Microsoft Windows Azure Cloud Security:
The security of your data is essential for your business. We have seen an average of two cyber-attacks per day to web sites with very low ranking on Internet Search Engines. The average cyber-attacks to web sites with high ranking on Internet Search Engines is several times greater.
The Windows Azure platform is designed to provide “Defense in Depth,” reducing the risk that failure of any one security mechanism will compromise the security of the entire environment. The Defense in Depth layers include:
Filtering Routers
Filtering routers reject attempts to communicate between addresses and ports not configured as allowed. This helps to prevent common attacks that use “drones” or “zombies” searching for vulnerable servers. Although relatively easy to block, these types of attacks remain a favorite method of malicious attackers in search of vulnerabilities. Filtering routers also support configuring back end services to be accessible only from their corresponding front ends.
Firewalls
Firewalls restrict data communication to (and from) known and authorized ports, protocols, and destination (and source) IP addresses.
Cryptographic Protection of Messages
TLS with at least 128 bit cryptographic keys is used to protect control messages sent between Windows Azure datacenters and between clusters within a given datacenter. Customers have the option to enable encryption for traffic between end users and customer VMs.
Software Security Patch Management
Security patch management is an integral part of operations to help protect systems from known vulnerabilities. The Windows Azure platform utilizes integrated deployment systems to manage the distribution and installation of security patches for Microsoft software.
Monitoring
Security is monitored with the aid of centralized monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment, providing pertinent and timely monitoring and alerts.
Network Segmentation
Microsoft uses a variety of technologies to create barriers for unauthorized traffic at key junctions to and within the datacenters, including firewalls, Network Address Translation boxes (load balancers), and filtering routers. The back-end network is made up of partitioned Local Area Networks for Web and applications servers, data storage, and centralized administration. These servers are grouped into private address segments protected by filtering routers.
Physical Security
Physical security goes hand-in-hand with software-based security measures, and similar risk assessment and risk mitigation procedures apply to both.
Windows Azure platform services are delivered to customers through a network of global datacenters, each designed to run 24 x 7, and each employing various measures to help protect operations from power failure, physical intrusion, and network outages. These datacenters are compliant with applicable industry standards for physical security and reliability; managed, monitored, and administered by Microsoft operations staff; and geographically dispersed.
Microsoft uses highly secured access mechanisms, limited to a small number of operations personnel, who must regularly change their administrator access passwords. Datacenter access, and authority to open datacenter access tickets, is controlled by the network operations director in conjunction with local datacenter security practices.