
What admins should know about Microsoft Azure security and vulnerabilities

Although Microsoft performs its own Azure testing, end users bear the responsibility of making sure their systems meet company security requirements.

When systems administrators think about Microsoft Azure security, they will have encryption, monitoring/logging, access control and threat management at the forefront of their concerns. These areas are the pillars of cloud security. System design and security management best practices aside, maintaining a resilient Azure environment goes beyond these core concepts. One thing that's often overlooked is proper security reviews by way of vulnerability scanning and penetration testing. Without these practices, there's no way to know if the Azure environment can withstand an attack.

In many situations, those responsible for enterprise information security are put at ease over any related concerns because it's "in Microsoft's cloud." The general belief is that anything good enough for Microsoft is good enough for our business. The assumption is that Microsoft performs its own penetration testing of Azure, so any problems would be uncovered and we would be notified. Microsoft states on its Azure website:

Microsoft conducts regular penetration testing to improve Azure security controls and processes. We understand that security assessment is also an important part of our customers' application development and deployment.

In other words, Microsoft leaves it to the end user to ensure that their systems meet their own security requirements. As impressive as Microsoft's list of industry-verified conformity with global standards looks, it's your job to ensure the systems and applications are checked. Data center security standards are one thing, but server and application flaws are quite another. If you look at the known breaches taking place, it's hardly ever because an organization didn't have certain basic security policies or industry standards in place. Instead, it's either because their policies and standards aren't being enforced in real-world scenarios or the lesser-known technical vulnerabilities are not being sought out and resolved.

Lack of enforcement is a common cause of Azure vulnerabilities

It's not uncommon to see highly compliant cloud environments in Azure (or Amazon or elsewhere for that matter) that are riddled with technical security vulnerabilities -- most of which would negate all other high-level data center and operational security controls. In these presumably resilient cloud environments, I’ve seen vulnerabilities such as the following:

  • SQL injection due to lack of application input validation
  • Weak web application passwords
  • Missing -- and exploitable -- Web server patches
  • Lack of monitoring, alerting and real-time blocking of attacks

If these Azure environments are secure because they're "compliant," then who's looking out for the real flaws that create most of the problems? The answer is often no one. Shadow IT aside, many larger enterprises have security testing under control; medium and smaller organizations, not so much.

You don't know what you don't know. It'll be next to impossible to defend any claim of due care if the proper security reviews are not taking place in the cloud environment. Vow to look beyond mere words, promises and paperwork; bring the cloud security program full circle by obtaining permission from Microsoft and then testing for these flaws and others in Azure. Do it now, and again a few months from now, then periodically and consistently moving forward. Find the weaknesses before the criminals do.
