Understanding the Azure IAAS Security Architecture
There is a new whitepaper published by Microsoft that explains the security architecture of Windows Azure. You can download it. The whitepaper highlights the key security concepts and features of the Windows Azure Infrastructure as a Service offering.

Virtual Security, not Physical Security

One of the key security safeguards in the traditional infrastructure world is physical isolation of networks and servers. In the cloud world this no longer exists, because all the servers are virtual. This applies across multiple customers as well: you have no guarantee that your servers are not on the same physical host as some other customer's. This is the key challenge in overcoming traditional security policies, attitudes and approaches, because most of them, written years ago, prescribe physical network isolation and/or physical environment isolation. As we move to cloud-based infrastructures, we will need to find other ways to ensure isolation of environments beyond physical boxes.

How does Windows Azure protect your environment from other customers? The answer is twofold: 1) network traffic between VMs is highly secured and managed by the Windows Azure Service; 2) the Windows Azure Service is itself highly secured and protected from customer VMs through "multiple layers" of security.

Virtual Network Isolation within a customer

Azure supports two concepts of virtual network isolation. A "Deployment" is an isolated environment that allows the VMs within it to talk to each other through private IP addresses. A "Virtual Network" allows communication between deployments through specified IP channels and is isolated from other virtual networks.

Isolating Traffic Coming from the Internet

By default, every VM has all traffic from the Internet blocked except for the remote management ports. When you create a VM, you add additional endpoints if you deem them appropriate; for example, you could add an FTP endpoint that accepts traffic through port 21 for sending and receiving files. In addition to specifying the endpoints, administrators can further restrict them through additional rules, such as IP access control lists or only allowing traffic from a site-to-site VPN. The key statement here is this one: if an application exposes input endpoints, it should follow the same security model as if it were running open on the Internet.

Be Careful about Traffic Crossing Regions

Communication across regions (e.g. servers in North America shuttling data to servers in Europe) is deemed less secure than communication within a region: if an application sends or receives any sensitive data across Windows Azure regions, then the communications must be encrypted. Cross-region traffic transits over a WAN and is more open to interception. Administrators should pay attention to this specific scenario, because some will be looking to use multiple regions for increased high availability and disaster recovery.

Integrating Azure Networks
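Returning to the endpoint restrictions described under "Isolating Traffic Coming from the Internet" above, here is an added example (not from the whitepaper or this post) using the classic Service Management Azure PowerShell cmdlets: the FTP endpoint from the text, first opened to the whole Internet, then tightened with an IP access control list. The cloud service name, VM name and corporate subnet are assumed placeholders.

```powershell
# Added example: restricting an input endpoint with an IP ACL using the
# classic (Service Management) Azure PowerShell cmdlets. Names are placeholders.
$serviceName = "contoso-svc"        # assumed cloud service name
$vmName      = "contoso-vm01"       # assumed VM name
$corpSubnet  = "203.0.113.0/24"     # assumed corporate egress range (documentation prefix)

# Weak setting: the FTP endpoint from the text, reachable from any Internet address.
# Per the whitepaper, an endpoint like this must be secured as if the service were
# running directly on the open Internet.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureEndpoint -Name "FTP" -Protocol tcp -LocalPort 21 -PublicPort 21 |
    Update-AzureVM

# Corrected setting: attach an ACL that permits only the corporate range.
# Once an endpoint ACL contains at least one Permit rule, every source address
# not matched by a Permit rule is denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule Permit -RemoteSubnet $corpSubnet -Order 100 `
    -Description "Corporate egress only" -ACL $acl

Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name "FTP" -Protocol tcp -LocalPort 21 -PublicPort 21 -ACL $acl |
    Update-AzureVM

# Check the result: the endpoint should now carry the Permit rule in its Acl.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureEndpoint -Name "FTP"
```

The same ACL object can be reused on every other endpoint you expose, so that the "open on the Internet" surface is limited to the ranges you actually intend to serve.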
