When systems administrators think about Microsoft Azure security, they will have encryption, monitoring/logging,...
access control and threat management at the forefront of their concerns. These areas are the pillars to cloud security. System design and security management best practices aside, maintaining a resilient Azure environment goes beyond these core concepts. One thing that's often overlooked is proper security reviews by way of vulnerability scanning and penetration testing. Without these practices, there's no way to know if the Azure environment can withstand an attack.
In many situations, those responsible for enterprise information security are put at ease over any related concerns because it's "in Microsoft's cloud." The general belief is that anything good enough for Microsoft is good enough for our business. The assumption is, Microsoft performs its own penetration testing of Azure and any problems would be uncovered and we would, thus, be notified. Microsoft states on its Azure website:
Microsoft conducts regular penetration testing to improve Azure security controls and processes. We understand that security assessment is also an important part of our customers' application development and deployment.
In other words, Microsoft leaves it to the end user to ensure that their systems meet their own security requirements. As impressive as Microsoft's list of industry-verified conformity with global standards looks, it's your job to ensure the systems and applications are checked. Data center security standards are one thing, but server and application flaws are quite another. If you look at the known breaches taking place, it's hardly ever because an organization didn't have certain basic security policies or industry standards in place. Instead, it's either because their policies and standards aren't being enforced in real-world scenarios or the lesser-known technical vulnerabilities are not being sought out and resolved.
Lack of enforcement is a common cause of Azure vulnerabilities
It's not uncommon to see highly compliant cloud environments in Azure (or Amazon or elsewhere for that matter) that are riddled with technical security vulnerabilities -- most of which would negate all other high-level data center and operational security controls. In these presumably resilient cloud environments, I’ve seen vulnerabilities such as the following:
- SQL injection due to lack of application input validation
- Weak web application passwords
- Missing -- and exploitable -- Web server patches
- Lack of monitoring, alerting and real-time blocking of attacks
If these Azure environments are secure because they're "compliant," then who's looking out for the real flaws that create most of problems? The answer is often no one. Shadow IT aside, many larger enterprises have security testing under control; medium and smaller organizations, not so much.
You don't know what you don't know. It'll be next to impossible to defend any claim of due care if the proper security reviews are not taking place in the cloud environment. Vow to look beyond mere words, promises and paperwork; bring the cloud security program full circle by obtaining permission from Microsoft and then test for these flaws and others in Azure. Do it now, and again a few months from now, then periodically and consistently moving forward. Find the weaknesses before the criminals do.
Lock down cloud security with Azure Key Vault
Multifactor authentication adds extra layer to Azure security
Boost PaaS security with Microsoft Azure security features
Implement SSO with Microsoft Azure AD