The first rule of cloud security club is that you never talk about cloud security club, but we’ve decided to ignore that rule. Here are ten lesser-known aspects of how Microsoft tries to ensure that its Windows Azure cloud offering stays secure.
Cloud security picture from Shutterstock
“Security’s the biggest blocker not just for Azure adoption but for cloud adoption generally,” Stevan Vidich, director of Windows Azure marketing, noted at the Microsoft Management Summit (MMS) in Las Vegas earlier this week. Presumably to dispel that paranoia, his presentation (which we’ve already drawn on briefly to discuss Microsoft’s future Azure data centre plans) offered up a stack of insights into the approach used to secure Azure.
10. You can go on a tour of the Azure data centres. Customers who are keen to tour one of the eight Azure locations are encouraged to do so. “I tend to have a very different discussion with customers who have gone to Dublin or Chicago or Singapore,” Vidich said. Like most data centres, security is tight: server cages are locked, you can’t enter them without completing two-factor authentication, and the entire facility is monitored 24/7 by video. Nonetheless, if you’re planning on spending big money in Singapore or Amsterdam, the option is there.
9. That won’t help you much if you have nefarious intentions. “There is no way to access Azure on-premises from the physical location,” Vidich said. “You cannot get into the fabric and administer all those facilities. All the administration is done from our network operations centre in Redmond. Being on site does not mean you get to see Azure in action.”
“You cannot walk up and put your finger onto a hard drive and say ‘that’s where my data is’ either, because the fabric will move data as you see fit,” he added. “A sliver of your data might be on a given drive on a day but not on another day.”
8. Penetration testing happens, but you’re not supposed to see it. So you can’t break in physically, but that’s not where most attacks would happen anyway, and we all know it. “Customers are often concerned about specific targeted attacks on their own applications,” Vidich said. “Windows Azure does penetration testing internally with our own teams on a continuous basis We also hire independent third party firms to do pen testing on the platform services.”
That sounds good, but you’ll largely have to take Microsoft’s word for it. “We do not publish or make these pen test results available to customers but we retained NCC Group to do pen testing accreditation for the UK government and that pen test report is available to customers under a non-disclosure agreement.” (We’re back to that cloud security club rule again, aren’t we?)
7. Microsoft staff also have to jump through hoops. To be clear, Microsoft doesn’t make life much easier for its own workers. Forget a staff member trying to jump across networks for a quick peek at the Azure data. “It’s not possible to get into the Azure domain simply by being on our Microsoft corporate Active Directory,” Vidich said.
Even the people writing code for Azure itself are subjected to scrutiny. “We perform full virus scans on all code before deploying. Only code with a clean scan via Forefront will be deployed.”
Obviously there are occasions where staffers do need to access the system (via so-called ‘jump boxes’), but the process is tightly controlled. Access to the Azure fabric requires prior authorisation, the use of a specific two-factor authentication system which requires a smart card, and access is generally restricted to a period of no more than six hours. “We have to be able to provide a full audit trail of these types of activities,” Vidich said.
7. Controlling leeches and DDOS wannabes.. One obvious temptation for hack-happy types would be to try and grab resources from other Azure users, but Vidich says that’s not possible. “The fabric controller will make sure that all of the VMs deployed into the Azure fabric will get the resources they paid for. It’s not possible for an infected VM to consume unlimited resources and starve its neighbours.”
Those protections also reduce the risk of an internal attack. “The packet filtering which we enforce on all traffic originating from VMs prevents spoofing attacks on the platform and stops the VMs from communicating with protected infrastructure devices.”
There are also additional layers designed to reduce the risk of a distributed denial of service (DDOS) attack. “Just about everything in Windows Azure is custom built and proprietary, including protection against DDOS attacks,” Vidich said. “We use standard DDOS mitigation techniques, but we also have dedicated third-party DDOS systems in place. Windows Azure also monitors for internally-initiated DDOS attacks and will remove offending VMs.”
5. Sometimes, you’re on your own. . While Microsoft monitors its fabric for potentially iffy activity, it generally takes a hands-off attitude to individual applications. “It is not possible for us to monitor your individual apps and tell you ‘hey, something funky’s going on’,” Vidich said. In other words: What you do inside your own virtual machines is your own affair.
4. Change happens faster, but not too fast. That hands-off attitude is also evident in the support cycle for Azure apps, which is driven by both security and performance concerns. While the traditional Windows platform has long run on a 5+5model (five years of guaranteed support and five years of extended support), that wasn’t feasible for Azure. “That had to be changed in the world of online services,” Vidich said. “What we did was we came up with the notion of disruptive change. If our changes mean changes to app configuration, we guarantee we’ll give you 12 months notice before making a disruptive change to the platform.” The big lesson? Never assume your code is super-permanent — a healthy attitude when it comes to security as well.
3. Cloud providers throw out hard drives — carefully. Inevitably, hard drives within the Azure data centres are retired. To ensure data isn’t compromised, they are put through a 7-pass wiping process. “Those drives which cannot spin we will physically shred and pulverise,” Vidich said. Awesome, but we’d like to see a video.
2. How to delete your own data. Getting rid of data on your own servers can be challenging. With Azure, built-in systems for redundancy make it even trickier, but it is possible.
“When you put data into Windows Azure storage, we have local redundant storage,” Vidich said. Your data is kept in triplicate across three physically separate domains If one part of the infrastructure goes down, it can provision another copy At any given time, there are always three copies of your data at the primary location. And unless you choose to disable, we will also geo-replicate to a secondary site at least 400 miles away and keep it in triplicate there too.”
So what happens when you decide to wipe something? “When you delete a blob or a table entity, we will immediately delete that entry from the index used to access data at the primary location, and then asynchronously delete it from geo-replicated copies.”
Does that create any risk that someone else might be able to read your data? Vidich offers an empatic ‘no’. “If you check yourself, you won’t find it. Windows Azure customers never have access to raw storage. Before storage can be provisioned, it has to be overwritten. Data is allocated sparsely. When you create a virtual disk, we create a table mapping the virtual disk to physical disk, and it’s empty. The very first time you write to virtual disk, we allocate space then place a pointer into that table. Attempts to read a space they haven’t written to would only return 0s as physical space hasn’t been allocated. Even though we don’t give you a contractual guarantee that says we will overwrite deleted data, we do make it impossible for anyone to provision data that hasn’t been overwritten or to read data that you have deleted.
1. Need logs? Get a lawyer. So with all this protected data, what happens if things get nasty, your company gets sued and someone is demanding access to evidence from your Azure-based systems? “If you as a customer are involved in a legal case and you need access to platform level logs, we will help you with that request,” Vidich said. “Logs will be sanitised and apply only to that customer account.
“What we cannot do is give you platform-level logs that pertain to another customer.” That would require a court order or subpoena. If that’s what you’re being forced to spend time on, chances are it’s not a good day at the office.
Lifehacker’s World Of Servers sees me travelling to conferences around Australia and around the globe in search of fresh insights into how server and infrastructure deployment is changing in the cloud era. This week, I’m in Las Vegas for the Microsoft Management Summit 2013, looking for practical guidance on deploying and managing Windows servers.