Microsoft explains which cloud security problems are your problem
And reveals that for really bad problems, Microsoft will break Azure to fix it
Microsoft has issued guidelines about Azure security that spell out when a problem is your problem and when a problem is Microsoft's problem.
Two documents explain Redmond's approach to problem-solving. The first is called Shared Responsibilities for Cloud Computing (PDF) and explains how Microsoft divides responsibility for security.
The basic tenets of Redmond's approach are:
- All on-premises IT is your problem
- When you use Azure for infrastructure-as-as-service:
- buildings, servers, networking hardware, and the hypervisor are Microsoft's problem
- the operating system, network configuration, applications, identity, clients, and data are your problem
- When you use platform-as-a-service:
- Network controls become Microsoft's problem
- the OS, applications, identity, clients and data are still your problem
- When you use SaaS, everything is Microsoft's problem but data classification, end-point security and user management, all of which remain your problem
Microsoft's also released a new white paper titled Microsoft Azure Security Response in the Cloud (PDF) that explains how the company responds when its cloud has a problem.
The document reveals that Redmond uses the following five steps to patrol Azure's borders:
- Customer reports via the Customer Support Portal that describe suspicious activity attributed to the Azure infrastructure (as opposed to activity occurring within the customer’s scope of responsibility)
- Security vulnerabilities are reported to the Microsoft Security Response Center via firstname.lastname@example.org. MSRC works with partners and security researchers around the world to help prevent security incidents and to advance Microsoft product security.
- Security Blue and Red teams activity. This strategy uses a highly skilled Red team of experts to attack potential weaknesses in Azure and the security response (Blue team) to uncover the Red team’s activity. Both Red and Blue team actions are treated as a means to verify that Azure security response efforts are managing security incidents. Security Red team and Blue team activities are operated under requirements of responsibility to help ensure the protection of Customer Data.
- Detections of suspicious activities by internal monitoring and diagnostic systems within the Azure service. These alerts could come in the way of signature-based alarms such as antimalware, intrusion detection or via algorithms designed to profile expected activity and alert upon anomalies.
- Escalations for operators of Azure Services. Microsoft employees are trained to identify and escalate potential security issues.
The rest of the document is a bit less revealing, although the section on mitigation actions does say that Redmond's effort to fix Azure “may result in a temporary outage.”
“Such decisions are not taken lightly,” the document says. “When such an aggressive mitigation occurs, the standard processes for notifying customers of outages and recovery timelines would apply.”
The rest of Redmond's response process is below, in a diagram and table from the document. ®
Wheels within wheels within wheels: the Microsoft security spin