Windows Azure Security Essentials – Part 2/N – Cloud Threats and how Windows Azure handle them

   One of the very important part of security is to know you threats, and in Cloud it’s important to know what threads are different from the On-premise environments, and those are:

  • Traditional threats, like:
    • Cross-site scripting (XSS), SQL Injection
    • DoS Attacks, network spoofing, DDoS
  • Old threads are mitigated by the system and are responsibilities of the Cloud Vendor
    • Patching is automated and instances are moved to secure systems
    • Cloud resiliency improves failover across a service
  • Also some of the existing threads are expanded, like:
    • Data privacy such as location and segregation
    • Abuse of privilege access by admins
  • So new Threads also appear. Threads like:
    • Privilege escalations from the virtual machines to hosted server
    • Breaking the boundaries between VM’s
    • “Hyperjacking”

   Windows Azure implements the following security measures:

    Level Defenses in place
    • Strong storage keys fro access control
    • SSL support for data transfers between all parts involved
    • Partial Trust mode to run public facing applications
    • Windows account with least privileges in order to avoid gaining access to something important even if getting in the application
    • Special version of Windows Server 2008 R2 Operating System
    • Host boundaries enforced by external hypervisor
    • Host firewall limiting traffic to the VMs
    • VLANs and packet filters in routers
    • World class physical security
    • ISO 27001 and SAS 70 Type II certifications for datacenter processes

       Defenses inherited by Windows Azure Platform Applications

    Type of Thread Defense
    Spoofing VLANs
    Top Rack switches
    Custom packet filtering
    Tampering / Disclosure VM switch hardening
    Certificate Services
    Shared-access signatures
    Side channel protections
    Repudiation Monitoring
    Diagnostics Service
    Denial of Service Configurable scale-out
    Elevation of Privilege Partial Trust Runtime
    Hypervisor custom sandboxing
    Virtual Service Accounts

      Windows Azure Data Center Security

    • World-Class Physical Security
      • 24×7 secured access
      • Electronically controlled access systems
      • Video camera surveillance
      • Motion detectors
      • Security breach alarms
    • Industry Certifications
      • ISO 27001-2005
      • SAS 70 Type II


    This information was achieved base on the following video.

    Leave a Reply

    Your email address will not be published. Required fields are marked *