Introduction to Windows Azure Compliance

In July I decided to create a series of 3 posts about this topic. Those 3 posts will be:

In this post I’ll be focusing on the Windows Azure compliance part.
Introduction to Windows Azure Compliance

Compliance is extremely important when moving or building solutions in the cloud, for two main reasons. First, because it gives us an understanding of the type of infrastructure that underlies the cloud offering. Second, because there are several solutions and companies that require specific compliances in order to be approved for deployment.

To address this, the Windows Azure infrastructure provides the following compliances:

[Figure: Windows Azure compliance certifications]

ISO/IEC 27001:2005

“Specifies a management system that is intended to bring information security under explicit management control” by Wikipedia. More information here.

This is extremely important because it gives us clear information about how securely our data will be handled inside Windows Azure.

SSAE 16/ISAE 3402 SOC 1, 2 and 3

“Enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402” by SSAE-16.com. More information here.

It is extremely important to understand that Windows Azure is audited and has to follow strict reporting rules in order to remain compliant. This gives us a view that everything has a specific process that needs to be followed.

HIPAA/HITECH

“The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.” by hhs.gov. More information here.

By having this HIPAA compliance it means that solutions for the healthcare industry can be delivered in Windows Azure, because the underlying infrastructure is already HIPAA compliant. This doesn’t mean that anything we build is automatically HIPAA compliant; it just means that Windows Azure can be used to deploy the solution, while the solution itself still needs to comply with the rest of HIPAA, mainly the software compliance part.

PCI Data Security Standard Certification

“Created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC)[1] for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.[2]” by Wikipedia. More information here.

This doesn’t mean that we can deploy a PCI-compliant solution in Windows Azure, because this certification covers only the way Windows Azure itself accepts payments, not third-party applications running on it.

FISMA Certification and Accreditation

“Assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.[2]

According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.” by Wikipedia. More information here.

Windows Azure Compliance Roadmap

Windows Azure has other compliances as well, so here is the complete roadmap.

[Figure: Windows Azure compliance roadmap]

Summary

What all this means is that Windows Azure is a secure and highly compliant option, which will allow us to leverage the Cloud on several different occasions.

The Windows Azure team has a Trust Center which will give you all the information about Security, Privacy and Compliance.

Hope this clarifies your view of the compliances behind Windows Azure.

Introduction to Windows Azure Security

Last Monday I presented at the Windows Azure UK User Group a session about “Windows Azure Security & Compliance”. During that session I spoke about the base security elements that Windows Azure provides from an infrastructure standpoint and how important it is to also implement security in our applications.

In order to pass this information to a broader audience I decided to create a series of 3 posts about this topic. Those 3 posts will be:

Introduction to Windows Azure Security

When we talk to someone about the Cloud, the following Security concerns are generally raised:

  • Where is my Data Located?
  • Is my Cloud Provider secure?
  • Who can see my Data?
  • How can I make sure my data on the Cloud continues to follow “my company policies”?
  • Can I have my Data back?
  • Can I have compliant applications in the Cloud?
  • Can I encrypt my data? Where do I store the keys?

Those are extremely important questions that need to be answered before moving forward. The best way to answer them is generally to work with the Cloud provider and also with a partner that can provide real-world insights about those topics for the application that is being built. For reference, please also check this Windows Azure Standard Response to Request for Information: Security and Privacy from the Cloud Security Alliance – http://bit.ly/WASecurityPrivacy.

Security is Multi-Dimensional

It is also important to understand that Security is Multi-Dimensional, since we shouldn’t only look at how secure the Cloud provider’s infrastructure is. For example, the Cloud infrastructure can be secure, but if our solution isn’t, it will allow insecure access to the data, making the complete solution insecure.

In order to have a completely secure solution, we need to think about the following perspectives:

  • Human: How do people treat sensitive data?
    • You can have a very secure infrastructure and encryption strategy, but if your users share your sensitive data by exporting it to Excel and placing it in insecure locations, or even use weak passwords, the system is still at risk.
    • Windows Azure can’t help here
  • Data: DB Hardening, Cryptography, Permissions
    • By hardening the DB and encrypting data, using least privileges accounts, and for example changing the default database ports, the security will be increased.
    • Windows Azure can’t help here
  • Application: Design and Implement Security Best Practices
    • The application design and implementation is very important to make sure the application is secure. Making sure you use for example “Partial trust” in .NET development will definitely make the security a lot better. Also I recommend checking the Microsoft Security Development Lifecycle.
    • Windows Azure can’t help a lot here, but it allows the ability to run the Cloud Services in Partial Trust which will improve security.
  • Host: OS Hardening, Regular Patching
    • Making sure the OS that is being used is correctly configured and is patched regularly is extremely important. I recommend whenever creating Windows environments to leverage the Microsoft Best Practices Analyzer.
    • Handled by Windows Azure in Cloud Services (PaaS) but handled by the user in Virtual Machines (IaaS)
  • Networking: Firewall, VLANS, Secure Channels, …
    • From an infrastructure best-practices standpoint it is very important to make sure that Firewalls and VLANs are correctly configured, and also that all communication channels are always correctly configured.
    • Handled by Windows Azure internally. All communications inside Windows Azure are secure, from communications from the Host to the Guest machine in the infrastructure level.
  • Physical: Who can access my servers?
    • Who can handle our servers is always important. In Windows Azure, like in most Cloud providers, servers are very secure and access to them is highly restricted. More information can be found here.

 

Windows Azure Security Layers

In order to improve security Windows Azure provides the following security defenses for each layer:

Layer: Defenses
Data
  • Strong storage keys for access control
  • SSL support for data transfers between all parties
Application
  • Front-end .NET framework code running under partial trust
  • Windows account with least privileges
Host
  • Stripped down version of Windows Server 2008 OS
  • Host boundaries enforced by external hypervisor
Network
  • Host firewall limiting traffic to VMs
  • VLANs and packet filters in routers
Physical
  • World-class physical security
  • ISO 27001 and SAS 70 Type II certifications for datacenter processes

If we analyze the security layers in more detail we’ll see the following:

[Figure: Windows Azure security layers]

This means that Windows Azure provides several different layers which will improve the security of your application, and by using all the elements in the onion-like graph, we’ll have a very secure system.

Defenses Inherited by Windows Azure Platform Applications

In addition, when thinking about security one very important analysis to do is how the application handles the STRIDE Model.

[Figure: STRIDE model defenses in Windows Azure]

This is a quick overview of what is done/enabled by Windows Azure in each area of the STRIDE model.

Penetration Testing in Windows Azure

Microsoft conducts regular penetration testing to improve Windows Azure security controls and processes. Customers can also execute penetration testing in Windows Azure, but they are required to get prior authorization from Microsoft by filling out a Penetration Testing Approval Form (http://bit.ly/WAPenTesting) and contacting Support.

Summary

Windows Azure is secure, and if we think about most data centers used by companies today, we’ll see that Windows Azure and even other Cloud providers are a lot more secure. Having said that, the infrastructure can be secure but our application is only as secure as the combination of Infrastructure and Application, so only if the application itself is built in a very secure way will we be able to say “Our application is Secure”.

I would recommend looking at the following resources in order to understand more about Windows Azure Security:

Lessons Learned: Taking the best out of Windows Azure Virtual Machines

Introduction

Now that the Windows Azure IaaS offerings are out and generally available, a lot of new workloads can be enabled with Windows Azure: workloads like SQL Server, SharePoint, System Center 2012, server roles like AD, ADFS, DNS and so on, and even Team Foundation Server. The list of server software that is currently supported in Windows Azure Virtual Machines can be found here.

But knowing what we can leverage in the Cloud isn’t enough; every feature has its tricks in order to take the best out of it. In this case, in order to get the best performance out of Windows Azure Virtual Machines, I’ll provide you with a list of things you should always do, making your life easier and the performance a lot better.

1. Place each data disk in its own storage account to improve IOPS

Last November 2012 Windows Azure Storage had an update called “Windows Azure’s Flat Network Storage” which provided new scalability targets for blob storage accounts. In this case the target went from 5,000 to 20,000, which means that we can now have something like 20,000 IOPS per storage account.

Having 20,000 IOPS is good, but if we have several disks for the same Virtual Machine in one storage account this means that we’ll need to share those IOPS among all those disks, so if we have 2 disks in the same storage account we’ll have 10,000 IOPS for each one (roughly). This isn’t optimal.

So, in order to achieve the optimum we should create each disk in a separate storage account, because that means each disk has its own 20,000 IOPS just for itself, not shared with any other disk.

2. Always use Data Disks for Read/Write intensive operations, never the OS Disk

Windows Azure Virtual Machines have two types of disks: OS Disks and Data Disks. The OS Disk’s goal is to hold everything that has to do with the OS installation or any other product installation, but it isn’t a good place to install your highly intensive read/write software. For that you should leverage Data Disks, because their goal is to provide faster read/write capability and also to separate this workload from the OS Disk.

So since data disks are better than OS Disks it’s easy to understand why we should always place read/write intensive operations on data disks. Just be careful with the maximum number of data disks you can attach to your virtual machine, since it differs by VM size: 16 Data Disks is the maximum you are allowed, but for that you need an extra large virtual machine.

3. Use striped disks to achieve better performance

So we said that you should always place your read/write intensive software on data disks in different storage accounts because of the IOPS you can get, and we said it was 20k IOPS, but is that enough? Can we live with only 20k IOPS on a disk?

Sometimes the answer might be yes, but in some cases it won’t because we need more. For example if we think about SQL Server or SharePoint they will require a lot more, and so how can we get more IOPS?

The answer is data disks striped together. What this means is that you’ll need to understand your requirements and know what IOPS you’re going to need; based on that you’ll create several data disks, attach them to the virtual machine and finally stripe them together as if they were a single disk. For the user of the virtual machine it will look like a single disk, but it’s actually several disks striped together, which means each of the parts of that “large disk presented to the user” has 20k IOPS capability.

For example, imagine we’re building a virtual machine for SQL Server and that the size of the database is 1TB but requires at least 60k IOPS. What can we do?

Option 1: we could create a 1TB Data Disk and place the database files there, but that would max out at 20k IOPS only, not the 60k we need.

Option 2: we create 4 data disks of 250GB each and place each of them in its own storage account. Then we attach them to the virtual machine and in Disk Management we choose to stripe them together. Now this means that we have a 1TB disk in the virtual machine that is actually composed of 4 data disks, so we can get something like a max of 80k IOPS for it. A lot better than before.
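
The guest-side part of Option 2, as an added example that is not code from the original post: once the four 250GB data disks are attached, this script stripes them into one 1TB volume inside the VM. It uses Windows Server 2012 Storage Spaces (a simple, non-resilient space with one column per disk) instead of the Disk Management striped volume the post describes; the pool and volume names, the drive letter and the 64 KB interleave and allocation unit are assumptions. Run it elevated inside the VM.

```powershell
# Added example (not from the original post): stripe the 4 attached data disks
# into a single volume with Storage Spaces. Pool/volume names, drive letter,
# interleave and allocation unit size are assumptions.
$poolName  = 'SqlDataPool'     # assumed pool name
$vdiskName = 'SqlDataStripe'   # assumed virtual disk name
$columns   = 4                 # one column per data disk: 4 x 20k IOPS budget

# Only disks that are not initialised and not in a pool yet are eligible,
# which excludes the OS disk (C:) and the temporary disk (D:).
$disks = @(Get-PhysicalDisk -CanPool $true)
if ($disks.Count -lt $columns) {
    throw "Expected at least $columns poolable data disks, found $($disks.Count)."
}

# Create the pool from the attached data disks.
New-StoragePool -FriendlyName $poolName `
                -StorageSubSystemFriendlyName 'Storage Spaces*' `
                -PhysicalDisks $disks | Out-Null

# 'Simple' = striping without redundancy; blob storage already keeps three
# copies of each VHD. NumberOfColumns equal to the disk count spreads every
# write across all four disks, which is what gives the combined IOPS.
New-VirtualDisk -StoragePoolFriendlyName $poolName `
                -FriendlyName $vdiskName `
                -ResiliencySettingName Simple `
                -NumberOfColumns $columns `
                -Interleave 65536 `
                -ProvisioningType Fixed `
                -UseMaximumSize | Out-Null

# Initialise, partition and format the striped disk (64 KB allocation unit
# is the usual choice for SQL Server data files).
$disk = Get-VirtualDisk -FriendlyName $vdiskName | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -AllocationUnitSize 65536 `
                  -NewFileSystemLabel 'SqlData' -Confirm:$false

# Show the result: one volume backed by a 4-column simple space.
Get-VirtualDisk -FriendlyName $vdiskName |
    Select-Object FriendlyName, ResiliencySettingName, NumberOfColumns, Size
```

The check on `Get-PhysicalDisk -CanPool $true` matters: it keeps the OS and temporary disks out of the pool, and it fails early if a data disk was attached but is already initialised, rather than silently creating a stripe with fewer columns (and fewer IOPS) than planned.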

4. Configure Data Disks HostCache for ReadWrite

By now you already understood that data disks are your friends, and so one of the ways to achieve better performance with them is leveraging the HostCache. Windows Azure provides three options for data disk HostCache, which are None, ReadOnly and ReadWrite. Of course most of the times you would choose the ReadWrite because it will provide you a lot better performance, since now instead of going directly to the data disk in the storage account it will have some cached content making IOPS even better, but that doesn’t work in all cases. For example in SQL Server you should never use it since they don’t play well together, in that case you should use None instead.

5. Always create VMs inside an Affinity Group or VNET to decrease latency

Another big improvement you can make is to always place the VM inside an affinity group, or a VNET, which in turn lives inside the affinity group. This is important because when you’re creating the several storage accounts that will hold data disks, OS disks and so on, you want to make sure latency is minimized, and affinity groups provide you with that.

6. Always leverage Availability Sets to get SLA

Windows Azure Virtual Machines provide a 99.95% SLA, but only if you have 2 or more virtual machines running inside an availability set, so leverage it: always create your virtual machines inside an availability set.
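
Tips 1, 2, 4, 5 and 6 put together, as an added example that is not code from the original post: the script below provisions the SQL Server VM from the striping scenario with the classic (Service Management) Azure PowerShell cmdlets, placing the OS disk and each of the four data disks in its own storage account, setting HostCaching to None on the data disks, and creating everything inside one affinity group and an availability set. It assumes the subscription has already been selected (Import-AzurePublishSettingsFile / Select-AzureSubscription); the affinity group, storage account, cloud service, VM and availability set names are assumptions, and the image name and admin password are placeholders to fill in.

```powershell
# Added example (not from the original post): provision one VM following
# tips 1, 2, 4, 5 and 6 with the classic Azure PowerShell cmdlets.
# All names below are assumptions; image name and password are placeholders.
$location    = 'North Europe'
$affinityGrp = 'ag-sqlvm'          # assumed affinity group name
$serviceName = 'sqlvm-svc'         # assumed cloud service name (must be unique)
$vmName      = 'sqlvm01'           # assumed VM name
$availSet    = 'sqlvm-as'          # assumed availability set name
$imageName   = '<image name from Get-AzureVMImage>'   # placeholder
$adminUser   = 'sqladmin'          # assumed admin account name
$adminPass   = '<strong password>'                    # placeholder
$diskSizeGB  = 250
$dataDisks   = 4                   # 4 x 250 GB = the 1 TB SQL Server scenario

# Tip 5: one affinity group so storage accounts and VM stay close together.
New-AzureAffinityGroup -Name $affinityGrp -Location $location | Out-Null

# Tip 1: a dedicated storage account for the OS disk (names are global, lowercase).
$osAccount = 'sqlvmosdisk01'       # assumed
New-AzureStorageAccount -StorageAccountName $osAccount -AffinityGroup $affinityGrp | Out-Null

# Tip 6: the VM goes into an availability set (the SLA needs 2+ VMs in it,
# so a second VM would be created with the same -AvailabilitySetName).
# ExtraLarge is the size that allows the most data disks.
$vm = New-AzureVMConfig -Name $vmName -InstanceSize 'ExtraLarge' -ImageName $imageName `
        -AvailabilitySetName $availSet `
        -MediaLocation "https://$osAccount.blob.core.windows.net/vhds/$vmName-os.vhd" |
      Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $adminPass

# Tips 1, 2 and 4: one storage account per data disk, and HostCaching None
# because the post advises against ReadWrite caching for SQL Server.
for ($i = 0; $i -lt $dataDisks; $i++) {
    $acct = "sqlvmdata0$i"         # assumed storage account names
    New-AzureStorageAccount -StorageAccountName $acct -AffinityGroup $affinityGrp | Out-Null
    $vm = $vm | Add-AzureDataDisk -CreateNew -DiskSizeInGB $diskSizeGB `
            -DiskLabel "data$i" -LUN $i `
            -HostCaching None `
            -MediaLocation "https://$acct.blob.core.windows.net/vhds/$vmName-data$i.vhd"
}

# The cloud service is created in the same affinity group as the storage accounts.
New-AzureVM -ServiceName $serviceName -AffinityGroup $affinityGrp -VMs $vm
```

Once the VM is running, the four data disks show up in the guest as uninitialised disks, ready to be striped together as described in tip 3.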

7. Always sysprep your machines

One of the important parts of the work when we take on Windows Azure Virtual Machines is to create a generalized machine that we can later use as a base image. Some people ask me: why is this important? Why should I care?

The answer is simple: because we need to be able to quickly provision a new machine when required, and if we have a sysprepped image we’ll be able to use it as a base, reducing installation and provisioning time.

Examples of where we would need this would be for Disaster Recovery and Scaling.

8. Never place intensive read/write information on the Windows System Drive for improved performance

As stated before, OS Disks aren’t good for intensive IOPS so avoid leveraging them for read/write intensive work, leverage data disks instead.

9. Never place persistent information on the Temporary Drive (D:)

Be careful what you place on the Temporary Drive (D:), since it’s temporary: if the machine recycles it will go away, so only place there things that can be deleted without issues. Things like IIS temporary files, ASP.NET temp files, or the SQL Server TempDB (this has some challenges but can be achieved as shown here, and it’s actually a best practice).

Summary

So in summary, Windows Azure Virtual Machines are a great addition to Windows Azure, but there are a lot of tricks to make them better and these are some of them. If you need any help feel free to contact me and I’ll help you in any way possible. But best of all, start taking the best out of Windows Azure Virtual Machines today and take your solutions to the next level.

Also if you need some help doing that, please check Aditi’s offerings around Windows Azure IaaS here.

How to make Windows Azure as an Extension of On-Premises Data Center – Windows Azure Virtual Networks – Part 1

Now with Windows Azure Virtual Machines and Virtual Networks many more capabilities are available, so that we can look at Windows Azure not as ‘yet another platform’ outside our network, but really think of it as a real extension of our On-Premises Data Center. Of course this always depends on the type of company we are talking about: for Enterprises this is a MUST-HAVE, because they still have a lot of investments in the On-Premises world, and some that aren’t ready, and might never be, for the Public Cloud; for ISVs it isn’t that important, because they want to reduce their On-Premises needs as much as possible.

In order to achieve this extension there is a key component in Windows Azure, Windows Azure Virtual Network, since it allows creating a VPN between On-Premises and your Windows Azure resources. But there are some important considerations to keep in mind, like:

  • Windows Azure Virtual Networks is currently still in Preview.
  • In order to use Windows Azure Virtual Network you need a router device that supports VPN at the On-Premises location.
  • The On-Premises VPN devices that are currently tested can be found here. This doesn’t mean that they are the only ones you can use; it just means that those are a lot simpler to configure, because Windows Azure provides a configuration file that you import into the device and it’s done.
  • Windows Azure Virtual Networks do not span Regions or Subscriptions, which means that if you have multiple deployments in the same region and within the same subscription you can use the same VNET; if not, you’re required to create multiple VNETs. Here are some scenarios:
    • Scenario A:
      • Description: Subscription A has Service B deployed in Windows Azure Cloud Services in the North Europe region and Service C deployed in Windows Azure Cloud Services in the West Europe region.
      • Comments: Even though they are in the same subscription, since they are in different regions you would need to create a VNET for Subscription A in the North Europe region and another in the West Europe region.
    • Scenario B:
      • Description: Subscription A has Services A and B deployed in Windows Azure Cloud Services or Windows Azure Virtual Machines, and it’s required that they are in the same VNET.
      • Comments: In this case you only need one VNET for both, since they span neither subscriptions nor regions.
    • Scenario C:
      • Description: Subscription A has Services B and C deployed in Windows Azure Cloud Services within the same region, but the connection between them needs to be secured.
      • Comments: In order to achieve this it’s only required to create one VNET, since they are in the same subscription and region, but with 2 different subnets, one for each service; it’s then the On-Premises VPN/Firewall device that creates the restrictions for each subnet.
    • Scenario D:
      • Description: Subscription A has Service B deployed in Windows Azure in the North Central US region, and Subscription C has Service D deployed in Windows Azure in the North Central US region, but they need to communicate with each other.
      • Comments: In order to achieve this it’s required to create 2 separate VPN connections, one for Subscription A and another for Subscription C, because VNETs don’t span across different subscriptions even if they are in the same region.
  • Currently there’s no ACLing for subnet isolation, so that needs to be done in one of three ways:
    • Create a different VNET for each subnet, so that they don’t know about each other.
    • Perform the ACLing and restrictions between the different subnets at the Windows Firewall level of the instance.
    • Perform the ACLing in an On-Premises firewall device.
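
The second of those three options (ACLing at the Windows Firewall level of the instance), as an added example that is not code from the original post: for Scenario C, with Service B and Service C in separate subnets of one VNET, this script runs on a Service C instance (Windows Server 2012 or later) and restricts its application port to the Service B subnet only. The subnet ranges, the port (SQL Server’s 1433) and the rule names are assumptions; the VNET itself provides no such filtering in this preview, so the rules must be applied on every instance that needs isolating.

```powershell
# Added example (not from the original post): subnet isolation on the Windows
# Firewall of a Service C instance in Scenario C. Subnet ranges, port and rule
# names are assumptions. Run elevated on the instance.
$serviceBSubnet = '10.0.1.0/24'   # assumed: subnet hosting Service B (allowed)
$otherSubnet    = '10.0.3.0/24'   # assumed: another subnet that must not reach Service C
$port           = 1433            # assumed: SQL Server on the Service C instances

# Allow the application port only from Service B's subnet. Anything not matched
# by an Allow rule falls to the profile's default inbound action (Block).
New-NetFirewallRule -DisplayName "Allow TCP $port from ServiceB subnet" `
    -Direction Inbound -Protocol TCP -LocalPort $port `
    -RemoteAddress $serviceBSubnet -Action Allow -Profile Any | Out-Null

# Explicitly block the port from the other subnet. Block rules win over Allow
# rules whenever both match, so this rule is scoped to that subnet alone and
# deliberately does not overlap the allowed range above.
New-NetFirewallRule -DisplayName "Block TCP $port from other subnet" `
    -Direction Inbound -Protocol TCP -LocalPort $port `
    -RemoteAddress $otherSubnet -Action Block -Profile Any | Out-Null

# Verify: the rules that apply to the port, and the default inbound action of
# each profile (it should be Block, otherwise the Allow rule is meaningless).
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$port" } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile

Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Keeping the Block rule narrow is the important design choice: a Block rule covering the whole VNET address space would also match traffic from the Service B subnet and, because Block takes precedence over Allow, would cut Service B off as well.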

So by leveraging Windows Azure Virtual Networks we’ll be able to connect everything we have deployed in Windows Azure Compute with our On-Premises Data Center. By doing this, companies gain the ability to leverage more of their existing investments and to look at Windows Azure more as an "extension of the Data Center" and less as a "black box" over which they don’t have much control.

In future posts I’ll go through the process of how-to setup a new Windows Azure Virtual Network between On-Premises and Windows Azure.

March 2013 Windows Azure Speaking Engagements

I’ve been doing a lot of work in Windows Azure, both in the PaaS and IaaS world, and since we’re entering the typical time when the Cloud Events start to happen, I’d like to share where you guys can see me talking about Windows Azure.

The events I’m currently speaking at are:

DevWeek 2013 (http://www.devweek.com/ and http://www.devweek.com/speakers/)

March 5th

– SQL Azure overview – how to develop and manage it (http://www.devweek.com/sessions/conference1.asp)

· In this session we will be looking at an overview of SQL Azure in terms of Architecture, Application Topologies that can be used and its Provisioning Model. We’ll also be looking at how Deployment can be done, and which Security we can expect on it. One of the important parts will be understanding the elements that are currently supported and not supported on the current version of SQL Azure, and what we can expect about the future.

– Advanced SQL Azure – performance and scalability (http://www.devweek.com/sessions/conference1.asp)

· In this session we’ll look at some more important SQL Azure topics like performance and scalability, and how concepts like Sharding, SQL Azure Federation are important in order to achieve scalability improvements. We will also look at how SQL Azure Data Sync is important for these concepts and also to keep a local replica of the SQL Azure Database, SQL Azure Backups, Import and Exports and other new features that are being release by the SQL Azure team.

March 6th

– Tips & tricks to build Multi-Tenant databases with Windows Azure SQL Databases (http://www.devweek.com/sessions/conference2.asp)

· When we talk about the Cloud it’s very important that we build our solutions in a highly scalable way as well as in a Multi-Tenant way, since this actually helps us lower the costs to the end customer and so grab the long tail. In order to do this a lot of adjustments need to happen on the database side of things, and in this session we’ll look at ways we can achieve Multi-Tenancy with Windows Azure SQL Databases, and how that can be integrated with the work performed while scaling out Windows Azure SQL Databases using SQL Federations.

TechDays Netherlands 2013 (http://www.microsoft.com/netherlands/techdays/home.aspx and http://www.microsoft.com/netherlands/techdays/SpeakerDetail.aspx?speakerId=1441)

March 7th

– Crash Course on "Automating deployments in Windows Azure Virtual Machines". How and which tools? (http://www.microsoft.com/netherlands/techdays/SessionDetail.aspx?sessionId=3735)

· Windows Azure Virtual Machines have a very interesting interface in the new Windows Azure management portal and it’s very usable when thinking about a small number of Virtual Machines, but when we start building large deployments like 10, 20, 100, 500 virtual machines with VNETs, failover, and so on things start to be different and less doable using the management portal. For this type of work we actually need some form of automation and this is actually what we’ll be covering in this session. And so in this session we’ll look at tools that can enable us to automate Windows Azure Virtual Machines deployments, like PowerShell, ScaleXtreme, RightScale, and other in order to take the automation issue out of the way and really take advantage of Windows Azure.

March 8th

– Lessons Learned: Bridging Windows Azure and On-Premises environments with Windows Azure Virtual Network (http://www.microsoft.com/netherlands/techdays/SessionDetail.aspx?sessionId=3736)

· Windows Azure Virtual Network is a very important feature in Windows Azure since it provides a way to extend the existing On-Premises environment into the Cloud, making Windows Azure look like an extension of the already existing Data Center. Setting up a Virtual Network seems simple, but there are some important topics that need to be considered. Topics like: Which DNS should I use? How do I create DMZs within the Cloud? How do I place PaaS components in the same Virtual Network? How do I configure the Gateway between Cloud and On-Premises? How do I troubleshoot the connection? These are some of the concerns that you normally handle when configuring and using Windows Azure Virtual Networks, and so in this session we’ll cover these topics based on the lessons learned from doing this with a great deal of customers, going through each of those concerns.

Achieve High Availability with SQL Server on Windows Azure Virtual Machines (http://www.microsoft.com/netherlands/techdays/SessionDetail.aspx?sessionId=3737)

· SQL Server has been massively used by organizations in order to provide an RDBMS, and when moving into the Cloud one of the elements that normally caused some concerns was ‘THE DATABASE’, since SQL Databases are Shared Instances and don’t have feature parity with SQL Server, which causes some changes in the existing codebase. Now Windows Azure Virtual Machines open a new door for the Cloud Migration process, since they allow us to completely move our SQL Server into the Cloud and keep feature parity with On-Premises, which is important. But with this great news some new concerns appear as well. Concerns like how to achieve High-Availability, Failover, Clustering, Data Security and so on with SQL Server in Windows Azure Virtual Machines. In this session we’ll look at SQL Server in Windows Azure and how we can use it to achieve a Highly Available environment for our RDBMS.

Lessons Learned: Taking the best performance out of Windows Azure Virtual Machines (http://www.microsoft.com/netherlands/techdays/SessionDetail.aspx?sessionId=3738)

· Windows Azure Virtual Machines are still new in Windows Azure and need a lot of tweaks in order to take the best out of their capabilities. After working with them since the very beginning, a lot of lessons were learned in the process in terms of how to achieve the best performance. In this session we’ll cover some topics and strategies that will enable us to take the best performance out of Windows Azure Virtual Machines while at the same time achieving the best SLA possible.

Hope to see you in one of my sessions and if you would like to send any requests for some of the sessions you’re attending just send me a Tweet for @NunoGodinho. This way I’ll be able to create those Windows Azure sessions more related to what all of you really want to see.