Microsoft has announced new security features for customers of its Azure cloud computing service.
They are a mix of features for storage and compute services:
- Advanced Threat Protection for Azure Storage
- A regulatory compliance dashboard in Azure Security Center
- Security assessments, recommendations and disk encryption for Virtual Machine Scale Sets
- Azure Dedicated Hardware Security Module (HSM) service availability in more regions.
Azure ATP and the regulatory compliance dashboard
Advanced Threat Protection, which detects unusual and potentially harmful attempts to access or exploit storage accounts, can currently be enabled only for Blob storage (object storage for unstructured data).
Security alerts are triggered when anomalies in activity occur: access from an unusual location, anonymous access, access by an unusual application, data exfiltration, unexpected delete operations, access permission change, and so on.
Admins can view these alerts via Azure Security Center and can also choose to be notified of each of them via email. The notification includes information about the nature of the anomaly, the storage account name, the time of the event, the storage type, potential causes, proposed investigation and remediation steps.
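To make the alert categories above concrete, here is an added illustration (not Microsoft's detection logic, log format or alert schema) of how a baseline-versus-window check over storage access records produces alerts of those kinds. The log records, field names, operation names and thresholds are all constructed assumptions for the example; in practice the alerts come from Azure Security Center and the email notification carries the same kind of detail (account name, event time, nature of the anomaly).

```python
# Added example: a simplified, constructed illustration of the anomaly
# classes listed for Advanced Threat Protection for Azure Storage.
# This is NOT Microsoft's detection logic or log format. Records,
# operation names and thresholds are assumptions made for the example.
from collections import defaultdict
from typing import NamedTuple


class Record(NamedTuple):
    time: str
    account: str
    operation: str
    auth: str        # constructed values: "Key", "SAS" or "Anonymous"
    country: str     # country derived from the caller's IP (constructed)
    app: str         # client application / user agent (constructed)
    bytes_out: int   # bytes returned to the caller


class Alert(NamedTuple):
    account: str
    kind: str
    time: str
    detail: str


# Assumed thresholds for the example, not Microsoft's.
EXFIL_BYTES = 100 * 1024 * 1024   # more than 100 MiB returned by one request
DELETE_BURST = 3                  # more than this many deletes in one window
PERMISSION_OPS = {"SetContainerACL"}  # constructed "permission change" op name

# Constructed history: normal activity used to learn a per-account baseline.
HISTORY = [
    Record("2019-03-01T09:00:00", "contoso-blob", "GetBlob", "SAS", "US", "AzCopy", 4096),
    Record("2019-03-01T09:05:00", "contoso-blob", "PutBlob", "Key", "US", "AzCopy", 0),
    Record("2019-03-02T10:00:00", "contoso-blob", "GetBlob", "SAS", "US", "app-backend", 2048),
    Record("2019-03-02T11:00:00", "contoso-blob", "GetBlob", "Key", "US", "app-backend", 1024),
]

# Constructed window under evaluation, containing one record per anomaly class.
WINDOW = [
    Record("2019-03-10T02:00:00", "contoso-blob", "GetBlob", "Anonymous", "US", "curl", 512),
    Record("2019-03-10T02:01:00", "contoso-blob", "GetBlob", "SAS", "XX", "AzCopy", 1024),
    Record("2019-03-10T02:02:00", "contoso-blob", "GetBlob", "SAS", "US", "AzCopy", 900_000_000),
    Record("2019-03-10T02:03:00", "contoso-blob", "DeleteBlob", "Key", "US", "app-backend", 0),
    Record("2019-03-10T02:03:10", "contoso-blob", "DeleteBlob", "Key", "US", "app-backend", 0),
    Record("2019-03-10T02:03:20", "contoso-blob", "DeleteBlob", "Key", "US", "app-backend", 0),
    Record("2019-03-10T02:03:30", "contoso-blob", "DeleteBlob", "Key", "US", "app-backend", 0),
    Record("2019-03-10T02:04:00", "contoso-blob", "SetContainerACL", "Key", "US", "app-backend", 0),
]


def build_baseline(history):
    """Learn, per account, the countries and applications seen in normal activity.
    An account with no history gets empty sets, so everything about it is 'unusual'."""
    baseline = defaultdict(lambda: {"countries": set(), "apps": set()})
    for r in history:
        baseline[r.account]["countries"].add(r.country)
        baseline[r.account]["apps"].add(r.app)
    return baseline


def detect(history, window):
    """Compare each record in the window against the baseline and emit alerts."""
    baseline = build_baseline(history)
    alerts = []
    deletes = defaultdict(list)   # account -> times of delete operations
    for r in window:
        b = baseline[r.account]
        if r.auth == "Anonymous":
            alerts.append(Alert(r.account, "AnonymousAccess", r.time, r.operation))
        if r.country not in b["countries"]:
            alerts.append(Alert(r.account, "UnusualLocation", r.time, r.country))
        if r.app not in b["apps"]:
            alerts.append(Alert(r.account, "UnusualApplication", r.time, r.app))
        if r.bytes_out > EXFIL_BYTES:
            alerts.append(Alert(r.account, "DataExfiltration", r.time, f"{r.bytes_out} bytes"))
        if r.operation in PERMISSION_OPS:
            alerts.append(Alert(r.account, "AccessPermissionChange", r.time, r.operation))
        if r.operation == "DeleteBlob":
            deletes[r.account].append(r.time)
    # Delete bursts are a property of the whole window, not a single record.
    for account, times in deletes.items():
        if len(times) > DELETE_BURST:
            alerts.append(Alert(account, "UnexpectedDelete", times[-1], f"{len(times)} deletes"))
    return alerts


if __name__ == "__main__":
    for a in detect(HISTORY, WINDOW):
        print(f"{a.time} {a.account} {a.kind}: {a.detail}")
```

Running the block prints six alerts for the constructed window: the anonymous `curl` request raises both an anonymous-access and an unusual-application alert, the request from country `XX` an unusual-location alert, the 900 MB download a data-exfiltration alert, the four deletes a single unexpected-delete alert, and the ACL change an access-permission-change alert. The point to take from it is that most of these categories depend on a learned baseline per account, which is why the service needs to observe normal activity before its location and application alerts become meaningful.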
The new regulatory compliance dashboard provides insight into the compliance posture of customers’ Azure environments for a set of supported standards and regulations (e.g., PCI DSS 3.2, ISO 27001, etc.). It provides recommendations for improving the security posture and enables companies to generate compliance status reports for internal and external auditors and executives.
“In addition, you can now automate compliance processes and manage them at scale using programmatic APIs,” noted Gilad Elyashar, Principal Group PM Manager, Azure Security Center.
Increased security for Virtual Machine Scale Sets (VMSS)
Azure virtual machine scale sets let Azure customers create, manage, configure, and update a large number of identical, load-balanced VMs, to build large-scale services for areas such as compute, big data, and container workloads.
The number of VM instances can automatically increase or decrease in response to demand or a defined schedule.
Customers can now also monitor and improve their security posture, reduce vulnerabilities and detect threats with Security Center’s advanced threat detection capabilities.
Microsoft has also made available Azure Disk Encryption for VMSS, for Windows and Linux Virtual Machine Scale Sets in Azure public regions.
“Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption of disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets. The solution also ensures that all data on the VM disks are encrypted at rest in your Azure Storage,” Elyashar explained.
The feature is supported in many (but not all) scenarios, and there are prerequisites for its use.
Finally, the company is extending the Azure Dedicated Hardware Security Module (HSM) service to six new public regions in the UK, Canada and Australia.
The service provides cryptographic key storage in Azure and is aimed at customers requiring FIPS 140-2 Level 3 validated devices and complete, exclusive control of the HSM appliance.