With an increase in PaaS and serverless deployments in Microsoft Azure, a collection of integrated cloud services comes a shift to security in the cloud. Today, we are seeing a transfer from controlling everything on-premise to sharing security responsibilities with Microsoft.
Unfamiliar with the terms of Platform as a Service and Serverless architectures? The easiest way to think about this technology is to know that there is an operating system, usually Windows or Linux, driving the solution “under the covers,” but that you will never see it. The underlying operating system is entirely supported and maintained by Microsoft, Amazon or Google, depending on which platform you’re using. Supporting security on these platforms can be very different, and often, even easier than what you may be used to on-premise.
A significant difference between PaaS and more traditional on-premise deployments is how the security perimeter is defined. Traditionally, the primary on-premise security perimeter was your network. Most on-premise security designs use the network as its primary security pivot. With PaaS deployments, user identity is the main security perimeter. The goal of cloud computing is to allow users to access resources regardless of location. For most users, that location is going to be somewhere on the Internet.
Key Considerations for PaaS Security
As your company considers PaaS security, there are some matters to take into account. Your company will need to think about:
Adopting a policy of identity as the primary security perimeter: This shift can be a big change for your organization, especially when its norm may have been channeling network traffic through one or two on-premise firewalls.
In the cloud, network-centric thinking becomes way less relevant. In many cases, you will not have access to the network below the application layer. Security becomes less about protecting your network and more about defending your data, as well as managing the security of your apps and users. The key difference is that you want to push security closer to what’s important to your company.
Using threat modeling during application design: The Microsoft Security Development Lifecycle specifies that teams should engage in a process called threat modeling during the design phase. To help facilitate this process, Microsoft has created the SDL Threat Modeling Tool. Modeling the application design and enumerating STRIDE threats across all trust boundaries can catch design errors early on.
Developing on Azure App Service: Azure App Service is a PaaS offering that lets you create web and mobile apps for any platform or device and connect to data anywhere, in the cloud or on-premise. App Service includes the web and mobile capabilities that were previously available separately as Azure Websites and Azure Mobile Services. It also includes new capabilities for automating business processes and hosting cloud APIs.
Azure Cloud Services: Azure Cloud Services is an example of a PaaS. Like Azure App Service, this technology is designed to support applications that are scalable, reliable, and inexpensive to operate. In the same way that App Service is hosted on virtual machines (VMs), so is Azure Cloud Services. However, you have more control over the VMs. You can install your own software on VMs that use Azure Cloud Services and you can access them remotely. In this recorded webcast, find out what you don’t know about Azure.
Installing a web application firewall: Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities. A centralized web application firewall (WAF) helps make security management much simpler and gives better assurance to application administrators against threats or intrusions.
A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location instead of securing each individual web application. Existing application gateways can easily be converted to a web application firewall-enabled application gateway.
Monitoring the performance of your applications: Monitoring is the act of collecting and analyzing data to determine the performance, health, and availability of your application. An effective monitoring strategy helps you understand the detailed operation of the components of your application. It helps you increase your uptime by notifying you of critical issues so they can be resolved before becoming problems. Monitoring also helps you detect anomalies that might be security-related.
Performing security penetration testing: As in on-premise installations, validating security defenses is as important. Make penetration testing a standard part of your build and deployment process. Schedule regular security tests and vulnerability scanning on deployed applications. Monitor for open ports, endpoints, and attacks.