Microsoft Boosts Azure Security With Array of New Tools
25.9.2018 securityweek Security
At its Ignite conference this week, Microsoft announced improved security features for Azure with the addition of Microsoft Authenticator, Azure Firewall, and several other tools to the cloud computing platform.
After announcing Azure Active Directory (AD) Password Protection in June to combat bad passwords, Microsoft is now bringing password-less logins to Azure AD connected apps with the addition of support for Microsoft Authenticator.
The tool, Microsoft claims, can replace passwords with “a more secure multi-factor sign in that combines your phone and your fingerprint, face, or PIN.” In addition to reducing risks, this approach also offers a better user experience by eliminating passwords.
To better protect networked resources in Azure, Microsoft is making ExpressRoute Global Reach and Azure Virtual WAN generally available, adding them to built-in services such as network security groups, Web Application Firewall (WAF), Virtual Private Network, and DDoS protection.
Microsoft also announced ExpressRoute support in preview for Virtual WAN, for seamless transit across VPN, SDWAN and ExpressRoute circuits connected to Virtual WAN.
Azure Firewall also becomes generally available, allowing organizations to enforce their network security polices while also taking advantage of the cloud. Additionally, there’s Azure Virtual Network TAP, which delivers “tap” capabilities for virtual networks, allowing for the continuous mirroring of traffic from a virtual network to a packet collector with Virtual Network terminal access point (TAP).
“The mirrored traffic is a deep copy of the inbound and outbound VM network traffic and can be streamed to a destination IP endpoint, a 3rd party security appliance or an internal load balancer, in the same virtual network or peered virtual network,” Microsoft explains.
To protect data not only when in transit or being stored, but also while it’s in use, Microsoft is enabling confidential computing for its cloud platform, to protect “the confidentiality and integrity of customer data and code while it’s processed in the public cloud through the use of Trusted execution environments (TEEs).”
Backed by the latest generation of the Intel Xeon processors with Intel SGX, a new family of virtual machines in Azure (DC series) is now accessible to all Azure customers, allowing them to build, run, and test SGX based applications and leverage confidential computing.
The Redmond-based software giant also plans on open-sourcing a new SDK “to provide a consistent API surface and enclaving abstraction, supporting portability across enclave technologies and flexibility in architecture across all platforms from cloud to edge,” and which will get support for Intel SGX technology and ARM TrustZone soon afterward.
Customers can now leverage Azure Security Center to customize their SQL Information Protection policy, in addition to being able to discover, classify, label, and protect sensitive data in Azure SQL Database using the capabilities in Azure SQL.
The Security Center continuously assesses the security state of workloads across Azure, other clouds, and on-premises, and can also identify vulnerabilities and provide customers with actionable recommendations. Starting this week, new capabilities will arrive in Security Center, such as Secure Score, which delivers a dynamic report card for one’s security posture and which now covers all of Microsoft 365.
Microsoft also announced Microsoft Threat Protection this week, which combines detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure in the Microsoft 365 admin console.
The company is also expanding its threat protection capabilities “to include detecting threats on Linux, Azure Storage, and Azure Postgress SQL and providing endpoint detection and response capabilities for Windows Server by integrating with Windows Defender ATP.”
Building on the Information Protection solutions launched last year, Microsoft is now rolling out the Security & Compliance center to deliver a single, integrated approach to creating data sensitivity and data retention labels.
“We are also previewing labeling capabilities that are built right into Office apps across all major platforms, and extending labeling and protection capabilities to include PDF documents. The Microsoft Information Protection SDK, now generally available, enables other software creators to enhance and build their own applications that understand, apply, and act on Microsoft’s sensitivity labels,” Microsoft says.
Microsoft says it is also working with tech companies, policymakers, and institutions on strategies to protect the midterm elections. In June, the Windows maker launched the Defending Democracy program to “protect political campaigns from hacking, increase security of the electoral process, defend against disinformation, and bring greater transparency to political advertising online” and plans on expanding it globally.
“Part of this program is the AccountGuard initiative that provides state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state, and local level, as well as think tanks and political organizations. We’ve had strong interest in AccountGuard and in the first month onboarded more than 30 organizations,” the software company notes.
The tech giant also plans on launching a new key management solution, Azure Dedicated hardware security module (HSM), to provide customers with full administrative and cryptographic control over the HSMs that process their encryption keys. Furthermore, Microsoft plans to improve the existing processes for the instances when a customer asks it to access their computer resources to resolve an issue.