Posted by Dana Epp
Is your data secure in Azure?
Recently I have had the opportunity to engage with peers on social media about how secure their data is in Azure. It brought up some interesting questions, and something we thought we should cover in an episode of #KnowOps.
In this week's video we talk about where your shared responsibility starts, and Microsoft's ends. We also discuss things like Microsoft's Service Trust Portal, and how they are constantly investing in their cybersecurity efforts for the cloud.
There's no easy button for securing your data in Azure and no solution that solves all your problems from a security perspective. It just doesn't exist. Back in 2000, when Bruce published his article on the process of security, it was a novel concept to think about people, process, and then product. But here we are, 20 years later, and we still haven't learned. You cannot abdicate responsibility of all your cloud administration to Microsoft. As administrators, we have an important part to play when it comes to securing our data. We can't buy our way out of it. It's time we face the reality of what our shared responsibilities really are in Azure, and just how much we can trust to Microsoft.
Dana Epp, here. Welcome to the channel that helps aspiring Azure administrators to know OPS, and, well, to master the Microsoft cloud. I'm glad you're back, well, unless this is your first video, in which case, welcome! Make sure you smash the subscribe button and hit the notification bell so you can be alerted when I post new content.
Okay, time for some transparency. I'm re-recording this episode. I originally recorded a deep diatribe about the cloud shared responsibility model, and who's responsible for what in Azure. We'll still probably cover that, but I want to tackle it a bit differently. All because of this Facebook comment from a fellow MVP, who was responding to last week's episode.
"Dana, people are concerned that their data is not safe. I work with people every day who use the cloud. But the question becomes, how do we know our data is safe? You're in a good position to talk about that issue. What would it take, for example, to swap out attachments in emails if you knew someone in the inside at Microsoft? What protections are in place to prevent that? What if a government wants your data? Can they just take it? Can someone from within Microsoft hack your data in a database? What would it take?"
I think these are great questions, Jeff. And it all comes down to how much we can trust Microsoft, and to understanding what their responsibility is and what ours is. You see, Microsoft is responsible for security of the cloud. As administrators, we're responsible for security in the cloud. Microsoft has published an excellent chart that helps to showcase who's responsible for what depending on the cloud computing options you choose. If you watched my last video, we talked about the different cloud computing models for IaaS, PaaS, and SaaS. Each one has different levels of responsibility that we need to be accountable for.
As an example, if you're running Azure virtual machines, you're responsible for patching them. You can turn on update management and then have Microsoft manage the patching of the operating systems for the VMs themselves, but you'd still be responsible for patching the software that you're running on those machines. This is part of the shared responsibility model in Azure. Both we and Microsoft have a part to play. When on premises, we're responsible for everything. I think that goes without saying. But if we move to IaaS in Azure, though, we no longer have to worry about the physical hardware or the networking. Racking, stacking, and cabling, that all goes away. As we adopt PaaS, we also don't have to worry about the operating systems anymore. And some of the networking controls are taken care of for us, too. Well, not all of them, mind you. But let's leave that for another episode.
Finally, we have SaaS. That's the nirvana, where we no longer have to worry about the applications themselves. Things like Office 365, Power BI, and Dynamics are great examples of this. Who wants to constantly be managing mail, and SharePoint servers, and CRM systems these days anyways? I sure don't.
Did you notice something, though?
In all of these scenarios, we as administrators are responsible for the data, the users, and their access to that data. That never changes. In other words, while we can delegate responsibility to many of the underlying infrastructure bits, and even some of the applications, the people, their access, and the data are still our responsibility. We cannot abdicate responsibility of cloud IT to Microsoft. We need to trust, but verify, so to speak.
So Jeff's questions open Pandora's box when it comes to how we should work with Microsoft and how we need to trust them. Trust is a really important part of partnering with Microsoft for your cloud infrastructure. One thing I highly recommend is that you check out Microsoft's Service Trust Portal, or something we call STP. You can reach it at servicetrust.microsoft.com. It's an awesome resource to show you everything Microsoft does to provide a safe cloud computing environment for you. It lists all the third-party security assessments and pen tests that they conduct every year. And actually you can go back in history to see what they've done. It also provides access to independent audit reports that provide information about compliance with data protection standards and regulatory requirements.
Here's a little tidbit for you. Did you know that Azure has the deepest and most comprehensive compliance coverage in the industry for all cloud vendors? I think it's north of like 90 different compliance offerings now. And if you need more mature cloud IT management for compliance and governance yourself, Microsoft also offers the free Compliance Manager there that helps you to identify areas in your Azure environment that may not be compliant with many of today's industry and regulatory standards that you may need to adhere to. But let's get right to Jeff's questions.
First off, let me be clear, Microsoft administrators do not have default access to cloud customer data. On the rare occasion that there is an incident that requires troubleshooting access to your data, administrators need to follow a stringent, time-based workflow that Microsoft calls Lockbox, which, through software, allows only pre-assigned, two-factor-authenticated administrators to even request escalation. So your buddy on the Microsoft campus doesn't have access to your mail or your data. It just doesn't work that way.
The Microsoft trusted cloud was built on the foundational principles of security, and privacy, compliance, and transparency. So for them to maintain that, they're constantly having to demonstrate stronger principles of information security than what we can deal with in our own companies. In fact, Microsoft spends something like a billion dollars focused on their cyber security efforts every year. That's billion with a B. How much are you able to invest in your cyber security efforts for the cloud? I think it's important to be clear that you own your data. You decide where it can be located and who can access it. If you decide to leave the Microsoft cloud, Microsoft will make sure your data's purged within 90 days of a subscription expiring. And any compliance data that you host in STP, well that will be permanently deleted within 24 hours of your tenant being deactivated.
Microsoft does not give governments direct or unfettered access to customer data, ever.
And they will not provide any government with their encryption keys or the ability to break their encryption. You can find all of this documented in the Service Trust Portal. But here's the thing, that's not enough. You should have an attitude of assumed breach. Let's assume for a moment someone from Microsoft did have access to our data. How could we protect it? The cloud really should be no different than how we would protect this on-prem. You should be in control of the data in transit and at rest. That means in Azure, make sure everything is encrypted. And you may even consider maintaining the keys.
Microsoft calls this Bring Your Own Key, or BYOK for short. And most services in Azure support this. From virtual machines and storage, all the way to SQL, all backed by a hardware security module, or what we call HSMs, with Azure Key Vault. Even Office 365 supports BYOK using Key Vault with a feature called Customer Key. I'd suggest you take a look at it. Look, there are tons of technical safeguards and security controls in Azure, that you can apply to protect your users and your data in the cloud. It's your responsibility as a cloud administrator to apply it.
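The "encrypted in transit and at rest, and consider holding the keys" advice above can be checked from your side of the shared responsibility line. The following is an added example, not code from the video or from Microsoft: a small Python audit over a constructed sample shaped like `az storage account list -o json` output. The account names and vault URI are made up, and the field names are assumed to match what the Azure CLI reports for storage accounts.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output
# (account names and vault URI are made up; only the fields read below are included).
SAMPLE = json.loads("""
[
  {"name": "contosofinance", "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyVaultUri": "https://example-kv.vault.azure.net",
                                         "keyName": "storage-cmk"}}},
  {"name": "contosologs", "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_0",
   "encryption": {"keySource": "Microsoft.Storage"}},
  {"name": "contosolegacy", "enableHttpsTrafficOnly": false,
   "encryption": {"keySource": "Microsoft.Storage"}}
]
""")

# An unset minimum TLS version is treated as weak, since older protocols may be accepted.
WEAK_TLS = {None, "TLS1_0", "TLS1_1"}

def audit_account(acct):
    """Return a list of findings for one storage account (empty list = clean)."""
    findings = []
    enc = acct.get("encryption") or {}
    # Data is still encrypted at rest with a Microsoft-managed key; the finding
    # is about who holds the key, which is the point of BYOK.
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("at-rest: Microsoft-managed key (no BYOK)")
    elif not (enc.get("keyVaultProperties") or {}).get("keyName"):
        findings.append("at-rest: Key Vault key source set but no key referenced")
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append("in-transit: plain HTTP allowed")
    if acct.get("minimumTlsVersion") in WEAK_TLS:
        findings.append("in-transit: minimum TLS below 1.2 or unset")
    return findings

def audit(accounts):
    """Map each account name to its findings."""
    return {a["name"]: audit_account(a) for a in accounts}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

To run it against a real subscription, replace `SAMPLE` with the parsed JSON saved from the CLI command named above.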
Microsoft is responsible for security of Azure. You are responsible for security in it.
That's why you can't abdicate responsibility to Microsoft. You can and should trust them, but at the same time you should take a defensive posture of assumed breach. Apply the guiding principles of information security and ensure that confidentiality, integrity, and availability are always met. Back up your data off of the cloud. Use strong authentication. Make sure systems are patched. Choose the right cloud computing model that balances this all for you. Sound familiar? It's pretty much the same guidance we've heard for years on maintaining good IT hygiene. You're just doing it on someone else's computers.
Man, I love this stuff.
I hope you found this useful. Thanks to Jeff for the great comments and the questions, and, well, thanks to you for watching. Let me know if you liked this by hitting the thumbs up button. Smash the subscribe button if you haven't already, and share this with all of those people that you think might benefit from it. Of course, if you have any feedback, please leave it in the comments. Who knows, it might make it in an upcoming video. Until then, we'll see you in the next episode.