You’ve got word that your group is tasked with moving to the cloud and one of the cloud providers you’ll be working with is Microsoft Azure.

Great!

Now you’re thinking “what about security?”

Good question.

Microsoft Azure has a ton of security built right into the platform. You can learn about Azure platform security (which you get with any service you run on Azure) by visiting the Microsoft Trust Center. There you’ll learn about what we do on at the Azure platform level to secure the services and information you place in Azure.

If you want to dive into Azure security technical details, architecture, and best practices, then head on over to the Azure Security Information site.

The next step is to start learning about the services, features and technologies that we make available to you that you can use to enhance the security of the services you build on Azure. There are a lot of them to choose from, so to help you get started, we’ve compiled a list of what we consider to be the “top 10” to start with. Over time, you’ll discover more – but make sure you know about these first!

1. Azure Security Center

Azure Security Center provides you a central location from which you can assign security policies, get security recommendations, and receive alerts and remediations for IaaS and PaaS assets you place in Azure. With Azure Security Center you’ll:

• Have a better understanding of your overall security state
• Be able to define security policies for your subscriptions and resource groups
• Easily deploy integrated security partner solutions
• Take advantage of advanced threat detection and quickly respond to threats

Azure Security Center is our elite security offering for protecting your Azure assets.

For more information Azure Security Center check out What is Azure Security Center.

2. OMS Security & Compliance

Operations Management Suite (OMS) Security and Compliance compliments and extends the advanced detection and alerting capabilities found in Azure Security Center by including your on-premises resources. Similar to Azure Security Center, OMS Security & Compliance helps you prevent, detect and respond to threats.

With OMS Security & Compliance you can:

• Analyze and investigate incidents
• Detect threats before they happen
• Streamline security audits

For more information about OMS Security & Compliance, check out Operations Management Suite | Security & Compliance

3. Azure Key Vault

Azure Key Vault is your Hardware Security Module (HSM) in the cloud. You can use Azure Key Vault to store and encrypt keys and small secrets like passwords using keys stored in Azure Key Vault HSMs. You can also monitor and audit key and secret usage by taking advantage of Azure Logging – all you need to do is pipe your logs in Azure HDInsight or your on-premises (or cloud) Security Information and Event Management (SIEM) system and you can get even more information and insights about key use (and abuse).

For more information about Azure Key Vault, check out What is Azure Key Vault.

4. Azure Disk Encryption

Azure Disk Encryption lets you encrypt your Windows and Linux Azure Virtual Machine disks. Azure Disk Encryption uses industry standard BitLocker for Windows VMs and DM-Crypt for Linux VMs to provide volume encryption for the OS and the data disks. Azure Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks are encrypted at rest in your Azure storage. With Azure Disk Encryption, even if you’re virtual machine disks are stolen, the attacker will not be able to access the data on the encrypted disk.

For more information about Azure Disk Encryption, check out Azure Disk Encryption for Windows and Linux Azure Virtual Machines

5. Azure Storage Service Encryption

Azure Storage Service Encryption helps you protect data to meet organizational security and compliance commitments. With this feature, Azure Storage automatically encrypts your data prior to persisting to storage and decrypts it prior to retrieval. The encryption, decryption, and key management opaque to users so they never need to do anything to make it happen. Azure Storage Service Encryption enables you automatically encrypt block blobs, page blobs and append blobs.

For more information about Azure Storage Service Encryption, check out Azure Storage Service Encryption for Data at Rest (Preview).

6. Azure SQL Transparent Data Encryption

SQL Transparent Data Encryption helps protect your data in a scenario where the physical media (such as drives or backup tapes) are stolen so that a malicious party can just restore or attach the database and browse the data. One solution is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data with a certificate. This prevents anyone without the keys from using the data. TDE performs real-time I/O encryption and decryption of the data and log files for both SQL Server in Azure Virtual Machines as well as Azure SQL.

For more information about Azure SQL Transparent Data Encryption, check out Transparent Data Encryption.

7. Azure SQL Cell Level Encryption

Azure SQL Cell Level Encryption allows you to select the columns you want to encrypt in your database, which can be useful in some instances when you have very large databases.

For more information about Azure SQL Cell Level Encryption, check out Recommendations for using Cell Level Encryption in Azure SQL Database.

8. Azure Log Integration

Azure Log Integration enables you to integrate logs from both Azure and on-premises assets so that you can integrate them with your on-premises Security Information and Event Management System (SIEM).

For more information about Azure Log Integration, check out Microsoft Azure Log Integration – Preview

9. Azure Active Directory Multi-Factor Authentication

Azure Active Directory Multi-Factor Authentication (MFA) enables you to increase the security of your solutions hosted on Azure by bypassing the security issues related to traditional username/password solutions. There are a number of identity verification options, such as phone call, SMS message, or mobile app notification. The solution provides real time alerts and monitoring and can be deployed on-premises, in the cloud, or both.

For more information about Azure Active Directory Multi-Factor Authentication, check out What is Azure Multi-Factor Authentication.

10. Azure Active Directory Privileged Identity Management

Azure Active Directory Privileged Identity Management (PIM) enables you can manage, control, and monitor access within your organization. This includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune.

Azure AD Privileged Identity Management helps you:

• See which users are Azure AD administrators
• Enable on-demand, “just in time” administrative access to Microsoft Online Services like Office 365 and Intune
• Get reports about administrator access history and changes in administrator assignments
• Get alerts about access to a privileged role

For more information about Azure Active Directory Privileged Identity Management, check out Azure AD Privileged Identity Management.

Thanks!

Tom

Tom Shinder
Program Manager, Azure Security
@tshinder | Facebook | LinkedIn | Email | Web | Bing me! | GOOG me!