-Service (DDoS). Microsoft does run its own DDoS defense system, but it is designed only for high-volume, network-layer attacks and exists to protect the Azure platform and its tenants as a whole. It offers no guarantee against a lower-volume attack that targets you specifically, and Microsoft does not publish the traffic volume at which its defenses engage. Preventing DDoS therefore remains part of your security responsibility. In addition, Microsoft Azure does not mitigate or actively block application-layer attack traffic to your deployment.

The last scope is physical infrastructure. Have you, as a Microsoft customer, ever had access to it? If you answer "yes", I cannot vouch for how you will fare in jail. Physical infrastructure means the hardware, datacenters and everything else combined to run and monitor the Microsoft Azure cloud platform. You are absolutely not authorized to touch Microsoft's infrastructure.

This entry was posted in Governance & Compliance.
