Securing Applications on Microsoft Azure

Introduction

In this white paper, we’ll delve into the mechanics of security in the cloud. Not to be confused with Security-as-a-Service (fee-based subscriptions such as security event management), our interests lie in demonstrating how to properly secure applications, services, and data – wherever they reside in the cloud services stack (IaaS or PaaS).

Specifically, we will focus on workloads running in Microsoft Azure. By integrating the capabilities of Barracuda Networks’ best-in-class virtualized CloudGen Firewall and CloudGen WAF with Microsoft Azure’s native security features, you’ll be in a superior position to deploy reliable and resilient cloud services for your enterprise, partners, and customers.

Cloud computing has faced many challenges when it comes to reliability, privacy, and security. With early incarnations, such as those from commercial service providers, sensitive corporate information was kept at a distance from public platforms. Instead, hosting was used for lightweight applications with limited needs for access to such data, including websites, collaboration tools, and real-time communications. As cloud services matured, businesses became more willing to place proprietary data in the hands of trusted SaaS partners, such as salesforce.com for CRM. And when the depth and breadth of available services evolved into more standardized infrastructure – the “as-a-Service” model – organizations started large-scale moves into the cloud with their most critical data.

Today, cloud computing has become a “must-have” to a majority of the enterprise IT community, for reasons ranging from economic gains to technology benefits. But one of the major concerns carrying over from traditional IT – data and application security – has not changed, and requires the same diligence in the cloud as with on-premises solutions.

Solution Profile

When you migrate data, applications, and processes to the cloud, you take with you the requirements to safely manage both corporate and customer information. And in most cases, you are still subject to the privacy and compliance directives of your industry, whether HIPAA, SOX, PCI, or others.

So while the cloud computing model promises great flexibility, cost savings, scalability, and other benefits, it’s essential to understand the differences between implementing effective on-premises information security and deploying the same protections in the cloud. These considerations include (but are not limited to) data governance, auditing, leak prevention, threat detection/remediation, privacy and confidentiality, information integrity, and reliability/availability.

Historically, many of these needs could be met and enforced at the edge of your corporate network. A selection of physically-wired routers, firewalls, gateways, IPS devices, and VPNs worked together to keep the bad traffic out and the good in.

But in the cloud, you can only rely on what the platform vendor offers, either natively or as value-added services on top of your subscriptions. You do not have a say in how the infrastructure behaves or what mechanisms are used to secure it, other than in how your applications interact. You cannot deploy your own firewall in the server rack, and you can’t configure the ACLs on the fabric routers.

In this sense, your previous approach to security is no longer suitable. You must trade physical control for virtual stewardship using the combination of the cloud platform’s capabilities, your application design, deployment methodology, and layered virtualized security. Indeed, you may not own the hardware, but you can certainly own what runs on it – and implement a security solution that fits your needs.

A fully-functional virtualized security appliance deployed within the framework of your environment can deliver all of the benefits of a physical device, with the flexibility only possible in a fluid software form-factor. The Barracuda CloudGen Firewall and Barracuda CloudGen WAF are optimized to run on Microsoft Azure, making it easy to protect mission-critical enterprise applications and data in the cloud.

How Does Microsoft Azure Security Work?

Microsoft Azure provides most of the same controls and security features that you would expect from Windows Server within an on-premises data center – with the one notable exception that it must operate and scale across thousands of tenant environments simultaneously.

Core security and access components include:

  • Microsoft Azure Active Directory: identity and access management capabilities in the cloud
  • Access Control Services: cloud-based service that provides simplified authentication and authorization
  • Microsoft Azure Virtual Network: logically isolated section in Microsoft Azure that connects over IPsec to your on-premises data center
  • Microsoft Azure Multi-Factor Authentication: additional layer of authentication via mobile services

With these capabilities, augmented by Windows Server’s native security functionality within a virtual machine, customers can either host their IT resources in Microsoft Azure, or easily extend their on-premises infrastructure to the cloud, without adversely affecting their security posture.

Some examples of architecture-level security features in Microsoft Azure include:

  • Storage, network, process isolation: prevents different customers’ virtual machines (VMs) or cloud services from interfering with one another’s operation
  • VM-VM/host-VM packet filtering: host-level and VM-level firewalls block unwanted traffic from crossing VM boundaries, as well as blocking tenant-to-host connections that could impact the Microsoft Azure fabric
  • Port restrictions: by default, all new VMs are deployed with deny-all policies on the native Windows Firewall, and all ports are closed to external traffic

But are these capabilities, taken by themselves, enough to protect your IT environment from all attacks and exploits? As we’ll see below, the answer is “no.”

Bringing Together Application Security and Microsoft Azure

The future data center is one which spans both on-premises physical infrastructure and cloud-based virtualized services. Whether you use platform, infrastructure, Software-as-a-Service, or a mix of all, your security strategy needs to encompass your applications and data wherever they reside.

Applying a “Defense-in-Depth” (DiD) approach means using more than one type of security measure in the data path. As a simple example, consider how your corporate email system has anti-malware, anti-spam, a front-end gateway, router ACLs, and a firewall in front of it. Putting that same resource into the cloud requires the same effort, but security capabilities also have to bridge between your local systems/users and your virtualized data center. The latter is true for both a fully-hosted IT environment in the cloud, and extended IT from existing on-premises infrastructure.

So while Microsoft Azure’s core infrastructure security stands well on its own with comprehensive authentication/authorization/access control technologies, encryption, data and storage protection, etc., it makes sense to augment it with advanced security functionality to safeguard your critical assets.

Web World

Microsoft Azure websites are built on top of the same secure infrastructure as Bing, Microsoft.com, and Office 365. In terms of reliability, it is the same platform that drives some of the world’s biggest websites and collaboration services.

However, challenges emerge as you move from service-level offerings (SaaS) from the provider to custom-developed solutions (or packaged applications) running within customers’ virtual environments (IaaS/PaaS). The cloud infrastructure should not, by its very nature, obstruct the operations of a tenant’s workload.

Thus, Microsoft Azure cannot block a poorly-designed web application from running on a VM, regardless of the security risks it might pose. However, any VM found to be the source of a DDoS or malware attack will be removed from the network by Microsoft Azure data center administrators.

In an ideal world, every web-facing application would be designed and thoroughly reviewed according to strict security-development practices, penetration-tested, and deployed using the latest embedded filtering technologies. This is a rare occurrence. As was the trend with rollouts of data-driven web systems in the past, many corporate cloud applications will get released with little security testing and limited system hardening.

When web application firewalls came along, they solved this problem by making up for inadequate design by locking down every transport, protocol, method, command, and data structure used in modern web services. Developers could now rely on the web gateway to protect the app, and CIOs could accelerate the push towards getting more of their in-house resources onto the Internet for increased employee productivity.

The present situation is nearly identical: CIOs want to move applications and services out of the expensive data center and into the commodity cloud; however, the cloud does not natively have the same protections in place as on-premises corporate resources.

As before, will developers begin rewriting their applications specifically to run effectively and securely in the cloud, or will economics win out once again, rapidly driving corporate assets onto the Internet without sufficient security considerations?

The answer is that economics always win. Hackers know this, and will continue to exploit every new IT medium that is introduced. It means that IT customers must once again take an active role in protecting their investments at multiple levels, without relying on just the cloud provider, or just developer resources to address Internet threats.

Conclusion

The Barracuda CloudGen WAF is an integrated, proven and highly scalable security solution on Microsoft Azure, offering comprehensive protection for web applications and for confidential data hosted in the cloud. This solution ensures that web applications have the same high levels of protection afforded by in-house data centers.

The Barracuda CloudGen WAF for Microsoft Azure is secure, affordable, and easy to use. It combines web application security, access control, and optimization in a single package that is easy and intuitive to set up and administer.

About the Barracuda CloudGen WAF

The Barracuda CloudGen WAF blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target applications hosted on web servers and in the cloud. The Barracuda CloudGen WAF scans all inbound web traffic to block attacks and scans all outbound traffic to provide highly effective Data Loss Prevention (DLP). Available as a physical or virtual appliance, it is deployed in front of the web application servers, on-premises, or in private cloud or public cloud, like Microsoft Azure.

To learn more about the Barracuda CloudGen WAF, please visit: www.barracuda.com/programs/azure.

About Barracuda Networks

Barracuda (NYSE: CUDA) simplifies IT with cloud-enabled solutions that empower customers to protect their networks, applications and data regardless of where they reside. These powerful, easy-to-use and affordable solutions are trusted by more than 150,000 organizations worldwide and are delivered in appliance, virtual appliance, cloud and hybrid deployments. Barracuda’s customer-centric business model focuses on delivering high-value, subscription-based IT solutions that provide end-to-end network and data security. For additional information, please visit barracuda.com.

Barracuda Networks, Barracuda and the Barracuda Networks logo are registered trademarks or trademarks of Barracuda Networks, Inc. in the U.S. and other countries.