At last, Australian businesses can access a local Azure region. Microsoft has just announced the availability of the Australia East and Australia Southeast regions. The local regions are important for speed and availability, and also for companies concerned about data residency and compliance. With Azure purchasing now available as a direct online transaction, via open license for smaller, upfront purchases and via enterprise agreements for larger organisations, I expect a raft of Australian companies to start their journey to the cloud in the coming months.
Security is often cited as one of the main concerns and inhibiting factors with cloud adoption; however, we have seen many organisations achieve levels of security in the cloud higher than in their own infrastructure. When you think about cloud computing and how the scale of investment drives the cost down to well below what the average company could achieve on their own, think about how that scale of investment is also applied to the security of the infrastructure that goes well beyond what the average company could afford.
Shared Responsibility Model
The key thing with security in Azure is that Microsoft delivers a secure infrastructure. However, the security of the data and applications loaded onto the cloud is up to you. This is called the shared security model:
“It is also important to note that a cloud platform like Azure requires shared responsibility between the customer and Microsoft. Microsoft is responsible for the platform, and seeks to provide a cloud service that can meet the security, privacy, and compliance needs of our customers. Customers are responsible for their environment once the service has been provisioned, including their applications, data content, virtual machines, access credentials, and compliance with regulatory requirements applicable to their particular industry and locale.” http://azure.microsoft.com/en-us/support/trust-center/
For a great list of the security elements involved in Azure, read here.
So when it comes to things like PCI-DSS, IRAP, APP and other compliance regulations, the infrastructure is certified. However, you also need to ensure you are taking the appropriate steps ON TOP OF what Microsoft has already done to secure the infrastructure, in order to meet your compliance requirements.
Security Management in a Hybrid or Multi-cloud model
For most organisations, barring recent start-ups, their cloud usage will be just one component of their overall infrastructure. A web server here, an Exchange server there, maybe a SharePoint server or a CRM moved into the cloud for speed, agility and to replace aging hardware – it may also be that they use multiple cloud providers for various aspects of their infrastructure.
Regardless of your usage model, the move to the cloud opens up some interesting security challenges. Workloads moving from a physical/virtual datacentre step outside the traditional boundaries and security perimeter that have been the cornerstone of a good defence. Anti-malware filtering via a gateway appliance, intrusion prevention and firewalling at the gateway are no longer the bastion preventing threats from attacking critical systems. With flexibility of workloads in the cloud, scaling up and scaling out can quickly introduce security gaps and overload traditional security choke points.
Introducing multiple clouds means organisations need to apply the same critical security controls across different environments, integrating with different systems, potentially moving with workloads as they transition from one datacentre to the other.
A new way of handling protection of systems is needed; controls need to be placed on the host so that they are:
– Adaptive: Intelligent and dynamic to always be ready when a new instance is created
– Contextually Aware: Applying the right policies to a workload based on its applications and use
– Software-based: So it is optimized for a cloud environment and can be run per host machine
– Platform-agnostic: Comprehensive capabilities regardless of the environment
The constraints of licensing software in a cloud-first world
When companies start to look at how to protect their cloud environments, they typically look at the software they use to protect their in-house servers today. After all, it makes sense to try and apply the working knowledge you have to the new servers you are deploying. One challenge arises when they start to look at the cost involved in just extending their traditional licenses to the cloud.
Adding a few servers to an existing licensing agreement is no big deal. However, most existing licensing agreements will be on an annual basis with a perpetual license and annual maintenance. When moving to the cloud, some of the key benefits are scalability and flexibility along with paying for only what you use. If a company has to pay upfront for a 12-month security license to protect a server that may not be needed a month from now, the cost benefit of the cloud will quickly disappear. Likewise, if their security software won’t allow an extra server to be protected because a license is not available when their infrastructure scales automatically, the security and compliance gaps may be disastrous.
A simple extension of a company’s on-premises security tools may not be as simple as you think.
Trend Micro Deep Security – Instant-on Security for Microsoft Azure
Deep Security provides a platform of security controls designed for virtual and cloud deployments. It combines Anti-Malware, Firewall, IDS/IPS, Log Inspection and Integrity Monitoring into a single agent that can be integrated and deployed into cloud workloads.
The Deep Security Agent is already available as an Azure VM extension which can be enabled during the creation of a VM: http://azure.microsoft.com/blog/2014/05/13/deploying-antimalware-solutions-on-azure-virtual-machines/
Deep Security can also be used to protect other cloud environments, virtual machines and physical desktops and servers.
And best of all, in a cloud environment you can pay by the hour, so you only pay to protect an Azure VM while it is running. Just like Microsoft Azure, you can pay with a credit card, purchase pre-paid credits in $100 blocks, or enter a longer-term agreement.
For more information about Trend Micro Deep Security for Microsoft Azure, visit here.
To see just how easy it is to protect an Azure VM, watch this video.
Moving workloads to the cloud requires adjustments in processes, tools, budgeting and skills – security is no different. If you’re starting your journey, we can help you secure it.