Securing a public cloud infrastructure: Windows Azure

Post on 02-Nov-2014


Source: Saugatuck Technology Inc., 2009 Cloud Infrastructure Survey (Julne09), WW N=670

Saugatuck Insight: Saugatuck believes that many users will find that changes required in internal organization and politics for moving from dedicated to shared resources pose significant challenges to the adoption of Cloud Computing.

Security Privacy Reliability Business Practice

Questions

Is your service secure?

Are you ISO 27001 certified?

Jurisdiction?

Have you ever had a service outage?

Do you have performance SLA?

Do you have an incident response plan?

Do you have SAS Type II Report?

Do you provide 24*7 support?

Are you HIPAA compliant?

How do you ensure data isolation?

Data retention?

location ownership control

Hybrid Public Private

SaaS Software as a Service

PaaS Platform as a Service

IaaS Infrastructure as a Service

Spoofing Tampering & Disclosure

Port Scanning/Service Enumeration

Elevation of Privilege

Load-balanced Infrastructure

Network bandwidth throttling

Configurable scale-out

Denial of Service

Service Definition file, Windows Firewall, VM switch packet filtering

VM switch hardening

Certificate Services

Shared-Access Signatures

HTTPS

Sidechannel protections

VLANs

Top of Rack Switches

Custom packet filtering

Partial Trust Runtime

Hypervisor custom sandboxing

Virtual Service Accounts

[Diagram series, labels: Windows Azure, Customer Tenant, Customer Admin Users, Users, External Web Site, Central Admin, Physical Attacks On Servers]

Managed Code Access Security: partial trust

Windows Account: running with least privileges

Windows FW (VM): rules based on service model

Virtual Machine: fixed CPU, memory, disk resources

Root Partition Packet Filter: defense in depth against VM “jailbreaking”

Network ACLs: dedicated VLANs for tenant nodes

[Diagram labels: Hypervisor, Network/Disk, Root VM, Guest VM (repeated)]

Service security starts with the data center

Data center within a data center

Motion sensors

24×7 secured access

Biometric controlled access systems

Video camera surveillance

Security breach alarms

World-Class Security

1. Windows Azure Security Overview

2. TechNet Webcast - Windows Azure Security - A Peek Under the Hood (Level 100)

3. MSDN Webcast - Security Talk - Using Windows Azure Storage Securely (Level 200)

4. Securing Microsoft's Cloud Infrastructure
