Microsoft Inspire: 3 Azure Security Takeaways for Partners

Dan Mannion

By Dan Mannion, VP, partners & alliances, Armor

I recently had the pleasure of attending my 12th Microsoft Inspire conference, mingling with more than 17,000 partners from around the world and several thousand Microsoft leaders. Notably, Microsoft CEO Satya Nadella outlined a $4.5+ trillion-dollar opportunity for Microsoft partners to take advantage of its innovations in cloud computing, natural UIs and IoT, which are key components of the digital transformation underway for the vast majority of organizations.

For security-minded folks like me, the true highlight, however, was Brad Smith’s keynote. For the first time ever, one of Microsoft’s most senior execs dedicated 20-minutes of prime stage time to emphasizing cybersecurity and the growing threat to organizations and individuals alike. Smith also focused on the responsibility we have to secure customer data in the cloud.

I’d argue that Microsoft, more than any company, has a unique view of the increasing challenges we face from ransomware like WannaCry, Petya, NotPetya; new regulations such as the EU’s GDPR and South Africa’s POPI; and a severe cybersecurity talent shortage. He called on the industry to share the responsibility to keep customer data safe, so I thought I’d take a moment and highlight what that means for partners helping  customers moving to Azure.

The Azure Shared Responsibility Model states very simply that Microsoft will secure the cloud – physical data centers, networks – and control access by Microsoft employees to ensure customers their data will not be compromised from those vectors. However, once a customer puts their application(s) in the cloud, the customer is responsible for securing the virtual machines, application servers, database servers and all the network ports used to access cloud applications.

Unfortunately, this concept is misunderstood by most customers. In fact, in one IDC study surveying IT leaders about who’s responsible for the security of their applications in the cloud, 85 percent said the cloud provider.

Wrong. The correct answer is the person in the mirror. When we help customers understand this responsibility, it typically raises questions in three key areas:

• Security in Azure is different from your own data center. When you move an application to Azure, you quickly realize the customer IT team doesn’t have the same level of access, control and visibility that they did in their own data center. To Microsoft’s credit, they have invested heavily to provide more visibility through the Azure Security Center dashboard, but even though they provide more data, you still need super smart, 24×7 cybersecurity professionals to correlate that data with other sources to get an accurate picture of what threat actors are attempting to do to your environment. And, these attempts are relentless.
• All Azure IP addresses are published. Every threat actor on the planet can find the IP addresses of Azure, and AWS, for that matter. If you’re a threat actor, and you understand that most customers aren’t putting appropriate security controls in place in the cloud, then all you have to do is scan those IP ranges and find common/known vulnerabilities to exploit. We’ve tested this by launching unprotected IaaS environments in Azure and AWS. Within 2 minutes, they are being scanned for holes, and in a matter of 10-15 mins, threat actors have injected malware onto the VMs and taken control.
• Hybrid security is difficult.  While most CIOs are ready to shut down their data centers and get out of the business of server and network maintenance, the reality is it will take years to migrate and re-architect applications to the public cloud. That leaves the CIO and her security team with a hybrid computing experience, and an even more challenging hybrid security experience.

As CIO, do you make it one person’s full-time job to secure applications in Azure? Do you cross-train your entire team? Can you re-use your response and remediation plan for Azure, or do you need to design a new one? If your credentials in the cloud get compromised, does that raise your risk of compromise in your own data center? What new approaches will be needed for compliance audits, and have any audit risks been introduced?

We’ve heard from top Microsoft executives loud and clear that the threat landscape and compliance regulations are getting more difficult to keep up with. Partners have a shared responsibility to help customers be secure. While the challenge is real, being prepared starts by doing your homework to understand exactly what your role in security is and applying resources accordingly. With appropriate planning and an organizational commitment to make security a priority, CIOs can realize the full benefits of the cloud so they can focus on productivity and performance.

Dan Mannion is vice president, partners & alliances at Armor, the First Totally Secure Cloud Company that keeps sensitive, regulated data safe and compliant in the cloud. For more information, visit www.armor.com.